E-commerce has changed the face of doing business so thoroughly that the days when a company either doubted that a website was an advantage or treated it as a static 'billboard' are long gone. The change is so complete that terms such as B2C, B2B, intranet, and extranet have become part of everyday business language.
Aside from being the public face of a company, websites are business conduits: prospects and customers look for company and product information, business partners access resources, and customers purchase the company's products. For companies like eBay, Amazon and others, their websites are their business. If the website is not working properly, regardless of the reason, there is a direct impact on their bottom line.
But the disruption of revenue is only part of the problem. A website's greatest strength is also its greatest weakness: it is accessible to anyone and everyone. This accessibility makes a website a natural target for cyber criminals, hackers, and hacktivists. Regardless of the motivation or the methodology, a compromised website has serious implications: loss of revenue, damage to a company's reputation, and theft of sensitive information such as credit card numbers and personal data. Cyber attacks against Indian websites increased exponentially in 2013, despite the government building a credible cyber defense system. According to reports by CERT-In (Indian Computer Emergency Response Team), 4,191 Indian websites were defaced or hacked into in August, 2,380 in July, 2,858 in June, and 1,808 in May 2013.
Website attack incidents have also been widely reported in the media. These include:
- Central Bank of India had its website defaced by Pakistani hackers in November 2013. The defaced page said that it had been hacked by the Pakistan Cyber Army and team MaDLeeT.
- Eu Yan Sang, a Singaporean traditional Chinese medicine company, had its website defaced by hacktivists in June 2013. The hackers were protesting against Singapore's complaints about Indonesia causing haze in the republic through its open-burning farming practices.
- 22 Sri Lankan government websites were defaced in December 2012 by hackers who wanted to show that 'no system is secured' from them.
- Drake International, a Canada-based job placement firm, was the victim of a hacking scheme in January 2013 by a group seeking to extort payment in exchange for not releasing the personal information of people who had used Drake's services.
CHALLENGES IN SECURING WEB APPLICATIONS
But websites are more than just an easy way to access information or purchase something. More and more corporate applications are web based, accessed with the same browser you just used to buy the latest song or video game. Because of this transition from traditional to web-based applications, the risk of sensitive corporate information being stolen or compromised has increased dramatically.
A recent study by Verizon has shown that the top two motives for attacks on websites were theft (financial or personal gain) and hacktivism (disagreement or protest). These attacks can come in the form of exploits against existing security vulnerabilities in the operating system or web application software. More sophisticated attack techniques such as SQL injection and cross-site scripting are also used to gain access to sensitive data. The difficulty in protecting websites and their applications lies in their architecture and constant change. Network security is relatively straightforward: define security policies that allow or block specific traffic to and from different networks and servers. Websites, by contrast, are made up of hundreds, and sometimes thousands, of different elements, including URLs, parameters, and cookies.
Manually creating different policies for each of these items is almost impossible and obviously does not scale. In addition, websites change frequently with new URLs and parameters being added, making it difficult for security administrators to update security policies.
The difficulty in protecting a website is further compounded by the ongoing discovery of software vulnerabilities in the website itself and in the applications running on it, the challenges of developing and applying patches and code revisions, and time-to-market pressure.
Adding to this already complicated environment is the fact that behind most websites is a distributed infrastructure of servers for the actual website, its applications and databases, increasing the difficulty of securing these key elements.
The end result is that, just as traditional applications and operating systems are considered inherently vulnerable, web-based applications cannot be assumed to be secure: they require independent security measures.
PROTECTING YOUR ONLINE ASSETS
Protecting your website must take a holistic approach that includes the structure of the site and its applications as well as the underlying network. Fortinet recommends a three-pronged approach to tackling web application security:
- Secure Coding Practices and Code Reviews: Developing web applications securely and making secure coding practice part of the development life cycle should be integral to every application development project. By following the guidelines recommended by the Open Web Application Security Project (OWASP) and other bodies, developers can build a more secure and trusted application, reducing the number of exploitable vulnerabilities throughout the application lifecycle. Once developed, the code should be reviewed by a third party independent of the development team.
- Perform Web Application Vulnerability Assessment/Penetration Testing: Applications should be reviewed, either manually or with automated application vulnerability assessment tools, to identify vulnerabilities. This can be followed up with specific penetration testing exercises for critical applications.
- Utilize a Web Application Firewall: A web application firewall (WAF) allows organizations to detect and block application layer attacks.
Such a specialized firewall is needed in addition to conventional network security solutions because traditional firewalls are designed to detect and combat attacks at the network and port level, not the application level. By complementing an existing network firewall with a WAF, you can address the unique requirements of web-based applications and raise the overall security level of the network.
Many variations of WAFs exist today. Fortinet's FortiWeb appliance, for instance, combines a WAF with XML firewall capabilities in a single platform, with add-on modules such as vulnerability scanning, application acceleration and server load balancing that complement the basic capabilities. Sophisticated attacks are blocked using a multi-layered security approach. By combining positive and negative security models based on bi-directional traffic analysis with an embedded behavior-based anomaly detection engine, FortiWeb can protect against a broad range of threats without requiring network re-architecture or application changes.
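To make the positive/negative distinction concrete, here is a small added example (not FortiWeb's or any vendor's code) that applies both models to sample request targets. The signature list and the per-URL parameter allowlist are constructed for illustration; a negative model catches only inputs it has a signature for, while a positive model rejects any URL, parameter or value format the policy never declared.

```python
import re
from urllib.parse import parse_qs

# Negative model: signatures for known-bad input (constructed, deliberately small).
NEGATIVE_SIGNATURES = {
    "sql-tautology": re.compile(r"(?i)'\s*or\s+\d+\s*=\s*\d+"),
    "sql-union": re.compile(r"(?i)\bunion\s+select\b"),
    "html-script-tag": re.compile(r"(?i)<\s*script"),
}

# Positive model: for each URL, the parameters it may carry and the format each
# value must match. Anything not listed is rejected (constructed sample policy).
POSITIVE_POLICY = {
    "/product": {"id": re.compile(r"^\d{1,8}$")},
    "/search": {"q": re.compile(r"^[\w\s\-]{1,64}$"), "page": re.compile(r"^\d{1,3}$")},
}

def negative_model(params):
    """Return the name of the first signature matched by any value, else None."""
    for values in params.values():
        for value in values:
            for name, sig in NEGATIVE_SIGNATURES.items():
                if sig.search(value):
                    return name
    return None

def positive_model(path, params):
    """Return a reason if the request violates the allowlist, else None."""
    allowed = POSITIVE_POLICY.get(path)
    if allowed is None:
        return "unknown URL"
    for name, values in params.items():
        if name not in allowed:
            return f"unexpected parameter {name!r}"
        for value in values:
            if not allowed[name].fullmatch(value):
                return f"malformed value for {name!r}"
    return None

def evaluate(request_target):
    """Apply both models to a request target such as '/search?q=shoes'."""
    path, _, query = request_target.partition("?")
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes values
    sig = negative_model(params)
    if sig:
        return ("block", f"negative model: {sig}")
    reason = positive_model(path, params)
    if reason:
        return ("block", f"positive model: {reason}")
    return ("allow", "")
```

Note that the request with an undeclared `debug` parameter passes the signature check and is stopped only by the allowlist, which is why a WAF that relies on both models covers more than signatures alone.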
As IT and automation enter more areas of everyday life, the volume and sensitivity of customer and business data held in company databases can only increase. Coupled with growing and increasingly sophisticated online threats worldwide, it is time for companies to take active steps to protect the customer information in their care. Building secure web applications, performing regular vulnerability testing and deploying a modern WAF all contribute to a defense-in-depth approach that brings us closer to this goal.