When it comes to website security, a little bit of paranoia can be a good thing. With the number of cyber attacks growing every year, we strongly advise our clients to prioritize website security best practices. The usual behavior is to act after an attack has occurred. By then, it might be too late. The damage to your business may be beyond repair. Your website is always vulnerable to cyber threats. It’s not a question of “if”, rather, it’s a question of “when”.
Every day, cybercriminals are launching attacks on websites all over the Internet. Cybercrime has become a profitable industry. According to a study conducted by Hewlett-Packard, a cyber-attack can cost a company $7.7 Million in a year. The cost is double for an American company at 15.4 Million.
Statistics on cybercrime from the University of Maryland showed that a website is being hacked every 39 seconds.
That website could be yours.
If you do not take a proactive position on website security, your website could be the next victim. Therefore, you must be aware of the areas where your website is most vulnerable to attacks.
Top 8 Website Vulnerabilities
A website can have several areas of vulnerability. In this article, we will discuss the 8 most common vulnerabilities that can be taken advantage of by hackers.
1. Injection Flaws
To put it simply, an injection flaw occurs when there is unfiltered data from the SQL server to the browser and to the LDAP server. In the process, hackers can steal your information by injecting their programs into these areas.
It is absolutely important to filter all data that your applications receive from all sources, especially those which cannot be trusted. And that is the challenge there – knowing with 100% certainty that the input or the source can be trusted.
For example, if your website received 100 inputs and you were able to filter 99 of them, does that mean your website is 100% safe? No, because the 1 input which was not filtered could be the Trojan horse that destroys your website.
It is a good idea to make sure your website’s filtering frameworks are routinely scrutinized and fortified as often as possible.
2. Broken Authentication
When you visit a website, be informed that it may contain session cookies. These cookies may have data that can retrieve sensitive information such as username, passwords, and account numbers.
Before you log out, make sure the cookies are invalidated. Otherwise, the data from the cookies will remain in your system.
A good example would be a person who uses a PC in a public network such as an Internet café may visit a website that contains such cookies. If the person fails to invalidate the cookies before logging out, the cookies will remain in the system.
A cybercriminal can visit the website, search for the user’s session and steal his/her private data.
You should likewise check the strength of your current system for authentication and session management.
3. XSS or Cross Site Scripting
Cross Site Scripting is related to Injection Flaws. XSS injects code into the application’s output for the purpose of manipulating a user’s browser. XSS grants hackers access to the user’s browser and steal valuable data such as passwords, usernames, and account numbers.
Website designers can fix the problem by not returning HTML tags to the user. This has the additional benefit of protecting the website from HTML injections whereby the cybercriminal injects annoying plain HTML content.
4. Insecure Direct Object References
A direct object reference occurs when a file or database key is exposed to a website user. The problem starts when the reference originates from a hacker or an agent with malicious intent. If your authentication process gets bypassed or overcome, the hacker can gain access and manipulate your website.
The website’s password reset function can also be an access point for this type of vulnerability. For example, a hacker can simply modify or alter the “username” field in the URL and input a popular keyword like “admin”.
5. Misconfiguration of Security Network
It is not uncommon for applications and web servers to have security networks that have been misconfigured simply because there are several ways this can happen.
• A debug function can be enabled while the application is running.
• A directory listing contains key information; often sensitive data. It can be leaked out if the directory listing is enabled on the server.
• Your website still uses or runs software that has not been updated.
• Your PC contains applications and other services that are hardly used or not necessary.
• Passwords and default keys are not changed.
• Error handling information is visible to attackers.
6. Exposure of Sensitive Data
Every time someone goes on the Internet, they are vulnerable to cyber-attacks. If you are running an e-commerce website or one that requires sensitive information to be disclosed, no ifs and buts, sensitive data must always be encrypted.
This is especially true if you are handling user passwords and credit card data. These types of information should never be transmitted without encryption. Google has already started penalizing websites that do not have SSL certificates.
You can read our article about this topic on “Is Google Punishing Sites Without SSL Certificates?”
7. Cross Site Request Forgery
As the term implies, Cross Site Request Forgery involves misrepresenting your identity to a website that can grant access to data with monetary value. It should of no surprise that banks are usually targets of CSRF.
In the event of CSRF vulnerability, a third party will issue a request to the target website, for example, your bank. The third party can do this through your browser by using your session cookies.
If your bank is vulnerable to this type of attack and you are logged on to their website, another tab can lead to your browser misusing its credentials for the benefit of the hacker. The end result referred to as a “confused deputy problem” with your browser being the deputy.
A CSRF attack can have a hacker manipulate a transaction that can result in an unauthorized transfer of money from your bank account to the hacker’s account.
8. Maintaining Flawed Website Components
We briefly touched on this issue in #5. It is worth mentioning again the importance of making sure the apps and programs you use for your website are updated.
WordPress is the most popular Content Management System (CMS) on the Internet. One reason WordPress is commonly used is the massive number of plugins that are available. It is easy to update the features of your website.
However, some website owners are negligent on this responsibility. If you don’t update your plugins, these can become potential entry points for hackers. The same goes for apps and services that are hardly used.
Cybercriminals are always trying to stay ahead of cybersecurity measures. Like a common criminal, they will look for ways to overcome your defenses. They will study flaws in your website design and structure.
For sure, a cybercriminal will capitalize on your weaknesses and make you pay for your carelessness.
This is why several of our clients signed up for our Extreme WordPress Care Programs. Our clients can rest easy and focus on their core business tasks while we make sure their website is in perfect health.
We schedule frequent website audits and see to it that all security networks are in fine working order and all plugins have been updated.
If you want to learn more about how we can help secure your website, please do not hesitate to give us a call or to drop us an email. Let’s discuss the importance of website security over our free 30-minute consultation!