There has been a growing concern among stakeholders about the recent streak of cyber heist and hacks in different organisations, government websites and applications. As a result, security is currently the top priority for owners of every single website, e-commerce initiative and web application.
We, web developers, are now facing more questions related to cybersecurity than at any time in the past. Every time some remote application of a remote sector gets hacked, we have to answer to our client: "Are you sure hackers won't hack our web application like that?"
Information related to security is just a few keystrokes away, so everyone has their point of view. In a recent meeting with a prospective client, we were asked to build everything from the scratch. No third party libraries, no open source cms (Content Management System). A car buyer never asks the manufacturer to re-invent the wheel. Why do we web developers have to build everything from the scratch?
I am not against the client's curiosity regarding how things work. I always try to explain the mechanism to them in layman terms. Most of the clients often get perplexed with terms like cloud computing AWS, CDN, firewall, two-factor authentication, VPN, SSL etc. They pay hefty prices for tools that they do not need for their static HTML website.
The government's actions to digitise all sectors has boosted growth in the software industry. The number of medium and large projects has grown tenfold. There has been a shift in the demand of the clients too. Nowadays they no longer think that a software can be bought for Tk5,000 only. Many local clients are now willing to allocate a good budget to build a robust system.
The infrastructure of the web server and the architecture of the web application are important to take actions against a possible threat. But the organisations and their managers are overlooking two crucial threats - social engineering and insecure communication.
Social engineering is the art of manipulating people so they give up their secret information. This technic is popular among hackers. It can be used to hack your system without any tool or code. All it requires is smooth-talking skills. Social engineering relies on convincing someone to expose his or her confidential information over the phone or other media.
For example, imagine you have built your precious e-commerce website from company X. One day you get a call from an unknown number. The person says- "Good morning sir, I am developer Y from Company X. Our MD John Doe gave me your number. Sir, due to one of our security run, we need to change your password in the admin panel. I can send you our two-step process, where you will get an email to reset your password where you have to answer a few security questions. That should not take more than 20 minutes. Or it would be easier if you could give me your current password now. I will let you know the updated password right away."
If you are smart enough you might not fall for this trap. But do you think all the employees of your company are smart enough to avoid this trap? Did you train them or conduct small training to avoid leaking any confidential information over a phone call?
It's not that difficult to get your or your developer company's information, thanks to Facebook and LinkedIn.
Sharing information via insecure channel can expose you to hackers. Let's look at some common mistakes:
1. Writing down the username and password in the paper. Later you throw this in the garbage without disposing them properly. That can go into the wrong hands.
2. We send confidential data over a non-encrypted email channel. If you are using Gmail or other email services, you should be more careful. Do you know, Gmail sometime considers email@example.com and firstname.lastname@example.org as the same account! So a mail sent to the first address can end up in the inbox of the second one.
3. Your in-house FTP server is not that secure. Stop using that.
The threat of social engineering and insecure communication cannot be addressed by any software solutions. These are human errors. In these cases, software companies will not take liability. You are responsible for securing your confidential information.
To avoid future disaster conduct one or two yearly training sessions regarding security for your organisation and force all the employees to make sure they do not share their information with anyone. Please do not sell old notebooks to hawkers and try to adopt a paperless model.