It might not be a stretch to suggest that information security is the single biggest concern of this modern age, especially in a tech world dominated by trends and advanced technologies like cloud computing, mobile computing, and big data.
With the innovation of new technologies also comes the responsibility to govern them. Compliance and regulation are factors that cannot be overlooked.
But of course, there are hundreds of thousands of people who are always looking either to break these laws or to find loopholes in them for their own personal gain. Such people are the reason why information security is now the single biggest concern in the digital world.
The Early 2000s
A little over a decade ago, people were watching the performance of their personal computers grow so that they could run ever more demanding applications. The number of applications needing several gigabytes of RAM or hard disk space kept increasing.
Applications that were widely used at the time were usually the prime target for hackers, as they reached the maximum number of users and thus promised the maximum potential damage.
However, in what would seem like a dramatic turn of events, consumers quickly shifted from their personal computers to mobile and tablet computing. Applications like Photoshop and Microsoft Office could now run on their tablets and mobile phones.
As time passed, users working on portable devices largely outnumbered users working on their personal computers in their homes and offices.
This was, however, not the end of the shift. The paradigm shift occurred in the IT industry with the growth of trends like cloud computing and bring your own device (BYOD). For everyday consumers, new technologies such as these meant easier ways to work and perhaps more ways to have fun.
For hackers, it meant more ways to hack, intrude, attack, steal and leak. The bigger the technology, the bigger the impact of an attack. Many nations have also termed it “new age terrorism”, since it has the ability to affect the nation as a whole.
The internet is capable of doing things unheard of before. According to a report by Statista, as of the third quarter of 2016, Facebook had 1.79 billion monthly active users.
The last couple of years have seen the rise of virtual assistants like Siri, Google Assistant, Cortana, and Alexa. This reiterates the fact that more people are active on the internet than ever before.
Cloud computing made things possible that weren’t possible a decade ago. In this era, applications don’t even need to be installed on the computer to be used.
High-performance and resource-demanding applications are delivered through a web interface. This indicates that the way consumers interact with the internet has changed completely.
Cloud-based services such as software as a service and security as a service are delivered through the cloud and accessed through the end user’s web interface.
People are using web browsers for more than just browsing social media. An average internet user has at least 90 online accounts, ranging from social media to online banking.
That is why it comes as no surprise that this phenomenon gave prominence and an almost instantaneous rise to cyberattacks on web-based applications. This is precisely the reason why web application security is the branch of information security that can no longer be overlooked.
According to a report by Whitehatsec, it takes approximately 250 days for IT and 205 days for retail businesses to fix software flaws. That is more than sufficient time for hackers to find, plan and execute cyber attacks.
The New Age Web Application Attacks
According to a recent report by PCWorld, web application attacks, point-of-sale intrusions, cyber espionage and crimeware were the leading causes of confirmed data breaches last year.
They further stated that this involved a total of almost 80,000 security incidents and 2,000 confirmed data breaches in 61 countries!
For the past two years, over two-thirds of cyber espionage incidents were related to phishing. Another statistics report, by Calyptix, states that 24% of all attacks are web application attacks.
These reports clearly show that increased awareness is a necessity. The internet is a vital resource to a business regardless of the industry it belongs to. Be it finance, manufacturing, accounting, law or even healthcare, it is virtually impossible to function at all without the internet.
Earlier, we discussed the concept of web application security. We also discussed the most commonly identified attacks carried out through web applications. Let us now look into some of the ways we can prevent an attack.
Preventing Web Application Attacks
1. Strong Password and Autocomplete Disabled
Users generally have a tendency not to use strong passwords. They usually ignore the risks, despite general awareness of them, and choose a password that is easier to remember instead. However, a good password manager offers a solution to both of these issues.
Strong password requirements will force the user either to use a password generator or to choose a strong password. Disabled autocomplete will force them either to use a password manager or to remember it. Either way, the user will no longer be dependent on the browser to make a note of the login credentials.
2. Use of SSL, STS, HttpOnly & HSTS
Not opting for an SSL certificate can have huge implications for a website, as it leaves the site vulnerable to attacks; SSL support is crucial to prevent them.
STS or Security Token Service further secures the authentication process by acting as an entity that creates a chain of trust between the user authenticating his/her credentials and the application using the STS service.
All authentications have to verify the trustworthiness of the token between the two parties in order to complete the authentication process.
The use of an HttpOnly cookie prevents client-side script from reading the cookie, hence mitigating attacks carried out through cookies. In fact, the browser will not reveal the cookie to the attacker even if a cross-site scripting flaw exists.
HTTP Strict Transport Security is also referred to as HSTS. It is an enhanced security feature specified by a web application. The HSTS mechanism prevents a browser from communicating with the specified domain over plain HTTP; it will only communicate over HTTPS.
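The two response-side protections described above (HSTS and the HttpOnly/Secure cookie flags) are easy to check for automatically. The following is an added example, not code from the original article: a small checker that parses a raw HTTP response and reports a missing or short-lived Strict-Transport-Security header and any Set-Cookie header that lacks HttpOnly or Secure. The one-year minimum max-age and the two sample responses are assumptions constructed for this example.

```python
import re

# Assumption: one year is the minimum HSTS max-age this checker accepts.
HSTS_MIN_MAX_AGE = 31_536_000


def parse_response(raw_response):
    """Split a raw HTTP/1.x response into (status_line, [(name, value), ...]).

    Header names are lower-cased because HTTP header names are
    case-insensitive; values are kept exactly as sent.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_hsts(headers):
    """Report a missing or weak Strict-Transport-Security header."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["missing Strict-Transport-Security: browser may still use plain HTTP"]
    findings = []
    match = re.search(r"max-age=(\d+)", values[0], re.IGNORECASE)
    if match is None:
        findings.append("HSTS header has no max-age directive")
    elif int(match.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append("HSTS max-age %s is shorter than one year" % match.group(1))
    return findings


def audit_cookies(headers):
    """Report Set-Cookie headers that omit the HttpOnly or Secure flag."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Cookie attributes are case-insensitive; "Secure" carries no value.
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in flags:
            findings.append("cookie %r lacks HttpOnly: readable by page scripts (XSS)" % cookie_name)
        if "secure" not in flags:
            findings.append("cookie %r lacks Secure: may be sent over plain HTTP" % cookie_name)
    return findings


def audit_response(raw_response):
    """Return the combined findings; an empty list means every check passed."""
    _, headers = parse_response(raw_response)
    return audit_hsts(headers) + audit_cookies(headers)


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or ["ok"])
```

Run against the weak response the checker reports three findings (no HSTS, and a session cookie without HttpOnly and without Secure); the hardened response produces none. In practice the same checks belong in a deployment test so that a configuration change cannot silently drop these headers.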
3. Secure Storage for Login/Account Details
It is the responsibility of the site owner to ensure that a user’s account details, comprising login usernames and passwords, account recovery details such as security questions and answers, and contact details, are securely stored with strong encryption.
It would be quite pointless to have end users create strong passwords along with complicated answers to security questions if all the details are stored in plaintext.
Having an outdated hashing algorithm is as good as having almost no security at all. Conversely, strong hashing algorithms would mean the database would be useless to hackers even if they are able to get their hands on it.
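To make the storage point concrete, here is an added example (not code from the original article) of the difference between an outdated scheme and a current one: passwords are stored as salted PBKDF2-HMAC-SHA256 records with a high work factor, verified in constant time, and a legacy unsalted-MD5 record is transparently upgraded the next time its owner logs in, since that is the only moment the plaintext is available to re-hash. The record format, the iteration count and the two sample rows are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Assumptions for this example: PBKDF2-HMAC-SHA256 with a work factor chosen
# to be slow for an attacker guessing offline; tune the count to your hardware.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different records, so a stolen table cannot be cracked with one
    precomputed lookup.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Check a password against a stored record in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest does not leak how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=DEFAULT_ITERATIONS):
    """True when the record uses an older algorithm or a weaker work factor."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < iterations


def upgrade_on_login(password, record):
    """Verify against a legacy 'md5$<hex>' record (constructed here to stand
    for an outdated, unsalted scheme) or a current record.

    Returns (ok, replacement_record). The replacement is produced only when
    the password is correct and the record is outdated; it is None otherwise.
    """
    if record.startswith("md5$"):
        legacy_hex = record[len("md5$"):]
        ok = hmac.compare_digest(hashlib.md5(password.encode("utf-8")).hexdigest(), legacy_hex)
    else:
        ok = verify_password(password, record)
    if not ok:
        return False, None
    if needs_rehash(record):
        return True, hash_password(password)
    return True, None


# Constructed sample data: one legacy user row and one current user row.
LEGACY_RECORD = "md5$" + hashlib.md5(b"hunter2").hexdigest()
CURRENT_RECORD = hash_password("correct horse battery staple")

if __name__ == "__main__":
    print(verify_password("correct horse battery staple", CURRENT_RECORD))
    ok, replacement = upgrade_on_login("hunter2", LEGACY_RECORD)
    print(ok, replacement.split("$")[0])
```

Because each record carries its own algorithm and iteration count, the work factor can be raised later without a migration script: `needs_rehash` flags old rows and `upgrade_on_login` replaces them as users authenticate.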
Businesses need to keep an alert eye and constantly monitor the precautionary measures taken to secure their websites from such types of web application attacks.
Although no amount of security can be termed as foolproof, attackers tend to target organizations which have relatively less or no security measures in place.
Image Credit – DepositPhotos