It seems like multiple times each year there’s some major breach at a big name company.  2016 saw Sony’s email system hacked early in the year resulting in many large-scale deals being made public before they were ready.   Later in that same year, we saw Target’s customer database get compromised, putting millions of customers data at risk, including credit card information.  In 2017 we saw Equifax get hacked resulting in millions of customers personal information being taken.  We’ve also seen multiple instances of hackers stealing media from companies and holding them for ransom, threatening to release movies weeks before the impending release.  At this point, it’s negligent of any company with an online presence to not consider the security of their systems.  Here are some simple things you can do to protect from common cyber threats.

Distributed Denial of Service (DDoS) Attacks

One of the most common threats is a distributed denial of service (DDoS) attack.  These are pretty common because they’re rather simple and can be done cheaply.  The concept of a DDoS is to simply clog up all the ways into your site so that actual clients can’t access it.  It’s like jamming your store with Black Friday at Wal-Mart levels of customers.  Because these are so simple they have become incredibly common, with more than 2000 attacks observed daily.  Unless you have a dedicated IT team monitoring your traffic, it can be too late to do anything when you realize there’s a problem.  With DDoS, the best case is to be prepared.  While there are many hosting options to choose from, choices like cloud based hosting are the best defense because of the ability to scale quickly by spinning up new servers to absorb the increased traffic and still maintain usability for actual clients.

SQL Injection Attacks

While recent years have seen a rise and subsequent fall in noSQL database options, SQL options like SQL Server and MySQL are still by far the largest database providers.  And whenever you have consistency in technology, you have risk.  The more people use a technology, the more worthwhile it is for an attacker to find and take advantage of a flaw in the system.  Anytime raw data can be observed either in web service calls from the browser to the backend or being passed as URL parameters in an address bar, attackers see it as a possible entry point.  If those parameters are passed back to the database, the attackers could put SQL script in place of those parameters cause the site to erroneously return more data than intended, create user accounts for themselves, or even just completely wipe the database.  This type of attack, however, is easily avoidable if you’re careful.  There are numerous methods to sanitize your inputs to ensure that malicious code doesn’t make it to your database servers.

Cross-Site Scripting (XSS) Attacks

Cross-Site scripting (XSS) attacks are very similar to SQL injection in that malicious code is being injected and run.  The difference is that XSS attacks target the site’s visitors, not the site itself.  While this doesn’t put the sites data at risk, it can damage the reputation of the site, resulting in customers being unwilling to visit the site for fear of attack. Typically the attacker will utilize some form of interaction whether article comments, product reviews, or contact forms and post JavaScript code that will execute when someone else loads the page.   As JavaScript becomes more and more powerful, the threat this attack poses increases.  As with SQL injection, however, this type of attack is preventable by sanitizing any place where visitors can add content to your site.

Passwords (Seriously, guys, we still have to bring this up?)

While many regard passwords as security theatre, they still represent a legitimate way to protect your site and contents therein.  Despite numerous attempts to educate people in choosing passwords intelligently, people will still give in to their laziness and choose simple passwords that are easily deduced.  While a password is no more than an inconvenience to a legitimate hacker, it could prove to be a stopping point to many who are just trying to give you a hard time.

As hackers become more and more sophisticated, it’s important not to forget the simple attacks that could be easily prevented or absorbed.  When we consider the risk that these malicious parties pose to our companies and our customers, it’s negligent not to.