Common website vulnerabilities include poor passwords, cross-site scripting vulnerabilities, SQL injection, vulnerable software, and insecure permissions. The Open Web Application Security Project Top 10 list is the authority on how most Web servers get compromised.
Many times it isn't the Web server or its application software but some link or advertisement that gets hacked. It's fairly common for banner ads, which are often placed and rotated by general advertising agencies, to end up infected. Heck, many times the malware guys simply buy ad space on popular Web servers.
Because many of the evildoers present themselves as businessmen from legitimate corporations, complete with corporate headquarters, business cards, and expense accounts, it's not always so easy to separate the legitimate ad sources from the bad guys. The bad guys often begin by advertising a legitimate product, only to switch out the link in the ad to a rogue product once the ad campaign is under way. One of the more interesting exploits involved hackers compromising a cartoon syndicate so that every newspaper republishing the affected cartoons ended up pushing malware. You can't even trust a cartoon anymore.
Another problem with hacked websites is that the computers hosting one site can often host multiple sites, sometimes numbering in the hundreds or thousands. One hacked website can quickly lead to thousands more.
No matter how the site was hacked, the innocent user, who might have visited this particular website for years without a problem, one day gets prompted to install an unexpected program. Although they're surprised, the fact that the prompt is coming from a website they know and trust is enough to get them to run the program. After that, it's game over. The end-user's computer (or mobile device) is yet another cog in someone's big botnet.
Nation-state cyber warfare programs are in a class by themselves and aren't something most IT security pros come up against in their daily routines. These covert operations create complex, professional cyber warfare programs intent on monitoring adversaries or taking out an adversary's functionality, but as Stuxnet and Duqu show, the fallout of these methods can have consequences for more than just the intended targets.
Crime and no punishment

Some victims never recover from exploitation. Their credit record is forever scarred by a hacker's fraudulent transaction; the malware uses the victim's address book to forward itself to friends and family members; victims of intellectual property theft spend tens of millions of dollars on repair and prevention.
The worst part is that almost none of those who use the above malicious attacks are successfully prosecuted. The professional criminals on the Internet are living large because the Internet isn't good at producing court-actionable evidence. It's anonymous by default, and tracks are lost and covered up in milliseconds. Right now we live in the "wild, wild West" days of the Internet. As it matures, the criminal safe havens will dry up. Until then, IT security pros have their work cut out for them.