It is an accepted fact nowadays that our current society is largely dependent on cyber technologies. Majority of people store their personal files and information online, do transactions over the Internet, and use the World Wide Web as one of their primary forms of communication. Aside from people, many companies and economies are powered by the internet. Thus, it can be said that the internet is an indispensable part of today’s society.
Despite this fact, the World Wide Web is still largely unprotected due to its status as a free and autonomous system, free from any governing bodies or policies. Because majority of tasks are done online now, this makes the Internet a primary target for criminals to perform their deeds. They exploit the security issues of the Internet and use it to obtain data that can be used for various crimes. These are collectively known as the threats to web security, and these primarily come in the form of malware and fraudulent transactions although other tactics involve emails and hyperlinks. Aside from stealing data, they also makes infected computers be a part of a larger botnet, which in turn can be used to attack other major data systems (“What Are Web Threats—Definition”).
Web security threats pose a great risk to today’s society. The may result in identity theft, financial problems (especially when data related to banking is involved), and in the tarnishing of the reputation by an individual or a collective group. There is therefore a need to identify some of the most common web security threats, and various methods in which they can be fixed and prevented.
Phishing
One of the oldest tactics in web security threats is phishing, in which a user is tricked into believing that a fake copy of a website is in fact the original one. Phishing largely relies on the facts that web sites, including ones that are similar to other sites, can be created over the internet, and a largely undiscerning individual cannot tell the difference between the two sites. Once a user is led to believing that a fake website is a real one, then there is the potential to enter highly sensitive information in the fake site, in which criminals can then collect and use for other crimes. Phishing usually occurs in hyperlinks found in email addresses and the like (“Phishing”).
Take for example a phishing scenario involving a fake banking website. The user comes across a fake security warning that asks for the user’s bank account and password. The unknowing user then gives out the information in the hopes that doing so will strengthen the security of his or her account, but the opposite happens. The person behind the phishing site has now access to information and can use it to withdraw money, or to commit identity theft. A similar scenario can happen in social media sites like Facebook. If a user enters their email address and password into these fake sites, then their account is compromised and can therefore be used for spam attacks, among other things.
The most effective way in shielding one’s personal information is checking the URL—the address of the website—to see if it is in fact, the genuine site and not merely a replica. Fake sites have their domain names misspelled, or have their URLs completely different. In addition, clicking on links is discouraged when manually typing out the address of the site or using a bookmark will do. In this way, threats due to phishing can be largely eliminated.
Web Browser Exploits
Another way in which cybercriminals can pose a threat to web security is by use of web browser exploits. This involves using certain security flaws in browser in order collect information regarding the user without their consent. Because browsers are specifically designed to browse the Internet (hence the name), they are complex pieces of software; they are able to open HTML files, various software like PDF files and Flash players, and multimedia files such as images, sounds, and videos. However, no matter how sophisticated web browsers are, they are still designed by humans and are thus subject to flaws. For example, Firefox 3.0 is estimated to have at least 130 vulnerabilities (“Web-based Security Threats: How Attacks Have Shifted and What to Do About It”). If cybercriminals take hold of even one of those, they can breach the security of the users of these browsers and therefore compromise their accounts. They can collect information that normally the user of the browser has access to. Like many other web security threats, web browser exploits can ultimately lead into identity thefts (“Securing Your Web Browser”).
The most efficient way to avoid web browser exploits is to regularly update the browser an individual is using. Each browser update fixes all the detected flaws in the previous browser version, thereby making the browsing experience relatively safer and rendering security threats that rely on these security flaws void. In addition, it is recommended to use browsers that have the least amount of bugs, such as Google Chrome or Firefox. These browsers have a large amount of users, thereby making detection of potential security breaches far much easier. In addition, these browsers have a committed group of software engineers who work on detected flaws so that they can be improved on the next update.
Third Party Add-ons
Add-ons are various software designed to help an individual enjoy the full range of his or her browsing experience. Some of the popular third part add-ons are Adobe Flash Player, which allows the user to view and play Flash files, and Acrobat Reader, which allows viewing of files in PDF format. These two can be integrated into web browsers. However, due to their prevalence, cybercriminals have used them as a vectors in which to promulgate their attacks. Software updates on the OS, as well as recent updates on the browsers used, have made it difficult for criminals to target browsers and operating systems. However, even when users continually and regularly update their browser to the latest version to protect themselves, most forget to update these third party add-ons as well. As a result, criminals exploit the vulnerabilities in these add-ons as a means of furthering malware and the like (Cobb).
The main way to address these threats is to update these add-ons regularly. Like browsers, these software regularly check for bugs in the previous versions and attempt to fix in the next update. Another alternative is to use browser that have built-in add-ons so as to reduce the use of third party add-ons in the first place. Google Chrome, for example, has a built-in Flash Player that does not require Adobe Flash Player in the first place.
Downloads and Executable Files
While cybercriminals generally prefer security attacks that run in the background without the user’s consent, a better breach of security can be achieved through the use of executable files, which requires the user to download and install these files on their computers in the first place.
In order to make users run executable files, cybercriminals need to gain the trust of the users that the file that they are running will not harm their computer. One way to do this is to use the reputation of highly legitimate websites. When a trusted website asks a user to run a file in order to use the website to its full extent, they will do so without first checking if the executable file is safe. However, installing a safe executable files usually comes with other programs that will be too installed in the system if the user is not careful and meticulous in checking what programs are being allowed to run on his or her computer.
Another way is to exploit on the consumer’s fears that their account and personal data are being compromised. For example, a program may falsely warn a user that their computer is infected with various amount of spyware and in order to remove those, a certain antivirus program must be installed on the system. However, the antivirus program that is being encouraged to be installed is also a spyware in itself under the guise of a malware blocking program.
Lastly, criminals may employ fake search engines—websites that collect highly popular keywords and use an algorithm to make them rank high in top search lists. However, malware will be installed on the user’s computer the moment these links are clicked.
The most effective way to prevent these is to be meticulous in the usage of the Internet. When a software is asked to be installed, a careful reading of the Terms and Conditions, as well as inspection of the other offers that come with the software, is required so as to minimize the installation of unwanted software that could potentially harm the computer. In addition, individuals must also be wary of the links and offers that crop up on the Internet—they needs to make sure whether these are legitimate or merely a scam (“Web-Based Security Threats”).
DDoS Attacks
A distributed denial-of-service attack is a technique used by hackers to render a site unusable by flooding it with traffic from various sources, using and exceeding its bandwidth and overloading its server with requests. As a result, access to the site is severely limited. This practice is termed as such because the requests from the site comes from many computers at once, usually ones that are part of a larger botnet (Zetter). A DDoS is not hazardous to a site’s data per se; it is how it can be combined with other web threats that makes it so powerful.
Like any other web-based threat, the way to ensure that one’s computer will not be a part of a DdoS is to regularly scan for malware.
Conclusion
These examples are only a few of the myriad of security threats happening on the Internet today. Although they have different modes of execution, they all have the same intent: to obtain data that will be used to commit other crimes. In many cases, cybercriminals will employ a hybrid of these attacks.
As always, the best method of solution to these threats is prevention—one should keep their personal, and online security strong and up-to-date. One must employ common sense so as to shield his or her data from cyber threats.
Works Cited
Cobb, Michael. "Web Browser Extension Security: Mitigating Browser Plug-in Threats." TechTarget. TechTarget. Web. 24 Apr. 2016. <http://searchsecurity.techtarget.com/tip/Web-browser-extension-security-Mitigating-browser-plug-in-threats>.
"Securing Your Web Browser." US-CERT. Department of Homeland Security, 8 Sept. 2015. Web. 24 Apr. 2016. <https://www.us-cert.gov/publications/securing-your-web-browser>.
"Web-based Security Threats: How Attacks Have Shifted and What to Do about It." GFI. GFI Security, 2011. Web. 24 Apr. 2016. <http://www.gfi.com/whitepapers/GFI-Web_Based_Threats_v2_Whitepaper.pdf>.
"What Are Web Threats—Definition." Kaspersky Labs. Kaspersky Labs. Web. 24 Apr. 2016. <https://usa.kaspersky.com/internet-security-center/threats/web>
Zetter, Kimberly. "Hacker Lexicon: What Are DoS and DDoS Attacks?" Wired. 16 Jan. 2016. Web. 24 Apr. 2016. <http://www.wired.com/2016/01/hacker-lexicon-what-are-dos-and-ddos-attacks/>