Web-based Application Attacks and Identity Thefts Require an Emergency Response Plan, Breach Security Suggests Appropriate Measures for Implementation

The question is no longer if an attack will happen. It’s a matter of when and how an organization minimizes damage.

CARLSBAD, Calif. – June 24, 2005 – Breach Security, Inc., a pioneer of web application security solutions, today encouraged enterprises to immediately put a plan into place to address and minimize the damage of malicious attacks against their web-based applications, such as online banking, e-commerce and healthcare systems.

According to Breach, and as demonstrated by the many large-scale attacks over the past month, identity theft is no longer a question of whether, but when an organization will suffer an attack. Faced with sophisticated hackers who have moved beyond network attacks to exploit the always-open ports 80 and 443, organizations must focus on responding to and minimizing the inevitable damage.

Since web applications are by nature unique and constantly evolving, they require customized application-level protection that is both continuous and challenging to maintain manually. Web applications are obvious targets because they enjoy widespread deployment and can allow attackers to circumvent traditional perimeter security measures such as firewalls and IDS/IPSes. They are a serious security concern because they allow attackers easy access to confidential information without having to compromise individual servers.

As recently noted by Gartner, consumers are taking notice of all these security threats and attacks, and this is having a direct adverse effect on e-commerce. Gartner said people are shopping less online, which in the end will slow down e-commerce growth. According to recent figures from IDC, annual e-commerce revenue is projected to increase from $9.2 trillion this year to $12.8 by the end of 2006.

“If these incidents of identity theft are allowed to continue unabated, they will erode consumer confidence in online commerce and have a significant impact on retail sales this upcoming holiday season,” according to Kevin Overcash, Vice President of Product Management at Breach.

“Although there’s no silver bullet for web-based security,” said Marc Shinbrood, CEO of Breach Security, “there are appliances that can provide 99.9% protection. We strongly suggest that organizations understand the areas of vulnerability so they can mitigate risks by implementing solutions that provide the best protection against hacks today and, in addition, implement a plan of action so they’re prepared for attacks.” Shinbrood added, “Organizations shouldn’t be surprised by an attack anymore and should immediately be prepared to minimize damage to their customers and the company.”

Breach suggests an Emergency Response Plan that includes at least the following security measures:

  1. Test applications for security defects and identify areas of risk during development and deployment;
  2. Recognize the limits of network intrusion detection and prevention systems to defend against application-layer attacks on Web applications. Most cannot be customized for the unique vulnerabilities of each web application. Further, many such systems do not support real-time decryption of SSL-encrypted Web application traffic, and are thus blind to many application-layer attacks;
  3. Acknowledge that hackers will be able to extract sensitive identity information from databases connected to Web applications by performing extensive and invisible reconnaissance;
  4. Realize 100% protection against web-based attacks doesn’t exist. However, intelligent solutions exist that address the existing security challenges and provide protection of application vulnerabilities in a comprehensive, flexible way;
  5. Immediately execute the Emergency Response Plan when attacked. The plan identifies how to repair the areas of breach and how to immediately notify customers at risk; and
  6. Implement a Web application security solution with forensics capability so that in the event of a breach, the steps leading up to it as well as the consequences are known. This is especially significant when regulations require notification of customers impacted by the breach, as organizations can notify the specific customers affected rather than notify all customers that their information might have been stolen.

About Breach Security, Inc.

Breach Security, Inc. is a leading provider of next-generation web application security that protects corporate-critical information. Breach effectively protects web applications of commercial enterprises and government agencies alike against Internet hacking attacks and provides an effective solution for expanding security challenges such as identity theft, information leakage, and insecurely coded applications. Breach’s solutions are ideal for any organization’s regulatory compliance requirements for security.  Breach was founded in 2004 and is headquartered in Carlsbad, Calif. For more information visit: www.breach.com.

# # #


Breach Security, BreachGate WebDefend and BreachMarks are trademarks of Breach Security, Inc. All other companies’ names and product names are trademarks of their respective organizations.

Media Contacts:

Breach Security, Inc. U.S.

Dan Chmielewski, Principal
Madison Alexander PR, Inc.
dchm@madisonalexanderpr.com
(949) 231-2965