How Can I Reduce The Risk Of A Cyber-Attack?


A professional guide to reducing the risks of a cyber attack on your business. A professionally written article that would be suitable for a technical IT blog.


/2014/01/21/how-can-i-reduce-the-risk-of-a-cyber-attack/

Every year, cyber-attacks cost website owners large amounts of money in damage to IT assets and disruption to daily operations. Knowing how to manage the risks associated with cybercrime helps to reduce website security risk. For ecommerce website owners and key decision makers, a solid cyber security strategy requires a time investment and careful consideration of many facets of an online business. That investment is critical to business security and continuity, since cyber-attacks are on the rise as more businesses establish an online presence. For this reason, ecommerce businesses must increase their awareness of the different types of website breaches so they can develop effective policies and security strategies to combat cyber-attacks. In this article, we will help you understand the different types of cyber-attacks and discuss some of the steps that are necessary to reduce your exposure to online risks.

What is a Cyber Attack?

A cyber-attack consists of a program created on a criminal's PC before it is launched against a website, network, or individual PC. The motive for the attack is to compromise the availability, integrity, or confidentiality of a website, network, or PC, and the information stored on it. The attack is designed to perform a variety of malicious acts, including:

Acquiring unauthorized access to a website and the data associated with it.
Unexpected disruption of website services, up to and including entire website crashes.
Installation of viruses or malicious code (malware) on a website.
Unauthorized use of a website for the purpose of committing criminal acts such as hijacking, phishing, stealing sensitive data, and more.
Changes to the characteristics of a website for criminal purposes without the owner's knowledge or consent.

See Wikipedia for cyber-attack definitions.

The processes used for responding to an attack depend on the type of attack itself. This is why a comprehensive system covering a broad range of areas needs to be implemented: there is no one-size-fits-all answer to the problem.

What are the Different Types of Cyber Attacks?

To effectively protect your website, it is first important to understand some of the ways that hackers can launch a cyber-attack and gain access to your website. Here are a few of the common ways hackers can breach a website or the network server where the website is stored.

Remote Code Execution: This type of attack allows the hacker to run arbitrary system-level code through a web server vulnerability. The code allows the hacker to retrieve any type of information they desire, including sensitive information. See this article on remote code execution.

SQL Injection: This type of attack uses an older approach; however, it is still popular with many hackers since it is an effective way to gain access to information in a website database. Depending upon the security measures you have in place, the attack can range from stealing basic information to complete compromise of a website and the database associated with it.

Cross Site Scripting: Cross Site Scripting occurs on user login pages and comment pages that allow script tags. In this instance, the hacker perpetrates an attack using the error message page that appears when the wrong login information is entered, or when script tags are used on discussion pages.
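The SQL injection risk described above comes down to one coding decision: whether untrusted input is pasted into the SQL text or passed to the database as a bound parameter. The following is an added example written for this article, not code from the original post or from any product it mentions. It uses Python's built-in sqlite3 module against a constructed in-memory table, so it runs offline; the table, user names and the hostile input string are all made up for the demonstration. The vulnerable lookup leaks every row, the parameterized one returns nothing because the whole string is treated as a (non-existent) username.

```python
import sqlite3


def build_demo_db():
    # Constructed in-memory table for the demonstration; not a real customer database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Defect on purpose: the untrusted value becomes part of the SQL statement,
    # so a value containing quotes can change what the statement means.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # Fix: the value is sent separately from the statement text. Whatever it
    # contains, it can only ever be compared against the username column.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    hostile = "x' OR '1'='1"          # constructed input that turns the WHERE clause into a tautology
    print(lookup_vulnerable(conn, hostile))      # both rows are returned
    print(lookup_parameterized(conn, hostile))   # []  -- no user has that literal name
    print(lookup_parameterized(conn, "alice"))   # [('alice', 'alice@example.com')]
```

This is the check a code review (discussed later in the article) should look for in every database call: string concatenation or formatting into SQL is the defect, and the parameter placeholder is the fix, regardless of how the input was "cleaned" beforehand.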
Denial of Service (DoS): A Denial of Service attack occurs when the hacker inundates the web server bandwidth or the website resources with a massive amount of unnecessary traffic. The end result is complete loss of service to your website, with other specific losses that can be devastating depending upon how many attacking hosts are operating simultaneously.

Trojans: A Trojan is a small software program that can emulate legitimate software on a website, or it can be hidden inside web applications such as links, ads, and other components. When the visitor downloads software from your website or clicks on one of the components, the Trojan is installed on the visitor's computer and is designed to perform a series of malicious acts. See the virus encyclopedia on the Bitdefender website.

Hijacking: Hijacking occurs when a hacker monitors and then takes control of your website configuration to commit criminal acts. In this case, your website is set up to look like the real thing. When your customers enter their personal data, the site is programmed to send the data to an external server where the criminal harvests it.

These are a few of the common ways hackers can breach your website. New hacking methods are being developed on a regular basis, which is why it is important to stay on top of the latest methods and deploy strategies designed to counteract them.

What is involved with a Website Security Assessment?

Before you develop a website security strategy, it is important to assess existing security systems to determine where improvements should be made. This involves an assessment of the web server, software, coding, and web applications, to name a few areas. Additionally, if you are storing customer data and financial information, it is important to ensure that compliance standards such as PCI, HIPAA, and others are being met.
In order to understand where security improvements should be made, the following areas should be reviewed:

Code Review: A large number of website breaches occur as the result of coding errors. Although code reviews can be expensive, the cost of a breach can be worse. A thorough code review will tell you exactly where the security vulnerabilities are in the website code and whether any weak coding practices or shortcuts are being used.

Discuss Coding with Developers: Ask your website developer whether they are aware of the types of cyber-attacks we mentioned above. If they understand what they are, make a point of asking them what they have done in the code to prevent the attacks. If they can provide you with a sensible answer, there should be no problem with the code review and any apparent revisions. On the other hand, if they cannot provide an answer, a code review should be an important step in protecting your website. It will also help you to establish coding policies and standards for future website development.

Conduct a Web Vulnerability Assessment: This type of assessment takes on the perspective of an outsider and provides scenarios on how they might extract data from your system. The assessment focuses on the areas of your website that face the Internet, as opposed to the server side of the site that contains the code and other backend processes essential behind the scenes. A web vulnerability assessment will help you to focus on which aspects of the site are likely to be vulnerable to exploits and tests the areas that are the most likely to be targeted.

Review IT Security Tools: It is important to review the IT security tools you currently have deployed to determine whether they are providing sufficient protection or whether changes are warranted. Depending upon your industry and the requirements for your website, the security tools include but are not limited to an antivirus and anti-malware protection system, a firewall at the network level, a firewall at the web application level, endpoint security management, intrusion detection and prevention systems, and encryption technologies such as Secure Sockets Layer (SSL) HTTPS, and more.

Mobile Devices: If your company uses mobile devices to access specific components of the website such as CRM and others on the server side or backend, it is necessary to conduct a security assessment of the mobile devices. Although you may have a solid security strategy deployed, it can easily be compromised through mobile device access.
There are many third party companies like this one that offer network and website security assessment services. Conducting a local Google search should bring up the best results.

What Steps Should I Take to Reduce Online Risks?

Once you have assessed and defined the website security requirements, you should review the security policy to make any necessary changes, decide how the security policy will be monitored and managed, how specific data is classified based on sensitivity, and what effect a data breach would have on your business. This will help you to focus on the areas that require the most protection. Other steps for reducing online risks include:

Level of Security and Ease of Use: Although website security is mainly about preventing data breaches and information theft, the security practices you put in place should ensure the website remains available, offers fast performance, and is in compliance with the specific regulations for your industry.

Validation of Third Party Data: Most websites in today's ecommerce environment receive input from other sources such as news feeds, social media, back office software systems, and other sources. Part of your security strategy should include validating the incoming and outgoing data to protect the integrity of your website infrastructure and prevent data breaches.

Conduct Security Reviews at Each Milestone: Conduct a security review at each milestone in the development process to ensure security issues are tackled immediately. The earlier you spot an issue, the less costly it will be to mitigate the risk.

Create a Consistent Development Framework: Web applications and software will always have errors; however, creating a consistent coding framework for developers minimizes the security risks. It also means you should include a reasonable time frame for developing the web application securely instead of simply meeting the functional requirements.
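"Validating third party data" is easier to act on with a concrete validator in front of you. The following is an added example written for this article, not code from the original post or from any feed product. It treats an incoming news feed as untrusted JSON and accepts an item only if every field passes an explicit rule: required fields present, title a bounded string without markup characters, link restricted to http/https on an allowlisted host, and a well-formed date. The allowlist, the field names and the sample feed are all constructed assumptions for the demonstration; rejected items are returned with a reason so they can be logged rather than silently dropped.

```python
import json
from datetime import datetime
from urllib.parse import urlparse

# Hypothetical policy for this example: the only hosts this site accepts feed links from.
ALLOWED_FEED_HOSTS = {"news.example.com", "partner.example.org"}
MAX_TITLE_LEN = 200


def validate_item(item):
    """Return None if the feed item is acceptable, otherwise a short rejection reason."""
    if not isinstance(item, dict):
        return "item is not an object"
    for key in ("title", "url", "published"):
        if key not in item:
            return f"missing field {key}"
    title = item["title"]
    if not isinstance(title, str) or not title.strip():
        return "title must be a non-empty string"
    if len(title) > MAX_TITLE_LEN:
        return "title too long"
    if "<" in title or ">" in title:
        # Feed text is later rendered in pages; refuse markup at the boundary
        # instead of relying on every template to escape it correctly.
        return "title contains markup characters"
    url = item["url"]
    if not isinstance(url, str):
        return "url must be a string"
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return f"url scheme {parsed.scheme!r} not allowed"
    if parsed.hostname not in ALLOWED_FEED_HOSTS:
        return f"url host {parsed.hostname!r} not in allowlist"
    try:
        datetime.strptime(item["published"], "%Y-%m-%d")
    except (TypeError, ValueError):
        return "published must be a YYYY-MM-DD date"
    return None


def filter_feed(raw_json):
    """Parse a JSON feed and split it into (accepted items, [(label, reason), ...])."""
    try:
        items = json.loads(raw_json)
    except json.JSONDecodeError:
        return [], [("<feed>", "feed is not valid JSON")]
    if not isinstance(items, list):
        return [], [("<feed>", "feed root must be a list")]
    accepted, rejected = [], []
    for item in items:
        reason = validate_item(item)
        if reason is None:
            accepted.append(item)
        else:
            label = item.get("title", "<untitled>") if isinstance(item, dict) else "<non-object>"
            rejected.append((label, reason))
    return accepted, rejected


# Constructed sample feed: one clean item and four that each break a different rule.
SAMPLE_FEED = json.dumps([
    {"title": "Quarterly results", "url": "https://news.example.com/q1", "published": "2014-01-21"},
    {"title": "Click here", "url": "javascript:alert(1)", "published": "2014-01-21"},
    {"title": "Special offer", "url": "https://untrusted.example.net/x", "published": "2014-01-21"},
    {"title": "<script>alert(1)</script>", "url": "https://news.example.com/y", "published": "2014-01-21"},
    {"title": "No date", "url": "https://news.example.com/z"},
])

if __name__ == "__main__":
    ok, bad = filter_feed(SAMPLE_FEED)
    print("accepted:", [i["title"] for i in ok])
    for label, reason in bad:
        print(f"rejected {label!r}: {reason}")
```

The same shape applies to outgoing data: run the records you push to partners or back-office systems through an equivalent rule set, so a compromised component cannot use your site as a relay for malformed or hostile content.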
Implement Secure Testing: When testing for website vulnerabilities, a threat model should be created to thoroughly check which actions are unauthorized and which actions are normal, intended functions.

Implement Auditing, Logging, and Alerts: There is a host of software available for auditing website activity, logging for detection of suspicious activity, and alerts which provide you with early warnings of potential issues. The logs must also be protected from unauthorized modification and include user identities so that activity can be monitored.
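The two requirements just stated for logs, that they record who did what and that they resist unauthorized modification, can be demonstrated in a few dozen lines. The following is an added example written for this article, not code from the original post or from any logging product. Each entry carries a user identity and is hashed together with the hash of the previous entry, so editing or deleting any earlier record breaks every hash after it and verification reports the first bad index. A small alert rule over the same entries flags users with repeated failed logins. The event list, user names and the threshold are constructed assumptions for the demonstration.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash the first entry chains to


def _entry_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log in which every entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, timestamp, user, action, outcome):
        record = {"ts": timestamp, "user": user, "action": action, "outcome": outcome}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "hash": _entry_hash(prev, record)})

    def verify(self):
        """Return the index of the first entry whose hash no longer matches, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["hash"] != _entry_hash(prev, entry["record"]):
                return i
            prev = entry["hash"]
        return None


def failed_login_alerts(log, threshold=3):
    """Users with at least `threshold` failed logins in the log, sorted by name."""
    counts = {}
    for entry in log.entries:
        r = entry["record"]
        if r["action"] == "login" and r["outcome"] == "failure":
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def build_sample_log():
    # Constructed events: one normal session and a burst of failed logins.
    log = AuditLog()
    for event in [
        ("2014-01-21T09:00:00Z", "alice", "login", "success"),
        ("2014-01-21T09:05:10Z", "guest42", "login", "failure"),
        ("2014-01-21T09:05:15Z", "guest42", "login", "failure"),
        ("2014-01-21T09:05:21Z", "guest42", "login", "failure"),
        ("2014-01-21T09:10:00Z", "alice", "update_product", "success"),
    ]:
        log.append(*event)
    return log


def demo_tamper(log):
    """Simulate an unauthorized edit of entry 2 and return what verify() reports."""
    log.entries[2]["record"]["outcome"] = "success"
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)          # True
    print("alert users:", failed_login_alerts(log))       # ['guest42']
    print("first bad entry after edit:", demo_tamper(log))  # 2
```

The chain only proves something if its latest hash is held somewhere the log's own administrators cannot silently rewrite: copy it to a separate system, or have a log-forwarding service sign it, so an attacker who gains write access to the log files cannot simply recompute every hash.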
Use Secure Deployment: When you are developing a new website or expanding an existing one, the test and live environments may vary and be configured differently. This can cause security issues if the setup and launch of the website is not executed in a controlled manner that ensures all necessary security controls are implemented.

Contract and SLA Security: If you use external security protection services or sub-contractors, make sure security is well defined in the contract or Service Level Agreement (see wiki). Use the same process to determine the level of security the provider uses and how security breaches are identified and handled.

Disaster Recovery and Business Continuity: Prepare your company with a backup plan in the event of a loss of availability of your website. This includes identifying the probability of downtime and the effect it will have on daily business operations. Define what actions should be taken to ensure business continuity in the event of an outage.

In addition to the above steps, make certain the latest security technologies are deployed, such as an antivirus and anti-malware protection system, a firewall at the network level, a firewall at the web application level, endpoint security management, intrusion detection and prevention systems, and encryption technologies such as Secure Sockets Layer (SSL) HTTPS, and more. This may also include data protection technologies associated with meeting compliance requirements for PCI (Payment Card Industry), HIPAA (Health Insurance Portability and Accountability Act), and other industry-specific standards.

Featured image license: Royalty Free or iStock.

Another article by Brian Morton, a professional IT consultant of 11 years and counting. You will find Brian's articles on various technology sites across the internet.