AWS Root Account Security Best Practices
Learn more about AWS Root Account security best practices from Mission’s Senior Cloud Analyst.
If your business has a website and you are the owner, executive, or marketer, then this blog is for you. Don’t worry, we’re not going to get too technical in this blog, but we are going to cover some of the basics that we think everyone should know.
Website security is a topic that we deal with as an AWS managed services company on almost a weekly basis. My main goal here is to help you build awareness around the severity that vulnerable websites pose to your company and to your customers. Additionally, we will be providing some steps that should be taken to address this issue. With that said, I would like to mention that I think the managed services industry, as a whole, could do a better job at educating businesses about website security. We hope to help change that through blog post like this, webinars addressing best practices, and free technical consulting to help pinpoint vulnerabilities you might not be aware of.
Most people assume that once a website is launched, the project is now finished until the next redesign, or until new features need to be added. That’s what makes sense to most people and for several years that remained the standard. This is no longer the case. Whether you realize it or not, your website is a target waiting to be exploited through a multitude of ways, and it’s no longer a matter of if your website will be compromised, but a matter of when.
As of March 2017, Google reported hackers steal almost 250,000 web logins each week via the billions of usernames and passwords indirectly exposed by third-party data breaches on websites that were hacked. They discovered these compromised websites would steal information and install malicious software (or had some other malicious purpose), resulting in the theft of more than just usernames and passwords.
Because passwords are not often enough to access online accounts, cyber criminals are trying to collect other data, too. Researchers found that some phishers try and siphon location, phone numbers, or other sensitive data while stealing login credentials. Mark Risher, director of product management at Google, said this was one of the study’s key findings.
Based on Sucuri’s analysis of 2017, the three most commonly infected CMS platforms were WordPress, Joomla! and Magento. It is important to note, this data does not suggest these platforms are more or less secure than others.
In most instances, the compromises that were analyzed had little, if anything, to do with the core of the CMS application itself but rather with webmasters’ improper deployment, configuration and overall maintenance.
When most people think of a website being hacked, they think about a big news stories around companies like Facebook and Target, or a government agency like the IRS that was hacked and had valuable personal information stolen. These are companies and organizations that spent millions of dollars, have dedicated security teams, and have some of the best security in the world. They also store sensitive information like social security numbers, account login credentials, and credit card numbers. So why would anyone want to hack into your small business’ website? After all, you’re not a national or global enterprise, and you don’t collect, store social security numbers, or credit card information. So, there is nothing that makes you a target to hackers, right?
This is probably the biggest misconception out there. Contrary to still-common beliefs, hackers aren’t generally out there focused on that type of information. They aren’t even trying to take down your site or steal information. In most cases, they never even visit your website personally. These hackers use sophisticated software, which they have either built themselves or purchased from one of the numerous underground hacker websites, to automatically go out and scour the internet looking for any potential weak spots that allow them to break into websites.
Depending on the software, there are dozens (and sometimes hundreds) of potential entry points that can be probed. And all they have to do is find one; doing so will automatically grant them access and, within less than a second, their malicious code has been injected into your website. Some hackers do this to install programs that allow them to infect the computers of anyone who views your website.
This is what’s known as malware, which can then be used to gain access to your website visitors to try and steal any sensitive information that they have stored on their computers. They can then use it or sell it, causing identity theft. Additionally, hackers will inject code that can automatically redirect someone to any website of their choosing, and it’s often ones that contain pornography or sell pharmaceutical drugs like Viagra without a prescription. Some hackers will also place hidden links into websites, trying to game the system to help those websites rank at the top of Google. There are even some hackers who simply want to hack your website for the sport of it, or for bragging on the dark web to boost their reputation within hacker groups.
Hopefully, this helps change your mindset from thinking that there is a random teenager in his parents’ basement sitting there manually hacking into your website. That is just simply not the case. There are thousands of sophisticated programs that are running through the Internet 24x7, and it’s just a matter of time before they gain access to your site. This can take weeks, months, or even years before you become aware of it and how it’s been harming you. If you have read this far, I’m sure that you can see how this could really damage your company’s brand and cause all sorts of adverse issues.
Now that you understand there is a risk, you might be wondering what are some factors that make your particular website vulnerable? Learn more from Mission’s CTO Jonathan LaCour in our Free Webinar on AWS Security Best Practices.