The 15 Top Critical Security Threats and How to Fix Them
Any website or online application - whether it’s an Internet bank processing millions of dollars in transactions daily or a storefront for small neighborhood businesses – can fall victim to malicious attacks and Internet security issues. Hackers often choose their targets by vulnerability, not by size or notoriety. Smaller systems, which may not even contain sensitive data, can be more tempting targets simply because they are easier to hack.
One might view website security as a single protective shell around a site and server, which can be strengthened or weakened. A more accurate perspective is that every cyber security measure is a layer of protection. Each layer you add keeps your data safer. Many layers will be redundant, and this is good. It may seem counterintuitive or paranoid, but the best approach when securing your site is to assume each layer will fail. For example, two-factor authentication adds a second layer of authentication under the assumption that the primary password will one day be stolen.
But what exactly is a security issue?
What is a Security Issue?
A security issue is any unmitigated risk or vulnerability in your system that hackers can use to do damage to systems or data. This includes vulnerabilities in the servers and software connecting your business to customers, as well as your business processes and people. A vulnerability that hasn't been exploited is simply a vulnerability that hasn't been exploited yet. Web security problems should be addressed as soon as they are discovered, and effort should be put into finding them because exploitation attempts are inevitable.
Here are the 15 most common types of Internet security issues or web security problems and some relevant steps you can take to protect yourself, your data, and your business.
1. Ransomware Attack
The goal of a ransomware attack is to deny you access to critical data and charge you to get it back. The hacker encrypts your data and holds it hostage, then demands a ransom payment in exchange for the decryption key you need to access the files. Increasingly the attacker also copies sensitive data out first and threatens to release it publicly if you do not pay by a deadline (so-called double extortion). Ransomware is the type of attack you’re most likely to see reported in major news media.
How to Prevent: The single most important ransomware defense is thorough, frequent backups of critical data kept somewhere the attacker cannot reach: offline, in a separate account, or on immutable storage, because modern ransomware looks for reachable backups and encrypts or deletes them first. With tested backups you can erase and restore the affected systems instead of paying. Backups do not, however, blunt the leak threat described above, so the controls that stop the initial intrusion (patching, multi-factor authentication, least privilege, and mail filtering, all covered below) are part of ransomware protection too.
2. Code Injection (Remote Code Execution)
To attempt a code injection, an attacker will search for places your application accepts user input – such as a contact form, data-entry field, or search box. Then, through experimentation, the hacker learns what various requests and field content will do.
For example, if your site’s search function places terms into a database query, they will attempt to inject other database commands into search terms. Alternatively, if your code pulls functions from other locations or files, they will attempt to manipulate those locations and inject malicious functions.
How to Prevent: Network-level protections such as a web application firewall (CloudFlare or Liquid Web's Server Secure Plus) filter known attack patterns, but they are a backstop. This security issue has to be addressed from a development perspective as well.
Keep any framework, CMS, or development platform regularly updated with security patches. When programming, validate every piece of user input, no matter how insignificant, against a basic set of rules for what input is expected (an allowlist), and never let user input decide the structure of a query, a command, or a file path.
For example, if the expected input is a five-digit number, reject any input that is not exactly five digits. To prevent SQL injection, use the parameterized queries (prepared statements) that every mainstream database library provides, so that user input is always bound as a value and can never alter the query itself. The "escape for SQL" helper functions many scripting languages ship are easy to misapply (wrong context, numeric fields, forgotten call sites) and should not be your primary defense. For the file-inclusion case, map user-supplied names onto a fixed list of files you control rather than building a path from the request.
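As an added example (not code from the original article or from Liquid Web), here is the search-box case in Python with SQLite: a query built by string concatenation beside its parameterized form, the five-digit allowlist check, and a fixed name-to-file map for the inclusion case. The table names, rows and payload are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample database for the demo (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, zip TEXT)")
    conn.executemany("INSERT INTO products (name, zip) VALUES (?, ?)",
                     [("Widget", "48823"), ("Gadget", "90210")])
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'deadbeef')")
    return conn

def search_vulnerable(conn, term):
    """Vulnerable: the search term is pasted into the SQL text, so the
    attacker controls the query's structure, not just a value."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, term):
    """Hardened: the term is bound to a placeholder. The driver sends it as
    data; quotes, comments and UNIONs inside it are just characters to match."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

# Allowlist validation: exactly five ASCII digits and nothing else.
# fullmatch needs no anchors; [0-9] avoids \d matching non-ASCII digits.
_ZIP_RE = re.compile(r"[0-9]{5}")

def is_valid_zip(value):
    return bool(_ZIP_RE.fullmatch(value))

def products_in_zip(conn, zip_code):
    if not is_valid_zip(zip_code):
        raise ValueError("zip must be exactly five digits")
    return [row[0] for row in conn.execute(
        "SELECT name FROM products WHERE zip = ?", (zip_code,))]

# File-inclusion case: never build a path from the request. Map a name the
# user may choose onto a file you chose. (Template names are constructed.)
_TEMPLATES = {"home": "templates/home.html", "contact": "templates/contact.html"}

def template_path(name):
    if name not in _TEMPLATES:
        raise ValueError("unknown template")
    return _TEMPLATES[name]

# Classic payload: close the quote, append a UNION, comment out the rest.
UNION_PAYLOAD = "' UNION SELECT username || ':' || pw_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", search_vulnerable(db, UNION_PAYLOAD))    # leaks admin:deadbeef
    print("parameterized:", search_parameterized(db, UNION_PAYLOAD)) # []
    print("zip allowlist:", is_valid_zip("48823"), is_valid_zip("48823 OR 1=1"))
```

Run it and the vulnerable search returns the users table alongside the products; the parameterized search returns nothing, because the payload is now a harmless LIKE pattern. The allowlist check rejects the ZIP before it reaches the database at all, which is the right order: validate first, then bind.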
3. Cross-Site Scripting (XSS) Attack
In a cross-site scripting attack, the hacker injects script into a page your site serves to other users, for example through an unescaped comment field or a crafted link. Because that script runs in the victim's browser under your site's origin, it can steal session cookies, act as the logged-in user, deface pages, or redirect visitors to malware or unsolicited advertisements. Your customers are the target and your site is the vehicle, so your company’s reputation can be tarnished, and you can lose customer trust.
How to Prevent: The primary defense is to encode all user-supplied data when it is written into a page, using the encoding for the context it lands in (HTML body, attribute, JavaScript, or URL); modern template engines do this by default, so avoid their "raw" output helpers. As a second layer, set a Content Security Policy that limits the source URLs of scripts and images to your own domain and whatever external URLs you specifically require, and that does not permit inline scripts (no 'unsafe-inline'). This small and often-overlooked step can stop many XSS payloads from ever executing, even when an encoding bug lets them into the page.
4. Data Breach
A data breach occurs whenever an unauthorized user gains access to your private data. They may not have copied it or taken control of it, but they can view it and possibly make changes.
You may not even know there’s a breach immediately. For example, the attacker may have an administrative account password but hasn’t used it to make any changes yet.
How to Prevent: This Internet security issue can be challenging to address because an attacker at this stage is generally taking careful steps to remain hidden. Many systems print details of your previous session when you log in (SSH's "Last login" line, for example, or a CMS dashboard's recent-activity list). Read this information where it is available, and treat unfamiliar times, addresses, or actions as something to investigate rather than ignore.
Most mainstream content management systems and open-source applications offer login and activity notifications natively or through plugins. Other plugins automate the process of surveying your site files for any new additions or modifications. The more of these tools you apply, the more aware you can be of potentially suspicious activity. Early detection of security issues gives you the best options for cleanup and prevention.
5. Malware and Virus Infection
Malware is short for malicious software. Malware on a workstation can encrypt data for ransomware purposes or even log keystrokes to capture passwords. Hackers typically use malware to expand existing access to your site or spread access to others on the same network.
If malware is present, you’ve already been breached. Therefore, it’s crucial to determine which Internet security issues led to the breach before any malware cleanup or restoration.
How to Prevent: On workstations, mitigate the risk by being careful about what you download and by using antivirus or endpoint protection software to find and safely remove malware. Keeping these applications regularly updated is critical, as malware is constantly updated and improved. In addition, day-to-day workstation logins should be accounts without administrative access. In a worst-case scenario, keep good backups so you can wipe and restore a workstation that is compromised too deeply to clean.
The situation on the server end isn’t much different. Malware scanning and intrusion detection tools such as ThreatStack are available, as are tools that monitor for any file modifications or additions. Take care when selecting CMS plugins or server applications to install. Run applications as non-administrative users wherever possible.
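The file-modification monitoring mentioned here and in the data-breach section, as an added Python example (not a tool from the article or from Liquid Web): take a SHA-256 baseline of a site tree, then diff a later snapshot against it. The demo builds a constructed WordPress-like directory in a temporary folder and simulates a dropped file, an edited core file and a deleted file; the file names and contents are invented.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=1 << 16):
    """SHA-256 of file contents. Hash content, not mtime: attackers reset timestamps."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map of relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file():
                result[p.relative_to(root).as_posix()] = hash_file(p)
    return result

def diff_snapshots(baseline, current):
    """Paths added, modified and deleted between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "deleted": sorted(set(baseline) - set(current)),
    }

def demo():
    """Build a constructed site tree, baseline it, then simulate an intrusion:
    a file dropped into uploads, a core file edited, a file removed."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        uploads = site / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "readme.txt").write_text("constructed sample site\n")
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed image bytes")
        baseline = snapshot(site)   # keep this copy OFF the server, read-only

        # Constructed stand-ins for what a web-shell drop and an injected
        # line of PHP would look like to the monitor.
        (uploads / "shell.php").write_text("<?php /* constructed: dropped backdoor */\n")
        (site / "index.php").write_text("<?php /* constructed: injected line */ require 'wp-blog-header.php';\n")
        (site / "readme.txt").unlink()
        return diff_snapshots(baseline, snapshot(site))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}", paths)
```

Two practical points the code comments hint at: store the baseline (and run the comparison) somewhere the web server's account cannot write, or an intruder simply re-baselines after planting files; and expect noise from caches and upload directories, which is why the real plugins let you exclude paths and alert only on executable file types in upload folders.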
6. DDoS Attack
Distributed Denial of Service (DDoS) attacks are generally not attempting to gain access. However, they are sometimes used in conjunction with brute force attacks (explained below) and other attack types as a way to make log data less useful during your investigation.
For example, the hacker may attack your application layer directly by overwhelming your site with more requests than it can handle. The requests need not fetch an entire page; a flood of concurrent requests for a single image, script URL, or expensive search endpoint is enough. Beyond making your site unreachable (which any volumetric attack will do), a Layer 7 attack can inflict further damage by flooding order queues or polluting data with bogus transactions that require extensive and costly manual verification to sort out.
How to Prevent: Blocking such an attack can be nearly impossible by conventional means. There is generally no security issue being exploited. The requests themselves are not malicious and deliberately blend in with normal traffic. The more widely distributed the attack, the more difficult it is to distinguish legitimate requests from those that are not.
If you’re not able to use a DDoS protection service (which absorbs the traffic upstream of your servers), options are fairly limited and vary case by case. Caching static responses and applying per-client rate limits blunt application-layer floods; beyond that, the most effective measure is to absorb the traffic by increasing available server and network resources until the attack subsides or can be isolated.
7. Credential Stuffing Attack
Credential stuffing is the term for hackers abusing the reuse of passwords across multiple accounts. Lists of usernames and passwords from past breaches circulate freely, and automated tools replay them against other services. If one of your passwords leaks from any site, you can be assured that the same username and password will be tried against dozens of other common services.
How to Prevent: The best and easiest way to avoid this security issue is to never use the same password for more than one service; a password manager makes unique passwords practical. Multi-factor authentication also helps, because a replayed password alone is not enough to log in. On the server side, a burst of failed logins for many different usernames from the same address is the signature of a stuffing attempt, and it can be throttled like a brute force attack (explained below).
8. Brute Force Attack
In a brute force attack, the hacker (usually with the help of automation) tries multiple password guesses in various combinations until one is successful. In simpler terms, think of it as opening a combination padlock by trying every possible combination of numbers in order.
How to Prevent: Many CMS and mainstream applications include features, or offer plugins, that watch for repeated login failures and then throttle or temporarily lock out the offending address or account. These are the best preventions for brute force attacks, as they severely limit the number of guesses allowed. Two cautions: lockouts keyed only on the account name let an attacker lock legitimate users out on purpose, so prefer progressive delays and per-address limits over hard account locks; and multi-factor authentication means a guessed password is still not enough on its own.
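The detection logic behind those plugins, as an added Python example that is not from the article or any particular product: a sliding-window failure counter per source address that distinguishes a brute force loop (many failures against one account) from credential stuffing (failures spread across many accounts, as described in the previous section). The log lines and their format are constructed for the demo; real inputs would be wp-login hits, auth.log, or your application's audit log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed application log (format is an assumption for the demo).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login fail ip=203.0.113.7 user=alice
2024-03-01T10:00:03Z login fail ip=203.0.113.7 user=alice
2024-03-01T10:00:05Z login fail ip=203.0.113.7 user=alice
2024-03-01T10:00:08Z login fail ip=203.0.113.7 user=alice
2024-03-01T10:00:10Z login fail ip=203.0.113.7 user=alice
2024-03-01T10:00:12Z login ok ip=203.0.113.7 user=alice
2024-03-01T10:01:00Z login fail ip=198.51.100.9 user=bob
2024-03-01T10:01:01Z login fail ip=198.51.100.9 user=carol
2024-03-01T10:01:02Z login fail ip=198.51.100.9 user=dave
2024-03-01T10:01:03Z login fail ip=198.51.100.9 user=erin
2024-03-01T10:05:00Z login fail ip=192.0.2.44 user=frank
2024-03-01T10:05:30Z login ok ip=192.0.2.44 user=frank
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) ip=(?P<ip>\S+) user=(?P<user>\S+)$")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "ip": m["ip"], "user": m["user"]}

class LoginMonitor:
    """Sliding-window failure counter keyed by source address.

    max_failures failures inside the window is a brute-force guess loop;
    failures against distinct_users or more different accounts from one
    address is the credential-stuffing signature. Either blocks the address.
    """
    def __init__(self, max_failures=5, distinct_users=3, window=timedelta(minutes=10)):
        self.max_failures = max_failures
        self.distinct_users = distinct_users
        self.window = window
        self.failures = defaultdict(deque)   # ip -> deque of (timestamp, user)
        self.blocked = {}                    # ip -> reason

    def observe(self, ev):
        ip = ev["ip"]
        if ip in self.blocked:
            return "blocked"                 # even a now-correct password is refused
        if ev["result"] == "ok":
            return "allow"
        q = self.failures[ip]
        q.append((ev["ts"], ev["user"]))
        cutoff = ev["ts"] - self.window
        while q and q[0][0] < cutoff:        # expire failures outside the window
            q.popleft()
        users = {user for _, user in q}
        if len(users) >= self.distinct_users:
            self.blocked[ip] = "credential-stuffing"
        elif len(q) >= self.max_failures:
            self.blocked[ip] = "brute-force"
        return "blocked" if ip in self.blocked else "allow"

def run(lines, monitor=None):
    """Replay log lines; return (per-line decisions, blocked addresses with reasons)."""
    monitor = monitor or LoginMonitor()
    decisions = [monitor.observe(ev) for ev in map(parse_line, lines) if ev]
    return decisions, monitor.blocked

if __name__ == "__main__":
    decisions, blocked = run(SAMPLE_LOG.splitlines())
    print(decisions)
    print(blocked)
```

In the sample, the fifth guess against alice trips the brute-force limit and the correct password that follows is refused, which is exactly the protection the plugins provide. Blocking by address alone punishes everyone behind a shared NAT and lets an attacker lock out a whole office, so production deployments add progressive delays and combine address, account and device signals; the window bookkeeping stays the same.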
9. Weak Passwords and Authentication Issues
A chain is only as strong as its weakest link, and a computer system is only as secure as its weakest password. Therefore, for any level of access, all passwords should be of sufficient length and complexity. A strong password should include 18 characters minimum, and the longer, the better. Password length increases security more than complexity.
A password like “dK3(7PL” (seven characters drawn from roughly 95 printable symbols, about 7 x 10^13 possibilities) can be cracked far faster than a password like “ThisPasswordIsSixWordsLong” (26 characters) even though the latter contains dictionary words: every added character multiplies the search space, while mixing in symbols only enlarges the alphabet. The one caveat is that a passphrase built from a few very common words is weaker than its length suggests against wordlist attacks, so use uncommon words, or more of them.
How to Prevent: Use two-factor authentication wherever available. This can protect a login even if the correct password is obtained or guessed. Use a password manager so every password can be long and unique, and change a password immediately whenever there is any sign it may have been exposed. Forcing a change on a fixed schedule (every 60 or 90 days) was once standard advice, but current guidance such as NIST SP 800-63B drops that requirement because it pushes users toward predictable variations of the old password; if you do rotate, never reuse a previous one.
10. Social Engineering
Social engineering encompasses all of the non-technical ways an attacker may use to gain access or do damage to your systems or data. The most common method is the oldest: lying or using fabricated information to gain trust.
A malicious actor may impersonate your bank, a utility provider, or even law enforcement. They may claim to be a customer or pose as an executive from your organization. The goal of such attacks is generally to either obtain sensitive information or trick an insider into unknowingly performing destructive actions.
They may try to:
- Obtain confidential contact details.
- Obtain account or credit card numbers.
- Obtain or reset passwords.
- Persuade staff to suspend or cancel essential services.
- Persuade staff to disable critical infrastructure.
- Persuade staff to upload or install malicious software.
Social engineering attacks can be devastatingly effective because the people who launch them are well-practiced in persuasion and deceit. Many have years of experience and finely-honed characters. For example, an attacker posing as law enforcement may give such a skilled performance that they’d fool an actual law enforcement officer. You absolutely cannot rely on your ability to judge character to protect yourself from these attacks.
How to Prevent: Watch for some of these common red-flag cues to become aware of social engineering at play:
- Aggressive language and demanding behavior designed to make you feel like you've done something wrong.
- A sense of urgency around fixing a problem before you have time to fact-check.
- Threats of legal action or financial penalty if you do not immediately comply.
- Evasion and escalated emotion when you ask identity-verification questions.
If someone claims to be from your bank, you should be able to reach that person by calling your bank’s publicly listed phone number and being routed by an operator. Likewise, if an email appears to be an invoice from a service provider, that provider will typically have an online portal or publicly listed customer service phone number you can call to confirm any outstanding bills.
11. SPAM and Phishing
SPAM, or unsolicited email messages (often in high volume), are not a new security problem. SPAM has been a headache for decades at this point, and many of us still receive these emails in our inboxes which we must delete. A threat that many overlook is email account compromise, which then allows a spammer to send their own messages from your mailbox. Not only does your domain’s email reputation suffer, leading to blacklisting, you also receive potentially thousands of email bounce-backs and error messages generated by the spam.
Phishing isn’t exactly an attack, much like fishing isn’t exactly hunting. The hackers can cast a wide net, sending the same generic bait to thousands of targets. In more focused attacks, they will use bait tailored to specific prey, known as spear phishing.
In spear-phishing attacks, staff may receive fake notifications from internal systems, with links crafted to capture logins to those systems. Also, hackers sometimes go whaling by hunting a single high-profile target with convincing bait.
How to Prevent: The best way to avoid falling victim is to approach the threat much like you would social engineering: trust no incoming messages. Use the following practices to gain protection from SPAM and phishing attempts:
- Use strong, unique passwords and multi-factor authentication on every mailbox, since a compromised mailbox is what turns your domain into a spam source.
- Publish SPF, DKIM, and DMARC records for your domain so receiving servers can reject mail forged in your name.
- Use mailing lists or email aliases for shared mailbox purposes (i.e., info@ or sales@).
- Use Captcha or other human verification on all contact forms.
- Verify the source of any messages you receive that prompt action.
- Do not click login links in email messages. Opt instead to open the relevant websites manually or by bookmark.
- Do not blindly trust any email attachments.
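One of the checks above ("verify the source" and "do not click login links") can be automated for mail that reaches a shared mailbox. As an added Python example that is not from the article, this parses the anchors out of an HTML message, flags links whose visible text names a different domain than the real target, and flags targets outside a trusted list. The message, domains and address are all constructed, and the registrable-domain logic is a deliberate simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing-style message (every domain and address is invented).
SAMPLE_EMAIL = """\
<p>Your examplebank account will be suspended in 24 hours.</p>
<p>Log in now at <a href="https://examplebank-secure-login.com/verify">https://portal.examplebank.com/login</a>
to keep access.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
<p>Or <a href="http://198.51.100.23/update">update your details</a> directly.</p>
"""
TRUSTED_DOMAINS = {"examplebank.com"}   # assumption: domains you know are legitimate

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname; IP literals pass through unchanged.
    Simplification: real code should use the Public Suffix List so that
    names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    if labels[-1].isdigit():
        return host
    return ".".join(labels[-2:])

def host_in_text(text):
    """Hostname if the visible link text looks like a URL or bare domain, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlsplit(candidate).hostname
    if host and "." in host and re.fullmatch(r"[a-z0-9.-]+", host):
        return host
    return None

def check_links(body, trusted_domains):
    """Return a finding per suspicious link: {href, text, reason}."""
    parser = _LinkCollector()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        target = urlsplit(href).hostname
        if not target:                      # mailto:, relative links, anchors
            continue
        target_domain = registrable_domain(target)
        shown = host_in_text(text)
        if shown and registrable_domain(shown) != target_domain:
            findings.append({"href": href, "text": text,
                             "reason": "visible text names a different domain than the real target"})
        elif target_domain not in trusted_domains:
            findings.append({"href": href, "text": text,
                             "reason": f"target domain {target_domain} is not on the trusted list"})
    return findings

if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f["reason"], "->", f["href"])
```

The first link is the classic spear-phishing pattern: the text shows the bank's real portal, the href goes to a lookalike domain. The help-center link passes because its target is on the trusted list, and the bare-IP link is flagged because no legitimate provider sends customers to a raw address.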
12. Insider Threat
Betrayal from the inside can harm your company on multiple levels. A trusted employee or contractor can damage your systems, steal confidential information, and even sabotage team unity. The attacker doesn’t even need to be an employee. They could be anyone you trust, like a customer or a delivery driver. Much as with social engineering, you simply cannot rely on your ability to judge character to keep yourself safe.
How to Prevent: Beyond initial vetting and background confirmation of any new employee or contractor, you can further protect yourself by limiting users’ access within the organization. Only grant access to systems required for assigned tasks and only the minimum level of access necessary to complete said tasks.
Accountability is also critical. A malicious insider, like any hacker, prefers to be undetected. Do not use single shared logins for any systems. Do not give a contractor or employee your CMS login. Instead, create a specific login only for them with appropriate permissions. Disable this login when it isn’t needed anymore.
Staff should also stay current on security best practices. Lock workstations in your office or shop with a strong password any time they’re unattended. Also, disable automatic mounting of external disk drives.
13. Sensitive Data Leak
Data leaks, like ransomware, tend to make news when they occur. Data leaks can include customer data or confidential intellectual property like source code. Anything that’s a secret is a target for hackers. This data is most often well secured, and compromise usually occurs through other methods such as insider threats or social engineering.
How to Prevent: Be sure to keep private data behind network security and login restrictions. Limit the number of users authorized for access. Ensure that all user access is secured with strong passwords and multi-factor authentication where possible, and that passwords are changed promptly whenever there is any sign of exposure. Consider using a secure managed email platform to filter out phishing and malicious links. Also, restrict physical access to critical systems.
14. No Backups
As we covered earlier, we add layers of security, assuming that previous layers will someday fail. Therefore, it’s important to have a recovery plan in place in the event of a total loss, whether from catastrophic system failure or malicious exploit of one of the web security problems discussed here. The best recovery plans always begin with thorough, regular backups and adequate backup retention policies.
How to Prevent: Specifics will vary by your needs but revolve around three backup best practices: the scope of your backups, the scheduling of your backups, and your backup retention policy. Whatever you choose, test restores on a regular basis (a backup that has never been restored is an assumption, not a plan) and keep at least one copy offline or in a separate account, so that an attacker who controls the server cannot delete it.
- Scope: Make sure the backup scope covers all specific items you’d need to restore site functionality or business operations. It could be as little as a directory of files and a database or two or entire disks. Include any non-default server configurations or custom application installations. If you can’t afford to lose it or can’t recreate it quickly from a default installation, include it in your backups.
- Scheduling: This can be one of the hardest decisions to make. An appropriate backup schedule will save backups often enough to catch updates and ensure any restored site will be reasonably current – but not so often as to negatively impact site performance or cause sequential backups to be essentially identical.
- Retention: A common mistake here is simply keeping one backup from the previous night to allow restoration after a server failure. But what happens if a site compromise is small and goes unnoticed for a day or more? Then the only available backups are compromised as well. The farther back you can rewind the clock, the better your options are.
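A retention policy that answers the "compromise went unnoticed for a day or more" problem, as an added Python example (not from the article or any backup product): the grandfather-father-son scheme, keeping every nightly backup for a week, the newest backup of each recent week, and the newest of each recent month. The semantics match restic's --keep-daily/--keep-weekly/--keep-monthly; the 400-night backup history is constructed.

```python
from datetime import date, timedelta

def retained_backups(backup_dates, today, keep_daily=7, keep_weekly=4, keep_monthly=12):
    """Grandfather-father-son selection. Keeps:
      * every backup taken in the last keep_daily days;
      * the newest backup in each of the last keep_weekly ISO weeks that have one;
      * the newest backup in each of the last keep_monthly months that have one.
    Returns a sorted list of dates to keep; anything else may be pruned."""
    backups = sorted(set(backup_dates))
    keep = {d for d in backups if today - d < timedelta(days=keep_daily)}

    newest_per_week, newest_per_month = {}, {}
    for d in backups:                       # ascending, so the last write wins
        newest_per_week[d.isocalendar()[:2]] = d
        newest_per_month[(d.year, d.month)] = d
    if keep_weekly:
        keep.update(newest_per_week[k] for k in sorted(newest_per_week)[-keep_weekly:])
    if keep_monthly:
        keep.update(newest_per_month[k] for k in sorted(newest_per_month)[-keep_monthly:])
    return sorted(keep)

def prune_plan(backup_dates, today, **policy):
    """(dates to keep, dates safe to delete) under the policy."""
    keep = set(retained_backups(backup_dates, today, **policy))
    return sorted(keep), sorted(set(backup_dates) - keep)

# Constructed history: one nightly backup for 400 days ending 2024-03-15.
TODAY = date(2024, 3, 15)
NIGHTLY = [TODAY - timedelta(days=n) for n in range(400)]

if __name__ == "__main__":
    keep, prune = prune_plan(NIGHTLY, TODAY)
    print(f"keep {len(keep)} of {len(NIGHTLY)}; oldest kept: {keep[0]}")
    for d in keep:
        print(d)
```

With the defaults the 400 nightlies collapse to 20 retained copies, yet the oldest is almost a year back, so a compromise discovered weeks later still has a clean restore point. Storage cost is what makes the "one backup from last night" mistake tempting; this is how you keep the rewind window without keeping everything.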
15. Not Updating or Patching Regularly
While unpatched systems are perhaps the easiest security issue to avoid, they are also one of the most commonly exploited. Nearly every software update contains at least a few security patches for known vulnerabilities. As hackers discover exploit methods, they share this information within their community. Many freely-available automated hacking tools contain vast databases of these known vulnerabilities. Yet, many CMS installations are rarely (or never) updated after they're initially deployed.
How to Prevent: You must keep all components updated to their latest available supported release. Keep branched releases (such as WordPress) current within the installed branch. Development sites are just as important to update as live production sites. Remember, the attacker doesn’t care whether you’re actively doing business through a given CMS installation or not. They only care whether it’s vulnerable. Abandoned test projects and old demos are prime targets for hackers.
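A small inventory audit, as an added Python example that is not from the article: compare each installation against the release list, distinguish "behind within a supported branch" from "on a branch that no longer receives security fixes", and surface the abandoned demo first. The version numbers, branch support table and site names are constructed, not real WordPress release history.

```python
def parse_version(text):
    """'6.4.3' -> (6, 4, 3). Tuples compare correctly where strings do not ('6.10' > '6.9')."""
    return tuple(int(part) for part in text.strip().split("."))

def fmt(version):
    return ".".join(str(p) for p in version)

def patch_status(installed, released, supported_branches):
    """Compare one installation against the release list.
    released: every published version string (constructed for the demo).
    supported_branches: set of (major, minor) branches still receiving fixes."""
    inst = parse_version(installed)
    all_released = sorted(parse_version(v) for v in released)
    same_branch = [v for v in all_released if v[:2] == inst[:2]]
    latest_in_branch = same_branch[-1] if same_branch else inst
    return {
        "installed": installed,
        "branch_supported": inst[:2] in supported_branches,
        "current_in_branch": inst >= latest_in_branch,
        "latest_in_branch": fmt(latest_in_branch),
        "latest_release": fmt(all_released[-1]),
    }

def audit(inventory, released, supported_branches):
    """inventory: {site name: installed version}. Returns (site, action) pairs,
    unsupported branches first, then sites merely behind within their branch."""
    findings = []
    for site, version in inventory.items():
        s = patch_status(version, released, supported_branches)
        if not s["branch_supported"]:
            findings.append((site, f"unsupported branch, migrate to {s['latest_release']}"))
        elif not s["current_in_branch"]:
            findings.append((site, f"update {version} -> {s['latest_in_branch']}"))
    return sorted(findings, key=lambda f: (not f[1].startswith("unsupported"), f[0]))

# Constructed release data and site inventory (not real version history).
RELEASED = ["5.9.0", "5.9.5", "6.0.0", "6.0.2", "6.3.0", "6.3.2", "6.4.0", "6.4.1", "6.4.3"]
SUPPORTED = {(6, 3), (6, 4)}
INVENTORY = {"www (production)": "6.4.3", "staging": "6.4.1", "old-demo": "5.9.0"}

if __name__ == "__main__":
    for site, action in audit(INVENTORY, RELEASED, SUPPORTED):
        print(f"{site}: {action}")
```

The point of keeping the inventory at all is the last line of the section: the forgotten demo is the one the attacker will find, and it only shows up if someone lists it.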
Keep Your Systems Secure with Liquid Web
An attack against your website is not a matter of if, but when. Taking basic, reasonable precautions and erring on the side of distrust can save you a lot of trouble concerning Internet security issues. Have a thorough, tested recovery plan for a total loss or full compromise.
At Liquid Web, we have over 24 years of experience helping customers resolve web security problems and prevent further attacks. Our dedicated server hosting and cloud servers come pre-configured with basic security measures, and more advanced protections are also available.
Josh Escobedo is a professional Linux System Administrator with Liquid Web.