Back to videos
The Overlooked Security Layer – Your Website
Website security is critical in keeping your customers confidential information safe. Is your website safe from malicious actors?
Prefer to read? (Transcription)
TOM: This is the – gosh, I don’t know how many we’ve done, at least a half a dozen of these. This webinar is about our Deeper Dive Quicklooks series, and what it’s about is the overlooked security layer.
If you’ve been through some of the others or the NRWA one, you know I talk a lot about layered security. That’s what we practice using best of breed – applications, administrative controls, technical controls, and all of that. Websites are one of those things that everyone overlooks. They typically think of it as “I just need a website designer and I need to get something up to do whatever,” take payments on accounts or maybe to put water status alerts up or general information, phone numbers, things like that where they can contact you, office hours and all of that.
But that’s an asset to your organization just as much as your office building is. For the very same reasons you need to keep your office building secure and your networks and your computers secure, you need to keep your website secure. And we’re going got use a multilayered approach to doing that.t so we’re drilling in to websites. That’s part of the main presentation; I just barely mention it. But we’re going to look into exactly what, why, who, and how you can go about doing a better job with your website.
So why is it important? Well, all sites on the internet today, the millions or billions, whatever there is, of them all over the world are monitored by browsers like Chrome or Internet Explorer, Edge, Firefox, Safari, search engines like Google, and then one of our security layers that we add to networks, DNS filters. All of those things plus other tools that can be used block access to known or suspected malicious websites. Those are sites that, for one reason or another, the search engines or the DNS filters don’t want visitors to go to because bad things could happen.
As a result, your website can get blacklisted. Which is kind of a good thing, because if you get blacklisted, it’s because there’s a reason for it. But if you do get blacklisted, you’re going to lose up to 98% of your traffic and no one’s going to be able to get your phone number, get your office hours. You’ve got all of a sudden a community trust issue because “Wait a minute, this is warning me not to go there because it could be a malicious website.” What does that do to your reputation?
But most importantly, it’s one of the assets that you have to identify, both the asset that needs to be protected and what to do and all of this stuff, and it’s part of the NIST (National Institute of Standards and Technologies) Cybersecurity Framework. So that means it’s part of AWIA. Either if you’re required or you’re going to get AWIA certified or whatever they call it, if you’re going to get to that level – which everyone should – you’re going to use the NIST CSF, and the website is one of those things. So besides all of the other things, it’s just the right thing to do. That’s the short answer to that.
So why do these hackers attack websites? Some of these are technical and not something that I’m going to get into a deep explanation on, but to a website designer, they’re going to know what injecting SEO spam is.
As we talk in network security or computer security, dropping a backdoor in for persistent access. That’s one of the things they can do with a website because a website server is nothing more than a server. It serves files up just like if you have a file server in your office. That’s all it is. It’s basically a PC that serves files up.
Another purpose is to collect visitor personally identifiable information and/or credit card data. I know that some of you, if you do take credit cards online for payments, chances are you’ve offloaded that PCI component to PayPal or whoever you may use and you don’t have to be PCI compliant. But it’s still best to protect any personal information that’s on the website.
Sites can be hacked to deliver a drive-by payload, like a malicious piece of software that can be used to mine cryptocurrency. Bitcoin is electronically mined by performing calculations, and computer resources are expensive, so one of the things they can do is drop it on there. Somebody visiting the website can download that mining software, and after a few thousand of those a hacker is actually starting to make money off of it.
It could be hacked to show unwanted ads and scam site visitors. Probably everyone that’s on the webinar today has seen these pop-ups that say, “Hey, your computer is infected. We’re part of the Microsoft security team and you need to call this 800 number.” It looks very important, looks very urgent. This is a scam. And they can remote in to your computer if you fall for it, and they do great customer service and are willing to do anything and answer all your questions – for a small fee. So you can inject those types of scary things in there.
It can also be used to distribute ransomware payloads, like in a drive-by. Or just simply it’s not a drive-by; it just has the payload, and your server is – the macro for the file attachment opening, that just happens to be the server it knows to get the download.
It can also be used to launch attacks against other sites. There was an attack a few days ago from Anonymous, but I can’t remember who they did. This is a hacktivist group. They have a cause. Not doing it for money, not really doing it necessarily for fame, because most of these people are doing it for the money, and then nation-states, of course, and some of those are doing it for money. But these hacktivists want to shut down – Greenpeace wants to shut down the oil industry websites. Their cyber hacktivist sympathizers can compromise your site to deliver a denial of service attack against Exxon Mobil or whatever these hacktivists, these activists – Greenpeace against Japanese whaling companies, those types of things. That’s what DoS usually is, from a hacktivist. Sometimes nation-states will do that as well.
But that’s just a sample of what they can do by hacking the website. That’s not all of them. There’s a lot of other things that could be done, and new uses are being discovered continuously by the hackers. “Oh, I can use a web server for this.”
Now, as I’ve mentioned whenever we talk about the hacking industry, 2 years ago it was estimated to be a $1.4 trillion business. And that was conservative 2 years ago. Today, it’s probably a $3-4 trillion business worldwide. It puts it in front of the GDP of Australia, so this is a huge, huge business done at scale. They’re going to automate both the discovery of sites that can be hacked, but they’re also going to automate the hacking itself, to a large degree.
If they’re looking for sites to distribute ransomware, they do an automated tool to look for a specific vulnerability. In WordPress, for example. That’s a CMS. So this automated tool goes out and says, “Here’s an unpatched WordPress website. The exploit itself is automated, so I’m going to run the exploit, and then I want to deposit this file for nefarious purposes.” They’re doing this at scale.
So you can see if you had a million websites around the world, it would not be hard to form a web bot to do denial of service attacks. This is not hard to do. It doesn’t take someone looking at each and every site and then manually uploading the file. It can be done automatically and at scale, and the way they do that is through unpatched server operating systems, unpatched databases. They typically use MySQL these days. The server OS is usually Linux. There are still a handful using Windows, but either one of those that are unpatched. All software has to have security patches.
Of course, WordPress itself – not only do you have to upgrade WordPress itself, almost every single WordPress site has plug-ins and multiple themes. You know, how it looks and feels and the color schemes and all of that. It has themes that must be patched to make sure you’ve got the latest, greatest secure version of the software. Just like you have to patch Windows, Mac OS, Microsoft Outlook – all of these things have to be kept up to date. You’re real familiar with this on your PC, but a lot of people don’t realize that web servers are not these magical, mystical things. They’re just computers, just like any other computer, and they are vulnerable for various reasons. You have to remember that.
So what are the typical attack vectors? Once again, this is a little bit technical, but they can use SQL injections, which is the language used by databases. They can do cross-site scripting.
Another one that WordPress especially is susceptible to is credential brute force attacks. The default username for the administrator on WordPress, unless they changed it recently, is still “admin.” You have to go in and manually change it from “admin” into something else. I can’t tell you how many websites that we deal with and they go, “It’s ‘admin’ and then this is the password.” First of all, just change “admin” to something else. Everyone knows this.
Advertising networks, of all things. This used to be more common than it is now, but I did see somebody get hacked – it probably wasn’t Weather.com, but in the past, all of these sites that are household names – CNN.com, Weather.com, FoxNews.com, all of these sites have been hacked through their advertising networks. The way that works is – a good example is your local TV provider. On their website, they typically have multiple ad networks where they serve up ads. They entrust that the advertising networks themselves make sure that none of the ads are malicious.
These advertising networks did not make security a priority pretty much just until recently, and they did a poor job of screening advertisers. So somebody could go on there and say, “I’m Tom’s boat-building company, and here’s some ads of custom boats and yachts and everything else that I want to try to sell to those types of people that buy yachts.” They’d look at it for a few days, “Yeah, that ad’s legit. That click-through is legit.” Then once I gain their trust after a week or two, I just start swapping in malicious ads.
And maybe it’s the scam for the virus warning, “Call Microsoft.” Or it could be any number of different scams that you can do using the advertising network. Sometimes you can just do a drive-by file download through the advertising network. But they’ve become a lot better and they realize that’s damaging to their business if they don’t screen their advertisers really carefully.
And then finally, like I mentioned, an attack vector is not only can your website be used to do DoS, but it can also become a victim of DoS. A denial of service attack is the attempt to flood a server to get it to shut down, nonresponsive, and nobody can visit the site.
Feel free to drop any questions. The Q&A is there, and Kindsey’s keeping an eye on it. Chat’s fine, too. So if you’ve got any questions as you come on, just drop them in there. I might even answer them during the webinar here.
So, what should you do? As I mentioned earlier, we’re going to use the NIST Cybersecurity Framework – because remember, that’s what you do if you’re getting in AWIA compliance. And the 5 major components of NIST CSF – and if you look this up, it looks more complicated than it actually is, so I’m simplifying it. In fact, we’ve done webinars, “AWIA Simplified.” It’s not just the filling out of the paperwork and certifying you’ve done the 2 things, but it’s actually doing the work itself that needs to be done that you’ve identified.
The very first thing you do with Cybersecurity Framework is you identify. In the case of a website, what CMS am I using? For most of you, it’s probably going to be WordPress. What’s the server operating system? What’s the database? Where is my domain registered? And then finally – and if you’re taking notes, just write this down. I don’t expect you to understand it all, but make sure you know who’s got control of the DNS and where your domain is registered. As far as the rest of the stuff goes, you should know if it’s WordPress or not, but wherever the website is hosted, chances are they’re going to do a limited amount of security for you. They are not going to update your website. Not security updates, more often than not.
The second thing you do with NIST Cybersecurity Framework is to protect it. That website server has got to be hardened. The CMS or WordPress, you’ve got to stay on top of it and make sure it stays patched, all the updates are done to WordPress, all the updates are done to the plug-ins, all the updates are done to the themes.
Detect. Now, if you use a professional website hosting service, especially those designed for the particular CMS you use – which, like I said, is probably WordPress – they’re going to provide monitoring and detection services as part of the hosting package. And they are probably going to keep the server operating system, the database application, and other things up to date. DNS and domain registration is another whole thing entirely. They’re not responsible for that. You should be responsible for that, or use a company that understands DNS – which typical web designers, it’s not unusual for a web designer to not be good at DNS.
I’d prefer professionally managed domain registration and DNS because you can be hacked. If you remember back in the days of long distance slamming, where you’d get a check in the mail and if you signed it, they’d switch you over to another long distance provider, or they would trick you with phone calls, and next thing you know you’re not on AT&T. Well, they have a modern version of that with domain registration. If you don’t know who your domain registration is with – say if you don’t know it’s with GoDaddy – you may get a letter in the mail that looks all official that your website domain is about to expire, and “Renew it here by dropping a check in the mail for $35.”
Well, guess what? You just got slammed, just like in the old days with long distance carriers. So you’ve got to know where your domain is registered, and the best thing to do is register it privately. That way you won’t even get those letters in the mail.
A good website hosting company is also going to respond, the fourth thing on the Cybersecurity Framework. They are going to detect and respond to hacking attempts on the server operating system, the database, PHP, those types of things that are part of the server itself. Some of them even will respond to just WordPress vulnerabilities. But the best way to do that is to keep it patched.
Then finally, you have to plan for recovery, just like you do in your business resilience, is the way it’s referred to with AWIA. Your business resilience, your website resilience. What happens if it gets compromised and hacked and corrupted? Where are those backups? How old are those backups? And how long is it going to take to get back up and running? You’ve got to plan for recovery, or what’s also known as business resilience. Your website is an asset. It’s very much like your office. All your customers use it to conduct business with you, to find out where they need to get their water, to order new service, to turn off service, and all of those things. It’s just as important as a telephone is to your business.
Part 2 of what you should do is use – and most everybody’s going to have SSL set up. Google I think stopped indexing sites that aren’t using SSL, or maybe they’re not even sending visitors. But SSL is a security certificate that has to be renewed yearly that helps establish a secure connection between the site visitor and your website server. So you have to use SSL. That increases security.
Manage your DNS records. If you’re not good at managing DNS, make sure your website developer is good at it, or use a company that manages DNS for you. Because if you don’t know what you’re doing with DNS, you can break a lot of stuff very quickly, especially email, spam filtering. Lots of other types of monitoring. It controls a lot more stuff than just your website, and I’ve seen website developers go in – I know this is a little technical, but they’ll go in and change name servers, and all of a sudden everything else that depends on your DNS is broken. If you did ours, we would be down for a while. We couldn’t get to our ticketing system, we couldn’t get to a number of different things. Remote monitoring and management. Couldn’t get to any of that stuff if our DNS gets tampered with.
Your DNS is also used to verify that you own the domain, with lots of different tools, like Google Webmaster tools; it’s important for Google Analytics. Anyway, it’s just very, very important.
Least privileged access security policy. This is an administrative control that means we not only want to restrict access to something to only the people that need it, but you also want to control what access they have. So if you have somebody writing blog posts for you and that’s all they do, then they just want to be a contributor. I can’t remember if it’s contributor or writer for blog posts in WordPress. WordPress has got like 5 different levels, I believe. You don’t want to give administrator privilege because that’s least privileged access. It’s not because you don’t trust them; it’s because they don’t need it, and the least amount of access you grant helps secure that asset, that website and domain name access.
Furthermore, each authorized user must have their own set of credentials. No sharing of credentials. You don’t give 2 writers “writer” as the username and the same password and they use the same one to log on. You’ve got to have accountability, and you need to put in practice a zero trust environment. Once again, that doesn’t mean we don’t trust these people. You’ve worked with some of these people 20 or 30 years. That’s not the issue. The issue is to control access to such an extent that it’s not easy to get the credentials.
So if you have someone that practices better security hygiene, which you’ll understand with our training – if you’ve got 2 people sharing the same sets of credentials, then whoever does the worse job at security hygiene is as strong as those credentials are going to be. If they use their first name and their pet’s name, that’s not good security hygiene. And if you have 2 people that have that set, then it’s worse. Each person must have their own set, and that should be true for everything that has credentials.
You can use secure domain registration, which once again, like I mentioned earlier, is a way of hiding name, address, and all of that so nobody can see it.
And finally, just remove your unused plug-ins and themes so you don’t have to update them. It makes updating and patching a lot, lot easier.
I forgot to mention, but everybody that stays on the call, we can spot check your website to see if it’s secure for free. All you have to do is drop it in the chat box. Give us your domain name for the website, the name you give to everybody, “Hey, what’s your website?” I want to go to your website. Drop it in there and we can do it.
While I’m waiting on that – oh, and by the way, these are all public tests, so even if you don’t do it yourself, I can look up your domain name and run it through for myself. We’re going to use IronTech Security as one, we’ll use Amazon.com as another, and maybe we’ll do – okay, Connie’s got one in there. But I want to remind you before we do that, we are free at any time. Would love to answer any concerns about network, network security, password policies.
The cybersecurity industry is huge, and it’s just a subset of IT. A lot of mistakes that I see people making is they assume – and if you’ve been in the webinar where I talk about this, and I think we’ve got another one coming up in about a month or so, Kindsey – your IT guy should not be your cybersecurity expert. The guys putting those servers in and setting up desktops typically are not cybersecurity experts. This industry is absolutely huge. You don’t go to a neurosurgeon for heart surgery. The IT business is deeper and wider than even the medical industry is. There’s pharmacists, there’s dermatologists, there’s all kinds of stuff. A system administrator is not an expert at cybersecurity. A network administrator is not an expert. A database management or DBA is not an expert at cybersecurity. This needs to be handed by professionals following NIST CSF.
But anyway, we can also look up your credentials. Give us your email address and we’ll see if any of your email addresses and passwords are for sale on the Dark Web. I think it was last week or the week before we did the Dark Web thing, which was a lot of fun. We went to the live Dark Web. Don’t do that, but we did, and we showed it, where you can buy all tis stuff. It is scary, scary, scary how simple it is.
You can call us and also sign up for a 30-day trial of our security training. This is not our security training. Our security training actually trains actual, real-world hacks. The way it works if you’ve got a yearly subscription is we get a baseline. Takes 30 to 45 minutes to take the test once a year. And then every week, there are micro quizzes that take about 2 to 3 minutes to do. You get a score. It scores all of your people in the organization so you can see how they’re doing, the participation rate, and see what your overall security score is.
You’re only as strong as the weakest link, and everyone’s weakest link is human beings because they simply don’t know what to look for. So by doing it every week, we can quickly respond to new threats. And there are a lot around COVID-19 right now. We’ve already done micro quizzes training on COVID-19 and showing you what not to do.
Finally, you can send an email to sales@irontechsecurity.com for any of those questions. Say, “I want to check my credentials, I want to try out the security training.” 30 days, no charge, no obligation, none of that stuff. Most of you on there, you know how we work. Really easy to get along with. No worries, nothing hidden. We’re a best of breed company, so rest assured you’re getting the best possible products that we have found to date, and we continuously look for more and more.
I think I’ve got one website to look at, Kindsey, so I’m going to switch screens here and get out of the slideshow. I’m not sharing the screen, am I?
KINDSEY: No.
TOM: Let me get it set up here. This’ll only take a moment. Just bear with me. This is kind of cool, really. All right, here we go. Hopefully it’ll be good news for everybody.
The first thing I’m going to do – and this is a free scan. This particular company, that’s one of their specialties, to monitor websites. A good dedicated WordPress hosting company will also do a lot of this stuff, and I think that’s more than adequate. But we’re going to use their free tool here, if I can get my focus on – you know, sometimes Zoom just frustrates me. Especially when I do a portion of the screen. Sorry about that.
This is our website. We’re going to hit a scan on it. It only takes a few seconds. Kindsey, can you see that okay?
KINDSEY: Yes, it’s perfect.
TOM: So this one’s coming up with no malware found. You can see it knows exactly what version of WordPress we’re running. This doesn’t take any effort, and this is an automated tool. All of this is done automatically. There’s not a human being worried about anything. You can look here, no defacements detected in the history, no malware. It’s clean by all these different blacklists, and there’s a lot more blacklists out there.
Now, in the case of the monitoring and the firewall, you can get a negative – we’ve got website monitoring and we have a firewall. When I do Amazon, you’ll see what I’m talking about. And then some other things. These are minor, minor things, but they probably need to be done. But overall, it’s got a great reputation score. Some of the blacklists do that. There’s a lot of other different things to do. This particular company does website backups. That’s all well and good.
But let’s take a look at Amazon. Theirs ought to be perfect, right? Okay, site’s not blacklisted. Everything looks good. But look, website monitoring is not detected. Like I said, it can get a false positive, because you know Amazon certainly monitors their website, the largest retailer in the world. That’s their business, is website stuff. So you know they monitor it. This one picked up the firewall. A good way to protect a website – either right or wrong; I wouldn’t pretend to judge whether Amazon having their firewall be detectable – that’s probably fine for them. But another good strategy is to not let them detect – the least amount of information you give up, the better off you are. We use a hosting provider ourselves. That’s probably why ours said not detected; they elected not to broadcast that out when you do a low level request like this.
Okay, Connie, I’m going to go for it. Here we go. Connie was nice enough to share her domain name to do a scan. Mary’s got hers up there. Medium security risk. That’s not bad. That does need to be addressed, though. Oh, that might be on a Windows server. That’s not bad in and of itself. It’s just unusual these days.
The mixed content found – some of the visitors are going to hit this problem, maybe. It’s more than likely a – that might be an iframe for a member portal of some sort off of the main site. It’s on port 443. You’re going to have to talk to your web person about that. We can get that report to you. Yeah, it is run on Microsoft IIS. The CMS is unknown, so if it’s WordPress, no one runs WordPress on Windows servers anymore. Oh, it’s at Amazon AWS. There’s a virtual server in Amazon’s cloud that’s running a Windows server in it where your website is. And it actually redirects to 443.
I’ll send this to you, Connie. And Mary wants me to check one. This one’s actually fairly easy to fix. Whoever’s managing your DNS can fix that. Basically, if you don’t type in – I think by default, though, most browsers will put in the HTTPS, so you probably don’t have anything to worry about. But that error can still be fixed through a DNS entry. I’m not sure what all of that is. It couldn’t discover what type of CMS you’re using.
But anyway, this error, you would drop down below if you fixed that TLS recommendation. And the same thing for you, Connie. That’ll make it low risk. And Connie, in your case – it would not surprise me that there’s someplace on the website where a user may get warned not to do this. Yes, I’ll send that to you, Mary.
Anyone else want me to do theirs real quick? I guess that’s it, Kindsey. Did we have any questions?
KINDSEY: No, it doesn’t look like it.
TOM: Alrighty. Thanks, everyone, for attending. The 2 websites that we did, you guys will get the reports here in a little while. We’ll see you next week. Thanks.