Hacking Prevention: Ways to Improve Website Security

Website security is a caricature to the brick and mortar business’ physical security. With the various ways that cybercriminals have taken advantage of weaknesses, especially those that persist of using outdated vulnerable scripting engines and platforms. With hundreds of millions to billions of sites existing today, a portion of them using vulnerable software is a problem waiting to happen.

Websites with questionable permission setup are at huge risk. The most recognizable form in which the “Default Permit” dumb idea manifests itself is in firewall rules. Back in the very early days of computer security, network managers would set up an internet connection and decide to secure it by turning off incoming telnet, incoming remote login, and incoming FTP. Everything else was allowed through, hence the name “Default Permit.” This put the security practitioner in an endless arms race with the hackers. Suppose a new vulnerability is found in a service that is not blocked – now the administrators need to decide whether to deny it or not, hopefully, before they got hacked. The opposite of “Default Permit” is “Default Deny” and it is a really good idea. It takes dedication, though, and understanding implementing a “Default Deny” policy, which is why it is so seldom done. It’s not that much harder to do than “Default Permit” but it is much more secure.

For every harmless, legitimate application, which includes webpages (as web pages today operate similarly to an app, AKA Web 2.0), there are dozens or hundreds of pieces of malware, worm tests, exploits or viral code against it. Approximately around 100,000 viruses that might infect a webserver if it is running Windows, compared to a Linux-based server. Thanks to all the marketing hype around disclosing and announcing vulnerabilities like the Pwn2Own and the Blackhat conference, there are between 200 and 700 new pieces of vulnerabilities hitting the Internet every month. The world has significantly changed, attacking a firewall/software/website/whatever from the outside, identify a flaw in it and repeat is a common steps a hacker does and no one seems to stop them.

The premise of having security researchers is that they are helping the community by finding holes in software and getting them fixed before the blackhat hackers find them and exploit them. The premise of the vendors is that they are doing the right thing by pushing out patches to fix the bugs before the hackers and worm-writers can act upon them. Both parties, in this scenario, are ineffective because if the vendors were writing code that had been designed to be secure and reliable then vulnerability discovery would be a tedious and unrewarding game, but the reverse is true. This has been proven by the SMBv1 vulnerability that made WannaCry the most successful malware in terms of total profit it made for its authors due to ransom payment: $4 billion in 2017.

Dealing with things like attachments and phishing is another case of “Default Permit” – one of the causes of all security problems. After all, if admins let their users receive and open attachments in their E-mail as a default permit, it is a recipe for disaster. A better idea might be to simply quarantine all attachments as they come into the enterprise, delete all the executables outright, and store few safe file types. Installation of a staging server where users can log in with a TSL-enabled browser (SSL 3.0 and older are unsafe) is a wise choice. There are freeware tools like MIMEDefang that can be easily harnessed to strip attachments from incoming E-mails, write them to a per-user directory and replace the attachment in the E-mail message with a URL to the stripped attachment.