Experts on Web application security gathered recently at a seminar organized by Dimension Data and Check Point to discuss the serious business implications of Distributed Denial of Service (DDoS) attacks that enterprises do not properly address.
The conference was organized by Computerworld Hong Kong in partnership with Internet security company Check Point, and IT services and solution provider Dimension Data. The objective was to openly discuss, and find collaborative responses to, the growing number of DDoS attacks experienced by large to medium enterprises worldwide, which have resulted in huge business losses and a profound dent in the corporate image of top global companies.
Web applications are significantly on the rise, according to Billy Ng, solutions architect at Dimension Data, and they are being developed and adopted by companies to facilitate interactive interfaces via the Internet for their target markets.
"It provides the best user experience and reduces business operating cost, but since it's available 24/7, it is vulnerable to attacks and hacks that could result in both intangible and tangible business losses," Ng said.
According to the Open Web Application Security Project (OWASP), an international and open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted, Web applications of all kinds have in recent years increasingly become the target of hacker attacks.
It added that the attackers are using methods which are specifically aimed at exploiting potential weak spots in the Web application software itself - and this is why they are harder to detect, or are not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems.
DDoS is a type of DoS attack where multiple compromised systems -- which are usually infected with a Trojan -- are used to target a single system, causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack.
In a DDoS attack, the incoming traffic flooding the victim originates from many different sources -- potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address; plus, it is very difficult to distinguish legitimate user traffic from attack traffic when spread across so many points of origin.
Challenges in addressing DDoS attacks
Calvin Ng, Country Manager Hong Kong & Macau, Check Point, reiterated during the conference that the challenge most enterprises face in addressing DDoS comes not only from threats outside their network, but can also be internal.
"Today, 60% of businesses are generated via the Internet which makes it crucial for us to create a collaborative network to address cyber attacks," Ng added.
Another reason attacks on Web applications are becoming prevalent is the proliferation of smartphones and devices such as tablets in the market today, according to Ng.
"Previously users only had one device to access the network; today they have up to four devices -- smartphone, tablet, laptop and another device -- to connect to the enterprise network, hence hackers have more opportunities to attack," Ng said.
"Yesterday's technology will not be able to protect you today," Ng added, citing what happened to companies like Amazon.com and Yahoo -- which both use Web applications to interact with online users. Both experienced DDoS attacks causing them to lose huge amounts when their systems went down for about 10 hours.
Ng said Check Point sees Web traffic challenges today originating from two areas -- Web sites and applications. While enterprises in the last five years were traditionally able to control their applications, that is no longer the case today.
This is because Web applications today can be accessed through mobile gadgets that don't require a browser to access the Web.
Ng said that they had a client who previously had to develop Web applications every two years. With the advent of Web 2.0, they need to develop Web applications every six months to keep pace with the changing needs of the market.
"For us we can protect them in the next 6 months, but not in the future, that is the big challenge that we face," Ng said.
A DDoS initiated by hackers can be detected, but an unknown attack from another external source, such as a CD or USB device accidentally plugged into one of the network's workstations, can quickly spread and infect the whole network, Ng explained.
"We do not know what will attack us in the future. We are fighting the unknown; that is why we need to do something in advance," Ng added.
Citing a case study during his presentation, Ng said that a client who had a DDoS attack sought their help last year and, within an hour, they were able to find the cause of the attack and create a patch for the application to prevent further attacks.
The advent of cloud computing also makes it easier for Check Point to keep their customers protected from DDoS attacks. "The beauty of cloud is we can do collaboration work in helping customers update their patches," he added.
Understanding DDoS vulnerabilities
Ng from Dimension Data said that a level of security should be embedded in Web applications during their production stage to block unauthorized access or attacks.
One way of ensuring the security level of a Web application is to refer to OWASP's report on the top ten mobile security risks, which discusses vulnerabilities that enterprises should look into when developing Web applications to protect against DDoS attacks.
Dimension Data's Ng said that, of the 12,000 Web applications recently scanned, the Web App Consortium showed that 15% can be easily compromised using automatic scanning tools. About 6,000 Web sites are also suffering from medium to high vulnerabilities.
"This shows that most enterprises' applications may contain Web application vulnerabilities that they don't recognize," he warned. "If your organization is not doing regular testing of your application and your development team relies only on 3rd party vendors, I'd recommend a study of your Web development practice and procedures."
OWASP helps companies detect attacks in various databases and helps them understand what devices or tools they need to deploy to protect their Web applications from DDoS attacks, according to Anthony Lai, chairman of OWASP Hong Kong Chapter.
"The problem with Hong Kong companies is that they don't know what a secure application is, because of the lack of standards in developing Web applications; risk management is also not strictly implemented," Lai said. "OWASP can help in this area since we've been promoting Web security for almost a decade now."
He added that the basic principle is that every Web application should be developed to be as secure as possible. This is because the later a vulnerability is detected in the life cycle of a Web application, the greater the risk of a successful attack, and often also the amount of work involved in correcting the issue.