Security at the Next Level: Are Your Web Applications Vulnerable?

By: HP
Published: Oct 15, 2007
Length: 12 pages
Type: White Paper

Overview:

Are your web applications vulnerable? What techniques are hackers using to exploit web-based applications, and how can you protect your site? Most security products available today cannot adequately examine the applications that reside on your web server, yet these applications often provide backend access to confidential data.

This paper explains web application security, including a report on the top web application vulnerabilities and how your site might be exposed to threats such as SQL Injection, Parameter Manipulation, Common File Query, Cross-Site Scripting and Cookie Tampering.

Related Categories: Application Security, Quality Assurance, Software Development, Software Testing, Web Service Security, eBusiness

Introduction
Web applications can take many forms: an informational website, an e-commerce site, an extranet, an intranet, an exchange, a search engine, a transaction engine, an e-business. All of these applications link to computer systems that contain weaknesses that can pose risks to your organization. Weaknesses exist in system architecture, system configuration, application design, implementation, configuration and operations. The risks include the possibility of incorrect calculations, damaged hardware and software, data accessed by unauthorized users, data theft or loss, misuse of systems and disrupted business operations.
As the digital enterprise embraces the benefits of e-business, the use of web-based technology continues to grow. Most organizations today use the web as a way to manage their customer relationships, enhance their supply chain operations, expand into new markets and deploy new products and services to customers and employees. However, successfully implementing the powerful benefits of web-based technologies cannot be achieved without a consistent approach to web application security.
Everyone gets hacked, from large consumer e-commerce sites and portals, such as Yahoo!, to government agencies, such as the National Aeronautics and Space Administration (NASA) and the Central Intelligence Agency (CIA). In the past, the majority of security breaches occurred at the network layer of enterprise systems. Today, however, hackers manipulate web applications from inside the enterprise firewall's permitted traffic, enabling them to access and sabotage corporate and customer data. Given even a tiny vulnerability in a company's web application code, an experienced intruder with only a web browser and a little determination can break into most commercial websites.
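The "tiny vulnerability" exploitable with nothing but a browser is illustrated below for the first threat the overview lists, SQL Injection. This is an added example written for this page, not code from the HP paper: a login check that concatenates form fields into a query is placed beside the parameterised version that closes the hole. The in-memory SQLite table, the user names and the plaintext passwords are constructed for the illustration only (a real application would store password hashes).

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the paper): a tiny users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: form fields are pasted into the SQL text, so a quote in the
    input changes the grammar of the statement instead of being compared as data."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Hardened: the statement structure is fixed and the driver binds the values,
    so the same inputs are matched literally and never reach the SQL parser."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def bypass_demo():
    """Run two browser-typeable payloads against both implementations.

    Payload 1 comments out the password check with a trailing '--'.
    Payload 2 appends OR '1'='1, which makes the WHERE clause true for every row.
    Returns what each implementation answers, so the difference can be checked."""
    conn = make_db()
    attempts = {
        "comment_out_password": ("alice' --", "wrong"),
        "always_true_password": ("", "' OR '1'='1"),
    }
    return {
        name: {
            "vulnerable": login_vulnerable(conn, user, pw),
            "safe": login_safe(conn, user, pw),
        }
        for name, (user, pw) in attempts.items()
    }


if __name__ == "__main__":
    for name, outcome in bypass_demo().items():
        print(name, outcome)
```

Both payloads log the attacker in as the first row of the table (the administrator) through `login_vulnerable` and are rejected by `login_safe`; the only code change needed is to let the database driver bind the values. The same rule covers the "Parameter Manipulation" item in the overview: any value that arrives in a URL, form field or cookie is untrusted and must be bound or validated before it touches a query.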
The problem is much greater than industry watchdogs realize.
Many businesses do not monitor online activity at the web-application level. Because attempted attacks then go unnoticed, organizations are left in a reactive security posture, where nothing gets fixed until after an incident occurs. Reactive security can mean sacrificing sensitive data as the catalyst for a policy change.
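Monitoring at the web-application level means looking at what is inside the requests, not only whether port 80 was reached. The following added example (not part of the HP paper) scans web-server access-log lines for the request patterns that the attacks named in the overview leave behind: quote-and-OR fragments of SQL injection, script tags of cross-site scripting, and the dot-dot sequences of file queries that climb out of the web root. The five log lines, the IP addresses and the rule set are constructed for the illustration; a production deployment would tune the rules and feed the findings to whoever owns the application.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Oct/2007:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Oct/2007:10:01:09 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9810 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Oct/2007:10:02:30 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Oct/2007:10:03:11 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210 "-" "curl/7.16"
192.0.2.9 - - [15/Oct/2007:10:04:00 +0000] "GET /account?id=1001 HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

# Fields of one log line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical rule set, applied to each percent-decoded query parameter value.
RULES = [
    ("sql_injection",
     re.compile(r"('\s*(or|and)\s*'?\w*'?\s*=|--|;|\bunion\b\s+\bselect\b)", re.I)),
    ("cross_site_scripting",
     re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I)),
    ("path_traversal",
     re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
]


def scan_line(line):
    """Return a list of (label, parameter, decoded_value) findings for one line.

    parse_qsl removes the percent-encoding the browser applied, so the rules see
    the same text the application would have received; an empty list is clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for label, rx in RULES:
            if rx.search(value):
                findings.append((label, name, value))
    return findings


def scan_log(text):
    """Return {line_number: findings} for every line that triggered a rule."""
    results = {}
    for n, line in enumerate(text.splitlines(), 1):
        findings = scan_line(line)
        if findings:
            results[n] = findings
    return results


if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG).items():
        for label, name, value in findings:
            print(f"line {n}: {label} in parameter {name!r}: {value!r}")
```

Run over the sample, lines 2, 3 and 4 are flagged and lines 1 and 5 pass. Note that the injection attempt on line 2 returned HTTP 200 with a larger body than the legitimate request on line 1: a network firewall sees only an allowed connection to port 80, whereas a scan of the application's own logs shows both the attempt and a hint that it succeeded.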

Why aren't web environments secure?
As more organizations take advantage of the Internet, they discover that the web is not just a new market or distribution channel but also a new operating environment. In this new environment, conventional security measures are outdated and frequently ineffective.
A new level of security breach is occurring through the Internet ports that must stay continuously open (port 80 for general web traffic and port 443 for encrypted traffic). Because a firewall has to admit all incoming traffic on these ports for the site to work at all, they are the gateways through which hackers reach the application, and through it the secure files and proprietary corporate and customer data behind it. While you may read about rogue hackers in the news, the more likely threat takes the form of online theft, terrorism and espionage. In addition to the vulnerabilities inherent in the Internet operating environment, negligence also accounts for some of the risk to company data. According to the SANS Institute, seven management errors lead to computer security vulnerabilities:
1) Assigning untrained people to maintain security and not providing needed training or time for the job
2) Failing to understand the relationship of information security to the business problem—managers understand physical security but do not see the consequences of poor information security
3) Failing to deal with the operational aspects of security: making a few fixes and then not allowing the follow through needed to make the fixes permanent
4) Relying primarily on a firewall and intrusion detection systems (IDS)
5) Failing to realize how much money information and organizational reputations are worth
6) Authorizing reactive, short-term fixes so problems re-emerge rapidly
7) Pretending the problem will go away

Hackers are one step ahead of the enterprise.
While organizations rush to develop security policies and implement basic security capabilities, professional hackers continue to find new ways to attack. Most hackers use "out-of-the-box" security holes, the default settings, sample content and accounts that ship with off-the-shelf software, to gain escalated privileges or execute commands on a company's server. Simple misconfigurations of off-the-shelf web applications can leave gaping security vulnerabilities in an unsuspecting company's website.
It's not a question of if your site will be attacked but when.
Attacks on web-connected servers have become more common. For example, attackers stole credit card numbers from the Western Union website, and a computer hacker broke into a Walt Disney Company computer, stealing sensitive guest information. Brand deterioration follows as well, as Ford experienced when its website was defaced.