© 1995-2007 Symantec Corporation.
All rights reserved.

Is Your Web Site Secure?

The decision was as dramatic as it was far-reaching. In June, the Federal Trade Commission (FTC) settled a case with Guess Inc. stemming from accusations that the clothing and accessory vendor had failed to take appropriate measures to secure its Guess.com Web site. The FTC had accused Guess of leaving its Web site open to “commonly known” attacks, including the well-known SQL Injection attack, even though the company claimed to protect consumer data. In February 2002, a SQL Injection attack caused the release of an undisclosed number of credit card numbers stored in the Guess database.

As part of the settlement, Guess is prohibited from misrepresenting the security of customers' personal information. In addition, Guess must maintain a comprehensive security program at its Web sites and submit an independent security auditor's report to the FTC every two years throughout the entire 20 years of the settlement.

Was this an isolated security lapse involving a large enterprise? Perhaps, but on this point, security experts agree: Web site attacks occur because the software that companies use has vulnerabilities. The first challenge for any business, large or small, is to find out what those vulnerabilities are.

Assessing your risk
Many companies react to security threats only after the damage has been done. But that’s no longer a viable option in today’s environment, where so-called “blended threats” are on the rise. By using multiple automated methods of attacking, these threats can spread to large numbers of hosts, causing rapid and widespread damage.

Blended threats also often exploit vulnerabilities that are known to the security community but may be unfamiliar to the average small business. For example, this summer’s devastating Blaster worm arrived just 26 days after Microsoft disclosed an RPC DCOM Windows flaw and released a patch for vulnerable systems. The worm took advantage of what some security experts have called the most widespread Windows flaw ever. For a time, Blaster was infecting as many as 2,500 computers per hour.

How can your company stay on top of the seemingly endless torrent of cyber threats? One of the best ways is by conducting thorough and periodic vulnerability assessments, usually in association with a third party. A vulnerability assessment evaluates your systems for missing fixes to known problems, helping you ensure that your Web site’s guard is up and that a potentially devastating attack is prevented. (In addition, an assessment can evaluate your company’s most critical and sensitive information systems, including firewalls, financial and personnel data, mail servers, etc.)

Besides identifying explicit Web site vulnerabilities, an assessment can also help highlight your company’s overall security practices. A thorough vulnerability assessment should result in a report that outlines any administrative, physical, and technical shortfalls that your company may have.

The prime offenders
So what are the top security vulnerabilities that an assessment is likely to uncover? In October, the SANS Institute and the FBI released a list of the 20 most critical Internet security vulnerabilities. As SANS officials noted at the time, the vast majority of worms and other successful cyber attacks are made possible by vulnerabilities in a small number of common operating system services:

“Attackers are opportunistic. They take the easiest and most convenient route and exploit the best known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable systems. The easy and destructive spread of worms, such as Blaster, Slammer, and Code Red, can be traced directly to exploitation of unpatched vulnerabilities.”

SANS officials went on to say that although there are thousands of security incidents each year affecting the Windows and Unix operating systems, the overwhelming majority of successful attacks target one or more of the 20 vulnerable services that comprise the list.

Check the SANS Web site for the complete list of vulnerabilities. There SANS describes each vulnerability in detail, shows you how to determine if you are vulnerable, and indicates the steps you should follow to protect against the vulnerability.

One to watch out for: SQL Injection
Web sites that dynamically create pages are particularly at risk of SQL Injection attack; witness the Guess case described above. SQL Injection occurs when an attacker is able to insert SQL (Structured Query Language) statements into a query by manipulating the data input into an application. The result: a site’s entire back-end database can be downloaded by the attacker, even from behind a firewall.

Sometimes attackers capitalize on database error messages in order to retrieve content. Don’t be lured into a false sense of security because you use stored procedures or mask the error messages returned to the browser. There are techniques that allow attackers to determine whether injected SQL statements executed even when no error message is returned to the browser.

Bottom line: Although SQL Injection is easy to protect against, there are still a great many production systems connected to the Internet that are vulnerable to this kind of attack.
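To make the mechanism concrete, here is an added example (not from the original article, and not Symantec's or Guess's code) in Python using the standard sqlite3 module with a constructed customer table. It places the lookup written by string concatenation, which lets a crafted username rewrite the WHERE clause, beside the parameterized form that the "easy to protect against" remark refers to.

```python
import sqlite3

# Constructed sample data standing in for a site's customer table; not real records.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the input is spliced into the SQL text, so quotes and
    operators inside it are parsed and executed as part of the statement."""
    sql = "SELECT id, username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the driver passes the value separately from the SQL
    text, so the input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A value that closes the quoted string and appends an always-true condition.
    tampered = "nobody' OR '1'='1"
    print(lookup_vulnerable(db, "alice"))       # one row, as intended
    print(lookup_vulnerable(db, tampered))      # every row: the WHERE clause was rewritten
    print(lookup_parameterized(db, tampered))   # no rows: compared literally as a username
```

The same parameter-binding discipline applies to stored procedure calls: a procedure that itself concatenates its arguments into dynamic SQL is no safer than the first function above.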

Conclusion
Making sure your company’s Web site is secure requires an ongoing commitment. Cyber threats evolve, and you need to stay on top of them. That’s why it is so important to conduct vulnerability assessments periodically. It’s the best way to ensure that your flagship Web site is secure today – and tomorrow.
