What are the different types of website security issues, risks and threats, and what can make your business and website an attractive or susceptible target? Many small businesses feel they do not represent a worthwhile target to attackers, but as you will read, this assumption is plain wrong. All online entities face a variety of security risks and threats that should be understood and assessed.
Types of security threats
Security threats evolve as fast as the technology they seek to compromise. The CVE(Common Vulnerabilities & Exposures) database alone includes over 59,000 known information security threats, and a search in the database for apache brings up a list of over 500 known vulnerabilities.
While the techniques used to access data and alter code vary greatly, a security breach usually has one of the following four goals:
- Database access and the theft or corruption of personal or sensitive data
- Altering website code in order to change what users see
- Intercepting personal and sensitive data
- Denial of Service (DoS) attacks that render services unavailable
Hacker motivation, and why security attacks happen
Hackers’ motivations for attacking a website range from obtaining very specific information, to facilitating an attack on a larger target, to the challenge of altering a well known or well protected website. Some things can encourage a security attack, and these are outlined below. If you are an SMB and you think this only applies to large corporations, think again.
Valuable data and information
The more valuable the information in your database, the more likely it is to be targeted. If your records include sensitive or financial information that could facilitate fraud, your database will be more appealing to hackers who can use or sell this information for financial gain. As a way of protecting consumers against this kind of risk, ecommerce and other websites that collect customer credit and payments must be PCI (Payment Card Industry) compliant.
Remember that even basic personal information can also be valuable. It may be used to impersonate someone, to spread malware or simply as a means to disrupt your services for personal motivations.
Industrial and political espionage
Information in your databases or on your company servers may not be useful to fraudsters, but may be very useful to competing or related companies, industries or even governments. Stolen data or usernames and passwords could provide someone with access to your customer accounts and data, or to your organization’s intelligence, confidential files or emails.
As Bloomberg reported:
“China has made industrial espionage an integral part of its economic policy, stealing company secrets to help it leapfrog over U.S. and other foreign competitors to further its goal of becoming the world’s largest economy, U.S. intelligence officials have concluded in a report released last month.”
If your differentiator or your competitive advantage emanate from proprietary intelligence or code, or even from a first mover advantage or campaign that you want to keep under wraps, you could be the target of espionage or theft.
Being an easy target
Automated vulnerability scanning, combined with the increasingly fragmented social interaction between businesses and their customers, mean SMBs who put fewer resources towards combating threats represent an increasingly higher volume of increasingly easier targets. According to Symantec.com, target attacks against small businesses accounted for 31% of all security attacks in 2012, up from 18% the previous year.
Web Application Vulnerability Scanners scan websites for insecure server configuration and other known security vulnerabilities that facilitate attacks like XSS (cross-site scripting), SQL injection, command execution, directory traversal and insecure server configuration. If your site has vulnerabilities, it is increasingly likely they will be identified and exploited by hackers.
As communication through social media increases, consumers have become used to receiving remarketing and CRM communications from companies via a range of social media, often offering coupons, discounts and other incentives. This makes the phishing scams – the impersonation of an organization to obtain personal and financial information, or to spread malware – more popular than ever with would-be attackers.
Springboard attacks
Nor are smaller businesses immune to espionage. Those with weak security defenses are increasingly targeted as the ‘springboard’ to more valuable attacks against the larger organizations to which they are suppliers.
For example, attackers could steal personal information and files relating to one of your larger customers to create a well-crafted email aimed at someone in that organization (known as “social engineering”). Your website or application could also be used to facilitate the installation of malware on the computers of a target organization who is known to use it, achieved by injecting code into your website to redirect the user to a separate site, that then infects the target’s computer (known as a “watering hole” attack).
Non-financial motivation
Not all hacking has financial motives. For hackers who treat attacking websites as sport, websites with the best security, such as those of Internet security experts themselves, can make a challenging target. Similarly websites with natural political or social enemies can be popular targets.
Recently the newly launched ‘Obamacare’ website was no stranger to security attacks from its detractors. Banks are common targets of anti-capitalist and other organizations. And this article on darkreading.com considers the potential for large-scale security attacks during busy ecommerce periods, as more and more commerce moves online.