
The Truth About Website Security

"Silencing the Researchers"

Security Companies Take Aim at Researchers

Truth vs. Marketing

Before we separate fact from fiction, let's make a couple of distinctions.

Most people's perception of security on the web is singular: they believe one form of security exists to protect all manner of hardware and software. In fact there are many different types of security, operating at many different levels.

The three basic types of security are PC security, Internet security and Website security. All three are completely different and perform in different ways. Understanding the differences between the types is the first step in making an intelligent purchasing decision. Understanding which type fits your need is the second step in your purchasing decision.

But how do you know exactly which security vulnerabilities you face, and how do you determine which product will address them? The number of security solutions offering you fixes is staggering, and trying to compare them to each other for a sound purchasing decision is almost impossible. It is a case of comparing apples to oranges. This dilemma is caused by the absence of an industry standard and disclosure policy. The security industry is still in its wild west phase: there are no standards, and there is no mandated list of ingredients on the back of the product box.

By now you are probably saying to yourself, "Wait, what about all the talk of compliance that I've heard about...isn't there an organization NOW dictating a certain level of standards and compliance?...I thought there was."

Yes and No!

This is exactly why there is confusion in the marketplace; it is once again a case of comparing apples to oranges. Chances are you are referring to PCI compliance. PCI compliance is headed by the credit card industry and is a standard that is being enforced to slow down the rate of credit card theft during transaction transmissions. Although it is labeled as SECURITY, it only applies to the small window of time in which the transaction takes place. This is protection for the bankers only (and the system is far from fool-proof). They couldn't care less about your website or your business. This type of security, for instance, has no regard for securing your database or your website from getting hacked. This is a brief explanation, but it demonstrates where the emphasis lies.

After years of owning and operating e-commerce sites, I have learned this truth the hard way. Many of my sites had SSL encryption, were PCI compliant, and displayed the seals of a famous top-brand security service. Yet my sites were still hacked, and thieves still managed to take us for $15,000. These services do not offer website protection. They do not offer the types of protection needed to prevent hackers from secretly gaining access to your website resources and data.

As an illustration, the following are real-world, everyday types of attacks: Flood Attack, SQL Attack, URL Attack, Form Attack, Cookie Attack, XSS Attack, Address Bar Attack, Remote File Attack, Double Hyphen Attack, Directory Traversal Attack, Rude Script Attack, Live Script Attack, Firewall Pollution, PHP Injection, Form Code Stripping.

The aforementioned are the most popular types of intrusion and represent about 80% or more of all web attacks. Yet most security solutions make no mention of them. You may have to dig deep to find this information on their websites or in their brochures. You would think that, since these examples represent the majority of attack types, these products would explain how they aim to prevent them before asking for your money.

A good example of a website security product that lists all the types of attacks it blocks can be found at SecureLive. As the following link demonstrates, not all security products are created equal: this is a website security product that actually shows all its features in an easy-to-follow chart.

My research has found that most of the top trusted products simply do not protect your website or server at all. They only claim they do. Most offer vulnerability reports and suggest light remedies as a fix. Most have more to do with marketing than with security.

The irony is that many have security holes themselves and lack true protection from the 80% of existing attack types. Apparently, many also only respond to "holes" in their products after damage has occurred and someone has filed a complaint. Very often, the damage has to be on a wide enough scale to prompt attention. A recent case in point is Hacker Safe and McAfee (see this report in "InformationWeek"). Excuses and denials seem to be the typical response.

Here is one person's comment on the same report about McAfee / Hacker Safe at "InformationWeek":

by: Jonathan Villa
commented on May 23, 2008 2:26:45 AM
To dismiss XSS as just something that "can't be used to hack a server" represents a lack of understanding of what "hackers" do to steal customer data. I would expect that a company that sells a service called "hacker safe" would take any vulnerability on the OWASP Top Ten as a serious issue and not dismiss it because it does not allow entry into a server. In my opinion, if a vulnerability on my website causes one customer to lose the confidentiality of their personal information, then I failed to do my job to protect my customer.

It is apparent that many security companies resent criticism of their products and reject any recommendations from the industry itself. Interestingly enough, some security product companies have actually gone on the offensive when researchers have dared to point out their products' weaknesses. Using "intellectual property right" lawsuits, they have attempted to silence the researchers. The following video is a good example of such activity (watch it here). Is this right? ....

Knowing this, you should be better equipped to choose an effective security solution for your website. Notice I said website, not your PC or the Internet. Those are totally different security issues. You may need to protect your database and website with one product, secure your payment transactions using PCI-compliant solutions, and protect your PC using a third solution. They are all different vulnerabilities and require different solutions. Trying to get one product to do it all is sure to compromise your security.

Consider the following scenario: you have a security seal protecting your customers' purchases on your website. The transactions are encrypted, and the data (credit card numbers, personal data) passes securely from your customer to your payment gateway for processing. After the information has passed, the data is stored on your server unprotected. Thanks to better security during transmission, the data was protected from being swiped in transit, but afterwards it is sitting in your database unprotected, waiting to be copied or stolen.
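The scenario above, as an added example that is not part of the original article: an order handler that writes the full card number to the merchant's own database once the encrypted session is over, beside the pattern that hands the number to the gateway and keeps only a token and the last four digits, plus the audit a site owner can run over their own table to find card numbers stored in the clear. The gateway, its tokens and the orders table are constructed stand-ins, not any real product's API.

```python
import re
import secrets
import sqlite3

PAN_RE = re.compile(r"\d{13,19}")   # crude PAN shape; Luhn check cuts false positives


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the self-check built into card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class FakeGateway:
    """Constructed stand-in for a payment gateway that swaps a PAN for a token."""
    def __init__(self):
        self._vault = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan    # the PAN now lives only on the gateway side
        return token


def new_db():
    """In-memory orders table standing in for the merchant's own database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT,"
               " card_ref TEXT, last4 TEXT, amount REAL)")
    return db


def store_order_unprotected(db, customer, pan, amount):
    """The article's failure mode: TLS covered the wire, then the full PAN is stored in the clear."""
    db.execute("INSERT INTO orders(customer, card_ref, last4, amount) VALUES (?,?,?,?)",
               (customer, pan, pan[-4:], amount))


def store_order_tokenized(db, gateway, customer, pan, amount):
    """Hardened pattern: keep only the gateway's token and the last four digits."""
    token = gateway.tokenize(pan)
    db.execute("INSERT INTO orders(customer, card_ref, last4, amount) VALUES (?,?,?,?)",
               (customer, token, pan[-4:], amount))
    return token


def find_stored_pans(db):
    """Defender's audit: row ids whose card_ref still looks like a real card number."""
    return [row_id for row_id, ref in db.execute("SELECT id, card_ref FROM orders")
            if PAN_RE.fullmatch(ref) and luhn_ok(ref)]
```

Running `find_stored_pans` against a table filled by the first handler returns every row, while a table filled by the second returns nothing, which is the difference the seal on the checkout page says nothing about.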

I hope to expose the real issues involved and to offer an intelligent and truthful view of what is and what isn't security: what is protected and what is not, who is protected and who is not, and what you can do to become better protected against hackers and thieves. The fact that products and services ranging from $29 to $5,000 all claim to do the same thing should be proof enough that more scrutiny is needed.

More to come....

Comments

webverification 3 years ago

Great hub. Thanks for clearing up some of the confusion on website security.
