
A Learning Experience in Web Security

Take forbes.com for instance: its email and publishing systems were accessed, and many users' email addresses and hashed passwords, along with articles, were downloaded illegally by #SEA.

If such big names on the internet can be hacked, what is the fate of the small businesses online that are trying to survive on the internet?

Web Security

The following are some facts I gathered during the course of my research concerning breaches or hacks carried out on various websites:

Illegal URLs and Phishing Mails:

A lot of users don't know how dangerous phishing mail is. It lures users into clicking a "somehow" familiar link, which directs them to a web page filled with malicious software (malware) where attackers steal or swipe the users' details. Sometimes these mails redirect the user to a "private" login page similar to their own, and users most times get trapped because they do not pay close attention to the mail's URL. In my opinion it is sensible to avoid such spam links, especially in organizations that look like ripe fruit for cyber culprits and the like.

Fake Login Web Pages:

Some emails that let users access their accounts through a login screen have been seen creeping into users' inboxes these days. A user innocently enters his/her details without knowing that the page is a mirage (a fake website that looks similar to the original). Other attacks like CSRF (Cross-Site Request Forgery) are used to hijack users' browser sessions. Attackers then install malware into the browser to steal information from the website. To avoid this, it is advisable to always look for web pages that provide security and authentication before submitting credentials. Such web pages include an SSL certificate on their site to ensure users' details stay encrypted. Look for the https:// sign whenever you need to access private and sensitive data online; otherwise, flee.
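The two points above (familiar-looking links in phishing mail, and fake login pages that lack https://) can be turned into a simple mail-side check. The script below is an added example and is not code from the original post; the trusted-domain list and the sample mail body are constructed for the example, and the heuristics (anchor text that names one domain while the href points to another, a non-https target, a trusted domain used as a prefix label of a longer hostname, and a hostname within two edits of a trusted domain) are the author of this example's own choices, not a published standard.

```python
"""Flag suspicious links in an HTML e-mail body.

Added example, not part of the original article. TRUSTED_DOMAINS and
SAMPLE_MAIL are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation actually uses.
TRUSTED_DOMAINS = {"example-bank.com", "forbes.com"}

# Constructed sample mail: one spoofed link, one typosquat, one genuine link.
SAMPLE_MAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://example-bank.com.login-verify.net/reset">https://example-bank.com/reset</a>
<a href="https://exarnple-bank.com/login">Log in</a>
<a href="https://example-bank.com/statements">View statements</a>
"""

DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquatted hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude 'registrable domain': the last two labels of the hostname."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text):
    """Return the list of reasons a link looks suspicious (empty if it looks fine)."""
    reasons = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    reg = registrable(host)

    # Fake login pages are often served without TLS.
    if url.scheme != "https":
        reasons.append("not-https")

    # Anchor text shows one domain while the href really goes somewhere else.
    m = DOMAIN_RE.search(text.lower())
    if m and registrable(m.group(0)) != reg:
        reasons.append("text-host-mismatch")

    for trusted in sorted(TRUSTED_DOMAINS):
        if reg == trusted:
            continue  # genuine domain or one of its subdomains
        # e.g. example-bank.com.login-verify.net: trusted name used as a prefix
        if host.startswith(trusted + "."):
            reasons.append("trusted-domain-as-prefix")
        # e.g. exarnple-bank.com ("rn" for "m"): within two edits of a trusted name
        elif 0 < edit_distance(reg, trusted) <= 2:
            reasons.append("lookalike-of:" + trusted)
    return reasons


def scan_mail(html):
    """Return [(href, reasons), ...] for every link in the mail body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, classify_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, reasons in scan_mail(SAMPLE_MAIL):
        print(("SUSPICIOUS " if reasons else "ok         ") + href, reasons)
```

Run it as a script to see the three sample links classified; in practice you would feed it the HTML part of incoming mail and either quarantine or rewrite any link that comes back with a non-empty reason list. The two-edit threshold is deliberately loose and will produce false positives on short domains, so tune it against your own allow-list.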

Lack of Continuous Online Security Monitoring (COSM):

It is a must that every business online has a system in place to monitor suspicious activity on its servers or network. Most organizations do not have a CSIRT (Computer/Cyber Security Incident Response Team) in place. They wait until an attack has taken place before they start putting measures in place. (Arggghhh!!!) For smaller businesses, you can use services like Sucuri and Pingdom to help monitor and check the health of your websites; for bigger businesses, you should put a CSIRT in place that includes security experts capable of responding to the four major threats on the internet currently, which are: (More on these later in my blog... research on the move)

  • Botnets
  • Distributed denial-of-service (DDoS) attacks
  • Insider threats
  • Advanced Persistent Threats (APTs)

Uneducated Employees:

One of the biggest concerns in security is termed "Social Engineering", where an attacker tries to obtain someone's personal information and impersonate him/her to gain access to sensitive areas of a company. The lack of security knowledge among employees of a company is very high, and this leads me to propose that companies should run security training sessions for their staff every 2 weeks, or once a month at least, to keep them up to date with current trends in security. The organization should give its employees enough security knowledge, which must cover the organization's security policy, immediate action against suspicious activity, the policy on sharing details online, web surfing guidelines, etc.

In summary, I would say that the concerns listed are just part of a whole that will be rediscovered as time passes, but below are some of the suggestions I received and which I perceive as legitimate to apply irrespective of the organization:

  • Install essential tools to check the resilience of your web server against DoS or DDoS attacks (I recommend you try Sucuri; they offer such services)
  • Install a phishing detection tool on your server (a Web Application Firewall will do)
  • Keep a day-to-day backup of sensitive data, or create a schedule to back up your files remotely
  • Make use of SSL certificates on your business websites if they provide sensitive data or access personal data.
  • Install anti-phishing and antivirus tools that regularly scan the server for any vulnerability.

If, however, you need help keeping your web presence secure online and you need my consulting, give me a call or, better still, contact me.

Cybercrime is on the increase and hackers are getting smarter and smarter every day. Thinking and staying ahead requires great effort and investment. Any company can be a target. It is better to take precautions than to suffer the loss. "Thou hast been warned"