By Alain Penel, Regional Vice President, Middle East, Fortinet
In today’s online world, properly securing your company’s website is more than just a good idea – it’s essential to protecting yourself, your customers and your reputation.
E-commerce has changed the face of business so completely that the days when a company either saw no advantage in having a website, or treated it as a static “billboard”, are long gone. The change is so complete that terms such as B2C, B2B, intranet and extranet have become part of everyday business language.
Aside from being the public face of a company, websites are business conduits: prospects and customers looking for company and product information, business partners accessing resources and, of course, customers purchasing the company’s products. For companies like eBay, Amazon and others, their websites ARE their business. If the website is not working properly, regardless of the reason, there is a direct impact on the bottom line.
But the disruption of revenues is only part of the problem. A website’s greatest strength is also its greatest weakness – it is accessible to anyone and everyone. This accessibility makes a website a natural target for the cyber criminal, hacker or hacktivist. Regardless of the motivation or the methodology, a compromised website has serious implications – loss of revenue, negative impact to a company’s reputation and theft of sensitive information such as credit card numbers and personal data.
Website attack incidents have been widely reported in the media. These include:
- Eu Yan Sang, a Singaporean traditional Chinese medicine company, had its website defaced by hacktivists in June 2013. The hackers were protesting against Singapore’s complaints about Indonesia causing a haze over the republic through its open-burning farming practices.
- 22 Sri Lankan Government websites were defaced in Dec 2012 by hackers who wanted to show that “No system is secured” from them.
- Drake International, a Canadian-based job placement firm, was a victim of a hacking scheme in Jan 2013 by a group seeking to extort payment in exchange for not releasing the personal information of people who have used Drake’s services.
But websites are more than just an easy way to access information or purchase something. More and more corporate applications are web-based, accessed with the same browser that you just used to purchase the latest song or video game. Because of this transition from traditional to web-based applications, the risk of sensitive corporate information being stolen or compromised has increased dramatically.
A recent study by Verizon has shown that the top two motives for attacks on websites were theft (financial or personal gain) and hacktivism (disagreement or protest). These attacks can take the form of exploits against existing security vulnerabilities in the operating system or web application software. More sophisticated attacks such as SQL injection and cross-site scripting are also used to gain access to sensitive data.
The difficulty in protecting websites and their applications lies in their architecture and in how often they change. While network security is relatively straightforward – define security policies to allow or block specific traffic to and from different networks and servers – websites are made up of hundreds, and sometimes thousands, of different elements, including URLs, parameters and cookies.
Manually creating a separate policy for each of these items is almost impossible and obviously does not scale. In addition, websites change frequently, with new URLs and parameters being added, making it difficult for security administrators to keep security policies up to date.
The difficulty in protecting a website is further compounded by the ongoing discovery of software vulnerabilities in the website itself and in the applications running on it, by the challenges of developing and applying patches and code revisions, and by time-to-market pressure.
Adding to this already complicated environment is the fact that behind most websites is a distributed infrastructure of servers for the website itself, its applications and its databases, which increases the difficulty of securing these key elements.
The end result is that, just as traditional applications and operating systems are considered inherently vulnerable, web-based applications cannot be assumed to be secure – they require independent security measures.
Protecting your website must take a holistic approach that includes the structure of the site and its applications as well as the underlying network. Fortinet recommends a three-pronged approach to tackling web application security:
- Secure Coding Practices and Code Reviews – Developing web applications securely and implementing secure coding practices as part of the development life cycle should be an integral part of application development projects. By following the guidelines recommended by the Open Web Application Security Project (OWASP) and other bodies, developers can build a more secure and trusted application, reducing the number of exploitable flaws throughout the application lifecycle. Once developed, the code should be reviewed by a third party independent of the development team.
- Perform Web Application Vulnerability Assessment / Penetration Testing – Applications should be reviewed, either manually or with automated application vulnerability assessment tools, to identify vulnerabilities. This can be followed up with specific application penetration testing exercises for critical applications.
- Utilize a Web Application Firewall – A web application firewall (WAF) allows organizations to detect and block application-layer attacks. Such a specialized firewall is needed in addition to conventional network security solutions because traditional firewalls are designed to detect and combat attacks at the network and port level, not the application level. By complementing an existing network firewall with a WAF, you can address the unique requirements of web-based applications and raise the overall security level of the network.
Many variations of WAFs exist today. Fortinet’s FortiWeb appliance, for instance, combines a WAF with XML Firewall capabilities in a single platform with several add-on modules like Vulnerability Scanning, Application Acceleration and Server Load Balancing that further complement the basic capabilities offered.
Sophisticated attacks are blocked using a multi-layered security approach. Incorporating positive and negative security models based on bi-directional traffic analysis and an embedded behaviour-based anomaly detection engine, FortiWeb can protect against a broad range of threats without the need for network re-architecture or application changes.
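To make the positive/negative distinction concrete, here is an added illustration (not FortiWeb code or any vendor's implementation) of how the two models complement each other: a negative model matches a few known attack patterns, while a positive model allows only known URLs, known parameters and expected value shapes, so it catches requests that no signature describes. The profile, signatures and sample requests are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Positive model (constructed): the URLs this hypothetical site exposes and the
# shape each parameter is allowed to take. Anything outside this profile is blocked.
POSITIVE_PROFILE = {
    "/search": {"q": re.compile(r"^[\w .-]{1,64}$")},
    "/account": {"id": re.compile(r"^\d{1,10}$")},
}

# Negative model (constructed): a deliberately tiny set of SQL injection and
# cross-site scripting patterns. Real signature sets are far larger and still
# incomplete, which is exactly why the positive model is needed alongside it.
NEGATIVE_SIGNATURES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?\d|--|;\s*drop\b)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")),
]

def negative_check(value):
    """Return the name of the first signature matching a parameter value, or None."""
    for name, pattern in NEGATIVE_SIGNATURES:
        if pattern.search(value):
            return name
    return None

def inspect_request(url):
    """Apply both models to one request URL and return (decision, reason)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %xx and '+'
    # Negative model first: a known attack pattern is blocked regardless of profile.
    for name, values in params.items():
        for v in values:
            hit = negative_check(v)
            if hit:
                return ("block", f"negative: {hit} in {name}")
    # Positive model: unknown URL, unexpected parameter or wrong value shape is blocked.
    allowed = POSITIVE_PROFILE.get(parts.path)
    if allowed is None:
        return ("block", f"positive: unknown URL {parts.path}")
    for name, values in params.items():
        if name not in allowed:
            return ("block", f"positive: unexpected parameter {name}")
        if not all(allowed[name].match(v) for v in values):
            return ("block", f"positive: {name} does not match expected shape")
    return ("allow", "both models passed")

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for sample in ["/search?q=annual+report", "/search?q=x'+OR+'1'='1",
                   "/account?id=42&debug=1", "/account?id=42+OR+1%3D1", "/legacy/report"]:
        print(sample, "->", inspect_request(sample))
```

The second sample is caught by a signature, but the third and fourth carry nothing a signature would flag and are blocked only because the profile knows what `/account` should look like; that is the gap a positive model closes, at the cost of keeping the profile current as the site changes.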
As IT and automation enter more areas of our everyday lives, the volume and sensitivity of customer and business data residing in company databases can only increase. Coupled with growing and increasingly sophisticated online threats worldwide, it is time for companies to take active steps to protect the customer information in their care.
Building secure web applications, performing regular vulnerability testing and deploying a modern WAF all contribute to a defence-in-depth approach that brings us closer to this goal.