TheRodinhoods

Why Vulnerability Assessment and Penetration Testing is Important for your Portal/Website/Web application?

Hi All,

I own a Cyber Security Firm “Security Thinkerz“. It's my habit that whenever I visit a website or a portal, I run a few manual tests to check whether that particular website or portal is vulnerable or not, and it is very surprising that 75-80% of websites are vulnerable and can be hacked in just a few minutes. But the owners of these websites or portals don't do anything to rectify this. They treat security as the least priority. Most of these websites are developed by some third party, so the developers take a very casual approach to developing the code and never pay attention to even the smallest security issues in their code that can be exploited.

Now the next question is: Can these security issues affect my business? If yes, how? (Good question ;))
Let's take an example: suppose you run an ecommerce website (zzzz.com) and you are doing really well. Now let's see what data you use or store in your database:

1. User details (Name, address, Phone number etc.)
2. Login credentials (username, Password, email ids etc.)
3. User Payment Details (Credit/Debit Card Numbers, Account numbers, CVV, etc.)
4. Your daily selling details and other financial details.
5. Your (zzzz.com) website admin credentials.

I hope I have covered all the important data types here (if I missed something, please add it).
So, imagine someone finds the smallest vulnerability in your website, exploits it to gain access to your database, takes a copy of the full database and sells it to your rival or on an underground website (that is what hackers call them; there you can buy and sell user details such as names, usernames, passwords, email addresses and payment details). Once all your important and confidential details are leaked, you cannot do business for a long time, because your users can no longer trust you with their confidential data.
One small mistake and everything is lost.

PS: This does not apply only to eCommerce; any website that holds user data can be a victim of this.

So, what should one do to avoid these kinds of security issues and protect themselves? (Wow! Again a great question :D)
To safeguard your website from these attacks, get a “Vulnerability Assessment and Penetration Testing (VAPT)” done.

What is Vulnerability Assessment and Penetration Testing (VAPT)? (You are super intelligent, you asked a good question again :))
VAPT is a complete set of methods and practices that cyber security experts use to determine the security status of a website, portal or network, where status means how vulnerable it is. You could say cyber security experts are hackers who attack your website and portals only with your permission, in order to tell you how they can be exploited and how to patch them, so that no malicious user can abuse them.
These procedures can be divided into two parts: Vulnerability Assessment and Penetration Testing.

Vulnerability Assessment:
Vulnerability assessment is a process that defines, identifies and classifies the security holes (vulnerabilities) in a computer, network or communications infrastructure. In addition, vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.

Vulnerability analysis consists of several steps:

1. Defining and classifying network or system resources
2. Assigning relative levels of importance to the resources
3. Identifying potential threats to each resource
4. Developing a strategy to deal with the most serious potential problems first
5. Defining and implementing ways to minimize the consequences if an attack occurs.

If security holes are found as a result of vulnerability analysis, a vulnerability disclosure may be required. The person or organization that discovers the vulnerability, or a responsible industry body such as the Computer Emergency Readiness Team (CERT), may make the disclosure. If the vulnerability is not classified as a high-level threat, the vendor may be given a certain amount of time to fix the problem before the vulnerability is disclosed publicly.

The third stage of vulnerability analysis (identifying potential threats) is sometimes performed by a white hat using ethical hacking techniques. Using this method to assess vulnerabilities, security experts deliberately probe a network or system to discover its weaknesses. This process provides guidelines for the development of countermeasures to prevent a genuine attack.

Penetration Testing:
Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.

Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.

The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization’s security policy compliance, its employees’ security awareness and the organization’s ability to identify and respond to security incidents.

Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.

One last question: Who will help me find vulnerabilities in my website or portal?
Any organization with good knowledge and experience in this field can provide you these services. But I insist that prevention is better than cure: good coding practices, analysis of the code at regular intervals and making a good IT security policy are the basic rules; using these rules you can prevent it at the ground level itself. (You can only prevent it, because no system is foolproof.)

Let me know what you think about the security issues.

PS: If you want a “Vulnerability Assessment and Penetration Testing (VAPT)” for your website/portal, please get in touch with me on peeyoosh.kumar@securitythinkerz.com or visit Security Thinkerz.

For Rodinhood members: 10% extra discount. (Limited time offer :))

#StaySecure