An Introduction to Defending Your Business Against Today’s Most Common Cyber Attacks
When web applications are breached, enormous amounts of sensitive business data can be lost. According to Verizon’s 2014 Data Breach Investigations Report, web application attacks more than doubled in 2013 to become the #1 cause of security incidents.
These types of attacks can occur at organizations of all sizes and levels of IT sophistication, and can affect tremendous amounts of data. In the spring and summer of 2013 alone, there were numerous high-profile web-related security incidents. Attackers were able to steal passwords from a site run by NASDAQ, the second breach at NASDAQ in recent years. Shortly thereafter, Apple’s developer website was breached, placing registered developer names and mailing addresses at risk.
Web applications are popular targets because:
- They are accessible to almost anybody in the world.
- They are a conduit to an enormous amount of valuable data.
- They are commonly riddled with weaknesses.
If you’re like many organizations, your IT teams and developers have very little time or resources to devote to performing security tests (particularly manual ones).
When security testing does get done, it tends to be focused on the highest-profile web applications, leaving the security of other apps to chance. Even then, testing can be sporadic, enabling vulnerabilities to creep in unnoticed and create opportunities for exploits.
The financial impact of such exploits is substantial: according to the Ponemon Institute’s 2013 Cost of a Data Breach Study, U.S. breaches cost $188 per record stolen, with an average total cost of $5.4 million per incident.
Fortunately, most web application attacks follow a small number of patterns.
The most common classes of web application vulnerabilities
Like other application flaws, web application security defects arise during software development. The Open Web Application Security Project (OWASP) Top 10 provides the de facto standard for categorizing web app vulnerabilities (see appendix). The most common types include:
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is one of the most widely found and dangerous vulnerabilities in web apps. XSS can have a big impact on your organization because it enables attackers to send untrusted code to users’ web browsers under the guise of your business’s legitimate app. This enables attackers to execute scripts in victims’ browsers to hijack a session or download malware to take full control of their system. XSS vulnerabilities have been found by researchers to exist in the websites of security vendors, marketplaces, payments providers, merchants, and social networks.
Injection
Injection attacks come in many different flavors, including SQL injection, command injection (inserting system commands into a form field), and many others. SQL injection attacks are among the most widely known. Attackers send malformed inputs to your application (for example, adding extra characters to the end of a type-in field), which then get passed to a database. The maliciously formatted input tricks the database into returning excess information or performing unwanted actions. This type of attack has been used to expose hundreds of millions of records containing personally identifiable information (PII) and credit card data; it can also be used to modify or delete sensitive data, sometimes without your ever knowing.
Fortunately, you can combat these and other vulnerabilities by following a few straightforward best practices and employing new automated technologies.