Common Causes of Your Website Getting Hacked
De’Von Carter of CarTek Consulting is the featured guest in video 3 of a 3-part series that focuses on website security. The focus of this video is common causes of your website getting hacked.
In an effort to continue educating business owners on some pitfalls to be careful of when it comes to website security, CarTek Consulting has provided its list of common causes of websites getting hacked.
- Personal Computer Security – Most people take for granted how much of a treasure trove of information a personal computer can be for a hacker. Most end users unknowingly visit malicious websites, click on links in phishing emails, share passwords, and so on. Doing these things gives cyber criminals access to your credentials, which are then used to log into your personal accounts. Because most end users use the same username and password for all of their accounts, a breach of your personal computer can allow hackers to gain access to your corporate information as well. Depending on your role in your job, this could include access to valuable intellectual property.
- Third-Party Access – As discussed in the vlog, one of the most widely used content management systems (CMS) at the moment is WordPress. WordPress is a modular CMS. The good thing about having a modular CMS is that it gives you tremendous flexibility in your design and functionality. On the other hand, while developers are building these modules they take a lot of care to ensure they are secure and functional, but once the modules are released, developers typically move on to the next project and can be too busy to develop the patches and updates needed to protect you from new vulnerabilities and attacks. This means you must be diligent in researching your modules and plugins to ensure that patches and updates are regularly released. Then you must be careful when you install the patches, because a new patch that closes a security hole could cause an issue elsewhere in your website.
- Application Vulnerabilities – Because WordPress is so popular, it is a huge target. For example, nearly 25% of websites developed in 2014 were based on WordPress. That means that if a hacker finds a flaw in WordPress, he can exploit millions of websites until a patch or fix is developed.
- Indirect Server Hacks – I am sure you have heard of the “Cloud”, and maybe you think it is a new invention that was just created within the last couple of years. Well, let me assure you this is not the case. Did you know that the “Cloud” as we know it is nothing more than a lot of virtualization on shared infrastructure? Let me explain: when I say virtualization, I mean that someone is able to take a single physical device like a computer or server and install virtualization software. Once installed, the software gives you the ability to create virtual servers and computers within a single physical device. What does this mean to us in this security blog? It can mean trouble. If your website is hosted in a shared environment, which I can guarantee it is, and someone else’s website that is stored on the same shared virtualized server as yours is breached, that means your site has been breached as well. In other words, your website can be indirectly breached just because it resides on the same shared virtualized server as someone else who was the actual target. You become collateral damage.
- Responding to Phishing Email – What is a phishing email? Great question – it is a malicious email message that is sent under the guise of being legitimate, when in fact it is just an attempt to get you to click a link in the email that will send you to a malicious website for the purpose of stealing your credentials. Once the hacker has your credentials, they are able to gain access to your computer. Phishing emails are one of the easiest ways to get hacked. Recent statistics show that phishing emails have a click rate of 25 to 30%. That means at least 1 in 4 recipients will click the malicious link and end up infected with a virus or with their credentials stolen. Once the attacker has your credentials, it is open season.
- Lack of Proper Vulnerability Management – According to Symantec, online hacks cost medium-sized and smaller businesses more than $188,000 each year on average. More than 60 percent of these companies go out of business within six months of the hack. If these companies had implemented vulnerability management into their regular activities, there is a good chance their vulnerabilities could have been removed or fixed before the breach occurred. This means the hacked companies would still be in business.
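The phishing bullet above describes the core trick: a link whose visible text claims one destination while its real target is somewhere else. The Python below is an added example (not code from CarTek Consulting or the video) of the kind of check a mail filter or security-awareness tool can run over an HTML email body before anyone clicks. The sample message, the domain names in it and the `trusted_domains` list are all constructed for the demo; the "registered domain" helper is a deliberately simple two-label heuristic rather than a full public-suffix-list lookup.

```python
"""Flag suspicious links in an HTML email body (added example, not the page's code).

Three defender-side tells are checked for every <a> tag:
  1. the visible text shows a URL whose host differs from the real href host,
  2. the href points at a bare IP address instead of a hostname,
  3. the href's domain is not on the sender's list of trusted domains.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email posing as a bank's account-verification notice.
# All hostnames here are made up for the demo.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, please verify your account:</p>
<a href="https://secure-login.example-bank.com.attacker-demo.test/verify">
  https://secure-login.example-bank.com/verify</a>
<p>Or visit our help centre:</p>
<a href="https://www.example-bank.com/help">help centre</a>
<a href="http://203.0.113.7/login">Sign in</a>
</body></html>
"""

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every anchor tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only collect text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registered domain: the last two labels (demo heuristic, not PSL-aware)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_suspicious_links(html_body, trusted_domains):
    """Return a list of findings, one per anchor that trips at least one check."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        reasons = []
        # 1. Visible text shows a URL whose host differs from the real target host.
        shown = HOST_RE.search(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            reasons.append("display-url mismatch")
        # 2. Raw IP address where a legitimate sender would use a hostname.
        if IPV4_RE.match(host):
            reasons.append("ip-address host")
        # 3. Target domain is not one the sender is known to use.
        if registered_domain(host) not in trusted_domains:
            reasons.append("untrusted domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_EMAIL, {"example-bank.com"}):
        print(f["href"], "->", ", ".join(f["reasons"]))
```

Run against the constructed message with `{"example-bank.com"}` as the trusted list, the first anchor is flagged for both the display/target mismatch and the untrusted domain, the help-centre link passes cleanly, and the bare-IP "Sign in" link is flagged twice. In production the two-label domain heuristic should be replaced by a public-suffix-list lookup, otherwise hosts under suffixes like `co.uk` compare incorrectly.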
If you are interested in learning about CarTek’s vulnerability management service offering, reach out using our “Contact Us” page.