Protecting your clients’ laptops and other endpoints from malware is a fundamental and common-sense practice. Keeping websites and applications safe from constant cyberattack attempts should be equally obvious, yet many organizations still don’t pay nearly enough attention to their web application security.
Would you say your clients are secure if their employees are using laptops with no anti-malware application installed? Most business leaders would say that is an irresponsible approach, and they would be right. Why, then, do so many businesses run their websites and web applications with no protection at all?
An antivirus (or, more generally, an anti-malware solution) is treated as a standard and common-sense element of any Windows installation. It’s rare to see a computer without one, especially in business settings. Yet, strangely enough, many businesses are perfectly happy to set up a website or web application without paying attention to security. This is even more surprising when you consider that web-accessible databases may hold far more sensitive data than an average office machine, such as customers’ personal information.
Here are four reasons why you should push web application security as much as personal computer security and endpoint security to your MSSP clients:
1: Migration to Cloud Changed the MSSP Security Game
Twenty years ago, websites were just simple, mostly static presentations – digital billboards, in a way. Today, they can be full-fledged applications that allow us, for example, to create documents online rather than in a desktop word processor. Quite often, the only major piece of native software installed on a Windows machine is the web browser. Even if your clients have something like Slack installed, that still uses web interfaces to communicate with the servers.
Unsurprisingly, companies are using their own servers less often, especially in day-to-day operations. For many employees, desktop computers and laptops are now basically thin clients that are only there to run a browser with web applications. This means anti-malware software is essentially protecting an empty computer with no special software or data on it, just a browser. The only major risk to businesses if such a computer is attacked is that a successful attack may enable bad actors to log into company web applications.
On the other hand, all your data and all your business-critical applications now reside in the cloud or will soon be there. And, unfortunately, all this is often left completely unprotected. So while 20 years ago, personal computer security was much more important than web security because web applications were barely used for businesses, nowadays it’s fair to say that web security is becoming more important than endpoint security for organizations.
2: Ease of Access Without Web Application Security
Preparing and executing a successful attack using malware takes a lot of work. Even if the attacker uses off-the-shelf malware, like well-known trojans, they still have to deliver it to the victim. In a typical scenario, this could mean creating a convincing phishing site and convincing phishing emails to get people to install the trojan. And even after a victim installs the malware, attackers could well find out that the victim’s computer has absolutely no value for them because the victim is usually a random person.
On the other hand, performing a successful web attack is much easier, especially with free and easily available tools that make it even simpler for the attacker. All they have to do is point the tool at your clients’ websites, and the tool, which is essentially a vulnerability scanner used without authorization, will probe the sites for weaknesses and allow the attacker to exploit them immediately. Such attacks have a high probability of success because the attacker can pick target sites that they know hold valuable information.
Above all, cybercriminals like to make their lives easy and efficient. Why work hard to create complex blind phishing campaigns in the hope of scavenging some valuable data when they can perform an easy, automated, and precisely targeted attack and get results immediately?
3: No Help with Application Security From Cloud Servers
If your clients host email accounts with a reputable cloud service provider rather than running their own mail servers, they can be reasonably confident that the provider has an effective anti-malware solution on its servers to eliminate potential threats before they reach the eyes and devices of their employees. This means that whatever local anti-malware solution they are using on company devices is not needed at all for email, because the provider handles that part of their security.
Strangely enough, we do not know of any web hosting providers that perform regular vulnerability scanning on the content they host. Unlike cloud email providers, web hosting providers usually don’t provide any kind of protection except generic web application firewalls that can stop the most common attacks but do nothing to eliminate vulnerabilities.
Therefore, until web vulnerability scanning becomes a standard part of cloud provider offerings (if it ever does), your clients are on their own. The client’s staff are the only ones who can find and eliminate serious vulnerabilities in their websites and web applications, which is all the more reason to be using a web vulnerability scanner regularly.
4: Risk of Attack on Clients’ Web Applications
As mentioned above, your clients most likely have anti-malware solutions on the server side for all their email security needs. This is either because a reputable cloud provider runs server-side anti-malware or because they run their own mail server, which they would not dream of leaving without anti-malware protection. In both cases, the probability of generic malware making it through via email is next to none.
In practice, the probability that one of your client’s employees will be exposed to a virus from visiting a website is just as low. This is because browsers won’t install anything on the local machine unless the user gives explicit permission. Also, the client’s employees are unlikely to visit risky websites that may be spreading malware, not only because of company policy but because their IT department will most likely be blocking such sites on company hardware. So even if they had no anti-malware installed, the probability of getting malware onto an office machine is very low.
On the other hand, the probability that your website or web application will be the target of a generic attack is much higher, bordering on certainty. This is because black-hat hackers simply use automated software to scan for available websites and then probe them for vulnerabilities. If your clients use any kind of open-source web software with plugins, such as WordPress, Joomla, Drupal, Magento, etc., they’re at a high risk of attack. Remember: unlike office laptops, websites or web applications are exposed to the public. Anybody on the internet can access and potentially try to hack them.
If you don’t want to risk your clients’ reputations and your own business, you should ensure that their websites and web applications don’t have vulnerabilities that bad actors could abuse to attack someone else and pin the blame on you. And the only way to do this regularly, efficiently, and automatically is by using a proven web vulnerability testing solution like Invicti or Acunetix by Invicti.
Guest blog courtesy of Invicti, an international web app security company headquartered in Austin, Texas. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.