The internet may still be a wild frontier in many ways, but when it comes to your enterprise site the last thing you want is for that wild side to compromise your web security. While the world has learned to deal with many of the dark forces of the world wide web, cybercriminals always seem to find new ways to trick unsuspecting or undereducated consumers and enterprise site owners.
Sure, standard firewalls and antivirus programs work great most of the time for home networks… but is that enough to protect your digital strategy?
To understand web security, we must first understand the most common attack vectors and hazards involved.
Attack vectors are the paths and methods used by hackers and crackers to breach your web security and access your system. Through a vulnerable vector they can access sensitive data or install malicious payloads.
Examples of web security vectors include:
- Infected Web Pages
- Pop-ups
- Malware
- Phishing
While firewalls and anti-malware software can help stave off many attacks, they don’t actually provide complete protection. Viruses and hacking methods evolve constantly and the defensive software can’t always keep up. Without assistance from expert developers, you’re much more likely to suffer from security holes in popular website building platforms as well as enterprise-related software. Let’s look at the most common threats and how to deal with them.
1. Malware
Malware comes in many forms. Spyware steals information about systems and users: it can track your browsing history, take screenshots of your computer, and listen to your microphone. Keyloggers are a particularly problematic type of spyware that records key presses in order to steal passwords and spy on messages.
Ransomware locks you out of your system and demands a payment to unlock it. This type of malware may also steal or fabricate sensitive data about you and threaten to publish it if you don’t pay a certain amount within a specific timeframe. While most ransomware is fairly easy to disable, advanced versions use a cryptoviral extortion method where your files become encrypted in complex ways that can be impossible to reverse without the right decryption key.
Trojans hide inside ordinary apps, much like the Trojan horse of legend, and then infect your system. Additionally, a Trojan may download spyware and create back doors for future attacks, but unlike viruses, Trojans don’t self-replicate.
Viruses usually infect programs or files, which they use to self-replicate and infect other code on the system. Others go straight for the master boot record; when the infected code loads, the virus spreads and wreaks havoc. Viruses can also disguise themselves by mimicking your files or hijacking anti-virus software.
Polymorphic viruses encrypt and decrypt themselves in cycles. As the virus copies itself, it invents new encryption and decryption routines to stay hidden from security software.
Worms are self-contained programs that don’t need a host file and typically spread through email attachments and similar routes. Open this can of worms and it’ll spam your contacts with copies of itself. Worms can cause serious damage to the system as well as overload the server as a form of denial-of-service (DoS) attack.
2. Denial of Service – DoS and DDoS Attacks
DoS attacks aim to crash servers and resources by overloading them. Distributed denial-of-service (DDoS) attacks are massive attacks from multiple machines at once and are usually the work of botnets, but manual DDoS attacks orchestrated by people do happen.
The sole purpose of these attacks is to take your site or enterprise down by preventing users from accessing your website. Sometimes, an attacker can target your internal systems including phones and printers. DDoS attacks can also temporarily open up other web security vectors. For example, a session hijacking may follow.
You may be wondering: How do I mitigate DoS attacks? Here are some tips.
One of the first web security vectors to check is TCP SYN flooding. First, increase the connection queue size and shorten the timeout on open connections. Then, configure a firewall to block incoming SYN packets.
You can prevent Ping-of-Death attacks with a firewall that limits the size of fragmented IP packets.
As for Smurf attacks, you can simply block directed broadcast traffic and set hosts and routers to ignore ICMP echo requests.
Some general protection against botnets is also necessary. Blackhole filtering redirects the undesirable traffic to a dead-end before it breaches the system. Ingress filtering helps to prevent spoofing by verifying that packets come from legitimate addresses.
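The Smurf and ingress-filtering tips above, worked as an added example (not code from the original article): a border filter that drops packets with a source address that cannot legitimately arrive on a given interface and blocks echo requests aimed at a subnet's broadcast address. The interface names, prefixes and sample packets are constructed assumptions.

```python
"""Added example: ingress filtering (BCP 38 style) plus directed-broadcast blocking."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): an edge router with a LAN side and a WAN side.
# Each interface lists the prefixes that may legitimately appear as a SOURCE on it.
INTERNAL_SUBNETS = [ip_network("10.20.1.0/24"), ip_network("10.20.2.0/24")]
INTERFACE_SOURCES = {
    "lan0": INTERNAL_SUBNETS,            # our hosts may only send with our addresses
    "wan0": [ip_network("0.0.0.0/0")],   # anything, except our own addresses (checked below)
}

@dataclass
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str

def is_spoofed_source(pkt: Packet) -> bool:
    """Ingress filtering: the source must be plausible for the arrival interface."""
    src = ip_address(pkt.src)
    if not any(src in net for net in INTERFACE_SOURCES[pkt.iface]):
        return True   # e.g. a LAN host sending with a foreign source address
    if pkt.iface == "wan0" and any(src in net for net in INTERNAL_SUBNETS):
        return True   # our own addresses arriving from outside are always forged
    return False

def is_directed_broadcast(pkt: Packet) -> bool:
    """Smurf amplification relies on reaching a subnet's broadcast address from outside."""
    dst = ip_address(pkt.dst)
    return pkt.iface == "wan0" and any(dst == net.broadcast_address for net in INTERNAL_SUBNETS)

def filter_packet(pkt: Packet) -> str:
    """Return the verdict a border filter would apply to one packet."""
    if is_spoofed_source(pkt):
        return "drop:spoofed-source"
    if is_directed_broadcast(pkt):
        return "drop:directed-broadcast"
    return "accept"

# Constructed sample traffic: an echo request at a broadcast address, a forged internal
# source arriving from the WAN, a LAN host spoofing a foreign source, and a normal packet.
SAMPLE_PACKETS = [
    Packet("wan0", "198.51.100.7", "10.20.1.255", "icmp"),
    Packet("wan0", "10.20.2.15", "10.20.1.10", "tcp"),
    Packet("lan0", "192.0.2.9", "203.0.113.1", "tcp"),
    Packet("wan0", "198.51.100.7", "10.20.1.10", "tcp"),
]

def filter_all(packets=SAMPLE_PACKETS):
    return [filter_packet(p) for p in packets]
```

The same two checks are what a real router applies with unicast reverse-path forwarding and a "no directed broadcast" setting; the point here is to show the decision logic explicitly.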
3. Deception – Phishing and Spoofing
Human error is among the most significant web security vectors, yet it is mostly overlooked. A deceptive person can easily trick workers into giving them critical access.
Phishing is the act of emailing or calling people while pretending to be a trusted person or company. Attackers typically try to steal passwords or account information, but they may also deliver malicious payloads or hack the system.
In the enterprise world, the real threat is spear phishing. Here, the attacker will carefully study your enterprise to find weak links and learn how to manipulate them. Through email spoofing and IP spoofing, attackers can falsify the sender’s information so that it looks like the message came from inside the company or an affiliate. Moreover, they may use cloned websites to add credibility and get you to enter sensitive information such as passwords and banking credentials.
The best way to counter these things is to educate your team on these enterprise security best practices:
- Critical Thinking: Always pay attention and look for signs of impersonation. For example, poor English, low-res signatures, and fake-looking names are usually dead giveaways
- Link Inspection: Before clicking a link, you should always hover above it to see where it leads and determine if it seems reliable
- Header Analysis: Double-check that the “Reply-To” and “Return-Path” headers point to the same domain as the sender the email claims to be from
- Marking Emails: By placing a timestamp or nonce (a random, single-use number) on each message and inspecting it before interacting, you can avoid replay attacks where hackers copy old messages to trick people
- Data Encryption: Encrypting sensitive data protects you against most forms of eavesdropping and spoofing
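The header-analysis and message-marking items above, worked as an added example (not the article's own code): it parses a message, reports Reply-To or Return-Path domains that differ from the From domain, and flags a repeated nonce or a stale Date as a possible replay. The nonce header name, the 24-hour freshness window and the sample message are constructed assumptions.

```python
"""Added example: Reply-To / Return-Path domain checks and nonce/timestamp replay detection."""
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

MAX_AGE_SECONDS = 24 * 3600   # assumption: older messages are treated as possible replays
NONCE_HEADER = "X-Msg-Nonce"  # assumption: the header the sending side stamps a nonce into

def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def inspect_message(raw, seen_nonces, now):
    """Return a list of findings; an empty list means every check passed.
    `seen_nonces` is a set shared across calls so a repeated nonce is caught."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    nonce = msg.get(NONCE_HEADER)
    if nonce is None:
        findings.append("missing nonce")
    elif nonce in seen_nonces:
        findings.append("nonce already seen (possible replay)")
    else:
        seen_nonces.add(nonce)
    try:
        sent = parsedate_to_datetime(msg.get("Date"))
    except (TypeError, ValueError):
        findings.append("missing or unparsable Date header")
    else:
        if (now - sent).total_seconds() > MAX_AGE_SECONDS:
            findings.append("Date older than the freshness window (possible replay)")
    return findings

# Constructed sample: the visible sender is the company, but replies would go elsewhere.
SAMPLE = """From: CEO <ceo@example.com>
Reply-To: ceo.example@attacker.example
Return-Path: <bounce@example.com>
Date: Mon, 03 Jun 2024 10:00:00 +0000
X-Msg-Nonce: 7f3a9c
Subject: Urgent wire transfer

Please process the attached invoice today.
"""
SAMPLE_NOW = datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc)  # constructed receive time
```

A mismatch is a signal to inspect, not proof of fraud: mailing lists and ticketing systems legitimately set a different Reply-To, so tune the rule per sender.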
4. Password Attacks
Criminals can swipe passwords in several ways. For one, they may install a keylogger on your system and capture the password as it is typed. They may also trick people into revealing their passwords, or even physically snoop around in offices. What’s worse, they can also hack your password database.
More commonly, they’ll resort to various forms of systematic automated guessing. One common example is brute-forcing, which tries passwords generated at random or by a simple pattern, over and over, until one matches. It’s not very effective these days, but it works sometimes.
Dictionary attacks use lists of common passwords and encryption patterns to decipher the password more efficiently.
You can defend against these attacks with an account lockout policy, so that repeated incorrect inputs will lock the account. Two-factor authentication also stops most attempts. Apps like Duo and Google Authenticator make this easy.
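The account lockout policy recommended above, worked as an added example (not the article's code): passwords are stored as salted PBKDF2 hashes, and five consecutive failures lock the account for fifteen minutes, with the clock injected so the policy can be exercised without waiting. The threshold, lockout length and iteration count are constructed assumptions.

```python
"""Added example: account lockout against automated password guessing."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5            # assumption: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumption: stay locked for fifteen minutes
PBKDF2_ROUNDS = 100_000     # assumption: slows offline guessing if the database leaks

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked

def authenticate(acct: Account, password: str, now: float) -> str:
    """Return 'locked', 'denied' or 'ok'. `now` is passed in so the policy is testable."""
    if now < acct.locked_until:
        return "locked"           # refuse without checking: no guesses while locked
    _, candidate = hash_password(password, acct.salt)
    if hmac.compare_digest(candidate, acct.digest):
        acct.failures = 0         # a good login clears the counter
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"
```

Because an attacker who knows a username can deliberately trip the lockout, pair this with per-source rate limiting and the two-factor step the article mentions rather than relying on lockout alone.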
5. Man in the Middle
Man-in-the-middle (MitM) attacks are attacks in which the hacker positions themselves between the client and the server in a communication. This can happen in a few different ways.
Session hijacking occurs when attackers take over sessions between trusted clients and networks through advanced spoofing. They may also use an active hijacking scheme where they communicate with two parties and relay information between them under false pretenses. This way, attackers can spy and steal passwords.
The best line of defense against MitM is a combination of data encryption and digital certificates.
General Web Security Best Practices
In addition to specific web security vectors, a strong foundation of overall preparedness is important. Here are some guidelines.
- Keep all software up to date and install every new security patch as soon as possible. Continuous malware scanning is essential to keeping problems at bay
- Get rid of any software and plugins that you don’t use
- Leverage cloud security for safer storage
- Use whitelists to limit the software, websites, ports, and email contacts that are allowed through to your network
- Use firewalls between your networks
- Train your team to be responsible and think critically about web security vectors. Implement a least privilege policy to minimize risks
- Make backups of critical data so that you can easily roll back and keep going if something breaks your system
Meet the Challenge Head-On
Defending against web security vectors can be a big challenge and requires an understanding of the threats. The modern web is full of security holes and exploitable functions. And while 100% security is a myth, you can be proactive and protect your digital presence in a number of ways.
At Multidots, we know the importance of optimizing websites for security. We can help you ensure that your site follows the best security practices and has safe code. We can help monitor your website for attackers and mitigate any ill effects through smart development and industry best practices. Your digital strategy should serve to grow your company, not act as a weak link in a thriving business.
For more information regarding the security and longevity of your enterprise, contact us today to find out how Multidots can help. Our team of engineers understands how to solve the problems listed above, helping to turn your web presence into a revenue-generating powerhouse.