Photo - Dato' Seri George Chang, Fortinet's Vice President for Southeast Asia and Hong Kong, Fortinet
Malaysian businesses must ramp up their website security with a three-pronged strategy or risk intrusion by cyber criminals and hacktivists, according to network security specialist Fortinet.
Fortinet vice president for Southeast Asia and Hong Kong Dato' Seri George Chang said any interruption caused by attacks results in business disruption, revenue and productivity loss.
"Cybercrime is the fastest growing area of criminal activity today and businesses must act quickly to make sure they are protected. Websites and web applications are easy targets for hackers because they are public facing and open to the Internet," said Chang.
"Website hacking can take several forms, including website defacement, information theft and denial of service," he said. "Such malicious activities will not only lead to loss of reputation and trust, but also costly litigation should sensitive customer information such as credit card numbers be stolen."
He cited a recent study by Verizon, which showed that the top two reasons for an attack on websites were theft (financial or personal gains) and hacktivism (disagreement or protest).
There has recently also been a rise in the number of targeted website attacks in the region, said Chang. "In June 2013, Singaporean traditional Chinese medicine company Eu Yan Sang had its website defaced by hacktivists. In 2012, a hacker defaced and blocked access to rare earths producer Lynas Corp's website as part of a campaign against the opening of the company's processing plant in Malaysia."
Chang said businesses faced particular difficulty in protecting web applications because of their architecture and dynamics. "Whereas network security is relatively simple - define security policies to allow/block specific traffic to and from different networks/servers - applications comprise hundreds, and sometimes thousands, of different elements including URLs, parameters and cookies."
"However, manually creating different policies for each of these items is almost impossible and obviously does not scale," he said. "In addition, web applications change frequently with new URLs and parameters being added, making it difficult for security administrators to update their security policies."
Chang said businesses should adopt the following three-pronged approach:
- Secure Coding Practices and Code Reviews - Developing web applications securely and implementing secure coding practices as part of the development life cycle is an integral part of application development projects. Once developed, the code should be reviewed by a third party, independent from the development team.
- Web Application Vulnerability Assessment / Penetration Testing - Applications should either be reviewed manually or through automated application vulnerability assessment tools to locate existing vulnerabilities. This could be further followed up with specific application penetration testing exercises for critical applications.
- Install a web application firewall - A web application firewall (WAF) allows organizations to detect and block application layer attacks. Such a firewall is needed in addition to conventional network security solutions because traditional firewalls detect network attacks and inspect IP addresses and ports with minimal application awareness.
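As an added illustration (not from the article or from Fortinet), the Python sketch below contrasts a port-based network policy with the per-URL, per-parameter policy a WAF enforces: both requests arrive on the permitted port, so only the application-layer check can tell them apart. The URLs, parameter names and value shapes are constructed assumptions.

```python
"""Network policy (IP/port) versus application-layer policy (URL/parameter)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed network policy: allow TCP 443 to the web server, drop everything else.
NETWORK_POLICY = [{"proto": "tcp", "dst_port": 443, "action": "allow"}]

# Constructed application policy, keyed per URL: an allow-list of parameter
# names and the value shape each may take (a positive security model).
APP_POLICY = {
    "/login": {"user": r"[a-z0-9_.]{1,32}", "pw": r".{8,64}"},
    "/search": {"q": r"[\w \-]{1,100}"},
}


def network_check(proto, dst_port):
    """Traditional firewall view: only protocol and port are inspected."""
    for rule in NETWORK_POLICY:
        if rule["proto"] == proto and rule["dst_port"] == dst_port:
            return rule["action"]
    return "drop"


def waf_check(target):
    """WAF view: the URL and every parameter are matched against policy."""
    parts = urlsplit(target)
    allowed = APP_POLICY.get(parts.path)
    if allowed is None:
        return ("block", "unknown URL")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        shape = allowed.get(name)
        if shape is None:
            return ("block", f"unexpected parameter {name!r}")
        if not re.fullmatch(shape, value):
            return ("block", f"parameter {name!r} violates expected shape")
    return ("allow", "ok")


def inspect(proto, dst_port, target):
    """Apply the network policy first, then the application policy."""
    if network_check(proto, dst_port) != "allow":
        return ("drop", "network policy")
    return waf_check(target)


if __name__ == "__main__":
    # Constructed requests: same port, different outcome at the application layer.
    print(inspect("tcp", 443, "/search?q=ginseng"))            # ('allow', 'ok')
    print(inspect("tcp", 443, "/search?q=ginseng&debug=1"))    # blocked by WAF
```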