Last week Craig Beaudry co-owner of the 'Wiches Cauldron food truck discovered that his website had become a target for ISIS-motivated hackers. This attack has nothing to do with ISIS taking issue with this business and everything to do with Beaudry being an easy target. The National Post reported that more than 1500 websites have been targeted by the group since January.
In a world where the websites of food trucks become targets for attacks, everyone needs to protect themselves. I pinged our security and IT operations team inside CIRA to see what they made of this situation and what advice they'd offer would-be ISIL targeted small businesses.
“The reason for ridiculously obscure sites being hacked is because they are the low-hanging fruit. Or, rather, their hosting providers are,” said Jake Zack, systems administrator at CIRA. “An attacker can configure a piece of software to take control of the IP addresses for certain websites. If this is successful, I now have control of the compromised websites. These are often sites with low-cost content management software or hosting solutions that have not invested in security measures that could mitigate or prevent the damage to cut down on costs.”
So what's a food truck owner to do? It goes without saying that you should have a good password. Use a complex string of letters, numbers, and special characters that is nearly impossible to guess, but… it gets more complicated from there.
Asking your registrar to activate a registry lock on your domain can help prevent hijacking (also, a registry that offers registry lock is probably a registrar that takes the security of its clients seriously).
You should also make sure that any and all updates are complete (particularly if you use a third party content management system like Wordpress). Security updates and patches can't protect you if they're not installed.
“Small businesses need to focus on their service providers,” said Amanda Swain, Manager of IT Operations at CIRA. “They need to have a relationship with a reputable hosting provider that ensures on-time patching and security enhancements and they need to have a relationship with a reputable website provider that also advocates on-time patching and security enhancements. You need to secure the plumbing, or the network and the servers, and you need to secure the application, or the website. These are not one-time-and-forget-it endeavors. They require continual vigilance and ongoing work and effort to stay safe.”
The world is a dangerous place for website owners. Make sure you're protected.