Author: John Maddison / Source: CSO Online
Historically, IT teams have tended to deploy web application firewalls (WAFs) simply to comply with the Payment Card Industry Data Security Standard (PCI DSS). If this is the case in your organization, whether you are a financial services provider or a retailer, it may be time to take another look at these valuable security tools. Many of today’s data security professionals are beginning to recognize that unprotected web applications have become attractive targets for cybercriminals looking for easy entry points into their networks.
The fact is, securing application environments presents a unique and persistent challenge to IT teams, which is why 83 percent of enterprise IT executives, according to a recent IDG survey, now believe that application security is critical to their IT strategy.
Top Web Application Attack Types
Many externally facing web applications are potentially vulnerable to a number of different attacks. In fact, according to a June 2017 Mozilla survey, of the top one million websites analyzed, 93.45 percent earned an “F” for failure to implement basic security measures that would protect them from attacks like cross-site scripting, man-in-the-middle, and cookie hijacking. Here are a few that IT teams should be paying close attention to:
- Cross-site scripting (XSS): These attacks inject malicious scripts into vulnerable web sites. Cross-site scripting enables attackers to steal sensitive financial data or even take control of targeted devices with known vulnerabilities. The flaws that allow these attacks to succeed, in both application code and the devices it runs on, are actually quite widespread. A successful attack can occur anywhere a web application uses input from a user to modify the output it generates without first validating or encoding that input.
- SQL injection: When these types of attacks are successful, attackers can use them as a way to bypass authentication measures to retrieve information from databases. In 2015, for example, a group was accused of using SQL injection attacks to steal $30 million using stolen financial information.
- Layer 7 Denial of Service: Layer 7 (application layer) DoS attacks are commonly used to target and overload a specific function. These sorts of attacks can be used for a variety of criminal purposes, from merely disrupting a business by shutting down essential services, to holding these services hostage until a ransom is paid, or even as a…
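The XSS and SQL injection conditions described above, shown as a vulnerable handler beside its hardened form. This is an added example, not code from the article or from Fortinet; the table, the users and the greeting page are constructed stand-ins for a real application.

```python
import html
import sqlite3


def make_db():
    # Constructed sample: an in-memory table standing in for a customer database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def vulnerable_login(conn, user, pw):
    # The defect the article describes: user input is spliced into the query
    # text, so crafted input can rewrite the WHERE clause and bypass the
    # password check entirely.
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{pw}'"
    return sorted(row[0] for row in conn.execute(sql))


def safe_login(conn, user, pw):
    # Parameterized query: the driver binds the values separately from the
    # statement, so input is only ever compared as data, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (user, pw)))


def vulnerable_greeting(name):
    # Reflects user input into HTML unencoded: exactly the condition the
    # article names for XSS (input changes output without validation/encoding).
    return f"<p>Hello, {name}</p>"


def safe_greeting(name):
    # Encode on output so markup characters render as literal text, not tags.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, "alice", "' OR '1'='1"))   # every user
    print(safe_login(db, "alice", "' OR '1'='1"))         # nobody
    print(safe_greeting("<script>alert(1)</script>"))     # rendered inert
```

A WAF in front of this application can block the obvious patterns, but the parameterized query and output encoding are the fixes that hold even when a request slips past signature matching.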