Web Application Security: The Basics

Most of us know the benefits of web applications: there is nothing to download, since you simply open the app in a web browser like Google Chrome, Mozilla Firefox or Safari; they take up less storage space; and they are accessible from desktops, laptops, phones or tablets, wherever you are. But a small business that works mostly with web applications may be using them without understanding the risks. Here’s help.

What is a Web application or Web app?

“It is an application program that is stored on a remote server and delivered over the Internet through a browser interface. {…} For a web app to operate, it needs a Web server, application server, and a database. Web servers manage the requests that come from a client, while the application server completes the requested task. A database can be used to store any needed information.”

Web applications include online forms, shopping carts, word processors, spreadsheets, video and photo editing, file conversion, file scanning, and email programs.

Some examples of popular web apps:

  • Microsoft 365 for businesses includes Outlook, Microsoft Teams, OneDrive, Word, Excel, PowerPoint, etc.

  • Google Apps for work includes Gmail, Google Docs, Google Sheets, Google Slides, online storage, shared calendars, and more.

Security threats with web applications

Most businesses no longer have all their technology and software solutions on-site. The old cybersecurity perimeter around the IT premises will no longer be enough, not with so many applications available to you online and in the cloud.

Think of it this way: a firewall perimeter is like a moat around your business castle. No one could get in without crossing the drawbridge. That worked well before to secure your locally hosted server and desktop computers. Now, though, companies are relying more on cloud vendors and Software as a Service (SaaS), which means hackers could get in without using the drawbridge or crossing the moat. It’s like an alien invasion: cybercriminals teleport in without you even knowing it.

This is a big challenge for cybersecurity. Web apps are different from what you host in your secure company environment. Information is transmitted online. The solution itself is often hosted in the public cloud.

Three of the biggest breaches so far of 2021, as examples of this threat:

  1. An exploit of SolarWinds’s network management platform, Orion, is attributed to Russia. The breach targeted the U.S. Secretary of State and the government departments of Homeland Security and Commerce, plus the Treasury. Microsoft, Intel, Cisco, and Deloitte were also affected.

  2. A database of 1.9 million user records belonging to the online photo editor Pixlr was leaked by a hacker and dumped on a dark web forum. The leaked records include email addresses, usernames, hashed passwords, the user’s country, and other sensitive information such as whether they signed up for the newsletter.

  3. An undisclosed number of T-Mobile customers were affected by SIM swap attacks, or SIM hijacking, where scammers use social engineering to take control of a phone number and switch it over to a SIM card they own. With access to the customer’s phone number, scammers receive the victim’s messages and calls, which allows them to log into the victim’s bank accounts to steal money, change account passwords, and even lock the victim out of their own accounts that use two-factor authentication.

How to increase your Web App protection

Step 1: Inventory Your Web Apps

To fortify your defenses, you first need to know what you are using. This can also mean surveying employees about their use of unauthorized apps (known as Shadow IT). They likely mean no harm, but by signing up for third-party apps IT doesn’t know about, they put your protection at risk.

The size or type of Web app doesn’t matter. IT needs to know every application the company and its employees are using.
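One practical way to start the inventory in step 1 is to compare what employees actually connect to against the list of apps IT has approved. The script below is an added example, not code from the original post or from Zakini: it parses a constructed web-proxy log (timestamp, user, URL; a format invented for this illustration), matches each host against a hypothetical sanctioned-app list, and reports the hosts and users that fall outside it as Shadow IT candidates to follow up on.

```python
"""Shadow IT triage over web proxy logs.

Added example; the log format and the SANCTIONED list are assumptions
made for this illustration, not a real company's data.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = """\
2021-03-01T09:02:11Z alice https://outlook.office365.com/mail/inbox
2021-03-01T09:03:40Z alice https://teams.microsoft.com/_
2021-03-01T09:05:02Z bob https://docs.google.com/document/d/abc
2021-03-01T09:06:13Z bob https://pixlr.com/editor/
2021-03-01T09:07:55Z carol https://www.dropbox.com/home
2021-03-01T09:09:30Z carol https://pixlr.com/x/
2021-03-01T09:10:01Z dave not-a-url
2021-03-01T09:11:45Z alice https://app.smallpdf.com/convert
"""

# Hypothetical sanctioned inventory: app name -> domains it is known to use.
SANCTIONED = {
    "Microsoft 365": {"office365.com", "microsoft.com", "onedrive.live.com"},
    "Google Workspace": {"google.com", "gmail.com"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<url>\S+)$")


def classify(host):
    """Return the sanctioned app name for a host, or None if it is unknown.

    The match requires the host to equal a sanctioned domain or end in
    "." + domain, so a look-alike such as "evil-office365.com" is not
    mistaken for a sanctioned one.
    """
    host = host.lower().rstrip(".")
    for app, domains in SANCTIONED.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return app
    return None


def parse_log(text):
    """Yield (user, host) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname
        if not host:
            continue  # e.g. the "not-a-url" line: no host to inventory
        yield m.group("user"), host


def build_inventory(text):
    """Summarise sanctioned usage and Shadow IT candidates from a log."""
    sanctioned_users = defaultdict(set)  # app -> users seen using it
    shadow = defaultdict(set)            # unknown host -> users seen
    hits = Counter()                     # host -> request count
    for user, host in parse_log(text):
        hits[host] += 1
        app = classify(host)
        if app:
            sanctioned_users[app].add(user)
        else:
            shadow[host].add(user)
    return {
        "sanctioned": {app: sorted(u) for app, u in sanctioned_users.items()},
        "shadow_it": {h: sorted(u) for h, u in shadow.items()},
        "hits": dict(hits),
    }


if __name__ == "__main__":
    report = build_inventory(SAMPLE_LOG)
    print("Sanctioned apps in use:")
    for app, users in report["sanctioned"].items():
        print(f"  {app}: {', '.join(users)}")
    print("Shadow IT candidates (follow up with these users):")
    for host, users in report["shadow_it"].items():
        print(f"  {host} ({report['hits'][host]} requests): {', '.join(users)}")
```

Run it against a real proxy or DNS export and the "shadow_it" section becomes the list of vendors to add to the inventory (or block), and the users to survey, as the step above recommends.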

Step 2: Enhance Security Measures

Turn on multi-factor authentication (MFA). Two-factor authentication (2FA) or similar provides an added barrier for the bad actor. Done right, it adds little friction for your users while stymieing the cybercriminal.

Step 3: Backup Your Data

If the worst does happen, you want immediate access to a backup of your important systems, as it can reduce your downtime. A current backup can also reduce the risk of your having to give in to a ransomware demand.

With cloud-based apps, business owners forget to back up data that was generated in the cloud. You will want either a third-party service to back up the data on your cloud services or to download a copy to a local computer.

Step 4: Track Third-Party Vendor and Cybersecurity News

With the inventory you completed in step 1, you’ll know what apps to follow. You might set an alert for announcements about those brands and “breach.” Also, make sure that your contact information with the third-party vendor is current. That way, you are sure to get any notifications they might make. Plus, immediately install any patches and security updates they provide.

Working with Zakini will help you beef up your security measures. Consider us the brave knights on the barricades helping to keep an eye out for attackers. As your MSP, we can inventory your apps and make sure you are working safely. Contact us at 305 400 0992.
