Posts Tagged ‘Website Security’

cPanel CSRF Security

Thursday, March 11, 2010 17:02

Late last year, a couple of security researchers announced that cPanel was vulnerable to cross-site request forgery (CSRF) attacks. If you manage your business’ website, you know that cPanel is an administration interface that allows you to perform many tasks related to running a website. This includes accessing website stats, email accounts, and log files, submitting tickets to the support desk, and a variety of other tasks. Cross-site request forgery attacks allow attackers to exploit a web-based service after the user has already logged into it. In a cPanel attack, you must already be logged in, and the attacker must then lure you to a malicious website that the attacker runs or has compromised. Once you go to the malicious website, the attacker can execute unauthorized commands without needing your password, since you are already logged into cPanel.

This was posted under category: Computer Security

Flaws In SSL Encryption?

Monday, August 3, 2009 7:00

Secure Sockets Layer (SSL) is used on the internet to encrypt connections to sites such as e-commerce and banking sites. Almost everyone has seen and used these sites. They have “https” at the beginning of the website URL along with a little padlock symbol that is usually found on the lower right-hand side of your web browser. If you click on the padlock icon, it will open up and give you information regarding the encryption method and the encryption certificate. The purpose of SSL is to keep your information confidential while it is being transmitted over the internet from your browser to the website.

This was posted under category: Computer Security

Understanding Web Application Firewalls – Part Two!

Friday, June 26, 2009 0:37

Web Application Firewalls

Web application firewalls are a market that is still hard to define, meaning that what one vendor calls a web application firewall may not be what another defines as such. For right now, many products fall under the web application firewall term. For a business such as yours, this makes it hard to evaluate and compare products. To overcome this confusion, first look at what your security needs are, the structure of your network, and the applications that you are using. Then, look at what is available that fits your criteria. Just by doing this first, you will narrow your search down from many to probably a few products that you are interested in researching and maybe testing further. A few requirements for a web application firewall include:

This was posted under category: Computer Security

Understanding Web Application Firewalls – Part One!

Thursday, June 25, 2009 0:20

This article covers a somewhat complex and lengthy security topic so I am breaking it into two parts.  The first part will discuss web applications, what they are, and the basics of website security including web application firewalls.  The second part of the article will go into more detail regarding web application firewalls, the PCI standard pertaining to web application firewalls, and, lastly, UTM and web application firewall capabilities.

Web Applications

This was posted under category: Computer Security

A CyberCrime Resource Guide

Saturday, June 20, 2009 0:51

Kaspersky Lab, an anti-virus/malware company, recently published a “Stop Cybercrime Guide” which I have read and which I think is an excellent overview of many of the computer security threats a business, home office or individual user may face. Information covered in this short, 10-page document includes:

  • Types of malicious programs and how to protect yourself against them.  Some of these protections you may have heard of before, such as installing security software, updating your software, backing up your data, and not using the administrator account except when needed, which I discussed in a previous article.
This was posted under category: Computer Security, Fraud

Phishing Update

Wednesday, June 10, 2009 13:27

Websites and Phishers

I had just got done writing about recent website attacks on a variety of small business websites when I came across updated statistics from the Anti-Phishing Working Group that show even more of a need to protect your website.  The statistics indicate that the majority of criminals are actually using legitimate business websites when carrying out phishing scams.  The information shows that the fake or forged websites are only used by these con artists in 13 percent of the phishing attacks.  With a total of 30,454 domain names used by phishers in the last half of 2008, only 5591 of these domains were ones the phisher had set up themselves.  The remaining phishing attacks were using legitimate business domains.  This contradicts some of the information in my phishing article and is all the more reason to protect your business website and brand.

This was posted under category: Computer Security, Fraud

Small Business Website Attacks

Monday, June 8, 2009 7:01

This week, news has come out regarding another wave of attacks against websites. As of the last report from Websense, over 40,000 websites have been compromised. The attacks have mainly targeted websites of small businesses. When people try to visit the small business websites, they are directed to a site that appears to be Google Analytics but is actually a misspelled web address such as googleanalytlcs.net, where an “l”, not an “i”, is used. The person visiting the website is then redirected to a beladen.net domain where a variety of attacks are tried, and, if successful, a variety of malware is loaded onto the person’s computer. As noted in previous articles, once the malware is installed on the computer, it can be remotely controlled by the attacker. As a small business owner of a website, you really don’t want your website redirecting your customers or potential customers to a site where their computer(s) will become infected with a variety of malware (bad software). This is never good for business.

This was posted under category: Computer Security