A Symantec global survey of nearly 2,000 SMBs showed that 50% did not consider themselves an attack target. However, looking at today’s threat landscape, this is clearly a misconception. If a site is online, regardless of its popularity, it will be targeted, according to Imperva.
Hackers are going after low hanging fruits. These are the companies who are less security aware and do not have the proper defenses in place. According to the 2011 Verizon Data Breach Investigations Report, hackers are increasingly targeting smaller, softer, less reactive targets since these provide a lower-risk alternative to financial institutions.
Why would someone want to hack an SMB site (an application or server)? For a variety of reasons:
Data retrieval. Nearly all data may considered of value to any hacker who can later exchange this data on the cyber-underground. Hot commodities include: credit card numbers, employee details, login credentials.
Malware hosting. Hackers hack legitimate sites to host malware on them. Visitors to these compromised sites may then unknowingly download the malware. The benefit to hackers is that they do not need to setup their own server. More importantly, since these sites are legitimate, it avoids the suspicions raised from dubious sites.
Compromising the company’s servers. A server under the hacker’s control, can be used to carry out further attacks against other targets. The hacker gains a couple of advantages. First, the hacker does not attack the target directly thus concealing their identity behind a legitimate server. Second, attacks originating from servers are powerful. In fact, an estimate has it that one compromised server is equivalent to 3,000 compromised PCs under the hacker’s control.
Hackers are increasingly leveraging search engines such as Google, Yahoo! or Bing to scan the Web for vulnerable sites. With a list of potentially vulnerable resources, the attacker can create, or use a ready-made, script to exploit vulnerabilities in the pages retrieved by the search campaign. In fact, in August 2011 USA Today reported that 8 million websites, mostly belonging to small companies, were infected and hosting malware. In this case, the hackers used the technique of “scan and exploit” in order to conduct such a massive attack campaign within such a short period of time.
How can SMBs protect their applications?
As we can see, attacks nowadays are completely opportunistic in nature. Organizations can overcome these threats, by introducing different security measures into the systems:
- Building secure application code. This will solve the root cause of the issues. However, many SMBs are reluctant to choose this path as returning the code to development is expensive: it requires developers who are more experienced with security, delayed releases, and is a never-ending process.
- Placing security devices on site. For example, placing a Web Application Firewall (WAF). A WAF is a device which inspects incoming traffic targeted at the application and alerts on malicious traffic. WAFs may or may not be combined with application vulnerability scanners which test the application itself for known vulnerabilities. However, these tools usually prove to be too costly for SMBs.
- Using the cloud to provide security. Different offerings exist which allow traffic to be re-routed via a security offering in the cloud. These services sift out the bad traffic from the good so that eventually only the good traffic arrives at the application. This is usually the preferred choice for SMBs as cloud offerings are cheaper and are usually provided as subscription-based services based on traffic throughput.