Coming into 2018, security professionals expected to see a continued increase in the use of websites as a means of infecting user workstations, according to a recently released report from Positive Technologies. The prediction has proven true. Websites increasingly are becoming the target of attacks, largely because of coding issues in web applications. These flaws leave the websites of banks, government agencies, IT organizations and healthcare companies vulnerable to attack, with their web apps being prime targets for financially motivated hackers.
Using the trends of 2017 to forecast the likelihood of threats in 2018, Web Application Attack Statistics found that the IT industry was a growing target given the proliferation of its interwoven customer base. Some of the report’s other predictions have already come to fruition, particularly in government and education. Because there is an inherent trust that users have in accessing government websites, they are highly attractive targets for cybercriminals.
When users feel they are accessing a trusted site, they let their guards down. Users often pay less attention to suspicious activity when on a government websites. The research analyzed data from the comprehensive security assessments of 23 web applications tested in 2017 and found cross-site scripting, which targets users, made up almost one-third of the attacks. Other popular attacks involved the ability to access data or execute commands on the server: SQL injection, path traversal, local file inclusion, remote code execution and OS commanding.
As far as the forecasts go, hackers are largely living up to industry expectations. The 2018 predicted an increase in government attacks, particularly in Brazil and Mexico. Halfway through 2018, a DDoS attack took a Mexican campaign website offline, arousing fears that hackers might do more damage on or before their July 1 election. Denial-of-service attacks often can be smokescreens for more malicious attacks that actually infect computers with malware, which was the case in Tennessee with an attack on a Knox County election commission website.
“Government websites can be hacked in cyberwarfare to give credibility to incendiary materials: fake news planted on the official website of a Ministry of Foreign Affairs can trigger a diplomatic row and put a strain on international relationships,” according to the report.
No sector is without risk, though. The review revealed that all the web apps tested contained vulnerabilities with 44 percent of them unprotected against unauthorized access. In 17 percent of those apps, an attacker could gain full control. Financially motivated attackers are known to target banks and because banking applications hold the possibility of profit.
“Web applications are a weak spot in bank security. Therefore attackers continue to target bank sites in order to penetrate internal infrastructure and steal money via banking systems,” the report said.
Education and Health Care
Increasingly, students are becoming the insider threats for the education sector, with a growing number of brazen individuals attacking their school’s website in an attempt to either augment their own grades or make changes to the grades of other students. Gaining control of a web application, these technically sophisticated youngsters “try to either alter their grades in electronic gradebooks or obtain access to exam materials,” according to the attack statistics report.
A common denominator that government and education share with the healthcare industry is the assumed trustworthiness of their websites. With health care in particular, “the users of these websites are unlikely to know the basics of how to stay safe online.”
Mitigating the Risks
For organizations to detect vulnerabilities in their web apps, they need comprehensive security strategies, but evidence shows that hackers often still have the upper hand as they stay abreast of zero-day vulnerability reporting to exploit those attacks before the flaw can be fixed.
“The time between a vulnerability being published and attempts to exploit it in 2017 was as little as three hours. Software developers might have no chance to remediate the vulnerability and release patches before attacks start,” the report said.
The security industry has seen a shift, moving from a primary focus on prevention to building better detection and response strategies. But that doesn’t mean prevention tools don’t have a place in securing today’s digital enterprise. Web application firewalls (WAFs) are effective security tools that protect against known attacks and can even detect attempts at zero-day exploits. When all the tools of the security ecosystem work in harmony with each other, security professionals are better equipped at identifying attacks.