Many Canadian, U.S. SMB websites vulnerable to spoofing, clickjacking and sniffing, says vendor

Websites of Canadian and American small and medium businesses continue to be vulnerable to spoofing, clickjacking and sniffing, according to a report from a new cybersecurity company offering cloud-based protection for SMBs.

The report from CyberCatch, headquartered in San Diego with an office in Vancouver, B.C., is aimed at trumpeting the capabilities of its CyberXRay tool. It scanned 20,000 randomly selected SMB websites in the U.S. and 1,850 in Canada.

Among Canadian sites it found:

  • 84.3 per cent were vulnerable to being spoofed, which the report defines as a website, software or web application that didn’t sufficiently verify the origin or authenticity of data and could accept invalid data. This would allow an attacker to send carefully crafted scripts to force the web server to produce information such as usernames, passwords, content of a shopping cart, or in some cases, the entire customer database;
  • 73.3 per cent were vulnerable to clickjacking, which allows an attacker to insert stylesheets, iframes, text boxes or layers in a website;
  • and 26.8 per cent were vulnerable to sniffing attacks, which allow an attacker to view the transmission of sensitive data in cleartext because it isn’t encrypted. If a website had simple single-factor authentication with just a user name and password, and was using a deprecated version of Secure Sockets Layer (SSL) or Transport Layer Security (TLS), the password could be easily detected and discoverable using simple network sniffing, the report says.

Among U.S. sites it found:

  • 32.7 per cent were vulnerable to being spoofed;
  • 27.9 per cent were vulnerable to clickjacking;
  • and 10.5 per cent were vulnerable to sniffing.

The report also breaks down vulnerable sites by industry.

“SMBs across U.S. and Canada should scan their websites, software and web applications facing the Internet to make sure there are no vulnerabilities,” the report says. IT security managers should also implement a cybersecurity control to regularly scan all IT assets for hardware and software vulnerabilities and set a policy to fix the weaknesses within a reasonable time.

“SMBs have limited resources, lack cybersecurity knowledge and the how-to. They rely on their IT provider, but IT is not cybersecurity,” said company founder and CEO Sai Huda. The report “reveals how vulnerable SMBs are to cyberattacks today and this is the reason why CyberCatch was founded. Our mission is to protect SMBs by focusing on the root cause for data breaches and ransomware: security holes.”

The company, whose advisory board includes former RCMP assistant commissioner Kevin Hackett and former U.S. Secretary of Homeland Security Tom Ridge, offers a software-as-a-service network monitoring and cybersecurity controls testing service that starts at US$250 a month for firms with up to 50 employees, rising to US$1,000 a month for up to 499 employees. There are discounts for paying annually. There’s also a similarly priced continuous compliance assessment service that gives instant benchmarking, a cyber hygiene score, a system security plan, a security awareness module for employees and a virtual CISO to offer advice.

It also offers a separately priced cyber incident simulator for table-top exercises for US$95 a year.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
