Website security is probably not top-of-mind for most Internet marketing managers, but in this interview, Colin Watson of web security specialists Watson Hall shows the problems that can arise and outlines how you can reduce the risks you face.
Which website security issues should you consider when commissioning a new site or auditing an existing site? In this E-marketing Essentials interview I ask web security specialist Colin Watson of web site security consultants Watson Hall what you should consider.
Q1. I know you believe that security is often a relatively neglected requirement in website commissioning, design and implementation. Why do you think this is the case?
[Colin Watson] It's not something many people commissioning a website are familiar enough with. Many people often only associate web security with two things... 'viruses' and 'HTTPS' (pages on websites where the data is encrypted in transit) and therefore believe that having anti-virus software and a 'secure server' are sufficient. These provide protection against very few of the threats your website will see.
Information security covers a wide range of administrative, technical and physical issues and controls that are about protecting assets such as data, users, computers and reputation.
Information security is ensuring that no-one can just walk out your office with a copy of your website user data, it is making sure your website is available 24 hrs/day for your customers, it is ensuring only the correct people can administer the website's content, it is preventing unauthorised alteration or destruction of your data, it is avoiding your website being used to distribute other people's software, it is ensuring that your employees cannot accidentally delete valuable information, it is stopping your website being used to damage users' computers and it is protecting your reputation.
The Information Commissioner has announced his office will be taking a tougher line with organisations that have privacy breaches (1), so every organisation should make sure that they are building and operating websites with suitable due care to avoid an accusation of negligence.
Q2. The impact of a security breach for a transactional site both in terms of revenue loss and reputational damage is clear, but what about sites which aren't performing payment processing - do you have any examples of the type of problems that can arise?
[Colin Watson] The simplest of websites are likely to have a response form for enquiries or feedback. A malicious user could potentially include some code in their message which deletes database information or is run by the employee who reads the email. This could easily send emails to everyone in their address book, or simply send details of other employees to the attacker.
One company ran a marketing campaign where they sent codes to customers' mobile phones which the users had to go to a website, type the code in and validate their own personal details. Someone entered the wrong code and realised it displayed another customer's data - the codes were sequential numbers. This is a security breach and what information security is all about.
In another organisation, a user mis-keyed a date to a future year, the system displayed no records, but tidied up (by deleting) all the enquiries that were more than 2 years old... which of course included all the recent ones.
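The sequential-code breach described above, as an added example (Python code written for this page, not code from the interview or from Watson Hall): the flawed scheme sits beside a hardened one in which each code is unguessable, bound to a single customer, and only honoured together with the mobile number that received it. The customer records, the mobile numbers and the code format are all constructed for the example.

```python
import secrets

# Constructed sample customer records (not real data). The mobile number is
# the one the code was texted to, so it is something only that customer knows.
CUSTOMERS = {
    1001: {"name": "A. Example", "mobile": "07700900001"},
    1002: {"name": "B. Example", "mobile": "07700900002"},
    1003: {"name": "C. Example", "mobile": "07700900003"},
}

# --- Flawed scheme from the interview: codes are sequential numbers. ---

def issue_sequential_codes():
    """Return {code: customer_id} where the code is simply a counter."""
    return {str(i): cid for i, cid in enumerate(CUSTOMERS, start=1)}

def lookup_sequential(codes, entered_code):
    """Release whichever record the code points at, with no further check.
    Mis-typing '2' instead of '1' shows a different customer's details."""
    return CUSTOMERS.get(codes.get(entered_code))

# --- Hardened scheme: unguessable codes, each bound to one customer and
# only honoured together with the mobile number that received it. ---

CODE_BYTES = 12  # 96 bits of randomness per code (assumed size for the example)

def issue_random_codes():
    """Return {code: customer_id}; codes come from the OS CSPRNG."""
    codes = {}
    for cid in CUSTOMERS:
        code = secrets.token_urlsafe(CODE_BYTES)
        while code in codes:              # vanishingly unlikely, but keep codes unique
            code = secrets.token_urlsafe(CODE_BYTES)
        codes[code] = cid
    return codes

def lookup_bound(codes, entered_code, entered_mobile):
    """Return the record only if the code exists AND the mobile number matches
    the customer the code was issued to. compare_digest keeps each comparison
    constant-time, and every stored code is scanned, so timing gives no hint
    of a near-miss."""
    if not entered_code.isascii():
        return None
    matched_cid = None
    for code, cid in codes.items():       # scan all codes; no early exit
        if secrets.compare_digest(code, entered_code):
            matched_cid = cid
    if matched_cid is None:
        return None
    record = CUSTOMERS[matched_cid]
    if not secrets.compare_digest(record["mobile"], entered_mobile):
        return None
    return record


if __name__ == "__main__":
    seq = issue_sequential_codes()
    print("sequential, code '2':", lookup_sequential(seq, "2"))   # another customer's data
    rnd = issue_random_codes()
    code_1001 = next(c for c, cid in rnd.items() if cid == 1001)
    print("bound, right mobile:", lookup_bound(rnd, code_1001, "07700900001"))
    print("bound, wrong mobile:", lookup_bound(rnd, code_1001, "07700900002"))
```

In a real campaign the codes would also be single-use and expire after a short window, and failed attempts would be rate-limited and logged; those controls are left out here to keep the contrast between the two lookups visible.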
Q3. The Web 2.0 approach opens up new potential security issues. Which are the main security risks to protect against?
[Colin Watson] Web 2.0 doesn't change the types of security issues... it just means there are more ways to exploit the usual issues. These sites require JavaScript enabled to work and use a real time flow of information back and forth making it difficult to maintain proper access control. Generally using frameworks for all types of development is better, but it is very simple to introduce problems with the way code is implemented or in custom modifications.
Some of the frameworks have been shown to have vulnerabilities within them, and sites which use them are easy to find using search engines. Whilst the recent problems have been fixed, many websites are still using the older code, and we will see other exploits discovered in due course. Fundamentally there are some problems, but be cautious and extra careful about testing.
Q4. How should someone commissioning a new or enhanced website ensure that security is built into the entire specify-design-build lifecycle?
[Colin Watson] People who commission websites put their trust in others for the development process, and often don't know the correct questions to ask. We see much more about usability and accessibility nowadays than several years ago, but who asks about security? It is true that some regulators will ask about security and there are more legal requirements for data protection, but good website design needs to consider security as part of the project in the same way as other requirements.
The core things are:
a) Define a security policy and what needs to be protected, and how critical it is
b) Build security reviews into the project milestones
c) Encourage developers to code securely (training, standards, best practice)
d) Incorporate security testing into the testing programme
e) Build in audit, logging and alerting facilities, and monitor these once operational
f) Think about business continuity and recovery in the event of a serious problem
It is possible to undertake security testing of an existing website, but it is much more expensive to add security in than to build it in from the start. One organisation undertook testing on their recently launched website and found a large number of problems. They went back to the design agency who said they had delivered what they had been asked for, but would make modifications at significant extra cost. So, make sure you ask the right questions and ensure sufficient security controls are defined in the specifications.
We have a Top 10 list of tips for website design which might also help (2).
Q5. Finally, a big question - do you see the phishing epidemic ever being countered successfully? What are the best approaches do you think?
[Colin Watson] An important question. Phishing is all about social engineering, and the websites that tend to be targeted are where there are financial transactions taking place such as banking or sites with e-commerce facilities. But phishing can also be used for identity theft, distribution of malicious software or by your competitors to try to gain access to your systems by targeting your employees. Educating users is a big start, but there are documented best practices that can help mitigate the risk such as:
- monitoring usage of your website closely
- providing users with a simple way to report phishing and other scams to you
- making sure you don't disclose your website users' personal information
- using HTTPS for all forms and sensitive data, avoiding pop-ups and using a simple consistent domain name
- putting your login form on a single separate page (not on every page or the home page)
- being careful of the format and content of your own emails to customers, suppliers, partners, etc.
- defining layouts and design in corporate identity definitions, policies and standards and adhering to these to help users identify variations
Some organisations are undertaking these types of activities, but even organisations that should know better can get it wrong. One bank sent emails with the subject line "Important message regarding your account" asking the customer to log in to their account to read the message. Although the message sounded like a phishing email, it was actually promoting a loan.
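Two of the tips above (HTTPS for all forms, and a login form on a single separate page rather than on every page) can be checked mechanically against your own site's HTML. The following is an added example written for this page in Python, not code from the interview or from Watson Hall; the three sample pages and the www.example.com URLs are constructed, and the audit only parses HTML you supply to it.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormAuditor(HTMLParser):
    """Collect every <form> on a page: its resolved action URL and whether
    it contains a password field (i.e. it is a login form)."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Relative actions resolve against the page URL, as a browser would.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return (findings, has_login_form) for one page."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        scheme = urlparse(form["action"]).scheme
        if scheme != "https":
            findings.append(f"form posts over {scheme}: {form['action']}")
    has_login = any(f["has_password"] for f in parser.forms)
    # A login form on a page served over plain HTTP can be rewritten in transit
    # even if its action is HTTPS, so flag the page itself as well.
    if has_login and urlparse(page_url).scheme != "https":
        findings.append("login form on a page served over http")
    return findings, has_login


def audit_site(pages):
    """pages: {url: html}. Returns (findings, urls_with_login_form).
    Adds a site-wide finding when the login form appears on more than one page."""
    findings = []
    login_pages = []
    for url, html in pages.items():
        page_findings, has_login = audit_page(url, html)
        findings.extend(f"{url}: {x}" for x in page_findings)
        if has_login:
            login_pages.append(url)
    if len(login_pages) > 1:
        findings.append(
            f"login form appears on {len(login_pages)} pages: {', '.join(login_pages)}"
        )
    return findings, login_pages


# Constructed sample pages for a hypothetical site (not a real site).
SAMPLE_PAGES = {
    "https://www.example.com/": (
        '<html><body><form action="/login" method="post">'
        '<input name="user"><input type="password" name="pw"></form>'
        "</body></html>"
    ),
    "https://www.example.com/login": (
        '<html><body><form action="/login" method="post">'
        '<input name="user"><input type="password" name="pw"></form>'
        "</body></html>"
    ),
    "http://www.example.com/contact": (
        '<html><body><form action="http://www.example.com/contact" method="post">'
        '<textarea name="message"></textarea></form></body></html>'
    ),
}

if __name__ == "__main__":
    for line in audit_site(SAMPLE_PAGES)[0]:
        print(line)
```

Run against the constructed pages it reports the contact form posting over plain HTTP and the login form appearing on two pages; pointing `audit_site` at a crawl of your own site (fetched separately) gives the same two checks across the whole site.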
References
1 CEOs urged to raise their game following unacceptable privacy breaches
Information Commissioner's Office, 11 July 2007
2 Top 10 security tips for website design
Watson Hall Ltd, 19 July 2007