Since I first got involved with information security I’ve been a strong proponent of focusing on the common sense basics. We all know what needs to be done yet I see fundamental web security problems in practically every assessment I perform. From passwords to patches to input validation and beyond, there’s so much out there for the taking and, sadly, not enough is being done about it.
As we’re (slowly) learning, fixing the silly – arguably inexcusable – low-hanging fruit is as important as ever. Don’t take my word for it. Look at the Verizon 2012 Data Breach Investigations Report. Of the 855 incidents and 174 million compromised records that Verizon analyzed, here are some highlights underscoring web security problems we are still dealing with:
- Web applications were the third most common attack vector, representing 54% of breaches affecting larger organizations.
- Most of the attacks (96%) were not highly difficult and 97% were considered avoidable.
- Use of stolen login credentials was 1st on the list for breaches of larger organizations; SQL injection was 8th, behind brute force and dictionary attacks.
- Stolen login credentials comprised 30% of all incidents and 84% of all records breached.
- Targeted attacks made up 16%; opportunistic attacks made up 79%.
Every single situation is different, but criminal hackers are going to do what they can to exploit the simple stuff, if anything, to make you look bad. We can continue spinning our wheels on the seemingly bigger web security problems, but unless and until we get our arms around the fundamental flaws in our web systems, we’re going to continue down the path we’ve been on. What are you going to do about these web application vulnerabilities? When we keep doing the same things we’ve been doing, we’ll keep getting the same results we’ve been getting. It’s a universal law that we can pretend doesn’t exist. But who’s that going to help? None other than those whom we’re trying to keep out of our networks.
You can minimize your network perimeter footprint, but web applications will remain. Basic flaws show up on marketing sites that many are quick to claim don’t need website security, and they show up on critical business applications. The thing is, if a web system has to be public facing, there’s not much you can do to keep the bad guys from poking around on it for ill-gotten gains. At the beginning of their report, Verizon offers mitigation tips for both small and large organizations. I think it all boils down to one thing: you cannot secure what you don’t acknowledge.
Study the Verizon report. Microsoft, Cisco and Trustwave have reports worth reviewing as well. The important thing is to see the big picture, spread the word to get the right people on board and then do something about it periodically and consistently moving forward.