Getting started with web security for your business
By: Billy McCaw Jun 29, 2021 9:50:38 AM

If it's true that you don't get a second chance to make a first impression, many companies are squandering untold numbers of opportunities on account of their websites. Poor design, sluggish performance and – most of all – weak security can transform what should be a routine visit into a high-risk ordeal.
Ensuring proper web security is not a simple task, since it requires mitigating risks in user-facing web apps as well as in the web servers and services that support them behind the scenes. Complex attack vectors such as cross-site scripting have fueled widespread exposure to cyberattacks, especially among SMBs.
In 2018, only 28 percent of SMBs gave high marks to their capabilities for risk and vulnerability mitigation, while 67 percent reported having been attacked within the previous 12 months. The average SMB site is visited by millions of bots per week, some of which can initiate attacks. Let's examine these common security risks and others in more depth to understand the stakes for implementing reliable protection.
Web security issues at a glance
Let's start with the most commonly observed vulnerability in web apps, one that was identified in 82 percent of such applications in a 2018 survey:
CROSS-SITE SCRIPTING
Cross-site scripting (XSS) involves the injection of malicious scripts into the otherwise trusted content of a website. XSS may exploit legacy plugins such as Adobe Flash Player or ActiveX, but it most commonly takes advantage of JavaScript, the ubiquitous scripting language that is integral to modern web experiences. An XSS attack might phish for credentials, impersonate a user by stealing their session cookies, or deliver malware. The most common prevention techniques involve validating and sanitizing any user input the site accepts – from form fields, button clicks and similar interactions – and encoding it before rendering the corresponding output.
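To make the "encode before rendering" point concrete, here is an added example (not code from the original post) that renders the same constructed page fragment two ways: once by splicing user input straight into the markup, and once after HTML-escaping it. The template, field names and test inputs are all constructed for this illustration.

```python
import html

# Constructed page fragment for this example (not from the original post):
# {name} sits in HTML text context, {color} inside a quoted attribute value.
TEMPLATE = '<p class="{color}">Welcome back, {name}!</p>'


def render_unsafe(name: str, color: str) -> str:
    """Vulnerable rendering: user input is dropped straight into the markup,
    so any tags or quotes it contains become part of the page."""
    return TEMPLATE.format(name=name, color=color)


def render_safe(name: str, color: str) -> str:
    """Hardened rendering: every user-supplied value is HTML-escaped first.
    quote=True also converts quotes, so input cannot close an attribute."""
    return TEMPLATE.format(
        name=html.escape(name, quote=True),
        color=html.escape(color, quote=True),
    )


def injects_markup(page: str) -> bool:
    """Check used by the tests: does the rendered page contain a script tag
    or an event-handler attribute that the template never defined?"""
    lowered = page.lower()
    return "<script" in lowered or 'onmouseover="' in lowered


# Constructed test inputs: markup in the text field, and a quote that would
# terminate the class attribute early in the attribute field.
TAG_INPUT = "<script>/* injected */</script>"
ATTR_INPUT = 'x" onmouseover="/* injected */'

if __name__ == "__main__":
    print(render_unsafe(TAG_INPUT, "blue"))   # script tag reaches the page
    print(render_safe(TAG_INPUT, "blue"))     # shown as literal text instead
    print(render_unsafe("Ann", ATTR_INPUT))   # a new attribute appears
    print(render_safe("Ann", ATTR_INPUT))     # quotes are neutralised
```

Escaping must match the context the value lands in; this example covers text and quoted-attribute contexts, which is why quote=True matters for the second field.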
In addition to XSS, many other threats affect web applications and services, including:
ZERO-DAY THREATS
A zero-day exploit is one that has not previously been identified by either the affected software's vendor or antivirus companies (i.e., they've known about it for zero days). It's easy to see why zero-days are major issues – in the interim between their discovery and the release of a patch, affected applications and services are highly vulnerable to exploitation, as there's no recourse other than possibly not using them at all. Zero-day examples include everything from the Stuxnet worm, which targeted facilities in Iran using multiple exploits to gain access to their IT systems, to smaller flaws in operating systems, plugins and applications. Browsers in particular are common zero-day targets because of their ubiquity. Web application firewalls are one of many solutions that can stem the damage from a zero-day, for instance by blocking HTTP traffic to specific affected apps.
SQL INJECTION
Structured Query Language (SQL) is the common means of accessing items in databases. For example, when someone visits a website and enters a username and password combination, a SQL query might search a database to see if that combination exists and is valid. SQL injection exploits weaknesses in such workflows by submitting input that alters the query, potentially revealing additional (or all) contents of a database and/or damaging its information. The use of parameterized queries, which pass user input to the database as data rather than as part of the SQL statement itself, is a common defense against SQL injection.
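The login lookup described above, as an added example that is not part of the original post: a vulnerable version that splices the submitted values into the SQL text, beside the parameterized version. The in-memory SQLite table, the user record and the stored "hash" value are all constructed placeholders for this illustration.

```python
import sqlite3

# Constructed in-memory database for this example (not from the original post).
# The stored value stands in for a real password hash; it is a placeholder.
STORED_HASH = "placeholder-hash-for-alice"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", STORED_HASH))
    conn.commit()
    return conn


def login_unsafe(conn, username: str, password_hash: str) -> list:
    """Vulnerable lookup: the values are spliced into the SQL text, so a quote
    in either field changes the structure of the WHERE clause."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username: str, password_hash: str) -> list:
    """Parameterized lookup: the SQL text is fixed and the values travel as
    bound parameters, so they are compared as data, never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (username, password_hash))]


# Constructed test input: a tautology that turns the unsafe query's tail into
# "... AND password_hash = '' OR '1'='1'", which matches every row.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(login_unsafe(db, "alice", TAUTOLOGY))  # ['alice'] without the hash
    print(login_safe(db, "alice", TAUTOLOGY))    # []  no row holds that text
```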
BROKEN AUTHENTICATION SYSTEMS
SMBs pay a high price for inadequate password management and access controls, with one vendor estimating that more than 80 percent of all data breaches are the result of stolen or weak passwords. The security issues above can all result in password harvesting, but in many cases the problem is more mundane, like someone using the same password for multiple apps or not enabling two-factor authentication (2FA) for added protection.
What are your options for web security?
Effective web security requires multi-layered defense, ideally with help from a managed security service provider (MSSP) who brings the latest technology and expertise to the table. Telesystem offers a comprehensive portfolio of managed security services, backed by the protection of a DDoS-protected network core. Customers gain access to:
- Web application firewalls: Through targeted traffic filtering of content such as HTTP headers, forms and cookies, a firewall can defend against a wide variety of web threats.
- Server protection: Encryption and virtual private networks (VPNs) reduce the total risk to key applications and services reliant on web servers. These measures shield sensitive data from interception and in turn protect against unauthorized access.
- Application control: If a web app poses undue risk to your business, you can restrict access to it via application control policies. This approach can help contain fallout from a zero-day flaw that hasn't been patched yet.
- Intrusion detection: Amid all of the activity that regularly occurs on a corporate network, it might seem impossible to flag every violation of a policy. Intrusion detection solutions help by "listening" for violations and relaying their findings to admins for possible further action.
- DDoS protection: Telesystem's DDoS-protected core ensures your web properties are resilient even in the face of massive DDoS attacks that flood your site with meaningless traffic meant to make it unavailable.
Learn more about our security services by viewing our managed services page, reading about our DDoS protections, or checking out our certifications. Our team is also available to answer your questions.