Panic caused by security breaches is still a major reason for implementing website security. So said Ilia Kolochenko, CEO of Swiss info-security company High-Tech Bridge, among the speakers at the SC Congress in London.
He told the event: “Loss of reputation and legal consequences of losing valuable customer data are driving website owners and security professionals to implement web security.”
The scale of the online security challenge is huge: zone-h.org defacement archive contains snapshots of 9.5 million hacked websites while the market researchers Frost and Sullivan state that four out of five websites are vulnerable to attack.
Eighty-six per cent of all websites have at least one serious vulnerability, according to White Hat Security in 2013, and High-Tech Bridge Security Research Lab issues at least one new Security Advisory per week citing web vulnerabilities that can affect about 10,000 live websites.
Kolochenko spoke to an IT audience who discussed topics including online privacy during a national crisis, mobile security, ethical hacking, and the evolving state of security in the cloud.
As both large and small businesses and public sector organisations increase their online presence, Kolochenko believes that they implement inadequate online security measures, or worse still none at all. While small businesses hesitate to spend money on automated solutions and cannot afford manual penetration testing, they: Remain vulnerable. Get hacked. Panic. As such, small businesses are easy pickings for hackers.
While larger organisations that are vulnerable to targeted attacks spend their budgets inefficiently on inappropriate solutions. Often they don’t realise RoI from web security testing, so they stop or suspend independent security auditing projects that are not required by law. Unfortunately, Kolochenko suggested, they react when it is already too late and spend or waste even more money investigating security breaches and calming shareholders, management and the public.
Kolochenko claimed there is a lack of innovation when it comes to helping companies build in web security early and prevent attacks. Security as an afterthought is all too often the norm as SMEs continue to find their budgets restricted. Large organisations are also more and more at risk as they are targeted for economic gains or become the victims of hacktivists.
As an example, High-Tech Bridge earlier this year identified a vulnerability on the World Economic Forum’s (WEF) website that gave access to world leaders’ private email addresses just days before its annual Davos meeting kicked off. “If basics like website security are not in place for larger organisations like the WEF”, asked Kolochenko, “then what hope do the little guys have?”
High-Tech Bridge also recently revealed how Pastebin, a website commonly used to share text online, had over 300,000 user credentials for various services, websites and emails – including personal data and passwords of law enforcement and security agencies – available to the public.
The firm said that major threats come from Cross-Site Scripting
Organisations that are trying to protect themselves use automated scanners, Software-as-a-Service Automated Assessments or manual penetration testing (ethical hacking). Even with these approaches, however, according to Kolochenko, there are some general obstacles to testing website security – there is a focus on performance, compatibility and design and security is considered an add on.
Kolochenko made the point to Professional Security before his talk that ethical or white hat hackers are often out of many SMEs’ reach cost wise. Traditionally, small firms expect to pay upwards of £1,500 for a one- to two-day security audit, with larger firms paying much more depending on how extensive their network is and how much inventory detail they can provide the ethical hackers.
“The value of ethical hacking is clear, but most SMEs just can’t afford it, rely on their hosting companies to do security audits or think it won’t happen to them, so still remain vulnerable. These SMEs have limited choices unfortunately – ethical hackers (costly and reliant on a person’s skills) or vulnerability scanners (machines aren’t always accurate and there are always new threats that rules don’t yet exist for).”
Kolochenko said: “Now is the time for innovation in the ethical hacking space, so that’s why we introduced ImmuniWeb
