Stem the Tide of Web Application Attacks

Web application security continues to plague organizations across all industry sectors. Hackers have learned that most websites have some type of vulnerability, and they have learned to exploit them. In fact, the 2017 Trustwave Global Security Report found that 99.7 percent of web applications have at least one vulnerability.

The top three types of web application attacks are SQLi (SQL injection), LFI (local file inclusion) and XSS (cross-site scripting), according to Akamai research. Akamai predicts these types of attacks will continue to cause problems, not only because they usually target unprotected websites, but also because organizations often don't actively block these types of traffic.

  • Cross-site Scripting: These attacks remain prevalent across all industry sectors. Hackers look for vulnerabilities that let them inject malicious payloads or scripts into websites and web applications. One type of XSS launches when a user views a page that has been compromised; the other, reflected cross-site scripting, launches when a user clicks a malicious link. The potential damage from both kinds of attack can be severe: hackers can access user accounts, impersonate the users, and steal their sensitive information.
  • SQL Injection: Hackers insert crafted SQL statements into a web application input field that feeds a database query, which can let them read the contents of the database or add, change, or delete records. These attacks are relatively easy to pull off, especially against unsecured databases, and the results can be catastrophic. In many cases, even a small SQL injection attack can bring a database or web server to its knees.
  • Local File Inclusion: Including local files is a normal feature of the server-side scripting languages developers use to organize web code. Problems occur when hackers find a way to upload a malicious script to an organization's server and have it included and executed locally. The result can be access to restricted directories or remote code execution, after which attackers can run code on the server from anywhere in the world with whatever privileges the server's user account holds.
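The three bullets above describe the failure and the consequence but not the code pattern behind each. The following is an added example, not code from the article or from any product, showing the vulnerable form of each pattern next to its hardened form: a concatenated SQL statement versus a parameterised one, raw HTML interpolation versus output encoding, and an unchecked include path versus one confined to its directory. It uses only the Python standard library; the user rows are constructed sample data and `TEMPLATE_DIR` is a hypothetical path that does not need to exist.

```python
"""Vulnerable and hardened handling of the three attack classes listed
above: SQL injection, cross-site scripting and local file inclusion.

Added, hypothetical example using only the Python standard library; it
is not code from the article or from any product. The database is an
in-memory SQLite instance seeded with constructed rows, and
TEMPLATE_DIR is a made-up path that need not exist.
"""
import html
import sqlite3
from pathlib import Path

# --- SQL injection ----------------------------------------------------

def make_db():
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret-a"), ("bob", "s3cret-b")])
    return conn

def lookup_vulnerable(conn, name):
    """Builds the statement by string concatenation, so text typed into
    the form becomes part of the SQL grammar: a quote followed by
    OR '1'='1 turns a one-row lookup into a dump of the whole table."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, name):
    """Parameterised query: the value travels separately from the
    statement, so the same input is only an unusual, non-matching name."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()

# --- Cross-site scripting ---------------------------------------------

def render_vulnerable(comment):
    """Interpolates user text straight into the page; a stored or
    reflected script payload then runs in every viewer's browser."""
    return "<p>" + comment + "</p>"

def render_hardened(comment):
    """Output encoding for an HTML text context: <, >, &, " and ' become
    entities, so the browser shows the text instead of parsing markup."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"

# --- Local file inclusion ---------------------------------------------

TEMPLATE_DIR = Path("/srv/app/templates")  # hypothetical include root

def include_vulnerable(page):
    """Joins the request parameter onto the include root unchecked;
    '..' components walk out of the intended directory."""
    return TEMPLATE_DIR / page

def include_hardened(page):
    """Resolve the candidate path and insist it stays below the include
    root; traversal and absolute paths are rejected before any open()."""
    root = TEMPLATE_DIR.resolve()
    candidate = (TEMPLATE_DIR / page).resolve()
    if root not in candidate.parents:
        raise ValueError("requested file is outside the template directory")
    return candidate

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(db, probe))   # both rows
    print("hardened lookup:  ", lookup_hardened(db, probe))     # []
    print(render_hardened("<script>alert(1)</script>"))
    print(include_vulnerable("../../etc/passwd"))
    try:
        include_hardened("../../etc/passwd")
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened versions share one principle: untrusted input is kept as data (a bound parameter, encoded text, a path checked after resolution) rather than spliced into a language the server then interprets (SQL, HTML, a filesystem path). A web application firewall in front of the site adds a second line of defence, but these fixes are what remove the vulnerability.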

Web application vulnerabilities like these are top-of-mind for all industries, and government agencies are no exception. An October 2016 memorandum from the U.S. Office of Personnel Management (OPM), for example, detailed the results of a web application security review. It concluded that the agency should focus on improving its policies, procedures, and controls surrounding public-facing web applications. Specific recommendations included creating a formal web application inventory, improving policies and procedures to address web application development and security, and implementing a comprehensive web application vulnerability scanning program.

Agencies like OPM are on the right track. Every organization should deploy a strong web application firewall that performs deep inspection of every request and response for all common types of web traffic and identifies, isolates, or blocks abnormal or malicious traffic. A comprehensive web application firewall should also provide real-time visibility into security events, let administrators drill down into attack alerts, and let the organization integrate firewall information and event logs with its other security information to improve awareness of its threat posture.
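To make "deep inspection of every request" concrete, here is an added example of the inspection pipeline a web application firewall runs, written for this page and not taken from any vendor's product or rule set: normalise the request target, match it against a rule per attack class named above, and either alert or block. The request lines and the three rules are constructed and deliberately small; real firewalls use far larger, scored rule sets such as the OWASP ModSecurity Core Rule Set. The example goes one step beyond the text by decoding repeatedly, because a payload percent-encoded twice is not caught by a plain-text rule unless inspection undoes the encoding first.

```python
"""Toy request inspector showing what a web application firewall does
with each request: normalise it, match it against rules for the three
attack classes the article names, then alert or block.

Added, hypothetical example, not any vendor's product or rule set. The
request lines below are constructed. Real WAFs use far larger, scored
rule sets (the OWASP ModSecurity Core Rule Set, for instance); the
point here is the pipeline, including the decoding step without which
a percent-encoded payload slips past a plain-text pattern.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote_plus

# Deliberately small signatures, one per attack class in the article.
RULES = {
    "sqli": re.compile(
        r"['\"]\s*(or|and)\s+['\"]?\w+['\"]?\s*=|union\s+select|;\s*(drop|delete|insert)\b",
        re.I),
    "xss": re.compile(r"<\s*/?script\b|javascript:|\bon\w+\s*=", re.I),
    "lfi": re.compile(r"\.\.[/\\]|/etc/passwd|php://", re.I),
}

# Constructed request lines, as they might appear in an access log.
SAMPLE_REQUESTS = [
    "GET /search?q=network+firewall HTTP/1.1",                        # benign
    "GET /login?user=x%27%20OR%20%271%27%3D%271 HTTP/1.1",            # SQLi
    "GET /comment?text=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",   # XSS
    "GET /page?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1",                 # LFI
    "GET /page?file=%252e%252e%252fetc%252fpasswd HTTP/1.1",          # LFI, double-encoded
]

@dataclass
class Verdict:
    request: str
    category: Optional[str]   # "sqli", "xss", "lfi" or None
    action: str               # "allow", "alert" or "block"

def normalise(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing (bounded), so a
    double-encoded payload is matched in the same form as a plain one."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(request_line: str) -> Optional[str]:
    """Return the first rule category that matches the decoded target."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else request_line
    text = normalise(target)
    for category, pattern in RULES.items():
        if pattern.search(text):
            return category
    return None

def inspect(request_line: str, mode: str = "block") -> Verdict:
    """mode='monitor' only raises alerts, the usual first deployment
    stage while rules are tuned; mode='block' drops matching requests."""
    category = classify(request_line)
    if category is None:
        return Verdict(request_line, None, "allow")
    return Verdict(request_line, category, "block" if mode == "block" else "alert")

def run(lines: List[str], mode: str = "block") -> List[Verdict]:
    """Inspect a batch of request lines and return one verdict each."""
    return [inspect(line, mode) for line in lines]

if __name__ == "__main__":
    for verdict in run(SAMPLE_REQUESTS):
        print(f"{verdict.action:5} {verdict.category or '-':4} {verdict.request}")
```

Running the block prints one verdict per sample line: the benign search is allowed and the other four are blocked, with the double-encoded request caught only because `normalise` decodes it twice. The `monitor` mode corresponds to the article's point that organizations often identify this traffic without blocking it; moving from alert to block is the configuration step that closes that gap once false positives have been tuned out.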

While there are many effective on-premises firewalls, more organizations are moving to a cloud-based approach. With a cloud-based web application firewall, agencies don't have to buy and maintain hardware, worry about upgrades and patches, or hire and train cybersecurity professionals to run and monitor the firewall. Today's cloud-based web application firewalls block both DDoS and web application attacks, are easy to configure, and are managed automatically. They are also easy to reconfigure and scale as requirements evolve.