Any company worth their salt (especially those based in the digital sector) will already be aware of a number of attack risks that they need to be aware of and protect themselves againstincluding spyware, Trojan Horses and phishing, for example. In addition to these well known security risks,there are also a number of new, unknown bugs currently being deployed throughout the web. These are some of the key ones:
Headless Browser Attacks
It’s likely you will have heard of a distributed-denial-of-service attack – essentially, floods of packets are unleashed onto the victim’s network, meaning that valid requests can’t get through and the server is eventually forced to crash. However, because defences against these assaultshave strengthened, attackers are now changing their methods.In particular, modern application-layer attacks using headless browsers have become more common. A ‘headless browser’ attack makes use of software designed to imitate genuine users in order to carry out assaults on the target website. Unfortunately, because the browsers can imitate genuine traffic so effectively, they are often extremely hard to spot. What’s more, they are often used as part of a ‘botnet’ attack, which uses malware to commandeer machines belonging to innocent parties. This way, the attack comes from a range of IP addresses, making it even tougher to differentiate from normal traffic.Recently,website security firm Incapsula had to combat a headless browser attack that flooded the target site with a staggering 700 million hits per day.
Older Browsers and Weaker Plug-ins
A wise attacker always concentrates on his opponent’s main area of weakness. It’s no surprise therefore, that millions of financially oriented attacks are focusing heavily on perceived weaknesses in both browsers and browser plug-ins such as Adobe’s Flash and Reader, as well as Oracle’s Java. If patches aren’t kept up to date then a dozen or so simultaneous attacks on the different components can easily lead to a company’s system becoming compromised. The Java plug-in in particular is often targeted, as it is renowned for being both widely used and often poorly patched.
Good Sites and Bad Content
Another common move amongst today’s attackers is the targeting of widely known, trusted websites. Users are more likely to accept content from sites they know and respect, and as a result it becomes easier to cause a compromise in security. During the VOHO watering hole attack last year, for instance, hackers infected legitimate technical and financial sites based in Washington and Massachusetts – sites that were already frequently accessed by the intended victims. Malvertising is another common method that follows a similar line – the placing of malicious advertising on renowned websites, but used sparingly to avoid the attack being easily detectable. As well as affecting users, this can lead to the site itself being blacklisted by Google and ultimately losing revenue.
The advent of mobile technology has led to an increase in attacks, with hackers looking to take advantage of apps – many of which are very poorly programmed and thus easy to exploit. Security firm Zscaler estimated that around 60% of mobile apps are currently accessing unique hardware information from devices and then passing it over Web interfaces. What’s even worse is that around 10% of these applications aren’t even transmitting their user’s credentials securely.
Not Cleaning up the Input
SQL injection is widely considered to be the top security threat in operation at the moment. (Indeed, it holds top spot in the OWASP list). One of the reasons that it continues to cause such issues is that user-provided input isn’t being checked to ensure its validity. Companies will frequently focus on SQL flaws in their own website, whilst forgetting to lock down sites that are connected, such as their contractor time-tracking systems or remote collaboration pages. This means that attackers can instead target the less secure pages and then access the main site through them.
Just a few simple tweaks and being aware of these threats will help you protect yourself and your business.
Amanda Walters – This article was written by Amanda Walters, an experienced freelance writer and regular contributor to Huffington Post. Follow her here: @Amanda_W84