Web applications with high risk security issues up 10%

In the charity and not-for-profit sectors, the number of security vulnerabilities found more than tripled between 2008 and 2009. NTA Monitor clients in the services sector had the highest number of high risk security issues per test, despite seeing a decrease in the average number of threats.

Utilities and the legal sector clients, on the other hand, had no high risk security vulnerabilities.

NTA Monitor said the three most common high risk security issues were:

  • An SQL injection attack enabling attackers to modify the database queries issued by an application
  • A cross-site scripting attack enabling an attacker to run script of their choosing in a user’s browser, in the context of the vulnerable site
  • A cross-site request forgery attack enabling a hostile website to make arbitrary HTTP requests to an application on behalf of a logged-in user.
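The first two issues in that list are easiest to see side by side in code. The following is an added example, not code from the article or from NTA Monitor: an in-memory SQLite table stands in for the application database, and the table name, the column names and the `' OR '1'='1` payload are constructed for the demonstration. It shows an injectable query beside a parameterised one, and the output encoding that stops a stored name from being interpreted as markup by the browser.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three accounts, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("root", "admin")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Injectable: the input is spliced into the SQL text, so the attacker
    can change the shape of the query rather than just its value."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised: the query shape is fixed by the application and the
    input is bound as a value, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name: str) -> str:
    """Output encoding for the browser: a stored or reflected name is
    escaped at the point it is written into HTML, so '<script>' arrives
    as text, not as an element."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # constructed injection payload
    print("vulnerable:", find_user_vulnerable(db, payload))  # every row, incl. root
    print("safe:      ", find_user_safe(db, payload))        # no such user
    print(render_greeting("<script>alert(1)</script>"))
```

The point the article's sanitisation advice glosses over: filtering input helps, but the reliable defence against SQL injection is never building query text from untrusted data at all, and the reliable defence against cross-site scripting is encoding at output time for the context (HTML body, attribute, JavaScript, URL) into which the data is written.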

“All user-supplied data should be properly sanitised before returning it to the browser or storing it in a database. This reduces the threat of SQL injection, which is a consistently prevalent high risk throughout 2008 and 2009”, said Roy Hills, technical director at NTA Monitor.

In addition to sanitising user-supplied data, NTA Monitor said organisations should switch from a persistent authentication method (where cookies, for example, are used to authenticate users) to transient authentication (usually using a hardware token to continuously confirm the user’s presence) to help prevent cross-site request forgery attacks. An account lockout mechanism should also be in place to help prevent attackers from brute-forcing user accounts.
