This is Part 2 of our series ‘Web security and its importance in today’s world’. In this series we share why web security matters for individuals and organizations, and how to protect yourself and your organization from security breaches and cyber criminals.
Read Part 1 here: Why Security is Important for Your Business
In recent years we have seen a never-ending stream of cyber threats and data breaches, affecting retailers, banks, gaming networks, governments and more.
As technology advances day by day, attacks have also become more sophisticated and far larger. While a typical DDoS attack in 2012 may have peaked at 3 or 4 Gbps, recent attacks have bursts of more than 100 Gbps.
It’s time for companies and administrators to ensure that their websites are secured: once a website is compromised, the loss to the organization can be severe. Website security (also referred to as web application security, or webappsec) is a broad field, but most websites share common security issues that need to be addressed, regardless of the particular technologies used or functions deployed.
Here is our list of the top 5 web security issues that need to be taken care of:
1. Validation of input and output data
The most common web application security weakness is the failure to properly validate input from the client or environment. This weakness lies behind almost all of the major vulnerabilities in applications, such as interpreter injection, locale/Unicode attacks, file system attacks and buffer overflows. Data from the client should never be trusted, as the client has every opportunity to tamper with it. All data used by a website, whether it comes from users, other websites or internal systems, must be validated for type (e.g. numeric, date, string), length or range (e.g. 200 characters maximum, or a positive integer) and syntax (e.g. Indian mobile numbers have 10 digits).
2. Malicious file execution
Malicious file execution vulnerabilities are found in many applications. On many platforms, frameworks allow the use of external object references, such as URLs or file system references. When that data is insufficiently checked, arbitrary remote and hostile content can be included, processed or invoked by the web server. Uploaded files or other data feeds may not be what they seem. Never allow user-supplied input to be used in any file name or path (e.g. URLs or file system references). Uploaded files may also carry a malicious payload, so they should not be stored in web-accessible locations.
Using this vulnerability, an attacker can achieve the following:
• Remote code execution
• Remote root kit installation and complete system compromise
• Internal system compromise may be possible through the use of PHP’s SMB file wrappers
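The two rules above, validating every field for type, length and syntax (section 1) and keeping client input out of file names and paths while storing uploads outside the web root (section 2), as an added Python example that is not part of the original article. The field names, the allowed extensions and the `/srv/uploads` directory are assumptions chosen for illustration.

```python
import os
import re
import secrets
from datetime import date

def validate_positive_int(raw: str) -> int:
    """Type check: digits only, no leading zero, sign or whitespace, so int() sees exactly what was matched."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        raise ValueError("expected a positive integer")
    return int(raw)

def validate_string(raw: str, max_len: int = 200) -> str:
    """Length check (200 characters by default); control characters are rejected as well."""
    if len(raw) > max_len or any(ord(c) < 32 for c in raw):
        raise ValueError(f"expected printable text of at most {max_len} characters")
    return raw

def validate_date(raw: str) -> date:
    """Type check: strict YYYY-MM-DD; date.fromisoformat then rejects impossible days such as 02-30."""
    if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", raw):
        raise ValueError("expected a date in YYYY-MM-DD form")
    return date.fromisoformat(raw)

def validate_indian_mobile(raw: str) -> str:
    """Syntax check from the text: exactly 10 digits, nothing else."""
    if not re.fullmatch(r"[0-9]{10}", raw):
        raise ValueError("expected a 10-digit mobile number")
    return raw

def is_valid(check, raw: str) -> bool:
    """True when check() accepts raw; a handler uses this to reject the request before touching the value."""
    try:
        check(raw)
        return True
    except ValueError:
        return False

UPLOAD_DIR = "/srv/uploads"  # assumed storage directory outside the web root (hypothetical path)
ALLOWED_EXT = {".png", ".jpg", ".pdf"}

def safe_upload_target(user_filename: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Client text never becomes part of the path: only the extension is consulted (against an allowlist),
    the stored name is random, and the result is checked to still lie under upload_dir."""
    ext = os.path.splitext(os.path.basename(user_filename))[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("file type not permitted")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, secrets.token_hex(16) + ext))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("stored path escaped the upload directory")
    return target
```

Serving the file back later should go through a handler that reads from `UPLOAD_DIR` by the random name, so the upload directory itself is never exposed by the web server.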
3. Phishing
Phishing is one of the techniques most used by cyber criminals. Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Phishing is best tackled through user education, but the way a website is designed, its architecture and how it communicates with users can also reduce the risk.
4. Denial of service
A Denial-of-Service attack, also known as a DoS attack, is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or by sending it information that triggers a crash. In both cases, the DoS attack deprives legitimate users (i.e. employees, members or account holders) of the service or resource they expected. Today attackers do not necessarily need to steal your product or service; they only have to make sure you cannot deliver it to your customers, which eventually damages the company’s reputation.
5. System information leakage
Revealing system data such as web server details, error messages, staff, partner organizations, search engine or debugging information helps an attacker learn about the system and form a plan of attack. With this information an attacker can easily learn about the technologies, business logic and security measures used by a company and go on to compromise its systems. So it is important to avoid system information leakage as far as possible.
One should understand that it is not possible to secure a server or a computer completely. Every day new exploits and zero-days make their way into digital communication. But by following security practices an organization can avoid cyber attacks to a large extent.
The only truly secure system is one that is powered off, cast in a block of concrete