How to Improve Your Website Posture – Part I

Have you ever wondered if your website security posture is adequate?

The risk of a website compromise is never going to be zero. However, as a webmaster, you can play an important role in minimizing the chances of a website hack. A good security posture entails understanding the importance of securing a website and knowing how to implement security measures.

Correcting a poor security posture means recognizing problems that you might not notice.

Let’s begin with some stats:

  • In 2018, the total number of websites surpassed 1.8 billion.
  • Google routinely blacklists over 10k websites a day.
  • Nearly 1 million new malware threats are released every day.

Today, we are going to describe some attacks that can be leveraged to target your admin credentials.

Types of Attacks

Attackers are looking to steal username and password combinations with some of the following techniques:

Brute Force

Brute force is a generic term we use for attacks that try to guess the username and password for a site. This type of attack is very common against popular CMS platforms, such as WordPress, Joomla, Drupal, Magento, and others. Brute force attacks are also frequent against common services, like FTP and SSH.

There are many ways to perform a brute force attack. A dictionary-based attack is the most common method. In this type, the attackers use a list of the most common passwords and try each of them against your site. If you do a quick search online, you will find lists with millions of common passwords. Hackers are always adding to and multiplying their password lists with data from breaches on popular websites.

Brute force attacks don’t stop until they find the right username and password combination.

Generally, it takes only a few minutes for malicious actors to run a computer program that will try thousands of combinations. Most dictionary-based attacks mix keywords from the domain itself to increase the success rate.

Phishing

Phishing techniques mainly consist of website pages or emails designed to trick users into handing over credentials.

Just like a fisherman casts and reels with his fishing rod, a “phisher-man” will try their luck baiting users with fake pages. Most often, this is in the form of fake login pages. These copied website pages are displayed to website visitors in hopes that some users will bite and be reeled into giving away their secret data.

By wielding the web development and scripting knowledge necessary to make forms that look convincingly realistic, hackers lure unsuspecting users into entering their credentials on the imitated page.

Recently, we covered an email phishing campaign that used a fake overdue payment notification in an attempt to steal data from users.

XSS

Cross-Site Scripting (XSS) is a widespread vulnerability that affects many web applications. There are dangers behind XSS: an attacker is able to inject content into a website, modifying how it’s displayed. This forces a victim’s browser to execute the code provided by the attacker while loading the page.

Generally, XSS vulnerabilities require the user to trigger some type of interaction. It can be done either via social engineering (manipulating users to perform an action or give away confidential information) or waiting for someone to visit a page with a specially crafted URL triggering the vulnerability. For example, a vulnerable page can be crafted to lure a user into entering their credentials on an injected iFrame.

Even though XSS starts off as a software vulnerability, it is also an access control issue because it gives an attacker almost full control of web browsers.

Man in the Middle

A Man in the Middle (MITM) attack happens when a malicious actor secretly monitors or alters the communication between two parties who should have been communicating with each other without third-party interference.

MITM attacks intercept user credentials via insecure networks. This is one reason why encryption protocols like SSL are so important. You can learn how to generate a free LetsEncrypt SSL certificate with our DIY guide.

Conclusion

In the first post on how to improve your website security posture, we focused on types of attacks you should be aware of.

We have designed an infographic to help you visualize How to Improve your Website Posture.

For more robust website security, we highly recommend a website security platform that encompasses monitoring, protection, and response.

Stay tuned for the upcoming posts of this series.



*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by AJ Syed Ali. Read the original post at: https://blog.sucuri.net/2018/08/how-to-improve-your-website-posture-access-control.html