If you’ve been living off the grid or hunkered down to avoid the wrath of mother nature, you might have missed the big news from last week. Equifax, one of the big 3 credit reporting entities in the United States, reported a security breach of epic proportions.
The breach involved Personally Identifiable Information (PII) for roughly 143 million people in the US alone, or nearly one in every two people. Data lost included names, birth dates, and addresses, but also extended to social security numbers, credit card numbers, and in some cases driver’s license numbers.
To exacerbate the problem, Equifax’s handling of the response and notification has also left consumers and experts alike concerned about its ability to address the issue. In fact, the incident is so severe, and the management of it so questionable, that the House Financial Services Committee will be holding hearings to gain a better understanding of what this means to consumers and the country.
What might be the most damning, however, is how the breach occurred. Currently, signs point to Equifax having fallen victim to one of the most common security vulnerabilities known – a SQL injection.
Yet, while a company entrusted with the wealth of personal information that Equifax had stored on consumers should have taken greater precautions, hacks like these are called common for a reason. Many companies fall prey to them. Others don’t even know they should be testing for them. And still more rely on a single point of failure – a developer – to be the one holding back the tide of hackers trying to get at your company’s data.
So, what are the most common web vulnerabilities your company should be looking for? And how do you effectively, and consistently, ensure the security of your data?
Top 5 Common Web Vulnerabilities
While not a complete list, these are some of the most common – and therefore, serious – vulnerabilities in web applications.
Authentication Issues and Session Management
HTTP does not provide user authentication or session tracking, so web applications must handle these themselves. Developers must therefore be vigilant and ensure that session data is encrypted at all times; otherwise it gives hackers the opportunity to hijack a user’s active session.
Cross-site Request Forgery
With a cross-site request forgery, a third-party site attempts to make requests to a web application that the user is already authenticated to, such as social media sites, financial institutions (banks, credit card sites), and email clients. Once such a request succeeds, the malicious site can access functionality on the authenticated site, wreaking havoc on bank accounts and through email.
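One way to make the forged request above fail, as an added example that is not code from the original post: a per-session synchronizer token that the legitimate form embeds and the server checks, combined with an Origin check and a session cookie marked HttpOnly, Secure and SameSite. The origin `https://bank.example`, the in-memory session store and the request dictionaries are constructed assumptions standing in for a real framework.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret; in a real deployment it comes from a secrets store.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed in-memory session store: session id -> per-session CSRF secret.
SESSIONS = {}

ALLOWED_ORIGIN = "https://bank.example"  # assumed origin of this application


def start_session():
    """Create a session and give it its own random CSRF secret (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def csrf_token(sid):
    """Token bound to one session; the legitimate form embeds it in a hidden field."""
    return hmac.new(SERVER_SECRET, SESSIONS[sid], hashlib.sha256).hexdigest()


def session_cookie(sid):
    """Set-Cookie value: HttpOnly blocks script access, Secure forces HTTPS,
    SameSite=Lax stops the browser attaching the cookie to cross-site POSTs."""
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def is_valid_state_change(request):
    """Accept a state-changing POST only when it carries this session's token
    and the browser reports our own origin. A third-party page cannot read the
    token out of our form, so its forged request fails here."""
    sid = request.get("cookies", {}).get("session")
    if sid not in SESSIONS:
        return False
    if request.get("headers", {}).get("Origin") != ALLOWED_ORIGIN:
        return False
    submitted = request.get("form", {}).get("csrf_token", "")
    if not submitted.isascii():  # compare_digest requires ASCII str
        return False
    return hmac.compare_digest(submitted, csrf_token(sid))
```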
Insufficient Access Control
With the complexity of the applications that make up a web application ecosystem, it’s important that users and processes have only the minimum access they need to get their intended tasks done. Unfortunately, either because of a lack of training or because systems allow access to more data than is needed, processes and accounts may be able to see data or perform actions that they shouldn’t have access to. Because of this, a malevolent user, or someone who has taken over a user or process account, can perform harmful actions that they otherwise shouldn’t be able to.
XSS – Cross-Site Scripting
Validation of user-submitted data is an important part of the security of your application. In a cross-site scripting attack, client-side scripts are injected into a site and execute on dynamically generated pages. User-supplied data is a point of risk if the information isn’t validated. As a result, users can be redirected to a malicious site that looks like the original, or their sessions can be hijacked.
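The two defenses the paragraph above implies, as an added example that is not code from the original post: HTML-encoding untrusted fields before they land in a dynamically generated page, and restricting a redirect target so a user cannot be bounced to a look-alike site. The comment text and the `next` parameter values are constructed samples; `evil.example` is a placeholder.

```python
import html
from urllib.parse import urlsplit

# Constructed sample of what an attacker-controlled user could submit through a form.
SAMPLE_COMMENT = '<script>document.location="https://evil.example"</script>Nice post'


def render_comment(author, body):
    """Encode untrusted fields before placing them in element content, so the
    browser shows a script tag as text instead of executing it. Escaping is
    context-specific: this is correct for element content and quoted attributes,
    not for inserting into a <script> block or a URL."""
    return (f'<div class="comment"><b>{html.escape(author, quote=True)}</b>: '
            f'{html.escape(body, quote=True)}</div>')


def safe_redirect_target(next_param, default="/"):
    """Allow only same-site relative paths as a post-login redirect target.
    Absolute URLs, scheme-relative '//host' forms and backslash variants
    (which some browsers normalise to '/') all fall back to the default."""
    if not next_param or not next_param.startswith("/"):
        return default
    if next_param.startswith("//") or "\\" in next_param:
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return default
    return next_param
```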
SQL Injection
It’s believed that a SQL injection is what was used in the Equifax breach. Like a cross-site scripting vulnerability, SQL injection can occur when data coming into the site is not validated. In these cases, user-supplied data is entered into a web application, and without data validation, malicious SQL queries and commands can be passed directly to the database. Equifax isn’t the only large company that has fallen victim to a SQL injection attack. The PlayStation breach of 2011 was also caused by SQL injection.
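The defect described above beside its hardened form, as an added example that is not code from the original post: a lookup that splices form input into the SQL text, the same lookup with the value bound as a parameter so the database treats it as data, and a shape check on the input as a second layer. The customer table, the rows in it and the SSN fragment column are constructed sample data.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a real customer record store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, ssn_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "alice", "1234"), (2, "bob", "5678"), (3, "carol", "9012")])
    return conn


def lookup_vulnerable(conn, name):
    """The defect: untrusted input becomes part of the SQL text, so a quote in the
    input changes the query the database actually runs. Kept only to show the
    behaviour; never use this pattern."""
    sql = f"SELECT name, ssn_last4 FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound as a parameter, so whatever it contains
    is compared literally against the column and never parsed as SQL."""
    return conn.execute(
        "SELECT name, ssn_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


# Defence in depth: restrict the shape of the form field before it reaches the
# query layer. Apostrophes stay allowed (O'Brien) because binding, not
# character stripping, is what makes the query safe.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")


def is_valid_name(name):
    """True when the input looks like a name; reject anything else at the edge."""
    return NAME_RE.fullmatch(name) is not None
```

The test input below is the standard check a developer runs to confirm the defect: the vulnerable lookup returns every row, the parameterized one returns none.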
Strategies for Protecting Your Data from Common Web-based Threats
The good news is that most of the common attacks are easily taken care of with education, testing, and consistency.
Developers, system administrators, and security staff should be well-trained in best practices for web application security. Knowing when encryption should be applied to data, and how to minimize exposure of data through access control, can reduce system exposure to outside entities.
Education can also help ensure that data cannot be injected into the site through foreign scripts or malicious SQL code passed through web application form elements. When developers are taught to restrict form inputs and validate data, at least one attack vector is minimized.
But the entire burden shouldn’t be placed on the shoulders of the developers. When application testing is done, boundary testing – in other words, testing beyond the expected use of an application – can identify areas of potential vulnerability.
Beyond the areas of education and standards, though, regular full site testing can be invaluable. Penetration testing on applications that have access to sensitive data can inform improvements that need to be performed to secure your site. While internal teams can perform regular penetration tests, periodic testing and security audits by an outside partner can provide invaluable insights that might otherwise be overlooked.
Simple oversights in web application security can have devastating results, as the Equifax breach has shown. A common vulnerability can be easily exploited by hackers and cause life-altering effects on millions. But even if your company doesn’t deal with the same level of sensitive data, you have a responsibility to your users and the enterprise to protect the data stored on your systems. Vigilance, education, and awareness are the greatest tools at your disposal to protect your organization from outside attacks.