This website is periodically a target of attacks from people looking to show me up. Since I am a security consultant, if someone could insert a script in a form on the website or do something similar, they think they have proven that they are smarter than I am. Every attempt up to now has failed and that is more due to others’ efforts than mine.
What the idiots that attempt these attacks may not realize is that every website/web server has some vulnerability or other. There is no 100% secure site, unless you set it up and then put it in a strong room and never connect it to the internet. You may get a secure site that will never be successfully attacked, but what is the purpose of that site? Security always has to be balanced with functionality and business need.
As with anything man-made, the list of things that can go wrong with a piece of software (which is what a web server or application is), can be really long. Every website has one or more breaking points. The challenge is to identify the risks and manage them. This site uses a popular blogging software (anyone should be able to identify that without any problem) and will obviously have the issues present in that software. Even though the builders of the blogging software test and scan it for vulnerabilities, there will invariably be some that slip through the gaps.
I am aware of that and have implemented certain measures that will mitigate the risks. Among other things,
- The server is on a separate network and not connected to anything else.
- The server and the website are patched regularly and promptly to protect against new vulnerabilities.
- The server does not contain any sensitive data that will cause problems in the event of a breach.
- Whatever is on the server is backed up off-site on a regular basis. In the event of a successful attack, the contents of the website can be restored without major issues.
- Commenting, which can be an attack vector, is turned off and that reduces the risk of spreading the attacks. It also saves me the effort of moderating the comments. It does affect SEO, but I can live with that.
Even if the website is successfully attacked and brought down, I really do not care since this site is not even in the same universe as some of the popular sites that can lose revenue when they are brought down. In fact, running this site costs me quite a bit and I have taken a deliberate decision against displaying ads on the site or monetizing it in any way. I set up this site for my own reasons and as long as those reasons are justified, I will keep this site up.
The only concern is that my site may be used in an attack against other individuals. But, I am aware that I can only do so much and everyone has to do their part in protecting themselves from attacks.
Instead of looking for bullet-proof solutions, at some point we have to decide if the benefits outweigh the risks and take the plunge. This is true, not just for me, but for other individuals and organizations. Depending on their risks, individuals or organizations have to put adequate security measures in place. In case of a successful attack, they should have defined processes to bring their services back up and running with the least impact to themselves or their businesses.
The only thing these childish attack attempts tell me is that the perpetrators have low self-esteem and can only make themselves feel better by putting down another person. Copying an XSS script from RSnake’s cheat-sheet or a SQL injection attack from some article and using that on some website probably gives them something to talk about with friends or at parties, bragging about how they (may have) made this or that security person look like a fool. I do not see any other purpose than to inflate their own ego.