In the past year we have seen numerous Web attacks hit companies globally. Organizations have been breached and data has been stolen, and companies' web applications have been taken down by DDoS attacks. Hackers dance around network security defenses with ease, bypassing firewalls, IPSs, and other controls.
The Problem has Moved On…
For the past 10 years, companies have invested their effort and budget in securing their infrastructure. Most of that budget went toward the most acute problems of the time: network hacks and virus propagation. Companies have done a great job at solving those problems, but that success motivated hackers to look for other ways into their networks.
Hacking today is all about profit. In today's industrialized hacking environment, hackers are focused on one major goal: maximize profit and minimize effort. When companies found a way to prevent network attacks, hackers moved to where there is less resistance: the Web. Most compromised companies are ones that have invested heavily in their security infrastructure: they upgrade their firewalls to the latest and greatest, but they have not invested in stopping today's attacks, which go after their most valuable assets through their web applications. So when the hackers come today, companies aren't ready.
In the Details
Web attacks are divided into two main categories:
- Technical Web Attacks
- Business Logic Attacks
Technical web attacks exploit a software flaw in order to steal data, inject code, or otherwise manipulate the application into giving up data. Security research cites that 97% of all data breaches are due to SQL Injection.
Business logic attacks and fraud attacks are gaining popularity. Hackers understand how to break an application's logic to gain access to restricted areas, run fraudulent transactions, overwhelm search engines with enormous search terms (which in effect creates a DoS on the application), and carry out countless other forms of abuse.
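As an added example that is not part of Imperva's post, here is a Python guard for the enormous-search-term abuse described above: it bounds the resource cost of a search request before the query reaches the backend and returns a reason suitable for logging. The limits, function names and sample queries are assumptions constructed for illustration.

```python
# Added illustration (not Imperva's code): a request-side guard for the
# "enormous search term" business-logic abuse. Limits are assumed values;
# tune them to the application's real usage profile.
import re
from dataclasses import dataclass

MAX_QUERY_LEN = 256      # assumed: longest legitimate search string
MAX_TERMS = 20           # assumed: most terms a normal query contains
MAX_TERM_LEN = 64        # assumed: longest single term worth indexing
MAX_WILDCARDS = 2        # assumed: wildcard-heavy queries are costly to evaluate

@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str

def check_search_query(q: str) -> Verdict:
    """Return whether a search query is within sane resource bounds.

    This is a resource-abuse check, not an injection check: every term is
    still handed to the search backend as data, never concatenated into code.
    """
    if len(q) > MAX_QUERY_LEN:
        return Verdict(False, f"query length {len(q)} exceeds {MAX_QUERY_LEN}")
    terms = [t for t in re.split(r"\s+", q.strip()) if t]
    if len(terms) > MAX_TERMS:
        return Verdict(False, f"{len(terms)} terms exceeds {MAX_TERMS}")
    longest = max((len(t) for t in terms), default=0)
    if longest > MAX_TERM_LEN:
        return Verdict(False, f"term length {longest} exceeds {MAX_TERM_LEN}")
    wildcards = q.count("*") + q.count("%")
    if wildcards > MAX_WILDCARDS:
        return Verdict(False, f"{wildcards} wildcards exceeds {MAX_WILDCARDS}")
    return Verdict(True, "ok")

# Constructed sample requests: one normal, two abusive.
SAMPLE_QUERIES = {
    "normal": "web application firewall ebook",
    "huge_term": "a" * 5000,
    "wildcard_storm": "*a*b*c*",
}

def triage(samples: dict) -> dict:
    """Run the guard over each sample and collect the verdicts, e.g. for logging."""
    return {name: check_search_query(q) for name, q in samples.items()}
```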
Next week, Imperva will release an eBook discussing the future of web security. We will outline our thoughts on the most important features and controls that Web Application Firewalls should provide.