The morning of Sep 7th 2017 started off normally for most Americans. Coffee in hand, many of us powered up our computers, only to find our routines disrupted by news of a security breach. It was revealed that Equifax’s database which holds sensitive data including names, social security numbers, and addresses had been hacked. The breach was one of the largest in history, possibly affecting 143 million people (or over a third of the U.S. population). For many, that morning revealed the changing landscape of web security.
Many of us diligently install antivirus software on computers, avoid questionable websites, and delete emails with unknown attachments hoping that that will ensure the security of our private information. However, large-scale breaches remind us that by virtue of living in this day and age, personally identifiable information (PII), often stored in many large-scale databases is vulnerable to being exposed when websites get hacked, which is why the looming threat of security breaches has been and continues to be top of mind for IT professionals.
"Websites are neither static nor impenetrable, and they’re often not developed or redesigned in one go by one team. As such, we often see the sites we work on come in with a myriad of security vulnerabilities. What people don’t often realize is that the way in which a site is coded is key to avoiding security breaches."
Businesses want to protect the theft or loss of customer data, and invest a lot of time, money, and energy to stay on top of web security measures. However, in the ever-changing landscape of web security threats and breaches, it is an ongoing and evolving process. Often, a lack of knowledge and experience are the main reasons for vulnerabilities in websites. Fortunately, it’s possible to empower developers with the knowledge and resources necessary to avoid the most common issues, devise a plan to shore up websites, and stay on top of new vulnerabilities and issues as they arise.
What is Web Security?
Web security is the protection of information assets (such as data and information behind a paywall) from unauthorized access, and involves shielding the application layer from security breaches. Security breaches can include the theft of information, access to areas a user shouldn’t be in, impersonation of actual employees by outsiders, and the use of the application or site in unintended ways. A security breach can be used as a vector to spread malware to other machines, or to infect and spread malicious code such as ransomware to machines within a company.
If we think of the concept of security in the physical world, we’d want to secure every single possible entryway into a building since even an unsecured attic window provides access to the entire building. Similarly, we need to be aware of every possible entry point into a website since even one vulnerability can become the entry point to expose additional data and content. Since website vulnerabilities often occur at a code level, security is an important aspect to keep in mind throughout the redesign process of a website.
Understanding Hacker Motivations
In general, hackers can be driven by any number of things—ranging from economic motives (stealing money), ideological leanings (defacing or removing content from a site with an opposing political viewpoint), retaliation (as a disgruntled employee), sabotage (taking down a competitor site), or simply getting attention, among other things. Examining the motive hackers may have with regards to a particular site can help us determine what types of attacks such sites may be vulnerable to, allowing us to take strategic steps to protect against them. There tend to be two types of hackers: those who generally cast a wide net and attempt to find security flaws on any site, and those who are going after a particular site or type of site with a specific agenda.
With the first type of hacker, we want to start by addressing low-hanging fruit. If a hacker is trying to breach a site, we want to fortify a site to make it difficult enough that the hacker gives up and moves on to other sites, not unlike a thief who is likely to try a number of doors to see if any are unlocked, without focusing too much effort on any one door in particular.
The second type of hacker on the other hand is likely to hone in on websites that have a strong political or ideological focus whose messaging they oppose. Highly-motivated hackers of this type will often tend to focus all of their resources and efforts on taking down or damaging such sites. If a site is a likely target of such motivations, it’s crucial that we do due diligence to secure all areas of the site in a timely manner, ahead of any anticipated events (such as scheduled protests or a change to a law of significant public interest) that may draw publicity and therefore trigger such hacking attempts.
The Cost of Security Issues at Various Stages of Development
The cost of security issues grows the further along in the coding process they are discovered. For example, if an issue is discovered during development, it’s possible to fix it with nearly no repercussions, and often without much additional cost. The cost and time to create a site that is secure should be built into the project from the get-go. If the site is released and then a security flaw is discovered, the cost is greater, but often, the issue isn't unmanageable if it is addressed quickly and efficiently. If the vulnerability is discovered by someone outside of the development team, the cost is even greater as there is often some amount of damage control needed since other areas of an organization may be aware of the issue by this point. By the time a breach is discovered outside of an organization, costs add up even more because there is potential for damage to the brand and the company’s reputation.
Protecting Brand Reputation
Brands encompass a myriad of things from trademarked elements such as logos, to the look and feel of a website, to the overall image of the business. A positive brand reputation is important to building trust and loyalty, ultimately driving sales. A company or organization’s brand can be worth millions, and sometimes even billions of dollars. No client wants their website defaced or hijacked. Depending on the scope of a breach, businesses can lose customers and sales due to tarnished reputations. When a company has made a huge investment to launch or re-launch a website in order to promote their brand in a certain way, it is critical to protect the site from hackers who could damage it. Ultimately, it’s about making sure that no one but the company has the power to speak on its behalf.
With the website being a primary mode of communication, a hacker who is motivated to spread malicious rumors or false information may try to break in with the intent of damaging a brand’s reputation. Unfortunately, after the damage is done, it takes considerably more money, time, and effort to retract any falsified messaging and win back the trust of customers. If a client knows their site is being attacked, they may choose to take their site down to find and fix the vulnerability before more harm is done.
As you can see from the examples above, careful planning and preparation is vital to protecting against security breaches. In Part 2 of this post, we’ll be talking about our process around web security, beginning with our technical audit. We’ll also cover how we train and empower our developers to be security-minded when they work on projects.
In the meantime, we’d love to hear your thoughts on your challenges and experiences with web security. Please add to the discussion via the comments below.