I am always amazed by the number of websites that suffer cyber attacks. Despite the enormous number of attacks, and despite widespread publicity about these attacks, most website owners fail to scan effectively for common security flaws. These attacks can range from simple nuisances to dangerous compromises of sensitive data. Many overlook the possibility of the website being destroyed by a virus, even though it is a relatively common occurrence in the online world.

With all of the work that goes into building a comprehensive website over time, it can actually be more devastating to lose a website than to lose a PC or even an operating system. When a website is brought down by a virus, it cannot be quickly replaced like an operating system or PC. In fact, the damage that is done can take months to repair, especially when you consider how many negative events can transpire as the result of a worm attack. The most obvious effect will be the loss of traffic that will be seen soon after the worm has infected the website.

Most hackers spend hours every day trying to find new exploits, hacking into sites and looking for opportunities to steal cash from hard-working business owners. Yet the business owners do not put forth the same effort to protect their websites. It is important, during website development, that all possible security threats be considered to ensure adequate protection of the website as well as its end users.

If website security is such an important consideration for these online businesses, why are the website owners not mitigating security risks and building customer trust?

1. The Web Developers Deal With Website Security

Many people who start up an online business hire other people to build their website. They assume that these web developers will incorporate security. Unfortunately this is not true, unless you ask them. As stated previously, it is important, during website development, that all possible security threats be considered.

In other situations, people may create their own website. They tend to forget about adding website protection and security. Since most people, when they first start out, are on a very low budget, security is the last thing they worry about. Not even the most basic security, which requires no special software skills, is incorporated. Basic security may not be perfect, but it is better than having no security at all, which makes it easier for people to hack the website.

2. No One Will Hack The Website

Many people tend to think it won't happen to them – why would hackers go for their website when there are huge high-profile targets around? Many are fooled by this false sense of security. The sad fact is that big companies can employ legions of experts to ensure their website stays safe and secure. The smaller websites tend to have limited resources, and may also be relying on the company that designed their website.

The internet is a very dangerous place, especially for small businesses that conduct hundreds or thousands of dollars in eCommerce each and every day. These smaller websites have emerged as the target of choice for money-hungry hackers. Just registering a new domain name will mean it gets scanned for vulnerabilities and potentially targeted.

3. The Website Uses An SSL Certificate (https instead of http)

The term "secure website" is often used for the parts of a website where the data transmitted between a user and the server is encrypted. SSL only means the data in transit is encrypted. It does not actually secure a website, its data, the server or its users. SSL has no ability to protect the information stored on the website once it arrives. SSL should be used for the transfer of private and sensitive data, but that is just one small part of website security.

4. The Website Is Not Hosted On The Microsoft Operating System

When it comes to vulnerabilities in software, and patching of software, most of the news tends to be centered around Microsoft. Since Microsoft is so widely used, it stands to reason that it would be mentioned the most.

Many people feel that if their websites are hosted on other operating systems, such as Unix, then they are safe. They fail to realize that these other operating systems still need to have patches and updates regularly applied.

Also, many security exploits (e.g. phishing, weak registration/login systems, cross-site scripting (XSS), business logic flaws) are completely independent of the operating system.

5. The Website Is Protected By A Firewall

Firewalls in front of a web server control traffic to that server. But the web server will need to see web requests, so these cannot be filtered. Web application firewalls can assist in protecting against known vulnerabilities and unusual traffic, but cannot usually provide protection against custom code vulnerabilities, valid use that corrupts data, and zero-day attacks, which take advantage of vulnerabilities that do not currently have a fix. They can be of use in temporarily filtering traffic when a vulnerability is discovered, but need to be thought of as a temporary fix rather than a permanent repair.

6. The Website Is Always Backed Up

Although it is very critical to always back up the website and database in case it is brought down, backups are not a protective mechanism; they are an aid to recovery. If the data has been altered maliciously, the backup may well also contain the alteration. Also, backups are unlikely to have everything needed to rebuild the site.

7. The Website Has An Annual Infiltration Test

A vulnerability scanner tool will not be able to discover all the vulnerabilities in your website. In particular, vulnerabilities in any custom-developed code are unlikely to be found by automated tools. Coupled with the fact that the hosting environment and website code are likely to change over a much shorter time span than a year, automated testing and analysis need to be undertaken more often. Best practice is to undertake automated testing weekly and to have logging and alerting functions which highlight changes to files and potential intrusions on a live basis.

8. The Website Is Up Most Of The Time

Hosting providers usually define certain minimum levels of uptime. You need to check how these are calculated, what you are responsible for and what the exclusions are.

Owners do not often consider what would happen if their website were unavailable for a period longer than a few minutes. Many fail to have plans in place (disaster recovery and business continuity) to deal with the loss of the website, or of access to it.

The falsehoods mentioned appear to be the most basic myths that most people believe. I am fairly confident that many more falsehoods could be added.

Website owners must never forget that they are the website security. What they do or do not do is what makes their websites secure.

Always remember that hackers, like burglars, are opportunists. If you take the security measures to keep your website safe, a hacker will swiftly move on to a site that is less well protected. Securing your website can take minutes, but gives you a lifetime of peace of mind.
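Points 6 and 7 above both turn on knowing exactly which files changed: a live change report surfaces an intrusion early, and running the same comparison against a restored backup shows whether the backup itself carries altered files before it is put back into service. The following file-integrity check is an added example, not code from the original article or any product it mentions; the web-root layout, file names and the `baseline.json` store are constructed for the demonstration, and the `FIM` alert-line format is an assumption.

```python
"""File-integrity baseline and change report for a web root (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"  # assumption: any hashlib algorithm name works here


def hash_file(path: Path) -> str:
    """Stream the file through the hash so large uploads are not read into memory."""
    digest = hashlib.new(HASH_ALGO)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict[str, str], dest: Path) -> None:
    """Persist the baseline; keep this file outside the web root and ideally off the host."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict[str, str]:
    """Read a baseline written by save_baseline."""
    return json.loads(src.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report paths that appeared, disappeared, or whose content hash changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def alert_lines(diff: dict[str, list[str]]) -> list[str]:
    """One line per change, in a fixed shape a log shipper or mail hook can match on."""
    return [
        f"FIM {kind.upper()} {path}"
        for kind in ("added", "removed", "modified")
        for path in diff[kind]
    ]


def demo() -> dict[str, list[str]]:
    """Constructed web root: take a baseline, change some files, re-scan and diff."""
    with tempfile.TemporaryDirectory() as web, tempfile.TemporaryDirectory() as store:
        root = Path(web)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0; }\n")
        baseline_file = Path(store) / "baseline.json"  # stored away from the web root
        save_baseline(build_baseline(root), baseline_file)

        # Simulated changes since the baseline: one edit, one new file, one deletion.
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n<!-- edited -->\n")
        (root / "config.bak").write_text("constructed stray file\n")
        (root / "css" / "site.css").unlink()

        diff = compare(load_baseline(baseline_file), build_baseline(root))
        for line in alert_lines(diff):
            print(line)
        return diff


if __name__ == "__main__":
    demo()
```

Run from cron (or a scheduler on the hosting side) and ship the `FIM` lines to wherever your other logs go; a change you did not deploy is the signal worth paging on. Because the baseline is only as trustworthy as the place it lives, write it somewhere the web server's own account cannot modify, and re-baseline deliberately after each legitimate deployment rather than letting the scan silently accept whatever it finds.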