Analysis: The TalkTalk hack in October 2015 hit the company’s website.
So much of the focus in cyber security is on securing networks and endpoints that it can be easy to miss the huge vulnerability presented by websites.
The warning signs are there, however. The infamous hack of TalkTalk in October 2015, which saw the personal details of 156,959 customers accessed, used a type of website attack known as an SQL injection, for example.
Obviously not having a website is not an option; so what are the threats and how can companies mitigate against them?
As the attack on TalkTalk shows, the SQL injection (SQLi) is a fairly simple and effective way of carrying out an attack. Web applications frequently send input to a database to access information from it or modify its contents.
However, an attacker can craft that input so that the database treats it as part of a command rather than as plain data. In a hack by SQL injection, this could be a command to 'dump' the database, giving the attacker access to the database's contents.
Ryan O’Leary, VP Threat Research Centre at WhiteHat Security, says that SQL injection presents a “really easy avenue for hackers.”
“The SQL vulnerability is one of the very first skills you learn when trying to attack a site, because of the prevalence of the flaw and ease of exploitation,” explains O’Leary.
WhiteHat Security research shows that around 6 percent of websites have at least one SQLi flaw.
“Six percent may not seem like a large proportion, but when you think of it as six out of every 100 websites you use that have this particularly nasty flaw, it suddenly seems a staggeringly large amount.”
SQL injections can be used to capture information from the database, but also could be used for further attacks such as web shells, according to Fidelis Security. A web shell is a malicious tool which enables an attacker to remotely control a web server after compromising it.
TalkTalk’s hack also involved another common type of attack on a website, a distributed denial of service (DDoS) attack. This is not so much a hack as a bombardment.
The targeted website is flooded with traffic, designed to overwhelm the resources of the site to crash or suspend its services.
In this instance the DDoS provided cover for the main SQL injection-based attack.
There are several other major categories of vulnerabilities in websites, such as the brute force attack, which can use automated inputs of log-in credentials to access the contents of the website with the privileges of a trusted user. This could include a company’s private CMS system, giving the attacker access to all sorts of confidential information.
Insufficient transport layer protection and information leakage are types of vulnerability that focus on information in motion, such as payment details being sent to and from a website.
There are also vulnerabilities driven by flaws in plugins. Karl Sigler, Threat Intelligence Manager at Trustwave, says that the company’s 2016 Trustwave Global Security Report revealed that 71 percent of web attacks observed in 2015 were targeting WordPress sites, with 45 percent of these using a vulnerability in the Slider Revolution plugin to access files located elsewhere on the server.
Web applications are another point of vulnerability. As Nathan Dornbrook, Group CTO at ECS Security, says, online applications are constantly scanned by hackers to look for potential vulnerabilities, “often within minutes of going online.”
To defend against this range of attacks, a starting point is a “thorough vulnerability assessment”, says O’Leary.
This would involve looking at a range of factors, including the quantity and value of the data that a website handles. Who are the potential attackers? It may be that a company’s website does not deal with sensitive data and so will not be in danger of attack.
With this in mind, it is important to look at the specific vulnerabilities. Perhaps the website uses a database, in which case an SQL injection could be a threat.
Once a business has established what the threats are, there are plenty of easy fixes to get the website in shape.
Many of the attacks are fairly easily dealt with. For example, bots programmed to automatically attack websites can be easily derailed with a simple authentication solution such as a Captcha.
SQL injections may be easy to exploit, but they are also easy to mitigate against. Daniel Barrie Brown, Cyber Security Consultant at FarrPoint, says that website administrators should set up parameterised queries, which are “effectively a list of questions that can be asked where only specified parameters can be adjusted by the client”.
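To make concrete both the mechanism described earlier (user input being treated as part of a database command) and the parameterised-query fix Barrie Brown describes, here is a small added example that is not part of the original article and not code from any of the companies quoted. It builds a constructed in-memory SQLite table of sample customers, runs the same lookup two ways, and counts the rows each returns. The table name, column names and sample values are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a website's backing database.
# The schema and rows are invented for this example.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Lookup built by pasting the input into the SQL text.

    The database cannot tell where the query ends and the user's data
    begins, so input that contains SQL syntax changes the query itself.
    """
    sql = "SELECT id, username, email FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Lookup using a parameterised query.

    The shape of the question is fixed in advance; the client can only
    supply the value bound to the placeholder, never new SQL.
    """
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with an ordinary input and a hostile one.

    Returns the row counts so the difference can be checked directly.
    """
    conn = make_db()
    honest = "alice"
    # Constructed hostile input: it closes the quoted string and adds an
    # always-true condition, so the vulnerable lookup reads the whole table.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, honest)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "parameterised_honest": len(lookup_parameterised(conn, honest)),
        "parameterised_hostile": len(lookup_parameterised(conn, hostile)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The vulnerable lookup returns one row for a normal username but every row in the table for the hostile input, which is the 'dump' the article describes. The parameterised version returns one row for the normal username and nothing for the hostile input, because the whole string is compared as a literal username and never interpreted as SQL.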
The contents of the database can also be encrypted and made accessible only to trusted users.
Meanwhile, DDoS attacks can be prevented by provisioning additional bandwidth to deal with the increased traffic during a DDoS attack.
It is easy to just see the website as an add-on, but if the website is going to be handling the organisation’s data, it needs to be secure.