For many SMBs, the company’s website is not just the front-most means of public communication but the main gateway through which business is conducted: e-commerce websites, SaaS with web-based dashboards and administration interfaces, communication platforms – all of them depend on a web interface that must always be available and secure.
Vulnerabilities in a company’s website are the ones that come under the most scrutiny because it is a platform that is inherently public. Furthermore, modern web systems such as content management systems (CMS) are very complex and rely on a highly complex set of libraries, programs, and programming languages. The amount of code required to host even a moderately complex website is enormous – so even if the chances of any given piece of code containing a security vulnerability are small, the sheer amount of code means that major vulnerabilities are found in such software all the time. This is referred to as the “attack surface” of a computer system – the user-facing computer code which, if incorrectly written, can be exploited to disrupt its execution, bypass its authentication mechanism, gain access to its data and so on.
For example, WordPress, the popular blogging platform, has had no fewer than 21 discovered vulnerabilities in 2017 [8]. Some of them are extremely serious: for instance, one vulnerability [9] announced in February 2017 allows an attacker to execute database query commands on the database server used by WordPress. A cybercriminal can leverage such vulnerabilities to disrupt the company’s website (by simply erasing the database), steal data available to the WordPress installation (by dumping the database contents), or use the website for malicious purposes (by using the data obtained from the database to gain editing or administration privileges on the website and then insert malicious ads or phishing pages). A security update resolving this vulnerability was published very quickly, but until a WordPress installation is updated, it remains vulnerable – and if it has been breached before being updated, it can remain compromised even after the update.
These problems become even more difficult to cope with when the data handled by the website is sensitive. A dangerous vulnerability [10] found in the popular e-commerce solution Magento in January 2017 allows an attacker to make Magento execute some of the attacker’s own code, in addition to the code hosted on the server, during certain requests. Where a simple company website containing nothing but a few WordPress pages typically holds little more than content and perhaps login data for the website’s administrator and content writers, breaching an e-commerce site can reveal sensitive customer data, such as email addresses or financial data.
Even data that seems relatively harmless can turn out to be disastrous. Many computer users have the same password for all the services that they use. For cyber criminals, obtaining a set of passwords and email addresses from a breached website is a pure goldmine: in many cases, the password used for that website turns out to be the same one used for that user’s email account. The email account can now be broken into – and that, in turn, can be used to break into the user’s banking or PayPal accounts, obtain sensitive personal data or conduct phishing attacks on other users.
There are several measures that can be taken to mitigate such attacks. The most popular and accessible ones include:
Use fast, automated deployment and updating systems for your website. A company should be able to provide (or, for a tailor-made solution, implement and/or assist in deploying) an administration panel, such as cPanel, through which any deployed component can be quickly – and often automatically – updated whenever a security update is published. This minimizes the time available for an attacker to discover that a website is vulnerable and to capitalize on their discovery.
Use well-known, well-scrutinized solutions. It may seem, from the example above, that WordPress is a very insecure solution – 17 vulnerabilities just in 2017 seems like a lot. But it’s important to realize that any disclosed vulnerability is a patched vulnerability that has been sealed and can no longer be exploited. Less popular software is often just as vulnerable as popular software, but there is no telling who will stumble upon the next vulnerability and whether they will disclose it, sell it on the black market, or actively exploit it for weeks, months or even years, until a victim can finally afford a security audit that discovers the problem and notifies the company selling that software or publishes their own patch. The vast majority of users never fall victim to a zero-day exploit in a popular program, even if it makes the spotlight.
Continuously assess the security of your website through scanning and penetration testing. Companies that specialize in security solutions, as well as many cloud hosting providers, offer a service known as “penetration testing”, in which they attempt to break into their client’s website or network and report any exploitable vulnerabilities that they encounter. This is a proactive measure which increases your chances of finding a breach – and sealing it – before an attacker can find and exploit it.
A less extreme form of this technique is implemented by services such as SiteLock, which automatically monitor a website and identify vulnerabilities that an attacker could exploit. Unlike penetration testing – which is performed by security experts who can find previously unknown vulnerabilities – this technique can only detect problems that have already been publicly disclosed. However, these are the problems that are most easily – and most often – exploited. Finding a new vulnerability in a software package is a difficult and very expensive undertaking, whereas exploiting an existing vulnerability in an unpatched website can be relatively easy (depending, of course, on the vulnerability itself) and very cheap – or even practically free, if it can be automated.
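As an added illustration of the check such a monitoring service performs (this is example code written for this page, not SiteLock’s or any vendor’s), the script below compares an inventory of deployed components against the oldest release that contains each published fix. The component names, version numbers and advisory labels are constructed sample data; the point worth noting is that versions must be compared numerically, since a plain string comparison ranks "4.7.10" below "4.7.2" and would miss an outdated install.

```python
"""Minimal 'known-vulnerability monitor' (added illustration, not vendor code).

Flags deployed components whose version predates the first release that
shipped the fix for a publicly disclosed issue. All versions and advisory
labels below are CONSTRUCTED sample data, not real advisories.
"""
from typing import Dict, List, Tuple

# Constructed advisory table: component -> (first fixed version, advisory label).
# A real monitor would populate this from the vendors' security announcements.
FIXED_IN: Dict[str, Tuple[str, str]] = {
    "wordpress": ("4.7.2", "EXAMPLE-WP-2017-001 (database query injection)"),
    "magento": ("2.1.4", "EXAMPLE-MG-2017-001 (remote code execution)"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.7.10' into (4, 7, 10) so comparison is numeric, not lexical."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed: str, fixed: str) -> bool:
    """True when the installed version predates the first patched release."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))  # pad so '4.7' and '4.7.0' compare equal
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def scan_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return one finding per component still below a known fix.
    Components with no advisory on file produce no finding."""
    findings = []
    for component, installed in inventory.items():
        entry = FIXED_IN.get(component.lower())
        if entry is None:
            continue
        fixed, advisory = entry
        if is_outdated(installed, fixed):
            findings.append(f"{component} {installed} is below {fixed}: {advisory}")
    return findings


if __name__ == "__main__":
    # Constructed inventory for one hosting account.
    sample = {"wordpress": "4.7.1", "magento": "2.1.4", "phpmyadmin": "4.6.6"}
    for line in scan_inventory(sample):
        print("FINDING:", line)
```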
While they might appear dangerous, services like penetration testing are entirely safe and widely used (so widely, in fact, that there is even a name for services of this type: “ethical hacking”). According to a PricewaterhouseCoopers survey [11], more than 40% of the companies with an active online presence use penetration testing services.