Would you say a company is safe if its employees use laptops without any anti-malware installed? Most companies would say this is an irresponsible approach. So why would many companies have websites and web applications without any protection and why would many MSSPs not offer any type of web application security services to their customers?
An “antivirus” (an anti-malware solution) is seen as a standard part of a Windows installation – it’s rare to see a computer without one. However, oddly enough, many companies feel completely safe just setting up a website or web application without worrying about whether it’s secure and many MSSPs don’t offer them any security for their web assets. This is all the more surprising since web-accessible databases typically contain more sensitive data than an average desktop machine, for example, personal customer information.
Here are five reasons why you, the MSSP and your customers should treat web security with as much attention as personal computer security and endpoint security in general.
Reason 1. The move to the cloud
Twenty years ago, websites were just simple, mostly static presentations – digital billboards of sorts. Today many of us, for example, create our documents online instead of using a desktop word processor – quite often the only software installed on our Windows machine is the browser. And even though there is other software like Slack, it uses web interfaces to communicate with servers. Businesses use their own servers less often. For many employees, desktops and laptops are essentially thin clients that are just there for web access.
This means that anti-malware software basically protects an empty computer that does not contain any special software, just a browser. The only major risk of such a computer being attacked is if the attack steals web application login credentials.
On the other hand, all the data, all the business support software and everything else is on the web or will be there soon. And, unfortunately, very often it is left completely unprotected. So, whereas 20 years ago personal computer security was much more important than web security (because the web was little used), today it even seems that web security is becoming more important than personal computer security.
Reason 2. Ease of attack
Achieving a successful malware attack takes a lot of work. Even if the attacker uses easily available malware, like well-known Trojans, they still have to deliver this malware to the victim. This means that they must, for example, create a convincing phishing site and a convincing phishing email, and get people to install the Trojan. And even after the victim installs the malware, the attacker may discover that the victim’s computer is absolutely worthless because the victim is usually random.
On the other hand, it is much easier to pull off a successful web attack and there are also free and easily available tools that make it even easier for the attacker. All they have to do is point the tool at your website and the tool, which acts as a vulnerability scanner, finds the weaknesses and allows the attacker to exploit them immediately. Such an attack has a high probability of success because the attacker targets a particular victim and knows that the victim holds valuable information.
Cybercriminals like to simplify their lives. Why create indiscriminate and complex phishing campaigns hoping that they might end up with valuable data when they can perform a simple, automated and targeted attack and get results immediately?
Reason 3. No help from outside
If your customer uses a reputable cloud service provider to host their email accounts, they can be reasonably confident that there is an anti-malware solution on the server to eliminate potential threats before they reach the computers used by their employees. This means that a local anti-malware solution is not necessary for email at all.
On the other hand, most web hosting providers do not perform any vulnerability scans on the content they host. This means that the responsibility for protecting web assets for customers rests entirely with the MSSP.
Reason 4. The probability of an attack
As mentioned earlier, most of your customers have server-side anti-malware solutions for all their email needs. This can either be through a reputable cloud email provider offering server-side anti-malware or through your MSSP services. Therefore, the likelihood of generic malware arriving via email is almost nil.
The likelihood of catching a virus from a website your customer visits is equally low. This is because browsers won’t install anything on your computer unless you give explicit permission. Additionally, employees generally do not visit risky websites that may spread malware. Therefore, even if there was no anti-malware installed on your customers’ desktops and laptops, the likelihood of getting malware on a desktop machine is very low.
On the other hand, the likelihood of your client’s website or web application being the target of a generic attack is much higher. Hackers simply use automated software to discover available websites and then scan them for vulnerabilities. If your client is using any type of open source web software with plugins, such as WordPress, Joomla, Drupal, Magento, etc., they are most at risk as these plugins often have many vulnerabilities. Remember: unlike desktops and laptops, your client’s website or web application is exposed to the public and anyone can access it and try to hack it.
Reason 5. Become an accomplice to the crime
If, as a result of a malicious attack, your client’s business becomes complicit in a crime, it can have even worse consequences than a direct attack on that business. This can be costly for you and your customer and can put both companies at major risk. Therefore, any form of attack protection must also consider the possibility of someone using your client’s resources to attack someone else.
The goal of malware-based attacks is often to install botnet software. This software is then used for massive DDoS attacks against other entities. Attackers can also install malicious VPN solutions, which are then used to hide the attacker’s originating IP address.
However, web applications can also become accessories. For example, if a web application has a Cross-Site Scripting (XSS) vulnerability, that vulnerability can be used to create phishing attacks that will appear to originate from your customer’s domain. And the range of these attacks is much greater than for botnets – a botnet is used to attack a single target at a time. A phishing campaign can be sent to millions of targets who would then see your trusted domain and eventually fall victim to the scam.
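The XSS scenario above comes down to untrusted input being reflected into a page as markup. As an added illustration (not code from the article or from Invicti), here is the same page fragment rendered without and with HTML output encoding, plus a crude check that flags any tag not produced by the template itself; the search handler, the encoder and the sample input are all assumed and constructed for this example.

```javascript
// Added example (not from the original article): the same fragment rendered
// with and without HTML output encoding, to show why a reflected parameter
// can otherwise carry markup that appears to come from the site's own domain.

// Minimal HTML entity encoder for text placed inside an element body.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: reflects the search term straight into the markup.
function renderSearchUnsafe(term) {
  return `<h1>Results for: ${term}</h1>`;
}

// Hardened: encodes the term so the browser treats it as text, never as markup.
function renderSearchSafe(term) {
  return `<h1>Results for: ${escapeHtml(term)}</h1>`;
}

// Crude defender-side check: does the rendered output contain any tag that
// did not come from the template? The template's own tags are passed in.
function containsInjectedMarkup(html, templateTags) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !templateTags.includes(tag));
}

const TEMPLATE_TAGS = ["<h1>", "</h1>"];

// Constructed sample input: an inert marker shaped like an injected link
// (example.invalid is a reserved, non-resolving domain).
const SAMPLE_INPUT = 'shoes<a href="https://example.invalid/login">Sign in</a>';

// Returns both renderings and whether each one leaked foreign markup.
function compareRenderings(term = SAMPLE_INPUT) {
  const unsafe = renderSearchUnsafe(term);
  const safe = renderSearchSafe(term);
  return {
    unsafe,
    safe,
    unsafeLeaks: containsInjectedMarkup(unsafe, TEMPLATE_TAGS), // true
    safeLeaks: containsInjectedMarkup(safe, TEMPLATE_TAGS),     // false
  };
}
```

A scanner does the same kind of check at scale: it submits inputs like this to every reflected parameter and reports any that come back as live markup.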
So, if you don’t want to risk your reputation, you need to make sure your customers’ websites and web applications don’t have any vulnerabilities that could be used to attack someone else. And the only way to do it effectively is to use a web vulnerability scanner.
Blog guest post courtesy of Invicti, a global web application security company headquartered in Austin, Texas. See more Invicti guest blogs here. Regularly contributed guest blogs are part of the MSSP Alert referral program.