Name: Joshua Hammer – Title: Sales Operations Manager
Hey everybody. Once again this is Joshua Hammer. I’m a sales operations manager here at Sucuri. A little bit about me if you haven’t seen the other webinars, I’ve been here for about four years. Once again, the sales operation manager, married to a beautiful wife with two little girls. And I love games, video games, board games, even security is a game. So let’s have some fun and learn a little something.
So today, we’re going to go over hacker motivation. The age old question of, “Why me,” why your single page site is important to secure, and easy and cheap prevention tips. So that brings the question, “Why me?” Why were you targeted? Well, why are hackers targeting you? Why are hackers hacking? Well, money. There’s a lot of money out there. Redirects can give them money. There are some black hat SEO companies out there that boost your SEO ranking by hacking other sites. Not saying it’s common, but they are out there. Pharmaceutical hacks, of course you know, the ever popular Viagra hacks.
Crypto mining is a big one right now. So they can use your server’s resources to mine for Bitcoin. Or there’s data theft out there. Why else do they hack? Well, they do it for credibility. Of course they can hack the sites and show their friends, “Hey, look what I did.” Or show the different hackers in the community, “Hey, look. My name’s on that site.” Maybe they do it just for the lulz. They do it because it’s fun. They find a little secret or a tip and they can go in there and just hack it.
So one of the big questions and one of the big thought processes out there is that the hackers are out there looking for you. They target the sites individually.
So, “My site’s not important. They’re not going to target my site, so I don’t have to worry about it.” But that’s just a myth. The truth is that it’s bots. I mean if you look, 21.8% of the traffic out there are bad bots. 20.4% are good bots. Just taking a look at that, that means that 42% of the traffic out there is bots. It’s almost half of the traffic on the internet is just computers. So these hackers, do they target sites? I’m sure some of them do, but for the most part it’s just bots that are sent out there looking for vulnerabilities. When they find one, that’s when the hackers come in and attack.
So who gets targeted? Well, the low hanging fruit. Humans like order. We like to pick the path of least resistance, right? So the hackers are the same way. They’re going to go after whatever’s easiest to obtain. If we take a look at some sites, I mean you’ve got your mom and pop website. These are the ones built at home or by a small developer. They’re left alone. They’re not managed. There’s no security. Maybe if there is security, it’s a small, free plugin.
On the other side of that, you got the big business website. They’re built by a large team. They’re managed. They have a plan for updates. They have a test site, a live site. The security is there. It’s always up to date. They pay for protection. They’ve got an in-house team protecting the site.
So if you had these two sites and both of them could make you money, which site would you attack? I don’t know about you, but it’s going to take me a heck of a lot less time to probably target that mom and pop site than it would be to target Walmart’s site. It’s going to be easier for me to get that vulnerability on the mom and pop site. So the path of least resistance? Mom and pop websites. The small websites. So that brings us to, “Come on. I’m not made of money. What am I supposed to do here? I’ve got to protect my sites. I’ve got to do something. But I can’t throw tons of money at it. I don’t make the money that Walmart makes.” So there’s different things. You’ve got backups. You’ve got plugins. You’ve got the web application firewalls, updates, all of this stuff. But let’s look at them a little bit more closely.
So backups. Big key here for the backups is rolling off site backups. I’m going to say it again. Off site. So I can’t tell you how many times when we go to clean a site, we see a backup folder right on the host. Horrible idea. If I’m in there and I’m playing around and I’m hacking your site, and your backups are sitting right there in the same folder, yeah, I’m just going to upload some malware into the backups too. When you restore, you’re restoring my malware. Fantastic. Thank you. You got to get them off site.
The nice part is, there’s tons of plugins out there for WordPress, Joomla, Drupal, all those. They all have backup plugins. Some of them are free. You could download it right to your own computer, to a different server. You can pay companies to do it. Of course I’m going to say, “Hey. Come to Sucuri. We’ll do it for you.” We offer backups for $5 a month. It’s a 90-day rolling backup. So if you need to go back 15 days, we got it for you. If you need to go back 19 days, we got it. You need to go back three months, we got it for you. Now, it’s an add-on. It’s not something that we do by itself. You’ve got to have one of our other products, but it is an option out there.
What else can we do? We can get some security plugins. The plugins out there, there’s tons of security plugins. Our plugin, which of course I know the most about, is a free plugin for WordPress. It monitors simple changes. If you update WordPress, is it going to alert you? Absolutely. The files have changed, so it’s going to tell you, “Hey. The files changed.” If you go, “Well, I just updated WordPress. Makes sense. Files changed.” But if you haven’t touched it in like two months, haven’t done anything, and all of a sudden you’re getting alerts that files changed, that may be a key. I may want to restore to a backup or I may want to take a look and see what’s going on there. Once again, knowledge is power here.
What else can we do? Well, firewall. A WAF, or web application firewall. So there are tons of firewalls out there. Everybody’s got a firewall. Your host has a firewall. Heck, if you’re watching this video, I guarantee you there’s a firewall on your computer and you probably even have a second firewall that’s your router, your modem in the other room. They’re both firewalls, but they’re both designed for different things. Your host’s firewall is designed to protect the server. Your site is not the server. It’s completely different. So a firewall on your computer won’t protect your website, because it’s designed differently; different things attack computers and websites. A web application firewall’s designed to protect your website. Most of them, they’re inexpensive. Our plans start at $10 a month, go up from there. But any kind of web application firewall’s going to help you out. It’ll protect your site if it’s a good firewall, even if your site’s out of date, it’ll virtually patch your site for you. That way you can take your time for your updates. They’re relatively easy to install. At $10 a month, they’re pretty inexpensive.
I’m going to flash back to one of our other webinars that we did not too long ago about cross-site contamination. Guys, if you’re just protecting one site on your host with a web application firewall, all those other sites are just back doors. So you want to make sure you protect every site on your host.
So what else? Update. Updates are fantastic. You’ll hear us say this over and over again in our blog posts, online in tweets, and on all of our webinars. Keep your stuff up to date. However, you’ve got to have an update plan. How often are you checking for updates? Just saying that my site’s up to date, how often do you check that? Do you have a system in place for it? Do you have somebody whose job is to check it every 10 days? Or maybe it’s your job. Do you have a calendar reminder to make sure you check for updates? Do you just hit a button to update it or do you have a test site that you update first, see if it breaks anything, and if it doesn’t break anything, then you update your main site?
If you’re using a test site, do you have a web application firewall that is in place that protects your site for those 10, 15 days until you update your main site? Because during that time, basically when a security update comes out, what it’s doing is saying, “Hey guys, we have a vulnerability on our stuff. Hey, everybody out there. Vulnerability.” If you’re not updating it right away, they just announced that these are the vulnerabilities we patch, so anybody who’s out of date, guess what, these are the vulnerabilities you can use.
In there with the update plan, I threw in a password manager because … You know, it’s funny to me. I’m still seeing passwords out there that are still ABC123 or password. I think there’s an old hacker movie that said the most common passwords are like love, god, sex, they’re still being used. Heck knows why.
I put in this old password, this is one that a company I used to work for a long time ago said you know what, we’re going to make everybody’s password their last name, their first initial, and a number. Hammerj1. Hey, it’s easy to remember, right? Well, guys out there, there’s password managers out there. 1Password is one of them. The one that a lot of us here at Sucuri use is LastPass. They’re easy. LastPass is the one I use, so I know more about it. $12 a year and you can sync it with your phone, keep all of your passwords on your phone. I don’t even know what my passwords are. They’re this weird combination of letters, numbers, symbols, all that, that are like 20 to 30 digits long that are impossible to crack. But impossible to remember, so LastPass is my key for all of those.
So hopefully this gives you an idea here that the, “Why me,” question, it wasn’t you. It was the path of least resistance. Once again, since this’ll be my last webinar for a little while, I want to give out some more prizes. So I picked at random five people from today. I’m going to go ahead and shoot you out a website firewall trial. Jose Colito, Julie Vargo, Kuno Gupta, Paul Fiello, Adrena Baduna,
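The file-change alerting the webinar describes (changes right after an update are expected; changes when nobody touched the site are a signal to investigate or restore from backup) boils down to a hashed baseline and a comparison. The example below is added here and is not Sucuri's plugin code; the site tree is constructed in memory, and `snapshot_dir` is a hypothetical helper for reading a real document root.

```python
import hashlib
from pathlib import Path


def digest(data: bytes) -> str:
    """SHA-256 of a file's contents; the baseline stores digests, never the files."""
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(root: Path) -> dict:
    """Hypothetical helper: read a site's document root into {relative_path: bytes}."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_baseline(files: dict) -> dict:
    """Record a digest per file right after a known-good install or update."""
    return {path: digest(data) for path, data in files.items()}


def compare(baseline: dict, files: dict) -> dict:
    """Classify every difference between the baseline and the current tree."""
    current = build_baseline(files)
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def needs_attention(diff: dict, update_expected: bool) -> bool:
    """Changes during a planned update are noise; changes at any other time warrant a look."""
    return any(diff.values()) and not update_expected


# Constructed sample: a tiny WordPress-like tree before and after an unplanned change.
SITE_BEFORE = {
    "index.php": b"<?php require 'wp-blog-header.php';",
    "wp-config.php": b"<?php define('DB_NAME', 'wp');",
    "wp-includes/version.php": b"<?php $wp_version = 'x.y.z';",
}
SITE_AFTER = dict(SITE_BEFORE)
SITE_AFTER["index.php"] = SITE_BEFORE["index.php"] + b"\n// constructed: content nobody on the team added"
SITE_AFTER["wp-content/uploads/x.php"] = b"<?php // constructed: a PHP file where only uploads belong"

if __name__ == "__main__":
    baseline = build_baseline(SITE_BEFORE)
    diff = compare(baseline, SITE_AFTER)
    print(diff, "investigate:", needs_attention(diff, update_expected=False))
```

Rebuild the baseline only after an update you performed yourself; a baseline refreshed on a schedule would quietly absorb whatever changed in between.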