In a report published at the end of 2012 on the growing hacking threat to websites, research firm Frost and Sullivan found that of all cyber security vulnerabilities, more than 98% were discovered by third-party researchers, while less than 2% were discovered by the people who made the applications that contained the vulnerabilities.
According to Frost and Sullivan, more than 80% of websites have at least one known vulnerability. If that vulnerability is known to security researchers, you can bet it’s also known to hackers, who use automated tools to sniff out unpatched vulnerabilities across millions of websites at a time.
And as it turns out, four of the top five known vulnerabilities have something to do with websites – Adobe Shockwave Player, Adobe Acrobat, Apple QuickTime, and Microsoft Internet Explorer.
The report also found that the most common attacks on websites include:
- Password exploits – a hacker uses brute force to crack a password, or steals it, or simply tricks an employee into revealing it. Once the hacker has the password, he or she can then pose as that employee, contact tech support, and ask for access to certain applications or an escalation of their access privileges.
- Social engineering – posing as an unhappy customer, the hacker can send an email to the website’s help desk with an attachment that the hacker claims is a copy of an unauthorized charge. But the attachment contains a piece of malware that, when opened, activates and begins exploiting whatever applications it can find.
- SQL exploitation – using readily available hacking tools, the hacker can search for common SQL vulnerabilities to access the admin panel for the website, begin running scripts, and even take control of the entire website and everything on it.
So what advice does Frost and Sullivan offer?
- Better testing of web applications by the people who develop them.
- Constant updating not only of web applications but also of the servers they run on.
- Regular security testing conducted by an independent third-party company, with experience and detailed knowledge of web security.
“This threat is just as real to small companies as it is to large organizations. SMEs are much less prepared, which leaves them in a tight spot. With hacking on the rise, from organized criminal groups, amateurs and political activists, the threat is not going away.”
Of course, the easiest way to secure your website is to use SiteLock. We look for all the same vulnerabilities as hackers. And when we find them we fix them, before a hacker finds and exploits them. To learn more give us a call at 855.378.6200,