The legality of responding to malicious attacks was recently the conversation at BlackHat DC prompting Network World to pen an article intriguingly titled Is retaliation the answer to cyber attacks?. Maybe the legality is more easily defined if we split the types of counter-measures in two. The first type of response is an “aggressive” retaliation, similar to what the Stuxnet is supposed to have achieved against Iran’s nuclear infrastructure. Clearly there are legal ramifications for aggressively damaging property and corporations are not going to require this type of retaliation. The second type of response is a “protective” retaliation such as blocking the active connection or breaking the web application for that identified hacker. Or how about sending the hacker a warning? Is that a counter-measure that is too aggressive? Most companies would clearly see the difference and are comfortable with a more proactive protective response.
Dark Reading recently wrote about the weaknesses of firewalls and illustrate the problems of firewall proliferation in a very interesting way. There are four main problems:
- Rules Management: Firewalls require rules and the configuration of these rules are time-consuming and ever-changing. Changing one rule may affect another already configured. Rules management is a burden on IT Security staff and increasingly the reason firewalls don’t work is because they are configured incorrectly.
- Firewall Proliferation and Sprawl: More firewalls that reside within an enterprise require more rules to configure resulting in either more configuration errors or the likelihood that the firewall is configured to provide the least amount of possible security, possibly even letting all traffic through.
- The Security Myth of Firewalls: Audits for PCI or SOX compliance are more likely to uncover a mis-configured firewall than either a hacker or the overworked IT security department charged with managing the device.
- Application Ignorance: The majority of firewalls are ignorant about what they are protecting and do not understand what is the correct behavior of a normal user. Application-aware firewalls will become more important.
And another article lauds the three major tenets of PCI requirements. Companies holding customer data should:
- Use a Web application firewall
- Develop software using secure practices
- And focus on whitelisting technologies for key servers.
With the Verizon Data Breach Report stating that 94% of compromised records involved a flaw in a web application, something is wrong. If firewalls are not being configured correctly and almost all records are stolen using a web application flaw, why is it a PCI requirement to use a Web application firewall?
Is a proactive defensive solution, protecting web applications that is application aware, and doesn’t require signatures, or cumbersome rules management, the next key solution?
Join us for our complimentary Webinar. Register Here.
How Web Applications are Attacked: Understanding and Responding to the Five Phases of Web Application Abuse
Wednesday November 3, 2010 11am PST (2pm EST)
Web applications have created a massive attack surface for potential attackers. Because of this, the majority of attacks begin very quietly through a business Web application. This webinar outlines the problem of Web application abuse and how this abuse is used to steal data, money and resources from companies. Understanding the anatomy of an attack is key to selecting the best method of defending against widespread abuse.
Current solutions for securing Web applications rely heavily on signatures to identify and respond to threats. But signatures have become less effective at detecting threats over time, and aren.t sufficient to address the sophisticated abusive behavior that large, publicly exposed Web applications are subject to, including page scraping, logic abuse, malicious automation, phishing, and malware distribution. The key shortcoming is a lack of application context . without any grounding in actual application and user behavior, signature-based solutions can.t avoid flagging many false positives. This makes the information they provide to administrators practically un-actionable.
From this webinar, you will learn:
- How sophisticated attackers successfully abuse Web applications
- The five phases of a Web application attack
- The weaknesses of signature based security
- How companies respond today
- A new innovative approach to Web application defense
When Web applications are the core of your business, protecting them from abuse is crucial. High profile Web applications can provide front-door access to critical data. Sophisticated and organized attackers with deep technology skills are increasingly successful at accessing that data, and the results can be disastrous, from non-compliance, to fraud, to competitive loss.
»Bank account fraud. Attackers devise and execute phishing scams to highjack customer accounts and perform fraudulent electronic payments
»E-commerce fraud. Attackers make fraudulent purchases, or steal credit card information. This results in a loss of brand credibility, and threatens compliance status with PCI DSS
»Data scraping. For-hire hacking teams establish automated, non-sanctioned calls to business data to power a competitive site or service (e.g. retail pricing, travel bookings)
These problems are getting more severe as attackers become more organized and sophisticated. Traditional approaches to stopping Web attacks that rely on signature based intrusion detection and anti-virus are increasingly ineffective. This is the result of the combination of two factors. First, Web applications are exposed to the public, and easily introspected by the outside world. Attackers can take the time they need to understand how they are coded and which defensive measures are in place, allowing them to avoid being profiled by varying their attacks quickly. Second, the criminal community responsible for Web attacks has evolved into a market of its own, complete with highly productized “command and control” suites for creating and managing bots – armies of compromised computers on the internet that are used to distribute, transform, and obfuscate the attack. These suites are sold online as ready-to-go, do-it-yourself attack kits. The market for these kits is extremely competitive, with market demand driving new features and innovations all the time.
To realize how advanced targeted threats can be disrupted and prevented, you need to clearly understand the nature of those threats.