Unfortunately, those were the words I heard in a phone call from a person whose system had been compromised: the hacker began to erase the information it contained, put pornography on their sites and, as if that weren't enough, began to publish user data on social networks.
I responded to the call as fast as I could, and when I got there the server was off. I had to turn it on again, and I started backing up one of the web pages that had not been attacked. But when I tried to start the backup of the next page, its database no longer existed, because the hacker was attacking again and deleted the databases at that moment. Unfortunately, all was lost for my friend.
When I had a little more time to analyze the system where the hacker sneaked in, I realized that it did not comply with basic security standards, much less follow good security practices for that type of system. After looking at the source code, I was not surprised that they had been hacked. So I started to inquire why the system was in this condition, and I realized several things:
They have a programmer who reported the condition of the system, but they wouldn't let him repair it because there wasn't time to do it.
No frameworks of any kind were used that would help protect the systems in terms of security.
There were bad security practices in the connections to the databases, which made it possible to get from one database to all the others.
The passwords had no security at all; one of the passwords was Admin123.
The server used a Windows operating system, which is very insecure and unstable and does not help at all in this type of situation.
With all this, I realized that for this type of situation to happen, there must be a total lack of control over what is happening in terms of programming, in addition to not allowing the correct decisions to be made and depending on a non-technical person to determine the direction of important programming decisions. Keeping a system from being hacked is a security issue, and security is the first thing to take into account when handling large amounts of your customers' data.
Avoid having your data hacked so easily!
After identifying these problems, I decided to help them and draw up a protection and audit plan in which I would evaluate the technical decisions being made and prevent these types of problems, both from the technical point of view and for the company's management, offering them advice so they can make the best decisions from the technical point of view, helping to avoid unnecessary expenses and helping them get the most out of the person in charge of implementing the systems. Fortunately, the right decision was made, and we are already working to redo the system with a much better elaborated security and productivity scheme (considerably improving development times) and, obviously, lowering production costs.