The open nature of the web has led to a rapidly changing threat landscape. John Stock with Outpost24 discusses how to address the balance of proactive and reactive security to protect against vulnerabilities in today’s environment
Over the past year, the number of organizations falling victim to high-profile data breaches through network and web-based vulnerabilities has increased substantially. As a result, media attention, public interest and awareness around topics such as data protection and IT security have grown, to the extent that we now see stories of this nature on an almost-daily basis.
Indeed, in 2011, widely renowned companies, such as Sony, Nasdaq, eHarmony and Play.com, all hit the headlines with cybercriminals exploiting vulnerabilities to gain access to sensitive information.
Although the rise of the web as a major attack vector comes as no surprise, most companies are not reflecting this change by doing more to proactively protect themselves.
The True Cost of Security Breaches
The Ponemon Institute estimates the cost of an average data breach to be $2.67/£1.68 million per incident; however, this doesn’t take into account the cost of reputational damage to the company in question, future business lost, and the risk of scaring away existing customers.
With the tools to execute these kinds of attacks now becoming more readily available and affordable, the growing potential of security breaches is a very real threat.
The Changing Threat Landscape
The open nature of the web makes it relatively easy to develop new applications, and these programs are comparatively simple to exploit if not properly protected. The majority of companies continue to weight their security investments in favor of reactive security measures, for example, anti-virus software, encryption and intrusion protection. Whereas these technologies are essential when it comes to enterprise security strategies, it’s becoming increasingly important for companies to also proactively address the new wave of web vulnerabilities that are affecting systems today.
The majority of external attacks now arise from vulnerabilities in web applications resulting in cybercriminals gaining control of them. This enables easy access to business processes and information. The 2011 Sony hack was a result of an SQL injection, which allowed the hackers to exploit a vulnerability in the database layer of a web application. They then injected their own malicious code in order to ultimately access privileged information.
For a company the size of Sony, it’s admittedly harder to protect every inch of the potential attack surface; however, this attack highlights the need for rigorous, proactive vulnerability scanning and monitoring, to enable organizations to identify potential weaknesses, rather than leaving the door wide open to an attack.
In the past, many companies have turned to white-hat hackers to carry out manual testing of website and web application security. Although ethical hacking allows companies to gain insight into real-life attempts to penetrate enterprise security, it’s a costly and time-consuming process. This means that, for most companies, it’s only carried out on an annual basis, leaving long periods of time when companies are dangerously exposed to new vulnerabilities.
A combined approach of running regular internal and external network scans, as well as manual penetration testing, helps companies minimize the risks of threats posed to websites and applications. Vulnerability scanning software mimics the role of a malicious hacker, looking to exploit weaknesses in system architectures, and indicates what can be done to repair any weaknesses.
Readdressing the Balance
The recent spate of attacks from notorious anti-sec groups, which show no sign of easing up, have not been particularly sophisticated. Rather, they’ve been a result of basic errors and oversights in security. As the potential attack surface continues to grow – especially when companies work with third-party partners that cannot guarantee the same security standards – it’s becoming more and more important for companies to reassess their security priorities and budgets to ensure optimum protection for customer and corporate data.
At a time when many enterprises are reluctant to increase IT security spending, web security receives a relatively small proportion of IT security budgets, despite the web emerging as a key vector for attack. By setting up a vulnerability management program, companies can conduct regular scans to proactively monitor and indentify potential weaknesses, rather than allowing the bad guys to find the weakness for them.
John Stock has worked for Outpost24 as a senior security consultant for three years, providing both customer support as well as professional services, such as penetration testing. Prior to his role at Outpost24, he spent ten years working for one of the UK's largest utility companies, with roles as a Windows systems administrator, network engineer, and finally as a senior security engineer. Stock holds a BSc in computer systems and networks.