Charities Have "Least Secure Websites" - Report

According to a new internet security report from the UK Not for Profit organisations have the least secure websites compared to industry and government sector groups with security risks or ‘vulnerabilities’ for the NFP sector having tripled in just 12 months.

The NTA Monitor’s 2009 Annual Security Report says Internet security vulnerabilities are on the rise generally, revealing that many organisations are battling against a steady stream of security issues.

The report showed that Charity organisations performed worse than all other sectors, with a higher than average number of security risks and an above average number of medium to low vulnerabilities when compared to the average.

Of the ten sectors tested IT, government, services and Not for Profit have all seen an increase in the number of vulnerabilities found.

Among the most commonly occurring flaws found were:

No account lockout mechanism in place (medium)

User accounts are not locked out after several incorrect login attempts. This means that an attacker, given a valid username, could perform a brute force attack on the password, i.e. repeatedly guess the password until he finds the correct one.

Web servers advertise software type and version (low)
Web servers advertise type and version number of software that is being run when a remote system connects using HTTP. This information could be used by a potential attacker to determine any known vulnerabilities associated with the Web server software you are running.

Additional HTTP options supported (informational)
Web servers support additional HTTP methods other than the common GET, POST and HEAD methods. Other methods should only be supported if you require the extra functionality such as PUT or TRACK etc. The availability of certain methods can aid the fingerprinting of your server software.

In the high risk area the report says one of the most common vulnerabilities is:

Web Applications vulnerable to SQL Injection (High)
Some applications are vulnerable to an attack known as “SQL Injection”, which enables attackers to modify the database queries initiated from an application. This vulnerability could enable users to delete, create, update database records, enumerate other SQL servers and execute commands on the server or an organisations database.

The report says it could be interpreted from the study that organisations are becoming a little complacent when it comes to maintaining a secure gateway. However, it says considering the fact that, of the top ten most commonly occurring high risk security issues identified in this report, seven were not featured in the 2008 top ten, and this indicates that the threat landscape being faced by organisations and their IT departments is constantly changing.

Of the top ten risks, nine of these flaws were associated with services that are being made available to Internet users, demonstrating yet again that with increased functionality comes the threat of reduced security.

The report makes recommendation to improve web security including:

Regular independent testing
In order to ensure that your Website’s visitors can use the site securely, it is essential to conduct regular, independent Web application testing.

Staff involvement
Educating and training staff on Internet security issues can make a significant difference to the number of holes in your network security. For instance, some risks discovered in this report, such as permitting users to choose insecure passwords, can be completed by any individual, and one who knows little about network security will not consider the consequences of their action.

Clear and up to date security policy
Develop, publicise and update a clear security policy. Make sure that as staff and the business change, everyone is aware of measures that they can personally take to maintain network and Internet security. Adherence to the company security policy should be tied in with staff contracts and disciplinary procedures.

Configuration
Configure all systems according to the security design and use a standard build for all perimeter systems types. This ensures that all systems are hardened to the same standard. If a flaw is identified in one system, a tested patch can be readily applied to all identical systems.

Ongoing vigilance
Maintain awareness of latest threats, software flaws and countermeasures. Monitor security newsgroups and subscribe to security alert and vendor mailing lists.

Management focus
Allocate sufficient management time, focus and control to ensure that preventative actions are carried out on an ongoing basis to minimise security flaws at all levels. Provide sufficient staff resources to address vulnerabilities that threaten your business. Good housekeeping results in good security and as a large proportion of the risks discovered were an informational risk level, this indicates that security housekeeping is poor.

Security SLAs
When choosing new Internet or managed service providers, insert a security SLA (Service Level Agreement) into the contract. This should define what risk level and time-to-fix the vendor will commit to for the systems managed on your behalf. At the very least, the vendor should agree to fix security holes identified by your staff or independent security advisors.

The report can be requested at www.nta-monitor.com