As a systems engineer, I consider security a vital aspect of my job, yet it’s the least understood and most frequently overlooked aspect of a customer’s website. Something I hear frequently when discussing security and the associated cost is, “It’s just a WordPress site; we don’t process credit cards; it doesn’t have anything valuable on it.” On the surface this seems like a reasonable defense, if your stored data were truly what attackers were after. Hackers, spammers, phishers and their botnet tools crave something entirely different: your site’s reputation.
The truth is that, yes, attackers don’t really care about your data or your site itself. Most websites aren’t engaged in payment card processing or storage of sensitive personally identifying information (e.g., social security numbers, medical records, financial data). However, attackers do crave legitimate domains from which to launch more complex attacks. They want to enlist your domain’s reputation and hosting resources (CPU, memory and network bandwidth) in their botnet to enhance their ability to conduct any number of illegal activities.
Unfortunately, there’s money to be made in many of these activities: injecting links and ads into your website that drive traffic to other monetized sites, spreading malware in search of juicier targets like your internal corporate IT infrastructure, and installing cryptocurrency miners. Most of the time you don’t realize you’ve been hacked until your domain is blacklisted by Google and others, at which point every visitor to your site sees something like this:
The process of cleaning your site and removing your domain from these blacklists is difficult and time-consuming. The effort to repair damage to your brand is even more so. We should be concerned about protecting our brands. After all, we’re in the business of crafting a reputation for each community that evokes a sense of trust, safety and belonging. At GlynnDevins, we’re serious about protecting what our clients have invested capital in and what we’ve worked hard to craft, tune and perfect on their behalf.
Look at a case from October 2017 where one of our client sites was attacked on a Saturday, which is a favorite time for hackers as they know most people aren’t closely watching their sites on the weekend. Every website hosted by GlynnDevins generates logs for each access attempt and every error that occurs. Those logs are shipped to a secure service that indexes them and allows us to search and inspect with ease. Throughout Saturday morning, we’d been receiving alerts from our log shipping service about brute force login attempts on one of our production hosting servers. The alert notifications were consistently arriving every 5-10 minutes, which is anomalous and an indicator of an ongoing attack. After a closer investigation a pattern emerged:
Once we’d identified the specific website that was being targeted, we switched to watching the live traffic view of the web application firewall. From our logging service and the firewall, we learned that the attacker was rotating IP addresses every two to three attempts to keep from being blocked by the firewall. The IPs were from all over the world, but there was one piece of each request that was similar and allowed us to add a custom rule to block that traffic. We successfully tested that rule before pushing it out to all sites managed by GlynnDevins and smiled as we watched the “200 OK” responses turn into “403 Forbidden,” effectively slamming the door in the attacker’s face.
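To illustrate why the IP rotation described above defeats a per-IP block but not a rule keyed on something every request has in common, here is an added example (not GlynnDevins’ tooling or log service): a short Python script that parses constructed access-log lines in Apache combined format and counts failed wp-login.php POSTs first per client IP, then per User-Agent. The User-Agent pivot, the addresses and the log lines are assumptions for the example; the post does not say which request attribute the real rule keyed on.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log line: client IP, timestamp, request line,
# status, bytes, referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (RFC 5737 test addresses), not real traffic: three IPs
# each try the login form two or three times, then hand off to the next one.
UA = "Mozilla/5.0 (X11; Linux i686) constructed-kit/1.0"  # shared by every attacker request
_ATTEMPTS = [("203.0.113.10", "09:02:11"), ("203.0.113.10", "09:02:14"),
             ("198.51.100.77", "09:02:19"), ("198.51.100.77", "09:02:22"),
             ("198.51.100.77", "09:02:25"), ("192.0.2.45", "09:02:31"),
             ("192.0.2.45", "09:02:34")]
SAMPLE_LOG = "\n".join(
    [f'{ip} - - [14/Oct/2017:{t} +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "{UA}"'
     for ip, t in _ATTEMPTS]
    # a legitimate visitor: one page view, then a login that succeeds (302 redirect)
    + ['203.0.113.200 - - [14/Oct/2017:09:03:02 +0000] "GET /about/ HTTP/1.1" 200 12034 '
       '"https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0) Chrome/61.0"',
       '203.0.113.200 - - [14/Oct/2017:09:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 '
       '"-" "Mozilla/5.0 (Windows NT 10.0) Chrome/61.0"'])

def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]

def failed_logins(events):
    """WordPress re-renders wp-login.php with a 200 when credentials are rejected;
    a successful login answers with a 302 redirect, so only the 200s count here."""
    return [e for e in events if e["method"] == "POST"
            and e["path"].startswith("/wp-login.php") and e["status"] == "200"]

def offenders(events, field, threshold):
    """Values of `field` (e.g. 'ip' or 'ua') with at least `threshold` failed logins."""
    return {k: n for k, n in Counter(e[field] for e in events).items() if n >= threshold}

if __name__ == "__main__":
    fails = failed_logins(parse(SAMPLE_LOG))
    print("per-IP (threshold 5):", offenders(fails, "ip", 5))  # {} : rotation stays under it
    print("per-UA (threshold 5):", offenders(fails, "ua", 5))  # the shared attribute stands out
```

With each address making only two or three attempts, a per-IP threshold of five never fires, while grouping the same seven failures by the shared User-Agent identifies the traffic a custom firewall rule can block.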
Not only were we actively monitoring 24/7 with an on-call systems engineer, but we could trace the attack as it developed, identify the attack vector and resolve the issue in a matter of minutes, something we’ve been doing all year. In 2017 alone, we blocked over 7 million attacks on our clients’ sites.
Supply chain attacks are increasing against WordPress plugins and themes. Last year, several plugins were compromised after they were purchased by a malicious actor: backdoor code was added to each plugin’s codebase, and a new version was released. On another occasion, a plugin owner granted someone he believed to be reputable access to make changes to his plugin’s code. That person, too, inserted a backdoor.
Most WordPress sites follow the recommended practice of turning on the auto update feature. Any site with these plugins installed and auto update enabled would have automatically pulled the compromised release and happily installed its backdoor.
In 2017, attackers demonstrated incredible ingenuity as they exploited both known and unknown vulnerabilities in servers, browsers, browser extensions and plugins. They’re creating new malware and are applying sophisticated phishing and social engineering attacks on a scale we’ve not seen before. Put these together with the incredible combined processing and attacking power of growing botnets, and it looks like we’re in for a wild ride in the months and years ahead.
Anyone can put a site online for cheap these days. However, not everyone is staying educated and monitoring this ever-changing threat landscape. As we connect more and more devices, botnets will continue to grow and evolve in new and creative ways, especially now that there’s considerable money to be made in Bitcoin and other cryptocurrencies. There simply is too much incentive for attackers not to develop new tools and methodologies. Nevertheless, the attackers are not the only ones active in this struggle.
GlynnDevins stands ready to defend your brand and your reputation with a vigilant, proactive team using the best tools the industry offers – and some we’ve created ourselves.