Traditional network firewalls are being circumvented with attacks aimed directly at Web applications. These Web-based attacks are targeted at Web servers, Web forms, business and financial applications, e-commerce applications and blogs.
According to security specialist, Eric Wolff, the threat is growing. It is believed that 73% of Web vulnerabilities have been ranked as "easy to exploit", with a 90% increase in reported Web attacks in 2006. 75% of these attacks targeted application vulnerabilities.
Network-level security cannot detect, let alone prevent the majority of Web application attacks. This is despite valiant attempts to improve various popular network firewall products to provide attack prevention capabilities.
The reality is that protection from a Web application attack requires a firewall to understand application language as well as the basic constructs of Hypertext Markup Language or html - which many of these products do not offer. This leaves many companies with a false sense of security, unprotected from attacks on their Web applications.
It has been estimated that on any given day, the security of between 150 and 2 000 Web sites is compromised by hackers. Companies exploited by Web application attacks have faced the costly challenges such as business reputation risk, business continuity threats and damage to their brands.
Malicious attacks
A recent example of a large-scale use of a Web-based attack, known as the "Italian Job", took place during June. In this malicious attack, a program was used to deliver a Trojan downloader to any unsuspecting user. The Trojan downloader subsequently downloaded a larger Trojan, which in turn downloaded a key-logger - essentially a software tool that captures the keystrokes of users.
It is estimated that by mid-day on Monday, 18 June, anywhere between 3 000 and 10 000 servers were compromised. Many ordinary Web sites, without sufficient Web application protection, such as travel agencies, hotels and charities, were infected. Users of the Web sites infected with the "Italian Job" fell prey to extensive identity and credit card theft.
Web applications have definitely reshaped the business world for the better by making e-commerce, online banking and customer portals possible. By moving business-critical applications and services to the Web, organisations have extended the boundaries of the business - opening it up to enhanced interaction with customers, suppliers, partners and employees.
Beware the pitfalls
Web applications have definitely reshaped the business world for the better by making e-commerce, online banking and customer portals possible.
Nick Keene is country manager at Citrix Systems Southern Africa.
But there is also a serious drawback to an increased reliance on Web applications - they are inherently insecure and easily compromised.
Statistically, the two most common forms of Web application attacks are Structured Query Language (SQL) injection and cross-site scripting (XSS). SQL injections send commands to a Web application that when passed to databases, executes and allows the hacker to gain access or change customer and sensitive information.
An increasing number of sophisticated phishing attacks use XSS vulnerabilities in Web applications to present consumers with a blended site that is a mix of the real Web site and the malicious Web site. By leveraging XSS, a fraudster can overlay the legitimate Web site and inject a data capture form even though the consumer has entered the correct Web address.
In order for companies to protect the integrity of their data, it is imperative that they seek the right solution for delivering applications securely - in essence protecting their business applications from attack.
This level of protection is achieved by ensuring security is an inherent part of an organisation`s application delivery strategy and not just confined to one area.
An organisation wanting to ensure the integrity of its Web applications should observe the following key security components to prevent and pre-empt malicious attacks and possible misuse. Companies should protect both users and application infrastructure, guard against zero-day stacks or breaches that exploit vulnerabilities in custom application code, prevent sensitive data from slipping through by inspecting outbound traffic and not blocking traffic that poses no threat.
These four key guidelines will assist companies to better protect Web applications from attack and misuse. However, there are still a number of organisations that have a `tick-in-a-box` approach to security and are not aligning its importance with their business objectives.
The Internet is a huge business driver as more South African companies embrace Web 2.0 and the online community. With Web applications extending the boundaries of an organisation, appropriate controls must be in place so that secure and well-managed access to business information - wherever it resides - is protected and trusted at all times.
* Nick Keene is country manager at Citrix Systems Southern Africa.
Share