Recently, a new study was published by Akamai’s 2019 State of the Internet / Security Financial Services Attack Economy Report, which showed that about half of all unique organizations that were victims of hacking attacks derived from the financial sector. As we will see later on, there are four methods hackers use to gain access to users’ personal data. Before we get into the technical details, let’s take a look and what you can do to defend against phishing attacks and credential stuffing.
Domain Phishing and Credential Stuffing
Domain phishing is a type of scam that is intended to get customers to hand over their account credentials by enticing them to click a link, usually in an email that appears to officially be sent by one of the user’s service providers. The link redirects them to a replica registrar website that contains malware intended to steal account details. The best way to defend against these attacks is to stop them before they even start. This means educating your employees about what phishing emails look like, and the dangerous consequences of opening one. It is also a good idea to use both a desktop and a network firewall. A desktop firewall is powered by software, while the network firewall is primarily hardware. When you use both in tandem, you significantly reduce the chances of a hacker infiltrating your systems.
Credential stuffing is a technique used by hackers, in which they take a batch of usernames and passwords they stole from a previous data breach and literally stuff all of those credentials into the login page to gain access to accounts. Since a lot of people use the same credentials for multiple sites, hackers can usually use those credentials to access many accounts from a single victim. Cybercriminals routinely post stolen credentials, as we’ve seen recently, a massive list posted including 2.2 billion unique usernames and passwords that are available for anyone to download in plain text for free.
The best method to guard against credential stuffing is to rotate your passwords every three months, and when possible, use two-factor authentication. Companies such as Google have taken a proactive approach to identify whether or not usernames and passwords have been compromised, and suggests a passwords reset automatically should the need arise. Your company can be just as proactive by tracking all employee and contractor logins that have displayed any kind of fraudulent activity, and subsequently, blacklist all IP addresses associated with said activity.
The Four Attack Vectors to Watch Out For
Hackers primarily have four favored attack methods: SQL injections, local file inclusions, cross-site scripting, and OGNL Java injection. Let’s take a look at each of these in more detail.
An SQL injection is where hackers input malicious code into a web app database server, which they can then use to perform pretty much any operation they want. Since the web app usually stores data in a relational database, users have to input their login details to authenticate themselves. All of this information is inserted into a SELECT statement to search the backend of the database. If the information is found, the user is allowed to proceed, and if not, they are denied access. If the webform is poorly designed, it may not notice suspicious inputs, and will likely send it to the database anyway. Hackers take advantage of this vulnerability by entering their own SQL statements, giving them full access to view the information in the database.
The best way to defend against SQL injections is by using prepared statements. In other words, the SQL Command uses a parameter instead of inputting raw values directly into the command. Also, it is important to update your systems regularly since an SQL injection is a regular programming error.
Local file inclusion is where a hacker tricks your web app into running or disclosing files on the webserver to the hacker. This can lead to data breaches and remote code execution. The good news is that it is easy to determine whether or not you are vulnerable to such an attack by running an automated web scan. In order to prevent such attacks, you should include user input as a source for file inclusions. Also, you should remove or blacklist character sequences and encode the file sequences with base64 or similar functions.
In order to defend against XSS attacks, you need to apply context-dependent outputting systems. This includes encoding the HTML special characters and properly applying URL encoding. As a general rule, links should not be allowed unless they begin with either http:// or https://.
OGNL stands for Object-Graph Navigation Language. It is used by hackers to access object properties in HTML templates and perform remote code execution. There are two aspects of this vulnerability. First, an HTTP header is inserted into the OGNL parser. Then the injected expression allows for code execution. The simplest way to avoid this vulnerability is to forbid the entering of user data into the expression interpreter. However, there is a more comprehensive method call Penetration Testing. Let’s take a closer look.
There are some steps you can take to prevent all four of these vulnerabilities, as well as many others. The first step is to conduct penetration test(s). This will allow you to determine where the vulnerabilities are, how they can be exploited, and what you can do to safeguard against breaches. Recovering from a hacking attack is very expensive on both the technological and PR fronts. While a large enterprise like Capital One will be able to bounce back from a data breach like we witnessed earlier this year, small and medium-sized businesses might not be so lucky.
We also believe it’s wise to conduct security code audits before releasing your product to the public at large. This includes both automated and manual reviews. The automated review will be able to detect obvious vulnerabilities such as SQL injections and the other ones we have previously mentioned. The manual review is more of a deep dive into the app itself, to find any flaws in the business logic, as well as any issues with the design and architecture that the automated review does not detect.
More importantly, is paramount to integrate security into the SDLC. very often, we fall into the trap of thinking that quality alone will repel vulnerabilities, but this is not the case. New threats emerge all the time and you have to constantly be one step ahead.