
Three Simple Steps to Combat Website Threats and Increase Security Now

Websites are currently a favorite target for attackers because they are easy to exploit and the stolen data is easy to monetize. Many organizations believe that network security measures will protect their Web applications, but the recent spate of attacks has shown that firewalls and network controls do nothing against an attack carried in a legitimate-looking HTTP request. Security is often an afterthought: intense time-to-market pressure puts vulnerable websites into production, where they are easily exploited. Credit unions are not immune to the rise in website breaches. With an estimated $200 billion reaped from the sale of stolen data (credit card numbers, social security numbers and the like) in 2006, it is clear that these attacks will only increase over time. Recent attacks have included a Pennsylvania credit union association and a Virginia federal credit union.

According to WhiteHat Security's Website Security Statistics Report, more than 80 percent of all websites have a critical vulnerability (meaning it should be fixed the same day) and more specifically, 67 percent of all financial websites have a critical vulnerability. Credit unions must act now to increase their website security and avoid costly breaches, meet compliance goals and take the offensive against new threats.

The cost of a breach can run well into the millions depending on its scope. Additionally, there are expensive notification and forensics procedures, as well as fines, both state and federal.

The payment card industry (PCI) ramped up its requirements for Web application security compliance last year. For many, PCI Data Security Standard Requirement 6.6 was confusing and left them wondering where to begin. In short, it requires that public-facing Web applications be protected against known attacks either by reviewing them for vulnerabilities (manually or with automated assessment tools) at least annually and after any change, or by putting a Web application firewall in front of them. With the stakes high (imagine your credit union losing the ability to process credit card transactions), every organization needs a plan that provides both compliance and security. In the current economic climate, it may seem like an insurmountable task, but with your organization's livelihood and brand at stake, it is necessary, and surprisingly straightforward, to take control of website security. Follow these three steps and you'll be on your way.

Step One: Asset Tracking—Know What You Have

Attackers often strike paydirt at sites that the company is unaware even exist. Typically, these are websites created independently by business units or departments, or by employees who have since left the company; nobody patches them, nobody monitors them, and they frequently share credentials or back-end systems with sites that do matter. These websites are fertile ground for a persistent attacker. The way to avoid these opportunistic attacks is to maintain a complete inventory of your websites and a clear idea of their value to the business.

Prepare a list of all your websites, including their hostnames and the business owner and IT owner(s) of each. Then identify the data each one touches and which compliance regulations it falls under (PCI DSS, HIPAA, GLBA, etc.).

Once you have identified all the websites, the next step is to assign a dollar value to each. This can be done by estimating the cost of losing the information the site handles: credit card numbers, bank account information, medical records and so on. For example, the loss of one credit card number typically costs a company $50 to $100 in fines alone. Then there is the potential cost of forensics and mandated increased audits, which can run into the millions. Finally, there are intangible costs such as brand damage and loss of customer confidence.

Next, prioritize each site according to its business impact and value, and secure the most critical applications first. The valuation also tells you how much it is reasonable to spend on each one: you don't want to invest $100,000 to secure an application that is worth $50,000.

Step Two: Vulnerability Assessment—Know Where You Stand

Once you have inventoried and valued your assets, it is important to determine the security posture of those websites. The best way to measure this is to conduct vulnerability assessments against them, starting with the highest-value sites from Step One. This gives you an initial snapshot of how vulnerable you are and where to focus financial and professional resources. Remember, the bad guys need just one vulnerability to get in.

As we know, the threat landscape can change rapidly, even if your application does not. So, here are a few things to keep in mind as you implement a website vulnerability assessment solution:

  • Frequency of assessment is critical to keep up with the latest attack trends. Attackers are continually discovering new methods to gain access to your data, so a site that passed an assessment six months ago may well be exploitable today. Conduct regularly scheduled assessments of your websites, particularly the most critical ones, and re-assess after every significant code or configuration change.
  • Cover the full scope of threat types for greatest security. Website vulnerabilities differ from those on the network side of the house: custom applications beget custom vulnerabilities for which no vendor patch will ever exist, so they cannot be found with a network scanner and a patch list. Familiarize your security team with the Web Application Security Consortium's Threat Classification (http://webappsec.org/projects/threat/) and make sure your assessments check for every class on it.
  • Compliance does not equal security. Meeting the various compliance standards will satisfy your auditors, but real security is about identifying and mitigating issues before they become a problem, whether or not a standard happens to require it.

Step Three: Establish an Ongoing Protection and Prevention Plan

Now that you know where you stand, how can you mitigate critical issues and prevent future vulnerabilities? Credit unions, like all financial institutions, are operating with limited resources and a limited pool of qualified website security professionals. It is therefore even more important now to make a plan for success.

Every security professional wants to fix vulnerabilities as quickly as possible. However, security teams rarely control the development process, and most companies have a production deployment process (change windows, regression testing, sign-off) that makes fixing a vulnerability on short notice difficult. Security therefore needs an effective means to protect websites until code fixes can be implemented. Web Application Firewalls (WAFs) are a good mitigation strategy for open vulnerabilities. A WAF does not remove the vulnerability; it blocks the requests that would exploit it, in real time, in front of the production website. Written as a narrow rule for a specific vulnerability (often called a virtual patch), this gives the team the luxury of time to fix and test the underlying code in development before pushing the fix to production. Two caveats apply: the rule must be tested against legitimate traffic so it does not block real members, and the WAF rule is a stopgap, not a substitute for the code fix.
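The following is an added example of the lifecycle just described, not code from the article or from WhiteHat Security. It assumes a hypothetical member-lookup page whose `id` parameter is concatenated into a SQL query (a constructed SQL injection, chosen because it is a common class in the WASC Threat Classification). The `virtual_patch` function plays the role of a narrow WAF rule that keeps the exploit from reaching the vulnerable handler in production, and `fixed_lookup` is the permanent code fix that eventually replaces the handler. Everything here (the table, the route, the rule) is constructed for illustration and runs offline against an in-memory SQLite database.

```python
"""Virtual patch in front of a vulnerable handler, beside the permanent fix.

Added example for illustration only; the application, the ``id``
parameter, the ``/member`` route and the injection in it are constructed.
"""
import re
import sqlite3
from urllib.parse import parse_qs


# --- constructed sample application ---------------------------------------

def build_db():
    """Constructed sample data: an in-memory members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [(1, "alice", "111-22-3333"), (2, "bob", "444-55-6666")],
    )
    return conn


def vulnerable_lookup(conn, member_id):
    """The 'before' code: SQL built by string concatenation.

    An id of "1 OR 1=1" returns every member instead of one.
    """
    rows = conn.execute(
        "SELECT name FROM members WHERE id = " + member_id
    ).fetchall()
    return [r[0] for r in rows]


def fixed_lookup(conn, member_id):
    """The permanent fix: validate the input, then bind it as a parameter."""
    if not member_id.isdigit():
        raise ValueError("id must be a positive integer")
    rows = conn.execute(
        "SELECT name FROM members WHERE id = ?", (int(member_id),)
    ).fetchall()
    return [r[0] for r in rows]


# --- virtual patch: a WAF-style allow-list rule for the affected parameter --

VIRTUAL_PATCHES = {
    # route -> {parameter name: pattern the whole value must match}
    "/member": {"id": re.compile(r"[0-9]{1,9}")},
}


def virtual_patch(path, query_string):
    """Return (allowed, reason) for a request.

    The rule is a positive allow-list (what the parameter is supposed to
    look like) rather than a list of attack signatures, so encoding tricks
    and alternative SQL syntax do not get around it. It is deliberately
    scoped to one route and one parameter so it cannot break other pages.
    """
    rules = VIRTUAL_PATCHES.get(path)
    if not rules:
        return True, "no rule for path"
    params = parse_qs(query_string, keep_blank_values=True)
    for name, pattern in rules.items():
        for value in params.get(name, []):
            if not pattern.fullmatch(value):
                return False, f"parameter {name!r} violates allow-list"
    return True, "ok"


def handle(conn, path, query_string, lookup=vulnerable_lookup):
    """Simulated production request path: the WAF rule runs first.

    Returns an HTTP-style (status, body) tuple. Swap ``lookup`` for
    ``fixed_lookup`` once the code fix has been tested and deployed.
    """
    allowed, reason = virtual_patch(path, query_string)
    if not allowed:
        return 403, reason
    params = parse_qs(query_string, keep_blank_values=True)
    member_id = params.get("id", [""])[0]
    try:
        return 200, lookup(conn, member_id)
    except ValueError as exc:
        return 400, str(exc)


if __name__ == "__main__":
    db = build_db()
    attack = "id=1%20OR%201%3D1"          # decodes to: id=1 OR 1=1
    print("unprotected:", vulnerable_lookup(db, "1 OR 1=1"))
    print("with virtual patch:", handle(db, "/member", attack))
    print("legitimate request:", handle(db, "/member", "id=2"))
    print("after code fix:", handle(db, "/member", attack, lookup=fixed_lookup))
```

Note the order of the three results: the unprotected handler leaks every row, the virtual patch turns the same request into a 403 without touching application code, and once `fixed_lookup` is deployed the rule is redundant but harmless. That last point is why the WAF rule should be retired only after the code fix has been verified in production, not before.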

In addition, it is important to train your development and QA staff on the latest Web application threats and vulnerabilities. In a perfect world, developers would write completely secure code and testers would ensure that websites reach production vulnerability-free. In the real world, we know this is nearly impossible. In our work, we routinely find vulnerabilities on production sites that did not appear on the corresponding QA sites, which is why production must be assessed too and not just the test environment.

Ultimately, training shortens the time to fix and reduces costs, which makes it a valuable investment even in difficult times, and it can sometimes be obtained at no cost. Many companies don't realize that 47 out of 50 states provide funding to companies to train their employees. Credit unions can take advantage of these funds to keep their developers and QA teams up-to-date on the latest website attack tactics.

By following these steps, credit unions can immediately increase their website security while maintaining their brand integrity, meeting compliance regulations and safeguarding their data from attack. The most important step is to get started now.

Anurag Agarwal is director of education services and Trey Ford is director of solutions architecture for WhiteHat Security, a security and audit provider for enterprise commerce and communications.


