Third Tier has been a favorite target of hackers for a long time. We’ve found ourselves subject to DoD attacks and brute force account attempts on a regular basis. I take it as a compliment. Recently though the technique has changed slightly. I wonder then, how many people realize that thier website is under attack? Because by default you wouldn’t.
| mwKWaUnAL qHrMUOtWJKkE | mhklassen@aol.com |
The account above is typical. It’s a random account name, using a legitimate but stolen email account. If you’re mhklassen@aol.com, your account has been compromised and is being used by criminals to attack my website. I do hold you responsible because you’ve ignored that message to change your password to something more complex and use two-factor authentication. As far as I’m concerned you are part of the gang of criminals. 20-30 mhklassen’s are used to create accounts on our website daily. Unless I post something security related, like this post, then we’ll get hundreds of them, per hour.
Discovery
To discover these accounts, I used to run a report monthly and then delete them. When they picked up in volume and complexity, I started blocking new account activation. Of course, that’s annoying for our customers that need to create accounts to do business with us and don’t have an account yet, so I have different alerts set on different types of activity and we restrict the activity of new users.
Recently I got to wondering what percentage of websites out there have any type of security monitoring. Tomorrow is world Backup Day, on which you are supposed to think about whether your backup is sufficient or not. Most won’t think about it. They’ll just assume that it is. But in 20+ years of meeting hundreds of businesses only 5 have had a restorable backup. Backup has always been and still is, one of those systems that doesn’t stay working without some care and feeding. If less than 1% can manage to maintain a working backup, which a common skill, then an even fewer percentage are going to have a secure website because mostly IT and webdev just point at each other. I further know this to be true because I’ve yet to meet a potential client with a maintained website.
Brochure websites are considered to be of such low value that businesses simply don’t want to pay the developers to keep them secured, monitored and backed up. Too, many developers just don’t want to be bothered with that end of the business and IT often doesn’t know how. It’s a sad state of affairs.
Who cares if your website is hacked? Well everyone, but you. Ideally the site just keeps churning along but the criminals get free server resources to use at will. Those get used to maintain bot networks, launch phishing campaigns and password attacks; all on your dime. You end up funding the criminals.
What to do; what to do
SSL certificate? Yes, you need one. No, it’s not for security; it’s for privacy. Here’s what you need.
- Apply updates as they release. For the plugins, the operating system, the applications and the theme.
- Back up the site after every change. Backup Buddy, JetPack and many others offer reasonable automated backup.
- Firewall it. You need a firewall that understands websites and can monitor behavior as well as intrusion.
- Change the site out every couple of years. Code gets old; old code becomes stinky swiss cheese. Criminals love that stink.
As everything moves to the cloud, everything becomes dependent on good web security and maintenance. We all need to play our part in making sure that we aren’t participating in creating an army of every neglected website; that would be larger than anything our military ever envisioned because today’s level of cyber-attack isn’t just about causing an individual harm. It could take out an entire Country.
All we do is support IT professionals. Help for IT Pros, Super Secret News, Security community, MSP Legislation community, Kits, papers, MSP training and more. https://www.thirdtier.net
