Your business website is beautiful. It’s effective. It is consistently driving new traffic to your business.
But it can still be a liability if it isn’t safe.
We’ve all seen what happens in the business world when sensitive information gets compromised. And it’s not pretty. While web security is not the most glamorous of topics, it’s perhaps one of the most important issues to address when working on your business website.
Security can be a dense issue to navigate, especially if you’re not a software developer. But it’s still important to understand the basics to make sure that your web provider is taking care of you, and your customers, in the way that you expect.
So where can we get started?
Yes, Small Businesses Are At Risk Too
Well, the first step is acknowledging that small businesses are at risk. It’s easy to think that only huge corporations like Amazon, Target, and the like are in the crosshairs for attackers.
But just because your business is small, doesn’t mean it’s not a target.
An important misconception about security threats is that hackers are explicitly targeting your website directly. In reality, they’re attacking the application that supports your site.
Most websites are powered by a CMS or web application, and some of these are more secure than others. Not all of the risks to applications that we’re going to discuss will apply to your business. But as a rule, know that the more custom programs you use, (CMS, CRM, etc,) the more vulnerable you may be to attack.
How is Risk Assessed, Anyways?
In what ways can your website fall vulnerable to security risks?
The Open Web Application Security Project (OWASP) is an “open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.” They keep an eye on major threats and provide guidance for developers around the world. They also have tons of free resources to help further the mission of an open and secure web.
One of these resources is their Top 10 Security Risks document, recently revised in 2017. In it, they take a comprehensive look at the 10 biggest security risks for websites. Just in case you don’t have the time to get a software engineering degree, we thought we would break it down and explain why each is important.
There are 4 basic dimensions to take into account when analyzing security risks:
- Exploitability– How easy it is for a hacker to carry out the attack (1: Difficult to Exploit, 3 Easy to Exploit)
- Prevalence– How commonly this attack vector is used (1: Uncommon, 3: Widespread)
- Ease of detection– How difficult is is recognize a threat to this attack vector (1: Difficult to detect, 3 Easy to detect)
- Technical Impact– How much havok this attack can wreak (1: minor impact, 3: severe impact)
Here’s a table, based on the OWASP report, to help us understand the most prevalent risks, and how they relate to the 4 dimensions of security in terms of how easy they are to exploit.
|Risk||Exploitability||Prevalence||Ease of Detection||Technical Impact|
|Sensitive Data Exposure||2||3||2||3|
|XML External Entities||2||2||3||3|
|Broken Access Control||2||2||2||3|
|Using Component w/ Vulnerabilities||2||3||2||2|
Let’s get into the risks themselves:
Risk #1: Injection Flaws
Exploitability: 3, Prevalence: 2, Ease of Detection: 3, Technical Impact: 3
The web operates through requests and data transfers. Code – in the browser, on a server, in a database, etc – is responsible for marshalling requests and data from one entity to another.
An injection flaw happens when an attacker hijacks one of these commands to send untrusted data into a system. It tricks the system into executing unintended commands or accessing data without proper authorization.
It’s fairly common. It’s easy to exploit. And it can severely compromise your system. For instance, WordPress had a large vulnerability that exposed tens of thousands of websites to the risk of website takeover.
The solution? Short of being a developer, the best you can do is update, update, update! Software developers are constantly looking for bugs in their code or vulnerabilities they may have missed. When they find bugs or vulnerabilities, they release patches to plug them.
Staying current on software reduces the risk of injection attacks because it reflects the patches that developers have implemented. The older an application, the more likely an attacker has a record of how to exploit it in their database.
Risk #2: Broken Authentication
Exploitability: 3, Prevalence: 2, Ease of Detection: 2, Technical Impact: 3
Do your customers have accounts on your website? When your clients log in, you’re authenticating their identification. Proving that they are who they say they are, to make sure you’re keeping private information private.
When authentication is weak or broken, it allows hackers to assume someone’s identity in that system. They can pretend to be that authenticated user and commit all sorts of fraudulent activity.
The reality is that attackers have access to hundreds of millions of valid username/password combinations. (And, as we know, many people don’t update their passwords regularly.) They can make fraudulent default admin accounts. They have automated tools to hack systems, and good eyes to manually spot vulnerabilities in sites where they should use those automated tools.
And they may only need access to one account to infiltrate your system.
To protect against this kind of attack, set up multi-factor authentication whenever possible. The more hoops an attacker has to jump through, the harder it is to get into your system. Also, be sure to pay attention to session management and set application timeouts properly. When they close a browser, log them off the system. Anytime a user walks away from a session while still logged in, the whole system remains vulnerable.
Risk #3: Sensitive Data Exposure
Exploitability: 2, Prevalence: 3, Ease of Detection: 2, Technical Impact: 3
Over the last 5 years, the most common and impactful attacks have been by the mere exposure of too much sensitive data. Software that passes sensitive information via sessions, URLs, or poorly constructed code, increases the risk of this vulnerability.
While most small business owners don’t really need to worry about constructing URLs, it’s worth knowing that if you see personal information in a browser URL, you should ask some questions.
Also, keep an eye out for mismatched keys, which can suggest that the site you’re attempting to go to and the one being authenticated against are different. Ever see that “this application can’t be trusted” notice on google?
It’s often an indicator of such behavior. If that sounds like your website, let us know.
Risk #4: XML External Entities
Exploitability: 2, Prevalence: 2, Ease of Detection: 3, Technical Impact: 3
XML processors evaluate/process external references inside XML documents when making requests. When these processors are compromised, they can be used to disclose sensitive internal files.
It’s an important risk factor for developers, but isn’t usually relevant for small business websites unless you’re running a lot of custom programs. If you do use custom programs, make sure that your web developer and support service are aware of these issues.
Risk #5: Broken Access Control
Exploitability: 2, Prevalence: 2, Ease of Detection: 2, Technical Impact: 3
It’s important to control who has access to which portions of your website.
This shouldn’t be confused with broken access, as we mentioned above.
For example, let’s say you give a contractor admin privileges to your website. Did you remove that access when they were no longer working for you? What about your Google information? Your email service?
The more lapsed yet valid access points to your system, the more vulnerable you are to attack. Attackers can get into your system and modify your data without you even knowing it. And employees with too much access can break something, intentionally or not. So make sure you know who has access, always!
Risk #6: Security Misconfiguration
Exploitability: 3, Prevalence: 3, Ease of Detection: 3, Technical Impact: 2
This is perhaps the most common risk we see business websites exposed to. Using default configurations and poor password protection for elements in your system.
Let’s say you buy a router. Or a printer. Or a shared storage system, cloud-based or otherwise. That new component came with a default username and password. Let’s say you set it up and didn’t change that password.
If an attacker has a list of default usernames and passwords at the ready, they can jump right into your system.
Make sure that you are changing your passwords and keeping them updated. If you leave insecure default configurations on your system, you are asking for trouble.
Risk #7- Cross-Site Scripting
Exploitability: 3, Prevalence: 3, Ease of Detection: 3, Technical Impact: 2
Let’s imagine for a moment that your website can act as an unwitting accomplice for an attacker. When a visitor gets to your site, the attacker uses YOUR site to execute scripts in a victim’s browser, hijack user sessions, and redirect the visitor to malicious sites.
Sadly, you don’t have to imagine: that threat is all too real. (And fairly common.)
When attackers use cross-site scripting, they capture the user’s cookies and sensitive information, redirect traffic, and can even modify your existing page!
There are ways to prevent this: from using secure forms to coding the site in such a way that visiting browsers can only interpret data and not modify it. Make sure the support team for your website are aware of these ways to mitigate that risk.
Risk #8- Insecure Deserialization
Exploitability: 1, Prevalence: 2, Ease of Detection: 2, Technical Impact: 3
Converting data into a stream of bytes to store or transfer data is called serialization. When your site’s serialization is insecure, the underlying code inappropriately serializes data and transmits it. If the wrong people get your data, bad things happen.
It’s tough to exploit from the outside, so isn’t the number one thing on the radar of most small business sites. Just make sure that your software uses good serialization practises.
Risk #9- Using Components With Known Vulnerabilities
Exploitability: 2, Prevalence: 3, Ease of Detection: 2, Technical Impact: 2
Your site is only as secure as the components that it uses.
When installing libraries, plugins, frameworks and the like, be sure that they are updated and verified. Like we mention in our Ultimate Guide To Securing Your Business Website, most people gravitate toward free, open-source options when it comes to themes and plugins. But free components may not be updated as often, and may be more susceptible to attack.
And if you install an insecure component, you put the whole site at risk.
This risk can be particularly acute if you’re using a self-hosted CMS (like WordPress!) and using plugins to get custom functionality. So make sure that your web developer/support team is vetting components appropriately and giving them correct access to your system.
Risk #10- Insufficient Logging & Monitoring
Exploitability: 2, Prevalence: 3, Ease of Detection: 1, Technical Impact: 2
If your site isn’t consistently logging information, and if those logs aren’t being consistently monitored, you won’t know if attackers have broken into your system. If attackers access your system, they can persist there, and even pivot into another system.
Only accurate logging, and consistent response, can ensure that your system hasn’t been breached. The more detailed your logging, and the better your monitoring, the better the chances of catching aberrant behavior quickly. So again, be sure that your website is being monitored and supported!
How safe is your website? Sign up for a free audit and learn how the Pros can secure, support, and optimize your small business website.