A company’s website is often a prime target for hackers. Cybercriminals can use vulnerabilities in sites to gain access to sensitive company information. Or, they can hijack those legitimate sites to spread malware to visitors’ machines.
The good news: As awareness of the threats is increasing, websites are becoming more secure, according to a study of 7,000 websites monitored by WhiteHat Security. Last year, an average of 230 security vulnerabilities were found on each site studied. In this year’s report, that number dropped to 79, a 66% decrease. That continued a steady decline seen by WhiteHat since 2007.
Organizations are also getting better at mitigating problems, as vulnerabilities were fixed in an average of 38 days, which was a big improvement over the 116 days it took a year earlier.
But just because companies have gotten better at securing their websites, it doesn’t mean hackers have given up — they’ve just changed their approaches. For example, many hackers are using more specialized attacks and targeting specific businesses, rather than automating the process to look for common vulnerabilities in thousands of sites at once.
When hackers target a site, what security holes are they most likely to see? These were the top 10 vulnerabilities found in the websites studied:
- Cross-site scripting (55% of sites were vulnerable to this type of attack for some period of time)
- Information leakage (53%)
- Content spoofing (36%)
- Insufficient authorization (21%)
- Cross-site request forgery (19%)
- Brute force attacks (16%)
- Predictable resource location (12%)
- SQL injection (11%)
- Session fixation (10%)
- Insufficient session expiration (10%)
What’s behind those vulnerabilities — and what leads attackers to find and exploit them? Here are five of the common reasons websites are hit by attacks from hackers:
1. Missing patches
As with many types of security flaws, vulnerabilities in websites often start with applications that aren’t patched and kept up to date. One recent study found that exploiting outdated software was the most common method hackers used to attack websites.
2. Reopened vulnerabilities
The vulnerabilities found exist for various reasons, such as bad code or improper configurations. And in some cases, when those problems are fixed, they reappear later. In fact, 20% of the vulnerabilities discovered by WhiteHat were fixed but later reopened at some point. That happened for a variety of reasons, such as if problematic code was corrected but then overwritten during a software update, or if an update restored a vulnerable configuration that had previously been fixed.
3. Lack of firewalls
WhiteHat’s report points out that many of the most common vulnerabilities can be mitigated by using a web application firewall, which, like a network firewall, protects the website from malicious attacks and monitors inbound and outbound traffic. The report estimates that the technology could fix 71% of vulnerabilities.
4. Faulty log-in procedures
Some of the vulnerabilities on the top 10 list are caused by unsecured log-in procedures, including log-in sessions failing to expire properly, as shown by the last item in the list. In another example, many brute force vulnerabilities were present because the website log-in page revealed which entry, the user name or the password, was incorrect after a failed log-in. Since many sites use email addresses as usernames, spammers can use those sites to mine for valid email addresses.
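The user-name disclosure described above, as an added example that is not from the WhiteHat report or this article: a log-in handler that names the wrong field beside one that returns a single generic message, plus a check showing which of the two lets a failed attempt tell a real account from a non-existent one. The user store, account and messages are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential used when the username is unknown, so the failure path does
# the same hashing work either way and response time does not reveal the answer.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Vulnerable form: the error text says which field was wrong, so anyone can
    confirm whether an e-mail address has an account by submitting a bad password."""
    record = USERS.get(username)
    if record is None:
        return "Unknown user name"
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "Incorrect password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Hardened form: one message for every failure, and the password hash is
    computed on both paths so unknown and known usernames take the same time."""
    known = username in USERS
    salt, stored = USERS[username] if known else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if known and ok:
        return "OK"
    return "Invalid user name or password"


def reveals_valid_accounts(handler) -> bool:
    """True if a wrong password against a real account draws a different reply
    than one against a non-existent account, i.e. the page permits enumeration."""
    real = handler("alice@example.com", "wrong")
    fake = handler("nobody@example.com", "wrong")
    return real != fake
```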
5. Lack of knowledge about vulnerabilities
While the organizations in the study were customers of WhiteHat’s monitoring service, and therefore knew about their problems, many vulnerabilities go completely unnoticed by the websites’ owners and administrators. In fact, over half of web admins don’t know when their sites are hacked, according to a recent survey from security firm Commtouch.
To protect against those vulnerabilities, WhiteHat recommends organizations make a list of all their sites and prioritize them based on how secure they need to be and how critical they are for the company’s business.
Then, IT should test those sites periodically to make sure vulnerabilities stay fixed and to catch new ones when they appear.