EXECUTIVE BRIEF. IT and Business Professionals Say Website Attacks are Persistent and Varied. In this Paper

Transcription

1 Sponsored by IT and Business Professionals Say Website Attacks are Persistent and Varied EXECUTIVE BRIEF In this Paper Thirty percent of IT and business professionals say their organization was attacked in the last two years Personal data, intellectual property, and credit card information were among the types of data compromised Lack of budget and a shortage of trained personnel are holding back the website security efforts at some organizations

2 Introduction Successful strategies for improving website security and preventing costly attacks are proving elusive to some organizations, despite the widespread attention given to highprofile attacks and their consequences for businesses and consumers. According to a survey commissioned by Symantec and conducted by QuinStreet Enterprise, 30 percent of IT and business professionals report their organization suffered a website security incident in the past two years. An additional 15 percent of respondents said they did not know if their organization was the victim of an attack. Among the respondents who reported their organization was attacked in the past two years, 13 percent said their organization was attacked five or more times in that timeframe, a testament to the persistence of online attackers and the vulnerability of organizations that lack a sound website security strategy. The attack methods used against the organizations that suffered a website security incident in the past two years varied greatly, with no single method responsible for 25 percent of the events (see Figure 1). Content spoofing attacks are used to trick website visitors into believing the content they see on a site is being served by the site they visited, when in fact it is being served by a different source. Using dynamic HTML elements like frames, for example, the address bar in a reader s browser can show the expected domain, but an attacker can include a fake log-in form to capture credentials. Also called arbitrary code execution, remote code execution takes advantage of software vulnerabilities that give an attacker the ability to execute code on another machine and Attack Method attacks Content spoofing 24% Remote code execution 23% Information leakage 17% SSL vulnerability 17% Brute force attack 16% SQL injection 13% Cross-site scripting (XSS) 12% Format string vulnerabilities 10% Username enumeration 9% Inclusion vulnerability 8% Cross-site request forgery 5% Other 18% Figure 1: Attack methods used in website security incidents. In the past two years, 13 percent said their organization was attacked five or more times. essentially take control of that machine and its processes. The vulnerabilities are often exploited by malware and can go undetected without proper security methods. Nearly half (45 percent) of the respondents whose organizations were attacked described the type of data that was lost as 2

3 personal data. More than one-third (35 percent) of respondents said intellectual property was lost in the attack(s). Ten percent said credit card numbers were compromised. The mean amount of damage in dollars caused by the online attacks cited by the survey respondents was $525,510. The median cost was $62,820. Website Security Strategy Improving website security requires a comprehensive strategy, and increasingly such strategies involve multiple roles in the organization. Poor website security increases risk, which gets the attention of business executives like CEOs, finance leaders like CFOs, and even board members. Benefit Safeguarding customer/ business information customers can add up quickly, but businesses also pay a price in lost business and harm to their reputation. respondents 74% Reputation 63% Great customer service 49% Better ROI 36% Higher brand value 33% Figure 3: Benefits of a sound website security program. More than half (57 percent) of the survey respondents said IT personnel dedicated to security led the push to improve website security in their organization (see Figure 2), followed by CIOs and IT executives (33 percent) and CEOs and business leaders (24 percent). Role IT personnel dedicated to security CIO or other executives in IT organization CEO or other business executives Customer experience/ customer service professionals CFO or finance executives organizations 57% 33% 24% 17% 14% Board members 7% Other 12% Figure 2: Who is driving the push to improve website security in your organization? In a world where data breaches at large organizations make headlines on a regular basis, protecting information can carry a number of benefits for businesses that develop and implement a comprehensive website security strategy. Obviously the costs of an attack, in terms of actual damage and reparations to affected A solid website security strategy also serves as a competitive differentiator. It can increase customer satisfaction and help lure customers from businesses that fall victim to an attack. Safeguarding customer and business information was the most cited benefit of a sound website security program, according to the survey respondents, but they also cited reputation, customer service, ROI, and brand value among their responses (see Figure 3). The survey also explored the obstacles that stand between the respondents organizations and an effective website security strategy. As with any critical function, website security requires adequate funding, hiring the right people, and having the proper solutions to get the job done. The IT and business professionals responding to the survey cited lack of budget and a lack of trained personnel as the most common pain points affecting their organizations (see Figure 4). Businesses pay a price in lost business and harm to their reputation 3

4 Website security pain point respondents Lack of budget 41% Lack of trained personnel 38% Too many point solutions 24% Solutions from too many vendors Lack of ownership of website security 23% 22% Lack of automation 22% Lack of executive buy-in 14% Figure 4: Website security pain points affecting respondents organizations. There are a number of technologies available to help organizations create an effective website security strategy. Nearly half (47 percent) of the IT and business professionals surveyed said they were extremely or very familiar with Extended Validation SSL (EV SSL) technology, which offers the strongest encryption level available for website security and uses highly visible indicators in the browser to inform website visitors of the site s security. Forty-one percent of those surveyed said they were extremely or very familiar with Transport Layer Security (TLS), another protocol used to secure communications between browsers and servers. More than one-third of survey respondents said they were extremely or very familiar with Certificate Signing Requests (CSRs), which are messages sent from an applicant to a certificate authority (CA) in order to apply for a digital identity certificate, and with the cryptographic algorithm known as Secure Hash Algorithm 2 (SHA2). Perhaps more interesting are the findings around website security technologies that IT and business professionals said are not familiar to them. Those technologies include Elliptic Curve Cryptography (ECC), Rivest Cipher 4 (RC 4), and X.509 (see Figure 5). Clearly there are approaches to website security that are stronger and more efficient to procure that remain unfamiliar to many IT and business professionals. There are also technologies now proven less effective (such as RC4) still in use today. Developing a Website Security Strategy with Symantec The vast majority of survey respondents indicated they used only one vendor for website security solutions, and the most popular vendor cited was Symantec. In the early days of online transactions, it was not uncommon for customers to be hesitant about conducting business online, whether it was purchasing a product from an online shop or doing their banking. Today website security is, for many Internet users, an afterthought until one of the world s largest brands suffers a breach and it makes the news or suspicious charges appear on a payment card statement. From multinational brands to local merchants venturing into e-commerce, website security needs to be as important to doing Term Elliptic Curve Cryptography (ECC) Rivest Cipher 4 (RC 4) X.509 Unified Communications Certificate (UCC) SAN Certificates What is it? An approach to public-key cryptography that uses a smaller key size, reducing storage and transmission requirements. A stream cipher originally known for its simplicity and speed that has now been rendered insecure by vulnerabilities. A vital part of the TLS protocol that manages digital certificates and public-key encryption. An SSL certificate that can secure a primary domain name and up to 99 additional Subject Alternative Names (SANs) with a single certificate. An SSL certificate capable of securing up to 25 domain names with a single certificate. Figure 5: Website security terms cited as Not at all familiar by survey respondents. Respondents Not at all familiar 63% 62% 59% 59% 48% 4

5 business online as accepting credit cards. As a leader in online security, Symantec provides solutions that help businesses from SMBs to the enterprise secure their transactions, protect data, deliver top-notch customer service, and protect their reputations. Using SSL certificates from Symantec helps organizations of all sizes meet a variety of security and business needs: A successful local shop can confidently expand its business worldwide with an online store A major healthcare organization can protect sensitive personally identifiable information (PII) in accordance with regulations like HIPAA A large business can protect its data and intellectual property by ensuring encryption for internal s An online flower shop can improve its search engine optimization because the strength of encryption is now a factor in Google web page rankings Multinational corporations can protect their servers from unwanted intrusion by securing server-to-server communications Using EV SSL the most stringent verification process in SSL a financial institution can assuage the concerns of its customers by providing the best possible protection and assure them they aren t visiting a phishing site. There are a number of CAs and resellers that can help When it comes to security, Symantec offers its customers the strongest available encryption. organizations take the basic steps necessary to secure their websites. But a large part of developing a website security strategy as oppose to simply implementing website security is choosing a partner that understands the needs of the business and can adapt and scale as those needs evolve. As IT analyst firm Frost & Sullivan put it, A SSL certificate is a small part of a larger commitment. 1 When it comes to security, Symantec offers its customers the strongest available encryption in ECC, which has a 256-bit key length that is stronger than the RSA 2048-bit key length. Beyond the strength of the encryption, Symantec also provides the tools necessary for the inventory and management of SSL certificates so customers can better understand the state of their website security. Website administrators rely on Symantec s tools to: Ensure their encryption is in compliance with industry standards and company policies Configure SSL certificates for externally facing websites and internal networks Regularly scan their SSL certificates for vulnerabilities Automatically renew SSL certificates On today s Internet, website security is part of a larger experience. As a leading CA, Symantec ensures its SSL certificates have ubiquitous support for Web browsers and server operating systems, and it delivers fast load times when checking for SSL certificate revocation. Taken with the signs of a secure transaction using EV SSL such as https, the green address bar, and the organization s information Symantec delivers consumers and businesses more than security, they get a fast, safe, trusted customer experience. Symantec works hard to extend that trust to its customers through each phase of the process, from installation to ongoing technical support, and account management because it sees website security as a strategy that requires a true partnership, not just a transaction. 5

6 Survey Methodology The survey was sent to members of the QuinStreet Enterprise database via an invitation between March 24 and March 29, Nineteen percent of the 221 respondents claimed a job title of Sr. Director of IT, 15 percent said they held other IT staff positions, and 11 percent said they were VPs or Directors of IT. Ten percent said they held CTO, CSO, or CIO titles; 9 percent claimed C-level business titles; and 10 percent said they held other business management positions. Thirty-five percent of respondents worked at organizations with one to 99 employees; 45 percent worked at organizations with 1,000 or more employees. The first 100 of the 221 respondents were offered a $10 Amazon gift card. All respondents were entered into a drawing for a $300 Amazon gift card. The survey has a 6.89 percent margin of error at the 95 percent confidence interval. 1 Frost & Sullivan, Six Golden Rules for Selecting an SSL or TLS Certificate, A solid website security strategy also serves as a competitive differentiator. 6