Skip to main content

It's time for medium-sized business to wake up to web security

This article was originally published on Technology.Info.
As part of our continuing strategy for growth, ITProPortal has joined forces with Technology.Info to help us bring you the very best coverage we possibly can.

For channel partners that cover the midmarket, web application security has historically been looked at as a problem that impacts the large enterprise and e-commerce providers. Small to mid-sized businesses were thought to be relatively safe from these types of attacks, but unfortunately the data tells a different story.

Over half of all organisations have experienced a web application breach in the past year, and many of these incidents led to severe financial losses for the targeted companies.Virtually every security professional has read the news stories – the wave of hacktivist attacks in 2011 that brought down dozens of corporate and government sites, the DDoS attacks in 2012 that disabled many local, national and international banking sites, and several massive web breaches that resulted in millions of compromised passwords and credit card numbers. Hackers easily danced around network security defences, like firewalls and intrusion prevention systems (IPSs), to take down popular websites.

Hidden behind the front page headlines, though, lurk tens of thousands of unreported breaches – unexplained website outages, temporary website defacements, small-scale fraud incidents – that never make their way into news articles. This is because cybercriminals don’t just target brand name companies; they are equal opportunists, constantly seeking out vulnerable sites to compromise, disable, or deface. And their weapons of choice are technical web attacks, business logic attacks, and fraud. Mid-market companies are now starting to ask their partners why this is happening and how can they mitigate the risk to their business.

Technical web attacks

If hackers were surveyed about their favourite attack vectors, technical web attacks, like SQL injection and cross-site scripting (XSS), would undoubtedly top the list. And this assumption is borne out by analyses of hacker forums and application attack traffic. In fact, SQL injection alone accounted for almost one fifth of all hacker forum discussions.And, according to security research, up to 97 per cent of data breaches worldwide are due, at least in part, to SQL injection.

To accelerate the rate of technical web attacks, cybercriminals have become “industrialised.” They leverage a combination of off-the-shelf attack toolkits, infected ‘bots,’ and search engines to quickly find and exploit web application vulnerabilities. The industrialisation of hacking has made technical attacks much more automated and dangerous.

Business logic threats

Hackers aren’t stopping at traditional web attacks; they’ve moved on to business logic attacks and fraud. Today, hackers exploit business logic flaws to post advertisements in online forums. They scrape websites for valuable intellectual property. They perform repeated brute force attacks. They use wildcards in search fields to bring applications to a screeching halt. These attacks have left many organisations at their wits’ end, because application scanners cannot detect business logic flaws and secure development processes usually cannot mitigate them.

Online fraud

In addition, hackers have turned their sights to unsuspecting website visitors, infiltrating millions of computers with malware like Zeus and SpyEye. This malware steals user credentials and hijacks sessions by tracking keystrokes and manipulating website content. While the malware targets end users, the true victims are the website owners; often banks and ecommerce sites, which must pay fraud restitution costs.

Together, web application attacks, business logic attacks, and fraud can cost organisations millions of dollars. Breaches stemming from web-based attacks can result in brand damage, customer churn, lost revenue, fines, and lawsuits. Many victims of web-based attacks have invested in customer notification and credit card monitoring services for their customers. And, in several instances, large-scale breaches have even driven companies out of business.

Web application firewalls are strategic for business

Web application firewalls have become the central platform for protecting applications against all online threats including technical web attacks, business logic attacks, and online fraud. Web application firewalls understand web usage and validate input to stop dangerous attacks like SQL injection, XSS, and directory traversal. They block scanners and virtually patch vulnerabilities. And they rapidly evolve to prevent new attacks and to keep critical applications safe.

Because web application firewalls are strategic, every organisation must carefully evaluate the products’ security, management, and deployment capabilities.