5 Common Web Security Mistakes That Cost Millions
Protracted legal ramifications, dramatic loss of business and incalculable recovery costs are just a tip of the breached websites iceberg.
Thursday, November 14, 2019
Your web application security is a big deal. Gartner says that applications, not the infrastructure, represent the main attack vector for data exfiltration, while Verizon estimates that over 85% of hacking vectors target your web applications. With the rise of AI for application security testing, some fundamental problems continue causing the most devastating data breaches:
1. Lack of Visibility
Gartner estimates that by 2020, over 30% of successful attacks suffered by enterprises will be on data located in shadow IT resources, such as abandoned, forgotten and legacy applications.
The root cause of modern data breaches is incomplete or outdated inventory of your digital assets – you cannot protect what you don’t know. IoT, big data, containers, cloud and public ledger technologies add an extra complexity layer to the convoluted intricacy. Simultaneously, organizations face a merciless growth of severe compliance burden. Overhyped GDPR is a remarkable example how to unwittingly unleash a parade of horrors alongside with the contemplated benefits. Unfortunately, albeit predictably, most organizations have no viable choice but to strive for paper-based compliance, postponing factual security. Global cybersecurity skills shortage exacerbates the situation leaving organization understaffed and unequipped to tackle the incremental complexity of data access and privilege management.
Implement Attack Surface Management to keep an eye on and promptly react on any newly deployed code, nodes, subdomains or other web infrastructure. A coherent shift to a DevSecOps approach for your application development is a crucial milestone to pen into your agenda.
2. Outdated Software
The largest hacking campaigns in 2018 involved publicly disclosed and unpatched security vulnerabilities according to TrendMicro. Surprisingly, but there is virtually no substantial improvement of patch management for web applications today compared to a decade ago. Worse, in many large companies the situation has considerably deteriorated, de facto getting out of control. A growing number of external and internal web applications, often with custom configurations or unknow Open Source Software components, make their maintenance an arduous task. Modish APIs is the foggiest realm, where tailor-made software neighbors with abandoned commercial software that may serve as a museum of publicly disclosed, although unpatched, vulnerabilities.
Main websites and customer-facing applications are more or less well-protected, but all the surrounding web hosts are usually a gross disaster. The problem is that these hosts often have a privileged access to the same databases with customer data and other corporate crown jewels. Attackers will never sweat in a frontal attack of your castle but will rather find a secondary system left unattended and then easily get in using a passage tubing to the heart of the unconquerable castle.
Once you have a comprehensive and up2date asset inventory, make sure you a crystal-clear cognition which software is used on each of your web applications and web servers. Continuous security monitoring shall be properly implemented to notify your developers in a timely manner about any newly disclosed vulnerabilities for a priority-based remediation.
3. Careless Third Parties
Nearly half of companies suffer data breaches at hands of vendors, yet only half of firms discontinued their relationship with the guilty vendors, and 69% failed to update their risk policies after a breach according to eSentire report.
Western businesses strive for profitability on a turbulent global market by outsourcing website development and maintenance to third parties, often considering a cheapest offer floating on the marketplace. Frequently, the low-cost baits have no competitive advantage such as a technology or a patented process but blunt avoidance of cybersecurity and data protection spending. You get what you pay for, often the output is a substandard application riddled with a copy-pasted code, not that infrequently copied without permission thereby giving a raise to a copyright infringement claim. Some negligent software developers will carelessly upload their code into public code repositories, exposing your passwords and secret keys. Omitting quality and maintainability of such code, these companies rarely invest into their own security. Shrewd attackers won’t miss such a windfall to effortlessly get into your digital realm by hacking your next low-cost software provider.
Talk to your corporate counsel to develop, promulgate and enforce a third-party risk management policy, ensuring both practical data protection in accord with applicable law and an actionable legal remedy available in case of a breach.
4. Weak and Reused Passwords
Verizon says that weak and stolen passwords are to blame for over 80% of the reported data breaches. Worse, over 21 Million of stolen login credentials belonging to Fortune 500 companies are readily available in the Dark Web in 2019. Nowadays, many external parties have a legitimate access to your web applications and data. The situation is steadily aggravated by numerous integrations and data synchronization processes that are quite burdensome to monitor and safeguard.
First thing cybercriminals will do to steal your data - is to search for your employees’ or suppliers’ passwords in mushrooming public, or semi-private, hacked passwords databases. Most organizations still fail to enforce holistic access management, proper password policy and 2FA with OTP for business-critical systems. Others rather do so in a counter-productive way, eventually forcing their employees to choose predictable password patterns thereby undermining the very substance of their efforts. Frequently, a modicum of creativity permits the attackers to get into a website or an interconnected system from where they can enjoy an unrestrained control over your web assets. Keep in mind that your suppliers and software developers will likely be the primary target to get into your digital realm.
Implement Dark Web Monitoring to stay ahead the attackers and timely react to minimize the losses and reduce damages from third-party breaches, data leaks and human error. It may be a lifesaver even if you cannot control the entirety of access management in your organization.
5. Overreliance on Vulnerability Scanning and WAF
Most of the notorious companies breached in 2018 were using both automated vulnerability scanning and WAF but were nonetheless hacked losing billions of dollars and still defending a great wealth of bitter claims in national courts. Quite a lot of cybersecurity professionals still instinctively rely on automated web vulnerability scanning and default WAF configuration. Both solutions are must-have security controls also required by many security compliances such as PCI DSS, however they are largely insufficient to prevent data breaches in 2019.
Modern web applications are progressively prone to complicated vulnerabilities, involving thoughtful chain exploitation of several low-risk vulnerabilities or targeting web application business logic. Can a passenger paying for an economy class ticket get a seat in business by simple HTTP request tampering on e-booking website? What happens if a passenger claims a moneyback for the flight s/he has just canceled? Automated software will unlikely even comprehend such a flaw, let alone detecting it. Web application firewalls now actively start using machine learning to detect anomalies in web traffic, however, it requires time-consuming training and untrivial configuration that most businesses are reluctant to undertake being sufficiently busy with other priorities.
Enhance your vulnerability scanning and WAF with a regular or continuous penetration testing capable to discover advanced attack scenarios with sophisticated exploitation vectors.
Mindfully go through the five aforementioned matters with your cybersecurity team to ensure you have the necessary security controls in place. To get a general landscape of your website risks and threats, try a free GDPR compliance and website security test offered by ImmuniWeb for the community.
Latest news and insights on AI and Machine Learning for application security testing, web, mobile and IoT security vulnerabilities, and application penetration testing. 
