Not Concerned About Web Application Attacks in Financial Services? Well, You Should Be

IT teams in the financial services industry have historically invested in, and deployed, web application firewalls (WAFs) to comply with Payment Card Industry Data Security Standards (PCI DSS). However, many of today’s data security professionals recognize that unprotected web applications have become attractive targets for cybercriminals looking for easy entry points into their networks.

In fact, according to recent data, 83 percent of enterprise IT executives believe application security is critical to their IT strategy. Additionally, 82 percent of respondents believe application security is highly important to their overall IT strategy.

Between legacy applications and new and emerging mobile apps, the potential attack surface is broader than it’s ever been, and the dichotomy between old vs. new presents unique and consistent challenges to IT teams.

Why Web Application Firewalls Are Necessary in Financial Services

Many externally facing web apps are potentially vulnerable to a number of different attacks. Here are a few that IT teams should pay close attention to:

  • Cross-site scripting (XSS): These attacks inject malicious scripts into vulnerable websites. The flaws that allow them to succeed are widespread, and can occur anywhere a web application includes input from a user in the output it generates without first validating or encoding it. Cross-site scripting attacks enable attackers to gain access and steal sensitive financial data or even take control of targeted devices.
  • SQL injection: When these types of attacks are successful, attackers can use them as a way to bypass authentication measures to retrieve information from databases. In 2015, a group was accused of using SQL injection attacks to make $30 million using stolen financial information.
  • Layer 7 Denial of Service: Layer 7 (application layer) attacks are commonly used in the financial services industry to overload a specific function as a means to distract security teams from a security breach occurring in parallel.
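
The XSS item above comes down to validating input and encoding it for the place it lands in the page. The following is an added example, not code from the original post or from any product it mentions; the payee-nickname field, its allow-list rule and the sample inputs are constructed for illustration.

```python
import html
import json
import re

# Constructed inputs: values a user might submit as a payee nickname.
BENIGN = "Rent - J. O'Neil"
SCRIPT_PROBE = "<script>alert(1)</script>"
ATTR_PROBE = '" onfocus="alert(1)'

# Allow-list validation: hypothetical rule for a nickname field.
NICKNAME_RE = re.compile(r"[A-Za-z0-9 .,'\-]{1,40}")

def is_valid_nickname(value: str) -> bool:
    """Accept only the characters the field legitimately needs."""
    return NICKNAME_RE.fullmatch(value) is not None

def render_unsafe(value: str) -> str:
    """Vulnerable 'before': user input is copied into markup unchanged."""
    return f"<p>Payee: {value}</p>"

def render_html(value: str) -> str:
    """HTML body context: encode &, <, > and both quote characters."""
    return f"<p>Payee: {html.escape(value, quote=True)}</p>"

def render_attr(value: str) -> str:
    """Quoted attribute context: encoding keeps the value inside the quotes."""
    return f'<input name="nickname" value="{html.escape(value, quote=True)}">'

def js_literal(value: str) -> str:
    """Script context: JSON-encode, then escape <, > and & so the string
    cannot close the surrounding <script> element."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded

if __name__ == "__main__":
    for probe in (BENIGN, SCRIPT_PROBE, ATTR_PROBE):
        print("valid:", is_valid_nickname(probe))
        print(" unsafe:", render_unsafe(probe))
        print(" html:  ", render_html(probe))
        print(" attr:  ", render_attr(probe))
        print(" js:    ", js_literal(probe))
```

Validation and encoding are complementary: the allow-list rejects input the field never needs, while encoding protects every value that is still echoed back, including legitimate ones containing an apostrophe.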

Internal web apps are considered to be even easier than external apps to compromise if attackers are able to gain access to the internal network. This is the case for many financial services organizations that mistakenly believe they’re fully protected by their perimeter defenses. Custom code is traditionally one of the weakest security links for many organizations, as internal application development teams are often simply unable to stay informed of all new attack types.

Commercial code can also be vulnerable, especially when a lack of resources inhibits IT teams from applying patches and security fixes as soon as they’re available.

How Web Application Security Solutions Can Assist

Sophisticated web application security services leverage information to keep web apps safe from the OWASP Top 10 list of risks, and more. They do so using, among other things, IP reputation services that help screen out identified malicious sources before they have a chance to do damage.

Additionally, many web application security solutions offer a correlation engine that pulls together multiple events across all security layers, enabling more accurate decisions and better protection against today’s increasingly complex attacks. By combining information from all layers, organizations are able to stay ahead of nearly all application-based attacks, including those zero-day threats that standard signature file-based systems can’t uncover. Vulnerability scanning is another critical element of staying protected against the ever-changing threat landscape.

Final Thoughts

As threats continue to evolve both in number and sophistication, organizations in the financial services industry need to consider investing in a multi-pronged web application security approach. Single security devices are not typically enough to defend the entire network. It’s also becoming increasingly important to have a centralized, unified console through which you are able to manage and orchestrate multiple gateway devices at the same time.

FortiWeb offers the tools needed to do just that. With FortiWeb, security professionals can configure and manage multiple gateways from a single management console. If an aggregated view of attacks is needed, FortiWeb also integrates into FortiAnalyzer reporting appliances for consolidated reporting and logging.

Let’s get a conversation going on Twitter! How is your organization staying protected against today’s attacks on web applications?
