Step nine: Top ten security failings of websites

by Stewart Twynham of Bawden Quinn
25th Dec 2005

In the ninth in this series of articles written for Business Management Zone by Stewart Twynham of Bawden Quinn, we look at Internet Service Providers and at the horrors of web site design with regard to the often overlooked security issues.

With the advent of broadband, many people now view high speed internet access as something of a commodity, traded on the basis of price. As one delegate at a recent conference put it, most small businesses face a higher milk bill each month. Yet price isn't everything: the reliability of your internet connection, the security of your systems, and the level of customer support are also important.

Finally, websites: a critical component in many a marketing and/or brand strategy, yet often overlooked when it comes to security. As websites have become more powerful, the confidentiality and importance of the data they process has gradually crept upwards. We look at the most common mistakes, which mean that almost 100% of recently tested sites have major flaws.

Internet Service Providers or ISPs
ADSL has a great deal to answer for. Three years ago, if your business required a 512k connection to the Internet, you would probably have paid around £1,000 a month for the privilege, possibly a whole lot more.

Today, ISPs up and down the country are offering such speeds for as little as £20 per month. Clearly, this kind of price drop isn't the result of some new miraculous technology; after all, ADSL only runs from your telephone socket to the local telephone exchange and no further. It doesn't take a mathematician to work out that somewhere along the way some things had to go to pay for this £980 drop, typically:

  1. Quality of service
    As most ADSL users will note, you are effectively sharing your Internet bandwidth with 20 or 50 other people. The impact of this can depend on the service provider. Consumer-centric providers tend to be hit hard when viruses and worms are doing their rounds: home users and smaller businesses rarely have any defences, and so tend to flood these networks with rubbish fairly quickly. If your business needs more assurances, choose a business-centric ISP.

  2. Customer Support
    Your internet connection is great until it goes wrong. Things will break, that's for certain, and the last thing you need is an 090 premium-rate support number to get you going again. The best providers have a dedicated support team that can deal with your queries quickly; as with most things, you get what you pay for.

  3. Security
    Businesses that could afford a leased line could also afford the security that came with an "always on" connection, including firewalls and a team of experts to run them. Although many ISPs are beginning to offer "security" packages to ADSL users, most are based on software firewalls, the weakest and most vulnerable form of protection. Those few ISPs that offer "proper" firewalls only do so as a sideline, often outsourcing the service to another company and lacking any in-house firewall expertise, especially for support.

It is our direct experience that the only ISP in the UK that scores well on all three of the above is Star Internet, part of Star Technology Group, which is BS7799 registered and includes MessageLabs, the only anti-virus service in the world that provides a 100% SLA. Not only are they a business-centric ISP that's recognised by most large enterprises and the Government, they have good quality customer support, and have built their business from day one around providing secure Internet services.

Choose your ISP carefully, and remember that a few pounds saved is of little consequence if your business cannot function without a reliable Internet connection.

Websites: the weakest link
In a recent survey, 97% of the 300 e-commerce websites tested had such serious flaws that anyone could easily steal confidential information or deface the site. Anyone in the industry will tell you that there is no such thing as a "secure" web site; however, most of the sites that we've tested on behalf of customers could be hacked by Daffy Duck!

Myth: We use SSL, so that means we're safe!
SSL, or Secure Sockets Layer, is a form of encryption designed to ensure that credit card details and other confidential information remain secure as they cross the Internet. It's a great idea, but it seems nobody consulted the hackers!

Hackers rarely have the ability or access to reliably capture data on its way through the Internet, which is why they've ALWAYS targeted the destination: the server that stores the details. After all, sitting listening patiently on the Internet for the odd insecure credit card number is never as rewarding as breaking into just one server and stealing a million sets of numbers in one hit!

Gone are the days of boring single-page static web sites, complete with lurid backdrop and a multitude of crazy fonts. A growing number of small companies have invested heavily in websites with at least some dynamic content, perhaps a secure area for clients, an application, or maybe it's e-commerce enabled so that customers from anywhere in the world can now sample the delights of their particular widget.

Suddenly, even the most junior web designers are required to understand databases, secure transactions, form validation, scripting, and application development using some bizarre (even proprietary) technology. The word "junior" is significant: the economy within IT has been tough enough to ensure that the most qualified and experienced developers have been abandoned in favour of the less experienced (and cheaper) alternatives.

And herein lies the problem. No-one seems to have cottoned on to the fact that the Internet is a dangerous place full of nasty people. In fact the Internet is the most demanding place you can publish any form of application. Without proper design rules, procedures, robust validation and testing practices (above and beyond "does it appear to work"), you are heading for a fall.

If you process confidential information on your site, you will be breaking Data Protection rules if it isn't secure. That aside, Data Protection will be the least of your worries when your customers find out! Even if the data isn't confidential, it's probably business critical in some other way, meaning that your brand and/or your trade marks could be in serious trouble.

Top ten security failings of websites
This is our own list of the top ten faults that we regularly find on business websites. This list is not exhaustive, and is in no particular order. If you're a web developer, take note:

  1. Failure to validate forms and/or check for boundary conditions. When sending data from web based forms, especially to databases, few web designers provide consistent checking ("parsing") of the data to ensure that it won't have an undesirable effect. Effects include crashing the server, bypassing all login security, revealing confidential data, allowing the creation or destruction of information and/or web pages, etc.

  2. Over-zealous error messages. The first job of the "cracker" is to discover the underlying technology, e.g. the type of database. Sending "rubbish" to an insecure script usually reveals a complex database driver error which means nothing to the man in the street, but tells the cracker just about everything they need to know.

  3. "Cut and Paste" scripting. Very few web designers (come on, we've all done this...) develop anything from scratch. It's much quicker to simply cut and paste from an example on the Internet, et voilà, instant success. The trouble is, these standard scripts, which could be anything from a secure login facility to a fully fledged e-commerce system, may not be secure, and will often use ridiculously obvious table and column names (e.g. "username", "password", etc).

  4. Inconsistent testing of scripts. Every file on a web server is a potential security hole. Often, any testing that is done is focused on ensuring the correct operation of the script, not security. If security is tested, seemingly unimportant scripts are often ignored to save cost and time, yet these scripts may be a useful backdoor into the "secure" database.

  5. Inadequate hosting. The list here is endless. Lack of any regular data backups, lack of denial of service (DoS) protection, irregular patching of servers, uncontrolled third party access to servers, poor physical and environmental security, and so on. Read the small print carefully when you buy any form of web site hosting, and remember caveat emptor.

  6. Transactional/confidential data hosted with the web site. Web servers are typically "low grade" storage and should NEVER hold confidential or otherwise business critical data.

  7. Default scripts not disabled / directory permissions not checked. Most web server software includes a plethora of standard scripts and tools designed to allow easy management of your web site. These are often the "tools of choice" for many an opportunistic cracker. Also, default directory security is rarely suitable for Internet use "out of the box".

  8. Default stored procedures not disabled. Most database software comes with yet more useful tools to assist in the creation and management of databases in the form of stored procedures. These can make cracking a database driven site a breeze.

  9. Insufficient / unchecked access logs. If and when someone does break in, it might be nice to actually find out about it before all your customers ring up and complain. Few sites have the facility to accurately log all transactions, and most aren't routinely checked until AFTER a breach has occurred.

  10. Lack of warning notices on secure areas. The Computer Misuse Act 1990 is not particularly effective when it comes to websites. You are skating on thin ice if you fail to ensure that the cracker is knowingly committing a criminal offence by attempting to break in to your site.
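As an added example (not code from the original article or from Bawden Quinn), the first, second and ninth failings above in one Python login script, run against a constructed in-memory SQLite user table: the "before" version pastes the form fields straight into its query, while the hardened version checks the fields against a boundary rule, binds them as parameters, keeps the database driver error server-side and writes an access log line for every attempt. The table, account and field rules are assumptions made for the example.

```python
import logging
import re
import sqlite3

# Constructed stand-in for the site's user table. Passwords are stored in clear only
# to keep the example short; a real table holds salted password hashes.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")  # constructed test account

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("site.audit")


def login_unsafe(username: str, password: str) -> bool:
    """Failing 1: form fields are concatenated into the SQL, so a field containing a quote
    rewrites the WHERE clause and the password check can be bypassed."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


# Boundary rule for the username field (assumed for the example): short, lower-case, no quotes.
USERNAME_RE = re.compile(r"[a-z0-9_.-]{1,32}")


def login_safe(username: str, password: str) -> tuple[bool, str]:
    """Hardened form: validate, bind parameters, hide driver errors, log the outcome.
    Returns (logged_in, message_for_the_browser)."""
    if not USERNAME_RE.fullmatch(username) or not 1 <= len(password) <= 128:
        log.warning("login rejected by validation user=%r", username[:40])  # failing 9: record it
        return False, "Login failed"
    try:
        row = conn.execute(
            "SELECT username FROM users WHERE username = ? AND password = ?",
            (username, password),  # bound parameters: quotes in the data stay data
        ).fetchone()
    except sqlite3.Error as exc:
        log.error("database error during login: %s", exc)  # failing 2: detail stays in the server log
        return False, "Login failed"  # the browser sees only a generic message
    log.info("login attempt user=%r result=%s", username, "ok" if row else "denied")
    return (True, "Welcome") if row else (False, "Login failed")


if __name__ == "__main__":
    print("unsafe, quote in password field:", login_unsafe("alice", "' OR '1'='1"))
    print("safe, same input:", login_safe("alice", "' OR '1'='1"))
```

The unsafe function reports a successful login for the quoted input even though the password is wrong; the hardened one denies it and leaves a log line that a routine check would pick up.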

Next week: New technology. With Bluetooth, USB devices, Wireless LAN, and a host of mobile/handheld devices on the market, we discuss the risks associated with each technology, and how to stay safe!
