Website Security Against Russian Cyber Warfare

The Russian-Ukraine conflict may seem miles away, but it’s really as close as your website or inbox.

According to the US Government, both countries are gearing up for large-scale attacks on each other’s websites and internet infrastructure. Russian hackers may also be getting ready to target US banks and websites in retaliation for US sanctions, according to the Department of Homeland Security.

Ukraine Protests Lead to Website Security Issues
KIEV, UKRAINE – JANUARY 2014: Barricade with protesters at Hrushevskogo street on January 25, 2014 in Kiev, Ukraine. Photo by Sasha Maksymenko

The best weapon in their arsenal is the distributed-denial-of-service (DDOS) attack. This method of attack is like an entire neighborhood trying to call 911. The first two or three calls get through, but the next hundred simply jam up the phone network so no other calls can get through. 911 is effectively shutdown.

Hackers can do this by secretly enlisting the resources of sites with poor website security or by enlisting unsuspecting email users. Hackers implant software that waits for their command and creates an ever larger network that can create ever larger attacks. In just the first quarter of 2014, the US has seen nearly a 2% increase in attacks compared to all of 2013. The US has also seen nearly a 50% increase in the amount of fake traffic a hacker can trigger. This proves that they have more resources at hand.

Stopping cyber assaults means better website security and email security. Here’s some tips that we’ve found works best.

Website Security

  1. Require Complicated Passwords: If you have content that requires security, ensure everyone’s passwords have at least 10 characters and is made up of upper and lowercase letters, numbers and at least one special character, like a dollar sign or percent sign. 
  2. Don’t Use Onsite Comments: Comment sections are an easy gateway to exploit a website. Instead, use a service like Discus to allow comments while managing the risk of an exploitation.
  3. Block International Visitors: If you’re not doing business with Russia, China, Poland, Nigeria or Ukraine, block their traffic. Your website security is not worth it. The only traffic you’ll get from those countries are hacking attempts or attempts to catalog your website for viewers who will never use your services. It’s a waist of bandwidth and a security risk. You could setup a firewall and block this traffic based on its IP address, or you could install a service that automatically redirects selected international traffic away from your website. We like WordFence for WordPress and SecurityCheck for Joomla.
  4. Hide Your Login Page: Never use “login” as your login page. Rename it to something generic, like “sally” or “johnjohn”.
  5. Host with a Reputable Service: You get what you pay for with cheap hosts and sometimes that means a lack of security. With several national hosts we’ve tried, we even found that they moved our sites to Ukraine, which is one of the countries we always block. We really like a host called Thesba.com.
  6. Replicate Your Site: Use a website security service like CloudFlare to copy your website globally. It will copy your website content every day to three days and place it on servers closer to your actual customers, meaning your website appears faster to your customers while also being more secure. It also protects you against DDOS attacks as there is always a live backup.

Email Security

  1. Click Nothing: We never click a link, even if we know the address. This is the easiest way for attackers to hijack your computer and email list as you’re helping them bypass your own security. We always type that link directly into Google, read Google’s response and click Google’s link. 
  2. Patch Your Computer: Make sure your computer subscribes to automatic updates for your operating system. Also, subscribe to the live versions of anti-virus software like Avast to protect you from web surfing hazards, or when you click that bad email link by accident.
  3. Watch for Weirdness: If you notice that an email window suddenly opens up without your click, scan your computer. You’re probably infected with a virus.
  4. Only Open Email with a Valid Reverse DNS Entry: Ensure your email service is setup to block as spam any email that doesn’t have a valid reverse DNS check. Valid companies will take the time to add this feature to their domain, which allows anti-spam software to check that a domain name and the number of its server are identical. Hackers will try to fake the domain and computer number where an email was sent, but this is very hard to fake with a valid reverse DNS entry.