Can you afford to cut back on web application security?

Every data breach is costly, but it doesn’t take a sophisticated attacker to get your company into big trouble. Web application security is your first line of defense – and here’s why you cannot afford to drop your guard.

Perhaps you feel that security vendors are trying to sell you something by scaremongering. After all, the chances that your business is going to be the next breach victim like Capital One or Equifax are probably as remote as the Titanic sinking. That’s true, but what you may not realize is that it’s not just Russian spies, cybercriminal gangs, or professional hackers that are a danger to your money. In the world of IT security, even an experimenting teenager or an opportunist thief could cost you so much that you may have to go out of business, and while that is less probable, it’s still possible.

“Hacking” is easy!

In the early days of hacking, every person who wanted to discover ways to go around security measures was basically on their own. That’s why the term hacker was originally associated with people with exceptional skills. With the development of the Internet, blockchain payments, and the dark web, now “hacking” for easy money is child’s play. For every common vulnerability, you can readily find an exploit that is easier to use than your web browser. Very often, all you have to do is point it and press a button. And there’s no problem with getting unmarked cash in a white envelope – we’ve got bitcoins for that.

The world is, unfortunately, full of people wanting to make a quick buck, and they’re not like the professional car thieves from movies who spend hours figuring out how to get around immobilizers. They’re like those misled kids who walk along a street and pull on every car door handle to find one that’s unlocked for a joyride. And then they crash it for fun or rip out your radio. It’s the same with your web applications – these script kiddies, as we call them, are not after your complex, password-protected sensitive data. Instead, they’ll have fun and deface your front page or drop in user-friendly, press-one-button ransomware to get you to pay them some bitcoins.

Want proof that the world is full of such culprits? Well, since the change of CEO, we at Invicti have been regularly receiving emails and phone text messages pretending to be from Michael George. Just think of the audacity or cluelessness of those sending those messages – they’re sending them, unencrypted, from easily traceable sources, to a company that deals with IT security. That’s the kind of people you’re facing every day – those downloading easy-to-use “hacking” tools and pointing them at your site without even thinking, just to try and make that quick bitcoin or simply have some fun.

What will that cost you?

“I’m fine,” you’re thinking. You’re taking care of all your major systems. They’re regularly scanned, and you’re prioritizing all the major vulnerabilities to make sure you have no RCEs in primary business systems. You might also have WordPress sites made by your marketing for campaigns, but there’s no sensitive data there, so there’s no point in worrying about them. You might not even scan them at all. After all, what’s the worst that could happen?

We have bad news.

Let’s assume that a script kiddie has managed to hack into one of your campaign sites and defaced the front page. What’s next?

Primary attack target forensics

First of all, you need a forensics expert to analyze your system, and you need to take that system down immediately. The cost of taking down a marketing campaign for a few days may not be that huge, so things are looking okay so far. Since you don’t hire IT forensics experts full-time, you spend some time finding a contractor, signing a contract, and getting them to start working. And the clock is ticking.

Secondary target forensics

The forensics expert goes into the defaced site and confirms that the attacker could have downloaded the whole WordPress database with all logins and passwords used by your marketing team. One of your marketing employees admits that they’re using the same login and password for the campaign site as for your primary business site, and the password is just 6 characters long, so it could be cracked in a few seconds (even though it contains a number, a capital letter, and a special character).

So, the next thing your forensic expert does is look at your primary business site logs. There, they see access attempts from the same IP as in the case of the campaign site hack. They recommend that you take down your primary business site for a while and perform deep analysis. Tick. Tock. Tick. Tock. Now your primary site is down for hours or days.
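The correlation step the forensics expert performs above (looking for the IP that attacked the campaign site in the primary site’s access logs) can be scripted as a first triage pass. This is an added example, not code from the original post: the log lines and IP addresses are constructed, and the common "combined" web server log format is assumed.

```python
import re

# Constructed sample access logs in the common combined format (not real data).
CAMPAIGN_LOG = """\
203.0.113.45 - - [10/Mar/2023:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "python-requests/2.28"
203.0.113.45 - - [10/Mar/2023:02:14:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 9210 "-" "python-requests/2.28"
198.51.100.7 - - [10/Mar/2023:02:20:31 +0000] "GET /campaign HTTP/1.1" 200 3221 "-" "Mozilla/5.0"
"""

PRIMARY_LOG = """\
198.51.100.7 - - [10/Mar/2023:09:01:02 +0000] "GET / HTTP/1.1" 200 1422 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2023:02:31:55 +0000] "POST /login HTTP/1.1" 401 312 "-" "python-requests/2.28"
203.0.113.45 - - [10/Mar/2023:02:31:57 +0000] "POST /login HTTP/1.1" 200 2048 "-" "python-requests/2.28"
192.0.2.10 - - [10/Mar/2023:10:15:00 +0000] "GET /pricing HTTP/1.1" 200 5600 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, path and status code from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoints on the campaign (WordPress) site that a defacer would typically need.
SENSITIVE_PREFIXES = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php")

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_ips(campaign_text):
    """IPs that touched login/admin endpoints on the compromised campaign site."""
    return {
        e["ip"] for e in parse_log(campaign_text)
        if any(e["path"].startswith(p) for p in SENSITIVE_PREFIXES)
    }

def correlate(campaign_text, primary_text):
    """Map each suspicious campaign-site IP to its requests on the primary site."""
    watch = suspicious_ips(campaign_text)
    hits = {}
    for e in parse_log(primary_text):
        if e["ip"] in watch:
            hits.setdefault(e["ip"], []).append((e["ts"], e["method"], e["path"], e["status"]))
    return hits

if __name__ == "__main__":
    for ip, events in correlate(CAMPAIGN_LOG, PRIMARY_LOG).items():
        print(ip)
        for ts, method, path, status in events:
            print(f"  {ts} {method} {path} -> {status}")
```

A 401 followed by a 200 on the primary site’s login endpoint from the same IP is exactly the pattern the reused credentials would produce, and it is what should trigger the deeper analysis the expert recommends.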

Et tu, Brute?

As you lose more and more money because further systems are found to be potentially affected and need to be taken down for deep analysis, you’re being stabbed from yet another direction. Someone saw your defaced site, found it very funny (the attacker was creative), and posted it all over social media. A commentary video making fun of your brand is now hitting millions of views on TikTok with a catchy song.

Your customer service center agents are now working 24 hours a day with unending calls and messages from customers worried about their data and money. Your channel teams are sweating – your partners are worried about supply chain effects. Your PR department is trying to reach out to all the news sources and issue statements that will mitigate potential business losses as much as possible. It’s not the catchy TikTok video and the mockery that’s the problem. It’s the fact that a lot of people now know that you’ve been hacked and are losing trust in you.

This Armageddon luckily quiets down in a few days, but it’s going to have long-term consequences. You’ve lost a lot of business, which means you may be unable to afford some new initiatives, and that will cost you even more business. You may have to lay off employees, which makes other employees unhappy and uneasy and more likely to leave (including those difficult-to-find security experts). There is that gloomy feeling that your HR must now spend months to reverse.

Scaremongering? What do you think?

All in all, while this may seem like a drastic scenario, that’s pretty much what happens with every security breach. What costs you most is not the credit card numbers that were stolen. It’s the business lost because your web applications had to be taken offline and because the company can do very little except focus on all the activities associated with the hack. Not to mention the long-term consequences. Your perceived savings now are very likely to cost you a lot more later and cause irreparable damage.

Are we scaremongering? No, we’ve simply seen this happen way too many times. For example, SolarWinds has spent more than $18 million already on remediating the events of December 2020. That’s why, while we understand that your resources are limited and you must prioritize your security activities, we urge you to try to focus your cuts elsewhere. Don’t ignore that campaign site – you don’t have to prioritize it, but do make sure it’s not completely forgotten. Find every site you have (by using web asset discovery) and make sure it’s there in the scanning queue.

About the Author

Tomasz Andrzej Nidecki - Principal Cybersecurity Writer

Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and has been behind the Acunetix by Invicti blog since early 2019.