By Cliff Turner, Sales Engineer, Alert Logic
bfw Advertising is a full service advertising agency with expertise in building websites. However, bfw Advertising does not have expertise in cloud or Web Application Firewall (WAF) technologies. In order to focus on its business, bfw Advertising turned to Rackspace Managed Cloud and Alert Logic.
The south Florida-based agency boasts a strong client list that spans industries from aerospace to healthcare to travel and more. It also has a strong interactive department that offers website design and development, with in-house Microsoft certified web developers who build websites, intranets, extranets, applications and more for multiple clients.
A Rackspace customer for years, bfw Advertising recently moved its infrastructure to the Rackspace Managed Cloud, to take advantage of new functionality and to reduce costs, while also remaining in a fully managed environment. Moving to the managed cloud gave bfw Advertising an opportunity to take a fresh look at security technology that could further protect its customers’ websites and applications.
Web Application Firewall (WAF) Basics
Since bfw Advertising hosts many of the websites and web applications it develops for clients, one of the first technologies that Rackspace suggested bfw Advertising evaluate to protect its clients was a Web Application Firewall (WAF). A WAF examines web traffic, looking for suspicious activity and filtering out bad traffic, based on rules set by the user or by the WAF itself, which learns normal website behavior over time and blocks abnormal behavior.
WAF Example: SQL Injection
To better understand how a WAF works, let’s look at a quick example. While there are countless ways to try to breach websites, according to the Open Web Application Security Project (OWASP), the most popular method is SQL injection. In a SQL injection attack, malicious SQL statements are inserted into an entry field, for example to dump the database contents if the attacker is looking to access the data, or to erase the data if the attacker is simply out to cause trouble.
Here’s an example where someone is using a shopping cart application to buy a new winter coat. In the entry boxes, the buyer selects their category and item and the web application would translate their selections into SQL code and make a database request.
The SQL code would go to the database looking something like this:
In a SQL injection, an attacker adds some malicious SQL code to the URL in hopes of finding a vulnerability that enables them to do some damage, like the example here of dropping a table from the database which would remove some information.
A WAF would stop that from happening by examining the URL request, and if it contains anything malicious (like the example above), the WAF would simply not pass the request on to the website.
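As an added illustration (not code from the original post or from Alert Logic's product), the Python sketch below inspects the query string of a request the way the paragraph above describes and refuses the one carrying a stacked DROP statement. The shop.example URLs, the orders table name and the four signatures are constructed for the example; it also contrasts an over-broad rule that refuses a legitimate item name.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed signatures for illustration; real WAF rule sets are far larger.
SQLI_SIGNATURES = [
    ("stacked-statement",
     re.compile(r";\s*(drop|delete|update|insert|alter|truncate)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("quote-tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("quote-then-comment", re.compile(r"'\s*(--|#|/\*)")),
]

# Constructed sample requests (shop.example and "orders" are placeholders).
NORMAL = "https://shop.example/cart?category=coats&item=winter"
INJECTED = ("https://shop.example/cart?category=coats"
            "&item=winter'%3B%20DROP%20TABLE%20orders--")
DOUBLE_ENCODED = ("https://shop.example/cart?category=coats"
                  "&item=winter%2527%253B%2520DROP%2520TABLE%2520orders")
LEGIT_ODD = "https://shop.example/cart?category=coats&item=O%27Neill+drop-shoulder"


def inspect_request(url):
    """Return (allowed, findings) for the query parameters of one URL."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double encoding.
        candidates = {value, unquote_plus(value)}
        for rule, pattern in SQLI_SIGNATURES:
            if any(pattern.search(c) for c in candidates):
                findings.append((name, rule))
    return (not findings, findings)


def naive_inspect(url):
    """Over-broad rule: refuse any quote or SQL keyword in the query."""
    query = unquote_plus(urlsplit(url).query)
    return re.search(r"'|drop|select", query, re.I) is None


if __name__ == "__main__":
    for url in (NORMAL, INJECTED, DOUBLE_ENCODED, LEGIT_ODD):
        allowed, findings = inspect_request(url)
        print("PASS " if allowed else "BLOCK", url, findings)
    print("naive rule passes O'Neill item:", naive_inspect(LEGIT_ODD))
```

The per-parameter signatures pass the item name containing an apostrophe and the word "drop", while the over-broad rule refuses it, which is the kind of false positive that WAF tuning has to remove.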
Alert Logic Web Security Manager at bfw Advertising
A well-documented challenge with WAFs is tuning them. WAFs require expert tuning and management to be effective; otherwise, they can impact site availability by blocking legitimate traffic, or they are tuned down to a level where they are no longer effective. And to be a WAF tuning expert, you typically have to be an expert in web applications, security and WAFs. So, to protect its clients’ web applications, bfw Advertising chose to work with Alert Logic Web Security Manager. Web Security Manager offered the WAF capabilities the agency needed, but even more important to bfw Advertising is that the Alert Logic WAF comes fully managed, so it could get the benefits of a WAF without having to become a WAF expert itself.
Earlier this week, we published a new white paper titled, “Weighing Risk Against the Total Cost of a Data Breach,” on Akamai.com. Ordinarily, a white paper wouldn’t be a particularly interesting subject for a blog post, but this one explores a topic that has generated a lot of questions from our customers – how do I financially justify a Web application firewall solution to my management?
We normally get this question from technology people who know that they need a solution to protect their Web applications against bad things like SQL injections, cross-site scripting, or remote file inclusions, but don’t know how to tie that protection to the business goals that their upper management cares about. This question is particularly vexing because a Web application firewall doesn’t follow the same ROI model that our customers are used to using when evaluating a technology solution. A Web application firewall doesn’t increase revenue, productivity, or customer engagement. Nor does it reduce CAPEX or OPEX in a regular, predictable manner.
What a Web application firewall does do is reduce risk. It reduces the risk of a harmful event occurring – in this case, of a data breach that can present a financial cost several orders of magnitude greater than that of the solution itself. The white paper dives into all of the different sources that can contribute to that cost and offers a simple (and industry-accepted) formula to estimate it up front.
Does it provide an exact calculation of those costs? No – we’ve found that this is different for every customer and varies between industries, size of organization and region or geography. For example, in the US (and in Europe), the costs are particularly high, while in Asia the costs are more contained but seem to be rising.
Does implementing a solution guarantee that a data breach will never occur? Again, no – Bill Brenner recently made a great post that, while tongue-in-cheek, tried to explain that no security solution is ever 100 percent effective. In addition, we’ve seen that attackers utilize a variety of methods to get past IT defenses, including social engineering tactics like spear phishing, malware installed at the point of sale, as well as exploiting vulnerabilities of Web applications. However, Verizon’s 2014 Data Breach Investigations Report showed that more data breaches went through the Web application in 2013 (35 percent) than any other category, making it the largest risk to organizations and the area that we recommend our customers address first.
What the white paper does is present a method through which you can estimate the financial cost of a business-threatening event against your organization, allowing you to then weigh that against the cost of a solution and the risk that such an event will occur. This can be a great resource to help justify the purchase of a Web application firewall that can help you better protect your data. Because at the end of the day, a Web application firewall is all about reducing the risk and possible financial impact of a data breach, and having a better understanding of the financial impact and a sound method to estimate it upfront can only lead to a more informed decision.
The data center perimeter is dead – web assets cannot be protected by a fortress wall – but a historical view of web protection lives on in the way many IT departments continue to defend their infrastructures. Websites and web applications increasingly live outside the data center. Cloud-based applications and websites are at constant risk from web threats that are becoming more damaging and sophisticated by the day.
Akamai advises organizations to avoid becoming the next cyber-attack victim in the headlines by making a critical evaluation of cybersecurity practices – and then taking steps to extend multi-layered security controls to the cloud. Of course, before you can even start to build a multi-layered web defense, you must understand your enemy and its weapons.
Generally, attacks fall into two categories: Distributed denial of service (DDoS), which is also called denial of service (DoS), and hacks against web applications that steal data, such as SQL injection and other command injection attacks.
Akamai predicts that by 2020, the average distributed denial of service (DDoS) attack will generate 1.5 Tbps of network traffic, but even today’s large and sophisticated denial of service attacks can easily overwhelm available IT resources. The more you understand the nuances of different types of DDoS attacks and web threats, the better you can determine how they will affect your network.
A mind-boggling array of DoS and DDoS attacks occur at the network layer. These can be grouped into two broad categories: simple flooding and amplification attacks. Several tools are readily available to attackers to automate the process of creating both types of attacks, allowing malicious actors with no technical background to quickly and easily threaten their choice of website.
Attacks at the application layer are also common and often very sophisticated. They consist of high bandwidth attacks and low-bandwidth denial of service attacks, Domain Name System (DNS) attacks, and attacks that steal data. Attempts to steal data are most likely to take the form of command injection attacks where a hacker injects commands into a vulnerable application. The attacker can then execute these commands to view data, wipe out data, or take over the machine.
Akamai advises practicing good web-application hygiene by using a secure software development lifecycle that includes secure configuration, updates, patches, and secure validation. In addition, a web application firewall (WAF) with anti-DoS capabilities provides a strong line of defense against application-layer attacks such as SQL injection commonly used to cover data theft. The eBook goes into greater detail on how to ensure good web-application hygiene and what to look for in a WAF.
With knowledge you can identify and close network vulnerabilities before your company is harmed. And the reality is that it is when, not if, your network will be threatened by cyber-attackers.
To that end, Akamai has released a free eBook, Threats and Mitigations: A Guide to Multi-Layered Web Security that covers important information that you need to know about the types of cyber threats, how to secure your sites, how to protect web applications from data theft, the different types of cybersecurity solutions, and how to make your network less vulnerable to attack.
There is no one solution to cybersecurity. Before you sign on the dotted line, know the key differences between on-premise hardware and cloud-based services; learn about the strengths of Security Operations Centers (SOCs) and Content Delivery Networks (CDNs) and of always-on services versus on-demand services. The eBook includes a guide to asking the right questions when seeking a web security services provider.
The fortress can no longer be defended by traditional methods, but it can be defended. The cyber battlefield keeps changing with powerful attacks that can down the websites and web applications of global brands, but you don’t have to become a victim. Learn how to defend your web and cloud resources – and win. The free Akamai eBook “Threats and Mitigations: A Guide to Multi-Layered Web Security” explains how. Download it today and learn how to build the strongest defense to protect all of your network assets and web applications.