Since the middle of 2018, the mega-hacks in major websites seem to grow exponentially in quantity and size. This article analyzes in what way the hubspot infrastructure can provide a higher level of security.
In September 2018, CNN reports a hack in facebook, accessing 30 million accounts, in October the turmoil continues, Fortune magazine already speaks of 50 million users. In November, Marriott reveals a data breach of 500 Million Starwood guests, On January 17, 2019, security research Troy Hunt reveals "The 773 Million Record "Collection #1" Data Breach". To be continued....
Many people, even myself start getting blackmail emails from malicious sources, demanding bitcoin money against non-exposure of whatever data. Imagine you are a hotel, and the criminal wants 100.000 EUR in exchange of not exposing the most private data of your clients. Or you are a technology company, and the blackmailers threaten to share you customer list with competition. In times where even governments buy stolen customer records, do you think competitors would not?
Is the world going nuts?
No not really. It is just a simple fact of life that criminals go where the money is. But why do they go to the internet now, and not 10 years ago? The reason is easy:
10 years ago, the Internet still mainly offered page-turners. That means more or less static html pages with not much interaction. Today we are in the time of the internet of services. That means, it provides services to the customer, and in exchange requires (and accumulates) more or less critical user data. In short: many mainstream websites have similar features like social media.
And the users access these pages through the web, via the browser. That makes them vulnerable!
The question is: how can we protect our website (and underlying IT architecture) as much as possible (and financially justifiable) against attacks and internet fraud?
And I dare to go even one step further: given the rising quantity of data breaches, and the increasing professionalism of the attackers, it is highly probable that any of use will be victim of such an attack one day. So the resulting question is: how can I limit the damage as much as possible, if I once got attacked?
In this article I describe and substantiate why I am convinced that HubSpot is a good way to get close to this goal, with a very limited budget invested.
5 Website Security Dimensions to Analyze
In the analysis, we looked at 5 factors:
- human factors
- procedural factors
- infrastructure factors
- physical factors
- legal factors
Human Factors
Security Awareness
HubSpot works with a dedicated team of security experts for site management and monitoring. An open flank for hackers in WordPress sites is the lower security awareness of site administrators, doing this activity only as a side-job with restricted availability. Not being trained regularly and not being focused 100% on the security issue leads to weaknesses in the system that are provenly exploited by hackers. Weak or old passwords are only one example of resulting mistakes.
Security Proficiency for the Complete Architecture
The strong factor at HubSpot is that they provide a dedicated security team who is 100% focused on protecting your website and data. In the WordPress case, there is no team available unless you pay for it. But even external security experts cannot cope with all the open source plugins and sources which you need to use to set up a decent website.
Availability
Another common open flank given by website operators is the lack of 24/7 availability (which would not make sense from an economical point of view). The Websites hosted by Hubspot are managed and monitored by a dedicated team with 24/7 availability.
In the WordPress case, monitoring depends fully on the management processes put in place by the Website operator. All 5 hacker attacks to one of our WordPress websites that we experienced in 2015 took place on a Saturday. Is that coincidence or proper planning by the hackers?
Access
Being close to the customer means that not only marketers but also the sales team has access to the website data. And through the many forms and points of interactivity, the prospects are given access to the platform (and consequently to one of the databases). The users might access from home, office, hotel, airports, mobile phones, etc. All these factors let the risk for attacks exponentially grow. From a business point of view, the rapid access is vital and should not be challenged.
Hubspot limits user access to data through user roles. A marketing person for instance is normally only getting the marketing, but not the sales data. The end-user's access is protected through many procedures.
The WordPress infrastructure is shows weaknesses in terms of protective measures through contaminated client computers. Roles are missing. So once the intruder cracked the admin password, he as access to all data.
HubSpot is pretty safe against malicious code - in fact it heavily restrains JavaScript code - the preferred cartridge of worms and Trojans.
Manual theft of customer data however, e.g., by a faithless employee, cannot be ruled out. Also the leakage of customer data after a stolen password cannot be excluded by 100%. However, there are routine scans for any kind of malicious use patterns on the website. In addition,
But My IT Personnel Is Against External Hosting
When I worked in factory automation in the early 1990s, I often came across shop floor people bringing up 100s of reasons my factory automation is not good. The reason was clear: they were afraid to loose their jobs. But in those companies, where automation did not take place, the workers lost their jobs anyway, as these companies, becoming rapidly under productive, got bankrupt or were simply closed down.
We have the same phenomenon today. The internal IT service personnel or the freelancer taking care of website and web-hosting is strongly against it. This is out of the same reasons: he is afraid of loosing his job. And in parts this fear is justified. Most of the content integration can be done by the sales and marketing team directly and on the fly. And the expensive hosting and server management within the company does not take place anymore. Lastly the IT person looses his influential stake-holding power over the security of the company. He becomes less important and much easier to replace.
If your IT personnel starts to argue in that direction, you might start asking yourself the question whether it isn't about time to get rid of him anyway.
Two Factor Authentication
For any internal user (sales, marketing, admin, finance, etc), Hubspot offers Two-Factor Authentication. Meaning the user gains access through the website with a code which is provided via a second device (mobile phone). The increases security significantly, as bots cannot endlessly try out passwords. They need the code from the phone as well.
Procedural Factors
Open Source vs. Centralism
WordPress’s strong point is the huge community of open source players who continue providing applications. Unfortunately, this is a weak point at the same time, as the community provides thousands of entry points to hackers. Let us not be negative about decentralized communities. Platforms like the Apple App store or Salesforce successfully work with an ecosystem of providers, but in a rigorously controlled manner that does not leave much scope for fraud. This is unfortunately not the case with WordPress.
Seamless and Holistic
HubSpot has become more and more holistic over the years. By now it covers all the buyer journey from first constant on the Website until the writing and follow up of a quote. Invoices will be added in the course of 2019.
This reduces the amount of APIs and open flanks required. And it reduces the time for recovery and relaunch if something happened.
Level of Freedom to the Website Operators
In WordPress, the website operator can change every line of code, he has access to the Web server and the file server likewise. The Web server in WordPress is the editor environment where you enter your text and configure the website. The file server is the more critical area. Here you upload files and plugins via an FTP or SSH connection. This is a hacker’s paradise.
HubSpot excludes any access to file servers. Also, any JavaScript that allows file uploads is excluded. That would have been the backdoor for hackers to smuggle their malicious software into the website. We tested various scripts to see how far we can go with JavaScript in Hubspot. The maximum we were able to do is to include embedded YouTube videos (technically this is an i-frame script).
Regular Implementation of Security Patches and System Scans - WordPress provides regular security updates. As plug-ins are of open-source origin, this includes the risk of aggravating the sites security situation or in the worst case of importing a worm or Trojan into the website.
In WordPress, this task needs to be done by the website operator, a time consuming and hence costly procedure.
In HubSpot, the high security infrastructure runs continuous scans and intrusion detection routines. HubSpot does all updates centrally, the website operator is not involved.
Rapid Escalation Routines
In order to insure business continuity, you need rapid escalation routines, environmental hazard plans, flood detection programs and so on. And you need a dedicated team who is in charge of it and able to implement it. With WordPress, it depends on the hosting provider you choose. Many of them have that service. That kind of hosting should definitely not given to self-storing startups. With HubSpot, the routines are certified for data center continuity and recovery plans with the SOC2-certification.
On mouse-click, you can revert to previous versions, or replay the website from the backup. A 24/7 hotline helps during recovery phases.
Digital Signatures
An attack form which is often underestimated is the so-called man-in-the-middle-attack. The attacker does not even need to be inside your computer. It is enough if he taps your email communication. Imagine you send out an invoice per email (pdf). He simply catches it off, and resends the email, with a modified invoice, having replaced your banking credentials with his ones.
HuSspot's system allows to add digital signatures (connected to your digital ID). Whoever tries to fake the invoice will turn the attached digital signature or seal to "ERROR". The customer becomes aware that something is wrong.
This approach is compliant to the European eIDAS Regulation for digital identity protection. It brings the probative value of such a signed document legally on the level of a handwritten signature, but it is much more difficult to fake.
Infrastructure Factors
Data Storage Security
When working with WordPress, responsibility for data storage is completely in the hands of the website operator. Normally, data is stored in an FTP environment at his website host, and everything else is up to the website operator himself. Given that, the website operator normally is not a security expert (but rather in the field of business which he tries to market with his site), it brings us back to the open flanks of human factors described above, and the related HR cost implications.
With HubSpot, storage has a whole series of security features:
- Data encryption following the TLS standard with a 2,048 bit key and application enforced authentication. TLS stands for transport layer security. This is an encryption standard which in this case protects the data at rest as well as the data which is being exchanged with the website user (through the authentication enforcement). In short, even if in a very unlikely case a hacker could intrude, he would be unable to understand the exchanged data, neither would he be able interfere with it.
- Network security to prevent unauthorized or unintended access to any internal storage, network or computing devices. HubSpot does this through a series of systems such as
- professional intrusion prevention systems (IPS).
- Web application firewalls (WAF) that protect the websites hosted at HubSpot. In fact, they bring firewall protection to the Web application layer, which is the only space where a website operator that uses HubSpot has access to.
- Distributed denial of service (DDoS) protection. Such systems protect websites against converted attacks which are often concurrently driven by thousands of bots from different addresses concurrently with the objective to make the website and its offerings unavailable to the outside world. You can compare this to a computer-driven “shit storm attack,” in a polite case only overloading the servers to compromise users from accessing the website. In more diabolic approaches, hackers are even trying to bring in malicious software or code. Especially banks or newspapers have recently been victims to such attacks.
- Proactive and continuous scanning and network testing through notable third-party auditors. A scanning every 24 hours would give potential intruders a head margin of worst case 23 hours and 59 minutes. Enough to destroy the system, steal the data and to publish sensitive customer data irrevocably in the Web. In the HubSpot case, it is done continuously..
- Comprehensive logging of all application access paths through web and application server logs. In other words, the system verifies whether the access behavior indicates efforts for malicious attacks, like access efforts form various IP addresses concurrently, continuous typing of wrong passwords, fraud-typical activities on the website, etc.
Multilayered Security
This security measure is more holistic, embracing network, storage and physical security issues. There are many subsystems in an integrated data chain from Web-communication to entry and handling of data in the CRM. The idea of multiple security zones with autonomous firewalls, virus scanning software and authorized personnel could reduce the risk of a full system failure.
In WordPress, such a system is costly to manage. In HubSpot it comes as included system component. Even the website operator himself is kept on the upper level of the website, the web server level. He has no possibility to access the file-servers (this is where hackers love to place malicious scripts and files). This might be disappointing for users who are accustomed to full liberty, but when looking at the security advantages, it might be worth it. In example, even the files and documents that the website operator uploads to the system are passed to the web server (a bit like when you upload videos to YouTube). The HubSpot system transfers these files into the heart of the website only after intensively checking them.
SSL Security (Secure Sockets Layer)
SSL is a cryptographic protocol that encrypts the communication between the website visitor (his browser) and the website. This allows for confidential communication which prevents website and user likewise from being tapped by hackers.
Since summer 2015, Hubspot offers a free-of-charge shared SSL to their website customers. Wordpress users can get an SSL protection from their host. For this, you need a private nameserver, which requires a more costly hosting service. The result is the same. Both alternatives allow for encrypted communication between the website and the customer’s browser. In both cases it is unlikely that communication cannot tapped by hackers.
SSL by the way has a positive SEO effect as Google awards the trustworthiness of such certified sites.
Physical Factors
Physical Security - This includes
- audited protected buildings and access control (ideally with staged security domains),
- 24/7 security staff,
- biometric scanning,
- video surveillance,
- redundancy in IT and communication infrastructures.
In the WordPress case this depends on the hosting service you use. When working with providers like 1&1 or Amazon, physical security is given.
Legal Factors and GDPR
With WordPress, all data security is in your hand and consequently in your responsibility. In case of a data law breach (e.g., sensitive customer data is stolen from your website), it is pretty impossible to claim and responsibility from your providers. There are too many (hosting service, WordPress, open source plug in providers) and there are terms and conditions which exclude any kind of responsibility for any damage or legal consequence.
Let us see how HubSpot will proceed. In my humble opinion, HubSpot will soon host its European data in Europe.
Hubspot support comfortable GDPR management routines. Compliance with the European Data Protection Regulation is provided by default.
CONCLUSION
Let us not be security maniacs. But let us also think of the losses we or our customers may face when our site is hacked, non operational and shooting down in page rank. Imagine the image damage that your customers face when their data is exposed and misused.
When the costs are compared between HubSpot and WordPress, we regularly follow discussions about the relatively high price of HubSpot as compared to the zero WordPress costs. But you need to compare all costs. If you count the personnel costs the calculation comes to a complete different result. An you may also think about costs caused by malicious intrusion, e.g., lost business or compensation of damage.
Our personal conclusion in most of our sites:
We cannot afford to be dead cheap. So please stop discussing the pros and cons of wordpress.
Be rather save than be breached out of your business. And please do not wait - predators will attack the easy prey first.