10 Web Threats That Could Harm Your Business

Download Dark Reading's March special issue on Web threats

SQL injections accounted for about 7% of Web attacks in 2011 and looked to be petering out, according to security services vendor Trustwave. Then last year those exploits jumped to 26% of Web attacks, hitting companies that could have easily protected themselves.

The Trustwave data proves what hackers have known for years: Even though application vulnerabilities are well known and can be fixed or blocked, many companies don't implement secure coding practices and regularly test their applications to find them. Companies that overlook such basic Web security practices have no chance against more advanced attacks, says Chris Pogue, Trustwave's director of incident response and forensics.

Input validation, where user input -- such as a search query -- is limited to simple strings, is an easy way to protect against SQL injection, but developers frequently fail to do that, Pogue says. "It's one of the things that's taught in college, and if it has made it into the university system, then it's not bleeding-edge technology," he says.

The Web presents a variety of security threats for unwary businesses, from well-known SQL injection and cross-site scripting attacks to more esoteric threats posed by Web scraping and HTML5's many features. What follows are 10 Web threats we think are particularly worrisome, either because they're becoming more popular with attackers or because security pros and developers tend to overlook them.

1. Bigger, Subtler DDoS Attacks

When IT specialists think about distributed denial-of-service attacks, they envision the most basic kind: floods of packets overwhelming a victim's network so that valid requests can't get through. But improvements in defenses have forced attackers to change the way they attack.

Packet floods have become larger, maxing out at 100 Gbps. In a six-month campaign against U.S. banks, for which a group of alleged Muslim hacktivists claimed credit, the volume of attack traffic has regularly surpassed 30 Gbps -- throughput rarely seen five years ago.

Attackers also have targeted other parts of the infrastructure. Corporate domain name service servers are a favorite target, according to domain registrar VeriSign. When attackers take DNS servers down, customers can no longer access a company's service. "It doesn't matter how much data center capacity a company has, the requests will never reach their data centers," says Sean Leach, VP of technology for VeriSign's network intelligence and availability group.

Massive DDoS attacks often mask "low-and-slow" attacks, which use specially crafted requests to cause Web applications or appliances handling specific services, such as Secure Sockets Layer communications, to quickly consume processing and memory resources. These application-layer attacks now account for about a quarter of all attacks.

"If the mega-DDoS attacks are the cavemen getting bigger clubs, [low-and-slow] attacks are like the caveman evolving, getting smarter," says Matthew Prince, CEO of Internet security company CloudFlare.

Attackers look for URLs on a target site and then make calls to the back-end database that powers the site. Frequent calls to those Web pages quickly consume a modest site's resources, says John Summers, VP of security products at Akamai Technologies. "The targeting is much better this year than in 2011," Summers says. Attackers "are doing their homework, doing reconnaissance."

It's no longer enough for companies to use an appliance to block bad traffic as it enters their networks because the router will still be overwhelmed in a low-and-slow attack. These attacks can also get through a cloud DDoS mitigation service. Instead, companies should go with a hybrid approach, using Web application firewalls, network security appliances and content distribution networks to create a layered defense that screens out unwanted traffic at the earliest possible point.

2. Old Browsers, Vulnerable Plug-Ins

Cyber attacks that account for millions of dollars a year in bank account fraud are fueled by browser vulnerabilities and, more frequently, the browser plug-ins that handle Oracle's Java and Adobe's Flash and Reader. Exploit kits bring together a dozen or so attacks on various vulnerable components and can quickly compromise a company's systems if the patches aren't up to date.

A recent version of the popular Blackhole exploit kit, for example, contained attacks for 16 vulnerabilities, including seven targeting the Java browser plug-in, five targeting the Adobe PDF Reader plug-in and two targeting Flash, according to anti-malware firm Sophos. The Sweet Orange exploit kit contains Java, PDF, Internet Explorer and Firefox exploits, according to the creator's statements that security firm Webroot discovered. "These exploit kits are really good at identifying which vulnerabilities are unpatched in the browsers that people are running," says Grayson Milbourne, Webroot's senior threat researcher.

Companies should pay attention to Oracle's Java plug-in in particular. Cybercriminals are focusing on Java because it's widely deployed but poorly patched, says Michael Sutton, VP of research at Zscaler, a security-as-a-service provider.

Only 4% of systems at companies using Zscaler's security service have the Java plug-in installed, but almost 80% of those Java plug-ins are out of date, according to the provider's data for the last quarter of 2012. Adobe's Flash and Reader plug-ins are more ubiquitous but better patched, Sutton says. "Companies haven't grasped the problem of how Java plug-ins have been abused," he says.

Patching is the most obvious way to protect against this vulnerability. A number of patch management products, such as Qualys for large companies and Secunia for small and midsize businesses, are available. Companies that want to protect against zero-day attacks (for which a patch hasn't been released) should use anti-malware software such as ValidEdge (recently acquired by McAfee) and Invincea, which runs downloaded files in a sandbox.