There are many ways attackers can get at your website and data, but in many of the most recent major data breaches the weakest link, and the entry point, has been a vulnerable web application. Despite this, many companies still underestimate the importance of web application security in their cybersecurity and risk management strategy.
According to PwC’s Global State of Information Security Survey 2016, in 2015 companies detected 38 percent more security incidents than in 2014. The Risk Based Security Q3 2015 Data Breach Report highlights a 29 percent increase in the number of incidents reported compared to the previous year, and a 40 percent increase in the number of incidents exposing 1 million or more records.
Today, the vast majority of Advanced Persistent Threats (APTs) gain their first foothold inside target companies by sending a few emails. Ten years ago, people were less cautious and more likely to click on a link in an email or open an executable file from an attachment. Today users are much better educated, and this is why modern APTs start with your corporate website, even if it holds no sensitive information and is hosted on the other side of the world.
Instead of sending you a link to a phishing domain (e.g. a domain name containing a typo), or to a newly registered website in a shady TLD zone that your corporate email gateway will quite probably block, attackers would rather send you a link to… your own website.
First of all, the attackers will compromise your corporate website or one of your web applications (e.g. one hosted on a subdomain, or on another domain your company owns). As many companies still believe that their websites do not deserve more sophisticated protection than automated vulnerability scanning and a web application firewall (WAF), attackers will probably get in within a couple of hours, or even quicker.
Once your website is under their control, the attackers will create a legitimate-looking page on it that resembles any other page on your website, with similar content, leaving you none the wiser when you visit it. On that page they will host a recent exploit pack, the most expensive of which would cost them just a few thousand dollars on the black market.
Finally, an email will arrive from a legitimate-looking address on a legitimate domain, from a person you may have briefly met in the past, containing a link to your own authentic website, which is quite probably whitelisted in your corporate IPS/IDS. The content of the email will be relevant enough to make you click on the link in nine out of ten cases. Once clicked, one of the recent vulnerabilities in your browser, its plugins or components (e.g. Flash) will be exploited to execute arbitrary code, quite probably successfully. Now your machine is under the attacker’s control. A local privilege escalation exploit will help them gain local admin rights, and the intrusion will spread to all reachable machines and hosts in the same segment of your local network (assuming your network is segmented at all).
Further intrusion to your corporate network will be quite probably quick and easy, as internal penetration testing is often considered “useless” or economically unjustified – fair enough, but only if you don’t let attackers get into your network from the outside, and have properly implemented patch management (including patches for third-party software), access control and user segregation.
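The chain above hinges on one step a defender can watch for directly: a page or script that was never deployed appearing in, or being edited into, the web root. The following is an added example, not code from the original article or from High-Tech Bridge; it takes a SHA-256 baseline of a web root and reports files that were added, removed or modified since the baseline, using a constructed temporary directory as sample input. Paths and file contents are assumed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(webroot: Path) -> dict:
    """Map every file under webroot (path relative to webroot) to its digest."""
    result = {}
    for entry in sorted(webroot.rglob("*")):
        if entry.is_file():
            result[entry.relative_to(webroot).as_posix()] = hash_file(entry)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare a stored baseline with a fresh snapshot.

    'added' is the interesting list for the scenario in the article: a page
    nobody deployed is exactly what a planted landing page looks like.
    'modified' catches an existing page that gained an injected script tag.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed web root, baseline it, change it, and diff.

    The changes are a constructed sample: one new page and one edited page.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Example Corp</h1>\n")
        (root / "news").mkdir()
        (root / "news" / "2015-results.html").write_text("<p>Annual results</p>\n")
        baseline = snapshot(root)

        # Constructed post-baseline changes (hypothetical file names).
        (root / "news" / "2016-update.html").write_text("<p>New page</p>\n")
        (root / "index.html").write_text(
            "<h1>Example Corp</h1>\n<script src=\"extra.js\"></script>\n"
        )
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

In practice the baseline would be written at deployment time and stored off the web server, and the comparison run from a scheduled job, so that a change made through a compromised application shows up as an unexplained entry rather than silently becoming part of the site.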
To find out more about web application vulnerabilities, read the second part of this article, The five most common web application mistakes.
About the author
Ilia Kolochenko is CEO of information security and computer forensics company High-Tech Bridge. Prior to establishing High-Tech Bridge in 2007, Ilia worked as an IT security expert and manager with various financial institutions in Switzerland, including the World Bank, implementing complex IT security projects.