Nowadays it is possible to do almost anything from a Web browser, thanks to the expansion of cloud computing. Previously, users had to download, install and run programs for almost any task. Yet now, thanks to Web applications, simply having a browser is sufficient: we use Web applications to check email, make presentations, watch TV series and movies, edit images, etc., both at home and at work.
In the sights of cybercriminals
The increasing proliferation of Web applications has not gone unnoticed by cybercriminals. In recent months, these applications have gained popularity as a vector for attacks in numerous security incidents. The Verizon Data Breach Report 2017 highlights two figures that illustrate how popular these attacks have become: almost 3 out of 10 security breaches were caused by attacks on Web applications, and the rate of security breaches stemming from Web application security flaws increased by 300 percent between 2014 and 2016.
In a world that now goes around thanks to Web applications, those with inadequate security have become highly attractive targets for cybercriminals who want to find a simple way of infiltrating corporate networks. Although companies benefit in various ways from the capabilities of Web applications, the prevalence of security vulnerabilities is exposing companies to significant risks. The most revealing case of the negative consequences of not ensuring the security of such tools is that of Equifax.
The Equifax case: the data of more than 147 million customers exposed
The security breach suffered by this credit reporting company in September 2017 was one of the biggest data thefts in history. The company initially admitted that the data of some 145.5 million users had been leaked, but has since revised that figure up to 147.9 million.
The question is though, could such an attack have been prevented? The answer is simply yes. Equifax left the door open to cybercriminals by not updating Apache Struts, an open-source Web application development framework. Because the available patches were not applied, a known vulnerability allowed attackers to obtain the social security numbers, postal addresses and even driving license numbers of millions of people. This illustrates how the failure to follow basic security measures, such as patching the software used by a company, can have tremendous consequences. As Zane Lackey, a leading expert in Web application security, explains, there are two lessons to be learned from the attack on Equifax. Firstly, that 99 percent of the time attacks happen due to common and simple errors: unpatched systems, weak passwords, malware on an endpoint, etc. And secondly, that security risks have shifted from the network to the application and endpoint layer.
The time has come to protect Web applications
If you don’t want your company to become the next Equifax, you should keep an eye out for these types of common attacks and take appropriate measures to keep them at bay.
According to Imperva, cross-site scripting or XSS vulnerabilities accounted for the highest number of Web application vulnerabilities in 2017. In fact, they have doubled in number compared to 2016. These attacks inject malicious scripts into vulnerable websites and allow attackers to steal sensitive data or even take control of devices. Imperva predicts that they will continue to be the most frequent attacks in 2018.
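To make the XSS mechanism concrete, here is an added example (not code from the original post or from Panda Security) that renders a constructed user comment twice: once by pasting the raw string into the page, and once by HTML-encoding it at render time, which is the "store raw data and encode it when rendering" practice recommended further down. The comment text, the function names and the page template are all assumptions made for the example.

```python
import html

# Constructed sample: a comment submitted to a web application. It contains a
# script tag, the textbook marker used to test for cross-site scripting.
USER_COMMENT = '<script>alert("xss")</script> nice article'


def render_unsafe(comment: str) -> str:
    """Vulnerable: the raw string is pasted straight into the HTML page.
    A browser parses the <script> tag and executes it in the site's origin."""
    return f"<p class='comment'>{comment}</p>"


def render_safe(comment: str) -> str:
    """Hardened: the data is stored raw but HTML-encoded at render time, so the
    browser displays the characters instead of executing them."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def contains_script_tag(page: str) -> bool:
    """Small check used here only to show the difference between the two outputs."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(USER_COMMENT))
    print("safe:  ", render_safe(USER_COMMENT))
```

`html.escape` is the right encoder for HTML body and attribute context only; data placed inside a JavaScript block, a URL or a CSS value needs the encoder for that context, which is why templating engines that auto-escape per context are preferable to hand-written string formatting.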
Another frequent attack is SQL injection. The SQL language is so commonly used to manage and share information across applications that cybercriminals see it as a perfect opportunity to perform attacks by inserting their own SQL commands into the queries an application sends to its database. As many servers that store critical data for Web applications use SQL to manage communication with that data, attackers supply input that, when concatenated into a query, lets them read, edit or delete this information.
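The following added example (written for this article, not code from the original post) shows the difference between building a query by string concatenation and using a parameterised query, using Python's built-in sqlite3 module against a constructed in-memory table. The table contents, the function names and the test input are assumptions made for the example.

```python
import sqlite3

# Constructed sample database: three users and their roles. In a real
# application this would be the production user store.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: user input is concatenated into the SQL text, so any quote
    characters in the input become part of the statement itself."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a parameterised query sends the input as a bound value; the
    database engine never parses it as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed input of the kind a tester uses to demonstrate the flaw: it closes
# the string literal and appends a condition that is always true.
INJECTED_INPUT = "nobody' OR '1'='1"


if __name__ == "__main__":
    conn = build_db()
    print("unsafe:", lookup_unsafe(conn, INJECTED_INPUT))   # every row
    print("safe:  ", lookup_safe(conn, INJECTED_INPUT))     # no rows
    print("safe, real user:", lookup_safe(conn, "alice"))
```

With the concatenated query the WHERE clause becomes `username = 'nobody' OR '1'='1'` and every row comes back; with the bound parameter the engine looks for a user literally named `nobody' OR '1'='1` and finds nothing. The fix is the same in any language: never build SQL text from untrusted input, and pass values through the driver's placeholder mechanism.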
In addition to the danger of external Web applications, internal Web applications also pose serious security risks, and they are an even easier target once an attacker has managed to gain access to the internal network.
To ensure the security of your company is not compromised by vulnerabilities in Web applications, the priority must be to design these applications securely from the outset. To this end, you can follow these tips: store data in its raw form and encode (escape) it when rendering it, avoid non-secure frameworks (or keep the ones you use updated, unlike Equifax!) and avoid JavaScript calls that bypass that encoding, etc. You should also provide developers with tools that let them see how their Web applications are being attacked, so they can react accordingly.
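As an added illustration of the last tip, giving developers visibility into how their applications are being attacked, here is a small log scanner (written for this article, not a Panda Security tool) that parses constructed Web server access-log lines, URL-decodes each request path and flags the XSS and SQL injection probes described above. The log lines, the indicator patterns and the function names are all assumptions for the example; a real WAF or RASP product uses far richer rules.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of access-log lines in common log format. Three of them
# carry the kind of input discussed above (one XSS probe, two SQL injection
# probes); the other two are normal traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2018:10:01:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 5120
10.0.0.7 - - [10/Mar/2018:10:01:09 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5201
10.0.0.9 - - [10/Mar/2018:10:02:17 +0000] "GET /user?id=1%27+OR+%271%27%3D%271 HTTP/1.1" 500 312
10.0.0.5 - - [10/Mar/2018:10:02:30 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.9 - - [10/Mar/2018:10:03:44 +0000] "GET /product?id=3+UNION+SELECT+username%2Crole+FROM+users HTTP/1.1" 500 298
"""

# Fields of the common log format that the scanner needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Deliberately simple indicator patterns applied to the decoded request path.
INDICATORS = {
    "xss": re.compile(r"<script|javascript:|onerror\s*=", re.I),
    "sqli": re.compile(r"'\s*or\s*'|union\s+select|--\s*$", re.I),
}


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded path matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scanner
        decoded = unquote_plus(m["path"])  # attackers URL-encode payloads
        for name, pattern in INDICATORS.items():
            if pattern.search(decoded):
                findings.append({
                    "ip": m["ip"],
                    "type": name,
                    "status": int(m["status"]),
                    "path": decoded,
                })
                break
    return findings


def offenders(findings: list) -> dict:
    """Count findings per source address so repeat probing stands out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']:10} {f['type']:5} {f['status']} {f['path']}")
    print("requests per source:", offenders(results))
```

The decode step matters: without it the `%3Cscript%3E` in the second line would never match. The status codes are also worth keeping, because an injection probe that returns 500 tells the developer the input reached the database layer rather than being rejected at the edge.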
Another essential measure is to encrypt all data. WAFs (Web application firewalls) are not a panacea and will not provide 100 percent protection, but encrypting stored information can frustrate attacks that get past them.
Finally, install a security solution that provides detailed visibility into all the activity that takes place on endpoints, continuously monitoring all running processes and applications. Panda Adaptive Defense protects you from the dangers of Web applications and prevents your company from becoming the next Equifax.