

10 Web Threats That Could Harm Your Business

Easily overlooked vulnerabilities can put your data and business at risk

SQL injection accounted for about 7% of Web attacks in 2011 and looked to be petering out, according to security services vendor Trustwave. Then last year it jumped to 26% of Web attacks, hitting companies that could easily have protected themselves.

The Trustwave data confirms what attackers have known for years: even though application vulnerabilities are well understood and can be fixed or blocked, many companies neither follow secure coding practices nor regularly test their applications to find them. Companies that overlook such basic Web security practices have no chance against more advanced attacks, says Chris Pogue, Trustwave's director of incident response and forensics.

Input validation, where user input -- such as a search query -- is restricted to the characters and length the application actually expects, is an easy way to blunt SQL injection (parameterized queries, which keep user data from ever being parsed as SQL, are the complete fix), but developers frequently fail to do even that, Pogue says. "It's one of the things that's taught in college, and if it has made it into the university system, then it's not bleeding-edge technology," he says.
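The following is an added example, not code from the article or from Trustwave, showing the three approaches side by side against a tautology payload: a query built by string concatenation, the same query with a bound parameter, and an allowlist validator placed in front of the parameterized query. The product table, the `internal` column, the allowed character set and the names of the functions are all assumptions made for the demo.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo catalog (not from the article): one row is not meant to be public."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, internal) VALUES (?, ?)",
        [("widget", 0), ("gadget", 0), ("internal-prototype", 1)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """The injectable pattern: the search term is glued into the SQL text, so
    quotes and operators inside it are parsed as SQL rather than treated as data."""
    sql = "SELECT name FROM products WHERE internal = 0 AND name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list[str]:
    """The complete fix: a bound parameter is only ever compared as a value."""
    sql = "SELECT name FROM products WHERE internal = 0 AND name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


# Allowlist for a search term: letters, digits, space, underscore, hyphen; 1-64 chars.
# The character set is an assumption about what this hypothetical catalog needs.
SAFE_TERM = re.compile(r"[A-Za-z0-9 _-]{1,64}")


def search_validated(conn: sqlite3.Connection, term: str) -> list[str]:
    """Input validation in front of the parameterized query: anything outside the
    expected alphabet is rejected before it reaches the database, which also keeps
    it away from other sinks (logs, HTML) further down the line."""
    if not SAFE_TERM.fullmatch(term):
        raise ValueError("search term rejected by input validation")
    return search_parameterized(conn, term)


# Classic tautology payload: closes the string literal and appends OR '1'='1'.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Runs the payload through all three variants and reports what each returned."""
    conn = make_db()
    results = {
        "vulnerable": search_vulnerable(conn, PAYLOAD),
        "parameterized": search_parameterized(conn, PAYLOAD),
    }
    try:
        search_validated(conn, PAYLOAD)
        results["validated"] = "accepted"
    except ValueError:
        results["validated"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value}")
```

The concatenated query turns `name = '' OR '1'='1'` into a condition that is true for every row, so the internal product leaks; the bound parameter compares the whole payload as a literal name and matches nothing; the validator never lets the payload reach the database at all. Validation is worth keeping as a second layer, but note that a legitimate name containing an apostrophe would be rejected by it and still handled correctly by the parameterized query alone.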

The Web presents a variety of security threats for unwary businesses, from well-known SQL injection and cross-site scripting attacks to more esoteric threats posed by Web scraping and HTML5's many features. What follows are 10 Web threats we think are particularly worrisome, either because they're becoming more popular with attackers or because security pros and developers tend to overlook them.

1. Bigger, Subtler DDoS Attacks

When IT specialists think about distributed denial-of-service attacks, they envision the most basic kind: floods of packets overwhelming a victim's network so that valid requests can't get through. But improvements in defenses have forced attackers to change the way they attack.

Packet floods have grown, with the largest now reaching 100 Gbps. In a six-month campaign against U.S. banks, for which a group of alleged Muslim hacktivists claimed credit, attack traffic regularly surpassed 30 Gbps, throughput rarely seen five years ago.

Attackers also target other parts of the infrastructure. Corporate Domain Name System (DNS) servers are a favorite target, according to domain registrar VeriSign. When attackers take a company's DNS servers down, customers can no longer resolve its hostnames, so they can no longer reach its services no matter how much capacity sits behind them. "It doesn't matter how much data center capacity a company has, the requests will never reach their data centers," says Sean Leach, VP of technology for VeriSign's network intelligence and availability group.

Massive DDoS attacks often mask "low-and-slow" attacks, which use specially crafted requests that are cheap to send but expensive to serve, tying up the processing and memory of Web applications or of appliances that handle specific services, such as Secure Sockets Layer termination. These application-layer attacks now account for about a quarter of all attacks.

"If the mega-DDoS attacks are the cavemen getting bigger clubs, [low-and-slow] attacks are like the caveman evolving, getting smarter," says Matthew Prince, CEO of Internet security company CloudFlare.

Attackers identify URLs on a target site whose handling requires heavy work from the back-end database that powers it, then request those pages over and over; a modest site's resources are quickly exhausted, says John Summers, VP of security products at Akamai Technologies. "The targeting is much better this year than in 2011," Summers says. Attackers "are doing their homework, doing reconnaissance."

An appliance that blocks bad traffic at the network edge is no longer enough on its own: a volumetric flood saturates the upstream link before the appliance ever sees the packets, and a low-and-slow attack looks enough like legitimate traffic to pass through the appliance, and often through a cloud DDoS mitigation service as well. Instead, companies should take a hybrid approach, combining Web application firewalls, network security appliances and content distribution networks into a layered defense that screens out unwanted traffic at the earliest possible point.
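Because a low-and-slow attacker sends few, small requests, a detector keyed on request count or bytes ranks them below an ordinary crawler. The added example below, which is not code from the article or from any of the vendors it quotes, scores each client by the estimated back-end cost of the URLs it requests inside a sliding time window, which is the signal Summers describes. The cost table, the window, the threshold and the access-log lines are all constructed for the demo; a real deployment would derive the costs from the application's own query timings.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r"(?P<status>\d{3}) (?P<bytes>\d+)"
)

# Hypothetical cost model: relative back-end work per request for each URL prefix.
# These numbers are assumptions for the demo, not measurements from any real site.
ENDPOINT_COST = {"/search": 50, "/report/export": 200}
DEFAULT_COST = 1


def endpoint_cost(path: str) -> int:
    for prefix, cost in ENDPOINT_COST.items():
        if path.startswith(prefix):
            return cost
    return DEFAULT_COST


def parse(line: str):
    """Returns a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = int(rec["bytes"])
    return rec


def score_clients(lines, window_seconds: int = 60, cost_threshold: int = 500) -> dict:
    """Flags clients whose summed endpoint cost inside any window exceeds the threshold.
    Returns {ip: {"requests", "bytes", "peak_cost"}} for flagged clients only."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_ip[rec["ip"]].append((rec["ts"], endpoint_cost(rec["path"]), rec["bytes"]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        peak = running = start = 0
        for ts, cost, _ in events:
            running += cost
            # Slide the window start forward until it fits within window_seconds.
            while (ts - events[start][0]).total_seconds() > window_seconds:
                running -= events[start][1]
                start += 1
            peak = max(peak, running)
        if peak > cost_threshold:
            flagged[ip] = {
                "requests": len(events),
                "bytes": sum(e[2] for e in events),
                "peak_cost": peak,
            }
    return flagged


def volume_ranking(lines) -> list:
    """The naive alternative: clients ordered by bytes served, highest first."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec:
            totals[rec["ip"]] += rec["bytes"]
    return sorted(totals, key=totals.get, reverse=True)


def _line(ip: str, second: int, path: str, nbytes: int) -> str:
    return f'{ip} - - [10/Oct/2013:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 {nbytes}'


# Constructed sample log: one client hammers the search endpoint with small responses,
# another fetches many large static files, as a crawler would.
SAMPLE_LOG = [_line("203.0.113.7", 5 * i, f"/search?q=term{i}", 512) for i in range(12)] + [
    _line("198.51.100.5", 2 * i, f"/static/img{i}.jpg", 48000) for i in range(30)
]

if __name__ == "__main__":
    print("by volume:", volume_ranking(SAMPLE_LOG))
    print("flagged:  ", score_clients(SAMPLE_LOG))
```

On the sample, the crawler tops the volume ranking with 30 requests and about 1.4 MB served, while the search client, with 12 requests and 6 KB, is the only one flagged: twelve hits on a cost-50 endpoint inside one minute exceed the threshold. Tuning the threshold from the site's real per-endpoint timings is the part that makes this usable; the structure stays the same.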

2. Old Browsers, Vulnerable Plug-Ins

Cyber attacks that account for millions of dollars a year in bank account fraud are fueled by browser vulnerabilities and, more often, by flaws in the browser plug-ins that handle Oracle's Java and Adobe's Flash and Reader. Exploit kits bundle a dozen or so exploits for various vulnerable components and can quickly compromise a company's systems if its patches aren't up to date.

A recent version of the popular Blackhole exploit kit, for example, contained exploits for 16 vulnerabilities, including seven targeting the Java browser plug-in, five targeting the Adobe PDF Reader plug-in and two targeting Flash, according to anti-malware firm Sophos. The Sweet Orange exploit kit contains Java, PDF, Internet Explorer and Firefox exploits, according to its author's own advertising, which security firm Webroot uncovered. "These exploit kits are really good at identifying which vulnerabilities are unpatched in the browsers that people are running," says Grayson Milbourne, Webroot's senior threat researcher.

Companies should pay attention to Oracle's Java plug-in in particular. Cybercriminals are focusing on Java because it's widely deployed but poorly patched, says Michael Sutton, VP of research at Zscaler, a security-as-a-service provider.

Only 4% of systems at companies using Zscaler's security service have the Java plug-in installed, but almost 80% of those Java plug-ins are out of date, according to the provider's data for the last quarter of 2012. Adobe's Flash and Reader plug-ins are more ubiquitous but better patched, Sutton says. "Companies haven't grasped the problem of how Java plug-ins have been abused," he says.

Patching is the most obvious defense against these attacks, and patch management products exist for every size of company, such as Qualys for large enterprises and Secunia for small and midsize businesses. Companies that also want protection against zero-day exploits, for which no patch yet exists, should look at products such as ValidEdge (recently acquired by McAfee) and Invincea, which run downloaded files in an isolated sandbox so that an exploit detonates there rather than on the user's system.
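The Zscaler figures above are exactly what an internal audit of the plug-in inventory should produce for your own fleet. The added example below is not code from the article or from Zscaler: it parses Java's `1.major.0_update` version strings, compares each against a minimum patched update level per release family, treats any family absent from the baseline as end-of-life and therefore unpatched, and reports the share of Java installations that are stale. The baseline numbers and the inventory records are assumptions constructed for the demo; take the real minimums from the current vendor advisory.

```python
import re

# Matches strings such as "1.7.0_11" or "1.7.0_15-b03" (the update may be absent).
JAVA_VERSION_RE = re.compile(
    r"^(?P<family>1\.\d+)\.(?P<maint>\d+)(?:_(?P<update>\d+))?(?:-\S+)?$"
)

# Hypothetical baseline: minimum update level considered patched for each Java family.
# Placeholder values for the demo, not vendor data.
PATCHED_BASELINE = {"1.6": 38, "1.7": 13}


def parse_java_version(s: str) -> tuple:
    """Returns (family, update), e.g. ("1.7", 11) for "1.7.0_11"."""
    m = JAVA_VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognized Java version string: {s!r}")
    return m.group("family"), int(m.group("update") or 0)


def is_out_of_date(version: str, baseline=PATCHED_BASELINE) -> bool:
    family, update = parse_java_version(version)
    if family not in baseline:
        return True  # family no longer receives fixes: always stale
    return update < baseline[family]


def audit(inventory, baseline=PATCHED_BASELINE) -> dict:
    """Summarizes Java plug-in exposure across an inventory of (host, plugin, version)."""
    java_hosts = [r for r in inventory if r["plugin"] == "java"]
    stale = [r["host"] for r in java_hosts if is_out_of_date(r["version"], baseline)]
    total = len(inventory)
    return {
        "hosts": total,
        "java_hosts": len(java_hosts),
        "java_share": len(java_hosts) / total if total else 0.0,
        "stale_hosts": stale,
        "stale_share": len(stale) / len(java_hosts) if java_hosts else 0.0,
    }


# Constructed inventory for the demo: ten workstations, half with the Java plug-in.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "plugin": "java", "version": "1.7.0_11"},
    {"host": "ws-02", "plugin": "flash", "version": "11.5.502.149"},
    {"host": "ws-03", "plugin": "java", "version": "1.7.0_13"},
    {"host": "ws-04", "plugin": "java", "version": "1.6.0_37"},
    {"host": "ws-05", "plugin": "reader", "version": "11.0.1"},
    {"host": "ws-06", "plugin": "java", "version": "1.5.0_22"},
    {"host": "ws-07", "plugin": "flash", "version": "11.5.502.149"},
    {"host": "ws-08", "plugin": "java", "version": "1.7.0_15-b03"},
    {"host": "ws-09", "plugin": "reader", "version": "11.0.1"},
    {"host": "ws-10", "plugin": "flash", "version": "11.5.502.149"},
]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    print(f"Java on {report['java_share']:.0%} of hosts; "
          f"{report['stale_share']:.0%} of those are out of date: {report['stale_hosts']}")
```

The end-of-life rule matters in practice: a host still carrying a Java 5 plug-in will never match a current advisory, and a comparison that only checks update numbers within known families would silently pass it.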

[Figure: Trustwave Global Security Report, "Real Risks"]

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
