
Web site security - what's that?

Many small businesses overlook web site security because they assume their web site is of no interest to a hacker, particularly if it processes little or no financial data. However, hackers aren't just after credit card details these days. Most small business web sites hold something far more valuable...

As someone who regularly gets to review the security of web sites, I know more than most just how bad security can be. But don't just take my word for it: a recent study that reviewed 300 well-known e-commerce sites found significant flaws in 97% of them. And these were big-budget sites that should have known better.

The trouble is that security is rarely taken seriously at any level. From the customer not understanding why security matters, through to the web developers not understanding the power of the technologies they are using, it's hardly surprising that 97% don't make the grade.

The problems usually start with the customer. Ask most small businesses how important web site security might be, and there will be much shrugging of shoulders as they explain that they don't handle credit card data and so must be safe. After all, what should an estate agency, a recruitment company, or even a fan club site have to fear from hackers?

Of course, that would be true if it weren't for two very important facts:

1. More and more criminals are using hacking as a way of committing their crimes in relative safety. Hacking can no longer be thought of as simple "vandalism"; it is rapidly turning into a tool of the trade.
2. Identity theft is turning into a more lucrative line of business for many criminals than credit card fraud. And you'd be surprised just how many small business web sites collect valuable customer data, data which could easily be re-used to commit identity fraud.

In one recent example, we reviewed the security of a recruitment company that had just spent a small fortune on a web site with sophisticated functionality allowing users to manage their "account details" online. Using its job search engine, which was open to everyone including unregistered users, it took about five minutes to turn a list of jobs into a list of names, addresses, bank account numbers, sort codes, national insurance numbers and mothers' maiden names. Need I go on?

Of course, this is by no means the exception, which brings me to another major cause of poor security: bad design. Too often, web site developers fail to understand important technical details in the rush to bring out something that looks aesthetically pleasing. Just because a site looks good doesn't guarantee it's safe.

In the case of the aforementioned client, the software had been developed offshore, but we've seen bad designs emanating from companies based in the UK, Europe, and the US and Canada, not just India and the Far East. Naive developers with little experience of "real world" applications, working to tight budgets, often turn to the Internet to get the answers they need, and end up producing applications riddled with errors, bugs and security loopholes.

And of course hackers are becoming increasingly sophisticated at detecting and exploiting flaws in the very code that makes up a web site. A few minutes surfing a site usually reveals enough information for a hacker to commence their attack with gusto. They know the loopholes in over-used, under-protected software that is shared so freely on the Internet. They understand that the power and sophistication of most programming languages and databases is far greater than the web developers ever imagined. And they use that knowledge against unsuspecting businesses with relative ease.

So how should a small business, with a limited budget and an even more limited understanding of web technology, get a foothold on the Internet that is relatively safe? We would suggest the following guidelines:
1. Understand the importance of keeping any form of customer data (not just credit card details but names, addresses, phone numbers, social security or national insurance numbers, and passwords) safe from prying eyes. Stipulate this in any contracts you have with web designers, and agree who will be held accountable if and when things go wrong. If necessary, ensure that you or your suppliers have appropriate levels of professional indemnity cover against such risks.
2. When choosing web developers, remember that you really do get what you pay for. Cut-price labour usually ends up in cut corners, so make price your second or third criterion, not your first.
3. Don't be too ambitious, especially if this is your first venture into an interactive web site. Consider reducing functionality or customer interaction if there is a realistic trade-off to be made. If you cannot justify a reduction in functionality, look carefully at the information you are storing: don't store anything you don't really need, such as a mother's maiden name. Data you never collected cannot be stolen from you.
4. Consider buying an off-the-shelf solution to your web site needs. Established products have often undergone rigorous testing and may prove more reliable and secure in the long run, provided you keep them patched: widely used packages are exactly the ones whose known loopholes hackers look for. Be careful, too, if you are creating a "bespoke" front end, which may itself introduce new security holes into an established product.
5. However you create your web site, be it in-house or outside, and even if it is an off-the-shelf solution, consider getting the site independently penetration tested, and repeat the test whenever the site changes significantly, since a test only reflects the code as it stood on the day. This may be expensive (perhaps 10-20% of the total cost of the site) but will be a fraction of the cost of a real-life break-in.



Copyright © IT-Observer Online Publication 2000 - 2007