A Multi-Layered Approach to Website Security

IFSEC Insider is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
While cyber security is as important to SMEs as it is to larger corporations, the approach to formulating a comprehensive protection strategy differs.
This is largely the result of differences in the availability of resources, personnel and budget.
When it comes to protecting a company’s website the types of threats also differ based on the nature and scope of the organisation in question.
Larger organisations – such as international brands, gambling sites or large e-commerce sites – are more prone to high impact attacks that are triggered by certain events, for example a betting site being targeted on the eve of a football final.
These typically take the form of DDoS (distributed denial of service) attacks, in which the availability of the website is targeted in an effort to disrupt its service.
DDoS threats remain a concern for the smaller organisation, but its major source of alarm is the potential defacement, misuse or corruption of its website.
This could include manipulating content, changing images or planting malware. SMEs therefore need a means of controlling the way in which the website is used.
Policy enforcement for website browsing
The first step in this process is to guide users through the website so that it is used as intended; this is accomplished by having visitors follow a series of well-documented links throughout the site.
A web application firewall provides a straightforward way for the organisation to ensure the correct behaviour of users and to police the website.
The platform is placed in front of the company's website and is taught what correct behaviour looks like by security staff who navigate the website using the intended links. It thereby learns what good, known behaviour is and combines this knowledge with what is deemed bad behaviour.
The web application firewall then develops a rule set that dictates what visitors may see and do on the website.
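How a learning-mode WAF can turn the behaviour staff demonstrate into an enforceable rule set, as an added example in Python that is not part of the article or of any vendor's product; the request lines, paths and parameter names are constructed for illustration:

```python
"""Positive-security-model enforcement in the style of a learning-mode WAF.

Added example, not the article's or any product's code. A learning phase
records the requests staff produce while following the site's intended links;
an enforcement phase then allows only requests that match what was learned.
All traffic below is constructed sample data.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed training traffic: requests produced by clicking the known-good links.
LEARNING_TRAFFIC = [
    "GET /",
    "GET /products?page=1",
    "GET /products?page=2&sort=price",
    "GET /products/42",
    "POST /cart?item=42",
    "GET /contact",
]


def _normalise(path):
    """Generalise numeric path segments to '{id}' so /products/42 and /products/43 share a rule."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def learn_rules(requests):
    """Build the allow-list: (method, path pattern) -> set of permitted query parameter names."""
    rules = {}
    for line in requests:
        method, url = line.split(" ", 1)
        parts = urlsplit(url)
        key = (method, _normalise(parts.path))
        rules.setdefault(key, set()).update(parse_qs(parts.query, keep_blank_values=True))
    return rules


def check_request(rules, line):
    """Return (allowed, reason) for one request line judged against the learned rules."""
    method, url = line.split(" ", 1)
    parts = urlsplit(url)
    key = (method, _normalise(parts.path))
    if key not in rules:
        return False, "unknown method/path"
    unexpected = set(parse_qs(parts.query, keep_blank_values=True)) - rules[key]
    if unexpected:
        return False, "unexpected parameter(s): " + ", ".join(sorted(unexpected))
    return True, "matches learned behaviour"
```

In the constructed traffic only paths and parameter names that staff actually exercised are permitted, so a request for an unvisited path or carrying an extra parameter is refused before it reaches the application.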
DDoS mitigation
Once a website becomes a critical business tool, such as an e-commerce site, the basic structure of policy enforcement needs to be augmented with DDoS mitigation. If a business has identified that it is a potential target, then the use of web application security becomes imperative.
One of the best ways to guard against DDoS attacks is the use of a so-called honey trap. Essentially, this presents hackers with an attractive vulnerability that they can take advantage of. This vulnerability, however, is not a true flaw in the website but rather a lure to encourage hackers down a particular path where they can be trapped, blocked and identified.
Intrusion prevention systems
Taking web security a step further, the implementation of an intrusion prevention / detection system (IPS/IDS) can guard an organisation against known exploits. Again, this depends on what the website is used for.
A website that fulfils a mainly informative function, with largely static content, would benefit from a web application firewall.
However, a website with constantly changing information that makes use of an SQL database, for example, would be more secure with both the web application firewall and the IPS/IDS in place.
The IPS/IDS uses layers of defence to protect an organisation from both external and internal threats. It goes beyond simple monitoring: it validates users, identifies threats and then applies higher-level defence technology to deal with them effectively.
Conclusion
The best approach to website, and indeed network, security is a layered one.
Depending on the nature and purpose of the website a number of solutions can be implemented to ensure that it is used correctly and does not open up any avenues of exploitation to hackers or cyber criminals.
Regardless of the solutions used, it is a multi-layered approach that holds the key to success.