With all the news coverage that security-related incidents receive, it may often feel like we are in a constant state of war against hackers. That thought is not far off, as receiving a personal breach notification now seems like a rite of passage into adulthood. Though mitigations such as password complexity rules, virus and malware protection, and multifactor authentication are important, they can also create a false sense of security.
Most modern attacks do not rely on a single exploit. Though vulnerabilities can reside in the application, the operating system, or the hardware (firmware), attacks often chain together seemingly unrelated conditions in the part of the system you least expect (vectoring).
SQL Injection – A long-standing attack vector. A web form allows you to enter a piece of data (such as a check number to search for), but the application does not prevent an attacker from submitting a database command in its place, which is then passed to the back end of the server. Depending on the command, this can expose additional records and/or delete information.
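The following is an added illustration, not code from the original article: a Python script using an in-memory SQLite table (constructed here as a stand-in for the check-search back end) that places the vulnerable, string-concatenated query beside its parameterized form. The function names and the sample rows are assumptions for the demonstration.

```python
import sqlite3

# Constructed in-memory table standing in for the back-end data a "check number search" form queries.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checks (check_number TEXT, payee TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO checks VALUES (?, ?, ?)",
        [("1001", "Acme Utilities", 120.50),
         ("1002", "Jane Doe", 75.00),
         ("1003", "Landlord LLC", 900.00)],
    )
    return conn

def search_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    # The form value is spliced into the SQL text, so the database parses it as part of the command.
    query = ("SELECT check_number, payee, amount FROM checks "
             "WHERE check_number = '" + user_input + "'")
    return conn.execute(query).fetchall()

def search_safe(conn: sqlite3.Connection, user_input: str) -> list:
    # The form value travels as a bound parameter; it can only ever be compared as a literal string.
    query = "SELECT check_number, payee, amount FROM checks WHERE check_number = ?"
    return conn.execute(query, (user_input,)).fetchall()

def demo() -> dict:
    # Row counts for a normal lookup and for input that closes the quote and appends an always-true clause.
    conn = make_db()
    normal = "1002"
    tautology = "' OR '1'='1"
    return {
        "normal_vulnerable": len(search_vulnerable(conn, normal)),
        "normal_safe": len(search_safe(conn, normal)),
        "tautology_vulnerable": len(search_vulnerable(conn, tautology)),
        "tautology_safe": len(search_safe(conn, tautology)),
    }

if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

Both functions return the single matching row for a genuine check number; the difference shows only when the input carries SQL syntax, where the concatenated version returns every row in the table and the parameterized version returns none. Parameterized queries (or an ORM that uses them) are the control to ask your vendor or contract developers about, since input filtering alone is easy to get wrong.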
Cross-Site Scripting (XSS) – Another very common attack vector. Many websites that accept user comments are vulnerable if the developers did not encode that input before displaying it. An attacker can inject script that makes the website behave differently or even obtains login information by reading the browser's cookies.
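As an added example (not part of the original article), the Python snippet below renders a comment into an HTML fragment two ways: verbatim, and with output encoding via the standard library's html.escape. The sample comments and the helper names are constructed for the demonstration.

```python
import html

# Constructed sample comments standing in for what users submit through a comment form.
SAMPLE_COMMENTS = [
    "Great article, thanks!",
    "5 > 3 & 2 < 4",
    "<script>alert('xss')</script>",
]

def render_comment_unsafe(comment: str) -> str:
    # Inserts the comment into the page verbatim, so any tags in it become live markup.
    return '<p class="comment">' + comment + '</p>'

def render_comment_safe(comment: str) -> str:
    # Encodes &, <, >, " and ' so the browser displays the comment as text instead of parsing it.
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'

def contains_script_tag(fragment: str) -> bool:
    # Minimal check used here to compare the two renderers; a real review would use an HTML parser.
    return "<script" in fragment.lower()

def compare_renderers(comments=SAMPLE_COMMENTS) -> dict:
    # For each comment, report whether a <script> tag survives into the rendered HTML.
    return {
        c: {"unsafe": contains_script_tag(render_comment_unsafe(c)),
            "safe": contains_script_tag(render_comment_safe(c))}
        for c in comments
    }

if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        print(render_comment_safe(comment))
```

The ordinary comments render identically either way; only the one carrying markup differs, and the encoded version reaches the browser as harmless text. Note that html.escape is the right encoding for text inside an HTML element; a value placed inside a JavaScript block or a URL needs the encoding for that context instead, which is why templating engines that escape by default are preferable to hand-built strings.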
Man-in-the-Middle – This method used to be considered impossible to use but has recently resurfaced due to certain SSL certificate issues. The attacker maintains a separate, apparently secure connection with each side of a web session. The sender and receiver each believe their data is encrypted end to end, whereas the attacker in between sees it in its native, unencrypted state.
If you review the top five attacks from year to year, it becomes apparent that cybersecurity is a very active process (no two years are the same). In order to properly secure applications, it is imperative that you ensure your application vendor or contract developers periodically perform:
Many of the above practices are expensive and may be out of reach for smaller or contract developers, but they are imperative for mitigating attacks. When it comes to security, you are only as strong as your weakest link. Additionally, some steps your institution can take include:
Web application security is nothing new. Though there is no 100% guarantee of safety, with proper and diligent mitigation we can make it undesirable for attackers to even try. As a police officer once said to me when I asked, “What is the best lock I can get for my front door?” He simply stated, “None, get a dog.”