Spent the better part of the past week in Albuquerque, New Mexico at the National Association of Government Web Professionals (NAGW) conference. It is a conference designed to bring together web professionals from federal, state and local municipalities in an effort to help them organize, educate and otherwise collaborate. It was a great event for understanding how municipalities work, but it also helped to reaffirm some of my thoughts around the challenges facing website security across all industries.
Regardless of industry, there are common points, all too familiar when it comes to website security, that each of them shares:
- Lack of ownership
- Lack of understanding and knowledge
- Lack of appreciation for impact
Website Security Challenges Defined
Interestingly enough, the greatest challenges the website security industry faces have little to do with the technology, the evolution in attacks, hosting environments, development habits, open source, or anything in between. No, the challenges lie more at the core of the mindset of the web, not just amongst the web users, but amongst those that are deploying and managing these environments.
For me, it revolves around two very simple, yet deceptively complex, points:
- Education and Awareness.
- Webmasters, or the lack thereof.
Education and Awareness
The biggest challenge, and one I struggle to get my head around, is basic education and awareness.
You'd think this would be reserved for non-technical individuals, but surprisingly that's wrong. As technical people, we often joke that it really doesn't matter what you achieve, to your family you'll always be the IT guy. Interestingly enough, even as technical people we apply the same stereotypes to one another.
Oh, you’re a developer? Great, can you fix my server?
Oh, you’re a designer? Great, can you build me a website?
Oh, you’re a system admin? Cool, can you design me a website?
Put this into the same context that we complain about with those that don’t understand technology jobs, and you’ll quickly start to see similarities emerge. Funny enough, the same applies in the niche environments of systems and security.
Oh, you’re a security guy? Cool, can you see if I have any vulnerabilities in my code?
The most distressing observation is the lack of empathy or concern about the impacts of a compromise and its far-reaching effects on the psyche of web users as a whole. While I hate the analogy, there are so many similarities to insurance it hurts my soul.
I don't need car insurance. Crap, I just got in an accident.
I can't be too frustrated with this mindset, however; I myself have had, and probably still have, the same perspective on various things someone deems "I should be worried about" and yet rarely do…
And so, the great challenge presents itself: how do you educate? How do you bring about awareness of a growing problem?
Just this week, Google released a very insightful post on the current state of hacked websites.
Thus far in 2015 we have seen a 180% increase in the number of sites getting hacked
While the growth percentage is a bit ambiguous, since the term "hacked" can have so many different definitions (perhaps better thought of as categories: malware distribution, SEO spam, phishing, etc.), it's still a very interesting statistic.
The lack of knowledge around website security is understandable. What is more concerning though is the lack of concern or ownership that I continue to experience.
Hi, content / web manager, how do you manage your website's security? Don't know, that's not my department, my IT group handles that.
Ok, I can appreciate this sentiment. Let's chat with the IT group...
Hi, IT group, how do you manage your website's security? That's not in my group, that belongs to the web / content group.
Does this sound familiar? It should; I hear it time and time again, across all industries. This right here is why bad actors will continue to win.
The sad reality is that organizations across all domains are strapped for resources, both in terms of skills and money, and as important as having an online presence is, there is very little tolerance, or care, for the security of that property, at least until something happens.
I wrote an article earlier this year on the impacts of a hacked website, and I'd encourage everyone to read it. Then ask yourself: what if this happened to my organization?
Webmasters, or the lack thereof…
As if education and awareness were not hard enough, I want to place some focus on the actual administration of websites.
Back in 2012 I wrote an article about the True Vulnerability in a very popular open-source platform, WordPress. Interestingly enough, while it targeted the WordPress platform specifically, the insights and opinions are very generic and cross all spectrums of web technologies.
I still feel, and it's confirmed daily through our customers and the various audiences I engage with, that the biggest shortcoming, second only to education and awareness, is the dire state of website administration. Sadly, this plague traverses all industries, from small businesses, to large enterprises, to federal and state organizations.
I have friends that make fun of my use of the term webmaster. They say it's very 1990, and that's not what website owners are. I argue that it is. Their point is that, while they may be webmasters, it's not how they recognize themselves, and to engage them you must speak to them as they recognize themselves.
If it walks and talks like a duck, it’s probably a duck.
I appreciate the point and sentiment, and from a marketing and sales perspective, I get it, but it’s not to say I don’t find it highly infuriating. It’s this very mindset that sets each website up for failure; it propagates into their behavior and actions which inevitably find them knocking on someone’s door after a compromise.
I empathize with the struggles organizations find themselves with.
Every day there are new things they must be doing, new things they must be employing as an organization to stay ahead of the continuously evolving landscape. You find anyone with the remotest interest in taking something on, and breathe a sigh of relief that it's no longer on your shoulders. Yet we can't forget that doing so doesn't mean ownership is no longer yours, and we must arm them with the skills, and especially the knowledge, they require. Especially when it comes to administering or managing something that directly represents, and has the potential to negatively affect, your audience[s] and brand[s].
If you are that poor soul that has stepped up, I commend you, but you too must understand that "that's not my responsibility" is just not an acceptable answer. If you step up, ownership is now yours whether you want it or not. Every day I see the devastating impacts this has on website owners around the world. There is no worse feeling than when you single-handedly contribute to the loss of revenue and brand recognition for your organization, or worse yet, play a role in someone losing their life savings because the website you manage is responsible for delivering a banking Trojan that stole their financial credentials.
Website Owners Have a Great Responsibility
It's easy to think that when we're managing a website the job is simply to push content, update design, or any number of the associated mundane tasks. Trust me, I know your pain. To this day, both my partner and I are the last two to review every piece of code that is pushed to our properties. Granted, our work is simplified as we have a culture of security first in all things we do, which makes things a lot easier for us, but it should help demonstrate the importance we place on the process.
Beyond the actual administration of the site, however, the focus is and should be on the greater impact our web properties have on the internet as a whole. Websites are still one of the main distribution mediums for all forms of malware, although one could argue that desktop and mobile apps are quickly starting to chew into that dominance.
Our websites are digested by people of all calibers, from Presidents of countries and organizations, to civil servants and families, to people working in enterprises around the world. We’re all living and engaging in a complex and ever evolving connected world, and as such we have to do our part in working to make that experience as safe as possible.