Nov 27, 2013 (Wed): Malaysian businesses are strongly advised to strengthen their website security or risk intrusion by cyber criminals resulting in business disruption, triggering revenue and productivity loss. Company websites are an important avenue to market their goods and services as many conduct their essential businesses on their websites including applications for their employees, transactions with business partners (B2B), and transactions with their end customers (B2B, B2C).
“Cybercrime is the fastest growing area of criminal activity today and businesses must act quickly to make sure they are protected. Websites and web applications are easy targets to hackers because they are public facing and open to the Internet,” said Dato’ Seri George Chang, Fortinet’s Vice President for Southeast Asia and Hong Kong.
“Website hacking can take several forms including website defacement, information theft and denial of service. Such malicious activities will not only lead to loss of reputation and trust, but also costly litigation should sensitive customer information such as credit card numbers be stolen,” explained Chang. He cited a recent study by Verizon which showed that the top two reasons for an attack on websites were theft (financial or personal gain) and hacktivism (disagreement or protest).
Of late, there has been a steady rise in the number of targeted website attacks in the region. In June 2013, Singaporean traditional Chinese medicine company Eu Yan Sang had its website defaced by hacktivists. In 2012, a hacker defaced and blocked access to rare earths producer Lynas Corp’s website as part of a campaign against the opening of the company’s processing plant in Malaysia.
Challenges in Securing Web Applications
The difficulty in protecting web applications lies in their sheer architecture and dynamics. While network security is relatively simple (define security policies to allow or block specific traffic to and from different networks and servers), applications comprise hundreds, and sometimes thousands, of different elements including URLs, parameters and cookies. Manually creating a separate policy for each of these items is almost impossible and obviously does not scale. In addition, web applications change frequently, with new URLs and parameters being added, making it difficult for security administrators to keep their security policies up to date.
Protecting Company Websites
Companies can mitigate such attacks with the right tools and processes. Fortinet recommends a three-pronged approach to tackling web application security:
- Secure Coding Practices and Code Reviews – Developing web applications securely and implementing a secure coding practice as part of the development life cycle is an integral part of application development projects. Once developed, the code should be reviewed by a third party, independent from the development team.
- Web Application Vulnerability Assessment / Penetration Testing – Applications should be reviewed, either manually or with automated application vulnerability assessment tools, to locate existing vulnerabilities. This can be followed up with targeted application penetration testing exercises for critical applications.
- Install a web application firewall – A web application firewall (WAF) allows organizations to detect and block application layer attacks. Such a firewall is needed in addition to conventional network security solutions because traditional firewalls detect network attacks and inspect IP addresses and ports with minimal application awareness.
Many variations of WAFs exist today. Fortinet’s FortiWeb appliance, for instance, combines a WAF with XML firewall capabilities in a single platform, with several add-on modules such as vulnerability scanning, application acceleration and server load balancing that further complement the basic capabilities offered. Sophisticated attacks are blocked using a multi-layered security approach. Incorporating positive and negative security models based on bi-directional traffic analysis and an embedded behaviour-based anomaly detection engine, FortiWeb can protect against a broad range of threats without the need for network re-architecture or application changes.
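To make the positive and negative security models concrete, and to show why a per-URL policy is learned from traffic rather than written by hand, here is an added illustration in Python. It is not FortiWeb code or any vendor rule set: the signatures, the learning rule (longest value seen per parameter) and the sample traffic are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Negative model: a few constructed signatures standing in for a vendor rule set.
SIGNATURES = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "sql_comment": re.compile(r"(--|/\*)"),
}

def learn_profile(sample_urls):
    """Positive model: build a per-URL allow-list of parameter names and the
    longest value seen for each, from (constructed) benign traffic."""
    profile = {}
    for url in sample_urls:
        parts = urlsplit(url)
        params = profile.setdefault(parts.path, {})
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            longest = max(len(v) for v in values)
            params[name] = max(params.get(name, 0), longest)
    return profile

def inspect(profile, url):
    """Return ("allow", reason) or ("block", reason) for one request URL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    # Negative model first: any known-bad pattern in any value blocks.
    for name, values in params.items():
        for v in values:
            for sig, rx in SIGNATURES.items():
                if rx.search(v):
                    return ("block", f"{sig} in parameter {name}")
    # Positive model: the URL and every parameter must fit the learned profile.
    allowed = profile.get(parts.path)
    if allowed is None:
        return ("block", f"unknown url {parts.path}")
    for name, values in params.items():
        if name not in allowed:
            return ("block", f"unexpected parameter {name} on {parts.path}")
        if max(len(v) for v in values) > allowed[name]:
            return ("block", f"parameter {name} longer than learned profile")
    return ("allow", "matches learned profile")

# Constructed benign traffic used to learn the profile (assumed, not real data).
SAMPLE_TRAFFIC = [
    "/search?q=ginseng",
    "/search?q=bird+nest+soup",
    "/login?user=alice&pwd=correct-horse",
]
PROFILE = learn_profile(SAMPLE_TRAFFIC)
```

A real WAF learns far richer profiles (value character classes, cookies, HTTP methods) and tolerates drift as the application changes; the block above only shows how the two models divide the work.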