This week marks the 25th anniversary of when the WWW was made available to the public. Security experts from Ipswitch, ForgeRock, Barracuda Networks and WhiteHat Security commented below.
Michael Hack, SVP of EMEA Operations at Ipswitch:
“The World Wide Web has come a long way since it was opened up to the public 25 years ago. However, in the grand scheme of things, it is still in its infancy. Rapid adoption and fast paced development of Web technologies have, however, meant that innovation has outpaced security and our data isn’t always as secure as we’d like.
“Whilst Governments and regulators work to try and fix this with initiatives such as GDPR and the Data Privacy Shield, and technologists work around the clock to keep one step ahead of cyber criminals, we are still and are always likely to be playing catch up.
“There are steps businesses can take to help keep data safe. Ensuring that perimeter defences and secure file transfer technologies are up to date is key. As is making sure policies and regulations are adhered to. However, training the staff that both administer and use a Web enabled network is essential. A proper understanding of how to keep data safe and widespread recognition of common pitfalls is an essential tool in Web security. We might have come a long way since the Michelangelo virus which, in 1992 was expected to create a digital apocalypse by wiping all data on March 6, there’s still a long way left to go.”
Simon Moffatt, EMEA Director, Advanced Customer Engineering at ForgeRock:
“From its birth a quarter of a century ago, the world wide web has become a core part of our daily lives and we trust it with much of our personal information. Unfortunately, consumers are still largely unaware just how easy it is for fraudsters to access the pieces of data they need to build an identity. There is also a growing familiarity and trust in the internet, with consumers almost blindly expecting websites to keep their details safe.
“In reality, social networks, retailers and other websites have very little incentive to help protect users’ identities. A huge proportion of websites generate revenue through highly-targeted advertising, which is based upon the user’s personal information. Given this, it is in the website owner’s interest to actually encourage users to provide as much information as possible.
“Alongside limited government involvement, industry standards, or incentives to educate consumers about identity protection, it is not surprising to see that there has been a spike in identity fraud cases in recent times. Although the issue of identity fraud does not yet seem to be a mainstream concern, if the number of such cases continues to rise, it likely will be, sooner rather than later.”
Jason Howells, EMEA Director, MSP Solutions at Barracuda Networks:
“Today, there are close to a billion websites on the world wide web. Even taking account of the millions of inactive sites that exist, the Internet presents one enormous, lucrative attack surface. It only takes one person clicking on the wrong web link or pop-up advert, or opening the wrong email attachment, to give cyber attackers the chance they need.
“We are fast reaching a point where businesses are simply unable to effectively secure themselves with their internal resources. As the web threat landscape continues to rapidly change, it’s apparent that many of those internal IT and security professionals know in their hearts that they will likely buckle under the pressure.
“For service providers, this means it’s now virtually impossible to bid on an IT project that doesn’t include provisions for cyber security. Whether they develop that expertise internally or partner to deliver it doesn’t matter. Any proposal that doesn’t include a robust web security component is going to be dead on arrival.”
Ryan O’Leary, VP Threat Research Centre at WhiteHat Security:
“Many organisations today have hundreds, if not thousands, of consumer-facing web applications and websites. Our research has found that each of these websites has anywhere from five to 32 vulnerabilities and the majority exhibit two or more serious vulnerabilities. This holds true for every industry, at any given point in time. Together, it means that there are thousands of vulnerabilities across the average organisation’s websites, with each of these vulnerabilities increasing the chance of a breach.
“By prioritising the critical and high-risk security flaws for remediation, security professionals stand a good chance of reducing the number of days that serious vulnerabilities remain open to attack. They should also aim to participate in devops team meetings to drive the secure application agenda and plan to have both static and live code tested for vulnerabilities on a regular basis. It only takes one persistent hacker to leverage a single flaw to create what could become a catastrophic data breach incident. Businesses must create a culture of cross-team collaboration and cooperation to prioritise website security.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.