Although acts of vandalism such as defacing corporate websites are still commonplace, hackers nowadays prefer to gain access to the sensitive data residing on the database server because of the pay-off from selling that data.
The costs of not giving due attention to your web security are extensive with a possible financial burden that may result in:
• Loss of customer confidence, trust and reputation with the consequent harm to brand equity and possible effects on revenue and profitability
• Negative impact on revenues and profits arising from any falsified transactions and from employee downtime
• Website downtime which is in effect the closure of one of the most important sales channels for an e-business
• The expenditure involved in repairing the damage done and building contingency plans for securing compromised websites and web applications
• Legal battles and related implications from Web application attacks and poor security measures including fines and damages to be paid to victims.
Web Security Weaknesses
Hackers will attempt to gain access to your database server through two main routes:
• Web and database servers.
• Web applications.
Proof of such exploits is readily available on the Internet.
Web Security Scanning
Web security, therefore, contains two important components: web and database server security, and web application security. Addressing web application security is as critical as addressing server security.
Firewalls and similar intrusion detection mechanisms provide little defense against full-scale web attacks. Since your website needs to be public, security mechanisms will allow public web traffic to communicate with your web and database servers (generally over port 80).
Scanning these web assets on the network for possible vulnerabilities is paramount. For example, all modern database systems (e.g. Microsoft SQL Server, Oracle and MySQL) listen on specific ports, and anyone who can reach those ports can attempt a direct connection to the database, effectively bypassing the security mechanisms of the operating system. These ports remain open to allow legitimate traffic through and therefore constitute a major vulnerability. Other weaknesses relate to the database application itself and to the use of weak or default passwords by administrators. Vendors patch their products regularly; however, hackers keep finding new ways to attack.
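The check a defender would want from the paragraph above is whether the database listeners of your own hosts are reachable from a network position they should not be (the public side rather than the application tier). The following is an added example, not code from the original article: it tries a plain TCP connection to the vendor-default ports of the three database systems named (1433, 1521 and 3306 are assumed defaults; deployments may use others) and reports which ones answer. The host list is constructed for illustration.

```python
import socket
from typing import Dict, List, Tuple

# Vendor-default listener ports for the database systems named in the text.
# Assumption: defaults only; a deployment on a non-standard port is not caught.
DEFAULT_DB_PORTS: Dict[int, str] = {
    1433: "Microsoft SQL Server",
    1521: "Oracle listener",
    3306: "MySQL",
}


def port_is_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A completed handshake means the database listener is exposed to whoever
    runs this check, regardless of operating-system accounts or file rights.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def audit_exposed_db_ports(
    hosts: List[str],
    ports: Dict[int, str] = DEFAULT_DB_PORTS,
    timeout: float = 1.0,
) -> List[Tuple[str, int, str]]:
    """Return (host, port, product) for every database port that accepts a connection.

    Run this from outside the application tier; every finding is a listener
    that a firewall rule should restrict to the web/application servers only.
    """
    findings = []
    for host in hosts:
        for port, product in ports.items():
            if port_is_reachable(host, port, timeout):
                findings.append((host, port, product))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; replace with your own hosts.
    for host, port, product in audit_exposed_db_ports(["127.0.0.1"]):
        print(f"EXPOSED: {host}:{port} ({product}) accepts direct connections")
```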