I had not thought about web site security until one of my web sites was hacked. Thankfully it was not major, but it was a hassle to fix it. Furthermore, Google (thankfully) noticed that it had malware and alerted me (and all visitors to the site) about the problem.
Alan Wlasuk, Managing Partner of 403 Web Security, helps us understand how we can protect our web sites.
What are things business owners can do to protect their own web sites?
The most important thing an owner of an existing business website can do to protect their site is have it tested for security flaws. Even the most security conscious company with skilled developers will have a potentially vulnerable site unless they frequently run security scans. Thousands of possible security flaws may exist in any site, with potentially millions of ways that the site must be tested in order to discover these flaws. Only after a security check has been done will a business owner be able to understand their risks and breach tolerance.
On the other side, any business owner thinking about the development of a new website should start with security in mind. Make sure their developers have web security development skills (most do not). If possible, build the site under proven, secure platforms as opposed to building the site from the ground up. And, as before, have the site tested for security during and after its completion.
Why are hackers targeting web sites?
Web sites get hacked for many reasons; three of the more prevalent are greed, social activism and social acceptance. Greed would be the largest and most obvious reason. For example, the criminal profits that will be made from spear phishing from the Epsilon Breach data have been projected at hundreds of millions of dollars. Social activist groups (e.g., PETA, extremist religious groups) will deface a site or steal private information just to make a statement; there is usually no monetary goal in mind. Social acceptance runs along two fronts. Kiddie Scripters are young, relatively inexperienced hackers who just want to play with easily hacked sites for the sake of just doing it. They use simple tools and get their education from YouTube. More serious hackers look forward to the challenge of breaking into a difficult site to raise their status in the professional hacker community.
Is there any way to have a 100% (maybe 99%) foolproof and protected web site?
Unfortunately, there will never be a 100% protected web site. Even the best and most secure site will only be as secure as current knowledge at the time of implementation allows. New attack methods and introduced flaws in updated supporting systems (e.g., operating systems, databases) will ‘age’ a web site over time. In addition, many sites get hacked as a result of an inside job; some social engineering ploy has allowed a hacker to steal a password or gain access through naïve employees – there will always be bugs in the human hardware.
Companies like 403 Web Security – what do they do to protect web sites?
Two issues in protecting websites are the discovery of security flaws and the remediation of flaws once discovered. Discovery is done through manual and automated external testing (simulated attacks from outside the website) and code reviews (where security developers review the software associated with the website); both are needed in order to find the vulnerabilities in a site. Remediation is the work of repairing the security flaws within a site that were unearthed by the discovery phase. It is essential that manual and automated external tests be run after remediation to verify all security flaws have been repaired and no new flaws have been introduced.
403 is unique in that we are an accomplished security testing company (external manual and automated testing as well as code reviews) as well as a company whose primary focus is the remediation of vulnerable websites. Said differently, most security companies will only tell you about your security problems; 403 is designed to discover and remediate.