bankingtech.com

Four cyber security risks not to be taken for granted in 2015

  • Written by FinTech Futures
  • 12th January 2015
Ilia Kolochenko is chief executive of High-Tech Bridge and chief architect of ImmuniWeb

With Sony the latest victim of hacking, large organisations are witnessing yet again how data breaches cause serious damage, to the tune of millions. The prevalence of hacking in the media raises the question: what is in store for 2015? writes Ilia Kolochenko

Against a background of more frequent and more dangerous XSS attacks, with third-party code and plugins remaining the Achilles' heel of web applications and chained attacks on the rise, organisations will be looking for new ways to protect their online properties.

Unfortunately, it is difficult to make information security predictions, and even more difficult to verify them afterwards: the only measure we have of how well defences worked is the number of public security incidents, and the majority of data breaches are never detected at all.

Nevertheless, here are some web security predictions based on simple economics, namely what gives attackers the best profit/cost ratio:

1. XSS will become a more frequent and dangerous attack vector

It is very difficult to find high- or critical-risk vulnerabilities in mature, well-known web products (e.g. Joomla, WordPress, SharePoint). Low- and medium-risk vulnerabilities such as XSS, however, will keep appearing regularly. Skilful exploitation of an XSS can achieve the same outcome as an SQL injection: a script running in an administrator's browser can read the session cookie or issue requests with the administrator's privileges, and so take over the application. Attackers will therefore rely on XSS more and more to reach their goals.

Indeed, an XSS on a subdomain puts the entire web application at risk. Many large companies deploy a web application firewall (WAF) and regularly commission penetration tests for their main, most critical website, while ignoring the security of numerous subdomains they consider "less important" for business continuity. The problem is that, for the sake of simplicity, usability and compatibility, cookies set by the main website (e.g. www.site.com) are often scoped to the parent domain and are therefore valid for every subdomain (education.site.com, jobs.site.com and so on).

This means that an XSS vulnerability on a forgotten subdomain can be used to steal cookies belonging to the main website, or to other subdomains (e.g. e-banking.site.com, if it also sets cookies for *.site.com), even when those sites run on completely different servers in different datacentres. It is the cookie's Domain attribute, not the server that set it, that decides where the browser will send it. Marking such a cookie HttpOnly stops the injected script from reading it, but the script can still fire authenticated requests at the main site, and a compromised subdomain can plant its own cookie for the parent domain (cookie tossing) to fix a victim's session.

Quite often, particularly in large companies, different departments run their own websites and subdomains for testing purposes. These are not designed to be secure, yet their presence endangers the company's entire web infrastructure. That is without even considering the case where a test area sits directly on the main website (e.g. www.site.com/secr3t/beta1/) and can be found with a Google search.
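The check a practitioner would want after reading the two paragraphs above is a cookie-scope audit: take the Set-Cookie headers each host emits and work out which cookies become visible to an XSS on a sibling subdomain. The script below is an added example, not code from the article or from ImmuniWeb; the hosts and headers under site.com are constructed for illustration, and the matching rule follows RFC 6265 (a host-only cookie returns only to the host that set it, a Domain cookie goes to that domain and every subdomain of it).

```python
"""Audit Set-Cookie headers for cookies that leak to sibling subdomains.

Added example, not code from the original article. The headers and hosts
below are constructed (hypothetical hosts under site.com).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

READABLE = "readable via document.cookie by script on this host"
HTTPONLY_ONLY = ("not readable by script on this host, but still attached to "
                 "requests that script makes to the setting host")


@dataclass
class Cookie:
    name: str
    set_by: str            # host that sent the Set-Cookie header
    domain: Optional[str]  # Domain attribute; None means host-only
    http_only: bool
    secure: bool


def parse_set_cookie(set_by: str, header: str) -> Cookie:
    """Parse one Set-Cookie header value using RFC 6265 attribute syntax."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain = None
    http_only = secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            # A leading dot is ignored by browsers: ".site.com" == "site.com"
            domain = value.strip().lower().lstrip(".")
        elif key == "httponly":
            http_only = True
        elif key == "secure":
            secure = True
    return Cookie(name, set_by.lower(), domain, http_only, secure)


def sent_to(cookie: Cookie, host: str) -> bool:
    """Would the browser include this cookie in a request to `host`?"""
    host = host.lower()
    if cookie.domain is None:
        return host == cookie.set_by
    return host == cookie.domain or host.endswith("." + cookie.domain)


def audit(cookies: List[Cookie], hosts: List[str]) -> List[Tuple[str, str, str]]:
    """Return (cookie, host, finding) for each cookie exposed on a host other
    than the one that set it. An XSS on that host sees exactly these cookies."""
    findings = []
    for c in cookies:
        for h in hosts:
            if h == c.set_by or not sent_to(c, h):
                continue
            findings.append((c.name, h, HTTPONLY_ONLY if c.http_only else READABLE))
    return findings


# Constructed sample: the main site scopes its cookies to the parent domain,
# the e-banking site uses host-only cookies (no Domain attribute).
SAMPLE_HEADERS = [
    ("www.site.com", "SESSIONID=abc123; Domain=.site.com; Path=/; Secure"),
    ("www.site.com", "csrftoken=t0k3n; Domain=site.com; Path=/; Secure; HttpOnly"),
    ("e-banking.site.com", "EBSESSION=xyz; Path=/; Secure; HttpOnly"),
]
HOSTS = ["www.site.com", "education.site.com", "jobs.site.com", "e-banking.site.com"]


def run_audit() -> List[Tuple[str, str, str]]:
    cookies = [parse_set_cookie(host, header) for host, header in SAMPLE_HEADERS]
    return audit(cookies, HOSTS)


if __name__ == "__main__":
    for name, host, finding in run_audit():
        print(f"{name:10s} {host:22s} {finding}")
```

Running it reports SESSIONID as readable by script on education, jobs and e-banking, csrftoken as attached-but-unreadable on the same three hosts, and nothing for EBSESSION: dropping the Domain attribute is what confines a cookie to the host that set it. In current browsers the `__Host-` cookie name prefix enforces that rule (no Domain, Secure, Path=/) so it cannot be undone by a later Set-Cookie from a subdomain.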

2. Third-party code and plugins will remain the Achilles' heel of web applications

While the core code of well-known CMSs and other web products is fairly secure today, third-party code such as plugins and extensions remains exposed, even to high-risk vulnerabilities. Web developers tend to forget that a single outdated plugin or third-party voting script endangers the entire web application. Hackers will obviously not miss such opportunities.

For example, WordPress itself may not be vulnerable, but WordPress plugins, which are often written by inexperienced coders with little security background, may be. At the same time plugins are unavoidable: organisations will always want some specific customised feature that no CMS provides by default. New vulnerabilities (or bypasses of previous patches) in major CMSs are announced from time to time, but they are a small minority and are usually quite complex to exploit.

A vulnerable plugin means a vulnerable CMS wherever that plugin is installed. The plugin runs in the same origin and with the same database credentials as the core, so by exploiting an XSS or SQLi flaw in a plugin an attacker can reach the admin password hash exactly as if the flaw were in the core code of the web application.
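To make the last point concrete, here is an added example (not code from the article, WordPress or any real plugin) of a plugin search feature with an SQL injection flaw beside its fixed form. The in-memory database, the `wp_users`/`wp_posts` tables and the admin row are constructed; the table names only echo the WordPress analogy. The plugin never touches the users table itself, yet because it shares the database connection, one injectable query in it hands over the core's credential store.

```python
"""A CMS plugin with an SQL injection flaw beside its fixed form.

Added example, not code from the article or from any real CMS or plugin.
Schema, data and table names are constructed for illustration.
"""
import hashlib
import sqlite3


def build_cms_db() -> sqlite3.Connection:
    """In-memory 'CMS': the core's users table plus the posts a plugin searches."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE wp_posts (id INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
    """)
    # Constructed admin credential (a plain SHA-256 here, only so the hash is recognisable).
    db.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)",
               (hashlib.sha256(b"correct horse battery staple").hexdigest(),))
    db.executemany("INSERT INTO wp_posts (post_title, post_content) VALUES (?, ?)",
                   [("Welcome", "First post"), ("Q4 results", "Revenue up")])
    return db


def plugin_search_vulnerable(db: sqlite3.Connection, term: str):
    """The plugin splices the user's search term into the SQL text: the classic flaw."""
    sql = ("SELECT post_title, post_content FROM wp_posts "
           "WHERE post_title LIKE '%{}%'").format(term)
    return db.execute(sql).fetchall()


def plugin_search_fixed(db: sqlite3.Connection, term: str):
    """Same feature with a bound parameter: the term is data and can never become SQL."""
    sql = "SELECT post_title, post_content FROM wp_posts WHERE post_title LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()


# Search term that closes the string literal, appends a UNION reading the core's
# users table (same column count as the plugin query) and comments out the rest.
INJECTION = "' UNION SELECT user_login, user_pass FROM wp_users -- "


def leaked_admin_hash(db: sqlite3.Connection):
    """What the attacker gets back from the plugin's search box: the admin hash,
    ready for offline cracking. Returns None once the plugin is fixed."""
    for title, content in plugin_search_vulnerable(db, INJECTION):
        if title == "admin":
            return content
    return None


if __name__ == "__main__":
    db = build_cms_db()
    print("vulnerable plugin leaks:", leaked_admin_hash(db))
    print("fixed plugin returns:", plugin_search_fixed(db, INJECTION))
```

The fixed version is not a WAF rule or a blacklist of quote characters; it is the bound parameter. The same discipline applies to the plugin's output side: every value it echoes into a page must be HTML-encoded, otherwise the XSS case from point 1 arises inside the admin interface.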

3. Chained attacks via third-party websites will grow

Nowadays it is hard to find a single critical vulnerability on a well-known website. It is much quicker, and therefore cheaper, for attackers to find several medium-risk vulnerabilities that together grant complete access to the site. Another trend is to attack a reputable website that the victim visits regularly: when hunting a C-level executive, attackers may compromise several high-profile financial websites or newspapers and plant an exploit pack that fires only for a specific combination of IP address, user agent and authentication cookie belonging to the victim. Such attacks are very hard to detect, because everyone else, including the site owner's own scanners, receives the clean page; only the victim ever sees the attack.

4. Automated security tools and solutions will no longer be sufficient on their own

Web application firewalls, web vulnerability scanners and malware detection services will not be effective if used in isolation or without human oversight. Both web vulnerabilities and web attacks are becoming more sophisticated and harder to detect, and human intervention is almost always needed to find all of the vulnerabilities. It is not enough to patch 90% or even 99% of them: attackers will find the last one and use it to compromise the entire website.
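The targeted exploit pack of point 3 is also the clearest illustration of why the automated scanning described in this point falls short. The example below is added here and is not code from the article or from any product. It models the gating logic the text describes (a script emitted only when IP, user agent and session cookie all match a hypothetical target) and puts a differential check beside it: fetch the same page under several client profiles and report any script that is not common to all of them. The page, the profiles and the `exploit-pack.js` placeholder are constructed; no real payload is involved.

```python
"""Selective exploit delivery versus a differential fetch.

Added example, not code from the original article. The target profile,
page content and script names are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Set


@dataclass(frozen=True)
class Client:
    ip: str
    user_agent: str
    session_cookie: str


# Hypothetical profile of the executive being hunted.
TARGET = Client("203.0.113.7", "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Firefox/34.0", "sid=7f3a")

CLEAN_PAGE = ("<html><body><h1>Markets</h1>"
              "<script src='/js/app.js'></script></body></html>")
GATED_SCRIPT = "//cdn.example/exploit-pack.js"  # placeholder name, not a real URL


def compromised_site(client: Client) -> str:
    """Model of the injected server-side gate: the extra script is emitted only
    when IP, user agent and cookie all match; everyone else gets the clean page."""
    if client == TARGET:
        return CLEAN_PAGE.replace(
            "</body>", f"<script src='{GATED_SCRIPT}'></script></body>")
    return CLEAN_PAGE


def script_sources(html: str) -> Set[str]:
    """Crude extraction of external script references, enough for a diff."""
    return set(re.findall(r"<script[^>]+src=['\"]([^'\"]+)['\"]", html))


def differential_check(fetch: Callable[[Client], str],
                       profiles: Dict[str, Client]) -> Dict[str, Set[str]]:
    """Fetch the page as each profile; return scripts that are not common to all.

    A scanner profile alone never trips the gate, so the check only finds
    anything when one profile reproduces the victim's real session (for
    instance a capture taken from the executive's own browser or proxy)."""
    seen = {name: script_sources(fetch(c)) for name, c in profiles.items()}
    common = set.intersection(*seen.values())
    return {name: srcs - common for name, srcs in seen.items() if srcs - common}


SCANNER = Client("198.51.100.9", "WebScanner/1.0", "")
ANALYST = Client("198.51.100.10", "Mozilla/5.0 (X11; Linux) Firefox/34.0", "sid=analyst")


def scanner_only_view() -> Dict[str, Set[str]]:
    """Two non-victim profiles: both get the clean page, nothing is reported."""
    return differential_check(compromised_site, {"scanner": SCANNER, "analyst": ANALYST})


def with_victim_capture() -> Dict[str, Set[str]]:
    """Adding the victim's real profile exposes the gated script."""
    return differential_check(compromised_site, {"scanner": SCANNER, "victim": TARGET})


if __name__ == "__main__":
    print("scanner and analyst:", scanner_only_view())
    print("scanner and victim :", with_victim_capture())
```

The first run prints an empty result and the second attributes `exploit-pack.js` to the victim profile only, which is the point of the paragraph above: an automated crawl, however thorough, is fetching a different page from the one the target receives, and a human has to bring the victim's context (or the victim's own traffic) to the comparison.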

The need for human skills was recently demonstrated by a major analysis (reported by Ars Technica) conducted by researchers at KU Leuven (Belgium) and Stony Brook University (New York). The researchers tested websites "protected" by the trust seals of security vendors offering automated vulnerability and malware scanning, including reputable companies such as Symantec, McAfee, Trust-Guard and Qualys. The research showed "that seal providers perform very poorly when it comes to the detection of vulnerabilities on the websites that they certify." This weakness is inherent in almost every fully automated solution: it can only go so far before its output needs to be analysed by a qualified pentester.

As a response to these threats, High-Tech Bridge has launched ImmuniWeb SaaS, a hybrid service that combines automated security assessment with manual penetration testing.

Tags: Cybersecurity, Financial Crime & Fraud Analysis, Industry Comment

Copyright © 2021 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.