Ai Editorial: Tightening website security, and dealing with it if hacked

First Published on 11th November, 2016

Ai Editorial: Be it for identifying areas of vulnerability, acting on identified risk or acting swiftly when attack happens, gearing up for website security is of paramount importance, writes Ai’s Ritesh Gupta


Why do websites get hacked and what to do when it happens?

Being ready for the same is an ongoing exercise, and it needs to be an integral part of any crisis management plan today.

Travel brands have been at the receiving end, so it’s important to keep a tab on areas of vulnerability. Specialists label forms, login pages and dynamic content are soft targets.

One needs to assess the modus operandi behind web application attacks.

They can happen over free open-source software and commercial or custom-built applications.

One can evaluate the sturdiness of web applications such as Joomla, PHPbb, and threats such as unvalidated or unencoded user input within the output generated (running a vicious JavaScript code), performing of malicious SQL statements that control a web application’s database server etc.

Areas of vulnerability

Today it’s mandatory for every organization to comprehend aspects of an application’s information security.  

Airlines need to gear up for penetration tests. This evaluates the effectiveness of information security controls implemented in the real-world. Advantage of penetration testing: Knowing a system’s vulnerability before an invader gets to know it.

Access is considered to be a critical aspect when one talks of hacking.

One needs to have a detailed look at how does one log into hosting panel, server, website, a device etc. A detailed study of how a fraudster/ attacker tends to evade a web application’s authentication and authorization process and ends up gaining access to content of an entire database is must.

Injection errors emanate from a failure to sort out untrusted input. Other than SQL injection, other common mistakes are sensitive data not being encrypted at all times and Cross-site Scripting (XSS) attack (a web application makes use of unvalidated or unencoded user input within the output it generates). An XSS vulnerability results when malicious script that one inserts eventually get parsed in the victim’s browser. Today there are automated web vulnerability scans that are available for guarding one against XSS attacks. The pace with which new code gets deployed today, it is imperative to automate security of a web application.

There is also need to guard against manipulation of software vulnerability, featuring crooked Uniform Resource Locator (URL) or POST Headers. One also can’t ignore instances where a malicious website, email etc causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

Once a vulnerability surfaces, an organization needs to tackle the risk associated.

As Acunetix, a web application security software specialist, recommends, the level of risk can be ascertained from numerous data points – “the severity of the vulnerability, the consequence should the vulnerability be abused, and threats the application faces.” So a Stored Cross-site Scripting (XSS) vulnerability in the authenticated area of a business-critical application hosting sensitive information may appear as a bigger risk than a Blind SQL Injection vulnerability in an internal application that does not pile up sensitive data.

As for new technology, ecommerce sites are relying on analytics and machine learning for real-time cognitive fraud detection. For instance, IBM has come up with new behavioral biometric capabilities that incorporate the use of machine learning to help understand how users interact with banking websites. Fraudsters have a cognitive behavior just like users and it is quite different than a real user. Suspicious behavior is being tracked in new ways to detect new account fraud for online banking and eCommerce sites and malware/ bot activity.

What if attack happens?

Travel brands have faced situations where severe attacks have happened, and it’s a dreadful situation.

Foregenix, a specialist in digital forensics and information security, recommends that organizations need to take compressed backup of the entire web root, and export any database associated with the website. So if payment card data has been stolen then this back-up will needed when there is an investigation by card brands and/or law enforcement. Again, in order to support any inspection, rather than eliminating suspect files from a website, store a copy in a secure, compressed, offline location, recommends Foregenix. Inform processor and acquiring bank. This is in turn will help in dealing with Visa, Mastercard, Amex and the other brands if payment card data has been stolen.  

Spot the IP addresses used during the attack. This will help in identifying attack patterns inside of web server logs and other system logs.

Acunetix suggests that companies need to identify accounts that have been compromised. Change the credentials for these accounts. Also, check for malware, malicious software that is developed with the intention of infiltrating a computer or website without the consent of the owner. Check how it works. Viruses, worms, and Trojan horses are examples of malicious software. This is important as most malware are designed to infect other systems. There have been cases where companies have worked with forensic experts and swiftly removed the offending malware.

Being accountable: A leading hotel brand, when its credit card data was breached around a year back, chose to address the question from a consumer’s perspective - How do I know if my credit card has been compromised? The answer from the chain – “If you suspect any unauthorized activity on your card, we recommend you contact your credit card provider directly”. The group also acknowledged that despite having leading data security systems in place, the malware was “undetectable” by all anti-viral systems.  Brands are expected to be answerable at all times by customers, and organizations need to be prepared for all external communication related to any such attack.


Follow Ai on Twitter: @Ai_Connects_Us