Mykonos Software’s Director of Product Management, Al Huizenga presented at the Cornerstones of Trust event in Silicon Valley. The event held by ISSA (Silicon Valley and San Francisco chapters) and Infragard provided a fascinating array of topics and security perspectives.
Al’s presentation to IT Security professionals was titled “Pro-actively Managing web Application Abuse” and was included in the track Proactive Defense: Technologies to Overcome Hidden Threats.
When Web applications are the core of your business, protecting them from abuse is crucial. High profile Web applications can provide front-door access to critical data. Sophisticated and organized attackers with deep technology skills are increasingly successful at accessing that data, and the results can be disastrous, from non-compliance, to fraud, to competitive loss.
For example:
»Bank account fraud. Attackers devise and execute phishing scams to highjack customer accounts and perform fraudulent electronic payments
»E-commerce fraud. Attackers make fraudulent purchases, or steal credit card information. This results in a loss of brand credibility, and threatens compliance status with PCI DSS
»Data scraping. For-hire hacking teams establish automated, non-sanctioned calls to business data to power a competitive site or service (e.g. retail pricing, travel bookings)
These problems are getting more severe as attackers become more organized and sophisticated. Traditional approaches to stopping Web attacks that rely on signature based intrusion detection and anti-virus are increasingly ineffective. This is the result of the combination of two factors. First, Web applications are exposed to the public, and easily introspected by the outside world. Attackers can take the time they need to understand how they are coded and which defensive measures are in place, allowing them to avoid being profiled by varying their attacks quickly. Second, the criminal community responsible for Web attacks has evolved into a market of its own, complete with highly productized “command and control” suites for creating and managing bots – armies of compromised computers on the internet that are used to distribute, transform, and obfuscate the attack. These suites are sold online as ready-to-go, do-it-yourself attack kits. The market for these kits is extremely competitive, with market demand driving new features and innovations all the time.
To realize how advanced targeted threats can be disrupted and prevented, you need to clearly understand the nature of those threats.
