Protecting personal data is critical for any organisation with an online presence. A breach not only results in substantial reputational damage and huge fines, it can have a negative impact on revenue and threaten the long-term viability of a business.
This was drawn into sharp focus last week when Canada-based Avid Life Media confirmed a breach of its systems had put the personal information of some 37 million customers at risk. The company owns dating sites including AshleyMadison.com, CougarLife.com and EstablishedMen.com, and with the breach receiving global media coverage, its plans to float Ashley Madison on the London Stock Exchange look dead in the water. Meanwhile, the hackers are threatening to release customers’ real names, nude photos, credit card details and sexual preferences, so one would suspect that the reputational damage incurred spells the end for Ashley Madison altogether.
Moving up the stack
While it has been suggested that the breach at Ashley Madison was connected to an insider, SecureData believes the attack could just as easily have been orchestrated from outside the business, for example through SQL injection against the site or through some other exploitable ‘back-door’ vulnerability that gave the attackers a way in.
One of the main challenges organisations face today is that as firewalls and intrusion detection systems (IDSs) have matured, hackers have set their sights higher up the stack, targeting vulnerabilities in the web application software itself rather than at the network or server level. Known as ‘web application attacks’, these were identified as one of the leading causes of confirmed data breaches in 2014. As such, Web Application Firewalls (WAFs) are today an essential line of defence for any organisation holding personal information on a dynamic website where users submit their own details. A WAF sits in front of the web application and inspects each HTTP request (URL, parameters, headers and cookies) for known attack patterns such as SQL injection and cross-site scripting, blocking malicious traffic before it reaches the application.
When implemented as part of a security-monitoring infrastructure, they can also provide much greater visibility into application traffic than conventional firewalls and IDSs. Any organisation handling or holding customer credit card information will know that the Payment Card Industry Data Security Standard (PCI DSS) expects public-facing web applications to be protected either by regular application-layer vulnerability assessment or by a WAF (Requirement 6.6), and the WAF is the option most organisations choose. High-profile data breaches are also driving organisations to proactively evaluate WAF solutions as a means to minimise business risk from unprotected web applications. Yet large-scale adoption remains slow, with businesses fearing they lack the time, expertise and budgets necessary to manage these appliances. Although WAF vendors bill their appliances as ‘plug and play’, the reality is that they have to be implemented and configured correctly, otherwise the risk of compromise can go up rather than down.
Time to out-task
The majority of customers that we work with came to us because they were struggling to keep on top of managing their WAF, or because they had been subject to multiple attacks. A common issue is that organisations are reluctant to switch on the WAF’s blocking capability in case it impacts their website’s performance and blocks legitimate traffic. The result is a WAF that runs in detection-only mode indefinitely: it logs attacks but stops none of them, so the organisation carries the cost of the appliance without the protection. Turning blocking on safely means tuning the policy against real traffic first so that false positives are understood and removed.
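To make the two points above concrete (a signature-based WAF in detection-only versus blocking mode, and why the injection hole it covers should also be fixed in the application), here is a small added illustration. It is example code written for this page, not SecureData’s or F5’s, and the signatures, the sample requests and the in-memory user table are all constructed for the demonstration rather than taken from any real rule set or site.

```python
import re
import sqlite3

# Constructed, deliberately simple signatures in the spirit of common SQL
# injection rules. They are an assumption for this example, not a vendor's rules.
SQLI_SIGNATURES = [
    (r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+", "tautology (' OR '1'='1)"),
    (r"(?i)\bunion\b.*\bselect\b", "UNION ... SELECT"),
    (r"(--|#|/\*)", "SQL comment sequence"),
    (r"'\s*;", "statement terminator after a quote"),
]


def inspect_request(params, mode="detect"):
    """Run every request parameter through the signatures.

    mode="detect": record matches but let the request through (the
                   'transparent' deployment many sites never leave).
    mode="block":  drop the request if any signature fires.
    Returns the decision and the list of (parameter, rule) matches.
    """
    findings = []
    for name, value in params.items():
        for pattern, label in SQLI_SIGNATURES:
            if re.search(pattern, value):
                findings.append((name, label))
    allowed = not (mode == "block" and findings)
    return {"allowed": allowed, "findings": findings}


def make_db():
    """Constructed in-memory user table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def vulnerable_lookup(conn, username):
    # String-built query: the classic injection hole the WAF is trying to cover.
    sql = "SELECT id, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    # Parameterised query: the value can never change the statement's structure,
    # so the same payload is just a username that matches nobody.
    return conn.execute(
        "SELECT id, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run an attack and a legitimate request through both WAF modes and
    against both versions of the lookup; returns everything for checking."""
    conn = make_db()
    payload = "alice' OR '1'='1"          # constructed attack value
    legit_message = "Let's meet at Union Station, then select a bar -- any is fine"
    return {
        "attack_detect": inspect_request({"username": payload}, mode="detect"),
        "attack_block": inspect_request({"username": payload}, mode="block"),
        # A normal dating-site message trips two signatures: the false positive
        # that makes teams afraid to turn blocking on.
        "legit_block": inspect_request({"message": legit_message}, mode="block"),
        "vulnerable_rows": vulnerable_lookup(conn, payload),
        "safe_rows": safe_lookup(conn, payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running it shows the trade-off in one place: in detect mode the attack is logged but still reaches the string-built query and returns every user; in block mode it is stopped, but so is an innocent message containing the words “union”, “select” and “--”. The parameterised lookup returns nothing for the same payload regardless of what the WAF does, which is why the appliance should be treated as a compensating control around application fixes rather than a substitute for them.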
Moreover, a WAF policy must be reviewed regularly, at least once or twice a year, and whenever the website it protects changes, since any new page, parameter or form needs a corresponding change to the policy. Attack signatures, geo-location data and IP address intelligence need to be kept current far more frequently, as the vendor releases them, and each update then has to be synchronised to the WAF appliance. All of this takes time and a level of expertise that many organisations just don’t have in house. Adopting WAF as a managed service addresses these challenges head on. Out-tasking the time-consuming, complex management tasks associated with a WAF to a Managed Security Services Provider (MSSP) can save you up to 145 hours per month. It also ensures comprehensive application security and protection, with policies configured and updated continuously, together with 24x7x365 proactive monitoring and management of the appliance itself. As an F5 Gold Partner, SecureData offers F5’s Application Security Manager (ASM) as a managed service that enables organisations to tighten application security, protect against the OWASP Top Ten (the most critical web application risks identified by the Open Web Application Security Project), and enforce policies around apps loaded via App Stores.
It also addresses other attack types, such as zero-day exploits, brute-force attacks (forced logins), website scraping (content theft) and DDoS (Distributed Denial of Service) attacks. We believe an appliance such as the ASM could have protected the Ashley Madison website at both its public-facing front end and its back end. Of course, technology is only one line of defence. To truly mitigate risks and vulnerabilities, the right people and processes are also crucial. This is where a service such as SecureData GI comes in to complete the security loop. In a world where everyone has some form of sensitive data to protect, partnering with a Managed Security Services Provider like SecureData can improve your security posture immensely. Crucially, it can also bring huge savings, especially when considered against the reputation and revenue costs of a breach. Contact us today for a review of your current environment, information security policies and web application protection requirements.