The value of information
As Wikipedia puts it, “Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction”. That may seem like a nerdy way of looking at it, but one thing is clear: information security should not only matter a great deal to every individual who has an online presence, but also be of the utmost importance to businesses.
Business value in information security
However, securing your information is not an easy process, and the bigger the business, the more expensive and the more important it gets. Why pay specialists to secure your information, you may ask? What business value does it bring? In this series of articles we will answer many of these questions and detail the most common security flaws in websites; did you know that more than 60% of websites are vulnerable to at least one common exploit? This may sound complicated, as if only hackers could take advantage of it, but that is no longer the case. Anyone with enough time and perseverance can find hacking software online, and all they would need to do is learn to use it; no coding necessary.
To understand the value of information, we must first define what information we hold and why it is important that unauthorised access is prevented. At the very least, businesses hold sensitive information on employees, as well as financial results, business plans and so on. Individuals, on the other hand, hold sensitive information such as private photos, videos and personal documents, but also shop online (using credit cards) and make online payments (using services such as internet banking or PayPal). All of this information is stored electronically and transmitted across the internet.
Imagine someone could see every key you press on your keyboard, using software on your computer that you have no idea is running (this is called a keylogger; we will detail it in a future article). Would you be OK with that? You shouldn’t be. Every time you enter the password for your e-mail account, that person would see it. Let’s not even get into online payments; that is how bank accounts get “hacked” and drained of your hard-earned money.
You don’t need to be an expert to “hack”
All websites are freely accessible. That is the whole idea of the internet: get your business known to other people through an easy-to-reach “place” they can visit sitting comfortably at their computer (whatever its form factor). However, every website also has parts hidden from the ordinary visitor (backend services such as the web server and the database server, where usernames, passwords and all kinds of other information are stored) that should not be accessible to anyone except the administrators. This is where hackers want to gain access, and this is the information they want to drain out of your business. It can be done in a number of ways (such as cross-site scripting (XSS), code injection and SQL injection; these methods will be detailed in future articles), and protecting against the most common security flaws can be a life saver. This requires not only securing your website, but also educating yourself and, if possible, your website’s users; many attacks rely on users’ naivety.
We care and we test
At SiteUP we take protecting your information very seriously and write code following industry-standard best practices. We can also perform security audits of your websites and, with your permission, try to hack them to see whether we can reach sensitive information, using the OWASP (Open Web Application Security Project) Top 10 security flaws for 2013 as a guide (more details here). We are not trained hackers; in fact, we have no idea what we’re doing. We are just tech-savvy people who know where to look for vulnerabilities and use software written by others that can be downloaded for free online (such as Burp Suite and Firebug). But just imagine this: if we can gain access to your information so easily, imagine what a real hacker could do.