Jonas Thulin, Fortinet

Vulnerable Web sites aren’t just a reputation risk – they leave an open door to your backend systems and company data, says Fortinet.

The days of the enterprise Web site serving as a static “billboard” are long gone. Now, Web sites are a valuable brand ambassador, and crucially, they are often also a channel to market and a conduit to the enterprise backend systems. In some cases, your site is your business. Unfortunately, many South African companies still overlook the importance of effectively securing their Web sites.

A Web site’s greatest strength is also its greatest weakness – it is accessible to everyone. This makes it a natural target for the cyber criminal, hacker or hacktivist. Compounding this challenge is the fact that competition and business goals may drive web developers and designers to push site updates without proper security testing.

Regardless of the reason for the vulnerabilities or the motivation of attackers, a compromised Web site has serious implications – loss of r evenue, negative impact to a company’s reputation and theft of sensitive information such as credit card numbers and personal data.

In South Africa, most of the high pr ofi le hacks recently have been hacktivist-style attacks on controversial or high-profile organisations. We’ve seen the defacement of the Administrative Adjudication of Road Traffic Offences (AARTO) and Department of Health sites, the hack of the South African Police Service (SAPS) informants’ database, and the hacking of the Johannesburg City billing system, among others. These are just the widely-known cases. Unless cases go to court or ar e publicised, corporates are not likely to draw attention to site breaches.

In many cases, it requires extensive and careful forensic work to determine the extent of the breach. It is for good reason that hackers use the phrase “you’ve been owned” when they breach Web site security. Since most Web sites are connected in some way to multiple enterprise systems, there is a good chance that access via the Web site has allowed access to these systems. As a rule of thumb, enter - prises should consider all their systems potentially vulnerable once their site has been touched.

About the author: Jonas Thulin, security consultant at Fortinet