With Sony being the latest major victim of hacking, large organisations are witnessing yet again how data breaches cause serious damage to the tune of millions. The prevalence of hacking in the media begs the question: what's in store for 2015?
Against a background of more frequent and dangerous XSS attacks, third-party code and plugins remaining the Achilles heel of web applications, and growing chained attacks, organisations will be looking to new ways to protect their online properties.
Unfortunately, it's pretty difficult to make information security predictions, and even more difficult to verify them afterwards – we can only judge the effectiveness of information security by the number of public security incidents, as the majority of data breaches remain undetected.
However, in this article we're going to make some web security predictions based on common-sense profitability (profit/cost ratio) for hackers…
1. Vulnerable web applications will remain the easiest way to compromise companies
When almost any company has one or even several vulnerable web applications, hackers will not bother to launch complex and expensive APT attacks with zero-day exploits. Companies continue to seriously underestimate the risks related to their web applications and websites. A tiny vulnerability, such as XSS, can lead to the compromise of the entire local network, emails and databases of a company.
2. XSS will become a more frequent and dangerous vector of attacks
It's very difficult to detect high or critical risk vulnerabilities in well-known web products (e.g. Joomla, WordPress, SharePoint, etc.). However, low and medium risk vulnerabilities, such as XSS, will still regularly appear. Sophisticated exploitation of an XSS can give the same outcomes as an SQL injection vulnerability; therefore hackers will rely on XSS attacks more and more to achieve their goals.
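The reflected XSS pattern behind the prediction above, shown as an added example (not code from the article or from High-Tech Bridge): a naive "search results" template that echoes a query parameter unescaped, beside the hardened form that HTML-encodes it, plus the response headers a defender would pair with it. The query string, the function names and the header values are constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string (assumption): a value an attacker could
# plant in a link so that the page echoes it back into its own HTML.
SAMPLE_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def render_unsafe(query_string: str) -> str:
    """Vulnerable: interpolates the raw parameter into the HTML document."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {q}</p>"


def render_safe(query_string: str) -> str:
    """Hardened: HTML-escapes the value before it enters the document, so
    '<', '>', '&' and quotes become entities and cannot open a tag."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def defence_in_depth_headers() -> dict:
    """Headers that limit the impact of an escaping slip: a strict CSP blocks
    inline scripts, and HttpOnly keeps the session cookie away from script."""
    return {
        "Content-Security-Policy": "default-src 'self'",
        "Set-Cookie": "session=placeholder; HttpOnly; Secure; SameSite=Lax",
    }


def contains_active_markup(rendered: str) -> bool:
    """Crude reflected-XSS check used in tests: did a <script> tag survive?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_QUERY))
    print("safe:  ", render_safe(SAMPLE_QUERY))
```

The same escaping must be applied at every sink; encoding once at input time is not enough because the same value may later be placed into an attribute, a URL or a script block, each with its own encoding rules.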
3. Third-party code and plugins will remain the Achilles heel of web applications
While the core code of well-known CMS systems and other web products is pretty safe today, third-party code such as various plugins or extensions remains vulnerable even to high risk vulnerabilities. People tend to forget that one outdated plugin or third-party website voting script endangers the entire web application. Obviously hackers will not miss such opportunities.
4. Chained attacks and attacks via third-party websites will grow
Today it's pretty difficult to find a critical vulnerability on a well-known website. It's much quicker and thus cheaper for hackers to find several medium risk vulnerabilities and use a combination of these to get complete access to the website.
Another trend is to attack a reputable website that the victim regularly visits. For example, when chasing a C-level executive, hackers may compromise several high-profile financial websites or newspapers, and insert an exploit pack that will be activated only for a specific IP, user-agent and authentication cookie combination belonging to the victim. Such attacks are very difficult to detect, as only the victim can notice the attack.
5. Weak passwords and password re-use will remain a very serious problem
Many people still use the same or similar passwords for all their accounts. Hackers cannot miss such opportunities and actively exploit this human weakness. The first step of attack is to identify all websites or blogs where the victim is registered or has an account. The second step is to select the weakest website from the list and to compromise it. Password encryption techniques commonly used in web applications today are far from being resistant, and a password in plaintext can be obtained pretty quickly.
Even if the victim uses a very strong password and it's being properly encrypted in the database, hackers will just Trojan the web application to intercept the password in plaintext during login. The last step is to try the password for all the victim's accounts and resources.
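To make the "far from being resistant" point concrete, here is an added example (not from the article or from High-Tech Bridge) contrasting the unsalted fast hash still found in many web applications with per-user salted scrypt and a constant-time verify. The storage format `scrypt$<salt>$<digest>`, the cost parameters and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# --- weak scheme shown for contrast: unsalted, fast hash ---
def weak_store(password: str) -> str:
    """Identical passwords produce identical digests for every user, so one
    precomputed table of common passwords recovers all of them at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# --- hardened scheme: random per-user salt + memory-hard KDF ---
# Assumed cost parameters; tune n upward as hardware allows (2**14 * 8 * 128
# bytes = 16 MiB of memory per guess keeps it inside OpenSSL's default limit).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def secure_store(password: str) -> str:
    """Return 'scrypt$<salt_hex>$<digest_hex>' with a fresh 16-byte salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def secure_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample password for the demo (assumption).
    record = secure_store("Winter2014")
    print(record)
    print("login ok:", secure_verify("Winter2014", record))
    print("wrong pw:", secure_verify("winter2014", record))
```

The salt makes two users with the same password look unrelated in the database, and the KDF's memory cost turns a bulk dictionary run from seconds into a serious investment, which is exactly the profit/cost ratio the article argues hackers optimise for.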
6. Application logic errors will become more frequent and critical
Examples with AliExpress and Delta Airlines highlight the impact of application logic vulnerabilities that are almost undetectable by automated solutions. Web developers have become aware of XSS and SQL injection flaws and code much better than before; however, they forget about application logic vulnerabilities that may be even more dangerous than SQL injections or RCEs.
7. Automated security tools and solutions will not be efficient anymore
Web Application Firewalls, Web Vulnerability Scanners or Malware Detection services will not be efficient anymore if used separately or without human control. Both web vulnerabilities and web attacks are becoming more and more sophisticated and complex to detect, and human intervention is almost always necessary to properly detect all the vulnerabilities.
It's not enough anymore to patch 90% or even 99% of the vulnerabilities – hackers will detect the last vulnerability and use it to compromise the entire website. As a solution to the rise of new threats, High-Tech Bridge launched ImmuniWeb last year – a unique hybrid that efficiently combines automated security assessment with manual penetration testing.
- Ilia Kolochenko is CEO of High-Tech Bridge and Chief Architect of ImmuniWeb