Learn about SQL injection attacks and how to reduce your risk.

There are two types of Web sites... those that have been hacked and those that will be hacked. Under which category does your organization's Web site fall?

Three men were indicted on Aug. 17, 2009 for allegedly stealing more than 130 million credit and debit card numbers in what U.S. authorities believe to be the largest hacking and identity theft case ever prosecuted, as reported by Reuters reporter Daniel Trotta. Companies included in the "hack attack" were Heartland (a payment processing company), 7-Eleven, and Hannaford. According to Trotta, prosecutors said the ring caused more than $400 million in damages.1 SQL injection attacks exploited the computer networks and found a way around the network firewalls to steal credit and debit card information.2

You might still think that your Web site is secure. You pay someone to host your site, but are you certain your online assets are safe? Experts estimate that nearly 90 percent of all attacks today are aimed at the Web site and its supporting applications.

Earlier this year, NetStrategies realized that as a reliable Managed Web Hosting service provider it could better serve its clients by offering increased protection against the growing threat of Web application vulnerability.

"We had a real wake-up call – a knock on the head as I like to call it – when one of our hosting customers came under attempted attack and Web site defacement and needed our help," said Robert Moses, NetStrategies director of technology. "They needed a way to minimize future risk and we needed to better protect all of our customers."

At the time NetStrategies was using all the network and server security measures deployed by the majority of hosting companies. However they realized they were doing very little to address security at the Web site or Web application level. They needed to protect against the rapidly growing threat of SQL, XSS, and other Web application exploits that have begun to plague companies of all shapes and sizes, including of late, Google.

"We reviewed a number of vendors that offered Web vulnerability firewalls," said Moses. "After we did our research, we approached Applicure about offering their dotDefender to our hosting customers," said Moses. "We knew dotDefender helps protect Web sites from SQL Injection attacks and web vunerabilities, which continue to increase." Moses also wanted the Web site for NetStrategies protected. "Since our own site is intimately tied to our business success, we cannot take chances."

According to Moses, NetStrategies chose Applicure not only for the high level of protection offered by dotDefender but also because their business model was a match. "Their product met our needs, was easy to deploy, and fit our budget."

NetStrategies can now help protect its hosting customer Web sites from attack and can offer the solution to its customers at a competitive rate. NetStrategies also stepped up its efforts to educate hosting customers about potential security risks so that each customer could take every precaution necessary for advanced online protection.

dotDefender is now included in the NetStrategies deluxe managed hosting package, adding another critical level of protection to their online assets. Moses estimates that about one third of its customers are in this plan. An additional third of its hosting customers opt to buy dotDefender through NetStrategies at a significant discount from retail.

Knowledge is Power

"What have we learned over the past six months since adding dotDefender to our suite of online security protection?" muses Moses. "Aggressive probing and attempted intrusions through Web site applications happens 24 hours a day, seven days a week, from all corners of the globe. Whether you monitor it or not, it is happening and it is staggering."

"Will every probe or attempted intrusion produce problems for you business? No. However, this is the new status quo and ignoring the potential threat will not make it go away either," he continues.

Since the addition dotDefender, NetStrategies monitors the probing, attempted intrusion, and nature of traffic coming to its Web site. Currently Moses sees SQL Injection and Cross-Site Scripting (XSS) and the top two forms of attempted attacks aimed at the sites he monitors for NetStrategies. He sees a growing potential for other exploits in the near future because of the power of personal computing and the connective nature of the Internet. "Today, anyone with minimal technical know-how and the drive to use it has easy access to sophisticated tools for exploitation, said Moses. "Leaving yourself open is not a choice."

Casting a Wide Security Net

"Hackers look for holes in coding and no matter how thorough and talented the programmer, there will always be exposure," said Moses. "A Web Application Firewall adds a critical layer of defense to protect whatever you are running in the background and more importantly, gives you time to review and close those holes in your Web site before they become problems."

As organizations throw more and more content up on the Web, the higher their potential for security risk becomes. Businesses are adding competitive data, personal data, business intelligence, and more to the cloud. "If transparency was the buzz word of 2009, what will the buzz be in 2010?" wonders Moses. "Everything will be on the Web and accessible eventually. As a tech guy responsible for the safety and security of our hosting customers, I must remain proactive and vigilant."

Web Application Security and Your Business

What is the number one question you should ask your Web site host to ensure your Web site is safe?

"Do you use or offer Web application security?" This question is critical to your organization.

As stated above, most hacking attacks target Web applications (the "application layer"). Attacks on Web 2.0 sites are on the rise and Web applications are replacing e-mail as the preferred delivery method for planting malware.

If you are wondering if it could happen to you and your business, consider these three points:

1. Threats are evolving. Hackers are getting smarter, better financed, more devious, more automated, and absolutely more criminal. No longer is it just hacking for the thrill of it – the hacker community is now plying their skills for profit. Hacking schemes can be as elaborate as stealing the customer information database (or even just a few selected pieces of it) for blackmail or to sell to the highest bidder, or perhaps nabbing employee data for personal extortion, or even a simple defacement of the Web site home page just to chase potential customers to your competition.
2. Web applications are the low-hanging fruit. Hackers are also lazy by nature – why spend weeks, days, or hours trying to crack specific companies' networks when there are so many easy targets? Recent studies show that over 90% of all companies have significant vulnerabilities in their Web applications. Hackers know what to look for and are now using automated tools to scour Web sites and look for these holes. If a Web application can be breached, the hacker has access to all of the corporate data that powers the application. Once in, good hackers possess free reign. The scariest part is that in many cases you never even know they were there!
3. Network and client security measures do not prevent these attacks. Firewalls, Intrusion Prevention Systems, Anti-Virus, and other tools typically do an excellent job of filtering out the bad from the good, but they are not designed to deal with attacks exclusively at the application level (layer 7 of the OSI network stack). Hackers know this.

PCI Compliance and Web Application Security

In its Data Security Standard (DSS), the PCI (Payment Card Industry) Security Council stated that organizations accepting, storing, or processing credit card information must either employ a Web Application Firewall (such as dotDefender) or perform periodic Web application scanning for compliance. In its latest update to the standard, v1.2, the Council suggests using both scanning AND an application-layer firewall.

Ask your host whether they offer/use a Web application firewall or if they even scan Web applications. If the answer is "no" to both, your Web site, i.e., your business, is at high risk for attack. Remember, if an organization fails to comply with the DSS, it risks fines and possibly even a ban from accepting credit cards as payment, which for many would be the "kiss of death."

How Can I Secure My Online Business?

You need technology that directly protects your Web applications on an active basis and is powerful and flexible enough to manage threats as they evolve. Your programmers and security experts can then more effectively deal with application-level attacks and protect your corporate information without dramatic cost increases. In other words, you need dotDefender.

Make sure you understand the difference between a Web application attack and a worm, virus, or spyware. They are different things and require different methods of protection.

A virus or spyware initiates a noticeable difference in your Web site's speed. Web application attacks such as SQL injection can directly infect your site with malware. Other attacks, such as cross-site scripting, can redirect your customers to alternate sites where such malware resides, infecting their computers without them even knowing. Additional problems arise later when search engines such as Google identify your site as hosting malware. In fact, Google reported their blacklist of malware infected sites has more than doubled in the last year. This leads to a drop in ranking or even removal from their index, creating yet another set of challenges to rectify.3

A hacker is in and out of your site so quickly you won't even notice you've been attacked for quite some time. Unfortunately, the longer the intrusion lasts and the more time that lapses before detection, the more severe the aftermath is.

This is scary stuff. Symantec included the following in their 2008 report:

"Attackers are organized and implement contingency plans in case their activities are detected. By relocating their activities to a variety of countries, attackers can minimize the chances of being partially or completely shut down. This is demonstrated by events after the shutdown of a U.S.-based ISP toward the end of 2008. It seems that the bot controllers generating much of the attack activity from this ISP had alternative hosting plans. As a result, although Symantec noted a significant drop in malicious activity after the shutdown, particularly in spam, the numbers returned to previous levels soon afterward.

"It became apparent that the botnet controllers successfully relocated enough of their bot command-and-control (C&C) servers to other hosts, and rebuilt their botnets back up to previous numbers. Given the affected botnets were three of the world's largest, it is not surprising that new locations were quickly found to host these servers because botnets can generate significant profits."4

What Do Attackers Want?

Money! Symantec reports that "more than ever before, attackers are concentrating on compromising end users for financial gain. In 2008, 78 percent of confidential information threats exported user data, and 76 percent used a keystroke-logging component to steal information such as online banking account credentials. Additionally, 76 percent of phishing lures targeted brands in the financial services sector and this sector also had the most identities exposed due to data breaches. Similarly, 12 percent of all data breaches that occurred in 2008 exposed credit card information. In 2008 the average cost per incident of a data breach in the United States was $6.7 million – which is an increase of 5 percent from 2007 – and lost business amounted to an average of $4.6 million."

How Do I Get Proactive Protection for My Web Site?

Install Web application security software on your site. If your Web host does not offer this software, you can purchase it yourself and ask your host to install it on your site. If your host offers Web application security scanning, take advantage of it so at least you will know if you have been attacked and can react. The firewall of course helps prevent attacks from happening.

In addition to using the dotDefender Web Application Firewall, NetStrategies uses additional systems and tools to maintain a safe and secure network, including:

• Cisco ASA firewalls to protect against network level threats.
• Snort network IDS to monitor malicious network activity.
• Nessus network and server vulnerability scanning and testing to identify and correct vulnerabilities in servers.
• Acunetix Web vulnerability scanning and testing to identify and correct vulnerabilities in Web sites and Web applications.

Rely on NetStrategies to lead all of your Internet marketing efforts including pay-per-click management, Web analytics, search engine optimization, managed Web hosting, E-mail marketing, and Web design and development. To learn how our Internet marketing experienced leadership can drive measurable results to your online presence, visit our Web site.

Applicure Technologies Ltd. (TASE: APCR) develops the leading multi-platform Web application security software products to protect Web sites and Web applications from external and internal attacks. Built upon years of research into hacker behavior, Applicure solutions feature a comprehensive knowledge base to identify attacks accurately and to stop them before they reach the Web site or application. Applicure's flagship product, dotDefender, is deployed globally and is serviced by offices and business partners in the US, Europe, and Asia.

dotDefender delivers comprehensive protection against SQL injection, cross-site scripting and many other application-level attacks, and fulfills the challenging application layer firewall requirements of the PCI Data Security Standard. With thousands of installations, customers, and partners, from SMB/SME to Fortune 1000 enterprises, including a diverse range of hosting providers, dotDefender meets the demands of application security around the world for strong and affordable protection technology.

1. Reuters: Three indicted in largest U.S. identity theft scheme
2. NY Daily News: Hacker Albert Gonzalez charged with largest ID theft ever involving 130M credit, debit cards
3. Malware Statistics Update by Google
4. Symantec Internet Security Threat Report (.PDF, 362K)