In 2014, the total number of websites on the internet reached 1 billion. Today it’s hovering somewhere in the neighborhood of 944 million due to websites going inactive, and it is expected to normalize again at 1 billion sometime in 2015. Let’s take a minute to absorb that number for a moment – 1 billion.
Another surprising statistic is that Google, one of the most popular search engines in the world, quarantines approximately 10,000 websites a day via its Safe Browsing technology. From our own research, out of the millions of websites that push through our scanning technology, roughly 2 – 5% of them have some Indicator of Compromise (IoC) that signifies a website attack. Granted, this might be a bit high, as the websites being scanned are often suspected of having an issue, so to be conservative we would extrapolate that to suggest about 1% of the total websites online are hacked or infected. To put that into perspective, we are talking somewhere in the neighborhood of 9 million websites that are currently hacked or infected.
With this sort of impact, it’s only natural that people are curious how websites keep getting hacked. The challenge is that the answer has been the same for quite some time.
In the past month, I began a series of articles asking various aspects of website hacks and infections:
- Why, in Why do Websites get Hacked and the motivations behind them.
- What the implications of a hack were to website owners of all calibers in The Impacts of a Hacked Website.
- Today, we’ll take a moment to understand the, How.
It is the one question that almost every website security professional gets at some point in their career, and in some cases, repeatedly. As pros, we take for granted the knowledge we have gained over the years and forget what it is like not to know.
Websites get hacked because of three things:
- Access Control
- Software Vulnerabilities
- Third-Party Integrations
The Website Environment
We cannot have a conversation about how websites get hacked without having an open dialog about everything that makes up a website.
There are various elements that make a website function and work in unison. Components like, the Domain Name System (DNS) – the thing that tells requests where to go. The web server houses various website files and the infrastructure houses various web servers. These websites live in a complex ecosystem of interconnected nodes around the internet, but likely something you’ve never given much thought.
Many of these features are provided by a number of service providers that make it very easy for you to create an online presence. They sell you things like domain names, hosting space, and other services designed to make operating your website easy.
While I won’t dive into too many details about the threats that these elements introduce, please understand that every one of the components described above has an impact on your overall security posture and can potentially contribute to how your website gets hacked.
Forensics Versus Remediation
There is a difference between Forensics and Remediation, and it is not as subtle as some might believe it to be.
Forensics has been around for a very long time. It follows a very stringent process of identifying what happened, but more importantly how it happened, and often includes some form of attribution (i.e., who did it?). Remediation however, is the art of cleaning or removing the infections. When it comes to everyday infections, forensics isn’t a necessity. In most cases it is quick to ascertain what happened and how to get it to stop. With that in mind, for complex cases, good remediation cannot be achieved without proper forensics. Here is an example:
When you ask, “How do websites get hacked?” you are essentially asking for forensics. The problem is, true forensics is complex, time consuming and requires a lot of data – data that is often unavailable via most configurations. You can often segment which component is required based on audience. For small business owners with shared hosting environments, forensics is almost impossible because there is limited access. However, for large organizations/enterprises, forensics is required and the necessary data is sometimes more attainable.
A few reasons you might require forensics:
- You need to understand what happened and have all associated data elements and access.
- You are an Ecommerce website and have to be PCI compliant.
- You are an organization that has IR protocols in the event of a compromise.
How Websites Get Hacked
What I find fascinating about website hacks is that they always come down to the same elements regardless of the organization’s size. It does not matter if you are a Fortune 500 or a small business selling cupcakes. The only difference is the why.
In large organizations, it is often because they dropped the ball. They knew exactly what the threat was, but they never thought it would extend to their websites, with the common response being – “I thought someone else was handling it”. When it comes to small businesses, it is often – “Why would anyone want to hack me? I never knew it’d be an issue for me, I’m not Target, I don’t have credit card information”.
Access control speaks specifically to the process of authentication and authorization; simply put, how you log in. When I say log in, I mean more than just your website. Here are a few areas to think about when assessing access control:
- How do you log into your hosting panel?
- How do you log into your server? (i.e., FTP, SFTP, SSH)
- How do you log into your website? (i.e., WordPress, Dreamweaver, Joomla!)
- How do you log into your computer?
- How do you log into your social media forums?
The reality is that access control is much more important than most give credit. It is like the person that locks their front door but leaves every window unlatched and the alarm system turned off. This begs the question, why did you even lock the door?
Exploitation of access control often comes in the form of a brute force attack, in which the attacker attempts to guess the possible username and password combinations in an effort to log in as the user. You can also see various social engineering attempts of phishing pages designed to capture a user’s ID/username and password combination, or some form of Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attack in which the attacker tries to intercept the user credentials via their own browser. There is also the obvious Man in the Middle (MITM) attack, where the attacker intercepts your username and password while working via insecure networks and your credentials are transferred between one point to another via plain text.
Software vulnerabilities are not for the faint of heart. I would argue that 95% of website owners are unable to address today’s software vulnerabilities; even everyday developers are unable to account for the threats their own code introduces. The problem, as I see it, is in the way we think. It takes a special person to want to break things. Most of us use things as they are designed.
These software vulnerabilities extend beyond the website itself and easily bleed into the various technologies we discussed above (i.e., web server, infrastructure, etc.). Anywhere there is a system, there’s a potential software vulnerability waiting to be exploited. This can also extend to your browser (i.e., Chrome, Internet Explorer, Firefox, etc.).
Exploitation of software vulnerabilities come in various forms, but for the sake of sanity, we will target a website’s and not the various supporting elements. When it comes to websites, exploitation of a software vulnerability is achieved through a cleverly malformed Uniform Resource Locator (URL) or POST Headers. Via these two methods, an attacker is able to enact a number of attacks; things like Remote Code Execution (RCE), Remote / Local File Inclusion (R/LFI), and SQL Injection (SQLi) attacks. There are a number of other attacks, but these are some of the more common attacks we’re seeing affecting today’s websites.
Third-Party Integrations / Services
Third-party integrations/services are increasingly becoming a problem. The most prominent form are ads via ad networks leading to malvertising attacks. It extends beyond that to services you might use, including things like a Content Distribution Network (CDN) – as in the recent Washington Post hack last week.
Third-party integrations and services have become commonplace in today’s website ecosystem, and are especially popular in the highly extensible Content Management Systems (CMS) like WordPress, Joomla! and Drupal.
The problem with the exploitation of third-party integrations and services is that it is beyond the website owner’s ability to control. We assume when we integrate third-party providers that they are ensuring the service you consume is safe, but like everything else there is always the chance of compromise.
How to Protect Your Website
It is easy to read this article and feel overwhelmed, but understand that half of the website security battle is awareness and education. The problem is that it is almost impossible to get in front of enough people to scale awareness and education. Once you get in front of people, the next battle is getting them to care. It is often only after someone feels the pain of a compromise that they begin to care or realize the harsh effects.
The first thing I always like to tell website owners is that security is about risk reduction not risk elimination. You must get your head around this simple fact because there is no such thing as a 100% solution to staying secure. Almost all the tools you employ within your environment aim to reduce your overall risk posture; whether it’s continuous scanning or a more proactive approach such as mitigating incoming attacks.
Here are the tips I tend to offer everyone that will listen when it comes to managing website security:
- Employ Defense in Depth Principles – layers like an onion.
- Leverage best practices like Least Privileged – not everyone needs administrative privileges.
- Place emphasis on how people access your website, leveraging things like Multi-Factor and Two-Factor Authentication.
- Protect yourself against the exploitation of software vulnerabilities through use of a Website Firewall – focus on Known and Unknown Attacks.
- Backups are your friends – your safety net – try to have at least 60 days available.
- Register your website with Search Engines – Google and Bing have Webmaster Tools, leverage their infrastructure to tell you the health of your website.
Security is not a singular event or action, but rather a series of actions. It begins with good posture and the responsibility begins and ends with you. Realize that if you desire to know the How, you will inevitably cross one of the scenarios I described above, and that’s okay!
Thanks for reading!
– Your Trusted Security Professionals