Hackers breaking into corporate web sites represent a major problem for security and IT professionals, and none more so than for those managers operating in the commercial arena where profit is king. Is it possible to stop this kind of IT espionage?
As Yuval Ben-Itzhak explains, the Golden Rule is to keep tabs on hacker techniques at all times.
Hackers manage to successfully break into computer networks and systems much more often than you might realise. Just ask any member of a systems penetration testing team. These people, you could say, 'hack' for a living – with the explicit permission of the companies whose systems they're targeting – in order to highlight weaknesses.

In around three-quarters of all cases, the hackers manage to break through even the most secure e-commerce sites and firewalls.

Criminals are also finding that hacking is becoming a far easier task as many companies move their business on to the web. Not always because the systems are deployed with inadequate protection regimes, but primarily because the designers and programmers have made basic, fundamental mistakes.

Such mistakes can cost companies very dearly indeed. If someone lowered the prices in your company's online catalogue, for instance, how quickly would you notice? Or if an individual were to hack into the site and raise your prices, and orders suddenly began to dry up, how soon would you make the connection?

Remember the Microsoft Hotmail hack from a couple of years ago, when someone discovered just how easy it could be to access the mailbox of any Hotmail user? Just include details of that user's account on the end of the hotmail.com URL and the system would divulge their details without thinking to ask for an ID or a password of any kind.

Bringing a commercial web site to its knees is often no more difficult than running a freely-downloadable (and free!) hacking tool, then typing in the URL address of the web server and watching as it crashes because of default settings and configurations.

Is your firewall sufficient?
Keeping your web-based business secure in today's hacker-ridden Internet means more than installing traditional network firewalls and intrusion detection, neither of which will detect or prevent the type of attacks mentioned.

You also need to ensure that the program code which drives your web site is bug-free and, most critical of all, designed with security in mind from the start. Hackers know all the tricks, so you can't hope to keep your system safe unless you know them too. Or unless you can find a way to automatically scan your application for known programming faults.

For example, financial institutions that allow their customers to execute money transfers or to apply other changes to their private bank accounts should make sure that the web application will not allow a hacker to do the same from his or her browser.

Insurance companies that allow customers to purchase policies or adjust them to their needs should be extra cautious about hackers buying cover for accidents that have already occurred, by starting a new policy with a retrospective start date that precedes the accident.

Think about this one, too... Does your e-commerce site pass the cost of an item to your credit card processing system via a parameter to the URL? If so, it's easy for a hacker to alter the price by simply changing the URL. Hackers have used this technique in the past to obtain products or services at a discount. Some even changed the prices to negative values, which credited their account each time they placed an order!
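The price-in-the-URL problem described above, as an added example that is not from the original article: a checkout routine that trusts the client's price parameter, beside a hardened version that ignores it, looks the item up in a server-side catalogue and rejects quantities that would credit the buyer. The catalogue, SKUs and request dictionaries are constructed for the example.

```python
"""Price tampering via URL parameters: a trusting checkout beside a
hardened one. The catalogue and the requests below are constructed."""
from decimal import Decimal

# Constructed server-side catalogue: the only source of truth for prices.
CATALOGUE = {
    "SKU-100": Decimal("49.99"),   # downloadable report
    "SKU-200": Decimal("199.00"),  # software licence
}


class TamperedRequest(ValueError):
    """Raised when a request carries data a legitimate client never sends."""


def checkout_trusting(params):
    """Vulnerable: charges whatever 'price' the client put in the URL,
    so a negative value credits the account on every order."""
    qty = int(params.get("qty", "1"))
    return Decimal(params["price"]) * qty


def checkout_hardened(params):
    """Hardened: any client-supplied price is treated as tampering, the
    price comes from the catalogue, and the quantity is range-checked."""
    if "price" in params:
        raise TamperedRequest("client supplied a price parameter")
    sku = params.get("sku")
    if sku not in CATALOGUE:
        raise TamperedRequest(f"unknown sku {sku!r}")
    try:
        qty = int(params.get("qty", "1"))
    except ValueError:
        raise TamperedRequest("quantity is not an integer")
    if qty < 1 or qty > 100:
        raise TamperedRequest(f"quantity {qty} out of range")
    return CATALOGUE[sku] * qty


if __name__ == "__main__":
    # Constructed query string: ?sku=SKU-100&price=-49.99&qty=1
    tampered = {"sku": "SKU-100", "price": "-49.99", "qty": "1"}
    print("trusting checkout charges:", checkout_trusting(tampered))
    try:
        checkout_hardened(tampered)
    except TamperedRequest as err:
        print("hardened checkout rejected:", err)
    print("legitimate order:", checkout_hardened({"sku": "SKU-100", "qty": "2"}))
```

A rejected request is worth logging: a client that sends a price field is not running your shop front as written.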

Although such attacks are easy to defeat if tangible goods are being sold and delivered, this isn't the case for intangible items such as downloadable software or expensive reports. Once a hacker has obtained the file, there's nothing to then prevent him or her from posting it on a public web site for everyone to see – and for all the search engines to find.

HTML and Javascript codes
Not all hacks require such a degree of technical competency. Every popular web browser lets users view the HTML source code of the current page, and many developers leave comments in HTML and Javascript code. Even something as innocuous as the name and telephone number of the programmer may be exploited by hackers skilled in social engineering.

When web sites comprised nothing more than a collection of HTML pages and fancy clipart, a web server on the receiving end of a hacker's attentions merely deprived customers of your company's glossy electronic brochures for a couple of hours. However, as sites have become online versions of the traditional call centre, i.e. taking enquiries, processing orders and delivering quotes, a crash or hack which puts the site out of business for just a few minutes will cost your company real money and hit its revenues.


The hardest part is actually knowing that you've been attacked, and thus realising that you need to take action. Even checking your web pages, transaction database and security logs regularly cannot guarantee your continued immunity. Security and IT directors beware!

Consider the current darling of the web development scene, namely Content Management Systems (CMS). In essence, a CMS product allows anyone in your organisation to update your web site using some simple HTML forms and a password, and they can do so from anywhere via the web. No need to have access to FTP as there aren't any files to upload.

Need to add a story to the front section of your company's site? Just enter a password and type away. But what if a hacker were to do this?

A malicious, untrue news release posted on your site for just an hour (and which found its way on to the Internet rumour mill) could well halve a company's share price. And the harder you work to publicise your denial of the story, the more people become alerted to the fact that you've been hacked. The hacker wins twice.

Keep abreast of OWASP
As a security professional, keeping tabs on hacker techniques is critical. As you might expect, the web is the key to doing so. One excellent site can be found at www.owasp.org, home of the Open Web Application Security Project (OWASP). This freely-accessible site contains a wealth of information to help developers stay on top of the most important techniques for ensuring hacker-proof e-commerce sites.

OWASP is a community project staffed by developers from around the world who have agreed to share their experience and expertise in order to identify common threats and advise on how to prevent them. There are separate areas dealing with Javascript, PHP, SQL, ASP and the common development languages.

Although the OWASP lists are comprehensive, ensuring that your code never falls foul of any weakness on the lists is a difficult and time-consuming task. One option is to use automated tools such as web application scanners to assist the process.

Web application scanners may be used during development, quality assurance or even in production. This saves both time and money, and allows you to scan continually rather than just every day or once a week. It's also essential to revise your security policy according to what the scan discovers. Feeding the scanner's findings, both the vulnerabilities it uncovers and the application's legitimate behaviour, into an application firewall helps make sure that your web application stays secure.

Essential points to bear in mind
However you choose to manage your IT and web security, there are several key points to remember if you want to prevent your company's web application from leaking important funds.

For one thing, use the aforementioned web application scanner to discover vulnerabilities and develop a security policy for each application based on its unique attributes.

When planning the security of a server, use a positive security model rather than a negative one. By default, turn off all access and then enable facilities on an 'as-needed' basis. Although starting with everything turned on – and then looking for paths that might be closed off – is always more convenient, it's also a huge security risk.
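The positive security model described above, as an added example that is not from the original article: a request policy for an application firewall in which every path, method and parameter is denied unless it has been explicitly enabled, with each enabled parameter tied to the exact form it may take. The policy table and request values are constructed for the example.

```python
"""Positive (deny-by-default) security model for web requests.
The policy and the sample requests are constructed for this example."""
import re

# Constructed policy: only the facilities the application actually needs.
# Each entry maps (method, path) to the parameters that are enabled for
# it and the exact pattern each value must match. Everything else, including
# a 'price' parameter on checkout, is refused because it is not listed.
POLICY = {
    ("GET", "/catalogue"): {"category": r"[a-z]{1,20}"},
    ("POST", "/checkout"): {"sku": r"SKU-\d{3}", "qty": r"[1-9]\d?"},
}


def check_request(method, path, params):
    """Return (allowed, reason). Unknown methods, paths and parameters and
    values outside their pattern are all denied; only exact matches pass.
    This is the opposite of a negative model, which only refuses known-bad
    input and lets anything unrecognised through."""
    rules = POLICY.get((method, path))
    if rules is None:
        return False, f"{method} {path} is not an enabled facility"
    for name, value in params.items():
        pattern = rules.get(name)
        if pattern is None:
            return False, f"parameter {name!r} is not enabled on {path}"
        if not re.fullmatch(pattern, value):
            return False, f"value {value!r} for {name!r} does not fit its pattern"
    return True, "ok"


if __name__ == "__main__":
    samples = [
        ("POST", "/checkout", {"sku": "SKU-100", "qty": "2"}),
        ("POST", "/checkout", {"sku": "SKU-100", "qty": "2", "price": "0.01"}),
        ("POST", "/checkout", {"sku": "SKU-100", "qty": "0"}),
        ("GET", "/admin/publish", {"story": "breaking news"}),
    ]
    for method, path, params in samples:
        allowed, reason = check_request(method, path, params)
        print("ALLOW" if allowed else "DENY ", method, path, reason)
```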

Install a web application firewall to ensure that all the security policies are enforced (in much the same way that you'd use a network firewall to secure your networks). Be prepared to act on what you discover during your scans by revising your business methods or, indeed, your entire security policy.

In addition, consider using an automated tool to check your server code against the OWASP Top Ten Web Application Vulnerabilities list. And install all server OS security patches.