16th October 2014

Web applications under increased threat of malicious attack


Businesses are faced with an increasing number of malicious attacks on their web applications according to research conducted by Imperva.

In their fifth annual ‘Web Application Attack Report’ they reported that there was a 10% year-on-year increase in SQL injection (SQLi) attacks and a 24% increase in Remote File Inclusion attacks (from 38% to 62%). These attacks are also 44% longer compared to the previous year.

Web applications associated with retail organisations suffered the most attacks (48%), with those associated with financial institutions second (10%). 40% of all SQLi attacks and over 60% of malicious HTTP traffic, such as protocol violations and malformed requests, were directed at retail applications.

To see the potential scale of attacks on organisations, and their repercussions, you only need to look at the attack on the American bank JP Morgan Chase in August 2014, which the bank said affected 76m households, and at the group of Russian hackers who stole in excess of 1.2 billion matching passwords and usernames, plus over 500 million email addresses, by using viruses to test and exploit vulnerabilities in websites’ SQL code.

For those organisations operating an IBM i system, there are a number of in-built features that help to protect them from malicious attack:

  • Object-level authorisation controls
  • A security audit journal
  • System history log
  • An architecture that is inherently virus-resistant
  • An intrusion detection and prevention system (IDS)

All of these work in the IBM i’s favour. However, these features cannot protect your business-critical data on their own.

Regulatory and industry-specific compliance requirements, such as Sarbanes-Oxley, PCI and HIPAA, stipulate that sensitive data must be stored securely and protected against unauthorised access or modification. It is therefore recommended that organisations deploy additional security solutions.

In terms of application security specifically, Raz-Lee AP-Journal issues real-time alerts when predefined thresholds for changes to application data are met. It also provides a list of all accesses to the application’s data that were not performed through the official application, i.e. when Data File Utility (DFU) or SQL was used instead of the organisation’s ERP system.
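The detection idea in the paragraph above, accesses that bypass the official application and per-user thresholds on such changes, can be illustrated in a few lines. The following is an added example, not Raz-Lee or IBM code; the record layout, program names (ERPORDER, DFU, STRSQL and so on) and the sample entries are constructed for the example and do not follow the real IBM i audit journal format.

```python
"""Flag application-data accesses that bypassed the official application.

Added illustration (not Raz-Lee AP-Journal code). The record layout below is
constructed for the example and does not follow the real QAUDJRN entry format.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRecord:
    user: str      # user profile that performed the access
    program: str   # program that issued the I/O (constructed field)
    file: str      # database file that was touched
    action: str    # "read" or "change"


# Hypothetical ERP programs that are allowed to touch each file directly.
# Any file not listed here is treated as having no official program (default deny).
OFFICIAL_PROGRAMS = {
    "CUSTMAST": {"ERPORDER", "ERPCUST"},
    "PAYROLL": {"ERPPAY"},
}

# Constructed sample records standing in for journal entries.
SAMPLE_RECORDS = [
    AccessRecord("ALICE", "ERPORDER", "CUSTMAST", "read"),
    AccessRecord("ALICE", "ERPCUST", "CUSTMAST", "change"),
    AccessRecord("BOB", "DFU", "CUSTMAST", "change"),     # Data File Utility, bypasses the ERP
    AccessRecord("BOB", "STRSQL", "PAYROLL", "read"),     # interactive SQL, bypasses the ERP
    AccessRecord("BOB", "STRSQL", "PAYROLL", "change"),
    AccessRecord("CAROL", "ERPPAY", "PAYROLL", "change"),
    AccessRecord("BOB", "DFU", "PAYROLL", "change"),
]


def out_of_band_accesses(records):
    """Return the records whose program is not an official application for that file."""
    return [r for r in records if r.program not in OFFICIAL_PROGRAMS.get(r.file, set())]


def threshold_alerts(records, threshold):
    """Return {user: count} for users whose out-of-band *changes* reach the threshold."""
    counts = Counter(r.user for r in out_of_band_accesses(records) if r.action == "change")
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rec in out_of_band_accesses(SAMPLE_RECORDS):
        print("out-of-band:", rec)
    print("alerts at threshold 2:", threshold_alerts(SAMPLE_RECORDS, 2))
```

Reads are listed but only changes count towards the alert threshold, which mirrors the paragraph’s distinction between listing every off-application access and alerting on changes; a file with no official program on the allowlist is flagged on every access rather than silently passed.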

Raz-Lee’s View restricts access by unauthorised users to specific application database records or fields. It also protects and controls how classified data is displayed on-screen.
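The record- and field-level restriction described above can be shown as a policy applied to rows before they reach the screen. This is an added example, not Raz-Lee View code; the roles, field names, row filter and sample rows are constructed for the illustration, and the card numbers are well-known test values.

```python
"""Apply record- and field-level restrictions before data is displayed.

Added illustration (not Raz-Lee View code). The policy format, roles, field
names and sample rows are constructed for the example.
"""

# Constructed policy per role: fields shown in clear, fields shown masked, and a
# row filter. A field in neither set is omitted from the view entirely.
POLICY = {
    "clerk": {
        "clear": {"cust_id", "name"},
        "masked": {"card_no"},
        "row_filter": lambda row: row["region"] == "EMEA",   # clerks see only their region
    },
    "auditor": {
        "clear": {"cust_id", "name", "card_no", "region"},
        "masked": set(),
        "row_filter": lambda row: True,
    },
}


def mask(value):
    """Replace all but the last four characters with asterisks."""
    text = str(value)
    return "*" * max(len(text) - 4, 0) + text[-4:]


def restricted_view(rows, role):
    """Return the rows and fields the given role may see, masking where required."""
    policy = POLICY.get(role)
    if policy is None:
        return []  # unknown role: show nothing (default deny)
    visible_rows = []
    for row in rows:
        if not policy["row_filter"](row):
            continue  # record not authorised for this role
        visible = {}
        for field, value in row.items():
            if field in policy["clear"]:
                visible[field] = value
            elif field in policy["masked"]:
                visible[field] = mask(value)
            # any other field is not authorised for this role and is dropped
        visible_rows.append(visible)
    return visible_rows


# Constructed sample rows; the card numbers are standard test values, not real cards.
SAMPLE_ROWS = [
    {"cust_id": 1, "name": "Ada", "card_no": "4111111111111111", "region": "EMEA"},
    {"cust_id": 2, "name": "Bo", "card_no": "5500000000000004", "region": "APAC"},
]


if __name__ == "__main__":
    for role in ("clerk", "auditor", "intern"):
        print(role, restricted_view(SAMPLE_ROWS, role))
```

The filtering happens on the server side of the display, so a user who is not authorised for a record or field never receives it; masking only the on-screen copy of an otherwise-returned value would not meet the same goal.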

With a background of increasing malicious threats to your business-critical data and web applications – can you afford not to invest in your organisation’s security?

Posted by Paul on 16th October 2014.