
3 Web Security Services for Startup CEOs


Startup CEOs should secure their business

In 2013, Target, a massive retailer in the US, suffered a major web hacking incident that stole thousands of customers’ credit card information. After the event, Target was negatively affected as news leaked and company shares dropped by 1.5% the following year. These kinds of web attacks prove that nobody is completely safe from web hacking.

Now, we know that web security is not a hot topic that comes up in conversation every day. However, as a startup CEO, it is imperative to have a basic knowledge of what web security options are available, so that you can do your best to protect your clients’ private information. Here are 3 options to help you better protect your company’s sensitive data.

Web Application Firewall (WAF)

Web Application Firewalls monitor the incoming and outgoing HTTP/HTTPS traffic of your website. You can think of a WAF as the security scanner we see at the airport: people with the right credentials get through the gates, but any visitor with malicious intent is barred from entering your network. WAFs use specialized rules or patterns to identify whether a web visitor or a piece of traffic is dangerous. A WAF can be the essential first line of defense for any website owner, protecting your website at the network perimeter.

Malware Scanners

Having a WAF is a great way to improve your web security. However, it won’t help your business much if you are already infected. Therefore, it also helps to have a tool that searches for malicious programs already residing on your servers.

Infected sites can be a major turn-off for customers, especially if they can infect customers’ computers. This is a double-edged sword: not only can you affect your customers, but once Google gets wind of it you can also be SEO blacklisted. Google can detect websites that have been infected by malware and warn customers away. So having a protected and clean website is good not only for the customer but also for business. Using a malware scanner on your internal network can help keep your website safe. For optimal security, one should always run routine scans on servers. Better to be safe than sorry.

Database Encryption

Encryption is the process of transforming the data in a database into undecipherable data. An encryption program uses a series of complex algorithms and holds a master key that turns the data back into its original form. Your database is where all the data of your business, such as customers’ banking information, is stored. It is one of the core elements of any online business; therefore, malicious hackers are always looking for a way to get their hands on it.

One of the world’s most popular database management systems, MySQL, is open source, so it can be highly vulnerable to attacks. Many CMS frameworks like Drupal, Joomla, and WordPress use MySQL as their default database. It is critical that you take every precaution to protect yourself from any would-be attackers. One way to do this is to use database encryption software. This brings a third layer of protection in case any savvy web hackers get into your internal system.

The recent increase in the number of startups has made these businesses attractive targets for hackers. Customers entrust their information to businesses, and businesses should feel obligated to keep that information safe from hackers with malicious intent. One can’t be too careful when it comes to security. Get more in tune with your website and its security by installing these 3 great security solutions!


Web Vulnerabilities 101: What’s SQL Injection?

If you’re familiar with the digital or cyber world at all, you have probably seen the terms “SQL” or “SQL injection” thrown around. SQL is, simply put, a database language. In fact, SQL stands for Structured Query Language, and it was designed to operate database systems like the aptly named MySQL, Microsoft SQL Server, SQLite, or Oracle. SQL injection is an attack in which SQL statements that were never meant to be there are entered as input. This changes what the code does from what it was originally meant to do.

My name is Hold Please and I make a phone call to my credit card company to complain about my bill this month. When asked by an automated customer service system about what my name is, I say “Hold Please.”

The customer service rep holds…

This is SQL Injection, in a nutshell.

[Image: SQL injection comic strip by xkcd]

The injection could affect any website or web application that uses an SQL-based database (like MySQL or Oracle). Thus, the vulnerability is one of the most prevalent types of web application vulnerability. In fact, in 2013, SQL injections were ranked the #1 threat of the year by OWASP (Open Web Application Security Project).

SQL Injection consequences?

The above example may seem humorous. So perhaps your response is, “Well, it’s not really hurting anyone.” But let’s add more to the story.

Instead of answering “Hold Please,” when the customer service representative asks for my name I say, “Hold Please, and throw away any record of my credit card bills.” If the customer service rep did exactly what I asked, they just lost out on my payment.

  • SQL injection could be used to delete important information, affecting how a web application functions.
  • Data could be altered, causing repudiation issues. It could even alter the balance on an account. This could compromise your company’s integrity.
  • SQL injection can be used to get past authentication or even to impersonate users and administrators.

To take it one step further, let’s say I have a huge grudge against this company. So when asked my name I say, “Hold Please, and throw away any record of my credit card bills. Also, go ahead and throw out the rest of the company’s customer accounts.”

  • Hence, the worst-case scenario: SQL injection could be used to wipe out entire databases.

As you can see, while you might say that SQL injection is a rather simple concept, it can bring with it an unending variety of dangerous consequences. Important information could be lost, data could be released, website defacement could occur, and your whole system could slow down or even cease to exist because of this injection.

Prevention of SQLi

So how do you prevent it? SQL injection is a common and very widespread vulnerability. But that comes with a silver lining: there are various ways to prevent the vulnerability and the ensuing attacks. Here are just a few to get you started.

  • Update regularly: vulnerabilities are being found each and every day. It’s essential to apply patches regularly.
  • Use parameterized queries: this means that your variables are not pieces of query string that would accept arbitrary SQL input. Instead, parameters of a given type are declared up front. With parameterized queries the developer defines all of the SQL code in advance, and the database distinguishes between that code and the data supplied at runtime. For example, let’s say I need to input a username into a field. Without parameterized queries, I could input any kind of SQL code into the field, and perhaps have the database erased; but if the field were bound to a parameter such as ‘@username’, I would only be able to put in a username, never code.

Instead of saying “Hold Please” into the automated system, the system now requires that I input my 16-digit credit card number and then press #. This means the parameters are set to a certain number of digits followed by the pound key only.

  • Web Application Firewall: this is by far one of the best things you can do to protect your applications. Coming in many forms (appliance, software, cloud-based), a WAF can filter out and flag malicious data. The one thing you should concentrate on, however, is which method the WAF uses to detect attacks. For example, while many companies use a pattern-based WAF that can produce many false positives, Penta Security’s WAF, WAPPLES, uses a logic-based engine rather than looking for a pattern. This logic-analysis engine uses 26 different search parameters to accurately analyze traffic, resulting in very low false positives.
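The parameterized-query point above, shown in working code. This is an added example, not code from the original post or from Penta Security; it uses Python’s built-in sqlite3 module and a constructed accounts table, and plays the article’s “Hold Please” trick in SQL form against a string-spliced lookup and against a parameterized one:

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("Hold Please", 120), ("Alice", 300), ("Bob", 45)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The caller's name is spliced into the SQL text, so the database reads
    whatever was typed as part of the command (the 'customer service rep'
    doing exactly what it was told)."""
    sql = "SELECT name, balance FROM accounts WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The SQL is fixed in advance; the name is bound to the '?' placeholder
    as data and can never be interpreted as code, whatever it contains."""
    sql = "SELECT name, balance FROM accounts WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed input: a 'name' that closes the quote and appends an always-true
# condition, i.e. the "Hold Please, and ..." sentence of the article in SQL.
CRAFTED_NAME = "Hold Please' OR '1'='1"


def demo():
    """Return the rows each lookup hands back for an honest and a crafted name."""
    conn = make_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "Hold Please"),
        "crafted_vulnerable": lookup_vulnerable(conn, CRAFTED_NAME),   # every row leaks
        "crafted_parameterized": lookup_parameterized(conn, CRAFTED_NAME),  # no such name
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(case, rows)
```

The vulnerable lookup returns all three accounts for the crafted name, while the parameterized lookup returns nothing because no customer is literally called `Hold Please' OR '1'='1`.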

Conclusion?

SQL injections are common, but that doesn’t mean you shouldn’t take precautions against them. Overall, it’s a simple concept but one with an unending variety of dangerous consequences. Important information could be lost, data could be released, website defacement could occur, and your whole system could slow down because of this injection. If you run a business on a website or hold a valuable amount of data, SQL injection could spell disaster.

Make sure to protect yourself from potential loss by investing your time in these solutions to further the benefits in your future!


Security Solution Goes Global

A Korean solution provider is now the talk of the town after bringing its security solution into 60 countries through its new ‘Dual Licensing’ sales strategy.

Data encryption and web security provider Penta Security Systems Inc. (CEO/Founder Seokwoo Lee, www.pentasecurity.com) announced that MyDiamo, Penta Security’s encryption solution for MySQL and MariaDB, has successfully entered into 60 countries with its dual license (free for personal use but not for commercial use) policy since its release in March last year.


Most Korean IT security companies export to other countries through a sole distributor or an overseas branch office. Penta Security broke with this established business model and tried a new sales strategy to reach its customers. Now, the security solution MyDiamo has entered 60 countries, including the United States, China, Russia, Germany, Sweden, Norway, Denmark, and many more, in just a little over one year.

MyDiamo has been sold to the countries in which Penta Security has not expanded its sales network, and the number of countries that have adopted the encryption solution is the largest among all Penta Security’s products. It also has reached the largest number of countries for Korea’s formidable domestic IT security industry. In all, more than 3,600 total licenses have been downloaded.

MyDiamo, the security solution

MyDiamo is an encryption solution for MySQL and MariaDB, which are the most popular databases with the top market shares. MariaDB is a database developed by Michael Monty Widenius, the founder of MySQL. The number of MariaDB users has rapidly increased due to its improved performance over other open-source DB environments.

MyDiamo secures these popular databases with technology from Penta Security’s data encryption platform D’Amo. MyDiamo provides one-way encryption, index-column partial encryption and column-level encryption using trusted international standard encryption algorithms, such as AES. It complies with PCI-DSS and provides masking features for credit card numbers.
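To make the one-way encryption and credit-card masking features mentioned above concrete, here is an added example that is not MyDiamo’s or Penta Security’s code. It uses only the Python standard library, stands in a keyed HMAC-SHA256 token for the product’s one-way encryption, and assumes a constructed demo key and card number:

```python
import hashlib
import hmac

# Constructed demo key. In a real deployment the key comes from a key manager
# and never appears in source code.
LOOKUP_KEY = b"demo-key-do-not-use-in-production"


def normalize_pan(pan):
    """Strip spaces and dashes and check the value looks like a card number."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return digits


def mask_pan(pan):
    """Masked display form: first 6 and last 4 digits kept, the rest replaced by '*'."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan):
    """Keyed one-way value: equality lookups still work, but the card number
    cannot be recovered from what is stored."""
    digits = normalize_pan(pan)
    return hmac.new(LOOKUP_KEY, digits.encode(), hashlib.sha256).hexdigest()


def store_card(rows, customer, pan):
    """Store only the masked form and the one-way token, never the raw number."""
    rows[customer] = {"masked": mask_pan(pan), "token": pan_token(pan)}
    return rows[customer]


def find_customer_by_pan(rows, pan):
    """Locate customers by card number using the token; constant-time compare."""
    token = pan_token(pan)
    return [c for c, row in rows.items() if hmac.compare_digest(row["token"], token)]


if __name__ == "__main__":
    table = {}
    print(store_card(table, "alice", "4111 1111 1111 1111"))  # constructed test PAN
    print(find_customer_by_pan(table, "4111-1111-1111-1111"))
```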

Duksoo Kim, CTO of Penta Security, stated “We could not remain in the small domestic market, so we had to go global. However, it was not easy to export IT security products because there were differences in distribution channels and cultures.” He continued, “Last year, the dual licensing policy we chose instead of existing sales policy has brought us this wonderful and unexpected outcome.” He added, “We are not settling for this, however, and we are preparing various strategies, including cloud computing and on-demand services, to enter the global market.”