Select Page

Web Security

Web security is the protection of information assets that can be accessed from a Web server. Web server security is important for any organization that has a physical or virtual Web server connected to the Internet. According to a report released in December by the Identity Theft Resource Center (ITRC), “2014 saw 783 security breaches in the U.S. alone, which exposed over 85 million records” and that’s just the breaches that were tracked! Who knows how many other security problems went unreported or, more worryingly, undetected? That’s why as a website/business owner, you would be wise to expect much of the same this year and online security should be at the very forefront of your mind. So if you’ve just bought a new website; are in the process of building one; or have an existing site that is already turning you a profit, you need to make sure it’s secure.

Website Security Check

It may seem obvious, but ensuring you keep all software up to date is vital in keeping your website security in check. This applies to both the server operating system and any software you may be running on your websites such as a CMS or forum. When website security holes are found in software, hackers are quick to attempt to abuse them. If you are using a managed hosting solution then you don’t need to worry so much about applying security updates for the operating system as the hosting company should take care of this. If you are using third-party software on your websites such as a CMS or forum, you should ensure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing any website security issues. WordPress, Umbraco, and many other CMSes notify you of available system updates when you log in.

Cost of Attacks on Websites

The costs associated with computer and website attacks can run well into the thousands and even millions of dollars for a small company. Many small businesses have been attacked — 44%, according to a 2013 survey by the National Small Business Association, an advocacy group. Those companies had costs averaging $8700. You may not think your site has anything worth being hacked for, but websites are compromised all the time. The majorities of web security breaches are not to steal your data or deface your website but instead attempts to use your server as an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature. Hacking is regularly performed by automated scripts written to scour the Internet in an attempt to exploit known website security issues in software. Therefore, websites are unfortunately prone to security risks. And so are any networks to which web servers are connected. Setting aside risks created by employee use or misuse of network resources, your web server and the site it hosts present you’re most serious sources of security risk. Web servers by design open a window between your network and the world. The care taken with server maintenance, web application updates, and your website coding will define the size of that window, limit the kind of information that can pass through it and thus establish the degree of web security you will have.

Security Issues

It’s well known that poorly written software creates security issues. The number of bugs that could create web security issues is directly proportional to the size and complexity of your web applications and web server. Basically, all complex programs either have bugs or at the very, least weaknesses. On top of that, web servers are inherently complex programs. Websites are themselves complex and intentionally invite ever greater interaction with the public. And so the opportunities for security holes are many and growing.

Technically, the very same programming that increases the value of a website, namely interaction with visitors, also allows scripts or SQL commands to be executed on your web and database servers in response to visitor requests. Any web-based form or script installed at your site may have weaknesses or outright bugs and every such issue presents a web security risk.

Contrary to common knowledge the balance between allowing website visitors some access to your corporate resources through a website and keeping unwanted visitors out of your network is a delicate one. There is no one setting, no single switch to throw that sets the security hurdle at the proper level. There are dozens of settings if not hundreds in a web server alone, and then each service, application and open port on the server adds another layer of settings. And then the web site code… you get the picture.

Web Security Obstacles

A very small number of hackers are actually capable of discovering a new way to overcome web security obstacles. Given the work being done by tens of thousands of programmers worldwide to improve security, it is not easy to discover a brand new method of attack. Hundreds, sometimes thousands of man-hours might be put into developing a new exploit. This is sometimes done by individuals, but just as often is done by teams supported by organized crime. In either case, they want to maximize their return on this investment in time and energy and so they will very quietly focus on relatively few, very valuable corporate or governmental assets. Until their new technique is actually discovered, it is considered UNKNOWN.

Known Vulnerabilities

Countering and attempting to eliminate any return on this hacking investment you have hundreds if not thousands of web security entities. These public and private groups watch for and share information about newly discovered exploits so that an alarm can be raised and defense against unknown exploits can be put in place quickly. The broad announcement of a new exploit makes it a known exploit. The outcome of this contest of wills, so to speak, is that exploits become known and widely documented very soon after they are first used and discovered. So at any one time, there are thousands (perhaps tens of thousands) of known vulnerabilities and only a very, very few unknown. And those few unknown exploits are very tightly focused on just a very few highly valuable targets so as to reap the greatest return before discovery. Because once known the best-defended sites immediately take action to correct their flaws and erect better defenses.

The number of sites worldwide is so great and the number of new, as of yet undocumented and thus unknown exploits so small that your chances of being attacked with one are nearly zero – unless you have net assets of truly great value. If you don’t attract the attention of a very dedicated, well-financed attack, then your primary concern should be to eliminate your known vulnerabilities so that a quick look would reveal no easy entry using known vulnerabilities.

How to Accomplish Excellent Security

There are two roads to accomplish excellent web security. On one, you would assign all of the resources needed to maintain constant alert to new security issues. You would ensure that all patches and updates are done at once, have all of your existing applications reviewed for correct security, ensure that only security knowledgeable programmers do work on your site and have their work checked carefully by security professionals. You would also maintain a tight firewall, antivirus protection, and run IPS/IDS. Your other option: use a web scanning solution to test your existing equipment, applications, and website code to see if a KNOWN vulnerability actually exists. While firewalls, antivirus, and IPS/IDS are all worthwhile, it is simple logic to also lock the front door. It is far more effective to repair half dozen actual risks than it is to leave them in place and try to build higher and higher walls around them. Network and website vulnerability scanning is the most efficient security investment of all.

Regularly Scan Your Website

According to USA Today 12th of October newspaper by Joyce M. Rosenberg “Small businesses are particularly vulnerable to attacks because many owners believe they don’t have the time and money to invest in website security or consulting services to make systems more secure.” Therefore, your best defense against an attack on your website is to regularly scan a competently set up domain that is running current applications and whose website code was done well. Website testing, also known as web scanning or auditing, is a hosted service provided by Beyond Security called WSSA – Web Site Security Audit. This service requires no installation of software or hardware and is done without any interruption of web services.

Security staff has been accumulating known issues for many years and have compiled what is arguably the world’s most complete database of security vulnerabilities. Each kind of exploit has a known combination of website weaknesses that must be present to be accomplished. Thus by examining a server for the open port, available service and/or code that each known exploit requires, it is a simple matter to determine if a server is vulnerable to attack using that method.

In a matter of hours, WSSA can run through its entire database of over ten thousand vulnerabilities and can report on which are present and better yet, confirm the thousands that are not. With that data in hand you and your staff can address your actual web security vulnerabilities and, when handled, know that your site is completely free of known issues regardless of what updates and patches have been done and what condition your code is in or what unused code may reside, hidden, on your site or web server. In the complex, large systems it may be that daily web scanning is the ONLY way to ensure that none of the many changes made to site code or on an application may have opened a hole in your carefully established security perimeter!

 

 

Website Design - Call (425).336.0069

Serving Website Design & SEO to its local communities

Professional Website Development

 

SEO services offered nationally

Other states

Do NOT follow this link or you will be banned from the site!