Daniel Beazer, director of strategy at FireHost, discusses the four most vicious hacks that can damage a website, and how to protect yourself against them.
Most of the posts on Reputation Management are about how to use the power of the web to build brand equity. What happens when your (or your client’s) hard-won reputation becomes a target and the site, or even worse, the site’s end-users, become the victim of a malicious cyber attack?
We’ve all seen how reputations built up over years can be ruined in minutes by hackers or some other technical disaster. A lot of agencies protect themselves by having clauses in their T&Cs that exclude liability for security breaches. It’s a reasonable enough stance; after all, it’s almost impossible to protect a customer against all potential attacks. But the conversation with the client who has just had his customers’ credit card details broadcast over the net won’t be a pretty one. It’s best never to put yourself in that position, and to be able to show that you have incorporated a genuine security element into the build. Those ‘best practices’ in the T&Cs really need to be best practices.
But how can an agency go about protecting customers against the thousands and thousands of potential attack forms proliferating on the web? Is there a shopping list of major attack types for which the digital community needs to look out? Sort of.
At FireHost, as a secure cloud IaaS provider, we believe developers should have a broad overview of attack-vector trends, and in response we provide some really useful tools that help you safeguard against them.
Our company’s Superfecta Report graphs the frequency and trend of the four most vicious hacks, giving our developers a clear picture of the patterns at play. Named after a type of wager where the gambler picks the first four finishers in a race, in the correct sequence, here’s a closer look at the current trends for attacks mitigated on behalf of FireHost’s clients:
Directory traversal
It’s not the best known attack, but it’s become the most common, taking the top spot in the rankings with a 43% share in Q2. It’s not the easiest breach to explain. Crudely, it’s an HTTP attack that allows hackers to access restricted directories (hence ‘traversal’).
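The mechanics of directory traversal are easier to see in code than in prose. Below is an added example, not code from the original post or from FireHost: a small request-path resolver that refuses any path which would climb out of an assumed document root of `/var/www/site`, and a defender's helper that flags such requests from a list of constructed access-log paths.

```python
"""Safe mapping of a request path onto a document root.

Added example, not code from the original post or from FireHost. Assumes
a document root of /var/www/site; no real files are touched.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"  # assumed document root


def decode_request_path(raw: str) -> str:
    # Decode twice so %2e%2e and double-encoded %252e%252e both become '..',
    # and treat backslashes as separators, since some servers accept them.
    return unquote(unquote(raw)).replace("\\", "/")


def resolve_under_root(raw: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the absolute path to serve, or None if the request would
    climb out of the document root (a directory traversal attempt)."""
    decoded = decode_request_path(raw)
    if "\x00" in decoded:  # an embedded NUL can truncate the path further down
        return None
    # Normalise the *joined* path: normpath collapses '..' segments, so a
    # request that escapes the root no longer carries the root as a prefix.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate  # on a live file system also realpath() it to defuse symlinks


def flag_traversal_requests(paths: list) -> list:
    """Defender's view: the logged request paths that would escape the root."""
    return [p for p in paths if resolve_under_root(p) is None]


# Constructed sample request paths, as they might appear in an access log.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../css/site.css",
    "/../../etc/passwd",
    "/images/..%2f..%2f..%2fetc%2fpasswd",
    "/%252e%252e/%252e%252e/config/db.ini",
]

if __name__ == "__main__":
    for path in SAMPLE_REQUESTS:
        print(f"{path:40} -> {resolve_under_root(path)}")
```

Note that a blocklist of the literal string `../` would miss the encoded forms in the sample list; resolving and then checking containment catches all of them.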
Cross-site scripting
The second most common attack, with 27%. It is an injection problem: scripts are injected into a website, which then becomes compromised and sends malicious script to end-users’ browsers.
Cross-site request forgery
Takes third place with 12%. In a cross-site request forgery, a victim is tricked into loading a page that contains a malicious request, such as one that changes the victim’s password.
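The password-change case above is the standard illustration, and the standard defence is a per-session token that a page on another origin cannot know. The following is an added example, not code from the original post: a minimal synchronizer-token check, with sessions and requests modelled as in-memory dicts (the session store, field names and handler are assumptions for the illustration).

```python
"""Synchronizer-token check against cross-site request forgery.

Added example, not code from the original post. Assumes an in-memory
session store keyed by session id; requests are modelled as dicts.
"""
import hmac
import secrets

SESSIONS: dict = {}  # constructed in-memory session store


def start_session() -> str:
    sid = secrets.token_urlsafe(16)
    # The token is random per session and is only embedded in pages the
    # site itself renders, so a forged page on another origin cannot know it.
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "password": "old"}
    return sid


def change_password(request: dict) -> str:
    """Handle POST /change-password. The browser attaches the session cookie
    automatically, which is exactly why the cookie alone must not authorise
    the change: the token proves the request came from the site's own page."""
    session = SESSIONS.get(request.get("cookie_sid"))
    if session is None:
        return "401 no session"
    supplied = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison, so the check itself leaks nothing about the token.
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return "403 csrf token missing or wrong"
    session["password"] = request["form"]["new_password"]
    return "200 password changed"


def simulate(with_token: bool) -> str:
    """Start a session, then submit a password change from the site's own
    page (with the token) or from a forged page (without it)."""
    sid = start_session()
    form = {"new_password": "new-secret"}
    if with_token:
        form["csrf_token"] = SESSIONS[sid]["csrf_token"]
    # In both cases the browser sends the session cookie automatically.
    return change_password({"cookie_sid": sid, "form": form})


if __name__ == "__main__":
    print("legitimate page:", simulate(True))
    print("forged page:    ", simulate(False))
```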
SQL injection
In last place with a 9% share but, worryingly, attacks have risen dramatically quarter on quarter, bumping up 69%. By injecting SQL code (the widely used database language) into a web form entry field, the attack attempts to pass a rogue SQL command to the database. This is the most widely known attack, though, thanks mostly to high-profile breaches at Sony, Yahoo, and LinkedIn.
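To make the rogue-command point concrete, here is an added example, not code from the original post: a lookup that pastes a form field into the SQL text, beside the parameterised version that sends the value as data. It uses an in-memory SQLite database with constructed rows so it runs offline.

```python
"""SQL injection: a string-built query beside its parameterised fix.

Added example, not code from the original post. Uses an in-memory
SQLite database with constructed rows so it runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The form field is pasted into the SQL text, so anything it contains is
    # parsed as part of the command: a stray quote lets it rewrite the WHERE.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # The value travels to the database separately from the statement and is
    # only ever compared as data, never parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    field = "x' OR '1'='1"  # constructed form input
    print("vulnerable:", lookup_vulnerable(db, field))  # every row comes back
    print("safe:      ", lookup_safe(db, field))        # no row matches
```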
What Can I Do?
Security or ‘being secure’ is not a state; it’s more like a constant battle or an evolutionary arms race, where the opponent, the methods of engagement and the weapons of attack constantly change. That’s why the survey comes out quarterly.
Simply keeping up with the trends in the most common types of cyber attack won’t solve all security problems, but by covering off the four most common, you can at least avoid the embarrassment of ignorance in front of a client and become a better shopper for technology service partners.
For web design agencies, the cloud is becoming an increasingly popular option for hosting projects. With the pay-as-you-go service delivery model, it’s easy to see the attraction for an industry where the three-month project is a staple.
But what questions should an agency be asking when it’s looking for a hosting partner to take its hard-won project to the cloud? As we’ve said, taking a close look at their approach to security is vital. Can the hoster protect your clients adequately against the most common type of threat as outlined above? Then, do they really have a month-to-month contract model or do their contracts actually run year to year? Beware, many providers like sticking to the old contractual model and just incorporate a few elements of pay as you go into the billing.
Finally, it’s a good idea to ask cloud providers if they have a partner scheme. Some will pay as much as 10% of any revenue you bring to them. It can be done two ways: with the agency billing the customer for the hosting and fronting the contract themselves, or with the end-client signing the paperwork and the agency picking up a fee for introducing a new customer.
With cloud computing being the thing of the moment in the IT world, web designers are spoilt for choice. Ask the questions in this guide, though, and very few will be left. For many designers, developers, and agencies, the best solution is to host in a properly secure, virtualised hosting environment, which provides protection against the most common attack types plus more.
The views expressed in this post are those of the author so may not represent those of the Koozai team.