
5 Reasons Why Web Security Is as Important as Endpoint Security

Would you say that your company is secure if your employees are using laptops with no anti-malware installed at all? Most businesses would say that is an irresponsible approach. Then why would many businesses have websites and web applications with no protection at all?

An “antivirus” (an anti-malware solution) is perceived as a standard element of a Windows installation – it’s rare to see a computer without one. However, strangely enough, many businesses feel completely secure just setting up a website or web application without paying any attention to whether it is secure or not. This is even more surprising because web-accessible databases usually contain more sensitive data than an average office machine, for example, customer personal information.

Here are five reasons why you should treat your web security with as much attention as personal computer security and endpoint security in general.

Reason 1. The Move to the Cloud

Twenty years ago, websites were just simple, mostly static presentations – digital billboards in a way. Today, many of us are, for example, creating our documents online instead of using a desktop word processor – quite often the only software installed on our Windows machine is the browser. And even if there is some other software like Slack, it uses web interfaces to communicate with the servers. Companies are using their own servers less often. For many employees, desktop computers and laptops are basically thin clients that are there only to make it possible to access the web.

This means that your anti-malware software basically protects an empty computer that has no special software on it, just a browser. The only major risk of such a computer being attacked is if the attack makes it possible to steal login credentials to web applications.

On the other hand, all your data, all your business support software, everything else is on the web or will soon be there. And, unfortunately, quite often it is left completely unprotected. Therefore, while 20 years ago personal computer security was much more important than web security (because the web was barely used), nowadays we would even say that web security is becoming more important than personal computer security.

Reason 2. The Ease of Attacking

Making a successful attack using malware takes a lot of work. Even if the attacker uses readily available malware, like well-known trojans, they still have to deliver that malware to the victim. This means that they have to, for example, create a convincing phishing site, a convincing phishing email, and get people to install the trojan. And even after the victim installs malware, the attacker may find out that the victim’s computer has absolutely no value whatsoever because the victim is usually random.

On the other hand, making a successful web attack is much easier and there are also free and easily available tools that make it even simpler for the attacker. All they have to do is point the tool at your website and the tool, which acts just like a vulnerability scanner, finds the weaknesses and allows the attacker to exploit them immediately. Such an attack has a great probability of success because the attacker aims at a particular victim and knows that the victim has valuable information.

Digital criminals like to make their lives easy. Why create blind, complex phishing campaigns hoping that maybe they’ll end up having some valuable data when they can perform an easy, automated, targeted attack and get results immediately?

Reason 3. No Help from the Outside

If your organization is using a renowned cloud service provider to host your email accounts, you can feel reasonably safe that they have an anti-malware solution on the server to eliminate potential threats before they reach the computers used by your employees. This means that your local anti-malware solution is not needed at all for email.

Strangely enough, we do not know of any web hosting providers that perform regular vulnerability scanning on the content that they host. Unlike cloud email providers, web hosting providers usually don’t provide any kind of protection except generic web application firewalls, which do not eliminate vulnerabilities.

Therefore, until web vulnerability scanning becomes part of cloud provider offerings (if ever), you are on your own. The only one who can find and eliminate serious vulnerabilities in your websites or web applications is you. This is even more of a reason why you should be regularly using a web vulnerability scanner.

Reason 4. The Probability of an Attack

As mentioned above, your organization most certainly has anti-malware solutions server-side for all your email needs. This could either be a renowned cloud provider offering server-side anti-malware or your own server, which you would not leave without anti-malware. Therefore, the probability of generic malware making it through email is next to none.

The probability of getting a virus from a website that you visit is just as low. This is because browsers won’t install anything on your computer unless you give explicit permission. Also, your employees usually don’t visit risky websites that may be spreading malware. Therefore, even if you had no anti-malware installed at all, the probability of getting malware on an office machine is very low.

On the other hand, the probability that your website or web application will be the target of a generic attack is much higher. This is because black-hat hackers simply use automated software to scan for available websites and then scan them for vulnerabilities. If you use any kind of open-source web software with plugins, such as WordPress, Joomla, Drupal, Magento, etc., you’re risking the most. Remember: unlike your office laptops, your website or web application is exposed to the public and anybody can access it and try to hack it.

Reason 5. Becoming an Accessory to Crime

If, as a result of a malicious attack, your business becomes an accessory to a crime, it may have even worse consequences than a direct attack against your business. It may cost you a lot of reputation and may put your entire business at major risk. Therefore, any form of protection against attacks must also take into account the possibility of someone using your resources to attack someone else.

The goal of malware-based attacks is often to install botnet software. Such software is then used for massive DDoS attacks against other entities. Attackers may also install rogue VPN solutions, which are then used to hide the original IP address of the attacker.

However, your web applications may become accessories as well. For example, if your web application has a cross-site scripting (XSS) vulnerability, this vulnerability may be used to create phishing attacks that will look like they’re coming from your domain. And the scope of such attacks is much greater than for botnets – a botnet is used to attack a single target at once. A phishing campaign can be sent out to millions of targets who would all then see your trustworthy domain and, possibly, fall victim to the scam.

So if you don’t want to risk your reputation, you should make sure that your websites and web applications don’t have any vulnerabilities that could be used to attack someone else. And the only way to effectively do this is by using a web vulnerability scanner like Acunetix.
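The XSS case described above (user-supplied input rendered under your own domain) can be made concrete with a small added example. This is illustration code written for this page, not code from the original post or from Acunetix: it renders a search-results page twice, once with the vulnerable pattern (raw interpolation of the query) and once with output encoding, and adds a Content-Security-Policy header as a second layer of defence. The function names, the `/search` route, the `q` parameter and the sample query are all constructed for the example.

```javascript
// Added example (not from the original post or from Acunetix): a minimal
// reflected cross-site scripting (XSS) illustration. Without encoding, any
// markup in the user's query is rendered under the site's own origin, which
// is what lets a fake login form or phishing text appear to come from a
// trusted domain. With encoding, the same input is shown as literal text.
// The /search route, the `q` parameter and the sample query are constructed.

// HTML-encode a value for insertion into an HTML text node or a quoted
// attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Build the results page. `encode: false` reproduces the vulnerable pattern
// (raw interpolation); `encode: true` is the fix.
function renderSearchPage(query, { encode }) {
  const shown = encode ? escapeHtml(query) : query;
  return `<!doctype html><html><body><h1>Results for: ${shown}</h1></body></html>`;
}

// Minimal request handler over a URL string (stands in for a web framework
// handler). Parses the `q` parameter, renders the page with encoding, and
// attaches a Content-Security-Policy that blocks inline script even if an
// encoding bug slips through elsewhere in the application.
function handleSearchRequest(urlString, { encode = true } = {}) {
  const url = new URL(urlString);
  const query = url.searchParams.get('q') || '';
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    },
    body: renderSearchPage(query, { encode }),
  };
}

// Check used to compare the two renderings: does the response body still
// contain the user's input verbatim, including its raw '<'?
function reflectsRawMarkup(body, query) {
  return query.includes('<') && body.includes(query);
}

// Constructed sample input: a harmless script tag that only demonstrates
// whether markup survives into the page.
const SAMPLE_QUERY = '<script>alert(1)</script>';

const vulnerableBody = renderSearchPage(SAMPLE_QUERY, { encode: false });
const fixedBody = renderSearchPage(SAMPLE_QUERY, { encode: true });
console.log('vulnerable rendering reflects markup:', reflectsRawMarkup(vulnerableBody, SAMPLE_QUERY));
console.log('encoded rendering reflects markup:   ', reflectsRawMarkup(fixedBody, SAMPLE_QUERY));
```

The encoding step is the actual fix; the CSP header is defence in depth and does not replace it. A web vulnerability scanner finds the first rendering by sending a marker string and checking whether it comes back unencoded, which is essentially what `reflectsRawMarkup` does here.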

THE AUTHOR
Tomasz Andrzej Nidecki
Technical Content Writer

Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.


*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Tomasz Andrzej Nidecki. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/_ofsB_MJzvc/