10:57 AM
Locking the Back Door to Your Back-End Systems: The Top 10 Web Application Attacks of Which Insurers Should Be Aware
Insurance carriers understand that the corporate Web site is one of the most important interaction points between them and their customers. Unfortunately, hackers also understand this opportunity only too well — industry analysts have estimated that 75 percent of attacks now target Web applications. As more and more insurance carriers encourage their customers to use the Web as the first point of contact, it is essential that Web sites be secure, trustworthy and compliant with insurance industry and other standards and regulations.
Missed security and privacy vulnerabilities can lead to increased regulatory scrutiny, fines, lawsuits, brand damage and erosion of consumer confidence. Newer breach notification requirements have also made it mandatory to notify consumers of privacy and security breaches, adding the hazard of bad publicity in an industry where consumer confidence in one's brand is essential. According to recent reports, there have been more than 75 disclosed breaches in 2006 that have already potentially affected as many as 4.9 million individuals. Organizations are facing pressure to proactively assess and correct security and privacy issues, with customers, regulators, partners and investors becoming increasingly vocal about violations and breaches.
More and more, insurance Web sites are becoming targets, and as Web applications become increasingly complex, tremendous amounts of sensitive data — including personal and financial information — are exchanged and stored. The consumer not only expects, but also demands, proper security to protect this information.
A hacker will typically spend time getting to know the Web application by identifying the shortcuts he would have created had he built the application himself. Then, using nothing more than the Web browser, the hacker will attempt to interact with the application and its surrounding infrastructure in malicious ways. The results can be disastrous.
OWASP (Open Web Application Security Project), a cross-industry, non-profit organization dedicated to Internet-related security, has created a "Top Ten" list to help organizations focus on the most serious Web application security vulnerabilities. Adopting a process and implementing technology to monitor for, identify and remediate the threats highlighted below is an effective first step towards helping ensure the security of Web applications.
| Application Threat | Negative Impact | Example of the Business Impact |
|---|---|---|
| Unvalidated Input | Attackers can use these flaws to attack back-end components through a Web application | Alter application logic, access confidential information, etc. |
| Broken Access Control | Attackers can exploit these flaws to access other users' accounts, view sensitive files or use unauthorized functions | Risk to confidential information. Malicious users can reach administration parts of the Web application |
| Broken Authentication and Session Management | Session hijacking | Attackers can compromise passwords, keys, sessions, etc. and cash out someone else's account |
| Cross-Site Scripting | Identity theft | Hackers can impersonate legitimate users and steal their accounts |
| Buffer Overflow | Denial of service (DoS) | Site unavailable to customers. Could allow execution of malicious code on the server's operating system |
| Injection Flaws | Attackers can manipulate queries to the database | Hackers can access back-end database information, alter it or steal it |
| Improper Error Handling | Attackers can gain detailed system information | Malicious system reconnaissance may assist in developing further attacks |
| Insecure Storage | Weak encryption techniques may lead to broken encryption | Confidential information (SSN, credit cards) can be decrypted by malicious users |
| Denial of Service (DoS) | Legitimate users can no longer access or use the application | System is inaccessible, leading to loss of business |
| Insecure Configuration Management | Web, application or database servers are configured insecurely | Attackers may exploit known vulnerabilities in the Web, application or database servers |
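Four of the rows above (Unvalidated Input, Cross-Site Scripting, Injection Flaws and Improper Error Handling) share one root cause: user-supplied text reaching a back-end component or a rendered page without being validated, parameterized or escaped. The following Python example is added here to make that concrete; it is not code from the article or from Watchfire. It assumes a hypothetical policy-lookup page backed by a small in-memory SQLite table (the table, the `POL-NNNNN` policy-number format and the sample rows are constructed for the example) and shows the query-concatenation defect beside the parameterized, allow-list-validated and output-escaped version, with error details kept in the server log rather than in the response.

```python
import html
import re
import sqlite3


def build_db():
    """Constructed sample data: an in-memory policy table standing in for an insurer's back-end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE policy (number TEXT PRIMARY KEY, holder TEXT, ssn_last4 TEXT)")
    conn.executemany(
        "INSERT INTO policy VALUES (?, ?, ?)",
        [("POL-10001", "A. Smith", "1234"), ("POL-10002", "B. Jones", "5678")],
    )
    return conn


def lookup_policy_vulnerable(conn, number):
    """Injection Flaws row: the query is assembled by string formatting, so whatever the
    user typed becomes part of the SQL text and can change the WHERE clause."""
    sql = "SELECT number, holder FROM policy WHERE number = '%s'" % number
    return conn.execute(sql).fetchall()


def lookup_policy_safe(conn, number):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT number, holder FROM policy WHERE number = ?", (number,)
    ).fetchall()


# Unvalidated Input row: accept only the exact shape a policy number may have (allow-list)
# and reject everything else before it reaches any back-end component.
POLICY_NUMBER = re.compile(r"^POL-\d{5}$")  # hypothetical format for this example


def validate_policy_number(value):
    return bool(POLICY_NUMBER.match(value))


def render_holder(holder):
    """Cross-Site Scripting row: data echoed into a page is HTML-escaped so that it is
    displayed as text rather than interpreted as markup or script."""
    return "<p>Policyholder: %s</p>" % html.escape(holder, quote=True)


def handle_request(conn, number, log):
    """Improper Error Handling row: the client gets a generic message and status code;
    the details that would aid reconnaissance go only to the server-side log."""
    if not validate_policy_number(number):
        log.append("rejected malformed policy number")
        return {"status": 400, "body": "Invalid request."}
    try:
        rows = lookup_policy_safe(conn, number)
    except sqlite3.Error as exc:
        log.append("database error: %r" % exc)
        return {"status": 500, "body": "An internal error occurred."}
    if not rows:
        return {"status": 404, "body": "No such policy."}
    return {"status": 200, "body": render_holder(rows[0][1])}


if __name__ == "__main__":
    db = build_db()
    server_log = []
    # A value that is not a policy number at all: the vulnerable query returns every row,
    # the parameterized one returns nothing, and validation rejects it before any query runs.
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_policy_vulnerable(db, probe))
    print("parameterized:", lookup_policy_safe(db, probe))
    print("validated request:", handle_request(db, probe, server_log))
    print("normal request:", handle_request(db, "POL-10002", server_log))
    print("escaped output:", render_holder("<script>alert(1)</script>"))
    print("server log:", server_log)
```

The point to notice is that each defence works independently: parameterization alone stops the query from being rewritten, allow-list validation alone stops malformed input at the edge, and escaping alone stops stored data from being interpreted as markup. Layering all three, with errors logged rather than echoed, is what the OWASP rows above are asking for.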
Why do these vulnerabilities exist? New methods for attacking Web applications are growing in volume and frequency. Security teams are under intense pressure and many cannot keep up with the volume of applications they need to test. Currently, they are either catching issues late in the development cycle or not at all. The continuous cycle of developing, updating and auditing applications combined with trying to keep up with the latest patches is a constant battle against hackers.
With the explosion of Web-enabled applications, a new genre of threats has emerged and insurance companies are not immune. Organizations should not neglect the important step of securing the site in addition to the applications and the data they collect. It only takes a single breach to ruin a reputation.
Michael Weider is the CTO of Watchfire, a Web application security vendor based in Waltham, Mass.