December 16, 2014

Web Application Security Testing: Why the Utilities Industry Can't Afford a Security Blackout

Web applications are surprisingly vulnerable to malicious attacks. No longer is the biggest threat to your safety an alleged, long-lost Nigerian uncle who needs all your bank account information so he can wire you a million dollars. Instead, an arsenal comprising parasitic apps, keyloggers, SQL injection and incredibly well-designed XSS shadow sites and emails is available to those who wish to steal even the savviest internet user's information. With the proliferation of advanced threats in this Post-Overseas-Uncle Era, allowing preventable attacks is inexcusable — and web application security testing is critical to protecting your customers' data.

Though developers often view security testing as time-consuming, it should be a priority since remediating software vulnerabilities goes a long way toward preventing damaging cyberattacks. When viewed in hindsight, there's always a glaring weakness in a hacked company's network — and with recent news indicating that one of our largest industries is also one of the most vulnerable, it's time to revisit the importance of thoroughly securing your entire system with web application security testing.

Much Ado About Utilities

The utilities industry has found itself among the most attacked in recent years. Last year, more than half of the 256 cyberincident reports investigated by the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) were in the energy sector. Fortunately, none of those incidents caused power outages — a situation that has happened before. However, they did include web-application hacking, and odds are good that these types of attacks will continue as customer transactions move online. The industry's terrifying self-reporting on vulnerabilities in its control systems does not bode well for its attention to the security of client-facing web applications.

The utilities industry is still in the process of automating and moving its systems online, both internally and on the customer-facing side. No longer are pay stubs and landlines reasonable security confirmations; instead, customers type in usernames and passwords to set up payments, link bank accounts and social security numbers and provide other private information to complete online transactions.

Hackers can, and often do, scan web applications for vulnerabilities they can exploit. And despite the fact that utilities require users to provide a lot of personal information, the industry has yet to face the same scrutiny that financial institutions do. Vulnerable websites are treasure troves for hackers looking for information to steal, and the appealing combination of causing palpable chaos while gaining enough sensitive information to commit massive identity theft might make utility companies more desirable future targets than even banks. We're already seeing an unhealthy increase in healthcare data being targeted — could utility customer information be next?

Utility companies said they recognize the need for change after recent reports indicated they were massively unprepared for persistent hacking efforts. The question is whether they have the commitment and resources to assess all their web applications in a systematic way, especially when transitioning from an existing system that has yet to be attacked. With so much sensitive information and potential for havoc, though, the truth is that cyberattacks are no longer a matter of if, but when.


John is a B2B and SaaS expert who likes to explain complex concepts using cute animals and cocktail napkins. He believes that content marketing is the future and sometimes ghost writes, but he can never prove it.
