Many website owners don't even realize that they were compromised. The majority of the attacks remain undetected and unperceived today because of the high level of sophistication of these attacks, as well as the low level of security awareness among the victims. This is why I decided to write a short and simple piece about web application security to help small online merchants secure their websites and avoid security breaches and data leakages.
Why do web security incidents happen? Targeted, semi-targeted and untargeted web attacks
I'd highlight three main types of attacks: targeted, semi-targeted and untargeted attacks. The concept of a targeted attack is very simple: the final target of the hackers is your website (or any other technical infrastructure) and nothing else. In the SMB e-commerce sector, targeted attacks are fortunately quite rare, as they are quite time-consuming, complex and expensive to conduct, while the outcome of a targeted attack against a small e-commerce website can hardly cover its cost. Hackers are good economists, and will rarely spend more money on an attack than the benefit they can get from it.
However, don't get excited too fast. Many website owners have a false feeling of safety, being convinced that, due to the small size of their business [website] or due to an absence of known enemies, nobody will ever try to hack their website. Let's have a look at semi-targeted attacks to demonstrate that this presumption is wrong.
A semi-targeted attack is when hackers target you (quite often among a dozen other resources), but you are not their final target. To become the victim of a semi-targeted attack, it's enough that your web server is hosted in the same subnet of a large datacenter where a large company's server [the final target] is located as well. I am not even speaking about shared web hosting, where one web server has hundreds of different websites, and quite often it's enough to compromise just one to get access to the others. Hackers always follow the most efficient way: compromising the weakest link in the security perimeter, and in many cases your website or web server may fall squarely into the weakest link category. It is sufficient that a person hunted by the hackers has an account on your website, shop, forum or blog: for hackers it's much easier to compromise your website and try to reuse his or her password on other resources than to attack the front-end of Gmail or PayPal to get access to his or her account there [the final target].