Today's sophisticated internet attacks exploit a combination of vulnerabilities. Consequently, a one-to-one protection approach that pairs a single security technology with a single threat is no longer enough. To counter current internet-borne attacks effectively, a multi-vector security strategy must be in place.
To understand this better, consider the example of the wide-scale SQL injection attack that hit websites in early May 2012.
Deciphering the attack
In the first step, an attacker checks trusted websites for vulnerabilities such as SQL injection or XSS. In this incident, the attackers used SQL injection to add an iframe to trusted but vulnerable websites, which redirected visitors to one of the following domains: hgbyju.com, hnjhkm.com, nikjju.com, or njukol.com. At this stage, where a security loophole in the website is exploited, the risk of a successful attack could have been reduced with a reactive security technology such as a web application firewall. It could also have been averted through proactive security technologies like:
- Source code review and binary analysis (static, non-runtime)
- Web application scanner (dynamic, runtime)
The attack in question aimed at various popular websites and indiscriminately targeted unsuspecting visitors. Although step two in the figure was not actually part of this attack, it could have been used to make it more effective: sending an email to a targeted victim tempting them to visit a website compromised via SQL injection or XSS. This is the second stage at which the risk can be reduced, by deploying a security technology such as a spam filter to intercept phishing emails.
The third step involves the victim visiting an apparently trustworthy website and being redirected to a malicious one. This is the third stage at which the attack could have been stopped, by deploying a security technology such as a content filter, which could block either the dangerous content from the malicious website or the entire website itself.
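The following example, added here and not part of the original article, shows the defensive checks for stage one (a scanner looking for the injected iframe in a site's pages) and stage three (a content filter stripping it before it reaches the visitor), using the four redirect domains named above. The sample HTML is constructed; the helper names are hypothetical.

```python
"""Detect and strip injected <iframe> redirects of the kind used in the
May 2012 mass SQL injection campaign (hypothetical helper code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Redirect domains named in the write-up above.
REDIRECT_DOMAINS = {"hgbyju.com", "hnjhkm.com", "nikjju.com", "njukol.com"}

# Constructed sample: a compromised page as a scanner or filter would see it.
SAMPLE_HTML = """<html><body><h1>Product list</h1>
<p>Welcome</p><iframe src="http://nikjju.com/r.php" width="0" height="0"></iframe>
<iframe src="https://www.example.com/embed"></iframe></body></html>"""


class IframeCollector(HTMLParser):
    """Collect the src attribute of every iframe start tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.srcs.append(dict(attrs).get("src") or "")


def host_matches(src, domains):
    """True if the URL's host is one of the domains or a subdomain of one."""
    host = (urlparse(src).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def find_injected_iframes(html, domains=REDIRECT_DOMAINS):
    """Stage 1 (scanner): iframe srcs that point at known redirect domains."""
    parser = IframeCollector()
    parser.feed(html)
    return [s for s in parser.srcs if host_matches(s, domains)]


# Matches a full <iframe ...>...</iframe> element (not self-closing forms).
IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe\s*>", re.I | re.S)

def filter_content(html, domains=REDIRECT_DOMAINS):
    """Stage 3 (content filter): strip matching iframes; return (html, count)."""
    removed = 0
    def repl(match):
        nonlocal removed
        if find_injected_iframes(match.group(0), domains):
            removed += 1
            return ""
        return match.group(0)
    return IFRAME_RE.sub(repl, html), removed
```

Self-closing `<iframe .../>` forms are still reported by `find_injected_iframes` but are not stripped by the regex, so a production filter should block the whole response when detection and removal counts disagree.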