Can you afford to reduce web application security?
Maybe you feel like the security vendors are trying to sell you something scary. After all, the chances of your business being the next victim of a breach like Capital One or Equifax are probably as low as the sinking of the Titanic. That’s true, but what you might not realize is that it’s not just Russian spies, cybercriminal gangs, or professional hackers that pose a danger to your money. In the world of computer security, even an experienced teenager or an opportunistic thief can cost you so much that you may have to go out of business, and while that’s less likely, it’s still possible.
Hacking is easy!
In the early days of hacking, anyone who wanted to discover ways to circumvent security measures was essentially on their own. This is why the term hacker was originally associated with people of exceptional skill. With the development of the internet, cryptocurrency payments and the dark web, “hacking” for easy money is now a piece of cake. For every common vulnerability, you can easily find an exploit that’s easier to use than your web browser. Quite often, all you have to do is point it and press a button. And getting paid no longer requires unmarked bills in a white envelope – we have bitcoins for that.
The world is, unfortunately, full of people who want to make a quick buck, and they’re not like the professional car thieves in the movies who spend hours figuring out how to bypass immobilizers. They’re like those misguided kids who walk down a street and pull on every car door handle to find one that’s unlocked for a joyride. And then they take the car for fun or rip out your radio. The same goes for your web apps – those script kiddies, as we call them, aren’t looking for your complex, password-protected sensitive data. Instead, they will have fun defacing your homepage or using one-button ransomware to pressure you into paying them bitcoins.
Want proof that the world is full of such culprits? Well, since the CEO change, we at Invicti have been getting regular emails and text messages claiming to be from Michael George. Just think how bold or ignorant those sending these messages are – they send them, unencrypted, from easily traceable sources, to a company that deals with computer security. These are the kind of people you face every day – those who download easy-to-use “hacking” tools and point them at your site without even thinking about it, just to try and make that quick bitcoin or just to have fun.
What will it cost you?
“I’m fine,” you think. You take care of all your major systems. They are regularly scanned and you prioritize all major vulnerabilities to ensure there are no RCEs in key business systems. You may also have WordPress sites created by your marketing team for campaigns, but there is no sensitive data there, so there is no need to worry about them. You might not even scan them at all. After all, what could go wrong?
We have bad news.
Suppose a script kiddie managed to hack into one of your campaign sites and deface the front page. What happens next?
Forensic analysis of the primary attack target
First, you need a forensic analyst to examine the system, and you need to take that system down immediately. The cost of taking a marketing campaign offline for a few days might not be that huge, so far so good. Since you’re not employing full-time computer forensics experts, you spend time finding a subcontractor, signing a contract, and getting them started. And the clock is ticking.
Secondary target forensics
The forensic expert visits the defaced site and confirms that the attacker could have downloaded the entire WordPress database with all the usernames and password hashes used by your marketing team. One of your marketing employees admits that he uses the same username and password for the campaign site as he does for your company’s main site, and that the password is only 6 characters long, so its hash can be cracked in a few seconds (even if it contains a number, a capital letter and a special character).
So the next thing your forensic expert does is look at the logs from your main business site. There they see access attempts from the same IP address as in the campaign site hack. They recommend that you take down your main business site for a while and do a thorough examination. Tick. Tock. Tick. Tock. Now your main site is down for hours or days.
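The correlation step the forensic expert performs above, written out as an added example (not code from the original post): it parses constructed access-log lines, collects the IPs that completed a login on the defaced WordPress site, and checks whether the same IPs then hit the main site’s login form. The login paths and the “302 on POST means a successful login” heuristic are assumptions.

```python
import re

# Constructed sample access-log lines in combined log format; not real traffic.
CAMPAIGN_SITE_LOG = """\
203.0.113.45 - - [02/Mar/2022:10:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 1542 "-" "Mozilla/5.0"
203.0.113.45 - - [02/Mar/2022:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.45 - - [02/Mar/2022:10:02:03 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Mar/2022:10:05:44 +0000] "GET /index.php HTTP/1.1" 200 7330 "-" "Mozilla/5.0"
"""
MAIN_SITE_LOG = """\
198.51.100.7 - - [02/Mar/2022:11:20:01 +0000] "GET / HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.45 - - [02/Mar/2022:11:31:09 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.45 - - [02/Mar/2022:11:31:11 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.45 - - [02/Mar/2022:11:31:14 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Mar/2022:11:40:00 +0000] "GET /about HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in text.splitlines()) if m]

def compromised_site_logins(entries, login_path="/wp-login.php"):
    """IPs that completed a login on the defaced site. Assumption: WordPress answers a
    successful POST to wp-login.php with a 302 redirect and a failed one with 200."""
    return {e["ip"] for e in entries
            if e["method"] == "POST" and e["path"] == login_path and e["status"] == "302"}

def correlate(suspect_ips, main_entries, login_path="/login"):
    """For each suspect IP seen on the main site, list its requests and flag whether it
    reached a successful login there (assumed: 302 on POST to login_path)."""
    report = {}
    for ip in suspect_ips:
        hits = [e for e in main_entries if e["ip"] == ip]
        if hits:
            logged_in = any(e["method"] == "POST" and e["path"] == login_path
                            and e["status"] == "302" for e in hits)
            report[ip] = {"hits": hits, "main_site_login": logged_in}
    return report

if __name__ == "__main__":
    suspects = compromised_site_logins(parse_log(CAMPAIGN_SITE_LOG))
    for ip, r in correlate(suspects, parse_log(MAIN_SITE_LOG)).items():
        print(ip, len(r["hits"]), "requests; main-site login:", r["main_site_login"])
```

With the constructed logs, the IP that logged into the campaign site shows up on the main site with two failed and one successful login attempt, which is exactly the signal that justifies taking the main site down for a closer look.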
Et tu, Brute?
As you lose more and more money because other systems are potentially affected and need to be taken offline for further analysis, you are stabbed from another direction. Someone saw your defaced site, found it very funny (the attacker was creative) and posted it all over social media. A commentary video poking fun at your brand now reaches millions of views on TikTok with a catchy song.
Your customer service center agents are now working around the clock with endless calls and messages from customers worried about their data and money. Your channel teams are sweating – your partners are worried about supply chain effects. Your public relations department tries to contact all sources of information and release statements that will mitigate potential business losses as much as possible. It’s not the catchy TikTok and making fun of you that’s the problem. It’s the fact that a lot of people now know you’ve been hacked and are losing faith in you.
Fortunately, this Armageddon subsides in a few days, but it has long-term consequences. You’ve lost a lot of business, which means you may not be able to afford new initiatives, which will cost you even more. You may have to lay off employees, which makes the remaining employees unhappy and uneasy and more likely to leave (including hard-to-find security experts). There’s a dark mood that your HR department now has to spend months turning around.
Scary? What do you think?
All in all, while this might seem like a drastic scenario, that’s pretty much what happens with every security breach. What costs you the most isn’t the stolen credit card numbers. It is the lost business due to the fact that your web applications have to be taken offline and there is very little the company can do except focus on everything associated with the breach. Not to mention the long-term consequences. Your perceived savings now are very likely to cost you much more later and cause irreparable damage.
Are we alarmists? No, we’ve just seen it happen too many times. For example, SolarWinds has already spent over $18 million to address the events of December 2020. That’s why, while we understand that your resources are limited and you need to prioritize your security activities, we urge you to concentrate your cuts elsewhere. Don’t ignore that campaign site – you don’t have to prioritize it, but make sure it isn’t completely forgotten. Find every site you have (using Web Asset Discovery) and make sure each one is in the crawl queue.
This is a syndicated blog post from Invicti’s Security Bloggers Network written by Tomasz Andrzej Nidecki. Read the original post at: https://www.invicti.com/blog/web-security/can-you-afford-to-cut-back-on-web-application-security/