Would you say your company is secure if your employees are using laptops with no antimalware installed at all? Most business leaders would say that is an irresponsible approach, and they would be right. Why, then, do so many businesses run their websites and web applications with no protection at all?
An antivirus (or, more generally, an antimalware solution) is treated as a standard and common-sense element of any Windows installation – it’s rare to see a computer without one, especially in business settings. Yet, strangely enough, many businesses are perfectly happy to set up a website or web application without paying attention to security. This is even more surprising when you consider that web-accessible databases may hold far more sensitive data than your average office machine, such as your customers’ personal information.
Here are five reasons why you should pay as much attention to web application security as to personal computer security and endpoint security in general.
Reason #1: The move to the cloud
Twenty years ago, websites were just simple, mostly static presentations – digital billboards, in a way. Today, they can be full-fledged applications that allow us, for example, to create documents online rather than in a desktop word processor. Quite often, the only major piece of native software installed on a Windows machine is the web browser. Even if you also have something like Slack installed, that still uses web interfaces to communicate with the servers.
Unsurprisingly, companies are using their own servers less often, especially in day-to-day operations. For many employees, desktop computers and laptops are now basically thin clients that are only there to run a browser with web applications. This means your anti-malware software is essentially protecting an empty computer with no special software or data on it, just a browser. The only major risk to the business if such a computer is attacked is that a successful attack may enable bad actors to log into company web applications.
On the other hand, all your data and all your business-critical applications now reside in the cloud or will soon be there. And, unfortunately, all this is often left completely unprotected. So while 20 years ago, personal computer security was much more important than web security because web applications were barely used for business, nowadays it’s fair to say that web security is becoming more important than endpoint security for organizations.
Reason #2: Ease of access and attack
Preparing and executing a successful attack using malware takes a lot of work. Even if the attacker uses off-the-shelf malware, like well-known trojans, they still have to deliver it to the victim. In a typical scenario, this could mean creating a convincing phishing site and convincing phishing emails to get people to install the trojan. And even after a victim installs the malware, attackers could well find out that the victim’s computer has absolutely no value for them because the victim is usually a random person.
On the other hand, performing a successful web attack is much easier, especially with free and easily available tools that make it even simpler for the attacker. All they have to do is point the tool at your website, and the tool, which acts like an illegal vulnerability scanner, will probe your site for weaknesses and allow the attacker to exploit them immediately. Such an attack has a high probability of success because the attacker can pick a target site that they know will have valuable information.
Above all, cybercriminals like to make their lives easy and efficient. Why work hard to create complex blind phishing campaigns in the hope of scavenging some valuable data when they can perform an easy, automated, and precisely targeted attack and get results immediately?
Reason #3: No help from the outside
If your organization (like many) hosts its email accounts with a reputable cloud service provider rather than running its own mail servers, you can be reasonably confident that your provider has an effective anti-malware solution on their server to eliminate potential threats before they reach the eyes and devices of your employees. This means that whatever local anti-malware solution you are using on company devices is not needed at all for email because your provider handles that part of your security.
Strangely enough, we do not know of any web hosting providers that perform regular vulnerability scanning on the content they host. Unlike cloud email providers, web hosting providers usually don’t provide any kind of protection except generic web application firewalls that can stop the most common attacks but do nothing to eliminate vulnerabilities.
Therefore, until web vulnerability scanning becomes a standard part of cloud provider offerings (if it ever does), you are on your own. You are the only one who can find and eliminate serious vulnerabilities in your websites and web applications – even more reason to be regularly using a web vulnerability scanner.
Reason #4: Risk of attack
As mentioned above, your organization most likely has anti-malware solutions on the server side for all your email security needs. This could either be because your reputable cloud provider runs server-side anti-malware or you run your own server – and if you do, you would not dream of leaving that without anti-malware protection. In both cases, the probability of generic malware making it through via email is next to none.
In practice, the probability that one of your employees will get a virus from visiting a website they visit is just as low. This is because browsers won’t install anything on your local machine unless you give explicit permission. Also, your employees are unlikely to visit risky websites that may be spreading malware not only because of company policy but because your IT department will most likely be blocking them on company hardware. So even if you had no anti-malware installed, the probability of getting malware on an office machine is very low.
On the other hand, the probability that your website or web application will be the target of a generic attack is much higher, bordering on certainty. This is because black-hat hackers simply use automated software to scan for available websites and then probe them for vulnerabilities. If you use any kind of open-source web software with plugins, such as WordPress, Joomla, Drupal, Magento, etc., you’re risking the most. Remember: unlike your office laptops, your website or web application is exposed to the public. Anybody on the internet can access it and potentially try to hack it.
Reason #5: Becoming an accessory to crime
One final risk associated with cyberattacks, especially if they are web-based, is that of your organization becoming an accessory to crime. This is more likely than you think and may have far worse consequences than a direct attack. You might face legal action that hurts your reputation and your business. Whatever form of protection against attacks you have, it also needs to cover the possibility of your resources being used to attack someone else.
The goal of malware-based attacks is often to install botnet software. Such software is then used for massive DDoS attacks against other entities. Attackers may also install rogue VPN solutions that are then used to hide the original IP address of the attacker. If your organization is compromised, the victims’ server logs could show that the attack is coming from your systems, and people would start asking questions.
What is less obvious is that your web applications may also become accessories to crime. Suppose your web application has a cross-site scripting (XSS) vulnerability. Attackers could use the vulnerability to create convincing phishing attacks that look like they’re coming from your domain. The scope of such attacks is much greater than, say, for DDoS botnets, since a botnet is typically used against a single target at once. A phishing campaign exploiting your vulnerable website (and your business credibility) can go out to millions of individual users. Many of them might see your trustworthy domain linked in the email, fall victim to the attack, and then blame your organization for the consequences.
So if you don’t want to risk your reputation and your business, you should ensure that your websites and web applications don’t have vulnerabilities that bad actors could abuse to attack someone else and pin the blame on you. And the only way to do this regularly, efficiently, and automatically is by using a proven web vulnerability testing solution like Invicti or Acunetix by Invicti.