Interview: Defending against the threat of web vulnerabilities

Security threats are everywhere these days, with irreparable brand damage, unhappy customers and financial loss being just a few of the consequences.

Vulnerabilities are continuously being exploited as the web grows and hackers are also becoming smarter, meaning businesses of all sizes have a bigger job on their hands trying to protect their data than ever before.

We spoke to Johnathan Kuskos, Threat Research Center Manager at WhiteHat Security, about the threat of web vulnerabilities and what companies can do to protect themselves.

How well do you think companies are dealing with security threats? Does it vary much between sectors?

Companies are not taking web vulnerabilities seriously. In our latest research of over 30,000 websites, 86 per cent had at least one serious vulnerability where an attacker could compromise the system and cause serious commercial or reputational damage.

What is really shocking however, is that it took an average of 193 days to remediate 61 per cent of these vulnerabilities. This means that 39 per cent of flaws were never closed, leaving many businesses open to attack. This is precisely why we continuously see breaches making the headlines.

These statistics are obtained from our customers – the people who are using a solution to pro-actively look for vulnerabilities. When you compare that to businesses who aren’t looking for vulnerabilities, it’s scary to think how many open vulnerabilities there could be.

What is a web vulnerability?

A vulnerability is a weakness in a system or product that allows an attacker to compromise it - for whatever reason they may have, be it financial gain or malicious intent. Vulnerabilities come in many different forms from SQL injection to Cross Site Scripting (XSS).

When exploited, detrimental effects often occur. News stories appear every week, reporting on companies whose systems have been compromised. Vulnerabilities are continuously being exploited as the web grows and hackers are becoming smarter. If there is one thing you can be certain of, it’s that if you have vulnerabilities, hackers will find and exploit them.

What is your most memorable web vulnerability?

Over the past few years, we have seen some big web vulnerabilities. By far the most notable is Heartbleed - one of the most severe vulnerabilities to endanger encrypted SSL communications.

Months after the critical Heartbleed vulnerability was announced in OpenSSL, hardware and software vendors were still identifying affected products and releasing updates.

Which businesses should be thinking about web vulnerabilities?

If you have a website then you should be thinking about web vulnerabilities. Hackers are getting smarter and the web is growing at an alarmingly fast rate.

Nearly every business or organisation has a website these days and each is open to attack if these vulnerabilities aren’t identified and patched.

How common are web vulnerabilities?

Vulnerable code is everywhere and it’s often around for a long time before it gets fixed. Vulnerabilities in websites are incredibly common, even amongst the largest brands breaches have become an everyday occurrence.

Many businesses are still unaware of online business risks, or have delayed taking appropriate action when they’ve found vulnerabilities, which is unfortunate for them and their users.

What advice would you give companies to better deal with vulnerabilities?

The best way to deal with web vulnerabilities is to proactively check for and report them before they are exploited. Companies should think about moving towards a more agile development lifecycle.

There should be a solid feedback loop between production and coding so vulnerabilities can be identified and remediated more quickly.

Do you think companies need to take vulnerabilities more seriously or is there a lack of awareness?

I don’t think a lack of awareness is an excuse anymore. Major companies and government bodies are being hacked all the time. Big breaches in organisations like Sony and Edinburgh Council are continuously making the headlines and I doubt that people aren’t aware of them.

I think it’s a lack of understanding. For example, you see companies that take people out of their financial auditing department and put them into the computer security auditing world which isn’t familiar to them. All of a sudden they are doing PCI audits and their understanding isn’t good enough to do the job properly. A lot of companies haven’t realised that they have to free up some budget to protect themselves properly.

How can IT security staff push for better security in their company?

Companies that do excel in this area are the companies that are moving towards a risk-based approach of prioritisation.

If you are in charge of security in your company, you need to be able to talk about the potential risk in terms of costs. If you can put the conversation in terms of the money you could save in potential risk by investing £10,000 in security, compared to the millions you could lose if you are breached, your argument will be much more convincing.

We see a lot of success with this kind of conversation, rather than trying to explain to your management what a SQL injection is.

What kind of security threats can we expect in the future?

The big trend that we’ve seen in the past year, and one I can’t see slowing down anytime soon, is attacks on encryption. Privacy is the hot topic of the year, especially since the Snowden disclosures.

There’s been a lot of research and many attacks on things like SSL, Heartbleed and Poodle. These are major vulnerabilities that allow hackers to spy on encrypted web traffic and I imagine they are only going to increase. I think it’s going to be a race to get encryption up to scratch before these vulnerabilities are exploited.

I wouldn’t be surprised if before the year is over we see another major vulnerability exploited. For hackers, the return on investment is so high - if you are able to de-crypt all of the Internet’s encrypted traffic then you are sitting on a gold mine.