For businesses, web security doesn’t just mean keeping users from accidentally installing malware. IT must also make sure the company’s own sites don’t become compromised and used in cyber attacks.
Unfortunately that’s a significant challenge — and the majority of websites are vulnerable to hacks, according to a new report from WhiteHat Security.
Attacking websites is one of the preferred methods for hackers — it’s one way for them to steal a company’s data, and they also often compromise trusted sites to spread malware or launch other attacks.
And it isn’t too hard for hackers to find websites they can attack. In fact, 86% of websites have at least one serious vulnerability that could be exploited by cyber attackers, based on data collected from thousands of websites managed by 650 WhiteHat customers.
The most common vulnerabilities discovered by the study were:
- Information leakage (55% of sites were vulnerable)
- Cross-site scripting (53%)
- Content spoofing (33%)
- Brute force attacks (26%)
- Cross-site request forgery (26%)
- Fingerprinting (23%)
- Insufficient transport layer protection (22%)
- Session fixation (14%)
- URL redirector abuse (13%)
- Insufficient authorization (11%)
- Directory indexing (11%)
- Abuse of functionality (9%)
- Predictable resource location (8%)
- SQL injection (7%)
- HTTP response splitting (4%)
What IT can do
The study points out that many of the practices companies follow to keep their websites secure may not be working that well. For example, organizations that used Web Application Firewalls had 11% more vulnerabilities than those that didn’t, and companies that conducted static-code testing on their sites had 15% more bugs.
While preventing all security problems is impossible, one thing IT departments can do better is monitor their sites to find and patch those bugs quickly. The bugs discovered in WhiteHat’s study were fixed within 30 days in just 18% of cases.
Another key: Offer security training to the employees who are developing the websites. Companies that did experienced 40% fewer vulnerabilities and fixed problems 59% faster than others.
In addition, it’s important to keep an updated inventory of all the websites the company operates. In many cases, according to WhiteHat’s report, vulnerabilities aren’t fixed because a site is expected to be decommissioned — but then the site is forgotten about and stays online.
Someone within the IT department should be given responsibility for managing that inventory and seeing that all sites are kept patched or taken offline when they’re no longer needed.