Top 3 OWASP Risks for the Financial Services Industry in 2021 and How to Mitigate Them
The Open Web Application Security Project (OWASP) is a non-profit organization that helps security experts protect web applications from cyber attacks. OWASP has 32,000 volunteers around the world who conduct security assessments and research cybersecurity threats that the broader cybersecurity community should be aware of.
The OWASP Top 10 gathers the most significant security risks affecting web applications into a single document and is widely regarded as the reference document for web application security risk. Of course, there are well over ten security risks. The goal of the OWASP Top 10 is simply to identify the risks security professionals need to pay special attention to so they can develop plans to mitigate them. OWASP periodically rates each risk against four criteria: exploitability, prevalence, detectability and business impact. Using their assessment of these factors, they identify the ten most serious attack risks. The full description of the OWASP Top 10, last updated in 2017, is available from OWASP.
The top three OWASP attack risks by volume that have impacted the financial services industry since early 2021 are data leakage, RCE/RFI, and cross-site scripting (XSS).
Data leakage falls under OWASP category A3:2017-Sensitive Data Exposure. The OWASP organization sums up the risk as follows: “Many web applications and APIs do not adequately protect sensitive data, such as financial and health information and personal information. Attackers can steal or modify this weakly protected data to commit credit card fraud, identity theft, or other crimes. Sensitive data can be compromised without additional protection, such as encryption at rest or in transit, and requires special care when exchanged with the browser.”
OWASP classifies RCE/RFI as A1:2017-Injection. According to OWASP, “Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”
Overview: Key Risks of OWASP for the Financial Services Industry
| Attack name | OWASP category | Share of attacks | Main risk for the financial services industry |
|---|---|---|---|
| Data leakage | A3:2017-Sensitive Data Exposure | 21.9% | Data leaks allow attackers to steal or modify weakly protected but high-value sensitive financial data, enabling credit card fraud, identity theft or other crimes. |
| RCE/RFI | A1:2017-Injection | 20.5% | For financial services in particular, when remote attackers execute malicious code on servers to exfiltrate data, the data is often sensitive personal data. Once exfiltrated, attackers use it to commit credit card fraud, identity theft, etc. |
| Cross-site scripting (XSS) | A7:2017-Cross-Site Scripting (XSS) | 19.4% | Cybercriminals inject client-side scripts into web pages viewed by other users. Since the malicious script runs client side, it does not attack the targeted website directly but its unsuspecting users. This poses a significant risk to the financial services industry, as cybercriminals can use this method to extract valuable information (e.g. session cookies) that can be used to hijack customer accounts on financial services sites. |
How OWASP’s Risks to Financial Services Compare to Other Industries
Incident volume by attack type in financial services largely mirrored other industries, with the only significant difference being that XSS incidents in financial services were nearly 8% higher, likely due to the increase in the number of people switching to online banking since 2020. Research shows that the pandemic forced the widespread adoption of online banking. According to an analysis by Fidelity National Information Services, in April 2020 the number of new registrations for mobile banking services increased by 200%. The jump accompanied a 50% drop in bank branch traffic in the same month, according to US banking data firm Novantas. Data leakage accounted for the largest number of incidents in financial services at 22%. Again, this may be due to the high number of people using online banking to manage their finances, and also to the high value of the data held by financial institutions, which makes them a bigger target for cybercriminals.
How you can mitigate your risk
As a security professional in the financial services industry, how do you manage these risks?
To mitigate the exposure and leakage of sensitive personal data, you should consider the following:
- Identify sensitive data and apply the appropriate security controls.
- Do not store sensitive data unless it is absolutely necessary. Discard sensitive data as soon as possible, or use tokenization or truncation.
- Encrypt all sensitive data at rest using strong algorithms, protocols, and encryption keys.
- Encrypt data in transit using secure protocols such as TLS, and enforce it with HTTP Strict Transport Security (HSTS).
- Disable caching of sensitive data.
- Store passwords using strong, salted, adaptive hash functions such as Argon2, scrypt, and bcrypt.
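As an added illustration of the last two kinds of control (not code from the original post or from Imperva), the following Python shows salted scrypt password storage with constant-time verification, plus truncation of a card number so that only the last four digits are retained. The scrypt cost parameters and the record format are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt cost parameters; memory use is roughly 128*N*r bytes (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_b64$hash_b64."""
    salt = salt or os.urandom(16)  # fresh random salt for every password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    algo, n, r, p, salt_b64, hash_b64 = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported password hash record")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)  # no early exit on mismatch


def truncate_pan(pan: str) -> str:
    """Truncate a card number (PAN): keep only the last four digits, mask the rest."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 12:
        raise ValueError("not a plausible PAN")
    return "*" * (len(digits) - 4) + digits[-4:]
```

Because the cost parameters travel with each record, they can be raised later for new passwords without invalidating existing ones.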
To mitigate code injection attacks, Imperva recommends:
- Use a secure API that avoids the use of the interpreter entirely.
- Use positive or “whitelist” server-side input validation.
- Escape special characters.
- Use LIMIT and other SQL controls in queries to prevent mass record disclosure in the event of SQL injection.
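The following Python/sqlite3 example (added here; not code from the original post) puts three of these recommendations side by side with the anti-pattern they replace: the unsafe function concatenates the input into the query, while the hardened one applies allowlist validation, passes the value as a bound parameter and caps the result size with LIMIT. The table, its rows and the `ACC-` identifier format are constructed for the example.

```python
import re
import sqlite3

# Allowlist for the (constructed) account identifier format: "ACC-" followed by four digits.
ACCOUNT_ID_RE = re.compile(r"ACC-\d{4}")


def make_db() -> sqlite3.Connection:
    """Build an in-memory table holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_id TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("ACC-1001", "Alice"), ("ACC-1002", "Bob"), ("ACC-1003", "Carol")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, account_id: str) -> list:
    """Anti-pattern: untrusted input becomes part of the SQL text the interpreter parses."""
    sql = f"SELECT account_id, owner FROM accounts WHERE account_id = '{account_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, account_id: str, limit: int = 1) -> list:
    """Hardened: reject anything outside the allowlist, bind the value, cap the rows."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("account_id rejected by allowlist validation")
    # The '?' placeholders keep data and query text separate; LIMIT bounds disclosure.
    sql = "SELECT account_id, owner FROM accounts WHERE account_id = ? LIMIT ?"
    return conn.execute(sql, (account_id, limit)).fetchall()
```

Even if the allowlist check were omitted, the bound parameter alone would make the same input match no rows, because it is treated as a literal string rather than as SQL.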
A web application firewall (WAF) is the most commonly used solution for protecting web applications against XSS attacks. WAFs block attack vectors with signature-based filtering that identifies and rejects malicious requests.
Learn more about how Imperva protects financial services data and all the paths to it.
*** This is a syndicated Security Bloggers Network blog post written by Grainne McKeever. Read the original post at: https://www.imperva.com/blog/the-top-3-owasp-risks-to-the-financial-services-sector-in-2021-and-how-to-mitigate-them/