Cyber attacks are on the rise. According to the BDO Cyber Governance Survey, attacks grew significantly in 2018. How significantly? Ransomware attacks grew by 350% while spoofing attacks went up 250%.
It isn’t just the increase in attacks that’s a concern. It’s also what these attacks can cost a business. Reports from just this year show cyber attacks can cost companies an average of $1.67M, per attack.
Furthermore, breaches disrupt regular business operations and may require additional resources and time to address and resolve the vulnerabilities. An attack can negatively impact your reputation and erode the trust your customers have placed in you.
Worse yet, a breach may only show you a single vulnerability in your application. There may be more yet to be discovered.
As with many things, an ounce of prevention is worth a pound of cure. An application security scan can identify where potential vulnerabilities exist in your web application. If you’re unfamiliar with the kinds of attacks your business may be facing, it’s time to understand the threats that are out there and what they could mean to your business.
Cross-Site Scripting (XSS)
Savvy technology users know to avoid suspicious sites. But trusted sites can also be a problem. With Cross-site scripting, hackers place – or “inject” – malicious scripts into trusted websites. The scripts then run in the browser of a site visitor and can access cookies, session tokens, and other sensitive information that a user might have saved for that website.
Cross-Site Request Forgery (CSRF)
A Cross-Site Request Forgery – also known as a CSRF or XSRF – harms both the business and the user. The attack typically arrives via social engineering, such as an email that appears to come legitimately from the business and gives the user a link to click. Because the user is already logged in to the site, the forged request can end up creating unauthorized bank transfers, changing passwords, and even stealing session cookies.
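The synchronizer-token defense against the forged request described above, as an added example that is not part of the original post. The session store, `/transfer` form and `handle_transfer` handler are assumptions constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store for this example; a real app keys it by the session cookie.
SESSIONS = {}

def new_session():
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_transfer_form(sid):
    """The legitimate site embeds the session's token in the form it serves."""
    token = SESSIONS[sid]["csrf_token"]
    return (f'<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            f'<input name="amount"><button>Send</button></form>')

def handle_transfer(sid, form):
    """Accept the state-changing POST only if it carries this session's token.
    A request forged from another site rides on the victim's session cookie (sid)
    but cannot read the token from the real page, so it is rejected here."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {form['amount']}"

def demo():
    """Genuine submission from the served form versus a forged cross-site POST."""
    sid = new_session()
    html = render_transfer_form(sid)
    token = html.split('value="')[1].split('"')[0]  # what the real form submits
    genuine = handle_transfer(sid, {"csrf_token": token, "amount": "50"})
    forged = handle_transfer(sid, {"amount": "5000"})  # cookie present, token absent
    return genuine, forged
```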
Custom Error Pages
Companies that have not created a custom error page for their website may be giving away more information than they intend. The default error page may reveal application code as part of the error, allowing hackers to dig into the application for vulnerabilities.
SSL Protocol Version
Secure Sockets Layer, or SSL, protocols are meant to help secure applications. But using an old or outdated version can leave you open to man-in-the-middle attacks. Companies should always be using the newest protocol versions and should disable SSLv3 services.
Secure Cookie Usage
Any cookies your site uses should be marked Secure and HttpOnly. Without these flags, cookies can be hijacked and copied, allowing attackers to steal the information stored in the cookie and impersonate the user on the site. Hackers can also read the information stored in the cookie if it isn't encrypted and use that information in a number of ways.
Sensitive Fields and Autocomplete
Filling out forms on the web and in apps can be tedious, especially on smaller devices. Using autocomplete is common, but when it's enabled on fields with sensitive information – like on login pages – previously entered values can be displayed to whoever is using the device.
Clickjacking
Clickjacking is a particularly insidious attack. It tricks a user into thinking they are clicking on something useful, when in reality they may be leaking confidential information to attackers. This threat can also be used to take control of the user's computer.
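A small response-header check covering both the cookie flags and the clickjacking sections above, as an added example that is not part of the original post. The response block is constructed for illustration; the check functions are assumptions, not any scanner's real API.

```python
# Constructed sample response; the session cookie lacks Secure/HttpOnly and no framing
# protection header is present, so both checks should fire.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=abc123; Path=/
Set-Cookie: pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax
X-Powered-By: ASP.NET
"""

def parse_headers(raw):
    """Return (name, value) pairs in order; repeated headers such as Set-Cookie are kept."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def check_cookies(headers):
    """Flag every Set-Cookie header missing the Secure or HttpOnly attribute."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow the first ';' and are case-insensitive.
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        for required in ("secure", "httponly"):
            if required not in attrs:
                findings.append(f"cookie '{cookie_name}' lacks {required}")
    return findings

def check_framing(headers):
    """Flag a response that allows framing: neither X-Frame-Options nor a CSP frame-ancestors directive."""
    hdrs = dict(headers)  # last value wins; fine for these single-valued headers
    if "x-frame-options" in hdrs:
        return []
    if "frame-ancestors" in hdrs.get("content-security-policy", "").lower():
        return []
    return ["no X-Frame-Options or CSP frame-ancestors: page can be framed (clickjacking)"]

def scan(raw):
    """Run both checks over one raw response and return the combined findings."""
    headers = parse_headers(raw)
    return check_cookies(headers) + check_framing(headers)
```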
Database Account Security
When your applications use a database, observe security best practices for database access and logins. Far too many businesses, however, still rely on the SA or root accounts for the database, or simply don't disable these accounts. This can leave your data open to attackers who use these powerful accounts to gain access and steal information.
Web.config Encryption and Decryption
Your web.config file is exactly what its name says: a file holding the configuration of your web application, including application paths and database access details. This file should always be encrypted to prevent hackers from exploiting the information and stealing data – like customer information – or taking down your entire site.
File Upload Vulnerabilities
Allowing a file upload capability in your applications may be a nice or even a necessary feature. Without restrictions on what can be uploaded, however, attackers can add any kind of file to the receiving system, including an executable (exe) file. Once uploaded, such a file can install a virus or copy your data.
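An upload validator implementing the restrictions the paragraph above calls for, as an added example that is not part of the original post. The allowlist, size limit and storage layout are assumptions; the sample uploads are constructed.

```python
import os
import secrets
import tempfile

# Allowlist of extension -> leading bytes ("magic number") the content must start with.
# Constructed for this example; extend it to the types the application actually needs.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed limit

def validate_upload(filename, data):
    """Return the accepted extension, or raise ValueError saying why the upload is rejected."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    # Keep only the final path component and its last extension, so directory parts
    # and double extensions in the client-supplied name cannot influence the decision.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension {ext or '(none)'} not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    return ext

def store_upload(filename, data, upload_dir):
    """Validate, then save under a random server-chosen name (the client name is never used)."""
    ext = validate_upload(filename, data)
    stored = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    with open(stored, "wb") as fh:
        fh.write(data)
    return stored

def demo():
    """Constructed inputs: a valid PNG, an .exe, an executable renamed to .png, and a path trick."""
    results = {}
    with tempfile.TemporaryDirectory() as upload_dir:  # stands in for a directory outside the web root
        good = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
        results["photo.png"] = os.path.exists(store_upload("photo.png", good, upload_dir))
        for name, data in [("tool.exe", b"MZ" + b"\x00" * 32),
                           ("tool.png", b"MZ" + b"\x00" * 32),
                           ("../../web.config", b"%PDF-1.4")]:
            try:
                store_upload(name, data, upload_dir)
                results[name] = "accepted"
            except ValueError as err:
                results[name] = str(err)
    return results
```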
Website Path and Build Hygiene Issues
Building a web application can be a hectic time, with testing and go-live deadlines. However, it's important to follow best practices during development to prevent vulnerabilities. When backup files and data are left in public web folders, anyone can access the information. With a copy of your backups, a hacker can take their time finding and testing vulnerabilities.
The best way to prevent becoming a victim of these attacks is by regularly scanning to see what vulnerabilities exist in your applications. An application scan will not only identify vulnerabilities but also give your IT vendor a place to start to secure your applications. For a free security scan of your applications, contact SunNet today.