This article describes some of the emerging security issues for and threats to websites as well as some of the options to address them. The information is first in a series of articles that will discuss how to make a website more secure.
This target audience is owners and managers of websites. The contents reflect a high level perspective of how websites get infected with malware code, why this happens and some best practices to prevent infection(s). We have tried to balance providing enough detailed information so that website owners can take concrete steps, at the same time avoid providing a level of detail that would only be useful for experienced security professionals.
(1) How are most websites built:
Websites today are built quickly, using mostly off the shelf software and easily available reusable components. Think of it as building a car with parts that are easily sourced, free, and widely used. Building a website by integrating together parts like these, i.e. existing frameworks, content management systems and third party plugins has many benefits.
- Quick turn around time for the web-designer/programmer, allowing them to design and launch more sites – Customer gets to launch the website quicker, allowing them to address their target audience faster
Take away: Find out what software is being used to power you website. Identify the version numbers and deduce if you need to upgrade.
Example: If your website is running a blog, and is powered by WordPress, you should navigate to the admin area. Usually something like mywebsite.com/wp-login.php . Log in and see if there is a message on your dashboard under “WordPress Blog” about a new version. Click on that piece of information to see how you can upgrade.
(2) Why are websites insecure:
(2.1) Lack of communication:
Website owners/admins, who maintain websites after they have been handed over by a designer/developer, do not necessarily understand the complex nature of the software used to put a website together. This occurs due to a lack of communication and information transfer between the two main parties: (1) The web designer/programmer (WD) and (2) The website owner/maintenance person (WO).
It is imperative to understand the basics of what is actually powering a website. If there is any Content Management System (such as WordPress, Typo3), a bulletin board (such as vBulletin), ad server system (such as OpenX), these must be communicated, at least at a high level to the WO by the WD.
Handing over basic information like this puts the onus of keeping all these pieces of software current, patched and updated on the WO. With most software like WordPress, whenever a new update/version is made available by the developers of the software, a message is highlighted on the main dashboard letting the WO know about this update and instructions about what to do.
Without this basic information about what software is powering the website, many a time WOs are left in the lurch with no idea as to what is outdated, and can cause security issues, that will be expensive to handle later on.
Take away: Ask your web designer/developer if your site is running any ad servers, blogs, bulletin boards. Make a list of all third party plugins (like timthumb, any image gallery plugins, jquery scripts). Find out which of these need to be updated by you, the website owner/admin, and what tools you can use to keep these pieces of software updated.
Example: If your website is running a blog, and is powered by WordPress, you can try to find out of your website is using a third party software called “timthumb”. This software is used for resizing images while being uploaded to your blog/website. To find out if you are running an outdated, vulnerable version of this software, simply install the timthumb vulnerability scanner, available via the wordpress site. Once installed, navigate to Tools-> Timthumb Scanner. A scan will ensue and highlight the fixes that are needed. All you need to do is click on the “Fix” buttons. This scanner checks for instances of timthumb that are older than version 2.0
(2.2) Lack of maintenance processes:
Often times owners of websites (WOs), do not have a formal process for maintenance and review of the websites they rely on to do business and interact with the world. This is one of the primary causes for websites to get compromised. We shall now detail what kind of maintenance processes could be considered as a good rule of thumb:
Take away: Maintain constant vigilance, follow maintenance processes religiously.
Example: Get hold of Avira, Avast and ClamAV anti viruses. They all have free editions and set them up on your PC to do scans every night. This will prevent hackers from stealing your username and password to get administrative rights to your website and thereby inject malicious code on your site.
(2.2) Vulnerabilities in website software:
Website software, or the computer code powering a website is often termed as “Web app” (short for website application code). This web app software often accepts input from users visiting a site in the form of blog comments, usernames, date of birth, and other information. It is good practice on part of web developers to cleanse the input data to prevent any malicious computer code from causing harm during analysis of the input. Unfortunately, web developers are often not trained to write secure code, or do not test their code sufficiently because of time constraints. Unsafe web apps often allow malicious hackers to break in and inject websites with malware. The good news is that if your website is powered by well known software like WordPress, Typo3, vBulletin and such, the developers of these software package release patches and updates to fix vulnerabilities in their software pretty regularly. You can even analyze the vulnerabilities on your website using vulnerability assessment scans that can point out flaws like SQL injection, Cross Site Scripting and more.
Take away: Determine if your website is powered by vulnerable software. If you are running an old outdated versions of popular software, you are most definitely putting your website at risk. You can also investigate the option of getting a vulnerability scan for your website to identify any issues, before the malicious hackers break in.
Example: You can get hold of free tools like XSSme, SQLinjectme and such to test whether your website has the most common web application vulnerabilities or not. Remember though, interpreting the report data may not be easy for most website owners.
This is the first part of our “Website Security: What do I need to know? What do I need to do? ” series. Stay tuned for the next episode.
If you find this article interesting you also may want to check out our other blog articles we did, e.g. “What is Malware? And How is Web-Malware Different?”