Would you say that a company is secure if their employees are using laptops with no anti-malware installed at all? Most businesses would say that is an irresponsible approach. Then why would many businesses have websites and web applications with no protection at all and why would many MSSPs not offer their customers any kind of web application security services?
An “antivirus” (an anti-malware solution) is perceived as a standard element of a Windows installation – it’s rare to see a computer without one. However, strangely enough, many businesses feel completely secure just setting up a website or web application without paying any attention to whether it is secure and many MSSPs provide them with no security for their web assets at all. This is even more surprising because web-accessible databases usually contain more sensitive data than an average office machine, for example, customer personal information.
Here are five reasons why both you, the MSSP, and your customers should treat web security with as much attention as personal computer security and endpoint security in general.
Reason 1. The move to the cloud
Twenty years ago, websites were just simple, mostly static presentations – digital billboards in a way. Today, many of us are, for example, creating our documents online instead of using a desktop word processor – quite often the only software installed on our Windows machine is the browser. And even if there is some other software like Slack, it uses web interfaces to communicate with the servers. Companies are using their own servers less often. For many employees, desktop computers and laptops are basically thin clients that are there only to make it possible to access the web.
This means that anti-malware software basically protects an empty computer that has no special software on it, just a browser. The only major risk of such a computer being attacked is if the attack makes it possible to steal login credentials to web applications.
On the other hand, all the data, all the business support software, and everything else is on the web or will soon be there. And, unfortunately, quite often it is left completely unprotected. Therefore, while 20 years ago personal computer security was much more important than web security (because the web was barely used), nowadays we would even say that web security is becoming more important than personal computer security.
Reason 2. The ease of attacking
Making a successful attack using malware takes a lot of work. Even if the attacker uses readily available malware, like well-known trojans, they still have to deliver that malware to the victim. This means that they have to, for example, create a convincing phishing site and a convincing phishing email, and get people to install the trojan. And even after the victim installs malware, the attacker may find out that the victim’s computer has absolutely no value whatsoever because the victim is usually random.
On the other hand, making a successful web attack is much easier and there are also free and easily available tools that make it even simpler for the attacker. All they have to do is point the tool at your website and the tool, which acts just like a vulnerability scanner, finds the weaknesses and allows the attacker to exploit them immediately. Such an attack has a great probability of success because the attacker aims at a particular victim and knows that the victim has valuable information.
Digital criminals like to make their lives easy. Why create blind, complex phishing campaigns hoping that maybe they’ll end up having some valuable data when they can perform an easy, automated, targeted attack and get results immediately?
Reason 3. No help from the outside
If your customer is using a renowned cloud service provider to host their email accounts, they can feel reasonably safe that there is an anti-malware solution on the server to eliminate potential threats before they reach the computers used by their employees. This means that a local anti-malware solution is not needed at all for email.
On the other hand, most web hosting providers don’t perform any vulnerability scanning on the content that they host. This means that the responsibility of protecting the customer’s web assets lies fully in the hands of the MSSP.
Reason 4. The probability of an attack
As mentioned earlier, most of your customers have server-side anti-malware solutions for all their email needs, either through a renowned cloud email provider offering server-side anti-malware or through your MSSP services. Therefore, the probability of generic malware making it through email is next to none.
The probability of getting a virus from a website that your customer visits is just as low. This is because browsers won’t install anything on your computer unless you give explicit permission. Also, employees usually don’t visit risky websites that may be spreading malware. Therefore, even if there were no anti-malware installed at all on your customers’ desktops and laptops, the probability of getting malware on an office machine is very low.
On the other hand, the probability that your customer’s website or web application will be the target of a generic attack is much higher. This is because black-hat hackers simply use automated software to scan for available websites and then scan them for vulnerabilities. If your customer uses any kind of open-source web software with plugins, such as WordPress, Joomla, Drupal, Magento, etc., they’re risking the most because such plugins often come with a lot of vulnerabilities. Remember: unlike office laptops, your customer’s website or web application is exposed to the public and anybody can access it and try to hack it.
Reason 5. Becoming an accessory to the crime
If, as a result of a malicious attack, your customer’s business becomes an accessory to a crime, it may have even worse consequences than a direct attack against that business. It may cost both your customer and you a lot of reputation and may put both businesses at major risk. Therefore, any form of protection against attacks must also take into account the possibility of someone using your customer’s resources to attack someone else.
The goal of malware-based attacks is often to install botnet software. Such software is then used for massive DDoS attacks against other entities. Attackers may also install rogue VPN solutions, which are then used to hide the original IP address of the attacker.
However, web applications may become accessories as well. For example, if a web application has a cross-site scripting (XSS) vulnerability, this vulnerability may be used to create phishing attacks that will look like they’re coming from your customer’s domain. And the scope of such attacks is much greater than for botnets – a botnet is used to attack a single target at a time. A phishing campaign can be sent out to millions of targets who would all then see your trustworthy domain and, possibly, fall victim to the scam.
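To make the XSS-to-phishing link concrete, here is an added example (not code from Invicti or from the original post) of a hypothetical search page that reflects a query parameter into its HTML. The vulnerable renderer lets attacker-supplied markup become part of a page served from the trusted domain; the hardened renderer escapes the parameter so the same input is shown as text. The template, parameter name and sample input are all constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed template for a hypothetical search results page.
# The {query} slot is filled from the user-controlled "q" parameter.
TEMPLATE = "<h1>Results for: {query}</h1>"


def get_query_param(query_string: str) -> str:
    """Extract the 'q' parameter from a raw query string (empty if absent)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflected XSS: the raw parameter is inserted straight into the HTML,
    so any markup the visitor was tricked into sending becomes part of the page."""
    return TEMPLATE.format(query=get_query_param(query_string))


def render_hardened(query_string: str) -> str:
    """Same page with output encoding: html.escape() turns <, >, &, ' and "
    into entities, so the parameter is displayed as text, never parsed as markup."""
    return TEMPLATE.format(query=html.escape(get_query_param(query_string), quote=True))


def reflects_markup(rendered: str, tag: str) -> bool:
    """Simple check a scanner or unit test could apply: did a user-supplied
    tag survive into the response as a real element?"""
    return f"<{tag}" in rendered


# Constructed sample input: a fake "sign in again" link of the kind a phishing
# campaign would want to display under the trusted domain's own URL.
INJECTED = '<a href="https://phish.invalid/login">Session expired, sign in again</a>'
SAMPLE_QS = urlencode({"q": INJECTED})

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_QS))
    print("hardened:  ", render_hardened(SAMPLE_QS))
```

The `reflects_markup` check is the kind of assertion a web vulnerability scanner automates across every parameter of every page, which is why the scanner is the practical way to find these reflections before someone else does.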
So if you don’t want to risk your reputation, you should make sure that your customer’s websites and web applications don’t have any vulnerabilities that could be used to attack someone else. And the only way to effectively do this is by using a web vulnerability scanner.
Guest blog courtesy of Invicti, an international web app security company headquartered in Austin, Texas. See more Invicti guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.