Hacking Happens – 5 Security Measures To Do NOW
Death, taxes, and your website being hacked are life’s new realities. WordPress has an installed base of 70M, and its code is open source, so hacking is sure to happen there. E-commerce sites are easy to find because THEY WANT TO BE FOUND, so hacking is sure to happen there too. Curagmai.com has had 16,494 “Blocked malicious login attempts” according to Jetpack (one of the plugins we installed to prevent spam and protect our little site). Given the certainty of every website being hacked, here are 5 Security Steps to take today.
Real “air gap” computers never directly touch the web. We’re modifying the term to mean isolating essential information such as your customer database, credit cards and other crucial and confidential information. Your production server can’t be “air gapped”, but some of your most valuable information can be, at least metaphorically. Remove production data from your development environment (use fake records in dev). Architect your production environment so critical assets have “belts and suspenders” security, such as dedicated databases only accessible via two-step authentication.
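Here is what “use fake records in dev” looks like in practice. This is an added example, not code from the original post or from any of the companies named in it: it takes a couple of constructed customer rows, replaces every real name, email and card number before the export leaves production, and then checks that nothing sensitive survived. The row layout, the `mask_row` function and the `.invalid` addresses are our assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of the kind of production records that must never
# reach a development database (hypothetical people, test card numbers).
PRODUCTION_ROWS = [
    {"id": 101, "name": "Alice Example", "email": "alice@example.com",
     "card_number": "4111111111111111", "zip": "27278"},
    {"id": 102, "name": "Bob Sample", "email": "bob@example.org",
     "card_number": "5555555555554444", "zip": "27516"},
]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed one-way token: the same input maps to the same token within one
    export, so joins and duplicate checks still work in dev, while the key
    stays with whoever ran the export and the original is not recoverable."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def mask_row(row: dict, key: bytes) -> dict:
    """Return a dev-safe copy of one customer record."""
    token = pseudonym(row["email"], key)
    return {
        "id": row["id"],                        # surrogate key is safe to keep
        "name": f"Customer {token[:6]}",        # no real name
        "email": f"user-{token}@dev.invalid",   # .invalid never delivers mail
        "card_number": "4242424242424242",      # well-known test PAN
        "card_last4": row["card_number"][-4:],  # enough for support screens
        "zip": row["zip"][:3] + "00",           # region only
    }


def mask_export(rows, key=None):
    """Mask a whole export with a fresh random key unless one is supplied."""
    key = key or secrets.token_bytes(32)
    return [mask_row(r, key) for r in rows]


def leaks_production_data(masked, originals) -> bool:
    """True if any original name, email or full card number survived."""
    sensitive = set()
    for r in originals:
        sensitive.update((r["name"], r["email"], r["card_number"]))
    return any(v in sensitive for row in masked for v in row.values())
```

Run `mask_export` on the production dump as part of the copy-to-dev job, and fail the job if `leaks_production_data` returns True; the last four digits and the ZIP prefix are kept because support and shipping screens in dev still need something realistic to display.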
Cell phones are perfect for two-step authentication. You’ve probably experienced two-step if you’ve reset your password with a large website such as Google, or anywhere you’ve asked for two-step verification. You request a new password, and before you see the reset screen, a text message is sent. You key in the code from the text before you can reset your password. That layer plus your email creates a much harder to hack login process. No system or process is fool-proof or can’t be hacked, but the days of writing “pencil” on a piece of paper in the principal’s office (War Games) are over.
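The server side of that text-message step, as an added example that is not part of the original post: the site generates a short code, stores only a hash of it with an expiry and a guess budget, and accepts it exactly once. The store, the ten-minute lifetime and the three-guess limit are assumptions for the illustration; the SMS sending itself is left to whatever gateway the site uses.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # the code dies after 10 minutes
MAX_ATTEMPTS = 3         # three wrong guesses burn the code

# In-memory store keyed by account (a real site would use its database).
# Value: [sha256 of the code, expiry timestamp, attempts left]
_pending = {}


def issue_reset_code(account: str, now=None) -> str:
    """Create a 6-digit code to send by text. Only its hash is stored, so a
    leaked store does not hand out usable codes. Returns the code to send."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"     # unbiased, leading zeros kept
    digest = hashlib.sha256(code.encode()).hexdigest()
    _pending[account] = [digest, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
    return code


def verify_reset_code(account: str, submitted: str, now=None) -> bool:
    """True once for a correct, unexpired code; the code is then consumed."""
    now = time.time() if now is None else now
    entry = _pending.get(account)
    if entry is None:
        return False
    digest, expires_at, attempts_left = entry
    if now > expires_at or attempts_left <= 0:
        _pending.pop(account, None)                # stale entry, throw it away
        return False
    submitted_digest = hashlib.sha256(submitted.encode()).hexdigest()
    if hmac.compare_digest(submitted_digest, digest):   # constant-time compare
        _pending.pop(account, None)                # single use
        return True
    entry[2] -= 1                                  # spend one guess
    if entry[2] <= 0:
        _pending.pop(account, None)
    return False
```

Only after `verify_reset_code` returns True should the password-reset form be shown; if a user asks for a second code, issuing it simply overwrites the first, so an old text message can no longer be used.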
Our Set Theory Thinking
Not all hackers are the same or equal. If we think of the “hacker” community as a bell curve, the majority, the top of the bell curve, are benevolent, trying to learn in quick ways and wearing a hat that is more gray than black. On the left side of the curve are those learning now. Hacking, like any coding, takes persistence, intelligence, and skill.
Some will try, see the learning curve and decide to do something else. On the right side of the bell curve are state-sponsored hacking (corporate espionage) and those looking to get rich hacking. Let’s call this the “malicious group.”
We know the malicious group has to be small because the resources required (time, expertise, testing, ability to remain undetected) are significant. We wouldn’t put “contextual thieves” such as Snowden and Manning in the “malicious” group though some would. Gladwell in The Tipping Point talks about the “broken windows” theory of context.
If you are in a subway and see turnstile jumping, you are more likely to jump. Context and wrong access at the wrong time for the wrong people explain the top of the “average” curve (at least to us and for the sake of this “set theory” discussion).
There is a small group of hackers both capable of and looking to create real pain, CNN-like pain. This group of uber-smart people has vast expertise and intelligence on many dimensions. One of those creative aspects has to be risk / reward arbitrage. This group can “count cards”. They know when something is worth doing and when it is not. I suspect that for people this smart, with this kind of network, code, and hacker-tool information, the world is a moving feast, a target-rich environment.
Even what we think of as “security” today must make this group laugh. Now for some good news. You don’t have to do MUCH to create a wall the “malicious group” won’t care to climb, since we are talking about VERY smart people capable of understanding cost / benefit equations instantly (think World Poker Champion level) AND they live in target-rich times. Taking a few simple steps to isolate, encrypt and protect should work for most Small to Medium Sized Businesses (SMBs).
If you have a WordPress blog and don’t use CAPTCHA for Comments, Jetpack or something similar, you are nuts and probably swimming in spam. If you’ve read 5 Reasons Why We Are Leaving WordPress you know security concerns are one of our five reasons. We are NOT experts in WP security and won’t become one either, since we are beating feet out of town (leaving WordPress) as soon as our friends at WTE.net have us moved. We did find an excellent Elegant Themes post about WP Security you should read, and use the plugins they suggest.
No Lingering Spam
I guest blog for several sites, and I’ve noticed they don’t clean their spam. Spam comments seem to linger for weeks and months. Since we can’t figure out WHY some spam comments are left, getting rid of them pronto would be a good idea. Chances are good spammers have some “real reason” for leaving a comment.
If spammers work hard to inject spam despite your use of tools to defeat scripting (writing a program to force comments into sites without protection such as Captcha for Comments) they have some reason for doing so. Wipe spam comments clean daily.
Watch your site’s statistics too. “Yeah this site had been taken over, and about half of what they were running was porn,” my friend and WTE.net CEO Eric Garrison told me on the phone yesterday. Eric knew something was out of whack because he saw server loads and traffic numbers OUT OF PROPORTION to the site’s history. When anything happens “out of proportion” online it is either an Oprah effect (positive PR or pickup by some significant traffic source talking about YOU) or bad people doing bad things.
One reason we like to eliminate spam comments FAST is to communicate with those who went to all the trouble of leaving spam over and above our anti-robot plugins, that we will reduce, report and diminish any return realized by placing spam on our sites. Remember our “set theory thinking”.
If you are just a little bit on the ball, most smart malicious hackers will move on since their environment is as target-rich as it gets. Don’t let a foot get in the door. Watch for and eliminate spam comments fast and watch like a HAWK when it comes to your analytics. When in doubt, read the next security tip and get an audit from someone who knows more.
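A simple way to spot the “out of proportion” day Eric noticed, as an added example rather than anything from the post or from WTE.net: compare each day’s request count and server load against the previous week using the median and median absolute deviation, which a single odd day inside the baseline can’t drag around the way an average can. The fourteen days of statistics are constructed for the illustration, and the window size and threshold are our assumptions.

```python
import statistics

# Constructed daily stats for one small site: (day, requests, average load).
# The last day is the kind of jump the text describes; all values are made up.
DAILY_STATS = [
    ("day01", 1180, 0.42), ("day02", 1050, 0.39), ("day03", 1320, 0.45),
    ("day04", 1210, 0.41), ("day05",  990, 0.37), ("day06", 1150, 0.40),
    ("day07", 1280, 0.44), ("day08", 1100, 0.38), ("day09", 1240, 0.43),
    ("day10", 1170, 0.41), ("day11", 1060, 0.39), ("day12", 1300, 0.46),
    ("day13", 1190, 0.42), ("day14", 5400, 2.10),
]


def robust_zscore(history, value):
    """Distance of `value` from the median of `history`, measured in units of
    the median absolute deviation (MAD). 0.6745 scales MAD so that, for
    normal-looking data, the result reads like an ordinary z-score."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history) or 1e-9
    return 0.6745 * (value - med) / mad


def out_of_proportion(stats, baseline_days=7, threshold=3.5):
    """Flag days whose requests or load sit far outside the preceding
    baseline window. Returns a list of (day, metric, score) tuples."""
    alerts = []
    for i in range(baseline_days, len(stats)):
        window = stats[i - baseline_days:i]
        day, requests, load = stats[i]
        for metric, history, value in (
            ("requests", [w[1] for w in window], requests),
            ("load", [w[2] for w in window], load),
        ):
            score = robust_zscore(history, value)
            if abs(score) > threshold:
                alerts.append((day, metric, round(score, 1)))
    return alerts
```

Both metrics trip on the last day and nothing earlier does. A hit on its own doesn’t say which of the two causes the post names you are looking at, the Oprah effect or bad people doing bad things, so the alert is the cue to go look at the access log and the referrers, not the verdict.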
Security audits sound like snake oil, but if you know someone you can trust, as we are lucky enough to with Eric and Cynthia Garrison at WTE.net in Hillsborough, NC, PAY THEM to spend a day looking HARD at your network, processes, and procedures. It is important to have NEW EYES see your site’s security every now and again. When I worked on a multimillion-dollar e-commerce website daily, I couldn’t “see” it at all. I looked at that site five to ten hours a day. Your network people are the same. They look at their network setup and possible intrusions all day every day.
Bringing a new set of eyes and perspective in can help find holes sitting right in front of you yet invisible. Eric creates billing systems for banks, so VAULT level security is a specialty and a real benefit to his company’s over 300 web development and hosting clients. We used to recommend hosting with your development company. Unless your web developers are as sophisticated about security as Eric and his team at WTE.net, we DO NOT recommend using your web developers for hosting any longer.
Hosting has become COMPLICATED. The balance beam between security and customer experience (not slowing the site down) is a tiny one. Hosting is now a FULL-TIME job for a dedicated tribe of the geekiest of the geeks. If your web development company isn’t all in on hosting, if hosting is just an add-on, we suggest you RUN to WTE.net, eBound Hosting, or Tranquil. Find someone GOOD and hang on to them like the GOLD they are and the gold they protect – your site, your brand, and your world.
Yes, the time for “pencil” written on a piece of paper is over. Today, using the same password everywhere or simple passwords (not those crazy ones programs create) feels dangerous and over. We aren’t experts in the best password apps either, so we suggest reading Jason Parker’s excellent Take control of password chaos with these six password managers on CNET.
Security is like taxes. We all have to PAY, and NO ONE wants to think, talk or know much about it. We just want to be SAFE and secure in our little web homes. Good luck with that in “rise of the hacker” times. Better to do a few simple things to make your wall a little too steep to climb in comparison to all those simple and easy hacks. What about you? What are your greatest fears? How have you found “security” online?