Recent events have forced us to look again at the security of our website. Could anyone hijack your website and publish any information he wants on it?
The answer, and this is probably not what you wanted to hear, is “yes, they can”… that is, if you let them.
eServices manager Frederic de Comarmond says there are millions of web attacks every hour and he daily registers on average 1 attack every 5 minutes on his servers.
“There’s no need to panic. Online attacks have always been a common and known threat; the trick is to be aware of this and to be equipped to deal with it.”
"Creating a website today is made to look so easy and simple
that we tend to forget there is more to it than a nice design or a few functional pages.
You need a solid basis and a reliable interface."
Who are hackers? What do they want?
There are two types of hackers. The ones that do it for fun, to prove their skills and to show off. These ones can attack your website as part of a competition and typically have fun changing the information on your website.
Others have harmful intentions. They want to retrieve credit cards information, personal information, access private database… They do it for money.
How do hackers do it? Are there different types of attacks?
Very often, hackers will scan websites for vulnerabilities and choose the websites with the less security as their next prey.
The most common forms of attacks are SQL injections, a code injection technique that exploits a vulnerability in the website programming.
86% of successful web attacks are due to a weakness in web interface.
An SQL injection can allow the hacker to modify the content of your website, insert a virus, slow down your website or redirect your site somewhere else so when users open your site, they are actually transferred to the content of another site.
The most dangerous attacks are attacks on the DNS server, which ensures the visibility of your website. If this server is under attack, then nobody can access or view your website.
What consequences can these attacks have for a website owner?
The consequences can be catastrophic. The company’s image and reputation can be seriously damaged by such event where hackers will publish wrongful information or give a virus to your website visitors. The company risks losing its credibility and the public’s trust.
How can we know our website is under attack?
In some cases, you can tell by visiting your website. A good practice is to check your website every day. If any information is strange, you know someone is tampering with your site.
Some types of attacks are harder to detect, such as the slowing down of your website.
At eServices, we also receive email alerts for every attempted attack. While we do not investigate all attacks – there are so many of them –, serious attacks, such as redirecting of website content or failure in servers, attract our immediate attention.
What should we do to protect our website?
The first ground rule is to have your website done by an experienced developer who will ensure your website is safe from the known and most common threats.
Since your website can never be 100% secured, the second most important thing is to ensure a rigorous monitoring of your site to be able to detect any unusual activity as quickly as possible.
You can also install specific software that will regularly scan your website and certify the authenticity of its content and ensure it is free from malware and harmful codes.
We recommend that any serious business, especially large corporations and financial institutions, opt for this additional security feature.
What should we do if we suspect our website has been hacked?
The key is to react fast. Any attack can be reversed quickly and efficiently if it is detected rapidly. The more you wait, the more time you give the hacker to do more damage, the more people access that wrongful information and the more risks you have of losing control.
If you suspect your website has been attacked, you should immediately call your service provider to report it.
We have a set of procedures for this kind of situation. Usually you would attempt to remove the flawed version of the website as soon as possible and restore a correct version. You would of course need to identify the source of the attack and remedy to it to prevent further similar attacks.
At eServices, we also have backups for our DNS servers so if anything happens to one of them, we can still rely on others and your websites keep being accessible while we work on restoring the servers.
Do online shopping websites or online banking interfaces face the same risks?
Yes they do but they typically have a far tighter security. The website itself and the interface where you do transactions are separated; there are additional encryption devices and security parameters. This is essential for this kind of businesses.
Are Mauritian websites well equipped to face online attacks?
Unfortunately, a lot of Mauritian websites can easily be attacked. While it is a risk for the company, it can also be dangerous for people who use this website and trust it with personal information.
Companies often overlook the security of the website due to a lack of awareness of the risks involved. It is often when it is too late, and your website has been hacked, that you actually realise how important it is to protect and monitor it.
Common mistakes include using only an in-house or freelance designer to create a website when they are often not qualified developers and cannot ensure a secured website. Using a software to publish a website also exposes the publisher to more risks as these software are typically known by hackers and more prone to attacks. Those companies using content management software for their website should ensure they are constantly upgrading their security patches.
Creating a website today is made to look so easy and simple that we tend to forget there is more to it than a nice design or a few functional pages. You need a solid basis and a reliable interface.
