Thursday, April 26, 2012

9 Things Businesses Need to Know About Web Security

Incapsula co-founder and CEO, Gur Shatz, is a security industry veteran with more than 14 years of product leadership and engineering experience. Before founding Incapsula, Shatz held several key positions at Imperva.

Recently, someone posted a list of 5,012 websites on a hacker forum that were vulnerable to a SQL injection — the most common method of extracting website data. A quick glance at this list showed that most of the businesses were small. They included health clubs, charities, and even a pet service. Why would hackers waste their time on small companies? For a few reasons.

The cybercrime industry has gone through a bit of an industrial revolution in recent years. Today, swathes of it are largely automated and hacking kits are easy enough to buy. This has improved the efficiency, scalability, and profitability of an average attack. It also allows anyone to be a cyber criminal and any company can be a target.

Small businesses are of particular interest to cyber criminals. At any given time there are more than 750,000 websites — the vast majority are SMBs — being hacked or appearing on various hacker lists. The surprising part? This number grew by more than 50% in just the last 18 months.

Since the cost is so low, the risk is so slim, and the scale has the potential to be so large, SMBs have become an easy target for attackers. This is why all small businesses should know why they're attacked, how they're attacked, and the steps they can take to protect their property.

The Basic Facts of an Attack

  • It's About the ROI: Attackers tend to work together to increase the bottom line. Selecting a target is a business transaction. They want maximum gain with as little investment as possible.
  • It's Automated: Botnets, armies of unknowingly enlisted computers controlled by hackers, scan and probe thousands of websites every minute. They seek to exploit vulnerabilities and extract valuable data. Among the ways they do this is through brute force password attacks, spam, malware, and hurting a site's search engine results.
  • It's Not Personal: Automated attacks do not target specific individuals. Rather, they target the masses, using general selection criteria. For example, a botnet that drives an SQL injection attack or a brute force password attack will not discriminate between a large or small organization.

The Common Attack Types
  • SQL Injections: Data theft is most commonly carried out through SQL injection. In the image above, Havij, an SQL injection tool that's basically a commercial-grade application with an easy-to-use interface, allows anyone (not just a trained hacker) to type in the URL they are looking to hack and execute a sophisticated attack. These hackers aren't just looking for financial data like credit cards. They also love to get administrative rights to websites. Several research reports suggest the use and deployment of SQL injections is a top chat topic on hacker forums. It is most definitely a lucrative approach. Consider the 2009 assault against Heartland Payment Systems, which resulted in $130 million worth of lost records.

  • Business Logic Attacks: Recently, website hackers have begun to develop attacks that target vulnerabilities in the business logic, rather than in the code itself. Business logic attacks are often not looked upon as security risks but hold serious business implications for website owners because they generally remain undetected.

    The most common example of this is comment spam. This is where hackers insert automatically generated comments into a blog or online forum, directing people to bogus sites that claim to sell pharmaceuticals but actually deliver malware. The implications of such attacks can range from a degradation in your company's search engine rankings to being blacklisted and completely removed from search results.

  • Denial of Service Attacks: This type of attack is usually executed as part of a blackmail scheme that forces a website owner to pay a ransom to free the site from a traffic overflow. For instance, attackers will threaten to shut down online gambling sites for a price. Recently, hacktivist group Anonymous developed the Low Orbit Ion Cannon (LOIC) for DDoS. This commercial-looking application allows anyone to execute a DDoS attack on any target. The attacker easily floods a site until it goes down.
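As an added illustration (not from the original article or from Incapsula), the following Python script shows why SQL injection works and how parameterized queries stop it, using the built-in sqlite3 module and a constructed customer table:

```python
import sqlite3

# Constructed sample data standing in for a small business's customer database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "1234"),
        (2, "bob@example.com", "5678"),
        (3, "carol@example.com", "9012"),
    ])
    return conn

def lookup_vulnerable(conn, email):
    # Vulnerable form: the user-supplied value is pasted into the SQL text,
    # so a quote character in the input can change the query's structure.
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, email):
    # Hardened form: the value is bound to a placeholder and sent separately
    # from the SQL text, so it is only ever compared as data.
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def demo():
    conn = make_db()
    normal = "alice@example.com"
    # The textbook tautology input: in the vulnerable query the WHERE clause
    # becomes  email = '' OR '1'='1'  which is true for every row.
    tautology = "' OR '1'='1"
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),
        "param_normal": len(lookup_parameterized(conn, normal)),
        "param_tautology": len(lookup_parameterized(conn, tautology)),
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns the whole table for the tautology input, while the parameterized lookup returns nothing, because no customer has that literal string as an email address.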

Tips on Prevention
  • Invest in a Firewall Service: A firewall service, as opposed to firewall software, is a cloud service that will protect your company's administrative access, and offer some threat detection and management. So even if you're not being attacked, it will notice small things like non-human traffic such as spam.
  • Schedule Regular Scans: Regular scans should not be confused with uptime monitoring. Uptime monitoring tools alert you when your site goes down due to a server or network outage. Scanning tools search for website vulnerabilities so that the owner can fix them before they are exploited by hackers. There are free products like Nikto, or paid services, such as McAfee Secure.
  • Consider Comment Spam Tools: Comment spam tools prevent bots from posting bogus comments to your site. They are very effective and help companies avoid the need for a human moderator. A good example is Akismet.

Image courtesy of iStockphoto, PashaIgnatov
