What does website security cost?
I was speaking with a prospective customer a few weeks ago when the topic of website security (and its associated costs) came up. We host a lot of our clients' websites at ODG on our AWS-based servers, and it's part of our job to stay on top of the latest security threats. This client was a bit defensive, however, thinking that their $49.99/month hosting package came with sufficient protection. Unfortunately, that wasn't the case.
I asked them if I could show them exactly how someone might break into their website and they agreed. We connected through Zoom, and the demonstration began. I started by sharing my screen and then I ran their URL through a common open source website vulnerability scanner. Within seconds, the scanner gave me what I needed. It told me that their website was running an outdated version of the Sitefinity CMS, and provided a list of several critical vulnerabilities that required immediate attention. My way in was simple. Their older, unpatched CMS was susceptible to a major vulnerability related to “Sitefinity RadAsyncUpload,” as seen here: https://community.progress.com/s/article/resolving-security-vulnerability-cve-2017-9248
That particular vulnerability was a huge hole in their website security, because it allows for unrestricted file uploads to the web server. I demonstrated how anyone with coding knowledge could upload their own DLL file to the /bin folder of their .NET website, making that code execute every time any page was loaded. What could someone do with a DLL file in place? Anything they wanted, including these nightmare scenarios:
- Complete website takeover
- Holding their website hostage
- Extracting data from the website/database
- Granting unauthorized access to the website's backend
- Fraud and impersonation using hidden website pages and mailing list communication
- Running code silently in the background for months before acting, so that daily backup restorations are unlikely to undo the damage
In other words, total ownership of the website.
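To make the "sitting silently for months" point concrete from the defender's side, here is an added example (my own, not code from this post, from ODG or from Sitefinity) of an integrity baseline for the ASP.NET /bin folder the post describes: it records a SHA-256 hash of every assembly at deploy time and reports anything added, removed or changed afterwards. The folder layout, file names and file contents in the demo are constructed.

```python
# Added example: baseline-and-compare check for an ASP.NET /bin folder.
# Not code from the original post, from ODG or from Sitefinity.
import hashlib
import json
import tempfile
from pathlib import Path

# Assemblies are what an attacker would drop into /bin; extend the tuple if
# your deployment keeps other executable artefacts there.
WATCHED_SUFFIXES = (".dll", ".exe")


def hash_tree(folder: Path) -> dict:
    """Map each watched file (relative path) under folder to its SHA-256."""
    result = {}
    for p in sorted(folder.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            result[p.relative_to(folder).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(folder: Path, baseline_file: Path) -> None:
    """Run this once per legitimate deploy, then keep the file off the web server."""
    baseline_file.write_text(json.dumps(hash_tree(folder), indent=2))


def check_against_baseline(folder: Path, baseline_file: Path) -> dict:
    """Run this on a schedule; any non-empty list is something to investigate."""
    return compare(json.loads(baseline_file.read_text()), hash_tree(folder))


def demo() -> dict:
    """Constructed scenario: a clean deploy, then a rogue DLL and a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        (bin_dir / "Site.Core.dll").write_bytes(b"constructed sample bytes 1")
        (bin_dir / "Site.Web.dll").write_bytes(b"constructed sample bytes 2")
        baseline_file = Path(tmp) / "bin-baseline.json"
        save_baseline(bin_dir, baseline_file)
        # Later: an unexpected assembly appears and a shipped one is modified.
        (bin_dir / "Helper.dll").write_bytes(b"constructed rogue bytes")
        (bin_dir / "Site.Core.dll").write_bytes(b"constructed sample bytes 1, altered")
        return check_against_baseline(bin_dir, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical notes: keep the baseline file somewhere the web server cannot write, because anyone who can drop a DLL into /bin can also overwrite a baseline stored beside it; and run the comparison from a scheduled task on a separate host if you can. Daily backups alone will not surface a planted file, since the rogue DLL is simply backed up along with everything else.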
Even scarier, their website was likely already on a database of vulnerable websites courtesy of the huge number of robots that are scanning the web looking for just this kind of vulnerability. This kind of exploit is public knowledge, and demands an immediate fix. So let's look at how I broke it all down for the prospective client. I'll tell you what needs to be done, and we'll summarize the costs afterwards.
Implement Cloudflare at the Domain Level
- Web application firewall: Cloudflare's WAF protects against a wide range of application-layer attacks. Every URL loaded from your domain passes through it and is evaluated for risk. Its managed rules cover the OWASP Top 10 list of vulnerabilities and are updated continuously.
- Configurable URL protection: Want your admin login screens to be reachable only from certain IP addresses? Configure that inside Cloudflare in the Page Rules area.
- Country level blocking: If you serve only customers from Canada, or just North America, why allow visitors from the countries that generate the most malicious activity? Set up country level blocking.
- Website speed improvements: Since every URL on your site runs through Cloudflare, including images, JavaScript and CSS files, those files can be stored in Cloudflare's CDN (content delivery network) and served faster to customers, with configurable caching levels that control whether a file is served from cache or fetched fresh from your server each time. We often see an instant 25% load speed improvement.
- Robot protection: Cloudflare detects the robots that scan websites for vulnerabilities and stops the scan before it starts. Its system contains an extensive database of IP addresses identified as robots.
- Server protection: With your DNS hosted at Cloudflare, your server's IP address is hidden and cannot be reached directly. A lookup of your website's address returns a Cloudflare IP address, not yours. This matters because it prevents attacks aimed directly at the server.
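As an added illustration of the URL protection, country blocking and server protection points above (my own example, not Cloudflare's code and not from the original post), here is a small Python simulation of those decisions. It also shows the check a practitioner wants on the origin side: hiding the server's IP only helps if the server itself refuses connections that do not arrive through Cloudflare's edge, since anyone who learns the origin address would otherwise bypass every rule at the edge. All IP ranges, countries and paths are constructed sample values, and the Cloudflare rule expressions in the comments are my rendering, to be checked against the current dashboard.

```python
# Added example, not code from the post or from Cloudflare. It simulates three
# of the controls above so the decision logic is visible; in production these
# live in Cloudflare WAF custom rules (edge) and in the server firewall (origin).
# Every IP range, country and path here is a constructed sample value.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed: office address range allowed to reach the CMS admin screens.
# Cloudflare expression (my rendering, verify in the dashboard):
#   (http.request.uri.path contains "/Sitefinity" and not ip.src in {203.0.113.0/24}) -> Block
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
ADMIN_PATH_PREFIXES = ("/sitefinity", "/wp-admin", "/wp-login.php")

# Constructed: the countries this business serves; everyone else is blocked.
# Cloudflare expression (my rendering): (not ip.geoip.country in {"CA" "US"}) -> Block
ALLOWED_COUNTRIES = {"CA", "US"}

# Constructed placeholder for Cloudflare's published edge ranges; load the
# real list from https://www.cloudflare.com/ips/ when you deploy this.
CLOUDFLARE_EDGE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Request:
    src_ip: str    # client address as seen by the Cloudflare edge
    country: str   # ISO 3166-1 alpha-2 code Cloudflare derives from src_ip
    path: str


def edge_decision(req: Request) -> str:
    """Edge rules: the cheap country rule runs first, then the admin-path rule."""
    if req.country.upper() not in ALLOWED_COUNTRIES:
        return "block:country"
    src = ipaddress.ip_address(req.src_ip)
    if req.path.lower().startswith(ADMIN_PATH_PREFIXES):
        if not any(src in net for net in ADMIN_ALLOWLIST):
            return "block:admin-ip"
    return "allow"


def origin_decision(peer_ip: str, headers: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Origin-side check. The TCP peer must be a Cloudflare edge address; only
    then is the CF-Connecting-IP header trustworthy as the real client address.
    A direct connection is rejected even if it forges that header."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in CLOUDFLARE_EDGE_RANGES):
        return ("reject:direct", None)
    return ("accept", headers.get("CF-Connecting-IP"))


if __name__ == "__main__":
    for r in [Request("192.0.2.5", "CA", "/about"),
              Request("192.0.2.5", "FR", "/about"),
              Request("192.0.2.5", "US", "/Sitefinity/Authenticate"),
              Request("203.0.113.10", "CA", "/Sitefinity/")]:
        print(r.path, r.country, r.src_ip, "->", edge_decision(r))
    print(origin_decision("192.0.2.5", {"CF-Connecting-IP": "203.0.113.10"}))
    print(origin_decision("198.51.100.7", {"CF-Connecting-IP": "203.0.113.10"}))
```

The origin check is the part most often forgotten: once the server firewall accepts only Cloudflare's ranges, a leaked origin address gives an attacker nothing to connect to, and the application can safely log CF-Connecting-IP as the client address.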
Scan for Vulnerabilities
To stay ahead of the robots looking for vulnerabilities, we must use the same tools they are using to detect problems on the website. This should be done on a monthly basis, as new vulnerabilities are regularly discovered.
In 2022 we did a review of some of the most popular vulnerability scanning systems and found that Tenable.io provided the most comprehensive reports, while detecting problems that other systems simply didn't find.
A deep vulnerability scan will often take 4-5 hours and we run them on scheduled intervals. We tell Cloudflare to whitelist Tenable.io to allow this scan to happen, as it normally blocks robots performing actions like these.
Scan for Vulnerabilities
Performing a scan is one thing, but taking action is another. Each month the scan results need to be reviewed and hours need to be invested into patching systems and implementing the security recommendations. The amount of time spent patching these vulnerabilities will be high in the beginning as the report will likely return numerous results. Over time, however, once your system is fully patched and up to date, the time required should decrease.
Implement Security Best Practices
We will need to make sure that your website and its various plugins are updated to the latest versions, and that you are implementing best practices such as two-factor authentication and even IP restriction, if possible. At the very least, you should use Cloudflare to restrict logins to your local country.
Some systems, like WordPress, make it quite easy to implement two-factor authentication, while others may require custom programming.
Hold Monthly Security Meetings
These meetings don't need to take long. Our security meetings with clients last less than 15 minutes on average as we review:
- The latest vulnerability scan and what was reported
- The status of to-do items from previous meetings
- Whether any urgent vulnerabilities are in the news
- Any new system programming changes
- That all users of the website systems are two-factor enabled
Now let's break down the cost.
Cloudflare
Per their pricing page, their Professional plan is $20/month when billed annually: $240 USD ≈ $325 CAD/year.
Tenable.io
As an agency with many clients using Tenable, we receive licenses at a lower bulk rate, since we pay a large annual fee for bulk licenses. The cost is $100/month for our clients. If you pay for this on your own, per their pricing page, you can expect up to $280/month. However, Tenable is one of many vulnerability scanning tools out there, and lower prices can be found. We anticipate costs in the neighbourhood of $100/month = Est. $1200/year
Our time
This is the monthly time required to manage Cloudflare, execute the vulnerability scans and implement the security items while meeting once a month to review. On average, expect approximately 4 hours/month. This is the annual average as early months will require a higher amount of time.
Est. 4 hours/month = 48 hours/year = Est. $8880/year
In summary, this works out to $10,405 per year.
It's a hefty cost for businesses, but unfortunately this is what it takes to be on top of security, else risk what we demonstrated above.
If your website is a critical component of your day-to-day business activities, we strongly recommend the suggestions above, particularly if you use software that you host yourself, such as WordPress or another CMS. The annual investment will outweigh the severe cost of the worst-case scenario: a targeted attack that cripples your company or holds your sensitive data for ransom.
For smaller, less mission-critical websites, I still recommend the low monthly cost of the Cloudflare subscription, while your vulnerability scan can be performed annually rather than monthly. Lastly, if you're on a third-party platform such as Shopify or Squarespace, there is no need for this level of security, as they handle the codebase and security for you.
I hope this helps! If you'd like a complimentary scan of your website's vulnerabilities, or just a quick chat about security, reach out to me on LinkedIn.
Chris