Jan 2019 Security Newsletter: Two Hackers Walk Into A Website...
Two hackers walk into a website...
This isn't just the start of a joke; it's a very real occurrence, and what happens next can depend on a number of factors.
Types of Hackers
First, you have your white-hat hackers. These are security-minded professionals whose only goal is to find flaws in your system and help you patch them. They are paid for their services, and do their work with the full permission of someone in the company, even if the penetration testing is done in a "real-world" fashion. If they are not doing real-world testing, these folks may even have access to your source code to speed up finding and disclosing vulnerabilities. They will never intentionally leave lasting damage to your system, and they will not exfiltrate data from your system out into the wild.
Next, you have your gray-hat hackers. These span a varied spectrum, but they all generally have good intentions, even if they aren't completely on the up-and-up with how they pursue them. At the darker end of this spectrum are people who obviously deface your site, and at the lighter end are people just like the white-hats, but acting without any explicit permission from the companies or services they are working on. It's important to remember that any encounter with these folks should be taken as a learning experience. Oftentimes they will also not leave any lasting damage, or at least nothing that can't be fixed with a quick restore from a backup. However, they are also known to exfiltrate data into the wild: not anything too damaging, but enough that you might be convinced to take your security seriously.
Finally, you have black-hat hackers. These folks will try to operate as close to invisible as they can. They have one goal in mind: how can they turn the flaws in your security into money? This can take many forms: they will steal your database and mine it for personal details that can be sold. They will incorporate code into your website to serve ads from an ad network they control. They can use your website to take control of your host server, turning it into a node on a botnet for use in other projects. And new ways of generating money off of compromised websites are being discovered all of the time, but they all have one thing in common: the longer they can go without detection, the more money they can make off of you.
In all combinations, a sort of competition will begin.
More often than not, white-hats won't run into each other by accident, and they will usually be working as a team. But they might start a friendly competition to see who can break the defenses the fastest, or to find the most ridiculously convoluted way to do so, and if they run into anyone else, they'll likely follow the work to see how they got in, and reveal the vulnerability to their contact.
Two gray-hats will probably just keep overwriting each other's work, both competing to take credit for the site, or even try to clean things up for you and let you know they did, but sometimes they'll just laugh that someone beat them to it and move on, looking for another target.
But if a black-hat runs into anyone, they will try to lock the other person out or work to quickly remove all traces of their activities, and they do this to the extreme. There was a relatively recent WordPress malware, termed Baba Yaga, that went so far as to implement remote updating of the WordPress core, full backups of the entire site, and simple malware scanning and removal. The philosophy behind it was simply that as long as Baba Yaga was installed and unnoticed, it could generate revenue for its controller, and anyone who threatened that needed to be quickly and quietly removed before they triggered a full investigation.
What Do You Do?
At the end of the day, no application is perfect, websites included. The longer your website is online, the more likely you are to run into one or more varieties of hackers. In an ideal situation, your encounters will be with the more ethical side of this spectrum. You might get defaced by a relatively ethical gray-hat who grabs a root password and emails it to you to prove they did, which will convince you to consult a security expert who will work as a white-hat to help you bolster the defenses you have; however, black-hat compromises to websites are only becoming more common.
In all cases, the best defense is knowledge. Knowing where your vulnerabilities are. Knowing what you have in place to limit those vulnerabilities. Knowing what files should and shouldn't look like. Knowing who has access to change those files and when. Knowing how to balance the needs of your application with the risk involved in its implementation.
How Can Armor Help?
Our goal is to take that burden of knowledge off your shoulders. We have automated reporting systems capable of notifying us when your site changes. We have the framework knowledge to look at files and understand exactly what they should and should not be doing. We have methods of tracking users of your website that allow us to footprint vulnerabilities, track them to the sources, and close the holes they used. We maintain regular backups of your files and database that we can quickly deploy to recover your site should the worst happen.
Website security is a full-contact sport, and disregarding it can seriously hurt your business, but with Armor in your corner, you can be sure you'll have the knowledge you need to win most fights, and get back on your feet quickly when you do lose.