Castlerock reposted this
We love Tom Liston's post about website security and couldn't agree more. Your organization's reputation and long-term success depend, in part, on your ability to protect data assets and stay out of harm's way. Your web-based applications are mission-critical, and with ever-evolving technology, these systems can become outdated or vulnerable to security breaches at any time. There is nothing wrong with admitting you don't know something or need help! That's why we encourage technology teams to focus on writing software, which is what they do best, and let us manage cloud operations and security. It's simply good teamwork and an incredibly important partnership that best protects your business. #informationsecurity #cybersecurity #castlerockcs
Expert in Cyber Security, Risk Mitigation, Technology Innovation, Development, and Security Education | Seeking Corporate Board Opportunities | Retired - Serving in an advisory capacity at Counter Hack Challenges, LLC.
I've been asked several times over my career, "What is the biggest security threat to small- to medium-sized businesses?" Rather than choosing a standard answer like phishing or ransomware, I'll say something completely different: people who think they know more than they do. I've run into that several times lately.

As many of you know, I use some Google-fu each week to find compromised websites and try to contact the organizations to let them know so the owners can clean up their sites. Recently, I tried contacting the owners of a compromised website through LinkedIn. After sending them several messages, they finally responded that they had "run numerous cybersecurity scans and found no threats." I replied with a list of multiple URLs leading to pages attackers had added to their site. All the pages added to their site suddenly disappeared, and I heard nothing else back.

Today, after exhausting multiple methods of contacting a different organization, I finally decided to give them a call. I don't particularly enjoy calling people because it rarely ends well, but I was determined to get through to them. I spoke to the receptionist and asked to speak with someone in charge of their website. She transferred me to a gentleman, and I explained that I was a security researcher who had noticed their site was compromised while investigating other hacked sites. He immediately got defensive. I explained that attackers had added pages to their site advertising questionable things. "Like what?" he asked. I explained that the added pages advertised techniques for viewing private Instagram profiles, among other things. I asked him if he could look at something in a web browser, preparing to give him a Google search string. He explained that he was "looking at the site right now" and saw nothing wrong. I explained that the attack was different from what he would see on the main site because attackers had added unlinked pages. Then he hung up.
If you think you understand more about website security than you do, you'll likely miss many things, like the fact that most website hacks aren't easily visible. In this case, the attackers wanted these new pages to hang around as long as possible to get the SEO bump associated with having links on a popular web page. Of course, they won't make it easy to spot the hack! If you work in a small- to medium-sized business, you have so much on your plate that you can't be an expert in everything. If someone contacts your company and tells you someone has hacked your organization, listen. Be skeptical—I would never say otherwise, but please listen. You might find out something important. You might find out that someone has hacked your website.
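The post makes the point that injected SEO-spam pages are unlinked from the visible site, so browsing the homepage shows nothing, while search-engine crawlers and search-referred visitors hit those pages constantly. The following is an added example, not code from Tom Liston's post or from Castlerock: it reads web-server access logs in the common "combined" format and flags every successfully served path that a crawler fetched or a visitor reached from a search result, but that does not appear in the site's own sitemap. The domain, the sitemap entries and the log lines are constructed for the example; the crawler user-agent list and search-referrer hosts are assumptions you would extend for your own traffic.

```python
"""Flag pages that search engines know about but your sitemap does not.

Added example (not from Tom Liston's post): injected SEO-spam pages are
usually unlinked from the visible site, so the owner never sees them, while
crawlers and search visitors request them constantly. Comparing what
Googlebot and search-referred visitors fetch against the pages you publish
surfaces them.
"""
import re
from urllib.parse import urlsplit

# Assumed (constructed) sitemap export for a hypothetical site; not a real domain.
SITEMAP_URLS = {
    "https://www.example-shop.test/",
    "https://www.example-shop.test/about",
    "https://www.example-shop.test/products",
    "https://www.example-shop.test/contact",
}

# Constructed access-log lines in Apache/nginx "combined" format; not real traffic.
ACCESS_LOG = """\
203.0.113.7 - - [10/May/2024:08:01:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
66.249.66.1 - - [10/May/2024:08:02:01 +0000] "GET /products HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/May/2024:08:02:05 +0000] "GET /wp-content/uploads/view-private-instagram.html HTTP/1.1" 200 3011 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [10/May/2024:08:03:40 +0000] "GET /wp-content/uploads/view-private-instagram.html?utm=x HTTP/1.1" 200 3011 "https://www.google.com/" "Mozilla/5.0 (Android 13)"
198.51.100.10 - - [10/May/2024:08:04:00 +0000] "GET /about HTTP/1.1" 200 2200 "https://www.google.com/" "Mozilla/5.0"
192.0.2.3 - - [10/May/2024:08:05:00 +0000] "GET /old-promo HTTP/1.1" 404 512 "-" "curl/8.0"
"""

# One combined-format line: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed list of crawler user-agents and search-engine referrer hosts; extend for your traffic.
CRAWLER_UA = re.compile(r"Googlebot|bingbot|DuckDuckBot|YandexBot", re.I)
SEARCH_REFERERS = {"www.google.com", "www.bing.com", "duckduckgo.com"}


def parse_log(text):
    """Return one dict per well-formed combined-format line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def normalize_path(target):
    """Reduce a request target or URL to its path so query-string and slash variants collapse."""
    path = urlsplit(target).path or "/"
    return path.rstrip("/") or "/"


def sitemap_paths(urls):
    """The set of paths the site owner actually publishes."""
    return {normalize_path(u) for u in urls}


def is_search_driven(entry):
    """True if a crawler fetched the page or a visitor arrived from a search result."""
    if CRAWLER_UA.search(entry["ua"]):
        return True
    return urlsplit(entry["referer"]).netloc.lower() in SEARCH_REFERERS


def find_unlisted_pages(log_text, sitemap_urls):
    """Map each successfully served, search-driven path missing from the sitemap to its hit count."""
    known = sitemap_paths(sitemap_urls)
    hits = {}
    for e in parse_log(log_text):
        if e["method"] != "GET" or e["status"] != "200" or not is_search_driven(e):
            continue
        path = normalize_path(e["target"])
        if path not in known:
            hits[path] = hits.get(path, 0) + 1
    return hits


if __name__ == "__main__":
    for path, n in sorted(find_unlisted_pages(ACCESS_LOG, SITEMAP_URLS).items()):
        print(f"{n:4d}  {path}")
```

On the constructed input the only flagged path is the injected "view private Instagram" page, which Googlebot crawled and a search visitor then reached; the published pages and the 404 for a retired URL are ignored. The check is a heuristic: it only sees pages a crawler has already reached, and an attacker who serves the spam content only to crawlers (cloaking) will still pass a manual look at the site in a browser, which is why a `site:` search in the engine itself, the sort of search string the post describes offering, remains a useful second check.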