Vulnerable Web sites aren’t just a reputation risk – they leave an open door to your back-end systems and company data. The days of the enterprise Web site serving as a static “billboard” are long gone. Now, Web sites are valuable brand ambassadors and, crucially, they are often also a channel to market and a conduit to the enterprise back-end systems, says Jonas Thulin, security consultant at Fortinet.

In some cases, your site IS your business. Unfortunately, many South African companies still overlook the importance of effectively securing their Web sites.

A Web site’s greatest strength is also its greatest weakness – it is accessible to everyone. This makes a Web site a natural target for the cybercriminal, hacker or hacktivist. Compounding this challenge is the fact that competition and business goals may drive Web developers and designers to push site updates without proper security testing.

Regardless of the reason for the vulnerabilities or the motivation of attackers, a compromised Web site has serious implications – loss of revenue, negative impact on a company’s reputation and theft of sensitive information such as credit card numbers and personal data.

In South Africa, most of the recent high-profile hacks have been hacktivist-style attacks on controversial or high-profile organisations. We’ve seen the defacement of the AARTO and Department of Health sites, the hack of the SAPS informants’ database, and the hacking of the Johannesburg City billing system, among others. These are just the widely known cases.

Unless cases go to court or are publicised, corporates are not likely to draw attention to site breaches.

In many cases, it requires extensive and careful forensic work to determine the extent of the breach if a site has been hacked. It is for good reason that hackers use the phrase “you’ve been owned” when they breach Web site security.

Since most Web sites are connected in some way to multiple enterprise systems, there is a good chance that access via the Web site has allowed access to these systems. As a rule of thumb, enterprises should consider all their systems potentially vulnerable once their site has been touched.

Challenges in securing Web applications

A recent study by Verizon showed that the top two reasons for an attack on Web sites were theft (financial or personal gains) and hacktivism (disagreement or protest). These attacks can come in the form of exploits of existing security vulnerabilities in the operating system or Web application software. More sophisticated forms of attack, such as SQL injection and cross-site scripting, are also used to gain access to sensitive data.

The Verizon 2012 Data Breach report says that while network security is relatively straightforward – define security policies to allow/block specific traffic to and from different networks/servers – Web sites are made up of hundreds, and sometimes thousands, of different elements including URLs, parameters and cookies. Manually creating different policies for each of these items is almost impossible and obviously does not scale.

In addition, Web sites change frequently with new URLs and parameters being added, making it difficult for security administrators to update security policies.

The difficulty in protecting a Web site is further compounded by the ongoing discovery of software vulnerabilities in the actual Web site and the applications running on it, challenges in developing and applying updates and code revisions, and time-to-market pressure.

Adding to this already complicated environment is the fact that behind most Web sites is a distributed infrastructure of servers for the actual Web site, its applications and databases, increasing the difficulty of securing these key elements.

The end result is that, just as traditional applications and operating systems are considered inherently vulnerable, Web-based applications cannot be assumed to be secure – they require independent security measures.

Protecting your online assets

Protecting your Web site requires a holistic approach that includes the structure of the site and its applications as well as the underlying network. Fortinet recommends a three-pronged approach to tackling Web application security:

* Secure coding practices and code reviews – developing Web applications securely and implementing a secure coding practice as part of the development life cycle should be an integral part of application development projects. By following the guidelines recommended by the Open Web Application Security Project (OWASP) and other bodies, users could build a more secure and trusted application. Once developed, the code should be reviewed by an independent third party.

* Perform Web application vulnerability assessment/penetration testing – applications should be reviewed either manually or through automated application vulnerability assessment tools to identify vulnerabilities. This could be followed up with specific application penetration testing exercises for critical applications.

* Utilise a Web application firewall – a Web application firewall (WAF) allows organisations to detect and block application layer attacks. Such a specialised firewall is needed in addition to conventional network security solutions because traditional firewalls are designed to detect and combat attacks at the network and network port levels, not the application level.

By complementing an existing network firewall with a WAF, you can address the unique requirements of Web-based applications and increase the overall security level of the network.

Many variations of WAFs exist today. Fortinet’s FortiWeb appliance, for instance, combines a WAF with XML Firewall capabilities in a single platform with several add-on modules like Vulnerability Scanning, Application Acceleration and Server Load Balancing that further complement the basic capabilities offered.