Recent reports of a Russian crime ring hacking into 420,000 websites and stealing 1.2 billion sets of credentials shocked many readers, but what surprised us was that the number of hacked sites seemed low for an attack of this scale.
At 6Scan, we analyze the security of millions of pages across hundreds of thousands of websites every month. Forty percent of the sites we scan have vulnerabilities, and a significant percentage of these are serious enough to give hackers access to the site. Overlay this percentage across 200 million public-facing websites in the world, and you get an addressable target size of 80 million sites that can be compromised, right now, using widely available tools. So this crime ring hit 0.5% of the addressable market. I’m sure their investors expected a bigger number.
FREE Ebook: The Security Industry´s Dirty Little Secret
If it seems that the CyberVor attack could have been much worse, the most recent data on website vulnerabilities backs up this conclusion. Verizon identifies web applications as the top attack vector for successful data breaches. Websense reports that 85% of malicious links are hosted on hacked legitimate websites. Cisco has dubbed the technique of hacking websites to attack visitors (which is what the CyborVor gang did) “a highly efficient infection strategy.”
Even with clear evidence of the security threats facing firms in the small-to medium-business (SMB) environment—which encompasses tens of millions of websites—few have effective strategies for prevention and remediation of risks. We see three major attitudes on the part of SMBs that contribute to this situation:
1.) “What threat?”
Even with the recurring headlines from high-profile attacks, the SMB market is essentially unaware of the threats that target its websites. The influencers and “experts” in the space bear some of the responsibility for this. The FCC’s Cyber Security for Small Business website fails to list website insecurity as a threat, and the Small Business Administration website ignores it entirely. Website security needs to be on every top ten list of “Things to Protect.”
2.) “We’re good”
This is the most frustrating obstacle to proactive website security. If a website is generating traffic, leads and orders, there is an overwhelming sense of “if it ain’t broke, don’t fix it.” Well, guess what? It is broken. And the hackers know it—but they are too busy stealing your data and infecting your customers to let you know. Worse, even when companies are informed of vulnerabilities, some choose to ignore the problem. In May, 6Scan published a blog post about an NFL team website that had an active Cross Site Scripting vulnerability. We reached out to them directly and through partners, yet today the vulnerability still exists! And this from an Alexa top 5K site in the US, which puts thousands of visitors at risk every week.
3.) “What do we do?”
Once the potential for attacks has been acknowledged, there are substantial resource and workflow challenges to be resolved. Few SMBs have dedicated IT staff to identify and remediate website security issues, but outsourcing IT functions can be expensive. At 6Scan we focus on “set and forget” solutions to overcome this critical hurdle. This includes scheduled daily scanning to identify problems and automated remediation to patch vulnerabilities and quarantine malware in real time. Information on threats and resolution is presented clearly, in easy-to-understand language, on a dashboard summary.
The key for all businesses is to identify and quickly react to vulnerabilities, for it turns out Russian cyber gangs are doing exactly the same thing.
By Chris Weltzien, CEO, 6Scan
About 6Scan
Headquartered in Tel Aviv’s booming technology startup district, 6Scan’s mission is to reverse the rising trend of successful website hacks, making the Internet a safer place for website owners as well as for users. As more and more websites use 6Scan’s one-click, always-updated protection, hackers will have less and less surface area to perform their attacks.
To learn more about 6Scan, please see this report published by 451 Research.
[wp_ad_camp_5]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.