Hi All,
I own a Cyber Security Firm “Security Thinkerz“. Its in my habit that when ever I visit a website or a portal, I run few manual test to check that, that particular website or portal is vulnerable or not and Its is very surprising that 75-80% websites are vulnerable and can be hacked just in few minutes. But owner of these websites or portals don’t do any thing to rectify this. They take security as the least priority. Most of these websites are developed by some third party, so developers take very casual approach to develop the codes and even they never pay attention to even the smallest security issues in their code that can be exploited.
Now next question is Can these security issues affect my business? If yes, How? ( Good Question ;))
Lets take an example: suppose you run a ecommerce website (zzzz.com) and you are doing really good. Now lets see what all data you use or store in your database:
1. User details (Name, address, Phone number etc.)
2. Login credentials (username, Password, email ids etc.)
3. User Payment Details (Credit/Debit Card Numbers, Account numbers, CVV, etc.)
4. Your daily selling details and other financial details.
5. You (zzzz.com) website admin credentials.
I hope, I have covered all the imp data type here (If I missed some thing, please add it).
So, Imagine if some one uses the smallest vulnerability of your website and exploit it and gain access to your database and take a copy of full database, sell it to your rival or to any underground website (what all hacker call them, here you can sell and buy user details like name, username, password, email, your payment details etc.), Now when all your important and confidential details are leaked, you can not do business for a long time because now they can not trust with you with their confidential data.
One small mistake and every thing is lost.
PS. Its not applied only to eCommerce, any website which requires user data can be a victim of this thing.
So, what one should do to avoid these kinds of security issues and prevent themselves? ( Wow..!!! Again Great Question :D)
To avoid or safe guard your websites from these attacks, get a “Vulnerability Assessment and Penetration Testing (VAPT)” done.
What is Vulnerability Assessment and Penetration Testing (VAPT)? (You are super intelligent, you asked a good question again :))
VAPT is a complete sets of methods and practices that cyber security experts use to know the status of a website or portal or network, here status means how vulnerable that website is? you can say cyber security experts are those hackers who hack to your website and portals with your permission only to tell you how it can be exploited and how to patch it so, that no user can do any malicious activity.
These procedures can be divided into 2 part, Vulnerability Assessment and Penetration Testing
Vulnerability Assessment:
Vulnerability assessment, is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure. In addition, vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.
Vulnerability analysis consists of several steps:
1.Defining and classifying network or system resources
2. Assigning relative levels of importance to the resources
3. Identifying potential threats to each resource
4. Developing a strategy to deal with the most serious potential problems first
5. Defining and implementing ways to minimize the consequences if an attack occurs.
If security holes are found as a result of vulnerability analysis, a vulnerability disclosure may be required. The person or organization that discovers the vulnerability, or a responsible industry body such as the Computer Emergency Readiness Team (CERT), may make the disclosure. If the vulnerability is not classified as a high level threat, the vendor may be given a certain amount of time to fix the problem before the vulnerability is disclosed publicly.
The third stage of vulnerability analysis (identifying potential threats) is sometimes performed by a white hat using ethical hacking techniques. Using this method to assess vulnerabilities, security experts deliberately probe a network or system to discover its weaknesses. This process provides guidelines for the development of countermeasures to prevent a genuine attack.
Penetration Testing:
Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.
Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.
The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization’s security policy compliance, its employees’ security awareness and the organization’s ability to identify and respond to security incidents.
Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.
One last question Who will help me in finding Vulnerabilities in my website or portal?
Any organization with good knowledge and experience in this field can provide you these services. But I insist on prevention is better then cure, a good coding practice, analysis of codes on regular interval, making good IT Security Policy are the basic rule, using these rules you can prevent it on ground level itself. (You only can prevent it because no system is foolproof).
Let me know what you think about the security issues.
PS: If you want a “Vulnerability Assessment and Penetration Testing (VAPT)” For your website/Portal.
Please get in touch with me on peeyoosh.kumar@securitythinkerz.com or visit Security Thinkerz.
For Rodinhood Members 10% Extra Discount. (Limited Time offer :))
asha chaudhry
peeyoosh,
can you pls respond to this fb comment –
Krishna Chandran
Hi Peeyoosh,
Nice Article. Thanks for sharing this. This is a new information for many of us.
As Vikram posted, security is often considered as web hosting providers concern. Please correct me if I am wrong.
We do build websites, but we host it on a third party provider. Most of our companies doesn’t have the financial capability/need to buy a server rather we go for third party hosting providers. I understand that we will have service level agreements for a breach as well as downtime with these hosting providers. So how can we take remedial measures other than the codes? Would be grateful if you can throw some more light on this. Thank you.
Peeyoosh Kumar
Hi Krishna,
happy to know that you liked the article.
as Vikram said security is considered to be web hosting providers concern, here I am not completely agree what Vikram said, since if your website is hosted on a vulnerable server all the website hosted there are at risk and might get hacked, also you’ll surprised to know that if only your website is vulnerable even then the server on which your website is hosted and all the website hosted on that server are at risk.
also, Coding errors plays a critical role in these security issues, 90-96% of security risks arises due to coding error or not using best practices in coding. Let me give you an example:
Say you have a website called idhar-udhar.com, here you ask users to give their feed back about their locality, while designing and developing this your coder and designers outdid themselves and created the most awesome feedback page. here in this feedback form you asking users to fill their small details and their feedback with their pictures. now here your developer made a small mistake, he forgot to check that the image that is being uploaded to the server with feedback is valid image type or not. Now if you check, this mistake is not very big for you but it makes your website completely vulnerable, you’ll ask me how, so let me tell you, when you are not checking the valid image format any user can upload any files, so a malicious user will upload any script (php, asp,aspx etc. which hackers call “BACKDOOR”), basically backdoors provides in gaining access to the hacker, na he can login to your server without using any login credentials. So a small error in coding made you complete vulnerable here.
Remedial measures one can take are:
If you’ll follow the steps, definitely you’ll protect yourself. If you need more detail on any of this, Please let me know.
#StaySecure
Thanks
Peeyoosh Kumar
Peeyoosh Kumar
Yes, Asha replied to the post. 🙂