The Verizon 2011 Data Breach Investigations Report states that the Web is the second most common infection vector for malware. The recent lilupophilupop.com SQL injection attacks, which infected over a million web pages, are a good example of what can happen. According to Google’s Four Years of Web Malware report, a lot of this malware is stopped in its tracks by the search giant. Good for us. But as Google’s report highlights, the threat of web malware isn’t going away any time soon. I suspect it’s only going to become more complex and elusive.
Stepping back, though, what are the chances that web malware will actually cause a problem? Pragmatically speaking, without getting into fancy threat models and risk calculations, I believe there’s no way to know what the chances really are. It’s like getting sick – you never can tell when a cold, food poisoning or other ailment is going to strike. One thing’s for sure: they’ll strike when we’re least expecting it or when we can least afford it. There are, however, certain things you do – or don’t do – that can result in an infected website, such as the website platform you use, how much you’ve locked down your systems, the functionality of your site and even the general browsing habits of your users.
The reality is that the odds are pretty good that your website will become a target at some point in the future. Whether or not it’s automated, a targeted attack could very well lead to a breach of some sort if the criminal threat is savvy and persistent enough. That said, being a “target” doesn’t mean that a successful exploitation will occur. Even if exploitation does occur, that doesn’t mean it’s the end of the line for you or your web presence.
In the end, when it comes to protecting against web malware, we could go on all day arguing for our limitations and trying to justify why we don’t need adequate protection. To have a secure website is the ultimate business decision you should make given the information you have. The important thing is to understand that the risk is there and it’s not going away. It’s how you choose to address the issue that’ll make the difference.