Top thieves don’t have to scale buildings, slice holes through floors and bypass laser alarms like some James Bond character. These days, it takes cybercriminals mere minutes to plunder businesses via the Internet through numerous little holes in website applications.
Dell SecureWorks saw an average of 42,000 attempted Web attacks per month across our 552 protected credit unions during 2010, and the majority of attacks were targeted at the credit unions’ website applications.
Web applications that cause the most havoc are those that have a slot for a computer user to type information into, such as a search box or a space for a username or password.
Those slots and other content on a Web page are created by computer programmers using code, or computer language, such as HTML.
If the programmer did not write the code securely, problems can arise. Whether the website was created in-house or by a third party, organizations should have their code reviewed and tested to ensure the code contains no holes, or “vulnerabilities,” so cyber intruders cannot hack the website and gain access to their computer network.
One of the most prevalent methods attackers use to compromise web applications is through exploiting “SQL injection vulnerabilities” in Web application code. This is when attackers execute their own SQL code against the database backend of a company’s Web application.
The impact of a successful SQL injection attack may vary greatly. Attackers may be able to obtain, modify or destroy sensitive information stored in the database such as user or administrative credentials or financial data, or they may inject malicious content into the database that will subsequently attempt to exploit users of the web applications.
In the past several years, there have been numerous high-profile breaches of financial organizations due to SQL Injection attacks. Unfortunately, many organizations assume that because they are “Web compliant” that their website is secure.
Organizations should approach security first and compliancy second, because compliancy will not necessarily ensure safety. A good security consultant will automatically review the steps an organization should take in order to be secure and compliant.
Many layers of protection are needed to deter cybercriminals.
The first thing a credit union should do is hire an information security expert to review the source code for all the pages on its website. If your credit union has outsourced its website, ensure that your website provider has done this. Each time the source code is changed to add a new feature to the website, a security expert should review it.
Hire a security expert to try to try to break into your website using numerous hacking techniques. Perform a security assessment of your Web applications at least quarterly and every time your site has added new code. When you find vulnerabilities, fix the code as soon as possible.
Credit unions, like all financial institutions, should install a Web application firewall to help prevent Web applications from being infiltrated. Firewalls should be maintained and monitored continuously by a security expert.
Lastly, credit unions should have security experts monitoring their server and firewall logs 24x7x365, in real time. If security professionals are monitoring your logs just a couple of times a day, by the time they see the malicious activity that has hit your website, there is a good chance the hacker has acquired access to your organization’s personal and financial data.
Don Jackson is director of Threat Intelligence at Dell SecureWorks in Atlanta.