For all the benefits of doing business online across the borders of the world without too many restrictions, there are as many disadvantages, particularly where security is concerned. Below is an overview of the kinds of website security problems companies face when conducting business online.
The internet has revolutionised how many industries operate and generate revenue. The concept of online business has opened many doors and broken many barriers. Anyone, anywhere, is able to gain access at any time. This is one factor that makes the internet so incredibly appealing to many businesses the world over. Fewer restrictions can often mean the generation of more profit.
Since the internet operates over structured networks which are programmed, security problems are unavoidable. Loopholes, hacking and viruses are common areas where vulnerabilities will be taken advantage of, with disruptive and disastrous results. Website security, otherwise referred to as web application security or webappsec, is imperative for all online business or website owners and requires constant attention and updates. There are always new ways for “internet criminals” or hackers to “beat the system” and cause disruptions, especially where a website offers its users interactive convenience facilities.
Website Security Risks
A webmaster is mostly affected by the common issues and problems that internet criminals target. From the very minute that a web server is installed, a “window” (of opportunity) into a local network is opened. Anyone, anywhere, with online access has the ability to “peer through” this window. Whilst most internet users are content with what they’re presented with and aren’t likely to “nose around” and peek at things that were never really intended for public consumption, many other individuals are “free” to figure out ways to snoop. This sort of behaviour can be likened to not being able to “look without touching”. These individuals will attempt to force their way inside this opened window and cause programming or structural damage by, for instance, inserting a “bug”.
To the general, innocent internet user, surfing the web may seem a safe and anonymous activity. The simple truth is that the internet isn’t all that safe or anonymous at all. In a sense the internet “has eyes” everywhere. Web browsers can easily be exposed to viruses and malicious software, causing a user’s personal system to experience malfunctions and problems. Web browsers also leave an electronic “footprint” whenever websites are visited. This footprint leaves a record of the user’s web surfing history, which creates an opportunity for internet criminals to build a profile of individuals’ tastes and habits, and potentially cause disruptions and problems. The confidentiality of personal details is one area where hackers can exploit security vulnerabilities and allow data to be transmitted across the World Wide Web.
Types of security risks whereby network eavesdropping can occur include:
- Bugs or misconfiguration problems in a web server – this allows confidential documents to be “stolen”, commands on the server host machine to be modified and the web server host machine to be “broken into” through its vulnerabilities, etc.
- Browser-side risks – this allows active content to crash the browser, damage an internet user’s system and breach a user’s privacy.
- Interception of network data (sent and received) – this gives hackers the ability to operate from any point on the pathway between a web browser and server, causing disruptions.
Common Website Security Problems
Website security problems can be divided into two categories:
- System Security – this ensures that a general internet user cannot change a website, altering content on web pages.
- Information Security – this ensures that the personal or private details of an internet user are secure and safe from prying eyes.
Human beings are not, by nature, perfect. Mistakes are, one could say, inherently a part of our “general make up”. Consequently, most security problems on the internet come down to human error. Human beings programme and run websites. Where mistakes are made, vulnerabilities are created. Website developers need to properly plan and frequently test the scripts that are coded into website programmes and applications, as hackers and other internet criminals will find ways to extract confidential information and do with it as they please. Particular errors will be exploited where the opportunity presents itself.
More often than not, the general internet user will become too comfortable with the notion that internet surfing is “safe” and “anonymous” and part with personal details all too easily. Parting with this type of information could be as seemingly innocent as giving away a personal email address on a public forum, or could involve details of a more confidential nature, such as credit card details. Hackers and internet criminals make use of “crawler bots” (small programmes coded to collect email addresses) whose function is to locate addresses and add them to mass emailing lists, for the sole purpose of distributing SPAM to internet users. This isn’t necessarily a serious security breach for websites, but when the same approach is used to accumulate user names and passwords on sites, damage can be done.
Hackers generally have little or no information at their disposal about their specific targets and establish a breakthrough almost entirely based on their own knowledge. The general internet user is usually not the main target. Internet or website servers of large corporations and organisations generally suffer from regular security breaches and should constantly be updated with newer security software versions.
Passwords can be intercepted in the following ways by internet criminals and hackers:
- Guessing – simple passwords, such as a mother’s maiden name or a pet’s name, can be easily guessed.
- Brute force search – this allows as many guesses as desired to be entered.
- Social engineering – tricking people into revealing password information.
- Obtaining stored passwords – passwords can be retrieved where people have stored them on computer systems etc.
- Obtaining shared passwords – the same passwords may be used for more than one system.
- Installing Trojans – “Trojan horse” software programmes may install invisibly on a computer and monitor key strokes made by a user.
- Interception – passwords sent across an unencrypted connection can be intercepted and transmitted.
The software that makes up a system can also cause problems where a flaw or loophole becomes apparent. Bugs and security holes allow access even without a password. Flaws provide an opportunity for hackers to access a system and its files even if a password isn’t requested. Firewalls can be used to prevent server access and help to reduce security breaches. If breaches occur, web pages can be modified or information wiped out completely. Software that is used must always be kept current.
Website developers make use of encryption to help keep information secure in transit. A “public key” scheme is the usual method by which this is done, and it allows a message to be transferred securely between parties who are unknown to one another. This message, even if intercepted by an internet criminal, cannot be easily decrypted. Problems occur where this system isn’t secure enough and messages can be decrypted (messages may be secure in transit, but not if the web server is hacked).
Where data exists, there will always be potential for it to be viewed and extracted. Website safety and security, especially where sensitive and personal information is concerned, must be implemented properly and updated or checked on a regular and consistent basis. It is a good idea to avoid storing data that is not needed on a website or its database. In a sense, storing such data is inviting criminal activity in the form of theft, data poisoning, malicious file execution and disruption.