Like water, hackers take the path of least resistance. Today, that path runs over Secure Sockets Layer (SSL) straight through most corporate firewalls, leaving nothing between a hacker, a Web site and the information it holds. Using a browser and a few simple tricks, hackers can penetrate a Web site, access its credit-card database and make off with the goods, sight unseen.
With firewalls and patch management now standard practice, the network perimeter has become increasingly secure. Determined to stay a step ahead, hackers have moved up the software stack, focusing on the Web site itself. According to a Gartner analyst, more than 70 percent of cyberattacks occur at the application layer. To improve the security of the Web, you must dispel five widely held misconceptions.
1. "The Web site uses SSL, so it's secure."
SSL by itself does not secure a Web site. The tiny SSL lock symbol located at the bottom of a Web browser indicates that the information sent to and from a site is encrypted. Nothing more. SSL does not protect the information stored on the site once it arrives. Many sites using strong 128-bit SSL have been hacked just the same as those that do not. In addition, SSL has nothing to do with how a user's private information is safeguarded. When private data is stored on the Web site, the risk is at the server, not in between.
2. "A firewall protects the Web site, so it's safe."
Firewalls allow traffic to pass through to a Web site but lack the ability to protect the site itself from malicious activity. Meanwhile, the Web applications that turn a site into an e-commerce bank, store, auction, credit union, message board, etc., remain vulnerable to attack. In the traditional network-security mindset, the idea has been to let the good guys in and keep the bad guys out through the use of firewall access-control lists (ACLs). Securely configured ACLs deny everything from passing into a network except an allowed set of activities, such as Web traffic and e-mail. Generally speaking, all other traffic is blocked by the firewall. But once an ACL has admitted a visitor to the site, the protection the firewall provides is meaningless.
3. "The vulnerability scanner reported no security issues, so the Web site is secure."
Vulnerability scanners have been used since the early '90s to point out well-known network security flaws. However, they overlook the security of the custom Web applications running on the Web server, which usually remain full of holes.