Modern Web Security Basics

Today’s digital, hyper-connected world has enhanced our lives, both personally and professionally. The internet, mobile devices, cloud computing, social networks and a dozen of other things enable us to be connected to each other all the time. They also allow us to work remotely, and to conduct our entire business online (for example, e-commerce stores).

But this rapid technology development brought with it a rising threat: cyber-crime.

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

Generally, web threats are malicious software programs designed to target online users. They can appear in many forms such as viruses, spam, phishing, spyware, adware, bots and other versions of cybercrime designed to infect victims’ computers. These programs are installed without the consent of users and can cause a number of unpleasant effects, such as crippling computer performance, mining systems for personal data, erasing data or even adversely affecting the operation of computer-controlled hardware.

In this article we’ll take a look at web security basics, such as  types of malicious cyber-attackers, most common cyber-attack types, and how to protect yourself from them.

Types of malicious cyber-attackers

As more sophisticated ways to infiltrate user systems are being developed, the malware market is constantly expanding. Cybercriminals use malware to harass their targets or to steal sensitive data.

Those who execute those kinds of attacks are usually:

Extortionist – Threaten to disable a website and then demand ransom money to prevent an attack.

Exfiltrators – Use decoy attacks to divert attention from their real objective – stealing data they can monetize, whether that’s intellectual property or credit card credentials.

Hacktivists – Different than other types of attackers, they want to make a political statement or shine a spotlight on a cause. Their attacks can seem random and are often incited by a particular news story. When they run into security controls they’re unlikely to back off.

Competitors – May disable your site to gain an advantage; or they might screen scrape information on your site, for example, to determine and beat your pricing.

Most common types of attacks

With the advent of cloud computing, organizations are rapidly moving toward cloud-based applications for many of their business processes thus eliminating the need for costly appliances consisting of on-premise hardware and software solutions. Cloud delivery eliminates many of the security issues that plague traditional business-technology systems such as patching and software misconfiguration.

The automation of software updates eliminates a substantial burden for the IT staff, and reduces the amount of time and expense required to manage ongoing operations.

  • A rise in application layer attacks as hackers probe and exploit vulnerabilities in web service security using techniques such as HTTP floods, buffer overflow exploits, or SQL injections
  • The advent of multi-dimensional attacks that combine multiple tactics and attack avenues, such as an attention-diverting DoS attack coupled with a SQL injection attack aimed at stealing data
  • Dramatic growth in the scale of attacks, as attackers employ large networks of automated “bots”
  • The emergence of politically-motivated “hacktivists” who seek to advance their cause with high-profile attacks on corporate or government web properties

Distributed Denial of Service (DDoS) attacks

The distributed denial-of-service attack (DDoS) has as its final goal to stop the functioning of the targeted site so that no one can access it. The services of the targeted host connected to the internet are then stopped temporarily, or even indefinitely, which can cause a significant loss of revenue.

The hack is done through the master computer system that communicates with, sometimes as many as hundreds of thousands, controlled end user machines. These machines, known as zombies or bots, follow the instruction from the master system and massively launch packets at the targeted site to overwhelm the targeted machine and stop it from functioning.

Common types of DDoS attacks include:

  • DNS flood
  • UDP amplification
  • HTTP flood
Diagram illustrating a DDoS attack from bots to a targeted victim.
Image Source

DDoS attack tools available on the internet are rapidly growing in numbers and types, but so are the techniques that try to lessen the intensity of the attacks i.e. lower the number of the packets launched at the targeted host. Those techniques are known as the DDoS mitigation methods. Packets that flood the targeted system come from multiple sources, and sometimes multiple techniques must be combined.

The attack prevention also depends on the entire internet community and their keeping of machines up to date with patches and security tools.

If you want to learn more about DDoS attacks and how to prevent them, check out our comprehensive DDoS guide.

Phishing

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.

An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identify theft.

Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.

Bad Bot threats

A bot is a software application that runs automated tasks (scripts) over the Internet. Typically, bots perform tasks that are both simple and structurally repetitive, at a much higher rate than would be possible for a human alone. The largest use of bots is in web spidering (web crawler), in which an automated script fetches, analyzes and files information from web servers at many times the speed of a human. More than half of all web traffic is made up of bots.

Bad bots scrape data from sites without permission in order to reuse it (e.g., pricing, inventory levels) and gain a competitive edge. The truly nefarious ones undertake criminal activities, such as fraud and outright theft.

The Open Web Application Security Project (OWASP) provides a list of the different bad bot types in its Automated Threat Handbook.
Left unaddressed, bad bots cause very real business problems that could harm the success — or even the continuance — of your organization.
If you’re interested in learning more about current Bad Bot threats, and how to prevent them, check out our free Bad Bot Report 2018.

Conclusion

This article was just a short introduction into various modern web threats. We’ll take a deeper look at various cyber-attacks techniques, and how to prevent them, in following weeks. Until then, if you have any questions about how we can help you protect your website and business from bad bots, contact us today to help you out with your performance and security needs.

Latest Articles

Complying with AWS’s RI/SP Policy Update: Save More, Stress Less

Shared Reserved Instances (RIs) and Savings Plans (SPs) have been a common workaround for reducing EC2 costs, but their value has always been limited. On average, these shared pools deliver only 25% savings on On-Demand costs—far below the 60% savings achievable with automated reservation tools. For IT and DevOps teams, the trade-offs include added complexity, […]

Itay Tal Head of Cloud Services
21st November, 2024
Three Ways CISOs Can Combat Emerging Threats in 2025

73% of CISOs fear a material cyberattack in the next 12 months, with over three-quarters convinced AI is advancing too quickly for existing methods to combat it. But what can CISOs do to prepare for the coming wave – and access the resources they need to deal with this evolving threat landscape? To find out, […]

11th November, 2024
How Optimizing Kafka Can Save Costs of the Whole System

Kafka is no longer exclusively the domain of high-velocity Big Data use cases. Today, it is utilized on by workloads and companies of all sizes, supporting asynchronous communication between even small groups of microservices.  But this expanded usage has led to problems with cost creep that threaten many companies’ bottom lines. And due to the […]

Itay Tal Head of Cloud Services
29th September, 2024
Migrating Volumez RedHat VMs into Amazon Linux 2 for higher effective discounts rate of Saving Plan

A cloud data infrastructure company relied on extensive use of multiple instance types to test its products. But this made it difficult to optimize costs – a fact which had begun to impact their ability to scale the business.   The GlobalDots team helped the company identify and implement a new infrastructure configuration that both saved […]

Itay Tal Head of Cloud Services
19th September, 2024

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser

    CTO

    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni

    CIO

    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services