In a blog post titled “Why Attackers Hack Small Sites“, Pilar Garcia of Sucuri outlines some of the key reasons that attackers will hack small websites. The article expands on an issue I pointed out in my article about protecting your WordPress website: The fact that you don’t need to be big to be a target. In the article, Pilar postulates that the two key reasons websites get hacked are money and exposure. I agree with Pilar’s list, but would add three more very important points to it.
What Else Is There?
There are three more things that an attacker gains when they hack any website, large or small:
By hijacking websites and other Internet devices, attackers can chain these devices together in ways that makes it very difficult (or even impossible) to trace their origin. Without being able to trace their origin, they gain anonymity. And that anonymity gives them invincibility. Which is much more scary than giving them money, in my opinion: People with money can be caught. People who are untraceable can’t.
Not only can they act with impunity, they can also assume the identity of these devices and the users these devices contain, allowing them to gain access to even more resources. Like most things in life, power begets power, and this is no different. ‘Climb the corporate ladder’ just took on a whole new dark & sinister meaning.
Further, they can also chain these devices together to make virtual “super computers” which massive pools of computing power and bandwidth. This bandwidth can be used to do a lot of harm, from attacking large & important sites, blocking services, cracking passwords, etc. It’s like they have the worlds largest mainframe and internet connection which they didn’t have to pay for (and might even be making money from.)
Fix the Small Stuff to Fix the Big Stuff
That’s why, in my view, the first priority we should have (on a world scale) is to secure the little things. For example, the shit-ton of wide open internet enabled devices (routers, appliances, etc) and websites / servers that hackers exploit. And then to educate the average joe on common sense security thinking and practices, such as having the skills and intuition to discern between a legitimate and fake email.
You may have heard of the crime program in New York where they cracked down on small crimes like graffiti and jumping subway gates and ended up seeing significant reductions in large/serioous crimes. I believe that securing the little things in the world would have a similar effect. By robbing attackers of their key source of power, namely: anonymity, bandwidth, and the ability to impersonate, we can make it much harder for them to operate with impunity and virtually unlimited power.
It’s not going to stop everything, but right now it feels like it’s the Wild West out there. Everything is easy ‘pickins. This is a much bigger topic, which I’m sure I’ll want to explore further later.