You may feel that security vendors are trying to sell you something through scaremongering. After all, the chances of your company becoming the next victim of a massive data breach like Capital One or Equifax are probably as remote as the sinking of the Titanic. That’s true, but what you might not know is that it’s not only Russian spies, cybercriminal gangs or professional hackers who pose a risk to your money. In the world of IT security, even an adventurous teenager or an opportunistic thief can cost you enough to put you out of business, and while it’s less likely, it’s still possible.
Hacking is easy!
In the early days of hacking, anyone who wanted to find ways to bypass security measures was basically on their own. Hence the term hacker was originally associated with people of extraordinary ability. With the development of the internet, blockchain payments, and the dark web, “hacking” for quick cash is now a breeze. For every common vulnerability, you can easily find an exploit that’s easier to use than your web browser. Very often all you have to do is point it at a target and press a button. And there’s no need to collect unmarked cash in a white envelope: that’s what bitcoins are for.
Unfortunately, the world is full of people looking to make a quick buck, and they’re not like professional car thieves from movies who spend hours trying to figure out how to bypass immobilizers. They’re like those misguided kids who walk down a street, pulling on every car door handle to find one that’s unlocked for a spin. And then they crash for fun or rip out your radio. The same goes for your web applications — these script kiddies, as we call them, aren’t after your complex password-protected sensitive data. Instead, they’ll have fun and deface your front page, or throw in easy-to-use one-click ransomware to make you pay them a few bitcoins.
Want proof that the world is full of evildoers like this? Well, since our recent change of management, at Invicti we regularly receive emails and text messages claiming to be from Michael George. Just think of the audacity or ignorance of those sending these messages: they are sending them unencrypted and from easily traceable sources to a company that deals with IT security. These are the kind of people you face every day, the ones who download easy-to-use “hacking” tools and point them at your site without a second thought, just to try and earn those quick bitcoins or just to have fun.
What will that cost you?
“I’m fine,” you think. You take care of all the important systems. They’re scanned regularly, and you prioritize any important vulnerabilities to make sure you don’t have any RCEs in primary business systems. You may also have WordPress websites built by your marketing team for campaigns, but there is no sensitive data there, so there is no point in worrying about them. You may not scan them at all. Because what’s the worst that could happen?
We have bad news.
Let’s say a script kiddie managed to hack into one of your campaign pages and deface the front page. What’s next?
Primary target forensics
First of all, you need a forensic expert to analyze your system and you need to shut down that system immediately. The cost of setting up a marketing campaign for a few days might not be that high, so things are looking good so far. Since you’re not hiring full-time IT forensic experts, you spend some time finding a contractor, signing a contract, and getting them to start work. And the clock is ticking.
Secondary target forensics
The forensic expert goes to the defaced page and confirms that the attacker could have downloaded the entire WordPress database with all logins and passwords used by your marketing team. One of your marketing reps admits they use the same login and password for the campaign page as for your main business page, and the password is only 6 characters long, so it can be cracked in a few seconds (even though it contains a number, a capital letter and a special character).
So next, your forensic expert looks at the logs of your primary business website. There they see access attempts from the same IP as in the case of the campaign page hack. They recommend that you shut down your primary business website for a while and do a thorough analysis. Tick, tock. Tick, tock. Now your primary website is down for hours or days.
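The log correlation step described above, as an added example that is not part of the original post: it parses Apache-style access logs from both sites, flags the IPs that touched login or admin paths on the compromised campaign site, and pulls their activity out of the primary site’s log. The log lines, IPs and paths are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample access logs in Apache/nginx combined format (not real data).
CAMPAIGN_LOG = """\
203.0.113.7 - - [12/Mar/2023:10:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 1421
203.0.113.7 - - [12/Mar/2023:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2023:10:02:05 +0000] "GET /wp-admin/export.php?download=true HTTP/1.1" 200 88213
198.51.100.4 - - [12/Mar/2023:10:03:44 +0000] "GET /index.php HTTP/1.1" 200 5120
"""
PRIMARY_LOG = """\
198.51.100.4 - - [12/Mar/2023:11:15:02 +0000] "GET /products HTTP/1.1" 200 9021
203.0.113.7 - - [12/Mar/2023:11:40:31 +0000] "GET /login HTTP/1.1" 200 2210
203.0.113.7 - - [12/Mar/2023:11:40:39 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.7 - - [12/Mar/2023:11:40:52 +0000] "POST /login HTTP/1.1" 401 0
"""

# Client IP, timestamp, request method, path and status code of one combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(log):
    """Turn raw log text into (ip, timestamp, method, path, status) tuples; skips unparsable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, m["method"], m["path"], int(m["status"])))
    return events


def suspicious_ips(events, sensitive_prefixes=("/wp-login.php", "/wp-admin/", "/login")):
    """IPs that touched login or admin paths on the compromised site."""
    return {ip for ip, _, _, path, _ in events if path.startswith(sensitive_prefixes)}


def correlate(campaign_log, primary_log):
    """Primary-site events, in time order, from IPs flagged on the campaign site."""
    flagged = suspicious_ips(parse(campaign_log))
    hits = [e for e in parse(primary_log) if e[0] in flagged]
    return sorted(hits, key=lambda e: e[1])


if __name__ == "__main__":
    for ip, ts, method, path, status in correlate(CAMPAIGN_LOG, PRIMARY_LOG):
        print(f"{ts.isoformat()} {ip} {method} {path} -> {status}")
```

In the constructed data the attacker’s IP reappears on the primary site an hour later with repeated failed POSTs to the login form, which is exactly the kind of evidence that justifies widening the investigation.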
Et tu, Brute?
As you lose more and more money while it emerges that more systems may be affected and need to be shut down for thorough analysis, you’re stabbed from another direction. Someone saw your defaced website, thought it was very funny (the attacker was creative) and posted it all over social media. A commentary video making fun of your brand is now getting millions of views on TikTok, complete with a catchy song.
Your customer service representatives are now working around the clock, fielding endless calls and texts from customers worried about their data and money. Your channel teams are sweating, because your partners are worried about supply chain effects. Your PR department tries to reach every news outlet and make statements that limit potential business losses as much as possible. It’s not the catchy TikTok video making fun of you that’s the problem. It’s the fact that many people now know you have been hacked and are losing trust in you.
Fortunately, this Armageddon will calm down in a few days, but there will be long-term consequences. You’ve lost a lot of business, which means you may not be able to afford some new initiatives, and that will cost you even more business. You may have to lay off employees, which makes the remaining employees unhappy and uneasy and more likely to leave (including those hard-to-find security experts). There’s a grim mood that it will now take your HR department months to turn around.
Scaremongering? What do you think?
All in all, this might seem like a drastic scenario, but that’s pretty much what happens with every security breach. What costs you the most is not stolen credit card numbers. It is the business that is lost because your web applications have to be taken offline and there is very little the company can do except focus on everything related to the hack. Not to mention the long-term consequences. Your perceived savings now will very likely cost you much more later and cause irreparable damage.
Are we scaremongering? No, we’ve just seen it far too often. For example, SolarWinds has already spent more than $18 million to deal with the events of December 2020. For this reason, while we understand that your resources are limited and you need to prioritize your security activities, we urge you to focus your cuts on other areas. Don’t ignore that campaign page: you don’t have to prioritize it, but make sure it isn’t completely forgotten. Find every website you have (using web asset detection) and make sure it’s in the scan queue.
The post Can you afford to compromise on web application security? appeared first on Invicti.
*** This is a syndicated blog from the Security Bloggers Network by Invicti, written by Tomasz Andrzej Nidecki. Read the original post at: https://www.invicti.com/blog/web-security/can-you-afford-to-cut-back-on-web-application-security/