boonbox

Web Application Security Case Study

Customer Situation

The website of a large non-profit organization was hacked. The organization discovered this when Internet search results displayed the URL for its website with a warning from Google reading “This site may harm your computer”. Significant web traffic that had taken years to develop decreased to a small trickle of visitors practically overnight.

Managers were concerned about the effect on the organization’s reputation, its ability to continue operating, and its ability to meet its mandate to protect its visitors and partners. The non-profit was required by privacy legislation to demonstrate that it took reasonable measures to correct its vulnerabilities.

The Solution

Devfense, a web application security offering under the Boonbox brand by Pacific Coast Information Systems Ltd., helped the client improve its web security. PCIS began the process to remove the non-profit’s website from Google’s list of infected sites. The organization was advised to replace its hacked website with a single secure web page as a temporary solution, to avoid infecting its website visitors’ computers with malware. In the meantime, the database needed to be checked for malicious code and all web security vulnerabilities needed to be fixed.

The non-profit’s database was found to be corrupted with code inserted by the hackers. PCIS IT security consultants removed all of the malicious code. Meanwhile, they determined that the security breach was partly enabled by insufficient security measures on the part of the organization's external web hosting company, and was also a result of legacy code being left on the system and of web application code that had been developed with security gaps. PCIS experts helped secure access to the client's database, provided guidelines on requirements for its hosting provider, and made recommendations for code fixes.

Devfense combines industry-leading technology with IT security expertise. It helps organizations keep their web applications and connected systems secure through proactive assessment of web vulnerabilities and fix recommendations. This solution enabled the hacked non-profit organization to soon resume operations and start rebuilding its brand reputation.

Lessons

All types of organizations are under continual threat of a security breach through their web applications. The web application layer is the target of about 75 per cent of all hacks by cyber criminals. Hackers use tactics like cross-site scripting and SQL injection to insert malicious code into websites. Sometimes these penetrations are facilitated by poor security on the part of the organization, the web hosting company, or both.

If the hackers are successful, the entire IT network of an organization will be at risk of a comprehensive security breach. As well, the malicious code may spread malware to the entire customer base of the organization that visits the infected website. Organizations are advised to take proactive steps to protect their web applications. By being proactive, companies can avoid the higher cost of fixing vulnerabilities after a breach, which industry analysts suggest may cost as much as four times an investment in website protection.


Boonbox is a division of Pacific Coast Information Systems Ltd., specializing in products for web security, network security, password management and data backup.

PCIS is a Vancouver-based company which provides strategic consulting, application development, technology solutions and managed services to companies and government organizations throughout North America.


Copyright © 2008 Pacific Coast Information Systems