Security threats puzzle almost every organization across the world. If you are in an online business, then you are very well aware of web threats that compel you to take prompt action to run your business in a secure environment. According to you, what is the biggest security threat for your online business?
To get the answer of this important question, I discussed with security experts, managers, and other respected leader of organizations on this emerging issue, and below concluded their finest answers. So, have a look over their opinion that whom they believe are the most security threats in organizations.
Experts Opinion:
Security experts have expressed their opinion of various security threats are as under.
Kevin Carlson:
According to Kevin Carlson, a chief security officer at Optaros, “Hackers consistently push the envelope and find new avenues into a company’s back end systems. Security threats come from all angles — through web applications, POS systems (such as the Target breach), and one that is often overlooked by the media, internal attacks.”
“Some of the most common attempted hacks we see are cross-site scripting, cross-site request forgeries, SQL injection, Trojan horse, and improper configuration of security.”
Simeon Simeonov:
Simeon Simeonov, Founder & CTO, Swoop said, “Online security risk assessment has focused on site-directed threats ranging from exploits of security vulnerabilities, bad actors (traffic using phished credentials) and multi-party fraudulent transactions (what nearly killed PayPal before CTO Max Levchin put together their fraud detection system). Mitigation strategies range from application assurance & penetration testing (IBM, Veracode) to device reputation management to online transaction suspicious behavior detection services (an emerging market with mostly startup vendors). The threat landscape has shifted substantially to a new type of threat: network-directed as opposed to site-directed.”
Kurt Elster:
According to Kurt Elster, a managing partner at Ethercycle believes that “The two most common intrusion attempts we see are vulnerability scans and brute force password cracking. Fortunately, circumventing brute force password attacks is straightforward. Anywhere a password is required, login attempts must be limited, and bans placed on repeat offenders.”
“Depending on the situation, one can further harden their install by restricting server access by IP and time where appropriate. Vulnerability scans are even more commonplace than brute force password cracking. Most people can limit the affect of these attacks using a firewall (or even a service like CloudFlare) or by filtering for those vulnerabilities on the web server itself.”
Won Tamura:
Won Tamura, a Marketing & Publicity Manager at Common Key said, “One clear example that comes to mind is the use of unsecured and primitive password management tools, which often are just spreadsheets and post-it notes.”
Sarah Elder:
Sarah Elder at LEWIS PR Global Communications said, “One of the biggest security threats for online businesses today is getting attacked by hackers or experiencing a slowdown in their service due to distributed denial of service, essentially hackers flooding the network with so many requests that it crashes.”
Britni Zandbergen:
Britni Zandbergen, a Sr. Director, Marketing at IDology, Inc said,” The major one, of course, is identity theft – fraudsters are stealing legitimate identities and then racking up fraudulent charges on online goods and services.”
“That is why it is important for them to implement security processes such as identity verification and fraud prevention in order to make sure that their customers are who they say they are.”
Matt Boaman:
Matt Boaman at EZSolution expresses his thoughts about security threats like
“SQL Injection means a hacker attempting to access a database to steal private information through insertion of malicious code into a URL string on your website. When websites are coded, all information that is submitted in forms must be escaped and encoded before being entered into a database.”
“Scripting involves a hacker putting a malicious script onto the web server through an upload function in a form.”
“Server Loopholes are always being found and Microsoft and other software companies release patches and security fixes on a regular basis.”
Marc Gaffan:
According to Marc Gaffan, co-founder of Incapsula, most MiTM (Man-in-middle) attacks occur because of three reasons:
- The end user was duped to a fraudulent website (acting as the MiTM) and the website neither did not have a SSL cert nor had a cert for a different domain (which the user did not notice).
- The end user has a key logger Trojan on their device that will catch the user’s credentials before they are encrypted by SSL
- The end user has a Trojan on their device that injects code into the browser page (executing a Man in the Browser Attack) which once again will steal the sensitive information before its encrypted.
Conclusion:
From the above opinions of security experts, it is clear that some common security threats have really influenced security experts’ mindsets, which are
| SQL injection | Brute force | Trojan horse | Identity theft | Man-in-middle attack |
| Scripting | Server loopholes | DDoS attack | Phishing | Server loopholes |
Security precautions from Experts:
Many experts showed concern over weak security parameters and force to comply necessary security measurements to avoid such security threats.
- According to Simeon Simeonov, “Mitigating this threat requires more advanced security solutions and well as structural approaches to simplify and control the value chain.”
- Kurt Elster said, “One could further harden their install by restricting server access by IP and time where appropriate. Adding two factor authentication schemes or using SSH keys instead of passwords help as well.”
- Won Tamura said, “Use your own password management cloud platform that allows a team leader or HR director to easily manage employee access to specific company accounts”.
- Ian Aronovich, Co-founder and CEO of Government Auctions said, “This is a secure way of processing database information such as usernames and passwords. You don’t want any key information like personal phone numbers, dates of birth or addresses to somehow leak out into the wrong hands.”
- Matt Boaman said, “Use a third party scanning tool that can be used to run against a website, especially if you are choosing to be PCI compliant. Nessus and Security Metrix are two of the most well-known for finding security vulnerabilities with your site.”
- Bill Carey at VP of Marketing at Siber Systems contributed security precautions,
- Regularly update software to eliminate security weaknesses. Windows, Macs, and all browsers regularly provide free software updates; take advantage of this to close security loopholes!
- When you are done with using a website, log off and close your browser. This will prevent others from gaining access to your account.
- Create passwords with combinations of upper and lowercase letters, numbers and special characters.
- Do not use personal information in your password, such as your name, your partner’s name, your child’s name, your occupation, telephone number, birth date, etc.
- Small businesses have to hold their employees accountable for their security. Employees must adopt safe security habits to keep their information and the company’s information protected. Consider putting a formal cyber-security policy into effect.
- Make sure that you use a PIN or #password on your mobile phone.
- Use the ‘Keystroke’ method for making passwords. Choose a password and create a keyboard mapping system.
- Disable pictures on your email and read it in plain text. The sender will not be able to identify if you have opened the email.
- Do not keep a record or list of your passwords in unencrypted files on your computer or phone.
- Have a disposable e-mail address. Only give your actual e-mail address out to who people who need it. This will avoid mass spam and keep your inbox clean.
At last, besides the above security threats we can further list out some areas in an organization like insider threat, unpatched software, inadequate security policies, hactivism, mobile device security, cloud computing that also needs proper observation in organizations.
