How secure is your company?
Security is very important for websites, because of the obvious increase of web-based attacks and security threats. The investment involved in ensuring that data is secure has increased tremendously but security web apps make it easy to respond to attacks in seconds without any slowing down of the site. Security web apps ensure the safety of your financial information from common web threats no matter what platform you use in accessing the site
Attacks on web apps
Critical business functions are dependent on IT applications and most of them are web-based. However, there has been a substantial increase in vulnerabilities of web-based apps that impacts on both the business and the consumer. The business is financially impacted while the privacy of the end user is violated. 75% of attacks are now focused on web applications which require well-managed firewalls to provide sufficient security for a website. Web apps have their vulnerabilities because of the complex ways with which they are created. Usually a web app is composed of a mixture of codes and the integration of a multiple other applications that increases the potential points of vulnerability. In a recent study done by penetration testers, approximately 95% of web apps have some sort of vulnerability which requires strong security control over the IT applications and other associated processes
Counter-measures to security attacks
Intruders can be dissuaded from attacking web applications by forcing them to make incorrect assumptions by removing the signatures of technology platforms like the file extensions in HTTP, the TCP/IP window size and services that are running on IP/port combinations. A leeching attack on the other hand can impact on the bandwidth and responsiveness of your site. The solution to these leeching attacks includes the referrer checking through “time-limited” or “sessionized” URLs. It is also important to ensure that requests for file resources of the site are indeed from a web user that is on your site and not another site that is deep-linked to the file resources.
Undesired use of website content can be blocked using IP access control. While it can limit your audience, you can minimize the vulnerability of your website and web apps
Attack Types
The following Attack Types were the primary ones considered when developing the Critical Security Controls. Each is listed with the most relevant and direct Critical Security Controls (by number) to help block, detect, or manage this problem
| Attack Summary | ||
| 1 | Attackers continually scan for new, unprotected systems, including test or experimental systems, and exploit such systems to gain control of them. | |
| 2 | Attackers distribute hostile content on Internet-accessible (and sometimes internal) websites that exploit unpatched and improperly secured client software running on victim machines. | |
| 3 | Attackers continually scan for vulnerable software and exploit it to gain control of target machines. | |
| 4 | Attackers use currently infected or compromised machines to identify and exploit other vulnerable machines across an internal network. | |
| 5 | Attackers exploit weak default configurations of systems that are more geared to ease of use than security. | |
| 6 | Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are vulnerable because they lack continuous vulnerability assessments and effective remediation. | |
| 7 | Attackers compromise target organizations that do not exercise their defenses to determine and continually improve their effectiveness. | |
| 8 | Attackers use malicious code to gain and maintain control of target machines, capture sensitive data, and then spread it to other systems, sometimes wielding code that disables or dodges signature-based anti-virus tools. | |
| 9 | Attackers scan for remotely accessible services on target systems that are often unneeded for business activities, but provide an avenue of attack and compromise of the organization. | |
| 10 | Attackers exploit weak application software, particularly web applications, through attack vectors such as SQL injection, cross-site scripting, and similar tools. | |
| 11 | Attackers exploit wireless access points to gain entry into a target organization’s internal network, and exploit wireless client systems to steal sensitive information. | |
|
Attackers exploit users and system administrators via social engineering scams that work because of a lack of security skills and awareness. | |
| 13 | Attackers exploit and infiltrate through network devices whose security configuration has been weakened over time by granting, for specific short-term business needs, supposedly temporary exceptions that are never removed. | |
| 14 | Attackers trick a user with an administrator-level account into opening a phishing- style e-mail with an attachment or surfing to the attacker’s content on an Internet website, allowing the attacker’s malicious code or exploit to run on the victim machine with full administrator privileges. | |
| 15 | Attackers exploit boundary systems on Internet-accessible DMZ networks, and then pivot to gain deeper access on internal networks. | |
| 16 | Attackers exploit poorly designed network architectures by locating unneeded or unprotected connections, weak filtering, or a lack of separation of important systems or business functions. | |
| 17 | Attackers operate undetected for extended periods of time on compromised systems because of a lack of logging and log review. | |
| 18 | Attackers gain access to sensitive documents in an organization that does not properly identify and protect sensitive information or separate it from non-‐ sensitive information. | |
| 19 | Attackers compromise inactive user accounts left behind by temporary workers, contractors, and former employees, including accounts left behind by the attackers themselves who are former employees. | |
| 20 | Attackers escalate their privileges on victim machines by launching password guessing, password cracking, or privilege escalation exploits to gain administrator control of systems, which is then used to propagate to other victim machines across an enterprise. | |
| 21 | Attackers gain access to internal enterprise systems and gather and exfiltrate sensitive information without detection by the victim organization. | |
| 22 | Attackers compromise systems and alter important data, potentially jeopardizing organizational effectiveness via polluted information. | |
| 23 | Attackers operate undiscovered in organizations without effective incident-‐ response capabilities, and when the attackers are discovered, the organizations often cannot properly contain the attack, eradicate the attacker’s presence, or recover to a secure production state.
Source: SANS 20 Critical controls Council On Cyber Security |
