Every week the headlines carry news of high-profile cyber-attacks, and every day cyber criminals compromise thousands of websites, often without the site owner knowing. A recent study of 15,000 websites found that nearly half contained a ‘high-severity’ vulnerability waiting to be exploited (Acunetix Web Application Vulnerability Report 2015).
The sad fact is that most organisations will suffer some sort of cyber-attack at some point, so having a plan in place to reduce both the likelihood and the impact of an attack is essential.
It’s not just the major companies under attack: organisations of any size are likely to be targeted, so no one is immune. Remember that security is a best-effort exercise. No one can claim their web presence is 100% secure, but you can identify problem areas and fix them. The following four steps help significantly reduce the chance of a successful cyber-attack:
1. Understand your assets
Understand the assets under your control and what you are trying to protect. For example, say you hold product inventory and a customer database. Both datasets are important, but if a breach occurred, which is critical and therefore has the higher priority? Which one should you focus on protecting first? Probably the latter, as it contains personal and commercially sensitive data.
The next question to ask is: which parts of your systems are within your control and which are not? For example, service providers that maintain databases or even entire applications for your business, or cloud services: these systems are not entirely in your control, or you may have no control over them at all. Sometimes it is actually better to rely on proven service providers, especially for SMEs, but you need to understand what security measures they take to keep your applications and data safe. Also, take advantage of all the security controls third parties provide, such as two-factor authentication to secure your corporate accounts. Most attackers are after ‘easy wins’ (quick, low-effort and scalable criminal operations), so any process that makes your applications and business processes more secure makes you a less attractive target.
2. Bake security in
Next, consider security in the development cycle. Recent high-profile security breaches show that security needs to be baked into the application from the start; bolting it on afterwards amounts to plugging holes as they are found. Security needs to be a mindset in the design and development process: the more secure an application is, the more robust it is too.
Start with your mission-critical apps. Once these have been reviewed and security tested with no glaring vulnerabilities, move on to other apps, beginning with the ‘low-hanging fruit’. Remember that if automated scripts can find a vulnerability, whether obvious or well hidden, then an attacker can too.
As you get more comfortable with security you can integrate the mindset into the development process and scale up activity, for example with regular penetration testing in between security audits to ensure security is maintained. Don’t forget that while human pen-tests are excellent at identifying vulnerabilities, especially logical flaws in an application, automated scanners let you scale your security efforts economically and effectively; the two complement each other.
3. Understand your requirements
It’s not just the application itself you need to think about, you need to understand the environment your application is deployed in and what dependencies it has. The approaches you take here have major security implications. Ask yourself important questions such as: Does this application’s management interface need to be accessible to the public Internet? Should this port be open? Do I need this WordPress plug-in?
Understanding your requirements is crucial. A piece of software might have all the bells and whistles, most of which you might not need, but the more code involved, especially code you did not write yourself, the bigger the attack surface and the more room for bugs. Disable or remove what you do not use.
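One concrete way to ask “should this port be open?” is to audit what is actually listening on a host against a short allowlist. The following is an added example written for this page, not code from the original article or from Acunetix: it parses the output of `ss -tlnp` (a constructed sample is embedded so it runs offline), classifies each listener by the address it is bound to using Python’s standard `ipaddress` module, and reports every non-loopback listener whose port is not on the allowlist. The allowlist and the sample services are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample of `ss -tlnp` output (listening TCP sockets); not from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1021,fd=21))
LISTEN  0       511     *:8080               *:*                users:(("java",pid=1330,fd=45))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     [::1]:9000           [::]:*             users:(("php-fpm",pid=900,fd=7))
LISTEN  0       128     10.0.0.5:8443        0.0.0.0:*          users:(("admin-ui",pid=1400,fd=9))
"""

# Extracts the process name from the `users:(("name",pid=...,fd=...))` column.
PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def classify_address(addr):
    """Return 'loopback', 'any', 'private' or 'public' for a bound address."""
    if addr == "*":                      # older ss prints '*' for the unspecified address
        return "any"
    ip = ipaddress.ip_address(addr.strip("[]"))   # strip IPv6 brackets
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:                # 0.0.0.0 or :: means every interface
        return "any"
    if ip.is_private:
        return "private"
    return "public"


def parse_listeners(ss_output):
    """Return (address, port, process) for each LISTEN line of ss -tlnp output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                     # skip the header and anything not listening
        addr, _, port = fields[3].rpartition(":")   # split on the last ':' (IPv6-safe)
        match = PROCESS_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append((addr, int(port), process))
    return listeners


def exposed_services(ss_output, allowed_ports):
    """Listeners reachable from beyond the host whose port is not explicitly allowed."""
    findings = []
    for addr, port, process in parse_listeners(ss_output):
        exposure = classify_address(addr)
        if exposure == "loopback":
            continue                     # only reachable from the host itself
        if port not in allowed_ports:
            findings.append((addr, port, process, exposure))
    return findings


if __name__ == "__main__":
    # Assumed policy: only SSH is meant to be reachable from other hosts.
    for addr, port, process, exposure in exposed_services(SAMPLE_SS_OUTPUT, {22}):
        print(f"port {port} ({process}) is bound to {addr} [{exposure}]; is this intended?")
```

Against the sample, only SSH is allowed, so the check flags the application server on 8080 bound to every interface and the management UI on 8443 bound to a private address; the database and php-fpm are loopback-only and pass. Run `ss -tlnp` on a real host and feed its output in to get the same report.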
4. Never trust the user
One mantra to use is ‘never trust the user’. It should be irrelevant whether a legitimate user or a malicious attacker is filling out a form: your application’s design should always assume that the user is out to do the worst. Consider a web form, such as a humble log-in page. Is the application handling that input correctly, or can an attacker manipulate the SQL query sent to the application’s database? The developer must design the form to handle both honest and hostile input, validating it and passing it to the database in a way that cannot change the query’s structure, which makes the application both more secure and more robust.
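The log-in page above, shown the wrong way and the right way. This is an added example written for this page, not code from the original article or from Acunetix; it uses Python with an in-memory SQLite database constructed for the demonstration, and the user ‘alice’, her password and the hostile input are all assumed values. The vulnerable version pastes the username straight into the SQL text; the hardened version sends it as a bound parameter.

```python
import hashlib
import sqlite3


def password_hash(password):
    # SHA-256 keeps this example self-contained; a real application should use a
    # dedicated slow password hash such as bcrypt, scrypt or Argon2 instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    """Constructed in-memory user table for the example (not real site data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO users VALUES (?, ?)", ("alice", password_hash("alice-secret"))
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so the username is parsed as SQL.
    Returns the logged-in username, or None if the credentials are rejected."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash(password) + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterised query: the values travel separately from the SQL text, so no
    characters the user types can change the query's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Typed into the username field: closes the quoted string, makes the WHERE
    # clause always true, and comments out the password check that follows.
    hostile = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, hostile, "wrong"))   # alice
    print("hardened:  ", login_hardened(db, hostile, "wrong"))     # None
```

With the hostile username the vulnerable function executes `SELECT username FROM users WHERE username = '' OR 1=1 --' AND password_hash = '…'`, so the first user in the table is logged in without any password. The hardened function compares the literal string `' OR 1=1 --` against the username column, finds no such user, and rejects the log-in. Parameterised queries remove the injection; input validation and output encoding are still needed for the other ways untrusted input can do harm.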
Don’t discount security as a feature. Your management will notice if the app is not fast enough, but won’t notice if it’s insecure… perhaps until it’s too late.