90% of UK websites are insecure
90% of UK organisations' websites contain one or more vulnerability that may enable external users to gain unauthorised system access or disrupt service availability. A further 33% of websites have been found to contain critical vulnerabilities that are widely known and actively exploited by hackers.
These findings form part of NTA's Annual Web Application Security Report 2007, which analyses data gathered from web application security tests undertaken on behalf of a variety of organisations, including financial institutions, legal practices, universities and local government bodies, during 2006.
Roy Hills, Technical Director at NTA Monitor, says: "Web applications are accessible 24 hours a day, 7 days a week and control sensitive data such as customer details, credit card numbers and proprietary corporate data. With an ever increasing number of people using the Internet for personal business such as banking, bill payments and shopping, and as a core part of their working lives in terms of remote working and resource sharing, it's high time that organisations take greater steps towards protecting these revenue generating and efficiency enabling systems."
As the number, size and complexity of web applications increases, so does the risk exposure. Attackers focusing on web application security problems are actively developing tools and techniques for exploiting them. Three key recommendations that organisations can follow to reduce their risk are:
- An account lockout mechanism should be in place to lock out accounts permanently or temporarily, to help prevent attackers from being able to brute force user accounts
- META characters such as single quotes, double quotes and semi colons should be disallowed in order to minimise the threat of SQL injection attacks, which are a high risk vulnerability
- In order to help protect against keystroke loggers, the mouse and keyboard should both be used during login processes, for instance, users should be asked to use drop-down boxes or radio buttons as well as keying in details
The full report contains further recommendations and not only looks at the different types of vulnerabilities found in organisations, but also examines how a range of industry sectors fair against the average findings. It is available from NTA by emailing marketing@nta-monitor.com
This article was first released on: 21st March 2007