With all the news coverage that security-related incidents receive, it may often feel like we are in a constant state of war against hackers. This thought is not that far off, as receiving a personal breach notification now seems like a rite of passage into adulthood. Though mitigations such as password complexity rules, virus and malware protection, and multifactor authentication are important, they can also lead to a false sense of cybersecurity. Most modern attacks do not rely on a single exploit. Though vulnerabilities can reside in the application, the operating system, or the hardware (firmware), attacks often chain together a combination of seemingly unrelated conditions in the part of a system you least expected (vectoring).
A few common examples of web application attacks include:
SQL Injection – A long-standing attack vector. A web form lets the user enter a piece of data (such as a check number to search for), but the application does not prevent an attacker from entering SQL commands that reach the back-end database server, which can permit displaying more information than intended and/or deleting it.
Cross-Site Scripting (XSS) – Another very common attack vector. Many websites that accept comments are vulnerable if the designers did not code defensively for this. An attacker can inject script into the page to make the website behave differently, or even obtain login information by reading the visitor's browser cookies.
Man-in-the-Middle – This method used to be considered impractical but has recently resurfaced due to certain SSL certificate issues. The attacker sits between the two ends of a web connection and holds a separate "secure" session with each side. The sender and receiver get the impression that their data is encrypted end to end, while the attacker in between sees it in its native, unencrypted state.
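As an added illustration of the SQL injection example above (this is not code from the original post): a "check number search" written two ways against a constructed in-memory SQLite table, one that splices the form value into the SQL text and one that binds it as a parameter so the database treats it strictly as data.

```python
import sqlite3

# Constructed sample data standing in for the check-search back end.
CHECKS = [
    (1001, "acct-111", 250.00),
    (1002, "acct-111", 75.50),
    (2001, "acct-222", 1200.00),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory table the two search functions query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checks (check_no INTEGER, account TEXT, amount REAL)")
    conn.executemany("INSERT INTO checks VALUES (?, ?, ?)", CHECKS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, check_no: str) -> list:
    """Vulnerable pattern: the form value becomes part of the SQL text,
    so any SQL syntax it contains changes the meaning of the query."""
    query = f"SELECT check_no, account, amount FROM checks WHERE check_no = '{check_no}'"
    return conn.execute(query).fetchall()


def search_safe(conn: sqlite3.Connection, check_no: str) -> list:
    """Hardened form: a parameterized query. The driver binds the value
    separately from the statement, so it can never alter the query structure.
    Validating that a check number is all digits adds a second layer."""
    if not check_no.isdigit():
        return []  # reject anything that is not a plausible check number
    query = "SELECT check_no, account, amount FROM checks WHERE check_no = ?"
    return conn.execute(query, (check_no,)).fetchall()


def compare(conn: sqlite3.Connection, form_value: str) -> tuple:
    """Return (rows from vulnerable search, rows from safe search) for one input."""
    return search_vulnerable(conn, form_value), search_safe(conn, form_value)


if __name__ == "__main__":
    db = make_db()
    for value in ("1001", "' OR '1'='1"):
        bad, good = compare(db, value)
        print(f"{value!r}: vulnerable={len(bad)} rows, safe={len(good)} rows")
```

The normal lookup returns one row either way; the second input makes the concatenated query return every check in the table, while the parameterized version returns nothing.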
If you review the top five attacks from year to year, it becomes apparent that cybersecurity is a very active process (no two years are the same). In order to properly secure applications, it is imperative that you ensure your application vendor or contract developers periodically perform:
- Secure Application Development Training
- WAVE (web application vulnerability examination)
- External Penetration Test
- External Audits (SOC, PCI, etc.)
- IT Hardening & Patching (address zero-day exploits)
- Data Criticality and Risk Assessments
Many of the above practices are expensive and may be outside the reach of smaller or contract developers, but they are imperative to mitigate attacks. When it comes to security, however, you are only as strong as your weakest link. Additionally, some steps your institution can take include:
- Catalogue and review all installed applications (from commercial to custom).
- Review data storage requirements (you cannot lose what you don't have).
- Assess all vendors (ensure they are following the secure development practices).
- Perform employee security training (involve all employees in security awareness).
- Consider hosted applications/networks (are applications housed in a resilient location?).
Web application security is nothing new. Though there is no 100% guarantee of safety, with proper and diligent mitigation we can make it undesirable for attackers to even try. As a police officer once said to me when I asked, “What is the best lock I can get for my front door?” he simply stated, “None, get a dog.”