Cyber attackers will do whatever it takes to exploit vulnerabilities and plant malware that might eventually allow them to infiltrate an unsuspecting user's computer. From there it's easy to gain entry to the corporate network where the hacker can cause all kinds of havoc.
One hacking technique pervasive today is to corrupt a legitimate website and plant malware that is poised for download whenever an innocent visitor arrives. According to Google, almost 10,000 websites a day are infected with malware that is intended to harm site visitors. Websense claims that 85% of all malicious web content is hosted on legitimate websites that have been hacked.
It's not surprising that attackers have shifted their focus toward hacking websites. Web technologies were originally created with ease of use in mind, not security. The interactive nature of today's websites makes them prime targets because of a wide range of vulnerabilities that can easily be exploited, such as SQL injection, cross-site scripting (XSS), URL redirection and a long list of others.
It seems no organization is immune. The Wall Street Journal reported that the data breach that recently struck global banking behemoth JP Morgan Chase & Co. may have started with a zero-day vulnerability in one of the bank's websites.
If a company with the security resources of JP Morgan can be hacked, then less tech-savvy companies – especially small and medium-sized businesses (SMBs) – must be ripe targets. Website security firm 6Scan claims that, on average, 7% of all traffic to small business websites is attempting to detect and breach vulnerabilities of those sites.
6Scan CEO Chris Weltzien says the problem is particularly acute for SMBs. "There are about 40 million websites today that are associated with small businesses," says Weltzien. "Most of these companies don't have the tools or the technical expertise to address the issue of website security. Many of them don't understand, conceptually, the threat that their website is potentially an open door into their own business, or that it can pose a threat to those who visit that website."
Formed more than three years ago by a group of security industry veterans, 6Scan focuses its services on the SMB space. The vendor's key value proposition is automating the detection and remediation of website vulnerabilities and embedded malware. "There are a lot of solutions on the market today for scanning websites and identifying vulnerabilities or existing malware," Weltzien says. "Our solution goes a step further in that we automatically remediate all the issues we detect. We remotely patch for vulnerabilities and remediate malware without the customer having to do anything other than providing us with the credentials for their website."
6Scan operates three types of scans. The first looks for security vulnerabilities like SQL injection, XSS and more. The second is based on the platform of the website; for instance, content management systems like WordPress, Drupal or Joomla. 6Scan maintains a huge database of signatures based on platforms and scans websites for those signatures. And finally, the third type of scan is for malware on the website.
The company's cloud-based scanning service is free. Anybody can enter their email address and web address and 6Scan will scan the site for issues. The results are presented in a custom dashboard that is exclusive to that user. Companies that discover their website has a problem can then subscribe to 6Scan's remediation service to automatically patch the vulnerabilities and quarantine malware and close it off so it can't participate in any malicious activity. 6Scan's security experts can remove the malicious code from the website to prevent further harm.
The vendor has a simulation engine that allows it to act the way a hacker would to find and exploit a vulnerability, such as SQL injection. This engine basically bangs against a website to identify vulnerabilities, and if any are found, the company applies a virtual patch for those specific vulnerabilities. After applying the patch, 6Scan performs a test to determine whether or not the vulnerability is still exploitable.
It is the rare SMB that would have the time, knowledge and expertise to conduct this testing and remediation on its own. Weltzien says his solution's big value is in the automated remediation. "When malware is detected, it can take hours or days for someone who really knows what they are doing to manually remove it," he explains. "Most SMBs don't have the capability to do this on their own. We recently launched the malware quarantine piece of our solution to automatically prevent detected malware from communicating with a command-and-control server, serving malicious downloads and participating in malicious activity such as a botnet. Once the malware is neutralized, we can remove it from the website."
Websites that are found to harbor malware are routinely blacklisted, and people using browsers such as Google Chrome are blocked from reaching that website. 6Scan helps its customers get off the blacklist once the malware on their websites has been remediated. "As soon as we quarantine the malware on a website, we submit a request for the keepers of the blacklists – companies like Google and StopBadware.org – to rescan the website to have it removed from the lists. This speeds up the process of clearing the website for general access once again," says Weltzien.
Any organization that presents a website to the public has a moral if not legal responsibility to ensure its site is not going to cause harm to people who visit. It's just good business to keep a website from forcing malware on someone, or acting as part of a malicious botnet. What's more, the owner of the website might find that vulnerabilities that are exploited could be used against that company, as is suspected to be the case in the recent JP Morgan breach. With a service like the one offered by 6Scan, keeping a website clean doesn't have to be a big burden on a company with sparse technical resources.