What do you see as the biggest online security threats today?
Large organized underground groups of hackers targeting unsuspecting organizations with web applications that access core business data. They have created underground marketplaces for illicit goods, including credit card numbers, privacy information, email accounts, etc. These groups perfect their techniques and target specific organizations. These groups have also begun online extortion by either threatening Denial of Service attacks or encrypting some critical piece of data on a corporate server.
What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level?
Most organizations have invested in a network security infrastructure with firewalls and intrusion detection systems to provide protection against network attacks. At the same time, organizations are building a web presence for their customers, business partners, and prospects. These web applications are all different and expose their own unique set of vulnerabilities that cannot be protected by network security. One of the biggest challenges for organizations is to balance the need for access to these applications with the need to protect against targeted web attacks.
Since communications for web applications flows through the network firewall, if security is not in place at the application layer the organization may have data leakage through the web application without their knowledge. Web applications, and if exploited could result in a highly publicized identity theft incidents.
Gartner Group has stated that over 75% of successful attacks against organizations have exploited vulnerabilities in web applications. Hackers attacking web applications are able to circumvent network security and gain access to an organization’s crown jewels, their customer data.
In your opinion, has the phenomenon known as Web 2.0 increased security awareness when it comes to web application security?
Web 2.0, the Web as a platform, has significantly increased the complexity of web applications as they grow to incorporate multiple components and integrate with other parts of the infrastructure (like databases and authentication systems). These multi-tiered applications have included security as a component of the application infrastructure, however the integration of all this disparate technologies has introduced more complexity than can be addressed by network security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.