Web Application Attacks

Similar to battles fought in history, no two cyber-attacks are the same. Yet, as with those battles, the tactics and strategies recur because they are effective. An attacker will use common, proven hacking techniques, and network security teams will likewise rely on current and proven methods to protect their networks and servers from attackers. The keen companies will spend a lot of money on prevention. The reality, however, is that most security breaches occur through web applications rather than through networks and servers. Common low-level attacks against websites and web applications occur daily and are preventable with a little proactive security.

Many organizations think, "Why would an attacker want to attack me? I'm a nobody." The genuine answer is: because they can. Other motivations are financial gain or notoriety. On the other hand, if the company or website is popular or political, an attack can be motivated by a multitude of reasons: competition, fun, making a statement against the government, religious reasons, and so on.

Common Threats/Vulnerabilities

The top three web application security attacks listed on the Open Web Application Security Project (OWASP) "Category: Attack" webpage, and the greatest security threats among them, are Cross-site Scripting (XSS), Denial of Service (DoS), and SQL Injection. Measured against the CIA triad (Confidentiality, Integrity, Availability), SQL injection is the greatest threat of the three, XSS the second greatest, and DoS the least severe. SQL injection allows an attacker access to the web application's database. Once the attacker has access to the database, the attacker can create a user, read sensitive information, cause a DoS, plant XSS, and wreak other havoc. Cross-site Scripting (XSS) is the second greatest threat because it affects the integrity of a business by sending malware to the users' browsers. A Denial of Service (DoS) attack is the third greatest threat of the three since it makes the resource unavailable. The DoS of a web application can be against a website, a web application, or the database on which either or both of them depend in order to function.

SQL Injection is an inherent danger and poses more of a threat than the others because of the level of control an attacker can gain: an attacker can take root control of the databases that drive websites and web applications. In today's World Wide Web, sites are no longer simple HTML pages made in Microsoft Publisher with no JavaScript and no CSS. Websites have evolved to run almost entirely on server-side scripting in languages such as PHP, JSP, and ASP, all of which rely on Structured Query Language (SQL). Along with websites, applications have evolved to be hosted on a local server or in the cloud, both of which can rely on a web application for client-side access. These sites and applications store user information and site content, and depending on the business entity, the site can hold financial data such as bank account and credit card numbers or personal information such as social security numbers, driver license numbers, names, and addresses.
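The level of control described above comes from one coding mistake: splicing user input into the SQL text. The following added example (not code from the original article) shows that mistake beside the parameterized form that closes it, using an in-memory SQLite table with constructed sample rows standing in for a web application's backing store.

```python
import sqlite3


def make_db():
    # Constructed sample database (assumption, not from the article):
    # a users table holding the kind of personal data the text describes.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, ssn) VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "000-00-0001"),
         ("bob", "hash-of-bob-pw", "000-00-0002")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # BAD: the user-supplied value becomes part of the SQL text, so the
    # database parses any quotes or operators it contains as query syntax.
    sql = "SELECT username, ssn FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    # GOOD: a bound parameter is passed to the engine as data and is never
    # re-parsed as SQL, whatever characters it contains. This is the fix.
    sql = "SELECT username, ssn FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed hostile input: closes the string literal and appends an
    # always-true condition, the textbook shape of an injection.
    hostile = "x' OR '1'='1"
    print(lookup_user_vulnerable(conn, "alice"))   # one row, as intended
    print(lookup_user_vulnerable(conn, hostile))   # every row: the SSNs leak
    print(lookup_user_safe(conn, hostile))         # no rows: treated as a literal name
```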

Cross-site Scripting (XSS) is the second greatest inherent danger and poses more of a threat than DoS because it can have a significant consequence for the victim's business reputation. Cross-site Scripting differs from SQL Injection in that it does not directly target the application. Attackers use XSS to inject malware into web applications, to be executed by the users' browsers. An article by Imperva states that the most common reasons for XSS attacks are to hijack a user account, access a user's private messages and history, exploit a user's applications or peripheral devices, or deploy a worm. XSS has grown into a common threat because websites and web applications have evolved to run scripting languages, and browsers have add-ons to read and execute those scripts in order to display the site properly. XSS is popular on sites that allow uploads, comments, and blogging-type capabilities, such as the social media platforms that have become extremely popular. Once the attacker hijacks a user's account or gains access to their information, they can impersonate the user. The impersonator can send an infected link to the victim's contacts to spread the XSS and reach more victims. Depending on the severity of the attack and how the victim uses their device, the victim's financial data and personal information can be compromised.
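The comment and upload features named above are where XSS enters: user text is written back into the page. This added example (not from the original article) renders a constructed comment the unsafe way and then with context-appropriate escaping, for both the HTML text context and an attribute/URL context.

```python
import html
from urllib.parse import quote


def render_comment_vulnerable(author, body):
    # BAD: user-submitted text is concatenated straight into the HTML, so any
    # tag or script inside the comment becomes live markup in every reader's browser.
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author, body):
    # GOOD: html.escape turns <, >, &, " and ' into entities, so the browser
    # displays the comment as text instead of executing it.
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')


def profile_link_safe(user_id):
    # Attribute and URL contexts need their own encoding: the value inside
    # href is percent-encoded (safe="" so even "/" is encoded), and the link
    # text is HTML-escaped. Escaping for one context does not cover another.
    return (f'<a href="/profile?u={quote(user_id, safe="")}">'
            f'{html.escape(user_id)}</a>')


if __name__ == "__main__":
    # Constructed hostile comment: a textbook proof-of-concept script tag.
    hostile = "<script>alert(1)</script>"
    print(render_comment_vulnerable("mallory", hostile))  # script tag survives
    print(render_comment_safe("mallory", hostile))        # rendered as inert text
    print(profile_link_safe('x" onmouseover="alert(1)'))  # cannot break out of href
```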

A Denial of Service (DoS) is the least dangerous of the three and poses less of a threat than SQL Injection and XSS because it merely blocks a website, a web application, a database, or whatever is hosted on the server by making it temporarily unavailable to users. A DoS attack does not generally cause the victim to also lose other data, such as information or money. However, it can cost them time lost from employees being unable to work efficiently, or at all, and it can cost the company payroll money for the IT team to get the situation under control and the network back to optimum speed. A DoS attack usually overwhelms a target's computer, computers, or servers with traffic, so that legitimate users experience degraded network performance, are unable to reach websites outside their network, or receive an extremely high volume of spam email. Sometimes rebooting the network appliances resolves the DoS attack, unless it is a flooding attack. Under a SYN or Smurf flooding attack, the Internet Service Provider (ISP) can generally assist by throttling bandwidth for the malicious traffic. On the other hand, an entity may become a victim of a DoS indirectly if its ISP is under a DoS or Distributed Denial of Service (DDoS) attack. A DDoS attack is different than a DoS attack.