Thursday, May 20, 2010

Why So Many Websites Are At Risk

I am always amazed by the number of websites that suffer cyber attacks. Despite the enormous number of attacks, and despite widespread publicity about these attacks, most website owners fail to scan effectively for common security flaws. These attacks can range from simple nuisances to dangerous compromises of sensitive data. Many overlook the possibility of the website being destroyed by a virus, even though it is a relatively common occurrence in the online world.

With all of the work that goes into building a comprehensive website over time, it can actually be more devastating to lose a website than to lose a PC or even an operating system. When a website is brought down by a virus, it cannot be quickly replaced like an operating system or PC. In fact, the damage that is done can take months to repair, especially when you consider how many negative events can transpire as the result of a worm attack. The most obvious effect will be the loss of traffic that will be seen soon after the worm has infected the website.

Most hackers spend hours every day trying to find new exploits, hacking into sites and looking for opportunities to steal cash from hard working business owners. Yet, the business owners do not put forth the same effort to protect their websites. It is important, during website development, that all possible security threats be considered to ensure adequate protection of the website as well as end users.

If website security is such an important consideration for these online businesses, why are the website owners not mitigating security risks and building customer trust?

After doing some research and speaking with various website owners, I believe I have identified some falsehoods most people tend to believe concerning their websites:

1. The Web Developers Deal With Website Security

Many people who start up an online business typically hire other people to build their website. They assume that these web developers will incorporate security. Unfortunately this is not true unless you ask them. As stated previously, it is important, during website development, that all possible security threats be considered.
In other situations, people create their own website. They tend to forget about adding website protection and security. Since most people, when they first start out, are on a very low budget, security is the last thing they worry about. Not even the most basic security measures, which require no special software skills, are put in place. Basic measures may not be perfect, but they are better than no security at all, which makes it easier for people to hack the website.

2. No One Will Hack The Website

Many people tend to think it won’t happen to them – why would hackers go for their website when there are huge high-profile targets around? Many are fooled by this false sense of security. The sad fact is that big companies can employ legions of experts to ensure their website stays safe and secure. The smaller websites tend to have limited resources, and may also be relying on the company that designed their website.
The internet is a very dangerous place, especially for small businesses that conduct hundreds or thousands of dollars in eCommerce each and every day. These smaller websites have emerged as the target of choice for money-hungry hackers. Merely registering a new domain name means it will get scanned for vulnerabilities and potentially targeted.

3. The Website Uses An SSL Certificate (https instead of http)

The term "secure website" is often used for the parts of a website where the data transmitted between a user and the server is encrypted. SSL only means the data in transit is encrypted. It does not actually secure a website, its data, the server or its users. SSL has no ability to protect the information stored on the website once it arrives.
SSL should be used for transfer of private and sensitive data, but that's just one small part of website security.

4. The Website Is Not Hosted With The Microsoft Operating System

When it comes to vulnerabilities in software, and patching of software, most of the news tends to be centered around Microsoft. Since Microsoft software is so widely used, it stands to reason that it would be mentioned the most.
Many people feel that if their websites are hosted on other operating systems, such as Unix, then they are safe. They fail to realize that these other operating systems still need to have patches and updates regularly applied.
Also, many security exploits (e.g. phishing, weak registration/login systems, cross-site scripting (XSS), business logic flaws) are completely independent of the operating system.

5. Website Is Protected By Firewall

Firewalls in front of a web server control traffic to that server. But the web server still has to see web requests, so these cannot be filtered out. Web application firewalls can help protect against known vulnerabilities and unusual traffic, but they cannot usually protect against custom code vulnerabilities, valid use that corrupts data, or zero-day attacks, which take advantage of vulnerabilities that do not currently have a fix. They can be of use in temporarily filtering traffic when a vulnerability is discovered, but need to be thought of as a temporary fix rather than a permanent repair.

6. The Website Is Always Backed Up

Although it is critical to always back up the website and database in case it is brought down, backups are not a protective mechanism; they are an aid to recovery. If the data has been altered maliciously, the backup may well contain the altered data too. Also, backups are unlikely to have everything needed to rebuild the site.

7. The Website Has An Annual Infiltration Test

A vulnerability scanner tool will not be able to discover all the vulnerabilities in your website. In particular, vulnerabilities in any custom-developed code are unlikely to be found by automated tools. Coupled with the fact that the hosting environment and website code are likely to change over a much shorter time span than a year, automated testing and analysis needs to be undertaken more often. Best practice is to undertake automated testing weekly and to have logging and alerting functions which highlight changes to files and potential intrusions on a live basis.

8. The Website Is Up Most Of The Time

Hosting providers usually define certain minimum levels of uptime. You need to check how these are calculated, what you are responsible for and what the exclusions are.
Owners do not often consider what would happen if their website were unavailable for longer than a few minutes. Many fail to have plans in place (disaster recovery and business continuity) to deal with the loss of the website or the loss of access to it.

The falsehoods mentioned appear to be the most basic myths that most people hold. I am fairly confident that many more falsehoods could be added.

The website owners must never forget that they are the website security. What they do or do not do is what makes their websites secure.

Always remember that hackers, like burglars, are opportunists. If you take the security measures to keep your website safe, a hacker will swiftly move on to a site that is less well protected. Securing your website can take minutes, but gives you a lifetime of peace of mind.

If you want more information on plugging the security loopholes in your website, please visit the following website:

http://www.websiteprotection.net
