Thursday, May 20, 2010

So You Think Your Website Won't Get Hacked

Many website owners believe that because their website is not high profile, cyber criminals will not hack it. This falsehood has led to many websites being taken down and, in many cases, the complete loss of the online business.

One of the hard realities of the internet today is that you need to secure your website before the first time you connect it to the net. Many new websites have, within minutes of being connected to the Internet, been hacked. This effect was caused not by hordes of hackers, but instead by scanning programs constantly searching the net for this week's favorite vulnerability.

Most of the attacks that a website will experience range from random, unstructured episodes to the well-organized and targeted variety—both of which tend to be automated. Automated attacks can vary in their relative complexity, with attacks being initiated against a target or opportunity directly, or (more likely) through several systems that may not even know they are being used as instruments in the attack. Estimates vary on how many systems may currently be compromised in such attacks, but it has been found that the systems used are present in all kinds of situations—from the small business to the large corporation.

Who then is typically responsible for carrying out such attacks? In most cases, these automated attacks are launched by those with the lowest skill levels of the hacker community—those known as script kiddies. Script kiddies typically don't have the knowledge that those higher in the hacker community have, but that doesn't mean they can't be dangerous. When script kiddies launch an attack, they typically do so without realizing the results of their actions, such as potentially crashing systems or inadvertently performing a denial of service (DoS). These individuals fit the profile of a newbie who finds a new application, such as a scanner or password cracker, and runs it against large swathes of targets looking for an "interesting" result.

It is believed that the vast majority of the "hacker" underground is made up of these script kiddies who have only been using computers for a few years and who really know comparatively little about them. These are people, usually kids, who are attracted by the seemingly magical powers that hacking gives them. Since they know so little about computers, they don't really know how to hack themselves but instead follow recipes or "scripts" developed by real hackers. Most of these scripts are easy-to-use programs whereby the "script-kiddy" simply enters the IP address of the victim.

These script kiddies are a subset of hacker-culture. They are usually young, unknowledgeable, curious and destructive. Unlike 'hackers' who attack a system for profit or personal satisfaction, script kiddies do it because they can. What makes a script-kiddie different from a hacker or an advanced user is that a hacker or advanced user commonly has a vast understanding of what he or she is doing, explores and locates the security vulnerabilities, and/or creates the programs or scripts that others may use.

Lacking the knowledge to write their own exploit code (or understand the code written by others), script kiddies turn to pre-made tools that make exploits click-a-button easy. Unlike a hacker, who chooses a system then scans it for vulnerabilities and exploits them, script kiddies learn about a specific exploit then look for any site, system or server that is vulnerable to it. They also tend to be indiscriminate and may try to compromise any website on the Internet they can reach.

This is what makes attacks by script kiddies dangerous to small businesses. They attack randomly, so even if you think that there is no one out there who would be interested in compromising your website, there is a whole community dedicated to searching and scanning for anything to exploit. The adolescent demographic that makes up the majority of script kiddies is searching for power - not money and certainly not a cause that they feel is worthy. Once they find power, they exercise it. Most of them wouldn’t be able to commit a crime (let alone violence) in person. Attacks on systems, however, add a layer of separation that removes both the stigma and the fear from what they do. They see no connection between their actions on the web and the harm they can and do cause.

Script kiddies tend to select their targets based on ease of access and without regard to a system's relative importance or even whether that system is prone to crashing or other instability as a result of the attack. Also consider that in certain cases, script kiddies may post their results or actions on a newsgroup or blog, letting others know how and against whom they perpetrated their attack, thereby making you a bigger target. With a system compromised, an attacker may choose to pick any of a number of actions on the "menu," including attacking other systems or placing utilities on the system with the intent of waiting for valuable data to float by.

The attacks that script kiddies launch may look on the surface like those of more organized groups, or even like what the criminal element employs. In some cases, script kiddies are themselves pawns of organized crime or other organizations that might be looking to make financial gains.

Although most good hosting companies will protect their servers (and usually your site to some degree) it’s important to understand that you are responsible for your own site.

Script kiddies, unfortunately, are often just as dangerous as exploiters of security lapses on the Internet. The typical script kiddy uses existing and frequently well-known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other websites on the Internet - often randomly and with little regard or perhaps even understanding of the potentially harmful consequences.

While a hacker will take pride in the quality of an attack - leaving no trace of an intrusion, for example - a script kiddy may aim at quantity, seeing the number of attacks that can be mounted as a way to obtain attention and notoriety. Script kiddies are sometimes portrayed in media as bored, lonely teenagers seeking recognition from their peers.

Because of the ease-of-use of these programs, there are hundreds of thousands (if not millions) of script-kiddies on the Internet. This has generated a certain "background-radiation" on the Internet. Any website connected directly to the Internet with a high-speed connection will likely see a fair number of attacks against their system from these script-kiddies.
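The "background radiation" described above is visible in an ordinary web server access log. The following is an added example, not part of the original post: it flags clients whose requests are mostly for many different pages that do not exist, which is what indiscriminate automated probing looks like from the server's side. The log lines, addresses, paths and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx Common or Combined Log Format:
# host ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, path_without_query, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), path, int(m.group("status"))

def find_scanners(lines, min_missing=4, min_ratio=0.8):
    """Flag clients that asked for many *distinct* missing pages.

    A visitor following one broken link produces repeated 404s for the same
    path; a scanner walking a list of guesses produces 404s for many paths.
    Both thresholds are assumptions to tune against your own traffic.
    """
    total = defaultdict(int)      # all requests per client
    errors = defaultdict(int)     # 404 responses per client
    missing = defaultdict(set)    # distinct paths that returned 404
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        total[ip] += 1
        if status == 404:
            errors[ip] += 1
            missing[ip].add(path)
    flagged = {}
    for ip, paths in missing.items():
        if len(paths) >= min_missing and errors[ip] / total[ip] >= min_ratio:
            flagged[ip] = sorted(paths)
    return flagged

# Constructed sample log (documentation-range addresses, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [20/May/2010:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [20/May/2010:10:00:01 +0000] "GET /css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.10 - - [20/May/2010:10:00:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [20/May/2010:10:02:10 +0000] "GET / HTTP/1.0" 200 5120 "-" "-"
198.51.100.23 - - [20/May/2010:10:02:10 +0000] "GET /admin/ HTTP/1.0" 404 209 "-" "-"
198.51.100.23 - - [20/May/2010:10:02:11 +0000] "GET /backup.zip HTTP/1.0" 404 209 "-" "-"
198.51.100.23 - - [20/May/2010:10:02:11 +0000] "GET /old/ HTTP/1.0" 404 209 "-" "-"
198.51.100.23 - - [20/May/2010:10:02:12 +0000] "GET /test.php?id=1 HTTP/1.0" 404 209 "-" "-"
198.51.100.23 - - [20/May/2010:10:02:12 +0000] "GET /setup.php HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [20/May/2010:10:05:00 +0000] "GET /old-page.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [20/May/2010:10:05:30 +0000] "GET /old-page.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} probed {len(paths)} missing paths: {', '.join(paths)}")
```

The client that hit the same broken link twice is not flagged, because the check counts distinct missing paths rather than raw error volume.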

There has often been a tendency among System Administrators to discount the danger of script kiddies, and this can be a misleading and dangerous thing to do. Script kiddies can have a much greater capability to cause problems than their skills alone would indicate.

As mentioned previously, most of the time script kiddies will find their victims by using scripts that conduct automated searches and attacks. These scripts, written by skilled crackers or modified by some less skilled person, are traded via IRC, FTP sites, web sites and other methods and can spread through the net with lightning speed. Soon after a new exploit is discovered and a script written for it, you may find it being used to attack systems all over the world.

With thousands of script kiddies who live for the next crack, who needs enemies? At least if you had someone gunning for you, you could have some idea of who was after you, what they could do, etc. What the script kiddie lacks in skill he/she can make up for in time and computing power. Each website they crack adds to their arsenal for the next scanning attack.

The process the script kiddies use in scanning for systems to crack makes the attack less personal and more abstracted. It can be harder for them to identify with their victims and easier for them to do damage or destroy their target without feeling the twinges of conscience or remorse for their actions.

The majority of script kiddies prefer "playing" with unprotected sites. Their programs usually only work if the site is unprotected, or its security is really out of date. These kinds of individuals usually can't do anything to a reasonably protected site. Since they are trying to feel important, if they (or their robots) can't get in immediately, they'll just go elsewhere.

The only way to win in this game is to stay one step ahead of the hackers, and ironically, this is easy to do with script kiddies. They won't dig deep into your system, they won't be persistent and they won't focus, but all you have to do is leave your website unguarded from the latest vulnerabilities and they will be on your system in hours (if not minutes).

You should now hopefully realize that the most important aspect of operating an online business is keeping your investments secure at all times. The internet is a very dangerous place, especially for businesses that conduct hundreds or thousands of dollars in eCommerce each and every day.

It is of the utmost importance to remember that any website connected to the internet is automatically vulnerable to hacker attacks, and will eventually be attacked. Thinking your website will never be attacked is a falsehood that could destroy your website and your online business.

If you want more information on plugging the security loopholes in your website, please visit the following website:

http://www.websiteprotection.net

Why So Many Websites Are At Risk

I am always amazed by the number of websites that suffer cyber attacks. Despite the enormous number of attacks, and despite widespread publicity about these attacks, most website owners fail to scan effectively for common security flaws. These attacks can range from simple nuisances to dangerous compromises of sensitive data. Many overlook the possibility of the website being destroyed by a virus, even though it is a relatively common occurrence in the online world.

With all of the work that goes into building a comprehensive website over time, it can actually be more devastating to lose a website than to lose a PC or even an operating system. When a website is brought down by a virus, it cannot be quickly replaced like an operating system or PC. In fact, the damage that is done can take months to repair, especially when you consider how many negative events can transpire as the result of a worm attack. The most obvious effect will be the loss of traffic that will be seen soon after the worm has infected the website.

Most hackers spend hours every day trying to find new exploits, hacking into sites and looking for opportunities to steal cash from hard working business owners. Yet, the business owners do not put forth the same effort to protect their websites. It is important, during website development, that all possible security threats be considered to ensure adequate protection of the website as well as end users.

If website security is an extremely important consideration for these online businesses, why are the website owners not mitigating security risks and building customer trust?

After doing some research and speaking with various website owners, I believe I may have come up with some falsehoods most people tend to believe concerning their websites:

1. The Web Developers Deal With Website Security

Many people who start up an online business typically hire other people to build their website. They assume that these web developers will incorporate security. This unfortunately is not true, unless you ask them. As stated previously, it is important, during website development, that all possible security threats be considered.
In other situations, people may create their own website. They tend to forget about adding website protection and security. Since most people, when they first start out, are on a very low budget, security is the last thing they worry about. Not even the most basic security, which does not require any special software skills, is incorporated. Basic security may not be perfect, but it is at least better than having no security, which makes it easier for people to hack the website.

2. No One Will Hack The Website

Many people tend to think it won’t happen to them – why would hackers go for their website when there are huge high profile targets around? Many are fooled by this false sense of security. The sad fact is that big companies can employ legions of experts to ensure their website stays safe and secure. The smaller websites tend to have limited resources, and may also be relying on the company that designed their website.
The internet is a very dangerous place, especially for small businesses that conduct hundreds or thousands of dollars in eCommerce each and every day. These smaller websites have emerged as the target of choice for money-hungry hackers. Just registering a new domain name will mean it gets scanned for vulnerabilities and potentially targeted.

3. The Website Uses SSL Certificate (https instead of http)

The term "secure website" is often used for the parts of a website where the data transmitted between a user and the server is encrypted. SSL only means the data in transit is encrypted. It does not actually secure a website, its data, the server or its users. SSL has no ability to protect the information stored on the website once it arrives.
SSL should be used for transfer of private and sensitive data, but that's just one small part of website security.

4. The Website Is Not Hosted With The Microsoft Operating System

When it comes to vulnerabilities in software, and patching of software, most of the news tends to be centered around Microsoft. Since Microsoft is quite popular in use, it stands to reason that it would be mentioned the most.
Many people feel that if their Websites are hosted on other operating systems, such as Unix, then they are safe. They fail to realize that these other operating systems still need to have patches and updates regularly applied.
Also, many security exploits (e.g. phishing, weak registration/login systems, cross-site scripting (XSS), business logic flaws) are completely independent of the operating system.

5. Website Is Protected By Firewall

Firewalls in front of a web server control traffic to that server. But the web server will need to see web requests, so these cannot be filtered. Web application firewalls can assist in protecting against known vulnerabilities and unusual traffic but cannot usually provide protection against custom code vulnerabilities, valid use that corrupts data, and zero-day attacks, which take advantage of computer vulnerabilities that do not currently have a solution. They can be of use in temporarily filtering traffic when a vulnerability is discovered, but need to be thought of as a temporary fix rather than a permanent repair.

6. The Website Is Always Backed Up

Although it is very critical to always back up the website and database in case it is brought down, backups are not a protective mechanism; they are an aid to recovery. But if the data has been altered maliciously, the backup may well also contain this. Also, backups are unlikely to have everything needed to rebuild the site.

7. The Website Has An Annual Infiltration Test

A vulnerability scanner tool will not be able to discover all the vulnerabilities in your website. In particular, vulnerabilities in any custom-developed code are unlikely to be found by automated tools. Coupled with the fact that the hosting environment and website code are likely to change over a much shorter time span, automated testing and analysis need to be undertaken more often. Best practice is to undertake automated testing weekly and have logging and alerting functions which highlight changes to files and potential intrusions on a live basis.

8. The Website Is Up Most Of The Time

Hosting providers usually define certain minimum levels of uptime. You need to check how these are calculated, what you are responsible for and what the exclusions are.
Owners do not often consider what would happen if their website were unavailable for a period longer than a few minutes. Many fail to have plans in place (disaster recovery and business continuity) to deal with the loss of, or loss of access to, the website.

The falsehoods mentioned appear to be the most basic myths that most people believe. I am fairly confident that many more falsehoods could be added.

The website owners must never forget that they are the website security. What they do or do not do is what makes their websites secure.

Always remember that hackers, like burglars, are opportunists. If you take the security measures to keep your website safe, a hacker will swiftly move on to a site that is less well protected. Securing your website can take minutes, but gives you a lifetime of peace of mind.


Monday, May 17, 2010

Video of Website Security Means Increased Online sales

The following is a video version of the article "Website Security Means Increased Online Sales":

[Embedded video]

Sunday, May 16, 2010

Website Security Means Increased Sales

The growth of the internet has provided website owners with unique business opportunities. This incredible growth has enabled entrepreneurs of all ages to sell their products and services to a worldwide audience.

However, many forget to give their website the same consideration in regards to security. Most people understand the negative effect that a damaged operating system would have on a business owner, and therefore all efforts are made to secure the operating system and the local network. Unfortunately, many overlook their website.

Many website owners are well aware of the need for antivirus software to protect their home network and computer, and most of them have such software installed that actively protects them from malicious software. Again, many forget to give their website the same consideration in regards to security. Unfortunately, many overlook the possibility of the website being destroyed by a virus, even though it is a relatively common occurrence in the online world.

With all of the work that goes into building a comprehensive website over time, it may actually be more devastating to lose a website than to lose a PC or even an operating system. When a website is brought down by a virus, it cannot be quickly replaced like an operating system or PC. In fact, the damage that is done can take months to repair, especially when you consider how many negative events can transpire as the result of a worm attack. The most obvious effect will be the loss of traffic that will be seen soon after the worm has infected your website.

Every day there are thousands of new internet users online. Despite the fact that more people all the time are making purchases on the internet, there are a great many consumers who remain uneasy about the process and because of that are timid about the internet. Consumers are becoming smarter, more savvy and more guarded about what can put them at risk. Online customers need to be confident that their personal information is safe and that their privacy will be upheld at all times.

One study, by Forrester Research, Inc., found that a whopping 84 percent of consumer survey respondents indicated they didn't think retailers were doing enough to protect them online. Another, from London-based market research company TNS PLC, found that 75 percent of online shoppers surveyed said they had abandoned a retail site due to security concerns.

Website business owners are constantly trying to improve business. What many don't realize is that by improving their website security, they can improve their sales. Customers say that the security of a website is the number one reason why they do or do not shop on particular websites.

Websites have emerged as the target of choice for money hungry hackers. The ramifications for companies are clear: Loss of data, loss of consumer confidence and loss of brand integrity. No company can afford the black mark of a website hack.

Consider the fact that 8 out of 10 websites visited each day have a serious security vulnerability that puts corporate and customer data at risk. Add to that the irreparable harm done to a company whose brand is compromised by a publicized attack. It's a call to action for any company doing any of its business on the Web.

Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most website owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.

As an internet merchant, an important asset for you is the credibility and trust your website conveys to prospective customers. It may seem like a minor thing, but if visitors trust you and your site, they'll more likely buy something, and the more credibility you have, the higher your conversion rate will be.

Conversion Rate is the number of visitors on your site who actually do what you want them to. For instance if you get 1000 visitors on your site a day and 20 of them buy your product, your conversion rate is 2%. Credibility is crucial if you want to make money with your web site. Your website visitors must have trust in your company. It's pointless to spend a lot of work on getting visitors from search engines if these visitors don't convert to sales.

It makes sense for you as a website owner to remove all the fear, doubt, and suspicion that accompanies making a buying decision online. When there is no hesitation to do what you want your online visitors to do, your conversion rates will increase. When you increase the amount of traffic that trusts you, more people will do what you want them to do. Any doubt or hesitation on their part, substantially decreases your chances of making the sale and lowers your conversion rate.

Website security is of major importance to website owners and the people who are using the websites. As a site owner you are responsible for ensuring that your users are able to view your website without the risk of problems associated with malware, viruses and trojans.

Security is an extremely important consideration for any business, especially if your business is connected to the internet. When conducting business across the internet you are faced with issues like mitigating security risks and building customer trust.

Establishing trust with the customers is highly essential for earning profits and higher sales. The trust factor is the same for a physical shop as well as for a website. If you have offered a quality product the first time, the same thing is expected when they come a second time for purchase and if you fail to offer that similar quality, they look for another website.

A site that succeeds in developing a confidence factor in its clients is successful in selling its products/services to them. The market is basically dominated by the feelings and emotions of the customers. A product that fulfills clients' needs is demanded repeatedly by them, thus creating brand loyalty.

People's trust, once broken, is difficult to restore. The reasons might be many and different in nature. Sometimes companies make fake promises at the time of sale and fail to fulfill them, or are unable to deliver quality goods or services. Nearly all customers might have had their expectations disappointed by merchants once in their lives, or have heard from their friends or relatives about a bad experience.

There's no doubt that you have already heard numerous stories of hacked credit card details on the net. These incidents are widespread. This is the root cause of why online buyers are a little reluctant to just type in their personal information whenever asked. They need to know the website they are purchasing from is safe. Before customers are ready to give you sensitive information such as their home address or credit card number, they need to be reassured that your website is safe and secure. Ensuring your customers' security should be a top priority. After all, how will customers react if they learn that their sensitive information (such as credit card details) was compromised on your website?

Hackers and writers of malicious code can break into an e-commerce site to steal valuable details, such as credit card numbers and other useful information. Your website will certainly be mentioned, and it can become a haven for cybercriminals. This can cost you your valuable clients and your online business. Considering that most hackers spend hours every day trying to find new exploits, hacking into sites and looking for opportunities to steal cash from hard working business owners, you need to put forth the same effort to protect your website.

Thinking that your data is safe does not mean your database of sensitive organization information has not already been cloned and is resident elsewhere, ready to be sold to the highest bidder. To make matters worse, only recently, it has been discovered that hackers are not simply selling your information; they're also selling the fact that you have vulnerabilities to others. It seems that most hack attacks are discovered months after the initial breach simply because attackers do not want to, and will not, leave an audit trail. Hackers are interested in stealing the data and leaving it intact.

With the increased accessibility to information on the Internet, web security is a vital necessity. Attacks can range from simple nuisances to dangerous compromises of sensitive data. It is important, during website development, that all possible security threats be considered to ensure adequate protection of the website as well as end users.

If you're not doing everything in your power to make your website visitors feel safe and secure while buying from your website then you could be losing up to 49% of your sales. And this has nothing to do with how persuasive your sales pitch is or how fancy your website looks. When it comes to making that critical decision whether to buy from you or not, the final straw is the consumer's concerns about their online security. You cannot afford to ignore these facts, especially in these times of recession when online shoppers are looking for real value and are becoming pickier about where they spend their dollars.

You should now hopefully realize that the most important aspect of operating an online business is keeping your investments secure at all times. The internet is a very dangerous place, especially for businesses that conduct hundreds or thousands of dollars in eCommerce each and every day. Having a secure website not only prevents the loss of profits, but it also boosts sales as your customers will be more confident when shopping with you if they know that your site is safe.

Most of all, keep in mind that when you support your website with the appropriate website security, you are increasing the trust of your customers, which in return increases sales for you. Website security is essential; make sure you are doing all that you can to ensure a safe site for you and your customers.

So now that you know that website security might as well stand for increased confidence and sales, what are you doing to ensure that your customers are getting the right security signals from you?
