Table of Contents
How SMEs check websites for security vulnerabilities
Small and medium-sized enterprises are often helpless when faced with the task of ensuring the security of their web applications. Yet there are many ways to protect web presences from attackers - even for SMEs with a small budget. This article presents the most important options for testing websites for security vulnerabilities and sealing them off from hacker attacks.
Security gaps in web applications can cost any company dearly. In the event of a successful attack, customer and partner data and other sensitive information is often tapped, modified, deleted, encrypted - or published on incriminated websites. Time and again, criminals use the stolen data for further hacking attacks and other crimes.
In the worst case, attackers gain full access to the website and the entire IT network is infected with malware. The infected computers can then be misused unnoticed to send spam and phishing emails or for industrial espionage. The image loss and monetary damage in such cases are enormous.
While corporations and large companies have cybersecurity under control by and large, smaller companies are moving into uncertain territory when it comes to securing their applications. Too often, they lack sufficient financial budget and human resources to be adequately armed against website attacks and hacker attacks. SMEs are therefore a grateful victim for cybercriminals.
The good news is no matter what the financial and technical requirements of an SME are, every company can take precautions and check how vulnerable its website is to hacker attacks. In this article, you'll learn what smaller businesses can do to ensure the security of their web presence and what steps they should take to do so. The article is based on interviews with security experts who specialize in SME concerns.
Download: Your complete data protection technology guide
How to reliably identify privacy gaps on your customers' websites using free tools.Download now
The testing tool: penetration tests
The usual means of checking websites for security vulnerabilities are penetration tests, or pentests for short. In such a test, web applications, individual systems or the entire IT infrastructure are scanned for vulnerabilities from the perspective of a potential attacker - with the aim of identifying possible security gaps. Ultimately, this is a controlled intrusion attempt.
How does such a test work? A security expert attempts to penetrate computer systems and networks via the company's website. To simulate an attack that is as close to reality as possible, he uses techniques that are also used by external attackers. The result of such a scan test is usually a security audit, which evaluates the measures taken to date to secure the website and IT.
The analysis and test results of the penetration test provide information about which targets could be successfully achieved from an attacker's point of view and which measures are required to counteract possible threats. Companies should then implement the recommended measures, close the gaps, and improve the security of their web presence.
There are basically two options for conducting a pentest: First, companies can consult a cybersecurity service provider who will have all the steps performed manually by an expert - as just described. This person tests, monitors and evaluates the IT security.
Secondly, penetration tests can be performed automatically - this can also be done by a service provider. However, if the conditions are right, the test can also be carried out by the IT department of the SME or the operator of the website itself.
Manual pentesting - Comprehensive service providers
Cybersecurity service providers for manual pentesting usually offer comprehensive security checks. In addition to web applications, the testers also check computers, servers, and entire networks for security vulnerabilities. The testing methods range from attack simulations, in which a complete attack on the company is imitated and the company is penetrated as deeply as possible, to vulnerability analyses and code checks.
In a manual pentest, the service provider addresses the specific situation of the SME. "Comprehensive pentests, which are primarily characterized by a manual selection of test procedures and tools, include an individual preliminary discussion with the client in advance," says Jan Bindig of Leipzig-based security specialist Pentest24. "The tests are then tailored accordingly to the intended use and any feared vulnerabilities are illuminated in more detail."
Individual support is at the forefront of comprehensive pentesting by a service provider. "During a joint discussion in advance, we try to find out the critical functionalities that we know from experience should be tested," explains Emanuel Böse, business manager of Lutra Security GmbH, a Munich-based cyber security service provider. "In this way, we end up determining a framework that makes sense for the customer."
Often, manual pentests are further supplemented by technical audits and interviews with contacts to get a more comprehensive overview of the security level. A test report then documents the status quo and provides the operator with the information it needs to address the identified vulnerabilities.
In terms of time, such a penetration test can take several days - between two and ten days, depending on the effort involved. The normal case is probably an average of five test days. In the case of very sophisticated social engineering methods, the test phase can take more time, but shorter test phases are also possible - especially in the case of purely tool-based audits.
Manual penetration tests are usually billed at daily rates, which typically range from 1,000 euros to 1,800 euros for experienced pentesters with certification. The specific price depends on the complexity of the system and the criticality. Assuming a test duration of between two and ten days, the costs for a manual pentest therefore vary between 2,000 euros and 18,000 euros. With an average test duration of five days and the most favorable daily rate of 1,000 euros, the total cost is 5,000 euros.
Today, modern software solutions make it possible to perform pentests in a largely automated manner. "Automated pentests are performed by preconfigured tools and scripts from a platform or also individualized," explains Pentest24 expert Jan Bindig. They can be executed both as an external test without intranet access or internally through a provided relay within the intranet."
Automated pentests have several advantages. They are less time-consuming than manual tests and reduce costs. SMBs get an initial overview for little money. Even large, complex IT environments can be scanned for vulnerabilities quickly and efficiently in this way. Results are usually available after just 48 hours. What's more, automated tests are reproducible and guarantee consistent, standardized quality - making them ideal for repeated testing.
Regular security checks through pentests are an important aspect. "Penetration tests only provide a snapshot of a company's security status at any given time," points out Thomas Moosmüller, Managing Director of Regensburg-based Breakinlabs GmbH. "Already tomorrow, a vulnerability may become known that could not be taken into account during such a test. For this reason, penetration testing should take place regularly."
Most companies that conduct pentests do so only once a year so far, according to a study by cybersecurity provider Pentera. This is mainly because manual testing is very time-consuming and cost intensive. "Automatic tests, on the other hand, are very well suited as daily or weekly scans due to the lower effort and favorable price between manual pentests, which should be carried out in larger time spans of a few months to a year depending on the situation," says Thomas Moosmüller. Regular repetition also makes it easy to compare results and establish uniform testing procedures at different sites.
Provided the budget allows, automated pentesting should be done in cooperation with an experienced cybersecurity service provider that has the appropriate references and expertise. Automated pentests are often offered by cybersecurity service providers as managed security services. The cost of an automated test by a service provider ranges from 800 to 1,500 euros, depending on the individual effort required. A list of service providers for automated pentesting can be found here.
Tools - Performing pentests yourself
IT teams can also perform automated pentests themselves without a great deal of personnel effort. They can make use of a whole range of paid and free tools.
Among the free open-source tools, the following solutions can be recommended, for example:
- Karkinos is efficient and easy-to-use penetration testing tool for various security tests. With a combination of modules, Karkinos can be called a "Swiss army knife" for penetration testing.
- Sifter is also a powerful tool that consists of information gathering tools as well as vulnerability scanning modules. It combines several modules into a comprehensive penetration testing suite that can quickly scan for vulnerabilities, perform reconnaissance tasks and list local and remote hosts.
- Nmap is another security monitoring and network discovery tool that helps administrators perform service availability monitoring and manage upgrade schedules, among other tasks.
- Zaproxy, from the Open Web Application Security Project (OWASP), offers developers and users a range of features, including Web app interception and inspection, active scanning, and decryption of SSL requests.
A comprehensive list of free penetration testing tools can be found here.
Two solutions in particular stand out from the commercial, paid solutions segment.
- Burp Suite is a comprehensive set of pen-testing software that is easy to use and designed for users with minimal technical knowledge. The software suite is very user-friendly. The testing software is available from 8,000 euros.
Challenges with homemade automated tests
With knowledge and experience around network security, automated pentests can be carried out by oneself using the tools just mentioned. "As an SME with a small IT department, this is definitely possible - and you can probably get it done without IT at all," says Emanuel Böse of Lutra Security. Security service providers can assist with tests conducted independently. "If an SME comes to us to do an automated vulnerability scan on their own, we can happily show them how to do the scans. We recommend tools and demonstrate the options."
However, automatic tests are not a foregone conclusion. There are two challenges to consider when carrying out scan tests yourself, warns Daniel Jonka, IT security specialist and pentester at Hamburg-based mioso - IT Solutions GmbH & Cp. KG. "Some of the automated tools are very active in testing out specific vulnerabilities." If the scanner then finds a vulnerability, it can trigger unwanted actions. "There have been cases where an automated scanner has looked for a database vulnerability - and at the same time triggered a mass sending of tens of thousands of emails. This can result in the company's domain ending up on spam lists, from which it's hard to get back down."
All these aspects would be explained in the report in the case of a manual pentest or in the case of a supervised automated test, and it is described how to repair the gaps. So, if the in-house expertise is not there to evaluate and understand the results, then you should get support from specialists as part of a security validation.
The crucial question: manual or automated?
So, when does a manual test make sense for SMEs - and when does it need more? Basically, both types of tests have their advantages and disadvantages. The manually performed tests by service providers are more thorough and comprehensive, but often exceed the budget of small businesses in terms of price. Automated tests are less expensive, can be performed in-house and regularly, if necessary, but are less thorough and in-depth and require a certain level of expertise.
For Lutra security specialist Emanuel Böse, both types of tests have their justification, but different objectives "Regardless of economic possibilities, I would perform automated scans regularly and manual tests several times a year - for example, in the case of major changes in the IT infrastructure or in applications." Only if the budget for a manual test is not available at a KMJU can such tests be dispensed with. "Automated tests are still better than nothing," says Böse.
Complex manual tests are not absolutely necessary for simple web presences with standard components. "If a small SME only operates a website on which the company profile is displayed and otherwise a simple office infrastructure, then a manual pentest in great depth does not make much sense," explains Daniel Jonka from mioso. "For example, if an SME only has a WordPress site and uses a standard Microsoft environment internally (with Active Directory), then we as a service provider don't necessarily need to get into the corporate network and do hard port scans, etc." In this case, an automatic scanner can detect gross blunders in the security configuration. "In this case, more security is provided by a brief security consultation and cyber hygiene training for employees," explains Daniel Jonka.
However, the further a website deviates from the industry standard, the more a manual pentest provides real insight. "If your website is hosted on your own server and you have misconfiguration or custom software there, these tools can be overwhelmed," Jonka said. "The more third-party code, custom code, or low-distribution code is in the applications, the more difficult it becomes to detect problems through standard testing. In this case, a service provider should urgently be called in to manually check where potential vulnerabilities can be found."
Does outsourcing make sense?
With all this potential effort, many SMEs are tempted to outsource the security issue. This is obvious: many SMEs work with agencies that have worked out and designed the Internet presence and could take over the security support at the same time as a comprehensive service. Good Internet agencies are usually familiar with the requirements for security systems and are involved in the development of appropriate measures in an advisory capacity. It therefore seems obvious to outsource the management of security requirements to an external agency.
However, experts advise against agency support in security matters. "It doesn't make sense to hand over responsibility," explains Emanuel Böse. "If the site is hacked, if it is taken over by attackers, or if my customer data is leaked, the operator suffers the financial loss - and above all the loss of reputation. The SME may be able to refer to the agency and the assurance that everything is in order security-wise. But that's not much use in a worst-case scenario."
In the end, it is always the company that must pay for such security incidents. And legally, the responsibility cannot be shifted: "From a purely legal point of view, the responsibility always lies with the operator of the website - and he should therefore also take care of it.
CONCLUSION: The matching test
Consulting a cyber security service provider who performs manual pentests is the optimum solution when a website is to be checked for security vulnerabilities. These somewhat more complex and cost-intensive tests should be carried out for a complex web presence that includes, for example, a store system or proprietary developments. Here, the risk of vulnerabilities and security gaps is particularly high.
Automated pentests make it possible to run security checks cost-effectively as a regular process. An automated test can be sufficient for a simple web presence with standard components. With the appropriate know-how, it can also be carried out autonomously with the available tools - but the interpretation of the results can cause problems.
If you are not confident enough to carry out a test yourself, you should consult a service provider - for example, in the form of a managed security service. The service provider then carries out the test or provides support in interpreting the results. In this way, the effort required for the test is reduced to a minimum and support is also provided for the implementation of measures.
In any case, automated tests are better than no tests at all. This should be considered especially if the budget does not allow for larger expenditures for more extensive, manual tests.
Author: Dr. Klaus Manhart
Dr. Klaus Manhart is a freelance author for information technology and science. He holds a doctorate in philosophy of science and was an editor for IT and Internet journals for many years. Today he lives as a freelance author in Munich.