How Can I Reduce The Risk Of A Cyber Attack?
fitcom.co/2014/01/21/how-can-i-reduce-the-risk-of-a-cyber-attack/
Every year, cyber-attacks cost website owners large amounts of money in damages to IT assets and disruptions to
daily operations. Knowing how to manage the risks associated with cybercrime helps to reduce website security
For ecommerce website owners and key decision makers, a solid cyber security strategy requires a time investment
and careful consideration of many facets of an online business. The time investment is critical to business security and
continuity, since cyber-attacks are on the rise as more businesses establish an online presence.
For this reason, ecommerce businesses must increase their awareness of the different types of website breaches to
help develop effective policies and security strategies to combat cyber-attacks. In this article, we will help you
understand the different types of cyber-attacks and discuss some of the steps that are necessary to reduce
your exposure to online risks.
What is a Cyber Attack?
A cyber-attack consists of a program created on a criminal’s PC before it is launched against a website, network, or
individual PC. The motive for the attack is to compromise the availability, integrity, or confidentiality of a website,
network, or PC, and the information stored on it. The attack is designed to perform a variety of malicious acts, such as:
Acquiring unauthorized access to a website and the data associated with it.
Unexpected disruption of website services including the facilitation of entire website crashes.
Installation of viruses or malicious code (malware) on a website.
Unauthorized use of a website for the purpose of committing criminal acts such as hijacking, phishing, stealing
sensitive data, and more.
Changes to the characteristics of a website for criminal purposes without the owner’s knowledge or consent.
See Wikipedia for cyber-attack definitions.
The processes used for responding to the attack are dependent upon the type of attack itself. This is why a
comprehensive system covering a broad range of areas needs to be implemented, since there is no one-size-fits-all
answer to the problem.
What are the Different Types of Cyber Attacks?
To effectively protect your website, it is first important to understand some of the ways that hackers can launch a
cyber-attack and gain access to your website. Here are a few of the common ways hackers can breach a website or the
network server where the website is stored.
Remote Code Execution: This type of attack allows the hacker to run arbitrary system-level code through a web
server vulnerability. The code allows the hacker to retrieve any type of information they desire, including sensitive
information. See this article on remote code execution.
SQL Injection: This type of attack uses an older approach; however, it is still popular with many hackers since it
is an effective way to gain access to information in a website database. Depending upon the security measures
you have in place, the attack can range from stealing basic information to complete compromise of a website and
the database associated with it.
Cross Site Scripting: Cross Site Scripting occurs on user login pages and comment pages that allow script
tags. In this instance, the hacker perpetrates an attack using the error message page that appears when the
wrong login information is entered, or when script tags are used on discussion pages.
Denial of Service (DoS): A Denial of Service attack occurs when the hacker inundates the web server bandwidth
or the website resources with a massive amount of unnecessary traffic. The end result is complete loss of service
to your website with other specific losses that can be devastating depending upon how many attacking hosts are
Trojans: A Trojan is a small software program that can emulate legitimate software on a website or it can be
hidden inside web applications such as links, ads, and other components. When the visitor downloads software
from your website or clicks on one of the components, the Trojan is installed on the visitor’s computer and is
designed to perform a series of malicious acts. See the virus encyclopedia on the Bitdefender website.
Hijacking: Hijacking occurs when a hacker monitors and then controls your website configuration to commit
criminal acts. In this case, your website is set up to look like the real thing. When your customers enter their
personal data, the site is programmed to send the data to an external server where the criminal harvests it.
These are a few of the common ways hackers can breach your website. New hacking methods are being developed
on a regular basis, which is why it is important to stay on top of the latest methods and deploy strategies designed to
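As an added example (not code from the article), the two weaknesses described above are shown in miniature: a login lookup that splices the submitted values into its SQL next to the parameterised form, and a login error page that echoes the username raw next to one that escapes it. The in-memory database, the table and the crafted input are constructed for the demonstration.

```python
import html
import sqlite3

def make_db():
    # Constructed in-memory user table standing in for a real site database (example only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn

def login_unsafe(conn, username, password_hash):
    # Vulnerable: the submitted values are pasted into the SQL text, so a quote
    # in the input changes the structure of the query (SQL injection).
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()

def login_safe(conn, username, password_hash):
    # Hardened: bound parameters keep the input as data; the query shape is fixed.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()

def login_error_unsafe(username):
    # Vulnerable: the error page echoes the submitted name raw, so any script
    # tags in it become part of the page (reflected cross-site scripting).
    return f"<p>Login failed for {username}</p>"

def login_error_safe(username):
    # Hardened: HTML-escape every user-controlled value before it reaches the page.
    return f"<p>Login failed for {html.escape(username, quote=True)}</p>"

def comment_safe(text):
    # The same escaping rule applies to stored comments shown on discussion pages.
    return f'<div class="comment">{html.escape(text, quote=True)}</div>'

if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"   # constructed input containing a quote character
    print(login_unsafe(conn, crafted, crafted))  # ('alice',): the check was bypassed
    print(login_safe(conn, crafted, crafted))    # None: the quote stayed a literal
    print(login_error_safe("<script>alert(1)</script>"))
```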
What is involved with a Website Security Assessment?
Before you develop a website security strategy, it is important to assess existing security systems to determine where
improvements should be made. This involves an assessment of the web server, software, coding, and web
applications, to name a few areas. Additionally, if you are storing customer data and financial information, it is important
to ensure that compliance standards such as PCI, HIPAA, and others are being met.
In order to understand where security improvements should be made, the following areas should be reviewed:
Code Review: A large number of website breaches occur as the result of coding errors. Although code reviews
can be expensive, the cost of a breach can be worse. A thorough code review will tell you exactly where the
security vulnerabilities are in the website code and whether any weak coding practices or shortcuts are being used.
Discuss Coding with Developers: Ask your website developer if they are aware of some of the types of
cyber-attacks we mentioned above. If they understand what they are, make a point of asking them what they
have done in the coding to prevent the attacks. If they can provide you with a sensible answer, there should be
no problem with the code review and any apparent revisions.
On the other hand, if they cannot provide an answer, a code review should be an important step in protecting your
website. It will also help you to establish coding policies and standards for future website development.
Conduct a Web Vulnerability Assessment: This type of assessment takes on the perspective of an outsider
and provides scenarios on how they might extract data from your system. The assessment focuses on areas of
your website that face the Internet, as opposed to the server side of the site that contains the coding and other
backend processes that are essential behind the scenes. A Web vulnerability assessment will help you to focus
on what aspects of the site are likely to be vulnerable to exploits and tests the areas that are the most likely to be
Review IT Security Tools: It is important to review the current IT security tools you have deployed to determine
if they are providing sufficient protection or if changes are warranted. Depending upon your industry and the
requirements for your website, the security tools include but are not limited to an antivirus and anti-malware
protection system, firewall at the network level, firewall at the web application level, endpoint security
management, intrusion detection and prevention systems, and encryption technologies such as Secure Sockets
Layer (SSL) HTTPS, and more.
Mobile Devices: If your company uses mobile devices to access specific components of the website such as
CRM and others on the server side or backend, it is necessary to conduct a security assessment of mobile
devices. Although you may have a solid security strategy deployed, it can easily be compromised with mobile
There are many third party companies like this one that offer network and website security assessment services.
Conducting a local Google search should bring up the best results.
What Steps Should I Take to Reduce Online Risks?
Once you have assessed and defined the website security requirements, you should review the security policy and make
any necessary changes, covering how the security policy will be monitored and managed, how specific data is classified
based on sensitivity, and the effect a data breach would have on your business. This will help you to focus on the areas
that require the most protection. Other steps for reducing online risks include:
Level of Security and Ease of Use: Although website security is mainly about preventing data breaches and
information theft, the security practices you put in place should ensure the website remains available, offers fast
performance, and is in compliance with specific regulations for your industry.
Validation of Third Party Data: Most websites in today’s ecommerce environment receive input from
other sources such as news feeds, social media, and back office software systems. Part of your
security strategy should include validating the incoming and outgoing data to protect the integrity of your website
infrastructure and prevent data breaches.
Conduct Security Reviews at Each Milestone: Conduct a security review at each milestone in the development
process to ensure security issues are tackled immediately. The earlier you spot an issue, the
less costly it will be to mitigate the risks.
Create a Consistent Development Framework: Web applications and software will always have errors;
however, creating a consistent coding framework for developers minimizes the security risks. It also
means you should include a reasonable time frame for developing the web application securely instead of simply
accomplishing the requirements for functionality.
Implement Secure Testing: When testing for website vulnerabilities, a threat model should be created
to thoroughly check which actions are unauthorized and which actions are normal and intended functions.
Implement Auditing, Logging, and Alerts: There is a host of software available for auditing website activity,
logging for detection of suspicious activity, and alerts which provide you with early warnings of potential issues.
The logs must also be protected from unauthorized modification and include user identities capable of being
Use Secure Deployment: When you are developing a new website or expanding an existing one, the test and
live environments may vary and be configured differently. This can cause security issues if the setup and launch
of the website is not executed in a controlled manner that ensures all necessary security controls are
Contract and SLA Security: If you use external security protection services or sub-contractors, make sure
security is well defined in the contract or Service Level Agreement (see wiki – http://en.wikipedia.org/wiki/Service-level_agreement). Use the same process to determine the level of security the provider uses and how security
breaches are identified and handled.
Disaster Recovery and Business Continuity: Prepare your company with a backup plan in the event of
availability loss to your website. This includes identifying the probability of downtime and the effect it will have on
daily business operations. Define what actions should be taken to ensure business continuity in the event of an
In addition to the above steps, make certain the latest security technologies are deployed, such as an antivirus and
anti-malware protection system, firewall at the network level, firewall at the web application level, endpoint security
management, intrusion detection and prevention systems, and encryption technologies such as Secure Sockets Layer
(SSL) HTTPS, and more. This may also include data protection technologies associated with meeting compliance
requirements for PCI (Payment Card Industry), HIPAA (Health Insurance Portability and Accountability Act), and other
industry-specific standards.
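The "Implement Auditing, Logging, and Alerts" step above asks for two things: alerts that give early warning of suspicious activity, and logs that cannot be modified without anyone noticing. As an added example (not code from the article), the following runs a repeated-failed-login alert rule over constructed sample log lines and seals the log with an HMAC chain so that a later edit, insertion or reordering is detectable; the log format, the IP addresses and the key are all assumptions made for the demonstration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed sample log lines ("epoch_seconds client_ip event username"); example data only.
SAMPLE_LOG = [
    "1700000000 198.51.100.7 login_failed alice",
    "1700000005 198.51.100.7 login_failed alice",
    "1700000009 198.51.100.7 login_failed bob",
    "1700000012 198.51.100.7 login_failed carol",
    "1700000020 198.51.100.7 login_failed dave",
    "1700000031 203.0.113.9 login_ok erin",
    "1700000400 203.0.113.9 login_failed erin",
]

def failed_login_alerts(lines, threshold=5, window=60):
    """Return (ip, time) each time an IP reaches `threshold` failed logins inside `window` seconds."""
    recent, alerts = defaultdict(deque), []
    for line in lines:
        ts, ip, event, _user = line.split()
        if event != "login_failed":
            continue
        ts = int(ts)
        q = recent[ip]
        q.append(ts)
        while q[0] < ts - window:      # forget failures older than the window
            q.popleft()
        if len(q) == threshold:        # fire exactly when the threshold is crossed
            alerts.append((ip, ts))
    return alerts

def seal_log(lines, key):
    """Chain each line to the previous tag with an HMAC; keep the key on a separate log collector."""
    chain, prev = [], b"\x00" * 32
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        chain.append((line, tag))
        prev = tag
    return chain

def verify_log(chain, key):
    """Recompute the chain; an edited, inserted, deleted or reordered entry breaks it."""
    prev = b"\x00" * 32
    for line, tag in chain:
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        prev = tag
    return True
```

Dropping entries from the end of the chain is not caught by `verify_log` alone; keep a copy of the latest tag on the collector and compare it against the web server's copy.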
Another article by Brian Morton, a professional IT consultant of 11 years and counting. You will find Brian’s articles
across the internet on various technology sites.