How Financial Firms Can Defend Against Web Application Attacks
It used to be that the most valuable asset a bank held was the gold or cash reserves in its vault. In the digital world, the most valuable resource a bank or other financial institution holds is customer data.
How can malicious actors easily get at customer data and the other sensitive information your financial institution holds? While ransomware is clearly a top-of-mind concern, IT leaders in the financial services industry should not forget about the threat posed by web application attacks. If they are not properly secured, web applications can be a vulnerable entry point to an organization’s networks and data.
According to a May report from security vendor Positive Technologies, in 2017 the most intensely targeted sectors for web application attacks were IT and finance — the latter including both banks and e-procurement platforms, which had daily attack rates of 1,014 and 983, respectively.
The report notes that such attacks on financial web applications “still tend to target users” and “attackers are lured by the funds they can steal from users of online banking or payment systems.” Further, “web applications are a weak spot in bank security,” meaning “attackers continue to target bank sites in order to penetrate internal infrastructure and steal money via banking systems.”
What Is a Web Application Attack?
Web applications are pieces of software that allow users to submit and retrieve data from an internet database via their browsers. The data is then transmitted via a web server and presented to the user. If web applications are not secured, hackers can use a variety of methods to access the database.
According to Positive Technologies, the most common types of attacks remained the same in 2017 as in previous years, with cross-site scripting making up nearly a third of all attacks. Other popular attacks involved the ability to access data or execute commands on the server, including SQL injection, path traversal, local file inclusion and remote code execution and OS commanding.
As CSO Online notes, cross-site scripting attacks inject malicious scripts into vulnerable websites and allow attackers “to enter and steal sensitive financial data or even take control of targeted devices with known vulnerabilities.” These attacks are widespread due to the prevalence of flaws in both application code and the devices applications run on and “can occur anywhere a web application uses input from a user to modify the output it generates without first validating or encoding it.”
SQL injections are another common attack type, and attackers “can use them as a way to bypass authentication measures to retrieve information from databases.”
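The two flaws described above, unencoded output (XSS) and string-built queries (SQL injection), come down to the same mistake: user input is pasted into a context that interprets it. The following added example (not code from the article or any vendor named in it) shows each defect beside its fix, using constructed sample data and a simplified password check:

```python
import html
import sqlite3

# Constructed demo data (not from the article): one account in an in-memory DB.
# Password storage is deliberately simplified; a real app stores a salted hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

# --- Cross-site scripting: user input copied into HTML output ---
def greeting_unsafe(name):
    # Input lands in the page without encoding, so any markup in `name`
    # becomes part of the document the browser executes.
    return "<p>Welcome, " + name + "</p>"

def greeting_safe(name):
    # Encode for the HTML context; the browser now shows the text literally.
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"

# --- SQL injection: user input pasted into the query string ---
def login_unsafe(conn, username, password):
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, username, password):
    # Parameterized query: the driver binds the values; they never become SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def demo():
    # Constructed inputs that a validating/encoding layer should neutralise.
    conn = make_db()
    script_name = "<script>alert(1)</script>"
    tautology = "' OR '1'='1"
    return {
        "xss_unsafe_has_tag": "<script>" in greeting_unsafe(script_name),
        "xss_safe_has_tag": "<script>" in greeting_safe(script_name),
        "sqli_unsafe_bypass": login_unsafe(conn, "alice", tautology),
        "sqli_safe_bypass": login_safe(conn, "alice", tautology),
        "valid_login": login_safe(conn, "alice", "correct horse"),
    }
```

The unsafe login accepts the tautology because the quote character ends the intended string literal; the parameterized version compares it as an ordinary password value and rejects it.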
The bottom line is that there is a host of web application attack types out there, which means that IT leaders need to do all they can to guard against as many attacks as possible.
IT Security Tools to Thwart Web Application Attacks
Though it may seem daunting to confront the threats posed by web application attacks, the good news is that there are many tools at your disposal to mitigate the dangers.
As Maureen Kolb of Gemalto notes in a blog post, financial firms “must strike a fine balance between customers’ demand for easily conducting business online and potentially cumbersome network security.”
However, a good place to start is by building encryption directly into the web application, which Kolb notes, “prevents hackers from accessing clear text data even when they’re on the application server.” This encryption should be built into the web application from the moment it is created, ensuring data is protected both at rest and in transit.
As more applications are built with encryption, Kolb says, organizations should invest in encryption key management technologies to restrict access to encryption keys and protect data.
There are also security software tools that can be used to thwart web application attacks. One such tool is IBM’s Trusteer Rapport, which, the company notes, is an advanced endpoint protection solution designed to protect users from financial malware and phishing attacks. The solution is designed to guard against man-in-the-browser attacks, which use malware or social engineering to lure users into surrendering login credentials and other sensitive information.
Web application attacks are not something financial institutions can easily ignore. But with the right technology approaches, they do not have to turn disastrous.
This article is part of BizTech's EquITy blog series.