Data (In)Security

In the world of website content management systems, WordPress is king. As far back as 2012, Fortune magazine anointed WP ruler of the Web, and now its number of installed platforms exceeds 70 million. So a logical question is “What does it mean to be one of 70 million in terms of website security?”

Well, in cyber-security as in many industries, Shakespeare’s line “Uneasy lies the head that wears a crown” is often applicable.  So it’s important to recognize that dominant market share makes an inviting target for criminals.  Exploit writers follow the money which, for them, lies in hacking vulnerable website code.  The more vulnerable applications in distribution, the more profit they see.

Hackers use WP sites – revenue-generating and fan-based alike – to carry out criminal activity ranging from malware distribution to data theft and more. At 6Scan, we see an inordinate number of sites unwittingly inviting attacks with virtual “Hack Me” signs. Of the WP sites on our scanning platform (as of January 17, 2014), fewer than 20% were using the current version (3.8) and approximately 25% run versions that are more than one year out of date (see chart for full breakout). Hackers love out-of-date applications, which they regard as low-hanging fruit, because their vulnerabilities are well known and exploit packages are available for purchase. So before doing anything else, 6Scan urges WP site owners and administrators to install the latest version of WP. Strengthening sites across the board – all types – is good for the individual as well as the WP community in general.

 

The Reports are in: Hacked Websites are a Big Problem

The big boys have weighed in, and both Cisco’s 2014 Security Report and the Websense 2014 Threat Report have identified a major contributor to cyber-crime: hacked legitimate websites. The Cisco report accurately refers to these attacks as High Efficiency Infection Strategies because, as the image below illustrates, a single website can attack a variety of devices. Websense re-affirms the popularity of this attack method by pointing out that 85% of malicious links are hosted on hacked legitimate websites.

Websites can launch attacks upon multiple device types (image from Cisco’s 2014 Security Report)

At 6Scan we see the magnitude of the effort behind these attacks and the damage they can inflict. There is a constant barrage of malicious traffic against the sites we secure. Why? Because using hacked websites to disseminate malware is a high-efficiency infection strategy.  A compromised web site, or web server, is the bad guys’ honeypot — it’s out there just waiting for victims to show up. Many new customers come to us after they have been targeted. Once breached, these sites become platforms for serving malware until inevitably they are blacklisted by browsers or desktop anti-virus.

In many cases these small businesses have much more to lose than bigger companies. Large firms have insurance, recovery strategies and adequate resources to survive a breach, even one that is large scale and highly visible. Smaller firms, The Fortune 15 Million, don’t always have this cushion. In many cases they stand to lose everything. This is why 6Scan offers a free service to assess website security. It’s also why we focus on fixing vulnerabilities before they become breaches.

Stay safe.

So, who needs web security?

If you run your own website, you need to protect it. It is just like locking your door, installing a car alarm or putting a password on your computer. We’ve all seen recent headlines about cyber attacks on major companies like Sony, LinkedIn, and Facebook. But these kinds of attacks are rare. Large corporate attacks are like someone trying to break into the Louvre to steal the Mona Lisa. This is potentially incredibly lucrative, but it is also incredibly challenging for the thief. Thieves are typically not that ambitious; most theft occurs when the thief sees a combination of opportunity and vulnerability (like breaking into a home, stealing a car or snatching a purse from a pedestrian). In cyber life, we see the same kind of behavior with malicious hackers and small businesses.

According to the 2012 Verizon Data Breach Investigations Report, small businesses are the preferred target for malicious hackers. Criminal hackers who target small businesses don’t do it for the attention; they want to fly below the radar, so they hack into as many sites as possible and steal whatever information they can from the websites they target. And attacks against small businesses are very common. According to 6Scan data, 7% of website requests are malicious. This means that a website receiving 350 daily visits averages 1 hack attempt per hour, every hour, of every day. Some of these attempts will not be successful, but others may be.

Some of you have been using 6Scan for some time, and you know what it’s about. For those of you who are new to 6Scan, here is a quick summary: 6Scan tells you if your website is vulnerable to attack by hackers and provides the information detailing your site vulnerability to you for free. You then have the option to address the exposed areas on your own, or (for the less tech-savvy or time-restricted individuals) you can pay a small subscription fee so that 6Scan can automatically fix vulnerabilities for you and, if necessary, remove malware.

Let’s recap. Who needs website security? Technically, everyone… but small business owners need to be even more careful to not become the target of a mischievous hacker. 6Scan can help give you peace of mind, so that you can continue on with what is important…running your business.
