Businesses have embraced both the creation and use of web services and web applications at an astronomical rate. But as many companies—most recently Equifax®—have found out, protecting web services and web applications is serious business. In the case of Equifax, the failure to patch a known vulnerability in the Apache® Struts Framework led to a major data breach. Had the General Data Protection Regulation (GDPR) already been in effect, the company could have faced severe repercussions for not notifying both the regulatory authorities and the data subjects within the 72-hour deadline.
It’s not unreasonable to suggest that web services are the weakest technological link in the struggle against cybercriminals. Web applications and web services are vulnerable to customer account compromise from poor user behaviour or even complete compromise due to technical flaws or weak administrative passwords. Given the mandates of GDPR to protect data subjects’ personal data, a webserver hosted by a business could present a clear and present danger of a data breach. What follows is an analysis of how website owners are responding to the danger of presenting an open portal of personal data to the internet. And if your business develops web applications, you may want to implement some of these techniques.
All website services suffer from a severe challenge—authenticating legitimate users (and blocking out fraudulent ones). The entire web application industry has struggled with this challenge for years. The issue revolves around the user ID and password combination people use to log in to a web service, whether a banking website, a remote access portal, or online storage space. Businesses must have safeguards in place to ensure any login attempts come from a legitimate user rather than an imposter trying to gain unauthorized access.
There are many behind-the-scenes techniques that website owners use to help ensure a legitimate user is matched to a legitimate account. A multistage authentication process offers a degree of assurance that the person attempting to log in is the true account owner.
To improve your application security, try building logic into your authentication process that answers the following questions:
This technique helps ensure the connection between the website and the client browser uses a top level of security and is as cryptographically secure as possible. Out-of-date browsers may provide less secure connections, potentially exposing login and internet session information to others. Many websites, especially financial institutions, require a top level of encryption to even connect to the login page.
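The paragraph above describes the check in words; the following Python is an added example (not code from the original post or from SolarWinds) of how a server enforces a minimum protocol level so that an out-of-date browser is refused at the handshake rather than reaching the login page. It uses only the standard `ssl` module; the certificate paths are assumed placeholders, and `connection_meets_policy` takes the version string that `SSLSocket.version()` reports.

```python
import ssl

# Policy: nothing older than TLS 1.2 may reach the login page.
MINIMUM_TLS = ssl.TLSVersion.TLSv1_2


def build_server_tls_context(certfile=None, keyfile=None):
    """Server-side context that refuses TLS 1.0/1.1 and SSLv3 during the handshake.

    certfile/keyfile are placeholders for the site's own certificate and key;
    when omitted the context is built without a certificate so it can be inspected.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = MINIMUM_TLS
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


# Names as returned by ssl.SSLSocket.version(), mapped onto the ordered enum.
_VERSION_NAMES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def connection_meets_policy(negotiated: str, minimum=MINIMUM_TLS) -> bool:
    """Application-layer double check: is the negotiated protocol at or above policy?

    Useful when TLS is terminated by a proxy in front of the application and the
    negotiated version is forwarded as a header rather than seen on a socket.
    """
    version = _VERSION_NAMES.get(negotiated)
    return version is not None and version >= minimum


if __name__ == "__main__":
    ctx = build_server_tls_context()
    print("minimum protocol:", ctx.minimum_version.name)
    for name in ("TLSv1", "TLSv1.2", "TLSv1.3"):
        print(name, "accepted" if connection_meets_policy(name) else "refused")
```

The context-level setting is the one that matters: it closes the connection before any HTTP request is read. The `connection_meets_policy` helper is only for deployments where a load balancer terminates TLS and the application sees the version second-hand.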
One important technique involves analysing the IP address presented to the web service. Applications can compare the IP address to a “black list” or threat intelligence feed of bad IP addresses to determine immediately whether the authentication attempt is likely to be fraudulent.
Whitelisting and tracking account IP addresses is becoming more common. This technique involves logging the IP addresses a user connects from to establish a pattern of activity. If the user appears from a “new” IP address or one that is significantly and geographically different, the user could be prompted to authorise the connection with a text message or email link. If a user typically accesses a web service only from Scotland, and there is a login attempt from Latvia, the user can be required to authenticate via email or text, or they can be prompted with security questions as well.
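The two IP-based techniques above (blacklist/threat-feed matching, and tracking where an account normally logs in from) fit naturally into one decision function. The following Python is an added example, not code from the original post or from SolarWinds. The blocklist, the per-account history and the `geolocate` lookup table are constructed for the example; a real deployment would feed in a threat-intelligence list and a GeoIP database, and the country codes here are illustrative only.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed blocklist standing in for a threat-intelligence feed
# (documentation address ranges only).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Hypothetical GeoIP lookup: constructed mapping of address -> ISO country code.
_GEO_TABLE = {
    "192.0.2.10": "GB",
    "192.0.2.11": "GB",
    "198.18.0.5": "LV",
    "203.0.113.9": "US",
}


def geolocate(ip: str) -> str:
    """Return a country code, or '??' when the address is unknown to the table."""
    return _GEO_TABLE.get(ip, "??")


@dataclass
class AccountHistory:
    """Addresses and countries this account has previously logged in from."""
    known_ips: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)


def assess_login(ip: str, history: AccountHistory) -> str:
    """Classify a login attempt as 'deny', 'allow' or 'step_up'.

    step_up means: let the password check proceed, but require the user to
    confirm via an email or text-message link before the session is granted.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BLOCKLIST):
        return "deny"                      # known-bad source: refuse outright
    if ip in history.known_ips:
        return "allow"                     # exactly where this user usually is
    if geolocate(ip) in history.known_countries:
        return "allow"                     # new address, but a familiar region
    return "step_up"                       # new address and new country


def record_successful_login(ip: str, history: AccountHistory) -> None:
    """Called only after the attempt (including any step-up) has fully succeeded."""
    history.known_ips.add(ip)
    history.known_countries.add(geolocate(ip))


if __name__ == "__main__":
    # Constructed scenario: a user who has only ever logged in from Scotland.
    hist = AccountHistory({"192.0.2.10"}, {"GB"})
    for candidate in ("192.0.2.10", "192.0.2.11", "198.18.0.5", "203.0.113.9"):
        print(candidate, geolocate(candidate), "->", assess_login(candidate, hist))
```

Note that an address is only added to the history after the whole login succeeds, including the step-up confirmation; recording it earlier would let an attacker who fails the confirmation teach the system that their address is normal.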
This is a relatively new approach that uses data from previous data breaches. Since many customers re-use passwords and user IDs, a comparison of the account information to data from a known breach often leads applications to temporarily disable an account or demand a password change via email link. This protects the user from a password re-use attack on their account.
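As an added illustration of the breach-comparison check (this is example code, not from the original post or from SolarWinds), the Python below compares a submitted username and password against a small constructed breach corpus. The lookup follows the k-anonymity "range" pattern popularised by breach-checking services: only the first five hex characters of the password's SHA-1 hash are used to query the corpus, so the full hash never has to leave the application. The corpus, usernames and decision labels are all constructed for the example.

```python
import hashlib

# Constructed breach corpus (a fictional dump); a real feed holds many millions of entries.
_BREACHED_PASSWORDS = ["password", "letmein", "qwerty123", "summer2017"]
_BREACHED_USERNAMES = {"alice@example.com", "bob@example.com"}
BREACH_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _BREACHED_PASSWORDS
}


def range_lookup(prefix: str) -> list:
    """Return the suffixes of every breached hash that starts with a 5-hex-char prefix.

    This mirrors the k-anonymity range query: the caller reveals only 20 bits of
    the hash, and does the final comparison locally.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return [h[5:] for h in BREACH_HASHES if h.startswith(prefix)]


def password_in_breach(password: str) -> bool:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def decide(username: str, password: str) -> str:
    """Decision taken after the password itself has verified correctly.

    suspend_and_email_reset : both the user ID and the password appear in breach data,
                              so the pair is likely being replayed; disable until reset.
    force_password_change   : password is known-breached; require a change via email link.
    ok                      : no match.
    """
    pw_hit = password_in_breach(password)
    user_hit = username.strip().lower() in _BREACHED_USERNAMES
    if pw_hit and user_hit:
        return "suspend_and_email_reset"
    if pw_hit:
        return "force_password_change"
    return "ok"


if __name__ == "__main__":
    for user, pw in (("alice@example.com", "password"),
                     ("carol@example.com", "letmein"),
                     ("carol@example.com", "Tr0ub4dor&3xyz")):
        print(user, "->", decide(user, pw))
```

The check runs at login time, when the application momentarily has the plaintext password anyway; it should never be run against the stored password hashes, which should use a slow hash rather than SHA-1.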
Malware designed to steal website session information is often used to hijack a legitimate user’s connection and piggyback on their website session. Many websites now watch for multiple IP addresses connected to a single session. If that happens, the account may be suspended and the company may issue a warning to the account owner via email or other means.
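The following Python is an added example of the session-monitoring idea just described; it is not code from the original post or from SolarWinds. It replays constructed access-log lines (the line format and session IDs are invented for the example), tracks the distinct client addresses seen per session, and suspends a session the moment it exceeds the allowed number, recording an alert that an email warning could be built from.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format: "<timestamp> sid=<session id> ip=<client address> <request>"
LOG_RE = re.compile(r"^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) (?P<req>.+)$")


@dataclass
class SessionState:
    ips: set = field(default_factory=set)
    suspended: bool = False


class SessionMonitor:
    def __init__(self, max_distinct_ips: int = 1):
        # 1 is strict; a mobile-friendly site might allow 2 (wifi to cellular hand-off).
        self.max_distinct_ips = max_distinct_ips
        self.sessions = defaultdict(SessionState)
        self.alerts = []

    def observe(self, sid: str, ip: str) -> str:
        """Record one request; return 'ok' or 'suspended'."""
        state = self.sessions[sid]
        if state.suspended:
            return "suspended"            # keep refusing a session once it is flagged
        state.ips.add(ip)
        if len(state.ips) > self.max_distinct_ips:
            state.suspended = True
            self.alerts.append({"session": sid, "ips": sorted(state.ips)})
            return "suspended"
        return "ok"


def replay_log(lines, max_distinct_ips: int = 1) -> SessionMonitor:
    """Feed log lines through a monitor; malformed lines are skipped."""
    monitor = SessionMonitor(max_distinct_ips)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            monitor.observe(m["sid"], m["ip"])
    return monitor


# Constructed sample: session s2 is used from a second address mid-session.
SAMPLE_LOG = [
    "2017-10-03T10:00:01Z sid=s1 ip=192.0.2.10 GET /account",
    "2017-10-03T10:00:05Z sid=s1 ip=192.0.2.10 GET /statements",
    "2017-10-03T10:00:09Z sid=s2 ip=192.0.2.20 GET /account",
    "2017-10-03T10:00:12Z sid=s2 ip=203.0.113.44 POST /transfer",
    "2017-10-03T10:00:15Z sid=s2 ip=192.0.2.20 GET /account",
]

if __name__ == "__main__":
    mon = replay_log(SAMPLE_LOG)
    for alert in mon.alerts:
        print("suspended session", alert["session"], "seen from", alert["ips"])
```

In production the same `observe` call sits in the request pipeline rather than a log replay, and the alert triggers the owner notification and forces a fresh login. Raising `max_distinct_ips` above 1 trades some detection for fewer false positives from users whose address legitimately changes mid-session.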
More websites than ever are implementing MFA or 2FA to protect users. This could involve using applications like Google® Authenticator or sending text messages with an authentication code to a phone number associated with the account. MFA remains one of the best ways of helping ensure only legitimate users access their online accounts—I recommend that it be made mandatory when the website contains personal, private, or financial information. In fact, some analysis of a recent Deloitte® data breach indicates the breach could have been prevented by activation of 2FA on an administrator account.
Due to the rising threat of account compromises via web services, many website owners are building systems to ensure legitimate users and administrative users are protected. And with the increased responsibilities of organizations under GDPR, the stakes are even higher when it comes to web application security. As a website owner, you must do your best to safeguard your customers from fraudulent logins if you want to avoid a potentially severe data breach and penalties under the GDPR (and to make sure your customers are safe).
This document is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR may apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance. SolarWinds MSP makes no warranty, express or implied, or assumes any legal liability or responsibility for the information contained herein, including the accuracy, completeness, or usefulness of any information.
© 2017 SolarWinds MSP UK Ltd. All rights reserved.