Posted on by Adam James Lamagna

The Frustration with Website Security

People just expect their websites to be secure!

People just expect their sites to be safe, and I’ll admit, I did for the longest time too! But that’s a far cry from reality and one that’s hard to sell.

I work for Sucuri, one of the best website security companies on the market today (probably the best – and yes, I am biased!). But I sell web products to agencies and enterprise level clients. It’s not so difficult to sell them on our products. Sucuri’s products, they just work and very well at that! What I need to sell people on is website security as a whole, which is much more difficult than you may realize.

Let me break things down.

There are all these moving pieces to the web, correct? Yes, there are. Even more so at a granular level when you look at company’s servers or hosting environments, file structures and setups, their clients and others who have access to these sites, the sites themselves and all their vulnerabilities. Not to mention the hackers, who rarely leave a trace and rarely get caught and rarely get punished for it.

Let’s start with different environments. There’s a great analogy I use for shared hosting, VPS, and dedicated accounts.

  1. Shared hosting – this, essentially, means that you are sharing resources with everyone else in that environment, like CPU time or memory space. It’s like living in an apartment complex and sharing the pool, laundry, and parking lot with your neighbors. You still have your own place, but if the laundry is tied up, you’ve got to wait!
  2. VPS (Virtual Private Server) – this is like living in a condo, because you’re still sharing resources that are outside of your condo, like parking space, but you’re ultimately responsible for things inside your condo. So, in a VPS environment, there are still shared resources, but portions of those resources are dedicated to each individual VPS.
  3. Dedicated server – this is like owning your own home. You’re responsible for the upkeep, but you also have access to all the resources, and no one shares them with you.

So, this is a very simplified version of server environments. Nowadays, people use the term ‘server’ and the term ‘hosting’ in somewhat the same way. Years ago, when someone said we host internally, it usually meant that they had physical servers inside their offices where they would manage them and actually host their sites on those servers. And for those of you who don’t know, a server is just a computer, with a little different hardware on it (even though, a desktop computer could run a server) – I know, confusing!!!

Hosting is done by a number of different providers like WP Engine, 1and1, GoDaddy, Pantheon, and so on. They have the hardware and resources to handle many different types of platforms (or a specific one), and they also make things easy for people to manage their environments through something called a C-Panel or Control Panel. It’ll give you access to your domains (if you’ve pointed them from your registrar or used the hosting company to buy the domain) and let you change the directory path and DNS settings, things like that.

Now with most servers, there will be server-level firewalls set up with the infrastructure, but that means that it’ll still let in web traffic, which is what we need a lot of protection from. Port 80 (HTTP) and port 443 (HTTPS) traffic can let in a lot of different activity (good and bad).  This is how your visitors reach your site, through one of those two ports depending on whether or not you have an SSL certificate. So, there are many different ways a website can get compromised.

  • Software vulnerabilities
  • XSS (Cross-site scripting)
  • Backdoor Injections
  • SQL Injections
  • SEO Spam
  • DDoS (Distributed Denial of Service) Attacks
  • Brute Force Attempts

And the list goes on…and on…and on…

But you have to be aware of this stuff, and keep in mind that a lot of these attacks are automated. Some may be done manually by a bored teenager sitting at home in front of his computer. But for the most part, they’re automated attacks. And keep in mind there are attacks of opportunity (which we are all susceptible to) and targeted attacks, which are usually for the bigger brands and companies, but make no mistake if you engage in controversial content on your website (like religion or politics), you can very well be targeted too!

There are a few different reasons why someone would want to attack your site or gain access to it. It’s not just money, but that can be part of it.

  1. Revenue – and I’m not talking about people trying to steal credit card info (although, that happens all the time), but if you don’t do anything with e-commerce, hackers can still profit off of your website. Imagine a hacker injects your site with malware and then your mom visits your website. She unwittingly downloads something that your site told her to download (because she trusts you and what you put on your website) and then four hours later she has no money in her bank account. BOOM!! Oops… That’s what I’m talking about. And there’s also SEO spam. Hackers who use your site to redirect traffic to their pages to make money by inserting links, or keyword stuff your site (which will send your rankings through the floor – and it’s hard to recover from) to get better rankings in the short term and make money off of your audience.
  2. Resources – this is another big one. Maybe the hackers don’t want money, but they may want your resources. Things like bandwidth or CPU. They can build a network off of your system and lease it to others. Now hackers can take your resources and use them to attack other unknowing parties, without YOU (the website owner) even realizing it. Scary, right??
  3. Lulz – yup, that’s right, lulz!! What is that you ask? Well…it’s just for the hell of it! Fuck it, let’s try it! I want to see if I can do this. Again, it could be some bored teenager just sitting around chatting on the security forums. Someone tells them about a tool to drop scripts in a website via a contact form, and they want to see if they can do it and gain access. Then once they do, who knows what could happen!! Be careful of this, because this is really hard to mitigate against. Get a WAF (website application firewall).

We have to be careful of things like Ransomware (holding a website owner’s site hostage) or Malvertisements (malicious ads) and there’s no one right way to do this. It really starts with education, so if you’re reading this post, kudos!

Some thoughts on general security

In order to keep your site (and your visitors) safe, you’ll need to explore general website security. Starting with monitoring and a firewall. Sucuri offers an awesome monitor/firewall package, our Website Security Stack. But if you can’t afford that, then look at all the free stuff out there.

You can use our Sitecheck to see if there is malware on your site. But keep in mind this only scans remotely, it can’t check the database.

You can learn how to harden WordPress. Which is basically locking a few things down like access, having containment, certain configurations.

Or you can take a look at OWASP and ModSecurity – which are open source and free to use, you just have to configure the firewall yourself, and that can get confusing!!

The Frustration of Website Security

And this is the frustration of website security—is that there is no 100% solution out there. I don’t think there ever will be! Ever! The reality is is that the landscape of websites and their environments change so frequently that once a solution had been produced, hackers have already found a solution of their own to beat it. And that’s the continual cycle.

So educate yourself and the people around you. If you own a website, you not only have a responsibility to it, but to your audience, and the web in general.

More to come on this topic…..