Learn the ABCs of Online Security Threats

Note: This blog post was originally written by TechSoup. This post has been adapted and expanded for a Canadian audience by TechSoup Canada. 

Online dangers and security hazards are bad enough, but understanding what they all mean is enough to give you a headache. DDoS? XSS? MITM? OMG. It’s enough to confuse anyone. We’ll help you get the gist of what all these security threats mean, and tell you how you can protect yourself and your organization.

DDoS — Distributed Denial of Service Attack

A denial of service attack is, simply put, when an attacker (or attackers) overloads a website, preventing others from being able to visit that site. In a distributed denial of service (DDoS) attack, attackers use a botnet: a network of malware-infected computers (scores of them, sometimes millions) that cybercriminals control remotely to do their bidding. By instructing the computers in a botnet to load and reload a website repeatedly, attackers can effectively knock a website offline temporarily.

Sometimes, attackers carry out DDoS attacks merely to cause mischief, but attackers have also used them to make statements, political or otherwise. A larger website can sometimes weather a DDoS attack, but if you run a smaller site (and as a nonprofit, you probably do), a DDoS attack can be more difficult to ward off.

Some companies do offer protection against DDoS attacks, however. CloudFlare, for example, offers a service that can help mitigate the effects of a DDoS attack. It is a paid service, though, and your organization would have to contact CloudFlare for pricing information. It's hard to say whether or not the protection offered is worth the price, but if your organization's site has been the target of an attack in the past, it might be something worth considering.

Also, some blogging systems, such as EllisLab's ExpressionEngine, include a throttling feature that limits how frequently someone can load your website, thus limiting the effects of a DDoS attack. The full version of ExpressionEngine costs $299, but EllisLab offers a slimmed-down "Core" version that's free for noncommercial and nonprofit users.
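
How a throttling feature of this kind works, as an added example that is not part of the original post and is not ExpressionEngine's code: a per-visitor limiter replayed over constructed traffic. The class name, the limit of 5 loads per 10 seconds and the addresses are assumptions made for illustration.

```javascript
// Sliding-window throttle: serve at most `limit` page loads per client
// address within `windowMs` milliseconds. Names and limits are illustrative.
class Throttle {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // client address -> timestamps of served loads
  }

  // Returns true if the load is served, false if it is throttled.
  allow(client, nowMs) {
    const cutoff = nowMs - this.windowMs;
    const recent = (this.hits.get(client) || []).filter((t) => t > cutoff);
    const ok = recent.length < this.limit;
    if (ok) recent.push(nowMs);
    this.hits.set(client, recent);
    return ok;
  }
}

// Constructed sample traffic: [client address, time in ms].
// 203.0.113.7 reloads every 100 ms; 198.51.100.20 browses normally.
function sampleTraffic() {
  const log = [];
  for (let i = 0; i < 20; i++) log.push(["203.0.113.7", i * 100]);
  log.push(["198.51.100.20", 500], ["198.51.100.20", 4000]);
  return log.sort((a, b) => a[1] - b[1]);
}

// Replays a log through the throttle and counts served/blocked per client.
function replay(log, limit, windowMs) {
  const throttle = new Throttle(limit, windowMs);
  const result = {};
  for (const [client, t] of log) {
    if (!result[client]) result[client] = { served: 0, blocked: 0 };
    if (throttle.allow(client, t)) result[client].served++;
    else result[client].blocked++;
  }
  return result;
}

console.log(replay(sampleTraffic(), 5, 10000));
```

The budget is kept per address, so the normal visitor is never blocked while the reloading address is cut off after five loads. For the same reason a throttle limits each source rather than the combined load of many sources, which is why it reduces the effects of a DDoS attack rather than stopping one.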

XSS — Cross-Site Scripting Attack

Cross-site scripting — or "XSS" for short — is something of a nebulous concept. In general, it refers to a type of security flaw where an attacker is able to insert malicious code into an otherwise legitimate website in order to nab your personal information, among other things. For example, hackers might use an XSS attack to hijack one of your organization's online accounts, or to steal specific bits of personal information, such as your financial information.

Unlike other methods of getting your personal data, such as phishing, there may not be any obvious indicator that something's wrong. You won’t necessarily be able to look at a website address and tell that a site hosts a cross-site scripting attack, for instance, and XSS attacks don't rely on malware and viruses. Sneaky, sneaky.

One way to help prevent XSS attacks is to disable Flash or JavaScript, two common website technologies that attackers target, in your web browser. This is less than ideal because you'll end up missing out on sizable chunks of the web. A better option is to use a browser with a built-in XSS filter, or to use a browser add-on that does the job. Internet Explorer 8 and later versions have a built-in XSS filter, while most other browsers include some form of protection against malicious websites.

If you run a website, you can reduce your risk of becoming a target for an XSS attack by keeping your blogging system — and other website development tools — current.
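
The flaw described in this section, seen from the site owner's side, as an added example that is not part of the original post: a page that pastes visitor text in as-is next to a version that escapes it first. The function names and the sample comment are constructed for illustration, and the example goes beyond the post by showing the output escaping that website software typically performs.

```javascript
// Constructed visitor comment containing markup (sample input, not from the post).
const SAMPLE_COMMENT = "Great post! <script>/* attacker-supplied code */</script>";

// Vulnerable: visitor text is pasted into the page as-is, so any markup
// in it becomes part of the page and the visitor's browser will run it.
function renderCommentUnsafe(author, text) {
  return `<li><b>${author}</b>: ${text}</li>`;
}

// Replace the characters that HTML treats as markup with entities.
// This is suitable for text placed in the page body or in a quoted attribute;
// text placed inside scripts or URLs needs different handling.
function escapeHtml(value) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Hardened: both fields are escaped before they reach the page, so the
// comment is displayed as text instead of being interpreted as code.
function renderCommentSafe(author, text) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</li>`;
}

// True if the rendered HTML contains a live <script> tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(containsScriptTag(renderCommentUnsafe("Sam", SAMPLE_COMMENT)));
console.log(containsScriptTag(renderCommentSafe("Sam", SAMPLE_COMMENT)));
```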

MITM — Man-in-the-Middle Attack

When you were in grade school, you may have played a schoolyard game called Monkey in the Middle. The game's concept is simple: You and another person throw a ball back and forth to each other, while a third person in the middle tries to intercept it.

A man-in-the-middle attack works much the same way, but instead of a ball, the "man in the middle" tries to get at information that's being passed between your computer and the website or online service that you're using. Criminals usually accomplish this by looking for security holes in software that let them get at the data being exchanged between you and the website you’re visiting.

Attackers usually target public Wi-Fi networks like the one at your local cafe, but if your nonprofit has a Wi-Fi network that anyone can connect to without entering a password or security key, it too could be susceptible to this kind of attack.

Man-in-the-middle attacks are one security threat you can readily guard yourself against by avoiding public and unprotected Wi-Fi networks whenever possible. If you have to use a public Wi-Fi network, make sure any site that you enter personal information into is encrypted.

To see if a website is encrypted, check if the website's address begins with "https." If it does, then you're connected securely to that website, and it'll be much more difficult for anyone to intercept any data sent between you and that website (most browsers also display a lock icon to denote an encrypted connection). That doesn't necessarily mean the site on the other end is trustworthy, but it does mean that prying eyes won't have as ready access to your data along the way.