A Web security policy can save you money and embarrassment
Posted Thursday, September 3 2009 at 00:00
In the last month, I have come across about 11 local sites that have been hacked and defaced.
Out of these, 50 per cent were government or government agency websites.
The other 50 per cent were corporates, including some reputable IT companies in the country. This is a trend that is now common, and we should expect more hackers as we open up to the large digital arteries that the fibre optic cables will provide.
According to a recent report by the Web Application Security Consortium, 24 per cent of website hackers aim at defacing a site rather than financial gain.
The report found the majority of defacements were of a political nature, targeting political parties, candidates and government departments, often with a very specific message related to a campaign.
The second most popular motivation was stealing sensitive information, which scored 19 per cent.
That was followed by planting malicious code, scoring 16 per cent, and causing monetary loss, at 13 per cent.
The remaining attacks caused downtime or denial of service for a website, planted viruses, and involved link spam and information warfare. Whatever the motivation, website hacks are costly to organisations and are not that complicated.
Organisations need to use professional web developers who understand the security implications of the sites they build.
How they do it
Hackers normally use the soft underbellies of buggy web applications to launch their attacks. This can happen at two levels: at the web application server level or at the web browser level.
For instance, the moment you install a web server at your office, you’ve opened a window into your local network that the entire world can peer through.
Most visitors are content to window shop, but a few will try to peek at things you don’t intend for public consumption.
Others, not content with looking without touching, will attempt to force the window open and crawl in. The results can range from the merely embarrassing, for instance the discovery one morning that your site’s home page has been replaced by an obscene picture, to the damaging, such as the theft of your entire database of customer information.
So, there are real risks in moving your business online. These include buggy software or misconfiguration of the web server that allow unauthorised users to steal confidential documents not intended for their eyes, or to execute commands on the server and modify the system.
Some of the applications are developed by amateur programmers who have no consideration for security risks in their application design.
These risks can, however, be mitigated.