
Web apps under siege

By Admire Moyo, ITWeb's news editor.
Johannesburg, 12 May 2011

Web applications have become the dominant source of information security risk in many organisations, and attackers have shifted their attention to exploiting software vulnerabilities in those applications.

This was shared by Paul van Woudenberg and Theo van Niekerk of ThinkSmart Information Systems and Security, speaking at the ITWeb Security Summit at the Sandton Convention Centre yesterday.

Van Woudenberg explained that though reports on application attacks vary, the most recent ones agree that more than 80% of attacks perpetrated today are against Web applications.

According to the 7Safe UK Security Breach Investigations Report, he said, 86% of all attacks exploited a weakness in a Web interface.

He also made reference to the Privacy Rights Clearinghouse report which found that in 2009, 93% of all data breaches concerned compromised databases or applications.

“The latest Verizon Data Breach Investigations Report for 2010 shows that 92% of the data breaches stemmed from external agents, 50% of the attackers utilised some form of hacking, and 92% of attacks were not highly difficult.”

Simply put, Van Woudenberg added, attackers follow the money, and their attack tools have become industrialised as a result. “They are also motivated, organised, patient and persistent - they have much more time than pen testers.

“They may also have your source code, or could be inside your company.”

Describing how attackers work, he said they first perform reconnaissance on the target systems and identify vulnerabilities. They then select exploits for those vulnerabilities, execute them and fully compromise the system, he added.

He therefore called on organisations to put a detection strategy in place: define attack detection points in the application; define a tolerance for suspicious events; keep track of failures and their severity; and respond to attacks that exceed that tolerance and the organisation's risk thresholds.

“You will be blind to what is happening in your applications if the system does not participate in monitoring and response,” noted Van Woudenberg.

In the face of the mounting attacks, Van Niekerk said securing applications is key to sound information security in modern organisations.

“Protection is only the beginning - you will only know if your protection is working if you monitor it. You need to respond when things start to go wrong,” said Van Niekerk.

He also said information security systems need monitoring. “You need to observe and check the progress or quality of the system over a period of time and keep it under systematic review.

“Make your applications attack-aware; detect and log application security events; some responses may be automated,” he said. “Detection and logging must be designed into your application as part of the SDLC process.

“Start small; build detection points in the critical parts of your applications and focus on those areas that keep your CEO awake at night like transaction processes, and also be conservative with automated responses.”
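The two speakers describe the same design: detection points built into the critical parts of an application, a per-user record of failures and their severity, a tolerance threshold, and an automated response that is only taken once the tolerance is exceeded. The following Python sketch is an added example, not code from the presentation or from ITWeb, showing one way to wire that together. Every name, severity weight, threshold and sample event in it is an assumption made for illustration; the detection points are modelled on the kind of checks a transaction-processing application could make.

```python
"""Attack-aware application: detection points, tolerance and automated response.
Added example, not code from the talk or from ITWeb; every name, weight,
threshold and sample event below is an assumption made for illustration."""
from collections import defaultdict, deque
from enum import Enum
import time


class Severity(Enum):
    LOW = 1      # ordinary user error is common here (mistyped password)
    MEDIUM = 3   # needs a deliberate deviation from what the UI sends
    HIGH = 5     # only a tampered or forged request can trigger this


# Assumed detection points for a transaction-processing application.
DETECTION_POINTS = {
    "AUTH_FAIL": Severity.LOW,            # failed login
    "UNEXPECTED_PARAM": Severity.MEDIUM,  # parameter the form never sends
    "TAMPERED_AMOUNT": Severity.HIGH,     # amount differs from the server-side quote
    "FORCED_BROWSE": Severity.HIGH,       # request for another user's resource
}


class Response(Enum):
    LOG = "log"          # record only
    WARN = "warn"        # record and flag for analyst review
    STEP_UP = "step_up"  # force re-authentication before continuing
    LOCK = "lock"        # disable the account: the only destructive response


class AttackMonitor:
    """Keeps per-user detection events and maps their weighted score to a response."""

    def __init__(self, window_seconds=600, warn_at=3, step_up_at=6, lock_at=12,
                 clock=time.time):
        self.window = window_seconds
        self.warn_at, self.step_up_at, self.lock_at = warn_at, step_up_at, lock_at
        self.clock = clock                # injectable so the window can be tested
        self.events = defaultdict(deque)  # user -> deque of (timestamp, point id)
        self.locked = set()
        self.audit = []                   # what a SIEM or log-mining job would receive

    def recent(self, user):
        """Drop events outside the tolerance window and return the ones that remain."""
        now, q = self.clock(), self.events[user]
        while q and now - q[0][0] > self.window:
            q.popleft()
        return list(q)

    def score(self, user):
        return sum(DETECTION_POINTS[p].value for _, p in self.recent(user))

    def record(self, user, point_id):
        """Called by a detection point inside the application; returns the response."""
        self.events[user].append((self.clock(), point_id))
        recent = self.recent(user)
        score = sum(DETECTION_POINTS[p].value for _, p in recent)
        has_high = any(DETECTION_POINTS[p] is Severity.HIGH for _, p in recent)
        if user in self.locked:
            response = Response.LOCK
        elif score >= self.lock_at and has_high:
            # Conservative automation: low-severity failures alone never lock an account
            # (that could be abused to lock out real users); a HIGH event must be present.
            response = Response.LOCK
            self.locked.add(user)
        elif score >= self.step_up_at:
            response = Response.STEP_UP
        elif score >= self.warn_at:
            response = Response.WARN
        else:
            response = Response.LOG
        self.audit.append({"user": user, "point": point_id, "score": score,
                           "response": response.value})
        return response


def handle_transfer(monitor, user, form, quoted_amount):
    """Detection point in the critical path: the posted amount must equal the
    amount the server quoted earlier in the session. Returns (accepted, response)."""
    if set(form) - {"to", "amount"}:
        return False, monitor.record(user, "UNEXPECTED_PARAM")
    if form["amount"] != quoted_amount:
        return False, monitor.record(user, "TAMPERED_AMOUNT")
    return True, None


def demo():
    """Replays a constructed sample session against a fake clock."""
    now = [1_000_000.0]
    mon = AttackMonitor(clock=lambda: now[0])
    r = {}
    # Twelve failed logins: score 12 reaches lock_at, but with no HIGH event
    # the monitor stops at forcing re-authentication.
    r["after_12_auth_fail"] = [mon.record("alice", "AUTH_FAIL") for _ in range(12)][-1]
    # Then a transfer whose amount was changed client-side: now the account is locked.
    r["tampered_transfer"] = handle_transfer(
        mon, "alice", {"to": "acc-9", "amount": "5000.00"}, "50.00")[1]
    r["alice_locked"] = "alice" in mon.locked
    # A single forced-browse attempt by another user is flagged, not punished.
    r["single_forced_browse"] = mon.record("bob", "FORCED_BROWSE")
    now[0] += 660                          # eleven minutes later the window is empty
    r["bob_score_after_window"] = mon.score("bob")
    return r
```

The point of the `has_high` guard is the "be conservative with automated responses" advice: a burst of low-severity failures is logged and escalated to a step-up challenge, which is cheap to recover from, while the only destructive response is reserved for a pattern that includes an event a legitimate user cannot produce by accident. The `audit` list is where the detection events leave the application for the monitoring and log-mining the speakers ask for.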

According to Van Niekerk, mitigation efforts must be focused on eliminating unnecessary data and ensuring that all essential controls are in place.

“Businesses should test and review Web applications; audit user accounts; and monitor privileged activity. They should also monitor and mine event logs. Examine ATMs and other payment card input devices for tampering.”

He believes ISO 27001 is the gold standard of information security, as it describes the creation and maintenance of an information security management system.
