Risk Free News
Vulnerability and security of financial websites
In a recent report, Menlo Security found that one out of every three of the top million websites on the net is either ‘vulnerable to hacking or already hacked.’ Menlo detected no vulnerabilities on 66% of the sites, but the remaining 34% were classified as "risky":
- 22% were running on vulnerable infrastructure.
- 10% of all sites were running a vulnerable version of PHP.
- 8% were running vulnerable Web server software, evenly split between Apache and IIS.
- 2% of the sites ran vulnerable content management systems, evenly split between WordPress and Drupal.
- Some niche site categories had much higher vulnerability rates, up to 80%.
‘Existing security technologies consistently fail to detect and stop infections’ (Menlo). One recent example was the Forbes.com website, which was compromised in late 2014 and stayed that way for a couple of days before Forbes regained control. The attackers were linked to a Chinese cyber-espionage group.
In 2014, it was estimated that businesses lost nearly $400 billion to cyber-crime. In many cases a company’s own employees put the business at risk, often unintentionally, by browsing to a trusted website or clicking on a link in an email that led them to a compromised site. Simply navigating to a compromised website or opening a document can deliver a whole host of malware onto a user’s computer. Once one machine is compromised, an attack can quickly spread to other systems both within and outside the company.
There are roughly one billion websites on the Internet, with more than 100,000 new sites coming online daily. One study reported that over 70% of Web domains exist for just a single day. And as the Forbes.com incident showed, the notion of a “trusted” site is often illusory: a vulnerable site cannot be trusted, whoever owns it.
"As one of the leading software as a service (SaaS) providers to the UK’s Lender market, we have to continually add new security features to our systems, including patches, firewalls, and SSL certificates. Many specialist lenders continue to ignore these simple measures," said Anthony Roy, Technical Director.
"We believe many lenders are putting themselves at unnecessary risk and will not take any action until it is too late (often when they have been hacked and client data is compromised). Most companies only install antivirus software after the event. Lenders must realise that they need to protect client data, not only to protect their reputation and business, but also from a compliance perspective.”
Website infrastructure can be compromised at any point. It is worth noting that information about a site’s underlying software (the web server, the language runtime and the CMS, often with exact version numbers) is routinely returned in the response headers to any browser that makes a Web request. Attackers therefore need no more than a standard browser to find vulnerable sites to exploit. Hackers are often sophisticated, unchecked and expert at what they do. As a business, do you know the vulnerabilities of your website and systems, and what have you put in place to counter them?
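To show how little an attacker needs, here is an added example (written for this page, not code from Risk Free or from the Menlo report) that parses a raw HTTP response and lists every software name and version the headers give away. The response bytes are constructed for the example and the product versions in them are illustrative; the header names (Server, X-Powered-By, X-AspNet-Version, X-Generator) are the ones that commonly carry this information.

```python
import re

# Constructed sample: the raw bytes a web server might return for a plain GET.
# The product names and versions here are illustrative, not taken from any real site.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 02 Feb 2015 10:00:00 GMT\r\n"
    b"Server: Apache/2.2.15 (CentOS) PHP/5.3.3\r\n"
    b"X-Powered-By: PHP/5.3.3\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><body>Hello</body></html>"
)

# Headers that commonly leak software names and versions.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# "name/1.2.3" tokens. The version must contain at least one dot, so a bare
# product name such as "Server: nginx" is not reported as a version leak.
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")
BARE_VERSION = re.compile(r"\d+(?:\.\d+)+")


def parse_headers(raw):
    """Split a raw HTTP response into a dict of lower-cased header names to values."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosed_versions(raw):
    """Return a sorted, de-duplicated list of (product, version) pairs the response leaks."""
    headers = parse_headers(raw)
    found = set()
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        # X-AspNet-Version carries only a version; the product is implicit.
        if name == "x-aspnet-version" and BARE_VERSION.fullmatch(value):
            found.add(("ASP.NET", value))
            continue
        for product, version in VERSION_TOKEN.findall(value):
            found.add((product, version))
    return sorted(found)


if __name__ == "__main__":
    for product, version in disclosed_versions(SAMPLE_RESPONSE):
        print(f"{product} {version}")
```

Run against the sample response this reports Apache 2.2.15 and PHP 5.3.3, which is exactly what an attacker would match against a list of known vulnerabilities. The banners can be suppressed (`ServerTokens Prod` in Apache, `server_tokens off;` in nginx, `expose_php = Off` in php.ini), but hiding the version is not a substitute for patching the software behind it.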
A quick guide to checking the vulnerability of your web services:
• Use a reputable ‘online scanner’ to test your website.
• Ensure your server sits behind a good firewall that is locked down, with no ports open other than those the service actually needs (typically 80 and 443 for a website).
• Protect the forms on your website from ‘SQL injection’, where form input is used to manipulate the database queries your site runs; use parameterised queries rather than building SQL strings from user input.
• Reduce or remove the ability to upload unnecessary documents or ‘executable files’ to your website; block the file types that can run code on the server, and check every extension in a filename rather than only the last one.
• ‘Denial of service attacks’: disabling ‘ping’ (ICMP echo) on your website and server hides the host from simple network sweeps, but it will not stop an attacker who already knows your address, so treat it as one measure among several.
• Limit the number of connections from any single IP address.
• Make sure your server is kept up to date with the latest ‘updates’ from your supplier.
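The SQL injection and file upload points above are the two a developer can check directly in code. The following is an added example written for this page (not Risk Free’s code, and not taken from any lender’s system) that puts a vulnerable form lookup beside its parameterised replacement, using an in-memory SQLite table constructed for the example, and then shows an upload filename check that rejects executable extensions wherever they appear in the name. The table, the client rows and the extension lists are assumptions chosen for illustration.

```python
import sqlite3
from pathlib import PurePosixPath


def make_db():
    """Constructed sample data: a tiny in-memory table of client records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT, account_ref TEXT)")
    conn.executemany(
        "INSERT INTO clients (email, account_ref) VALUES (?, ?)",
        [("alice@example.com", "ACC-1001"), ("bob@example.com", "ACC-1002")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The form value is concatenated into the SQL text, so the database parses it as SQL."""
    sql = "SELECT account_ref FROM clients WHERE email = '" + email + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """The form value is bound as a parameter and can only ever be compared as data."""
    sql = "SELECT account_ref FROM clients WHERE email = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (email,))]


# Extensions we are willing to store (assumed policy for a document upload form).
ALLOWED_EXTENSIONS = {"pdf", "jpg", "jpeg", "png"}
# Extensions that a typical web server may hand to an interpreter.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "phar",
    "asp", "aspx", "jsp", "cgi", "pl", "py", "sh", "exe",
}


def is_upload_allowed(filename):
    """Return True only for a plain filename whose extensions are all safe to store."""
    # Drop any directory part the client sent (covers both / and \ separators).
    name = PurePosixPath(filename.replace("\\", "/")).name
    if not name or name.startswith(".") or "\x00" in name:
        return False
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False  # no extension at all: refuse rather than guess
    exts = parts[1:]
    # Every extension segment is checked, so "shell.php.jpg" is rejected, not just "shell.php".
    if any(ext in EXECUTABLE_EXTENSIONS for ext in exts):
        return False
    return exts[-1] in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every client's account_ref
    print("safe:      ", lookup_safe(db, payload))         # nothing, the payload is just a string
    for f in ("statement.pdf", "shell.php", "shell.php.jpg", "../shell.PHTML"):
        print(f, "->", "allowed" if is_upload_allowed(f) else "rejected")
```

The injected value `x' OR '1'='1` turns the concatenated query into one whose WHERE clause is always true, so the vulnerable lookup returns every client’s account reference, while the parameterised version returns nothing because the same bytes are compared as a literal email address. The upload check deliberately refuses names with no extension, names containing a NUL byte, and any name with an executable extension in the middle, since some server configurations will execute those too.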
Risk Free would be happy to offer advice and guidance to Lenders, who are worried about protecting their systems and client data.