Can Your Clients Afford to Cut Back on Web Application Security?
Some businesses may feel that security vendors and MSSPs are trying to sell them something by scaremongering. After all, the chances that the business is going to be the next breach victim like Capital One or Equifax are probably as remote as the Titanic sinking. That’s true, but what they may not realize is the fact that it’s not just the Russian spies, cybercriminal gangs, or pro hackers that are a danger to their money. In the world of IT security, even an experimenting teenager or an opportunist thief could cost them so much that they may have to go out of business, and while it’s less probable, it’s still possible.
“Hacking” is easy!
In the early days of hacking, every person who wanted to discover ways to go around security measures was basically on their own. That’s why the term hacker was originally associated with people with exceptional skills. With the development of the Internet, blockchain payments, and the dark web, now “hacking” for easy money is child’s play. For every common vulnerability, you can readily find an exploit that is easier to use than your web browser. Very often, all you have to do is point it and press a button. And there’s no problem with getting unmarked cash in a white envelope – we’ve got bitcoins for that.
The world is, unfortunately, full of people wanting to make a quick buck, and they’re not like professional car thieves from movies who spend hours figuring out how to go around immobilizers. They’re like those misled kids that walk along a street and pull on every car door handle to find one that’s unlocked for a joyride. And then they crash for fun or rip out your radio. Same with web applications – these script kiddies, as we call them, are not after complex password-protected sensitive data. Rather than that, they’ll have fun and deface the front page or pop in user-friendly, press-one-button ransomware to get some bitcoins.
What will that cost?
Your client may be thinking, “I’m fine.” They’ve got you taking care of all their primary systems. These systems are regularly scanned, and you’re prioritizing all the major vulnerabilities to make sure your client has no RCEs in primary business systems. They might also have WordPress sites made by marketing for campaigns, but there’s no sensitive data there, so there’s no point in worrying about them, and they haven’t hired you to protect them. They don’t scan them at all. After all, what’s the worst that could happen?
There’s some bad news.
Let’s assume that a script kiddie has managed to hack into one of such campaign sites and defaced the front page. What’s next?
Primary attack target forensics
First of all, your client will need a forensics expert to analyze their system and will need to take that system down immediately. The cost of taking down a marketing campaign for a few days may not be that huge, so things are looking okay so far. Since they don’t hire IT forensics experts full-time, they spend some time finding a contractor, signing a contract, and getting them to start working – maybe even you or maybe even with your help. And the clock is ticking.
Secondary target forensics
The forensics expert goes into the defaced site and confirms that the attacker could have downloaded the whole WordPress database with all logins and passwords used by the marketing team. One of your client’s marketing employees admits that they’re using the same login and password for the campaign site as for their primary business site, and the password is just 6-characters long, so it could be cracked in a few seconds (even though it contains a number, a capital letter, and a special character).
So, the next thing the forensic expert does is look at primary business site logs. There, they see access attempts from the same IP as in the case of the campaign site hack. They recommend that your client takes down their primary business site for a while and performs deep analysis. Tick. Tock. Tick. Tock. Now your client’s primary site is down for hours or days.
Et tu, Brute?
As your client loses more and more money because more systems are found to be potentially affected and need to be taken down for deep analysis, they’re being stabbed from yet another direction. Someone saw their defaced site, found it very funny (the attacker was creative), and posted it all over social media. A commentary video making fun of their brand is now hitting millions of views on TikTok with a catchy song.
Your client’s customer service center agents are now working 24 hours a day with unending calls and messages from customers worried about their data and money. Their channel teams are sweating – their partners are worried about supply chain effects. Their PR department is trying to reach out to all the news sources and issue statements that will mitigate potential business losses as much as possible. It’s not the catchy TikTok and making fun of them that’s the problem. It’s the fact that a lot of people now know that they’ve been hacked and lose trust in them.
This armageddon luckily quiets down in a few days, but it’s going to have long-term consequences. Your client lost a lot of business, which means they may be unable to afford some new initiatives (including hiring you to protect all their systems), and that will cost them even more business. They may have to lay off employees, which makes other employees unhappy and uneasy and more likely to leave (including those difficult-to-find security experts). There is that gloomy feeling that their HR must now spend months to reverse. And last but not least – even though it was their decision not to have you protect their campaign site and the hack is absolutely not your fault, it’s probably you, the MSSP, that’s going to get the blame in the end.
All-in-all, while this may seem like an extreme scenario, that’s pretty much what happens with every security breach. What costs most is not the credit card numbers that were stolen – it’s the business lost due to web applications having to be taken offline and the fact that the company can do very little except focus on all the activities associated with the hack. Not to mention the long-term consequences. The perceived savings now are very likely to cost your client a lot more later and cause irreparable damage.
Is this scaremongering? No, it simply happened way too many times already. For example, SolarWinds has spent more than $18 million already on remediating the events of December 2020. That’s why, while it is understandable that your client’s budget is limited and they must prioritize, you should encourage them to try to focus their budget cuts elsewhere. Don’t just let them ignore that campaign site – they don’t have to prioritize it, but they must make sure it’s not completely forgotten. You should help them find every site they have (by using web asset discovery) and make sure it’s there in the scanning queue.
Guest bog courtesy of Invicti, an international web app security company headquartered in Austin, Texas. See more Invicti guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.