Below is a copy of the slides used in our Webinar titled ‘How Web Applications are Attacked’.
To watch the fascinating content, go to this page and complete the form to view the Webinar file at your leisure.
When Web applications are the core of your business, protecting them from abuse is crucial. High profile Web applications can provide front-door access to critical data. Sophisticated and organized attackers with deep technology skills are increasingly successful at accessing that data, and the results can be disastrous, from non-compliance, to fraud, to competitive loss.
»Bank account fraud. Attackers devise and execute phishing scams to hijack customer accounts and perform fraudulent electronic payments.
»E-commerce fraud. Attackers make fraudulent purchases or steal credit card information. This results in a loss of brand credibility and threatens compliance status with PCI DSS.
»Data scraping. For-hire hacking teams establish automated, non-sanctioned calls to business data to power a competitive site or service (e.g. retail pricing, travel bookings).
These problems are getting more severe as attackers become more organized and sophisticated. Traditional approaches to stopping Web attacks that rely on signature-based intrusion detection and anti-virus are increasingly ineffective. This is the result of the combination of two factors. First, Web applications are exposed to the public and easily introspected by the outside world. Attackers can take the time they need to understand how the applications are coded and which defensive measures are in place, allowing them to avoid being profiled by varying their attacks quickly. Second, the criminal community responsible for Web attacks has evolved into a market of its own, complete with highly productized “command and control” suites for creating and managing bots – armies of compromised computers on the internet that are used to distribute, transform, and obfuscate the attack. These suites are sold online as ready-to-go, do-it-yourself attack kits. The market for these kits is extremely competitive, with market demand driving new features and innovations all the time.
To realize how advanced targeted threats can be disrupted and prevented, you need to clearly understand the nature of those threats.
Mykonos has kept its latest project under wraps, but the launch is looming. Next week we launch our new product – called the Mykonos Security Appliance. The launch will be at the RSA conference in San Francisco on March 1, 2010. The product is unique in that it helps organizations gain intelligence about hackers who attack their Web applications, and also allows them to respond in real time with countermeasures.
The product complements our other product, the Mykonos Framework, which helps build new web applications more securely at the code-level. The Mykonos Security Appliance now helps secure the existing legacy Web applications that are already in use.
Mykonos grew out of the team’s experience building and securing Bluetie, one of the largest Web applications in the world. The team learned that beyond Web application firewalls, which are difficult to implement accurately and only offer point-in-time reporting, there are no real-time code-level security solutions in the market.
Mykonos started by building a Framework that helps you build secure Web applications. But next week, Web application security will gain intelligence with the release of the Mykonos Security Appliance.