This blog will explain why your website is attractive to criminals – even though you probably think it isn’t – and what you can do to protect yourself – even though you probably think you don’t need to.
SMEs are a bigger target than they think
Most SMEs don’t realise the extent of the cyber security threats they face. We hear it over and over again, and recent government research confirms it: asked if they agreed with a number of common cyber security misconceptions, 78% of SME respondents to a Cyber Streetwise survey believed at least one. Two thirds of them (66%) didn’t even think their business was vulnerable at all.
In fact, PwC/BIS’s most recent Information Security Breaches Survey found that 60% of small businesses had suffered a security breach. Make no mistake: if you’ve got a website, you’re vulnerable.
Why your website is vulnerable
Your website is just a commodity. It doesn’t matter who you are or what you do – your website, and the information that can be accessed from it, is worth money to someone on the black market.
Even if you don’t store financial information such as customer payment details, the data you do hold – such as employee payroll details, proprietary data or client information – has a value to someone. Hackers will rifle through your databases and pull out all the information they contain.
Dell SecureWorks’ recent Underground Hacker Markets report examined the underground economy and found that the black market is booming.
Business information can be sold to competitors. Contact information can be, and is, collated with other stolen data and used to hack other accounts. Spammers want lists of email addresses. Some hackers want information on specific users or IP addresses. Some want to spread malware. All such information is traded online.
Moreover, the number of stolen credentials now for sale has inevitably led to prices dropping considerably, meaning they are increasingly easy to come by: 2014’s large-scale attacks saw one billion data records compromised – one for every three Internet users worldwide. Many of these were entirely unencrypted and ripe for immediate exploitation.
Hacking generally isn’t a one-off event, either: it’s a chain. Your website will be attacked, and once everything useful has been taken from you, the hackers will install malware that will infect your site visitors, so that their information can be stolen as well.
The cyber attack spreads, gathering more and more information as it goes. Eventually it’ll hit a big target. Your website may not be obviously valuable in itself, but as a means of attacking a bigger company in the supply chain, it’s a great asset. Many massive hacks on large companies have been perpetrated as a direct result of an exploit on smaller third-party suppliers.
How your website is vulnerable
Many SME websites use common, off-the-shelf CMS platforms, software, applications and plugins, which often contain vulnerabilities that can be exploited by hackers. Criminals use bots to crawl the Internet, looking for these vulnerabilities and amassing information.
When they find a vulnerability, they exploit it. When they don’t, they record as much information about the website as they can, and wait for a vulnerability to come to light that they can return to exploit later.
Automated attacks are cheap and easy to run, and by their nature are indiscriminate, looking only to exploit known weaknesses – not specific sites. Every website is equally at risk, including yours.
When a critical vulnerability is announced, the criminals will already be working quickly to exploit it before it’s patched. If you’re using unsupported or vulnerable versions (such as WordPress, Adobe or Windows, to use three recently affected examples), then your website will be compromised unless you act quickly to install a patch or update. In October last year, for example, Drupal announced that users who hadn’t patched their CMS platform within seven hours of a bug’s discovery should presume their websites had been hacked.
For this reason, SMEs are often at greater risk than their larger counterparts: although every Internet-facing organisation essentially faces the same threats, big organisations have the resources to support IT teams who are better prepared to deal with automated attacks, implement better patch management and software update programmes, and use regular penetration testing and vulnerability scans to determine the strength of their networks and web apps.
Passwords also remain a common point of intrusion. Far too often, default passwords are left unchanged, or weak and easily cracked passwords are employed by lazy users.
Microsoft’s Security Intelligence Report (SIR), Volume 17 noted that: “What makes stolen account credentials so valuable to cybercriminals is the extent to which users reuse their account names and passwords across different sites and services”.
If another website has been compromised and login details have been stolen, criminals will automate attacks using the username/password combinations they have gained to see what else they can gain access to. Password reuse is rife, so the chances of criminals gaining access to multiple sites with a single set of stolen credentials are high.
This is why it is important to change all default passwords to strong passwords: you can be vulnerable simply because someone else from an entirely different company has chosen a poor password.
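The automated credential-stuffing attack described above has a recognisable footprint in login logs: one source address trying many different usernames in a short window, which is distinct from a brute-force attack on a single account. The following is an added detection example, not code from the original post; the log format (timestamp, source IP, username, result) and the sample lines are constructed for illustration.

```python
"""Flag credential-stuffing patterns in login logs (added example, not from the post).
Log lines are constructed; the format 'timestamp ip user result' is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source trying many different accounts, one ordinary user
# who mistypes a password once. Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2015-03-02T10:00:01 203.0.113.7 alice FAIL
2015-03-02T10:00:02 203.0.113.7 bob FAIL
2015-03-02T10:00:02 203.0.113.7 carol FAIL
2015-03-02T10:00:03 203.0.113.7 dave FAIL
2015-03-02T10:00:04 203.0.113.7 erin OK
2015-03-02T10:00:05 203.0.113.7 frank FAIL
2015-03-02T10:05:00 198.51.100.4 alice FAIL
2015-03-02T10:05:09 198.51.100.4 alice OK
"""

def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: (distinct_users, successful_logins)} for sources that tried at
    least min_users different accounts within `window`. A brute force on one
    account looks different: many attempts against a single username."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                # Accounts that succeeded from a stuffing source are the reused
                # passwords the post warns about: they need resetting, not just blocking.
                successes = sorted(u for _, u, r in in_window if r == "OK")
                flagged[ip] = (len(users), successes)
                break
    return flagged

if __name__ == "__main__":
    print(stuffing_sources(parse_log(SAMPLE_LOG)))
```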
Microsoft continues: “according to a 2011 study of 6 million user-generated passwords, 98.8 percent of users chose a password that was on the list of the most common 10,000 passwords and were therefore easily cracked using off-the-shelf password hash-cracking software and commodity personal computer hardware.”
A seven-character password comprising upper- and lower-case alphanumeric characters has 3,521,614,606,208 possible combinations (i.e. 62 to the power of 7). Assuming an attacker’s password cracking tool can make 1,000 attempts per second, it would take up to 40,759 days (111.7 years) to defeat, which is significantly longer than any attacker is likely to bother with. Add punctuation marks and special characters and the inherent security of a password increases dramatically.
A brute-force dictionary attack may be more successful if the password is based on an actual word, even if “leetspeak” (replacing letters with numbers – e.g. “p455w0rd”) is used, but – again – attackers will give up after a set number of failed attempts.
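The three points above (the common-password list, the 62^7 keyspace figure, and leetspeak substitutions) can be combined into a simple password check. This is an added example, not code from the original post; the common-password set is a constructed stand-in for the real top-10,000 list, the leetspeak mapping is an assumption, and the 10-billion-guesses-per-second figure is an assumed offline cracking rate against leaked hashes, included to show that the post's 1,000-per-second figure only holds for online guessing against a live login form.

```python
"""Password checks illustrating the points above (added example, not from the post).
The constructed COMMON_PASSWORDS set stands in for the real top-10,000 list."""

# Constructed stand-in for a leaked-password list (real lists run to 10,000+ entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Assumed leetspeak substitutions, mapped back to the letter they usually replace.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})

def normalise_leetspeak(password: str) -> str:
    """Undo leetspeak so 'p455w0rd' is compared against the list as 'password'."""
    return password.lower().translate(LEET_MAP)

def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive search must cover (62**7 for the post's case)."""
    return alphabet_size ** length

def days_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker making guesses_per_second attempts."""
    return space / guesses_per_second / 86400

def check_password(password: str, common=COMMON_PASSWORDS, min_length: int = 12) -> list:
    """Return the reasons a password should be rejected (empty list = acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if normalise_leetspeak(password) in common:
        problems.append("matches a common password (leetspeak substitutions do not help)")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems

if __name__ == "__main__":
    # The post's figure: 7 mixed-case alphanumerics = 62**7 combinations.
    space = keyspace(7, 62)
    print(f"62^7 = {space:,} combinations")
    print(f"online guessing at 1,000/s: {days_to_exhaust(space, 1e3):,.0f} days")
    # Assumed offline rate against leaked hashes (illustrative figure, not from the post).
    print(f"offline cracking at 10 billion/s: {days_to_exhaust(space, 1e10) * 86400:,.0f} s")
    for pw in ("p455w0rd", "Tr0ub4dor&3", "correct-horse-battery-staple-2015"):
        print(pw, "->", check_password(pw) or "ok")
```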
Of course, a password is a single authentication factor. No matter how strong it is, if it becomes widely known, it’s no barrier to access.
For even greater security, you should consider two-factor authentication, where a password must be combined with some other authentication factor such as a one-time password or secret question. Think of your bank card and PIN combination as an example: you need both factors to access your account.
You could well be hacked without knowing it
Hackers don’t want to be detected. The majority of intrusions are not detected for months; more often than not they come to light only when patterns in the use of stolen data are noticed that link back to the breached organisation. FireEye’s M-Trends 2015 report found that only 31% of breached organisations discovered the breach internally, and 69% of victims were notified by an external entity. Compromises were discovered after a median of 205 days – more than six months. The longest period an intrusion existed unnoticed was an astonishing 2,982 days – more than eight years.
What you can do to protect yourself
A recent House of Lords report found that “28% of SME employers reported that a general shortage of skills was an obstacle to their business success”. 22% of respondents to the government’s Cyber Streetwise survey admitted that they “don’t know where to start” when it comes to cyber security. If you feel the same, then don’t worry: help is at hand.
Launched in 2014, the government’s Cyber Essentials scheme provides a set of five controls that organisations can implement to establish a baseline of cyber security, and against which they can achieve certification to prove their credentials.
Certification to the scheme will demonstrate to your customers and business partners that fundamental cyber security measures are in place, and provides evidence to validate your organisation’s security posture.
For a no-nonsense introduction to the Cyber Essentials scheme, order your copy of Cyber Essentials – A Pocket Guide for only £3.49.
IT Governance is a CREST-accredited Cyber Essentials certification body, offering fixed-price Cyber Essentials solutions that can help you achieve Cyber Essentials certification for as little as £300.
Beyond Cyber Essentials, organisations that want to improve their cyber security postures should consider implementing an information security management system (ISMS), as set out in the international standard ISO 27001, to ensure they have the right policies and procedures to manage their information assets.