More than 56% of cybercriminals think that the winter holidays are the best time for corporate hacking. The survey was conducted a few years ago at DEF CON, but its respondents could not be more right, in any year.
Usually, organizations freeze their technology development and security patching, citing the fact that most employees are away for a week or two. At the same time, with Christmas being one of the highest-sales-volume periods, application changes are inevitable. This conflict of interests leaves a vulnerability window, however small, that hackers can exploit.
How else would you explain the sudden rise in malware circulation and phishing emails during the holiday season? Sony PlayStation and Microsoft Xbox received bad publicity last year with the so-called ‘Christmas Hack’. The same has happened to hotel chains such as Sheraton and Westin, and to Trump Hotels.
Across sectors, people are keener to spend money in December, around Christmas and New Year. That is probably why almost all marketing and sales efforts are put on hold just before the winter holidays.
Both B2B and B2C companies invest heavily in winter sales-surge activities, where security often takes a back seat. It is also a huge bid to close the last quarter of the year on a high. Both traffic and online payments obviously rise in these months, leaving little time to focus on anything else.
In one of our previous posts, we talked about how overlooking security and updates can lead to undetected OWASP vulnerabilities that pose data breach and server downtime risks. Shouldn’t closing them be the first step to making people comfortable with sharing card information online, and of course to preventing exploitation? Unfortunately, many organizations know little about it.
We understand that security can often be daunting. What are the matters you should really look into? Why is there a new kind of threat every few weeks? How can someone monitor threats?
Gartner estimates that 70% of all hacks happen at the application layer. These applications are complex to build and even harder to diagnose when something is wrong, given that a major chunk of the code comes from open source. In fact, only last December, AliExpress from the Alibaba marketplace was found to have a Cross-Site Scripting (XSS) vulnerability that allowed attackers to take over a few merchant accounts.
So, what’s the solution? It is critical for organizations to find weaknesses within their framework even when human resources are unavailable or simply too busy for the task. That is when Web Application Scanning becomes so critical: it not only finds vulnerabilities continuously but also helps you prioritize what needs your attention first.
A Web Application Firewall is the other important piece of the process; it blocks attacks from hackers even when you cannot repair or patch the application. It becomes even more important if the package includes DDoS protection, which is a major cause of concern for most businesses during the holiday season.
No matter what kind of security mechanism you invest in, machine logic has limitations. Take business logic vulnerabilities, for instance. A business logic flaw is an application vulnerability that arises from a circumstantial security weakness.
Machines, unlike human brains, work on simplified binary logic. They respond to conditions that must lead to a simple ‘YES’ or ‘NO’, and nothing in between. People running businesses, on the other hand, think. They make decisions, often quickly and frequently, based on whatever information is available, and that can create logic loopholes that even automated scanning cannot detect.
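To make the point concrete, here is an added illustration (it is not code from the original post or from Indusface) of the kind of logic loophole a scanner walks straight past. The catalogue, prices and coupon code are constructed sample values. Every request to `checkout_flawed` is well-formed and returns a normal result, so a scanner that probes for malformed input sees nothing wrong; only someone who knows the business rules (quantities must be positive, a coupon is used once, a bill is never negative) recognises the flaw. `checkout_hardened` states those rules explicitly.

```python
# Added example (not the original post's code): a checkout whose inputs are all
# syntactically valid, so automated scanning sees nothing wrong, yet whose
# business logic can be abused. All prices and coupons below are constructed.
from dataclasses import dataclass, field

CATALOG = {"sku-1001": 40.00, "sku-2002": 15.50}   # constructed sample prices
COUPONS = {"WINTER10": 10.00}                       # constructed flat-discount coupon


@dataclass
class Order:
    items: dict                       # sku -> quantity
    coupons: list = field(default_factory=list)


def checkout_flawed(order: Order) -> float:
    """Computes a total without ever questioning the business rules.

    A negative quantity silently becomes a refund, and the same coupon can be
    stacked as often as the client likes. No request is malformed, so a scanner
    looking for errors or injection never flags this path.
    """
    total = sum(CATALOG[sku] * qty for sku, qty in order.items.items())
    for code in order.coupons:
        total -= COUPONS.get(code, 0.0)
    return round(total, 2)


def checkout_hardened(order: Order) -> float:
    """Same flow, with the rules a human would state written down as checks."""
    if not order.items:
        raise ValueError("empty order")
    total = 0.0
    for sku, qty in order.items.items():
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku}")
        if not isinstance(qty, int) or qty < 1:
            raise ValueError(f"quantity for {sku} must be a positive integer")
        total += CATALOG[sku] * qty
    seen = set()
    for code in order.coupons:
        if code not in COUPONS:
            raise ValueError(f"unknown coupon {code}")
        if code in seen:
            raise ValueError(f"coupon {code} applied more than once")
        seen.add(code)
        total -= COUPONS[code]
    # A discount may bring the bill to zero but never below it.
    return round(max(total, 0.0), 2)


def compare(order: Order) -> dict:
    """Runs both versions on one order so the difference is visible side by side."""
    try:
        hardened = checkout_hardened(order)
    except ValueError as exc:
        hardened = f"rejected: {exc}"
    return {"flawed": checkout_flawed(order), "hardened": hardened}


if __name__ == "__main__":
    legit = Order({"sku-1001": 1}, ["WINTER10"])
    abusive = Order({"sku-1001": 1, "sku-2002": -3}, ["WINTER10"] * 4)
    print("legitimate order:", compare(legit))    # both give 30.0
    print("abusive order:   ", compare(abusive))  # flawed pays the customer 46.50
```

The abusive order is the one to watch: the flawed version returns a negative total, which a payments back end would treat as money owed to the customer, while the hardened version rejects it at the first negative quantity. Neither path produces an error code or unusual response shape, which is exactly why this class of flaw needs a person who understands the business reading the logic.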
False positives are one such problem, and they cost companies millions every year. A false positive is basically a false alarm caused by a flaw in logic. Think of a security guard whose job is to keep suspicious individuals out of your property, but who instead denies access to your family members because of some misplaced understanding of what you told him. Wouldn’t that frustrate you to the point of firing that guard? A web application firewall can face the same problem.
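The security-guard analogy maps directly onto signature rules. The added example below (it is not code from the original post or from any Indusface product) runs two rule sets over a handful of constructed order-form values: a naive rule that blocks any field containing a standalone SQL keyword, and a context-aware rule that requires the keyword to appear in an SQL-shaped clause. Neither misses the one attack-shaped sample, but the naive rule turns away four legitimate customers (the "family members"), and even the context-aware rule still blocks one ordinary sentence, which is the residual judgment call that a human analyst, not the machine, has to make.

```python
# Added example (not the original post's code): how a simplistic WAF rule
# produces false positives, and how tightening the context reduces but does not
# eliminate them. Every sample string below is constructed for illustration.
import re

# Naive signature: any standalone SQL keyword anywhere in the field is "bad".
NAIVE_RULES = [re.compile(r"(?i)\b(select|union|drop)\b")]

# Context-aware signature: the keyword has to sit inside an SQL-shaped clause.
CONTEXT_RULES = [
    re.compile(r"(?i)\bselect\b.+\bfrom\b"),
    re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b"),
    re.compile(r"(?i)\bdrop\b\s+table\b"),
]

# (field value, is_attack) -- constructed order notes and delivery addresses.
SAMPLES = [
    ("14 Union Street, Flat 2", False),
    ("Please select gift wrap", False),
    ("Drop off parcel at reception", False),
    ("Select the blue one from the list", False),
    ("' UNION SELECT username, password FROM users--", True),
    ("Ring the bell twice", False),
]


def is_blocked(rules, value: str) -> bool:
    """True when any rule in the set matches the field value."""
    return any(rule.search(value) for rule in rules)


def evaluate(rules, samples) -> dict:
    """Counts legitimate values wrongly blocked and attacks wrongly allowed."""
    false_positives = sum(
        1 for value, is_attack in samples if not is_attack and is_blocked(rules, value)
    )
    missed_attacks = sum(
        1 for value, is_attack in samples if is_attack and not is_blocked(rules, value)
    )
    return {"false_positives": false_positives, "missed_attacks": missed_attacks}


def blocked_legitimate(rules, samples) -> list:
    """Lists the 'family members' a rule set turns away, for analyst review."""
    return [v for v, is_attack in samples if not is_attack and is_blocked(rules, v)]


if __name__ == "__main__":
    for name, rules in (("naive", NAIVE_RULES), ("context-aware", CONTEXT_RULES)):
        print(name, evaluate(rules, SAMPLES))
        for value in blocked_legitimate(rules, SAMPLES):
            print("   wrongly blocked:", repr(value))
```

Running it shows the naive set at four false positives and the context-aware set at one ("Select the blue one from the list" contains both `select` and `from`), with zero missed attacks either way. That last false positive is the point of the paragraph above: no regex can know that this particular customer is asking about colours, so the remaining decision belongs to a person reviewing the blocked traffic rather than to a tighter pattern.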
That is why larger organizations will inevitably look for security options that bring the human advantage into the equation.
Since we have already talked about how human involvement decreases around the holiday season, how about a security team that works for you day in and day out?
Indusface’s Total Application Security is a completely managed web application scanning and firewall solution. It allows you to focus on key business activities at any time of the year while a dedicated security team looks after your security on the principle of ‘Detect, Protect, and Monitor.’
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface over the past 6 years. Prior to this, as CTO @indusface, Venky built the product/service offering and the technology team from scratch, and grew it from ideation to its first customers with a proven, validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and held various management and leadership roles in Product Development, Professional Services and Sales @Entrust.