Here's the scenario: Attackers compromise a major brand's Web site. The issue goes unnoticed until it's exposed publicly. But instead of stealing customer records, the attacker installs malware that infects the computers of thousands of visitors to the site. Such attacks are a common occurrence, but most fly under the radar because the users never know that a trusted Web site infected them, says Brian Dye, senior director of product management at Symantec Corp.
But word can get out, leaving the Web site's customers feeling betrayed, and seriously damaging a brand's reputation. When his company tracks down the source of such infections, it often quietly notifies the Web site owner. Attackers, often organized crime rings, gain entry using techniques such as cross-site scripting, SQL injection and remote file-inclusion attacks, then install malicious code on the Web server that lets them get access to the end users doing business with the site. "They're co-opting machines that can be part of botnets that send phishing e-mail, that are landing sites for traffic diversion and that host malware," says Frederick Felman, chief marketing officer at MarkMonitor. That possibility is one of Lynn Goodendorf's biggest worries as global head of data privacy at InterContinental Hotels Group. "I worry about attacks that use a combination of malware and botnets," she says, adding that she has watched this type of activity increase steadily over the past two years. "That's very scary," says Goodendorf. But because the business's Web site isn't directly affected, the administrators of most infected Web sites don't even know it's happening.
Most victims haven't associated such attacks with the Web sites that inadvertently infected them. The latest versions of Microsoft's Internet Explorer browser and Google's search engine detect sites infected with malware, issue a warning and block access to the site. "To me, this is serious online brand damage," says Garter analyst John Pescatore, and it can be disastrous for small and midsize businesses that totally depend on search engine traffic. But that may be changing. The next frontier, says Dye, may be attackers who use these types of exploits against the Web sites of high-profile brands and then publicize - or threaten to publicize - what happened. But Pescatore sees a more fundamental problem: rushing through Web site updates and ignoring development best practices designed promote security. Preventing attacks like SQL injections requires using enterprise-class security tools, such as intrusion-prevention and -detection systems, with a focus on behavioral analysis to spot attacks, Dye says.
Most organizations follow formal processes for major upgrades, but not for the constant "tinkering" that takes place. The result: Vulnerabilities creep into the code. "Security groups often are forced to put Web application firewalls in front of Web servers to shield [these] vulnerabilities from attack," says Pescatore.
0 comments:
Post a Comment