No matter what business you’re in, your website is likely the first port of call any new or existing customer will land on to learn more about you. It has become an essential digital asset that projects a company’s relevancy, services and brand. Therefore, if your website is compromised by an aggressive third party with malicious intentions, it can take just seconds to seriously damage a company’s reputation, customer experience and profits.
Protecting your website is critical for all businesses operating in 2019, but it’s impossible to stay safe unless you understand the key ways a bad actor can take control of your website.
In this guide, we'll explore the six key areas you need to secure to stay one step ahead of the hackers.
Depending on their level of skill, attackers use anything from simple password guessing to sophisticated automated cracking tools in their attempts to obtain a website’s login credentials. These blunt methods can be very effective if administrators don’t follow basic, sensible password management practices, such as creating a strong password that is difficult to guess and doesn’t rely on personal information.
However, there are two important points to remember. First, and this is a reality that sadly can no longer be ignored, avoid reusing the same or similar passwords across multiple online services. Once attackers identify a working username and password combination (e.g. one exposed in a large breach such as Yahoo or LinkedIn), they will try that same combination on as many obvious services as possible that may relate to you or your company.
For example, if I find a breached email address and password for email@example.com and the password is “bigears”, it is reasonably easy to quickly access that person’s cloud-hosted email, potentially log into their work network or even impersonate them on social media channels like LinkedIn and Twitter. Using a unique password for each online service is a great first line of defence that stops one breach compromising your other accounts.
Second, and even better, take advantage of a two-factor authentication (2FA) service such as Google 2-Step Verification wherever the option is available. 2FA adds a second layer of login credentials, usually a text message code or another dynamically generated PIN, which limits an attacker’s ability to access your account with just a stolen password. An increasing number of CMS (Content Management System) platforms that support websites are incorporating this.
How we can help
Darkbeam’s breached email detection tool reveals any email addresses associated with your domain that are currently exposed to the public alongside their passwords. In seconds, you can identify any breached email addresses so you can instantly take the next steps, whether that’s resetting passwords, deactivating accounts or alerting your colleagues to the increased likelihood of phishing attacks.
Insecure Themes and Plugins
Plugins and themes on a website’s CMS add valuable, enhanced functionality and are particularly popular with smaller organisations who lack the resources for in-house front-end developers and graphic designers. However, outdated or unpatched themes and plugins are a major source of vulnerabilities on websites. If you use themes or plugins on your site, it’s essential to keep them up to date and prioritise the removal of themes or plugins that are no longer maintained by their developers.
Be extremely cautious of free plugins or themes from untrusted sites. It’s a common tactic for attackers to add malicious code to free versions of paid plugins or themes. When removing a plugin, make sure to remove all its files from your server rather than simply disabling it.
How we can help
Darkbeam’s broad portfolio of digital risk tests gives users a continuous monitoring capability of these possible risks:
X-XSS-Protection
Strict Transport Security
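As an added illustration (not Darkbeam’s code) of what a check on the two headers listed above looks like, the following audits a captured set of HTTP response headers for Strict-Transport-Security and X-XSS-Protection. The six-month minimum max-age and the sample headers are assumptions constructed for the example.

```python
# Added example (not Darkbeam's code): audit the two response headers the text
# lists, Strict-Transport-Security (HSTS) and X-XSS-Protection, from a captured
# response. Assumption: a six-month minimum HSTS max-age is acceptable.
HSTS_MIN_MAX_AGE = 15552000


def parse_hsts(value):
    """Parse an HSTS header value into (max_age, include_subdomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                max_age = None  # malformed number: treat the policy as unset
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def audit_headers(headers):
    """Return a list of findings for a dict of response headers (case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers may still connect over plain HTTP")
    else:
        max_age, include_sub, _preload = parse_hsts(hsts)
        if max_age is None:
            findings.append("HSTS max-age missing or malformed")
        elif max_age == 0:
            findings.append("HSTS max-age=0 switches the policy off")
        elif max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age={max_age} is short; use at least {HSTS_MIN_MAX_AGE}")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains: subdomains remain downgradable")
    if "x-xss-protection" not in h:
        # Legacy header: current browsers ignore it, so this is informational only;
        # Content-Security-Policy is the effective XSS control today.
        findings.append("Info: X-XSS-Protection not set")
    return findings


# Constructed sample: a site that set only a short HSTS policy and nothing else.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
```

Running `audit_headers(SAMPLE_HEADERS)` reports the short max-age, the missing includeSubDomains directive and the absent legacy header.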
Inconsistent domain security updates
Older versions of software are more likely to be affected by high-risk security vulnerabilities that enable attackers to compromise an entire website. Attackers actively seek out old software with known vulnerabilities to quickly and efficiently breach networks. Without a proactive approach to domain security, your site is highly visible as a target to attackers.
Note: It’s essential to periodically check for software updates for your site in order to patch vulnerabilities.
Some examples of software you’ll want to keep updated include:
Web server software, if you run your own servers
Content Management System. Example: security releases from WordPress, Drupal and Joomla!
All plugins and add-ons you use on your site
How we can help
Darkbeam’s non-intrusive scanning of a domain provides a hacker’s eye view of your domain security and cyber posture enabling you to quickly audit any weaknesses that may exist so that you can immediately mitigate your risks. In seconds, Darkbeam tools break down your current domain security in diagnostic detail.
Security policy holes
If you are a system administrator or run your own website, remember that poor security policies can allow attackers to compromise your site. Although most businesses have robust processes in place that require users to create strong passwords and closely monitor who is granted admin access, the list of policies and vulnerabilities to be aware of grows daily. Whether it’s allowing users to sign in over HTTP or neglecting to validate the type of files uploaded by unauthenticated users, hackers will consistently zero in on any security hole left unattended.
When protecting your site, make sure you follow these basic policies:
Ensure your website is configured with high security controls by disabling unnecessary services
Test access controls and user privileges
Use encryption for pages that handle sensitive information, like login pages
Regularly check your logs for any suspicious activity
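To show what “checking your logs for suspicious activity” can mean in practice for the password-guessing attacks described earlier, here is an added example (not Darkbeam’s code) that flags bursts of login attempts against a CMS login page in web server access logs. It assumes the combined log format, that logins are POSTs to /wp-login.php, that a failed WordPress login re-renders the form (HTTP 200) while a successful one redirects (HTTP 302), and uses constructed sample log lines and assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not Darkbeam's code). Assumptions: combined log format, logins are
# POSTs to /wp-login.php, a failed WordPress login re-renders the form (HTTP 200)
# while a successful one redirects (HTTP 302); WINDOW and THRESHOLD are tuning guesses.
LOGIN_PATH = "/wp-login.php"
WINDOW, THRESHOLD = timedelta(minutes=5), 5  # sliding window and burst size (assumed)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip it
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_login_bursts(lines):
    """Map bursting IPs to peak attempts per WINDOW and whether a redirect followed."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "POST" and parsed[3].split("?")[0] == LOGIN_PATH:
            events[parsed[0]].append((parsed[1], parsed[4]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= THRESHOLD:
                a = alerts.setdefault(ip, {"attempts": 0, "success_after_burst": False})
                a["attempts"] = max(a["attempts"], count)
                if evs[end][1] == 302:  # a redirect after a burst: the guessing may have worked
                    a["success_after_burst"] = True
    return alerts


# Constructed sample log: one address hammers the login form and then gets a redirect.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2019:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2019:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2019:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2019:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:13:40:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
```

`detect_login_bursts(SAMPLE_LOG.splitlines())` flags only 203.0.113.5, with success_after_burst set, which is the alert that warrants an immediate password reset and session review for the affected account.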
How we can help
Of course, monitoring complex network infrastructures for security policy breaches can be hugely manual and resource intensive. Darkbeam’s Digital Risk Protection platform assists security professionals to automate their monitoring activities and instantly identify a number of weaknesses as they arise.
Social engineering is about exploiting human nature to bypass sophisticated security infrastructure. These types of attacks trick authorized users into providing confidential information such as passwords. For example, a common form of social engineering is phishing. During a phishing attempt, an attacker will send an email pretending to be a legitimate organization and request confidential information or even fraudulent payments.
Caution: According to a Google study on social engineering, some of the most widely used phishing campaigns have a 45% success rate!
Remember never to give out any sensitive information (e.g. passwords, credit card numbers, banking information, or even your date of birth) unless you’re sure about the requestor’s identity. If your website is managed by several people, consider providing regular training to raise security awareness against social engineering attacks.
How we can help
With staff often representing the weakest link in a company’s digital risk profile, Darkbeam takes social engineering seriously. One of our most popular tools creates and prioritises possible domain permutations a hacker may adopt when mounting such a social engineering attack. These lists of domains should be immediately blacklisted by your IT team, preventing any suspicious email reaching a vulnerable end user.
Secondly, Darkbeam’s Cyber Stars program is available as an accredited cyber awareness course to establish lasting behavioural change that protects your users. Each program is tailored specifically for the client and the sector they are in to highlight the most relevant risks and vulnerabilities.
Data leaks can happen for a number of reasons, often when confidential data is uploaded and a misconfiguration makes it publicly available. For example, a web application can leak configuration details through a poorly handled error message. Using a method known as "dorking", malicious actors exploit search engine functionality to find this exposed data and capture intellectual property or confidential client information.
Ensure that your site doesn’t reveal sensitive information to unauthorized users by conducting periodic checks and restricting confidential data to trusted entities through security policies.
How we can help
Occasionally, even the most cyber aware organisations suffer from human error that leads to a wide scale data leak. To help businesses quickly and accurately monitor the dark web for confidential data, Darkbeam has created a proprietary crawler that captures hacker sites of interest across dark networks and the open internet. Using our search tools, you can identify leaked data in real-time and accelerate your response activities before business as usual is impacted.
Darkbeam are on a mission to make the internet a safer place for everyone. For more best practice advice on securing your website and business critical data, get in touch with the Darkbeam team today.