Website Owners Unite! It’s time to take up an offensive position that keeps our online technology assets in tip-top shape.
Security on My Mind
“I’ll be listening to what you have to say and I’ll try to gear my posts to what you want/need to hear.” — Sherryl Perry, from her About Me page
I enjoy interacting with the community here at Keep Up With The Web. When I revisited Sherryl’s About Me page, the quote above struck me as apropos to what I wanted to write about and share with fellow entrepreneurs here, mainly because it falls into the category of “what you want/need to hear” to keep your hard work and hard-earned dollars from being taken from you by nefarious, badly behaving others out on the world wide web. The focus today is to help you evaluate and protect your online technology assets, especially those that impact your internet business activities.
Bird’s-Eye View: Website Security
Taking a bird’s-eye view, website security is a big problem. The evil surrounding us is baffling and seemingly indiscriminate. It appears we can do little about it except wait and hope it doesn’t happen to us. Unfortunately, if it happens, most of us are ill-equipped to mitigate the circumstances. We can truthfully admit we don’t know where to start to be proactive or how to not be reactionary.
You might not know you already have a problem: StopBadware and Commtouch jointly surveyed over 600 website owners and administrators whose websites had been compromised. “It turns out that in nearly half of the cases, owners were alerted by a browser, search engine or other warning when they tried to visit their own sites. Colleagues, friends, web hosting providers, or security organizations (such as StopBadware) let the owner know there was something amiss. Only 6% of website owners were able to detect an issue based on strange or increased activity within their sites.” (Compromised Websites: An Owner’s Perspective, February 2012, p. 8)
Who you hire can affect your security: Another alarming set of facts and statistics reveals that teachers aren’t well prepared to teach anything about protecting personal information online, basic computer security, online safety or online ethics (respecting privacy). According to research by NCSA, almost half of 18-to-24-year-olds use file-sharing apps that give others access to their PCs and files, and a horrific 30% of 18-to-24-year-olds admit to trying to guess another person’s password. (State of U.S. Cyber Education (Infographic), StaySafeOnline.org, National Cyber Security Alliance (NCSA))
(Note: Clicking on the “teachers aren’t well prepared” link above will open a pop-up box asking you to either open or save the PDF. As long as you have Adobe Acrobat Reader installed on your computer, you should be able to simply click on the “Open with” button without having to browse to the program.)
As you can see in the image below, these stats are borne out by the results of the risky behavior section of The Raytheon Millennial Cybersecurity Survey which included responses from 1,000 adults in the U.S. aged 18 to 26.
That extra pair of hands, that virtual assistant, that super-savvy PC tech … In some cases, we are hiring young people whose open way of digital life runs counter to our increasing need for cyber-security, and whose habits carry over from internet to PC to cell phone to tablet to iPad … and ultimately, to your business if that’s who maintains any of your technology assets. The good news is that the Raytheon survey also showed Millennials are taking some steps to combat their own risky behaviors; furthermore, a healthy percentage expressed interest in pursuing cybersecurity jobs (even if their guidance counselors never mentioned the cybersecurity field).
Not just websites, but digital devices, too: Website security firm Fireblade reminds small business owners that “website security has to keep up pace or even think two steps further.” That thinking has to encompass even the digital devices used by business owners in their day-to-day operations, as shown by research from CYREN’s Internet Threat Trends Report (July 2014) in the high percentage of attacks on smartphones, specifically Android phones.
Evil Bots Surrounding Us … Baffling and Indiscriminate
As if those threats aren’t enough, here come the networks of automated miscreants which are harder to combat by virtue of their work behind the scenes.
Finally, let’s demystify DDoS (distributed denial of service) and BOTS, because the better you understand them, the easier it will be to know how to inoculate your business website against rampant infection.
During the past summer, our friend and colleague Adrienne Smith sent out a heart-rending plea: “HELP: My Blog Is Being Attacked By Bots,” saying her hosting company “ran a report and found I had been visited by 3,152 known bots.” (For the record, this didn’t appear so much to be a “DDoS attack” but rather the usual legion of bots doing their thing, whatever that might have been.)
Stay Safe Online’s Botnet Fact Sheet explains bots and botnets this way:
- Botnets are generally networks of computers infected by malware (computer viruses, key loggers and other malicious software) and controlled remotely by cybercriminals, usually for financial gain or to launch attacks on websites or networks.
- Botnets may infect and use laptops, desktops, servers, routers, smartphones, or any other network equipment to conduct malicious activity.
- Many botnets are designed to harvest data, such as passwords, social security numbers, credit card numbers, addresses, telephone numbers, and other personal information.
- The data is then used for nefarious purposes, such as identity theft, credit card fraud, spamming, and malware distribution.
- Bots can also be used to launch attacks on websites and networks, which are sometimes referred to as Distributed Denial of Service Attacks or DDoS.
Just to be clear, not all bots are evil but their excessive activity on your site amounts to evil outcomes for you and your business website.
Tegtmeier goes on to name other types of crawlers, bots, and spiders that might be tying up your bandwidth as they gather information, such as SEO link snoopers and the CopyScape anti-plagiarism engine, among others.
Protect Online Technology Assets
Remember the huge DDoS attacks last year and earlier this year against WordPress, Hostgator and many of the big-name webhosting companies? Some of our sites were taken down for days at a time, costing time and money, credibility and jeopardizing client relationships (especially for those of us who maintain another business’ web assets).
What we saw during those times was an attitude of helplessness on the part of website owners. And a lack of understanding of what, if anything, we could do to protect our own technology assets. We found ourselves thinking:
- we can do little about it except wait and hope it doesn’t affect or happen to us
- if it happens we’re ill equipped to mitigate the circumstances
- we don’t know where to start to be proactive and not reactionary
Don’t Be A Sideline Victim
The numbers above show how dire the consequences can be for businesses that fail to put preventive measures in place. And fatalistic thinking is a recipe for disaster. But you don’t have to be a sideline victim. You can be proactive. Come off the sideline and take a few steps.
Attitude adjustment: stop being afraid, wishful, or hoping somebody else will handle the problem before it reaches your doorstep
Arm yourself with information: that means taking time to actually read some of the warnings and reports about cyber-security, computer safety and website security measures. Yes, it might boggle your brain, but that just means you’re stretching that muscle and strengthening your understanding.
Evaluate your current protection: Think of your website like an apartment within a complex and your webhost as the entire complex. Find out what the webhost has done to protect the residents (gates, sentry, keycard for access) then determine what extra steps have been taken inside your website abode (alarm system, deadbolts, doors and windows locked, patio secured). Have your tech person explain it, in simple terms, so you grasp it enough to know if any vulnerabilities exist.
Make a disaster plan: Such a plan should encompass both your online and offline technology assets. And just like the magnets on the fridge for the plumber and electrician, keep the numbers of a local PC shop nearby, write down the URLs of legitimate website scanners, and develop relationships with some trustworthy online techie types (like Sherryl).
Take some proactive steps: Armed with solid information and a lay of the land, get moving! These steps include asking the right questions (see below), implementing the best of the abundant free solutions, and when necessary, investing real dollars into solutions that actually work (for example, subscribing to Sucuri’s on-demand malware cleanup service or adding Fireblade’s anti-DDoS protection).
Stop waiting to exhale … yeah, go ahead and breathe!
Ask The Right Questions
We don’t know, or even want to know, what is under the hood or how the web server works. Okay, fair enough. But in order to protect online technology assets you should know this:
- It is not enough to add a security plugin to your blog
- It is negligent to rely upon your hosting company for backups
- It is courting danger to not have a server-level firewall in place
- You are asking for trouble if your “maintenance plan” does not include periodic virus and malware scans
- The risks are yours alone if you have an unmanaged dedicated server or VPS
Just knowing the importance of those few items concerning your website is enough for you to ask the right questions and put preventive measures in place.
Ask your webhost these questions:
- Is there a server-level firewall in place? Does it block known bad botnets?
- Do you monitor websites for bad behavior, like using your servers for spamming, running botnets, and similar?
- Are the webservers, database servers and email servers scanned periodically for viruses and malware?
- How do you handle DDoS attacks hitting your servers? Individual websites?
- Do you have an external layer of DDoS protection? Is my website covered, too?
If your webhost does not offer you any type of DDoS protection, you can affordably protect your business website from cyber bullies on your own. For example, Fireblade has an Anti DDoS service that goes beyond the usual firewall blocking, incorporating reputational and behavioral technologies.
And ask your webmaster or site manager these questions:
- Has there been any unusual activity on my site lately (from viewing server logs)?
- Are my backups stored offsite?
- What security measures are in place?
- Is my site being scanned consistently for viruses and malware?
- Are there a lot of attempts to break into my site?
- Are you using strong, secure passwords to access my site?
- Are you managing my site from insecure wifi networks?
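Two of the questions above (unusual activity in the server logs, and how many break-in attempts there are) and the earlier point about crawlers tying up your bandwidth can all be answered from the web server’s access log. The Python script below is an added example written for this post, not code from the post or from any hosting company or vendor it names. It parses a handful of constructed log lines in the “combined” format that Apache and nginx write (documentation IP ranges, invented traffic, and a made-up user agent “ExampleLinkSnooperBot” standing in for the SEO link snoopers mentioned above), flags addresses that repeatedly POST to wp-login.php, and totals the requests and bytes served to each self-identified bot.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the "combined" access-log format used by Apache
# and nginx. The addresses are documentation ranges and the traffic is invented;
# "ExampleLinkSnooperBot" is a made-up user agent standing in for the SEO link
# snoopers the post mentions. The last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:13:55:30 +0000] "GET /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2014:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2014:13:55:32 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2014:13:55:33 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2014:13:55:34 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2014:13:55:35 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:14:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
66.249.66.1 - - [10/Oct/2014:14:05:00 +0000] "GET / HTTP/1.1" 200 5210 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
66.249.66.1 - - [10/Oct/2014:14:05:01 +0000] "GET /about/ HTTP/1.1" 200 4100 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.44 - - [10/Oct/2014:14:06:00 +0000] "GET /feed/ HTTP/1.1" 200 30000 "-" "ExampleLinkSnooperBot/1.0"
192.0.2.44 - - [10/Oct/2014:14:06:01 +0000] "GET /page/2/ HTTP/1.1" 200 30000 "-" "ExampleLinkSnooperBot/1.0"
192.0.2.44 - - [10/Oct/2014:14:06:02 +0000] "GET /page/3/ HTTP/1.1" 200 30000 "-" "ExampleLinkSnooperBot/1.0"
this line is deliberately malformed and must be skipped, not crash the parser
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Crawlers that identify themselves usually carry one of these words in the user agent.
BOT_RE = re.compile(r"bot|crawl|spider|slurp", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0  # "-" means no body sent
    return rec


def parse_log(text):
    """Parse every line, silently dropping the ones that do not match the format."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def find_login_bruteforce(records, threshold=5, login_path="/wp-login.php"):
    """Return [(ip, attempts)] for addresses that POSTed to the login page at
    least `threshold` times. A production check would also apply a time window."""
    attempts = Counter(r["ip"] for r in records
                       if r["method"] == "POST" and r["path"] == login_path)
    return sorted((ip, n) for ip, n in attempts.items() if n >= threshold)


def bot_traffic_summary(records):
    """Requests and bytes served per self-identified bot/crawler user agent."""
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for r in records:
        if BOT_RE.search(r["agent"]):
            summary[r["agent"]]["requests"] += 1
            summary[r["agent"]]["bytes"] += r["size"]
    return dict(summary)


def bot_share(records):
    """Fraction of all parsed requests that came from self-identified bots (0.0 to 1.0)."""
    if not records:
        return 0.0
    return sum(1 for r in records if BOT_RE.search(r["agent"])) / len(records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("login brute-force suspects:", find_login_bruteforce(recs))
    for agent, stats in bot_traffic_summary(recs).items():
        print(f"{agent}: {stats['requests']} requests, {stats['bytes']} bytes")
    print(f"bot share of requests: {bot_share(recs):.0%}")
```

To use it on a real site, read the server’s access.log into `parse_log` instead of `SAMPLE_LOG`. Keep in mind that a bot which lies about its user agent will not show up in the bot summary; the repeated-POST check catches those by behaviour instead, which is why both views belong in a monthly look at the logs.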
If you have a VPS or dedicated server:
- Is iptables or some other firewall turned on and tuned up?
- Are anonymous FTP users disabled?
- Is email virus scanning installed and active (like ClamAV)?
- Is database access (especially phpMyAdmin) locked down?
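Three of the four VPS checklist items above are settings that live in a file, so they can be audited rather than taken on trust. The Python script below is an added example written for this post, not code from the post or from any vendor it names. It assumes the FTP server is vsftpd (setting `anonymous_enable` in vsftpd.conf), that phpMyAdmin is configured through its config.inc.php (`auth_type`, `AllowNoPassword`, `AllowRoot`), and that the firewall rules come from `iptables -S`; the configuration fragments are constructed, with a weak version beside its hardened counterpart. The ClamAV item is a question of whether a service is running, not a file setting, so it is not covered here.

```python
import re

# Constructed sample configuration fragments (not taken from any real server).
# Each "weak" sample shows a setting the checklist warns about; the "hardened"
# sample beside it shows the corrected value.
WEAK_VSFTPD = "listen=YES\nanonymous_enable=YES\nlocal_enable=YES\n"
HARD_VSFTPD = "listen=YES\nanonymous_enable=NO\nlocal_enable=YES\n"

WEAK_PMA = """\
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""
HARD_PMA = """\
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowRoot'] = false;
"""

# Output format of `iptables -S`: -P lines are chain policies, -A lines are rules.
WEAK_IPTABLES = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
HARD_IPTABLES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""


def _vsftpd_value(conf, key):
    """Value of a `key=value` line in vsftpd.conf, or None if the key is absent."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(\S+)", conf, re.MULTILINE)
    return m.group(1) if m else None


def _pma_value(conf, key):
    """Literal assigned to $cfg['Servers'][$i][key] in config.inc.php, or None."""
    pattern = rf"\$cfg\['Servers'\]\[\$i\]\['{re.escape(key)}'\]\s*=\s*([^;]+);"
    m = re.search(pattern, conf)
    return m.group(1).strip().strip("'\"") if m else None


def audit_vsftpd(conf):
    findings = []
    # vsftpd's documented default for anonymous_enable is YES, so a missing key is unsafe too.
    anon = (_vsftpd_value(conf, "anonymous_enable") or "YES").upper()
    if anon != "NO":
        findings.append("vsftpd: anonymous FTP logins allowed; set anonymous_enable=NO")
    return findings


def audit_phpmyadmin(conf):
    findings = []
    if (_pma_value(conf, "auth_type") or "").lower() == "config":
        findings.append("phpMyAdmin: auth_type 'config' keeps DB credentials in the file and skips the login form; use 'cookie'")
    if (_pma_value(conf, "AllowNoPassword") or "false").lower() == "true":
        findings.append("phpMyAdmin: AllowNoPassword is true; set it to false")
    # AllowRoot defaults to true, so it must be set explicitly to block root logins.
    if (_pma_value(conf, "AllowRoot") or "true").lower() != "false":
        findings.append("phpMyAdmin: MySQL root login allowed; set AllowRoot to false")
    return findings


def audit_iptables(rules):
    findings = []
    m = re.search(r"^-P INPUT (\S+)", rules, re.MULTILINE)
    if m is None:
        findings.append("iptables: no INPUT policy found; is the firewall loaded at all?")
    elif m.group(1) != "DROP":
        findings.append(f"iptables: INPUT policy is {m.group(1)}; set it to DROP and allow only the ports you need")
    if re.search(r"^-A INPUT -j ACCEPT$", rules, re.MULTILINE):
        findings.append("iptables: a catch-all ACCEPT rule on INPUT makes the DROP policy meaningless")
    return findings


def audit_server(vsftpd_conf, pma_conf, iptables_rules):
    """Run all three checks; an empty list means every checklist item passed."""
    return audit_vsftpd(vsftpd_conf) + audit_phpmyadmin(pma_conf) + audit_iptables(iptables_rules)


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_VSFTPD, WEAK_PMA, WEAK_IPTABLES)),
                        ("hardened", (HARD_VSFTPD, HARD_PMA, HARD_IPTABLES))):
        print(f"--- {label} configuration ---")
        for finding in audit_server(*args) or ["no findings"]:
            print(" ", finding)
```

On a live server you would feed the script the contents of /etc/vsftpd.conf, phpMyAdmin’s config.inc.php and the output of `iptables -S` (run as root) instead of the constructed strings. The point of the defaults in each check is that a setting which is simply absent is not the same as a setting which is safe: vsftpd allows anonymous logins and phpMyAdmin allows root logins until told otherwise.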
The Ball is in Your Court
Without the assurance that your website is safe and clean, you run the risk of infecting your precious visitors and customers. Equally disturbing, you risk being penalized and ending up on a blacklist by search engines (like Google) that tag your site as being “unsafe.” (That throws up a nasty, scary warning to your site visitors, who promptly close their browser tab and never even visit your website.)
The cascading effects of unsecured online technology assets eventually affect your revenue stream, more so if you depend on your website for leads or have an ecommerce component or offer free publications. To mitigate negative impacts, let’s do our best to meet the challenges head on by taking a proactive stance. Share your thoughts, concerns and solutions with the community in the comments below.
Images: Cutaway of the “Risky Behavior” section from The Raytheon Millennial Cybersecurity Survey Infographic created for the National Cyber Security Awareness Month. ~ DDoS Stacheldraht attack diagram by Everaldo Coelho, licensed under LGPL via Wikimedia Commons.