Introduction
Protecting your website and your customers' sensitive information involves many different layers: the servers' operating systems, the applications running on those servers, network devices, employees, access policies and controls, management support, and so on.
In a world where protecting systems (and the information they hold) is a constantly evolving effort, and the challenges multiply as financially motivated attackers join the hobbyists, a website owner must always be on guard. You may "do everything right" and your system may be "secure" against known vulnerabilities, but situations change, and if you're not careful your system can easily become exposed to malicious activity.
The following is by no means an exhaustive list. It is meant to explain some of the more common attack methods employed today, and to help you and your company start taking a broader approach to website security.
SQL Injection
SQL injection is one of the most pervasive security vulnerabilities on the web today. It takes advantage of code that builds SQL queries by concatenating untrusted input (form fields, URL parameters, cookies, headers) into the query text, so that the input is interpreted as SQL rather than as data. Stored procedures are not immune: a procedure that assembles dynamic SQL from its arguments is just as injectable as application code that does the same.
This method allows the attacker to read, create, update, or delete any data the application's database account can reach, and often to bypass authentication entirely. The most serious scenario is when the attacker can completely compromise the database server and the services that depend on it.
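The following is an added example, not code from the original article: a minimal login check written twice against an in-memory SQLite table with constructed sample users. The first version concatenates the username into the query text and is injectable; the second passes the same values as bound parameters. Three constructed payloads show authentication bypass, dumping every row, and reading a column the query never exposed. The table, users and password "hashes" are invented for illustration.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
SAMPLE_USERS = [
    ("alice", "hash-of-alice-pw", "admin"),
    ("bob", "hash-of-bob-pw", "user"),
]


def make_db():
    """Create an in-memory SQLite database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the query by string concatenation: the injectable pattern."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password_hash):
    """Same query with bound parameters: input is passed as data, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Constructed payloads. '--' starts an SQL comment, so everything the
# application appends after the injected text is discarded.
BYPASS_AUTH = "alice' --"                                         # log in as alice, no password
DUMP_ALL = "' OR 1=1 --"                                          # match every row
DUMP_HASHES = "' UNION SELECT password_hash, role FROM users --"  # read a column the query never selected


def demo():
    """Run the same inputs through both versions and return the rows each yields."""
    conn = make_db()
    return {
        "legit": login_vulnerable(conn, "alice", "hash-of-alice-pw"),
        "vuln_bypass": login_vulnerable(conn, BYPASS_AUTH, "wrong"),
        "vuln_dump_all": login_vulnerable(conn, DUMP_ALL, "wrong"),
        "vuln_dump_hashes": login_vulnerable(conn, DUMP_HASHES, "wrong"),
        "safe_bypass": login_safe(conn, BYPASS_AUTH, "wrong"),
        "safe_dump_all": login_safe(conn, DUMP_ALL, "wrong"),
        "safe_dump_hashes": login_safe(conn, DUMP_HASHES, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} -> {rows}")
```

With the parameterized version every payload returns no rows, because the driver sends the text as a value rather than splicing it into the statement. Python's sqlite3 `execute()` refuses to run more than one statement per call, so a "stacked" `'; DROP TABLE users; --` payload fails here; other drivers and databases do allow it, which is how the delete and update cases in the text arise.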
Software Not Kept Up-to-Date
There tend to be three reasons why software is not kept up-to-date:
1. Lack of Awareness: Despite all the discussion around website security, and the significant impact that simply keeping software up-to-date has on keeping a site secure, the practice is still not as widely acknowledged and followed as it should be.
2. Not a priority: Closely related to the point above, when maintaining a website securely is not a clear corporate priority, it often takes a backseat to other activities.
3. Compatibility with Other Software: Depending on the number of different applications in use, a website owner may need to apply a multitude of different updates. It's commonly accepted practice to test thoroughly for compatibility before any upgrade is applied, and with that QA process in place it's easy to sympathize with a website owner facing a long queue of updates. However, applying the latest upgrades promptly, especially those patching critical security flaws, saves the website owner time, effort and grief in the long run.
Cross-Site Scripting (XSS)
Cross-site scripting, also known as XSS, is another common security vulnerability: a website includes untrusted input (a search term, a comment, a profile field) in its pages without encoding it, so the input is rendered as HTML or script rather than as text.
XSS allows websites to be defaced, malicious code to be added to their pages, and phishing attempts to be mounted from a trusted domain, among other issues.
Essentially, a malicious person uses the vulnerable site to deliver a script to an unsuspecting user. Because the script arrives as part of a page from that site, the recipient's browser treats it as trusted and executes it in the site's context. The script can then read cookies, session tokens, or other sensitive information the browser holds for that site (cookies marked HttpOnly excepted), send them elsewhere, and perform actions as the logged-in user. It can also change the content of the page as the victim sees it.
Social Engineering
This is a little different from the above vulnerabilities, because this section focuses on the people rather than just looking at specific vulnerabilities in specific pieces of software or configurations.
In short, social engineering involves gaining the trust of the target's employees. A recent incident shows how this can be used successfully. A CEO was traveling to a seminar where he was to deliver a keynote speech, and his travel and presentation were broadly and publicly announced. A malicious attacker called the company a few minutes before the presentation, claimed to be helping the CEO prepare for the meeting, and said they needed access to the network. Of course the employees, wanting to help their CEO at a critical moment, immediately gave the attacker the requested information.
On a more positive note, training and documenting procedures can certainly help ensure that basic, yet very important, processes are observed.
It's important to understand the various ways social engineering takes place, and to train your team to disclose information only to people whose identity has been verified through an agreed procedure, regardless of how urgent or senior the request sounds.
Phishing
Phishing is when someone sets up a website designed to look like another website. eBay is a well-known example of a very frequent phishing target. Malicious attackers set up a website that looks exactly like the target site (early phishing attempts were amateurish, but they have since evolved into very authentic-looking sites) and ask users to "sign in". Once the user "signs in", which hands the username and password to the attacker, the attacker is able to access the user's real account.
Phishing differs from the other attacks above in that the website owner has little practical ability to combat it directly. Organizations have been formed to identify sites used for phishing and to disseminate that information quickly so the sites can be blocked and taken down.
Summary
The number of methods for gaining access to a system is limited only by human imagination, and there are clearly some very imaginative people with the skill and desire to test your site's weaknesses.
A remote security scanning service is one of the key tools a website owner needs to maintain a secure environment for their customers.