But let me ask you this: could your website take a black eye? Could it take a hit and continue to offer the level of service your customers have come to expect? Could your web services absorb the impact of a cyber attack and keep on trucking?
We’re talking about malicious activity you can see and feel: bad actors looking to take down your web application servers at the most critical time, for the greatest impact on your business and your customers. A Distributed Denial of Service (DDoS) attack can knock your web platform offline, losing you business and causing lasting reputational damage in the process.
What about brute force attacks against your customer login pages, where attackers try thousands of passwords in parallel? Credential stuffing attacks that replay usernames and passwords leaked from other sites’ breaches against your customer database, on the bet that people reuse them? Cross-Site Request Forgery (CSRF) attacks that abuse the session cookie a logged-in user’s browser attaches automatically, so that a request forged by the attacker is processed as if the victim had made it? The list goes on.
But wait, there’s more. It’s not just about what we can see; what we can’t see is what we should be most concerned about. Would you even know if you were under attack from cyber criminals, and what action would you take if a breach were discovered? What if a black hat hacker had already planted a stored Cross-Site Scripting (XSS) payload in your web application, waiting to run in your customers’ browsers on your busiest day of the year? What if you didn’t even know of the compromise until it was too late and the damage was done?
Perhaps your online web services can take a blow to the proverbial cyber “you know what’s”, perhaps not. Either way, what about mitigating the attack, or preventing it from occurring in the first place?
“It’s all good, we’re protected with our Internet edge firewall, in fact we have a bunch of firewalls so we’re covered, thanks”
We hear this a lot. For those of you up on your Open Systems Interconnection (OSI) model, credit to you and congratulations on joining the Internet-safe minority. For those less familiar with a layered approach to cyber security, keep reading: the fundamentals of good security are often not well understood, and the ever-increasing application layer attack surface is frequently overlooked.
A fundamental understanding of Internet security, including both positive and negative security models for protecting your web applications, is vitally important and the first step in protecting your online business and your customers. A negative model blocks requests that match known-bad patterns (attack signatures) and lets everything else through; a positive model allows only requests that match what the application is known to expect (the right parameters, in the right format and size) and blocks everything else.
Starting with a Web Application Firewall (WAF) you can quickly implement a good baseline of security for your applications, mitigating the most common risks and exploits known to the industry, as catalogued in the regularly updated OWASP Top 10. For those unfamiliar with OWASP, it is the Open Web Application Security Project, an online community of security contributors whose guidance is widely used as a reference for web application security. The Top 10 is its list of the most critical web application security risks, covering categories such as injection (SQL injection among them), Cross-Site Scripting and authentication failures (the category that brute force and credential stuffing fall under), and it is revised over time as attack types and vectors change.
WAFs operate at Layer 7 of the OSI model (the Application Layer) and so go beyond the Layer 3/4 (Network/Transport Layer) protection offered by most traditional network firewalls, including those at the Internet edge or perimeter.
By looking at the application traffic itself, a Web Application Firewall can see what traditional firewalls cannot. To a traditional Internet edge firewall an HTTPS connection looks like an HTTPS connection: it’s HTTP secured with TLS, so it’s as safe as they come, right?
Unfortunately, this is a common misconception. Not everything wrapped up in an encrypted HTTPS connection (SSL or TLS) is to be trusted; in fact, in my opinion, that is all the more reason to be suspicious.
Where the traditional firewall consults its rule-set, determines whether HTTPS is allowed, and then permits or denies the connection, the Layer 7 WAF inspects the HTTP request in its entirety, headers and payload included, for malicious content. Note the prerequisite: a WAF can only inspect what it can decrypt, so it must terminate TLS itself (or sit behind the device that does), which means provisioning it with the certificates and private keys for your domains. What better way to disguise an attack than to hide it inside an encrypted HTTP request and have the perimeter firewall wave it safely through to its intended target?
In addition to this deep inspection of requests for known attack patterns, we can over time tune our web application policies to become more and more granular, to the point where we not only mitigate known attacks but are better prepared for zero-day attacks that are not yet known: a positive model that admits only the parameters and formats the application actually expects will block a novel payload even though no signature for it exists yet.
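To make the two models concrete, here is an added example (not code from the original post or from any WAF product) of a toy request filter that applies a negative model (a few simplified, assumed attack signatures) and a positive model (a per-endpoint allowlist for a hypothetical application with `/login` and `/search` endpoints) to already-decrypted, URL-decoded requests. The sample requests are constructed; the third one carries a payload that none of the signatures match but the allowlist still rejects, which is the zero-day point made above.

```python
import re
from dataclasses import dataclass

# --- Negative model: a handful of simplified attack signatures (assumed, not a real rule set) ---
SIGNATURES = {
    "sqli_union": re.compile(r"(?i)\bunion\b.+\bselect\b"),
    "sqli_quote_or": re.compile(r"(?i)'\s*or\s+['\d]"),
    "xss_script": re.compile(r"(?i)<\s*script\b"),
    "xss_handler": re.compile(r"(?i)\bon(?:load|error|mouseover)\s*="),
}


def negative_model(params):
    """Return the names of every signature matched by any parameter value."""
    hits = set()
    for value in params.values():
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


@dataclass
class FieldRule:
    pattern: re.Pattern  # shape the whole value must match
    max_len: int         # hard length cap, checked before the regex runs


# --- Positive model: per-endpoint allowlist of parameters and their shapes (hypothetical app) ---
ALLOWLIST = {
    "/login": {
        "username": FieldRule(re.compile(r"[a-z0-9._-]{3,32}"), 32),
        "password": FieldRule(re.compile(r"[^\x00-\x1f]{8,128}"), 128),
    },
    "/search": {
        "q": FieldRule(re.compile(r"[\w .,-]{1,64}"), 64),
        "page": FieldRule(re.compile(r"\d{1,3}"), 3),
    },
}


def positive_model(path, params):
    """Return allowlist violations; anything the endpoint does not expect is a violation."""
    rules = ALLOWLIST.get(path)
    if rules is None:
        return [f"unknown path {path}"]
    violations = []
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            violations.append(f"unexpected parameter {name}")
        elif len(value) > rule.max_len:
            violations.append(f"{name} too long")
        elif not rule.pattern.fullmatch(value):
            violations.append(f"{name} malformed")
    return violations


def evaluate(path, params):
    """Apply both models to one decoded request; block if either one fires."""
    reasons = [f"signature:{h}" for h in negative_model(params)]
    reasons += [f"allowlist:{v}" for v in positive_model(path, params)]
    return ("block" if reasons else "allow", reasons)


if __name__ == "__main__":
    # Constructed sample requests, as the WAF would see them after TLS termination and decoding.
    samples = [
        ("/login", {"username": "alice", "password": "correct horse battery"}),
        ("/search", {"q": "' UNION SELECT user,pass FROM accounts--"}),
        ("/search", {"q": "1; DROP TABLE users--"}),  # no signature matches; allowlist still blocks
        ("/search", {"q": "blue shoes", "page": "2", "debug": "1"}),
    ]
    for path, params in samples:
        print(path, params, "->", evaluate(path, params))
```

The trade-off is visible in the allowlist: it must be written per endpoint and kept in step with the application, which is the tuning effort described above, whereas the signature set is generic and cheap to deploy but only ever catches what it already knows.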
We can tailor our security posture to strike the right balance between security and functionality, and add the features that suit our unique web application requirements: CSRF protection, cookie hijacking protection, credential stuffing protection, brute force protection (for example, rate-limiting failed logins per account and per source address) and geolocation controls, to name but a few of the many options available.
The list of attacks continues to grow at an ever-increasing pace, but so does the knowledge and expertise of the cyber security profession, and new threat information is incorporated into WAF products through attack signature updates and feature enhancements to help keep you a step ahead of the bad guys, provided, of course, that you actually apply the updates.
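As an added illustration of what brute force and credential stuffing protection does under the hood (this is not the logic of any particular product, and the thresholds, window, log format and log lines are all constructed for the demo), the sliding-window monitor below counts failed logins per account and per source IP and distinguishes the two attacks: many failures against one account is brute force, while many distinct accounts tried from one address is credential stuffing. A legitimate user who fumbles a password every ten minutes never accumulates enough failures inside the window to trip either.

```python
from collections import defaultdict, deque


class LoginMonitor:
    """Sliding-window counters over failed logins, keyed by account and by source IP."""

    def __init__(self, window_s=300, per_account_limit=5, per_ip_limit=30, distinct_user_limit=10):
        self.window_s = window_s
        self.per_account_limit = per_account_limit      # failures on one account -> brute force
        self.per_ip_limit = per_ip_limit                # total failures from one IP -> rate limit
        self.distinct_user_limit = distinct_user_limit  # distinct accounts from one IP -> stuffing
        self.by_account = defaultdict(deque)  # username -> deque of (ts, ip)
        self.by_ip = defaultdict(deque)       # ip -> deque of (ts, username)

    def _expire(self, dq, now):
        """Drop entries older than the window; entries are appended in time order."""
        cutoff = now - self.window_s
        while dq and dq[0][0] < cutoff:
            dq.popleft()

    def record_failure(self, now, ip, username):
        """Record one failed login at epoch-second `now`; return the verdicts it triggers."""
        acct, src = self.by_account[username], self.by_ip[ip]
        acct.append((now, ip))
        src.append((now, username))
        self._expire(acct, now)
        self._expire(src, now)
        verdicts = set()
        if len(acct) > self.per_account_limit:
            verdicts.add(f"brute_force:{username}")
        if len(src) > self.per_ip_limit:
            verdicts.add(f"rate_limit:{ip}")
        if len({u for _, u in src}) > self.distinct_user_limit:
            verdicts.add(f"credential_stuffing:{ip}")
        return verdicts


def replay(lines, **limits):
    """Feed constructed 'epoch ip username FAIL|OK' lines through a monitor; return all verdicts."""
    monitor = LoginMonitor(**limits)
    seen = set()
    for line in sorted(lines, key=lambda ln: int(ln.split()[0])):  # expiry needs time order
        ts, ip, user, outcome = line.split()
        if outcome == "FAIL":
            seen |= monitor.record_failure(int(ts), ip, user)
    return sorted(seen)


def make_log():
    """Constructed log: one brute-force burst, one stuffing run, one slow legitimate fumbler."""
    base = 1_700_000_000
    lines = [f"{base + 10 * i} 198.51.100.4 alice FAIL" for i in range(8)]        # 8 fails in 70 s
    lines += [f"{base + 2 * i} 203.0.113.7 user{i:02d} FAIL" for i in range(12)]  # 12 accounts in 22 s
    lines += [f"{base + 600 * i} 192.0.2.9 bob FAIL" for i in range(8)]           # one fail per 10 min
    lines.append(f"{base + 4800} 192.0.2.9 bob OK")
    return lines


if __name__ == "__main__":
    for verdict in replay(make_log()):
        print(verdict)
```

In a real deployment the per-IP counters are the weaker signal, because stuffing tools spread attempts across proxies and residential botnets; the per-account counter and the distinct-account ratio survive that, which is why both are kept. The response to a verdict (captcha, delay, temporary lockout, or alerting only) is a policy decision left outside this snippet.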
If you’d like to discuss or review your current security posture or would like to know more about Web Application Firewalls and how they can help protect your business please feel free to get in touch and one of our team of Cyber Security Consultants would be happy to help.