If you’ve been following New Zealand media over the last week or so, you’d be forgiven for thinking that anyone and everyone was ‘hacking’ systems looking for information that could give them an advantage over their competitors.
The media spotlight on leaked emails and wide open websites has certainly brought a rise in enquiries to NetSafe about data privacy, hacking and security vulnerabilities.
Raising awareness of computer security
NetSafe has worked with the North Harbour Business Association over the last month to deliver a programme of cyber security education based on the Connect Smart Guide for SMEs, a four-step process aimed at raising awareness of computer security issues amongst small businesses.
It’s always hard to steer clear of technical jargon and acronyms when discussing cyber security, but NetSafe does have the advantage of using real-life case studies to illustrate the ‘bad stuff’ that happens to real New Zealanders and small Kiwi businesses.
Over the last 4 years our ORB website has taken more than 11,000 cyber incident reports from people and businesses across New Zealand with more than $10m in losses recorded from a range of digital challenges.
Common incidents affecting SMEs:
- Intercepted emails
- Hacked websites
- Employment scams
- Spear phishing
- Insider threats
When it comes to hacked websites, there are plenty of ways to identify the threats and vulnerabilities your site may be exposed to, ranging from professional security companies offering penetration testing services to reading up on industry standards and guidelines such as the OWASP Top 10.
Recent academic research has highlighted the fact that if you use a popular Content Management System (CMS) to power your website, you’re more likely to encounter problems:
CMSes simplify configuration by reducing technical barriers, which means that they are often administered by non-experts. This could lead to a greater chance for server misconfiguration.
Second, CMS platforms are a form of software monoculture, exhibiting common vulnerabilities in both the underlying code and the default configurations.
Furthermore, we suspect that a key driving force behind the variation in compromise rates across software types is the software’s market share. When more webservers run a particular type of software, they collectively become a more attractive target for miscreants.
In short, if you’re using a popular system such as WordPress or Joomla to build the bones of your website, it pays to keep the CMS, along with its plugins and themes, patched and protected.
A tool like the Wordfence security plugin can highlight just how many automated attacks your site may face from attackers spread across the net, by logging the brute-force login attempts and blocked requests that an ordinary WordPress site receives.
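To show what those automated attacks look like before a plugin summarises them, here is an added example (written for this page, not NetSafe’s or Wordfence’s code) that reads ordinary web server access log lines and flags source addresses that are password-guessing against wp-login.php, hammering xmlrpc.php, or scanning for plugin and theme paths. The log lines are constructed sample data, and the thresholds are assumptions for the example rather than anyone’s recommended settings.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Thresholds are assumptions for this example, not Wordfence's settings.
LOGIN_FAIL_THRESHOLD = 5
XMLRPC_THRESHOLD = 5
PROBE_404_THRESHOLD = 5


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def classify(rec):
    """Label a request as one of the automated-attack patterns a WordPress site sees."""
    path, method, status = rec["path"], rec["method"], rec["status"]
    # A failed WordPress login re-renders the form with HTTP 200;
    # a successful one answers with a 302 redirect into wp-admin.
    if path.endswith("/wp-login.php") and method == "POST" and status == 200:
        return "login_fail"
    # XML-RPC is abused for password guessing and pingback floods.
    if path.endswith("/xmlrpc.php") and method == "POST":
        return "xmlrpc_post"
    # Scanners probe for plugins/themes they have exploits for; misses show up as 404s.
    if status == 404 and ("/wp-content/plugins/" in path or "/wp-content/themes/" in path):
        return "plugin_probe_404"
    return None


def find_attackers(log_text):
    """Return {ip: [reasons]} for source addresses whose activity crosses a threshold."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind:
            counts[rec["ip"]][kind] += 1

    flagged = {}
    for ip, c in counts.items():
        reasons = []
        if c["login_fail"] >= LOGIN_FAIL_THRESHOLD:
            reasons.append(f"{c['login_fail']} failed logins to wp-login.php")
        if c["xmlrpc_post"] >= XMLRPC_THRESHOLD:
            reasons.append(f"{c['xmlrpc_post']} POSTs to xmlrpc.php")
        if c["plugin_probe_404"] >= PROBE_404_THRESHOLD:
            reasons.append(f"{c['plugin_probe_404']} 404s probing plugin/theme paths")
        if reasons:
            flagged[ip] = reasons
    return flagged


def _log_line(ip, sec, method, path, status, ua="Mozilla/5.0"):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Mar/2015:10:00:{sec:02d} +1300] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')


# Constructed sample: one legitimate admin login, one password-guessing bot,
# one XML-RPC hammering bot and one plugin scanner that stays under the threshold.
SAMPLE_LOG = "\n".join(
    [_log_line("203.0.113.5", 1, "GET", "/", 200),
     _log_line("203.0.113.5", 2, "POST", "/wp-login.php", 302)]
    + [_log_line("198.51.100.7", 10 + i, "POST", "/wp-login.php", 200, "python-requests/2.5")
       for i in range(6)]
    + [_log_line("192.0.2.44", 20 + i, "POST", "/xmlrpc.php", 200) for i in range(5)]
    + [_log_line("192.0.2.99", 30 + i, "GET", f"/wp-content/plugins/plugin{i}/readme.txt", 404)
       for i in range(3)]
)

if __name__ == "__main__":
    for ip, reasons in find_attackers(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run against a real access log the same script will usually flag a handful of addresses within minutes, which is the point of the Wordfence screenshots: the background noise is not occasional, it is continuous. The status-code distinction matters: counting every POST to wp-login.php would also count the site owner logging in.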
Using the past to predict the future
Pen testing finds the vulnerabilities already present in a site, and incident management plans only come into play after something has gone wrong. Imagine instead a world where data mining and software algorithms could identify threats in advance, where the popularity of your website, the number of back links you have earned, the kind of content you publish and the systems you run on could all be used to flag risk before a hack takes place.
Automatically Detecting Vulnerable Websites Before They Turn Malicious, a paper by Kyle Soska and Nicolas Christin of Carnegie Mellon University (USENIX Security 2014), makes interesting reading for anyone thinking about software or automated systems that could predict with reasonable accuracy which websites are at risk of future attack. Such a system could also help web search engine companies filter poisoned search results before end users visit them and run the risk of a drive-by download.
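The signals the paper works from are observable in a page’s own content, with the CMS name and version advertised in the generator meta tag and the CMS-specific asset paths being the obvious examples. The following is an added example for this page, not the paper’s classifier or any NetSafe tool: it extracts those signals from raw HTML and turns them into plain-language risk notes. The HTML pages are constructed samples, the “current release” numbers are an assumption supplied by the caller, and the scoring is a hand-written heuristic, not the paper’s trained model.

```python
import re
from html.parser import HTMLParser


class _PageScanner(HTMLParser):
    """Collect the generator meta tag and every src/href attribute from a page."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.asset_urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        for key in ("src", "href"):
            if a.get(key):
                self.asset_urls.append(a[key])


GENERATOR_RE = re.compile(r"^(?P<cms>WordPress|Joomla!?|Drupal)\s*(?P<version>\d[\d.]*)?", re.I)
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/?#]+)/")
CMS_NAMES = {"wordpress": "WordPress", "joomla": "Joomla", "drupal": "Drupal"}


def extract_features(html):
    """Return the CMS-related signals visible in raw HTML, without contacting the server."""
    scanner = _PageScanner()
    scanner.feed(html)
    feats = {"cms": None, "version": None, "plugins": set(), "hints": set()}
    if scanner.generator:
        m = GENERATOR_RE.match(scanner.generator.strip())
        if m:
            feats["cms"] = CMS_NAMES[m.group("cms").rstrip("!").lower()]
            feats["version"] = m.group("version")
    for url in scanner.asset_urls:
        # Path conventions give the CMS away even when the generator tag is removed.
        if "/wp-content/" in url or "/wp-includes/" in url:
            feats["hints"].add("wordpress-paths")
            feats["cms"] = feats["cms"] or "WordPress"
        if "/media/system/" in url or "/media/jui/" in url:
            feats["hints"].add("joomla-paths")
            feats["cms"] = feats["cms"] or "Joomla"
        m = PLUGIN_RE.search(url)
        if m:
            feats["plugins"].add(m.group(1))
    return feats


def _vtuple(version):
    """'3.9.2' -> (3, 9, 2) so versions compare numerically rather than as strings."""
    return tuple(int(x) for x in version.split(".") if x.isdigit())


def risk_indicators(feats, current_versions):
    """Turn extracted features into readable risk notes.

    current_versions maps CMS name -> latest release and is supplied by the caller;
    the value used in the sample below is an assumption for this example.
    """
    notes = []
    cms, ver = feats["cms"], feats["version"]
    if cms and ver and cms in current_versions and _vtuple(ver) < _vtuple(current_versions[cms]):
        notes.append(f"{cms} {ver} is behind the current release {current_versions[cms]}")
    if ver:
        notes.append("exact version disclosed in the generator meta tag")
    if feats["plugins"]:
        notes.append(f"{len(feats['plugins'])} plugin(s) identifiable from asset paths: "
                     + ", ".join(sorted(feats["plugins"])))
    return notes


# Constructed sample pages (not real sites); example.test is a reserved name.
SAMPLE_WP_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 3.9.2" />
<link rel="stylesheet" href="http://example.test/wp-content/plugins/contact-form-lite/css/styles.css?ver=3.9.2" />
<link rel="stylesheet" href="http://example.test/wp-content/themes/twentyfourteen/style.css" />
<script src="http://example.test/wp-includes/js/jquery/jquery.js?ver=1.11.0"></script>
<script src="http://example.test/wp-content/plugins/slider-gallery/js/slider.js"></script>
</head><body><p>Welcome</p></body></html>"""

SAMPLE_JOOMLA_HTML = """<html><head>
<meta name="generator" content="Joomla! - Open Source Content Management" />
<script src="/media/system/js/mootools-core.js"></script>
</head><body></body></html>"""

CURRENT_VERSIONS = {"WordPress": "4.1.1"}  # assumed latest release for the example

if __name__ == "__main__":
    for page in (SAMPLE_WP_HTML, SAMPLE_JOOMLA_HTML):
        feats = extract_features(page)
        print(feats["cms"], feats["version"], risk_indicators(feats, CURRENT_VERSIONS))
```

Everything the script reports is visible to anyone who fetches the page, which is exactly why it is predictive: a scanner picking targets sees the same generator tag and plugin paths, and an outdated version string is an invitation. Removing the generator tag does not fix the underlying version, but it does remove the cheapest signal.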
Some may say the criteria identified are common-sense things that webmasters and IT teams can look for and protect against in advance. For smaller companies, though, any assistance with protecting their websites from defacement or data breaches is well worth exploring.