Websites of Canadian and American small and medium businesses continue to be vulnerable to spoofing, clickjacking and sniffing, according to a report from a new cybersecurity company offering cloud-based protection for SMBs.
The report from CyberCatch, headquartered in San Diego with an office in Vancouver, B.C., is aimed at trumpeting the capabilities of its CyberXRay tool. It scanned 20,000 randomly selected SMB websites in the U.S. and 1,850 in Canada.
Among Canadian sites it found:
- 84.3 per cent were vulnerable to being spoofed, which the report defines as a website, software or web application that didn’t sufficiently verify the origin or authenticity of data and could accept invalid data. This would allow an attacker to send carefully crafted scripts to force the web server to produce information such as usernames, passwords, the contents of a shopping cart or, in some cases, the entire customer database;
- 73.3 per cent were vulnerable to clickjacking, which allows an attacker to insert stylesheets, iframes, text boxes or layers in a website;
- and 26.8 per cent were vulnerable to sniffing attacks, which allow an attacker to view the transmission of sensitive data in cleartext because it isn’t encrypted. If a website had simple single-factor authentication with just a user name and password, and was using a deprecated version of Secure Sockets Layer (SSL) or Transport Layer Security (TLS), the password could be easily detected and discovered using simple network sniffing, the report says.
Among U.S. sites it found:
- 32.7 per cent were vulnerable to being spoofed;
- 27.9 per cent were vulnerable to clickjacking;
- and 10.5 per cent were vulnerable to sniffing.
The report also breaks down vulnerable sites by industry.
“SMBs across U.S. and Canada should scan their websites, software and web applications facing the Internet to make sure there are no vulnerabilities,” the report says. IT security managers should also implement a cybersecurity control to regularly scan all IT assets for hardware and software vulnerabilities and set a policy to fix the weaknesses within a reasonable time.
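The clickjacking and sniffing weaknesses described above, and the report's advice that SMBs scan their own sites, come down to a few checkable properties of an HTTP response: whether a third-party site is allowed to frame the page, whether HSTS keeps browsers on HTTPS, and which protocol version was negotiated. The following is an added illustration written for this article, not code from CyberCatch or its CyberXRay tool; it assumes the headers and TLS version were already captured by a scanner the site owner controls, and uses constructed sample inputs.

```python
"""Offline check of captured HTTP response headers and the negotiated TLS
version for two of the weaknesses described above: clickjacking (the page
can be framed by another origin) and cleartext / deprecated-TLS exposure.
Assumption (not from the report): headers and version come from a scanner
you control; the inputs below are constructed samples."""
from typing import Dict, List, Optional

# Protocol versions treated as deprecated for this check.
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def _csp_directive(csp: str, name: str) -> Optional[str]:
    """Return the value of one CSP directive (e.g. frame-ancestors), or None."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return " ".join(tokens[1:])
    return None


def framing_allowed(headers: Dict[str, str]) -> bool:
    """True when nothing stops a third-party site from framing the page."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    fa = _csp_directive(h.get("content-security-policy", ""), "frame-ancestors")
    # frame-ancestors 'none' / 'self' / a host list restricts framing; '*' or absent does not.
    if fa is not None and fa.strip() not in ("*", ""):
        return False
    return True


def assess(headers: Dict[str, str], tls_version: str) -> List[str]:
    """Return a list of findings; empty when both checks pass."""
    findings = []
    if framing_allowed(headers):
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")
    h = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in h:
        findings.append("sniffing: no HSTS header, downgrade to plain HTTP possible")
    if tls_version in DEPRECATED_TLS:
        findings.append(f"sniffing: deprecated protocol {tls_version} negotiated")
    return findings


# Constructed samples: a weak response and a hardened one.
WEAK = ({"Server": "Apache", "Set-Cookie": "session=abc"}, "TLSv1.0")
HARDENED = ({"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
             "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "TLSv1.3")

if __name__ == "__main__":
    for label, (hdrs, ver) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess(hdrs, ver) or ["ok"])
```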
“SMBs have limited resources, lack cybersecurity knowledge and the how-to. They rely on their IT provider, but IT is not cybersecurity,” said company founder and CEO Sai Huda. The report “reveals how vulnerable SMBs are to cyberattacks today and this is the reason why CyberCatch was founded. Our mission is to protect SMBs by focusing on the root cause for data breaches and ransomware: security holes.”
The company, whose advisory board includes former RCMP assistant commissioner Kevin Hackett and former U.S. Secretary of Homeland Security Tom Ridge, offers a software-as-a-service network monitoring and cybersecurity controls testing service that starts at US$250 a month for firms with up to 50 employees, rising to US$1,000 a month for up to 499 employees. There are discounts for paying annually. There’s also a similarly priced continuous compliance assessment service that gives instant benchmarking, a cyber hygiene score, a system security plan, a security awareness module for employees and a virtual CISO to offer advice.
It also offers a separately priced cyber incident simulator for table-top exercises for US$95 a year.