{"id":2945,"date":"2016-10-11T16:17:37","date_gmt":"2016-10-11T22:17:37","guid":{"rendered":"http:\/\/www.whitefirdesign.com\/blog\/?p=2945"},"modified":"2016-10-11T16:17:37","modified_gmt":"2016-10-11T22:17:37","slug":"sitelock-promotes-the-idea-that-protecting-websites-involves-leaving-them-vulnerable-to-being-hacked","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2016\/10\/11\/sitelock-promotes-the-idea-that-protecting-websites-involves-leaving-them-vulnerable-to-being-hacked\/","title":{"rendered":"SiteLock Promotes The Idea That Protecting Websites Involves Leaving Them Vulnerable to Being Hacked"},"content":{"rendered":"<p>When it comes to cyber security, it has been clear to us for some time that most of the companies in the field don&#8217;t really care about security. Just yesterday we discussed <a href=\"http:\/\/www.whitefirdesign.com\/blog\/2016\/10\/10\/cyber-security-companys-poor-website-security-reminder-of-industrys-lack-of-focus-on-actually-improving-security\/\">a cyber security company that doesn&#8217;t even bother to keep the software running their websites up to date<\/a>, despite that being a really basic security measure (that is far from the first time we have spotted that type of situation either). One of the areas where we see this lack of care about security is that security companies&#8217; services and products are often focused not on things that would actually prevent systems from being hacked in the first place, but on detecting that a system has been hacked after the fact.<\/p>\n<p>That brings us to a recent <a href=\"https:\/\/blog.sitelock.com\/2016\/10\/what-your-endpoint-security-isnt-telling-you\/\">post<\/a>\u00a0on the web security company SiteLock&#8217;s blog. 
The post uses the results of a test they recently had done by the Tolly Group to argue that their product is better at protecting against threats to websites than another product of a different type.\u00a0As we <a href=\"http:\/\/www.whitefirdesign.com\/blog\/2016\/10\/05\/would-you-be-surprised-to-hear-that-sitelocks-idea-of-independent-testing-doesnt-involve-actual-independence\/\">discussed last week, the test\u00a0was, at best, quite poor<\/a>, but might be more accurately described as rigged. The test involved checking\u00a0whether their product and another product could detect\u00a0malicious code on a\u00a0website, and SiteLock not only had access to the samples being tested, but provided the sample code that was tested. Not surprisingly, they were able to detect 100 percent of it (the developer of the other product wasn&#8217;t provided the sample code). To make things even more ridiculous, they then promoted the testing as having been independent, despite the fact that they had provided the samples to be\u00a0tested.<\/p>\n<p>First off, the post really could have used some editing, as it contains some quite bad statements, such as this one:<\/p>\n<blockquote><p>In recent years, though, informal blogging environments, such as WordPress, have blossomed into full-blown web application platforms. Commercial and community developers contribute blocks of codes, known as \u201cplugins\u201d to enable just about any type of functionality that you can imagine. (A Google search on \u201cWordPress Plugins\u201d shows over 11 million hits.)<\/p><\/blockquote>\n<p>If you want to measure how many WordPress plugins there are, you could look at the\u00a0<a href=\"https:\/\/wordpress.org\/plugins\/\">homepage of the official Plugin Directory<\/a>, where most WordPress plugins are made available, as\u00a0it provides a count of the plugins available through it, currently\u00a047,146. 
If SiteLock were as familiar with WordPress as they promote themselves as being, they should have known that.<\/p>\n<p>The explanation of the basis of the test shows what is so wrong with the view that SiteLock appears to agree with:<\/p>\n<blockquote><p>The basis of the test was the assertion that traditional endpoint security solutions are not designed to detect web application threats and, therefore, would have a low detection rate when scanning for such threats.<\/p><\/blockquote>\n<p>The actual threats against web applications would be vulnerabilities in the software, not the malicious code that can be added by exploiting those vulnerabilities. But the testing instead looked at the end results of those threats being exploited:<\/p>\n<blockquote><p>A corpus of nearly 3,000 web-based malware samples, defined by SiteLock, was run through a prominent \u201ctraditional\u201d endpoint security solution to illustrate SiteLock\u2019s point.<\/p><\/blockquote>\n<p>The conclusion of the post is:<\/p>\n<blockquote><p>The point, really, is not the absolute percentage of malware detected. The point is to illustrate that there is an entirely new set of threats \u201cout there\u201d that traditional endpoint solutions have not been designed to detect. And, those new threats clearly require an additional, \u201cnext-gen\u201d endpoint security solution in place to provide protection.<\/p><\/blockquote>\n<p>The reality from dealing with many hacked websites is that many of those hacks could have been prevented by taking <a href=\"http:\/\/www.whitefirdesign.com\/resources\/secure-your-website-from-hackers.html\">basic security measures<\/a> and many others could have been prevented if other security practices were improved.\u00a0From what we have seen of automated methods for trying to detect and clean malicious code, they produce poor results. 
Also, websites don&#8217;t just get hacked to place malicious code on them, so leaving a website vulnerable and trying to detect malicious code added to it would, among other things, allow for the possibility of sensitive data being\u00a0extracted from it on a repeated basis.<\/p>\n<p>While the post was written by the founder of the Tolly Group, this isn&#8217;t just a situation where SiteLock posted someone else&#8217;s words expressing this very wrong view on security; our past experience has shown that SiteLock&#8217;s own view is in line with it. For example, we have found that they <a href=\"http:\/\/www.whitefirdesign.com\/blog\/2015\/03\/10\/sitelock-still-failing-to-do-basic-security-check\/\">label websites as being secure when they are using outdated software with known vulnerabilities<\/a> and that they <a href=\"http:\/\/www.whitefirdesign.com\/blog\/2014\/09\/25\/sitelock-doesnt-do-basic-part-of-proper-hack-cleanup\/\">don&#8217;t make sure that the software on a website is upgraded<\/a> when <a href=\"http:\/\/www.whitefirdesign.com\/blog\/2016\/09\/14\/godaddy-and-sitelock-make-a-mess-of-a-hack-cleanup-and-drop-the-ball-on-security-as-well\/\">they are cleaning up after a hack<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When it comes to cyber security, it has been clear to us for some time that most of the companies in the field don&#8217;t really care about security. 
Just yesterday we discussed a cyber security company that doesn&#8217;t even bother to keep the software running their websites up to date, despite that being a really &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/10\/11\/sitelock-promotes-the-idea-that-protecting-websites-involves-leaving-them-vulnerable-to-being-hacked\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;SiteLock Promotes The Idea That Protecting Websites Involves Leaving Them Vulnerable to Being Hacked&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[39,91],"class_list":["post-2945","post","type-post","status-publish","format-standard","hentry","category-bad-security","tag-sitelock","tag-tolly-group"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2945","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=2945"}],"version-history":[{"count":7,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2945\/revisions"}],"predecessor-version":[{"id":2961,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2945\/revisions\/2961"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=2945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=2945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefi
rdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=2945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}