
Storm on the Horizon: How Due Care Can Prevent Another Hurricane Equifax

In the wake of Hurricane Irma, which I experienced firsthand, the disaster it left behind will be repaired. Floridians have been rebuilding portions of their state after hurricanes since before it was even a state. Although the damage everyone incurred is plainly visible, eventually the trees will grow back, the homes and businesses will be repaired, the cities will return to normal, and the human persistence to carry on will once again be demonstrated.

It’s simple to see what needs to be done when the damage is right in front of you, and this one is going to be extremely costly. Every citizen and property owner of Florida and the other states directly in Irma’s path will incur some sort of financial loss. This was a storm whose effect was quite evident, and riding these things out is never a pleasure.

Although nothing in comparison to Irma, the recent Equifax breach will result in similar, yet less visible, damage. People’s lives are likely to be affected by this event as well. Many have already experienced the fear of identity theft because of this breach, and the likelihood of individuals and businesses incurring some sort of financial loss due to it is also quite high. While hurricanes are unavoidable, can organizations eliminate the “Hurricane Breach” we so often hear of?

Those who study hurricanes understand them well. They know how they form, how they grow, where they’ll likely go next, and the damage they usually cause. So why don’t many of those entrusted with securing organizations and their customers’ data understand “breach” events as well as their hurricane-expert counterparts understand storms? Many people are beginning to believe nothing can be done to stop hackers from breaching networks, applications, and APIs and then stealing precious data. However, if there is a will, there is always a way.

We all know that hurricanes are not on the same damage scale as data breaches. However, here is a storm forecast that organizations won’t want to hear. Hackers are no longer going after your endpoints. Instead, they are now going after your web-facing applications and APIs, and the probability that they’ll successfully cause outages and steal your data increases every minute. Many organizations are either ignoring the warning signs, overlooking them completely, or are simply not well informed. There is definitely a hurricane on the horizon if organizations don’t take immediate action to shore up the defenses of their web-facing applications and APIs.

For example, the Open Web Application Security Project (OWASP) is a well-known open source effort that periodically releases a list of the Top 10 risks that website owners should pay attention to. The reason for this is simple. All of the risks identified in the 2017 release candidate, and the risks identified in the previous release, come from people who are experts in how to secure applications and APIs.

In the 2017 release candidate, which is still in a “request for public comments” phase, a somewhat controversial risk has arisen. Of the Top 10 risks, risk A7 seems to have some people rather concerned about what it actually means. Others feel that OWASP’s specific recommendations for risk A7 may be overbearing and are not really necessary to protect applications and APIs appropriately.

According to the release candidate, A7 states, “Insufficient Attack Protection: The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks. Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, and even blocking exploit attempts. Application owners also need to be able to deploy patches quickly to protect against attacks.”

What this really means is that the majority of web applications and APIs are poorly protected: they have no defenses to defeat exploits, and this is growing into one of the greatest risks behind the many data breaches reported. However, there are solutions that can directly remedy the insufficient attack protection that OWASP highlights for applications and APIs.

If one looks deeper into the detail of A7, the release candidate also states, “Be sure to understand what types of attacks are covered by attack protection. Is it only XSS and SQL Injection? (No) You can use technologies like WAFs, RASP, and OWASP AppSensor to detect or block attacks, and/or virtually patch vulnerabilities.” If there are technologies readily available to automatically detect, log, respond to, and block exploits, why does OWASP use the words “the majority of applications and APIs lack the basic ability to detect, prevent, and respond to attacks”? It’s simple. Organizations are not using the technologies that OWASP recommends.
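To make the four A7 capabilities concrete (detect, log, respond, block), here is an added example in the style of an OWASP AppSensor detection layer; it is not code from the post, from OWASP, or from any product named here. The detection points, thresholds, routes, and client addresses are assumed and constructed for the demonstration.

```python
import logging
from collections import defaultdict, deque

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")

# Assumed detection points: name -> (events tolerated, window in seconds).
# Inside the window each event is logged; one more than tolerated blocks the client.
THRESHOLDS = {"input_validation_failed": (3, 60), "unknown_route": (5, 60)}
KNOWN_ROUTES = {"/login", "/account"}  # constructed routes of the protected app


class AttackProtection:
    """Detect, log, respond to and block attacks per client (AppSensor-style)."""

    def __init__(self, thresholds=THRESHOLDS):
        self.thresholds = thresholds
        self.events = defaultdict(deque)  # (client, point) -> event timestamps
        self.blocked = set()

    def record(self, client, point, now):
        # Log one detection-point event; return 'block' once the threshold trips.
        limit, window = self.thresholds[point]
        q = self.events[(client, point)]
        q.append(now)
        while now - q[0] > window:  # forget events that fell out of the window
            q.popleft()
        logging.info("client=%s point=%s count=%d", client, point, len(q))
        if len(q) <= limit:
            return "log"
        self.blocked.add(client)
        logging.warning("client=%s blocked after %d x %s", client, len(q), point)
        return "block"

    def handle(self, request, now):
        """Apply the detection points to one request dict and return its outcome."""
        client = request["client"]
        if client in self.blocked:
            return "blocked"
        if request["path"] not in KNOWN_ROUTES:
            return "blocked" if self.record(client, "unknown_route", now) == "block" else "not_found"
        # A validation failure is not only rejected; it is also counted as an attack signal.
        if not request.get("user", "").isalnum():
            return "blocked" if self.record(client, "input_validation_failed", now) == "block" else "rejected"
        return "allowed"


def demo():
    """Constructed traffic: one well-behaved client, one repeatedly sending malformed input."""
    ap = AttackProtection()
    reqs = [("203.0.113.7", "/login", "alice", 0)]
    reqs += [("198.51.100.9", "/login", "bob<>", t * 5) for t in range(4)]
    reqs += [("198.51.100.9", "/account", "bob", 25), ("203.0.113.7", "/account", "alice", 30)]
    return [ap.handle({"client": c, "path": p, "user": u}, t) for c, p, u, t in reqs]
```

Blocks here never expire and are keyed only by client address; a production deployment would add block expiry, a richer client identity, and many more detection points.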

For example, according to Equifax, their customers’ data (and mine) was stolen by hackers who exploited a very simple web application vulnerability in Apache Struts. What this means is that their websites were running vulnerable Apache software that was easily exploited (taken advantage of) by hackers. The vulnerability allowed hackers to gain access and steal personal data, and a lot of it. Had Equifax been using at least one of the technologies that OWASP points out, and had it been deployed and configured properly, the likelihood of this breach happening would have been quite low.

Although many organizations will ignore the signs of the storm on their horizon, anyone who has not installed, properly configured, and enabled at least one of these technologies to protect their web applications and APIs is not following the basic principles of “due care”.

Learn more about Oracle Dyn API security.



Whois: Stephen Gates

Stephen Gates is an Edge Security Evangelist at Oracle Dyn Global Business Unit, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.