How Secure is Your Website?
13-09-2019
Did you know that 70% of websites contain vulnerabilities that can lead to the theft of sensitive corporate data such as credit card information and customer lists? Web-based applications such as shopping carts, forms, login pages and dynamic content are what hackers excel in. And it’s easy to see why. These applications are accessible 24/7 and control valuable data since they often have direct access to back-end data. If these web applications are not secure, then your entire database of sensitive information is at serious risk. A Gartner Group study reported that “75% of cyber-attacks and Internet security violations are generated through Internet applications.”
With the hacking community also being very close-knit, newly discovered web application intrusions, known as Zero-Day exploits, are posted on various forums and websites known only to members of that exclusive underground group. Postings are updated daily and are used to propagate and facilitate further hacking.
Although we hear about these realities all the time, many people’s natural reaction to them, unfortunately, is “What are the odds that the hacking community would ever target my business?” From our 19 years of experience handling mission-critical projects across a variety of industries, be it aviation, financial services, logistics, retail and much more, we’ve come to truly understand that no industry is immune to hackers’ attacks. For this reason, whenever embarking on a new project, we’ve made it a point to always make IT security our number one priority.
So, you might ask, how secure is my website? And where do I start in ensuring its utmost security?
The first step to achieving a strong handle on web security issues that may potentially impact your business is understanding the difference between ‘threat’, ‘vulnerability’ and ‘risk’. These buzzwords are so often confused and used interchangeably.
In simple terms, a vulnerability is a weakness in a system. A single vulnerability can be enough to compromise a whole system: one SQL Injection flaw, for instance, could give an attacker full control over sensitive data. To gain more control, an attacker could also chain several exploits together, taking advantage of more than one vulnerability. SQL Injection, Cross-site Scripting, server misconfigurations and sensitive data transmitted in plain text are all examples of common vulnerabilities.
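To make the SQL Injection example concrete, here is an added illustration (not code from the original post or from ICON) using Python's built-in sqlite3 module and a constructed in-memory customer table. The vulnerable lookup pastes user input straight into the SQL text, so a crafted value rewrites the query's logic and returns every row; the hardened lookup binds the same input as a parameter, so the database treats it purely as data and the query matches nothing.

```python
import sqlite3


def build_db():
    # Constructed sample data for the demonstration only.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    # Vulnerable pattern: input is interpolated into the statement, so quote
    # characters in the input become part of the SQL grammar.
    query = f"SELECT email FROM customers WHERE email = '{email}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn, email):
    # Hardened pattern: the '?' placeholder binds the value as data; the
    # statement's structure is fixed before the input is ever seen.
    rows = conn.execute("SELECT email FROM customers WHERE email = ?", (email,))
    return sorted(row[0] for row in rows)


def demo():
    conn = build_db()
    normal = "alice@example.com"
    # Textbook tautology input: turns the WHERE clause into "always true"
    # when it is interpolated, but is just a non-matching string when bound.
    tautology = "' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "safe_normal": lookup_safe(conn, normal),
        "safe_tautology": lookup_safe(conn, tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same rule applies to every database driver and ORM: never build SQL by string formatting; use the driver's parameter binding so the query shape is fixed and the input cannot change it.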
On the other hand, cyber threats or simply threats can be defined as cybersecurity circumstances or events with the potential to cause harm by way of their outcome. A few examples of common threats include a social-engineering or phishing attack that leads to an attacker installing a trojan and stealing private information from your applications, political activists DDoS-ing your website, an administrator accidentally leaving data unprotected on a production system causing a data breach, or a storm flooding your ISP’s data centre. Cyber threats can also become more dangerous if threat actors leverage one or more vulnerabilities to gain access to a system, often including the operating system.
When it comes to ‘risk’, this refers to the potential for loss or damage when a threat exploits a vulnerability. Therefore, a risk is a scenario that should be avoided combined with the likely losses to result from that scenario. Examples of risk include financial losses as a result of business disruption, loss of privacy, reputational damage and legal implications.
In this day and age, there are several preventive measures one can take to secure a website, the easiest of which is an SSL certificate. This website security measure may be basic, but it is indispensable. In fact, since July 2018, Google Chrome has alerted website visitors whenever a website doesn’t have an SSL certificate installed. SSL certificates protect the data collected by your website, such as emails and credit card numbers, while it is transferred between the visitor’s browser and your server. Since SSL only protects data in transit, it’s crucial to take further steps for a fully secure website.
A web application firewall stops automated attacks that typically target small or lesser-known websites. Malicious bots are responsible for carrying out these attacks as they automatically look for vulnerabilities they can exploit, or cause DDoS attacks that slow or crash your website. Besides, installing security plugins to your content management system is another common practice for preventing website hacking attempts. When maintaining such plugins, it’s imperative to keep them up-to-date. This is because many of these tools are created as open-source software programs, which means their code is easily accessible – to both good-intentioned developers as well as malicious hackers.
Creating secure admin passwords, hiding your admin folders, storing user passwords in a hashed format, preventing users from uploading files and keeping error messages simple are amongst other industry-proven best practices in website security. But that’s not all.
Many wrongly assume that having firewalls and SSL certificates in place is enough to protect their website in the face of web application hacking. The truth is that any defence at the network security level will provide no protection against web application attacks, since they are launched over ports 80/443, which have to remain open to allow the regular operation of the business.
What’s more, manually auditing all your web applications for vulnerabilities is complex and time-consuming, since it generally involves processing large volumes of data. A high level of expertise, coupled with the ability to keep track of the considerable volume of code used in a web application, is also necessary. Above all, there’s the pressure of knowing that hackers are constantly on the lookout for new ways to exploit your web application.
As the world moves further towards automation, it comes as no surprise that nowadays you can find tools on the market that offer automated web application vulnerability scanning. Within minutes, an automated web application scanner can scan your web application, identify all the files accessible from the internet and simulate hacker activity in order to identify vulnerable components. On top of that, an automated vulnerability scanner can also be used to assess the code which makes up a web application, allowing it to identify potential vulnerabilities which might not be obvious from the internet but still exist in the web application, and can thus still be exploited.
To further enhance our proactive approach towards IT security, our team of IT specialists has put together ICON.secure in partnership with Acunetix, a global web security leader. As the first company to build a fully dedicated and fully automated web vulnerability scanner, Acunetix carries unparalleled experience in the field and has been entrusted by various Fortune 500 companies, including HSBC, VISA, the European Central Bank and Deutsche Bank.
Think it’s time to take IT security as seriously as possible? Smart move.
Get in touch with us today and benefit from the knowledge, expertise and experience of our team of highly skilled IT security engineers. We’ll guide you towards keeping up with the latest trends and practices in the world of IT security as well as manage services such as Acunetix for you, taking the stress out of daily operations. Act now and don’t let the bad guys win!