Posts Tagged ‘Web Application’

Database Security Basics

Wednesday, April 7, 2010 11:00

You hear about customer and employee personal information being lost or stolen from businesses quite frequently.  This information is accessed using a variety of attack methods including SQL injection, buffer overflows, use of default accounts, and even the loss of unencrypted backup tapes.  No amount or type of security will guarantee absolute database security for your business, but until you implement some basic database security measures, you are wasting your time and money on more elaborate security measures.

This was posted under category: Computer Security

cPanel CSRF Security

Thursday, March 11, 2010 17:02

Late last year, a couple of security researchers announced that cPanel was vulnerable to cross-site request forgery (CSRF) attacks.  If you manage your business’ website, you know that cPanel is an administration interface that allows you to perform many tasks related to running a website.  This includes accessing website stats, email accounts, and log files, submitting tickets to the support desk, and a variety of other tasks.  Cross-site request forgery attacks allow attackers to exploit web-based services after the user has already logged into the web-based service.  In a cPanel attack, once you are logged in, the attacker must lure you into visiting a malicious website that the attacker runs or has compromised.  Once you go to the malicious website, the attacker can execute unauthorized commands since you are already logged into cPanel, and no password would be necessary.

This was posted under category: Computer Security

Cross-Site Scripting

Monday, October 5, 2009 11:00

A lot of today’s websites are dynamic, meaning they can deliver different content to a user depending on the user’s needs.  Dynamic content is achieved with the use of web applications.  This sounds great, but dynamic websites are open to an attack called cross-site scripting.  If you have been in business long and pay attention to the variety of security issues that you have to protect your business from, you probably have heard of this term before.  Cross-site scripting is a type of exploit where the attacker inserts or embeds malicious programming code into a web link which the attacker disguises so it appears that it is coming from a trusted source. 

This was posted under category: Security Dictionary

Understanding Web Application Firewalls – Part Two!

Friday, June 26, 2009 0:37

Web Application Firewalls

Web Application Firewalls are a market that is still hard to define, meaning what one vendor says is a web application firewall may not be what another defines as such.  For right now, many products fall under the web application firewall term.  For a business such as yours, this makes it hard to evaluate and compare products.  To overcome this confusion, first look at what your security needs are, the structure of your network, and the applications that you are using.  Then, look at what is available that fits your criteria.  Just by doing this first, you will narrow your search down from many to probably a few products that you are interested in researching and maybe testing further.  A few requirements for a web application firewall include:

This was posted under category: Computer Security

Understanding Web Application Firewalls – Part One!

Thursday, June 25, 2009 0:20

This article covers a somewhat complex and lengthy security topic so I am breaking it into two parts.  The first part will discuss web applications, what they are, and the basics of website security including web application firewalls.  The second part of the article will go into more detail regarding web application firewalls, the PCI standard pertaining to web application firewalls, and, lastly, UTM and web application firewall capabilities.

Web Applications

This was posted under category: Computer Security