Types of Malware
Malware is a combination of the words “malicious” and “software.” It’s basically any program, code, or other software that intends to do your computer harm. You’ve probably heard of the different forms of malware — here are a few:
- Virus:
- Like a real virus, a computer virus is code that enters a computer and replicates itself. Viruses spread from one computer to the next, but usually require tricking a user into running an infected program. A virus can slow down a computer, corrupt and overwrite programs, or crash a computer entirely.
- Worm:
- While they also spread from computer to computer, worms often don’t require a user to initiate them. They can steal data and passwords, encrypt data (as in a ransomware attack), or open “backdoors” that allow other computers to control your computer.
- Trojan Horse:
- Named after a great wooden horse that soldiers hid inside so they could sack the city of Troy in Ancient Greece, Trojan malware requires a user to click on or open a file. While it usually doesn’t replicate itself like viruses or worms, Trojan horse malware can give hackers backdoor access, steal data, or damage files.
- Spyware:
- Just like its name implies, this type of malware gathers information (like passwords and private data) from your computer and sends it off without your consent.
- Ransomware:
- This type of malware locks or encrypts files on your computer, making them inaccessible to you until you agree to pay a ransom. Ransomware can also threaten to publish your private data if the ransom is not paid. Usually spread through Trojan horses, ransomware can also be “wormable,” meaning it can travel from computer to computer.
- Bots:
- In normal settings, a bot is simply a program that completes automated tasks. A malicious bot can make your computer participate in a “botnet” that executes someone else’s bidding remotely. Botnet operators can use your computer to spread spam, launch other malware attacks, or perform illegal tasks such as crypto mining for their own gain. Botnets are also used in DDoS attacks. (More on that in the next section.)
Other Malicious Threats and Attacks
Malware isn’t the only threat to website security — here are just a few more:
- Distributed Denial of Service (DDoS):
- By overwhelming your site with a flood of automated traffic (usually via bots), hackers can bring down your site.
- Brute Force Attack:
- This attack uses an application that attempts every possible password combination until it cracks your passwords and enters your systems.
- Code Injection:
- Malicious data is sent to your site to trick it into doing something like revealing private information or granting illegal access.
- Cross Site Scripting:
- Hackers use this vulnerability to run their own code on your website, which they then use to access sensitive information (like passwords), deface a site, or send users to another website.
- Zero Day:
- This is a vulnerability that a software supplier may know about but hasn’t yet patched. Attacks on these vulnerabilities are called zero-day attacks.
Search Engine Blacklists
One side-effect of getting hit by malware is the potential of getting put on Google’s blacklist. To reduce web security threats, Google is continually looking for sites that may be spreading malware. Sites deemed suspicious are put on its list. Unfortunately, if your site is a victim of malware, Google may designate your site as suspicious and warn, or even block, users when they attempt to access your site.
Once your site is cleared of malware, it’s time to start the process of removing your site from Google’s blacklist. This is something you can do yourself, or you can hire a service to do it for you. Better yet, many website security services have blacklist removal built into their plans.
How to Protect Your Site Against Malware and Other Threats
The best way to prevent malware from ruining your day, or more likely your week, is to have it never get into your site in the first place. Continually updated vulnerability scanners, also known as website scanners, perform vulnerability and suspicious activity scans. The best vulnerability scanning tools run once a day or more.
There are two types of vulnerability scanners, “Authenticated” and “Unauthenticated.”
- Authenticated Vulnerability Scanning:
- Also known as “logged-in scanning,” an authenticated scan determines security from the inside out. Authenticated scans are generally used to identify how to protect assets within the system in order to limit damage if an attacker were to somehow gain access to it.
- Unauthenticated Vulnerability Scanning:
- An unauthenticated scan can only see information that is publicly visible and can’t provide detailed information. It’s usually used to determine the overall cybersecurity strength.
When a website scanner encounters an issue, an alert is sent, usually with a recommendation for how to address it.
Sucuri SiteCheck, owned by GoDaddy, is a good, free vulnerability scanner that can detect outdated CMSs, server-side languages like PHP, and much more. Two more scanners that provide a good amount of information from multiple attack surfaces are Pentest Tools and UpGuard. Here are C-DR’s results from UpGuard.
However, not all website scanners are created equal. In fact, we don’t recommend SiteLock or Comodo’s cWatch, based on in-depth studies of consumer reviews.
Sometimes vulnerability scans are confused with penetration testing, but the two are quite different.
- Penetration Testing:
- A penetration test is an authorized attack used to determine the overall security of the system. It’s more complicated than a simple website scan, and is usually carried out by a contracted individual. Various tests are run to identify weaknesses, and a risk assessment is compiled at the end of the test.
But those methods are just used to identify weaknesses. The best way to actively improve web security against the long list of nefarious actors out there is with a strong firewall and security monitoring — here’s how they work.
- A network firewall prevents destruction from getting to you. It essentially acts as a “gatekeeper” for your network, monitoring all incoming and outgoing traffic and deciding what to let pass through, based on a set of security rules. If something looks suspicious, the firewall stops it from entering your network.
Often, more security measures are taken in addition to firewalls. These monitor your network, acting as a “watchdog” for any suspicious activity. Usually, this is done through Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Here’s how they work…
- Intrusion Detection System:
- An IDS monitors traffic, comparing all activity on a network to a large database of known threats to see if there are any matches. It can find threats like security violations, malware, and port scanners.
- Intrusion Prevention System:
- An IPS operates in much the same way that a firewall does. It has a tighter security profile and denies entry when it detects a security threat.
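The signature matching an IDS performs, together with a threshold check for the brute-force attacks described earlier, sketched over web server access-log lines. This is an added example, not part of the original article; the log format, login path, 401 status, threshold and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed signature "database": one XSS pattern (a real IDS ships thousands).
SIGNATURES = {
    "xss": re.compile(r"<\s*script|\bonerror\s*=|javascript:", re.I),
}
LOGIN_PATH = "/login"        # assumption: the site's login endpoint
FAILED_STATUS = "401"        # assumption: a failed login is answered with 401
FAILED_LOGIN_THRESHOLD = 5   # assumption: failures per source IP before alerting

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def scan(lines):
    """Return a sorted list of (source_ip, alert_name) for the given log lines."""
    alerts = set()
    failed_logins = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of guessing
        ip, method, path, status = m.groups()
        # Decode percent-encoding once so an encoded request still matches.
        decoded = unquote_plus(path)
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.add((ip, name))
        if (method, path.split("?")[0], status) == ("POST", LOGIN_PATH, FAILED_STATUS):
            failed_logins[ip] += 1
    for ip, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.add((ip, "brute_force"))
    return sorted(alerts)


# Constructed sample log; all addresses are from documentation ranges.
TS = "[10/Oct/2023:13:55:36 +0000]"
SAMPLE = [
    f'198.51.100.7 - - {TS} "GET /index.html HTTP/1.1" 200 512',
    f'198.51.100.7 - - {TS} "POST /login HTTP/1.1" 401 120',  # one mistyped password
    f'203.0.113.9 - - {TS} "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 731',
] + [f'192.0.2.44 - - {TS} "POST /login HTTP/1.1" 401 120'] * 6  # repeated failures

if __name__ == "__main__":
    for ip, name in scan(SAMPLE):
        print(f"ALERT {name} from {ip}")
```

An IDS would only raise these alerts; an IPS would use the same matches to drop the request or block the source address.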
Nowadays, IDS and IPS are often integrated with firewalls to beef up security and add an extra layer of defense. If you’re interested in learning more about them, you can read an informative article here.
While these security protections add multiple layers of safety to a website, it’s always great to have a backup plan in case something does happen. And when we say backup, we mean it literally…
Website backup protects your site by keeping a “clean copy” of your site from a time before the malware struck. Backing up your site each night, or at least once per day, is ideal. But if you think that’s something you may forget (or just don’t have time for), a service that does a website backup automatically is a wise option.
What to Do If Your Site Gets Hit by Malware
If your website gets hit with malware and you had the incredibly intelligent foresight to back it up, it’s relatively easy to recover. Just follow these instructions (depending on the hosting service you are using) and your website will be back up in no time.
And if your site wasn’t backed up, it’s not the end of the world. Malware can be removed with auto-removal software, or in the case of extra powerful malware, it may need to be removed manually. While you can purchase a service to remove malware once you realize you’ve been infected, having a malware removal service on standby means your site will experience far less downtime, and get back to working order as fast as possible.
How to Tell Your Customers Your Site Is Safe
See that little padlock icon up there in your browser’s address bar? That tells you www.cheap-domainregistration.com is secure. Go to a site without that icon and you’ll often see a note before the address that reads “not secure,” or something similar. A little less obvious is the address itself. A secure site has an address that begins with “https”. A site without a current SSL certificate will have an address beginning with “http.”
Secure Sockets Layer (SSL) certificates do more than tell your visitors and customers your site is secure; they protect your customers’ data in two ways:
- Domain Validation:
- A site with a valid SSL certificate indicates that the owner of that site is the person to whom the certificate authority has issued the certificate.
- More importantly, an SSL certificate keeps all the data sent between your website and its visitors secure by encrypting it. Even if a hacker got hold of the data being sent, they wouldn’t be able to make any sense of it. Before any information is sent, a secure connection is created and any data sent is encrypted. It can’t be unencrypted until it reaches its destination.
If your site deals with critical information such as credit card numbers, bank info, or home addresses, it’s fairly obvious why you need an SSL certificate protecting your site. But other types of sites benefit too. That’s because Google has decided ALL websites should be working with valid SSL certificates to increase overall web security. Search rankings for “https,” or secure sites, are much better than search rankings for “http,” or non-secure sites. Think of it as an important step in making your website legitimate.
Getting a Valid SSL Certificate
A handful of companies oversee issuing SSL certificates and verify the identities of individuals and organizations to whom those certificates are issued. These providers issue certificates directly or through resellers. Generally the company that provides your hosting can issue a certificate to you.
Some organizations will install the certificate for you, generally for a small fee. Alternatively, you may install the certificate yourself with the help of a guide.