While reading through my blog inbox and writing up my 2010 Wishlist for work, I thought I’d drop a quick post to highlight five web security ‘problem areas’ that still exist after at least a decade of patches, pleas, and regulatory requirements.
- SQL Injection
- Hack the Web Server
- Cross Site Scripting
- Cookie Tampering
- Session Hijacking
I often find myself explaining what these are and providing examples, in order to garner support for remediation.
The traditional network security approach to securing your web servers and database servers is more than likely going to get you in trouble some day. Think about it. Network security preaches deny everything and permit only what you need. Great: open up port 443 and send encrypted traffic to your web server, and every attack against the application itself rides in on the one port you allowed. KaBOOM, gotcha!
PCI DSS called for implementing code reviews and web-application firewalls (WAFs) in order to stay compliant and fight off the Breach Boogieman; the code-review requirements are outlined in section 6.
Some ‘experts’ believe web firewalls are just another piece of technology being thrown on the bonfire, while others believe you will never find all the potential bugs and flaws in an organization’s custom code, let alone in commercial software.
Interestingly, there continue to be heated discussions about the usefulness of WAFs, where they have to be deployed, what they are supposed to inspect, and whether businesses should be distracted by WAFs in the first place. The most important aspect of all this is the functionality this technology is supposed to provide. The WAF requirement is outlined in requirement 6.6:
- Verify that an application-layer firewall is in place in front of web-facing applications to detect and prevent web-based attacks.
Make sure any WAF implementation meets the full extent of the requirement, because “detect and prevent web-based attacks” can get a little sticky. As technology goes, there are a few variations in how WAFs have been developed. Some products use reverse proxying to interrupt the web session for the ‘detect’ and accomplish the ‘prevent’ by only allowing valid sessions through. This validation is done in the same variations as typical IDS/IPS operation: you get your choice of signatures, anomaly detection, protocol inspection, and combinations thereof. Other products skip the proxy function and monitor the web traffic like a traditional IDS/IPS for known or suspicious threats, either in-line or via a SPAN or TAP. Companies can not only choose their type of technology but can also decide between open-source software, commercially supported products, or a cross between the two.
The open-source route offers mod_security for Apache, and if companies need commercial support, you can get an appliance running mod_security. I found it interesting that, in a recent Oracle Application deployment, Oracle recommended the use of mod_security to serve as an application-layer firewall and URL-filtering firewall for DMZ deployments. If mod_security doesn’t fit your needs, Guardian is another open-source product with detection and prevention capabilities. Both have commercial support and product options.
mod_security has some other interesting options. It is possible to take the Snort web signatures and convert them to mod_security rules via a script provided with mod_security. There are also several groups that provide signatures and rules for mod_security to identify new threats.
Outside the open-source space, there are products like Imperva’s SecureSphere gateways that use anomaly detection and profiling to determine whether something should or should not be allowed to access a web server. This company’s product line features an interesting twist: the dynamic profiling technology relied upon to ‘detect and prevent’ comes from none other than the man who developed ‘stateful packet inspection’ in CheckPoint firewalls.
Alongside Imperva are F5, Cisco, CheckPoint, and the usual list of security vendors ready to snatch up your “bail-out” funding 🙂 . As with any security technology, only a review of your organization’s needs and a thorough pilot of the prospective technology will identify the best fit for your organization.
At the end of the day, the use of WAF technology to mitigate web application security risks is but one of the many defenses an organization should have in place to provide data security and data privacy.
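As an added example (not code from the original post or from the mod_security project), the configuration below shows how the ‘detect’ versus ‘prevent’ distinction and the signature-style and protocol-validation rule styles described above look in mod_security (ModSecurity 2.x) rules. The rule ids, the SESSIONID cookie name and format, and the audit log path are assumptions made for this example.

```apache
# Added example: minimal ModSecurity 2.x rule set illustrating 'detect' vs 'prevent'.
# Rule ids in the 100000 range, the cookie name and the log path are assumptions.

# DetectionOnly logs rule matches but never blocks: this is 'detect' without 'prevent'.
# Switch to On once the rules have been tuned against real traffic, or the
# deployment does not meet the "detect and prevent" wording of requirement 6.6.
SecRuleEngine DetectionOnly

# Inspect request bodies (POST parameters), not just the URL and headers.
SecRequestBodyAccess On

# Default disposition for phase-2 rules that do not set their own: block and log.
SecDefaultAction "phase:2,deny,status:403,log,auditlog"

# Signature-style rule: libinjection-based SQL injection check over all parameters
# (the @detectSQLi operator ships with recent ModSecurity 2.x releases).
SecRule ARGS "@detectSQLi" \
    "id:100001,phase:2,t:none,\
    msg:'SQL injection attempt in request parameter',severity:CRITICAL"

# Cross-site scripting check over request parameters and cookie values.
SecRule ARGS|REQUEST_COOKIES "@detectXSS" \
    "id:100002,phase:2,t:none,\
    msg:'Cross-site scripting attempt',severity:CRITICAL"

# Protocol/positive-validation rule: if a SESSIONID cookie is present it must be a
# 32-character lowercase hex token; anything else is treated as cookie tampering.
# A request without the cookie does not match this rule at all.
SecRule REQUEST_COOKIES:SESSIONID "!@rx ^[0-9a-f]{32}$" \
    "id:100003,phase:2,t:none,\
    msg:'Session cookie does not match expected format (possible tampering)',severity:ERROR"

# Write a full audit record only for transactions that triggered a rule.
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
```

With the engine in DetectionOnly mode every match above appears in the error and audit logs with the rule id and msg but the request is still served; only with SecRuleEngine On does the deny action return the 403.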
What do you use to guard the security of your web applications?
You’ve read the reports, seen the stats, and probably heard the hype: XX% of Security Breaches are done by insider threats.
Insider threat boils down to a problem of trust. Employees are implicitly trusted, in most organizations, to perform the duties they are assigned in the manner they were instructed. The consequence for not doing so is, theoretically, termination, which happens to be one of the more prevalent triggers of insider incidents according to several sources. The Insider Threat Study research concluded:
[I]nsider attacks have occurred across all organizational sectors, often causing significant damage to the affected organizations. These acts have ranged from low-tech attacks, such as fraud or theft of proprietary information, to technically sophisticated crimes that sabotage the organization’s data, systems, or network. Damages are not only financial; widespread public reporting of the event can also severely damage the organization’s reputation.
I would argue that insiders have ALWAYS been more likely to create, cause, or influence a security incident than outsiders, by a comfortable majority. The reasoning: back in the “good ole days”, when 56K frame relay lines tied offices to branch offices and the Internet was just catching on, most security incidents occurred because someone brought in an infected floppy disk from home or took home a Zip drive full of company information. It was practically impossible, short of a physical break-in, for most organizations to face an outsider security threat. There was no email server to send spam to or Internet-facing web server to hijack, and there certainly wasn’t some outsourcing effort in India to be concerned with.
CERT has an entire section devoted to understanding insider threats, from the behavioral aspects to the implications for various industries, obtained through joint research with the US Secret Service. They also clarified what an insider is, for purposes of their research and case investigations:
The definition of an insider for this study includes current, former, or contract employees of an organization. USSS NTAC.
Their research suggests that most insider incidents were carried out by less technical personnel; it wasn’t always an administrator-level individual. The research also suggests that most insider incidents “did not rely on extremely sophisticated attacks”. This might be comforting to companies with multiple highly talented network, system, or security administrators who have detailed knowledge of key systems. There are a number of websites that discuss prevention and detection methods for dealing with and responding to insider threats and incidents, in addition to the CERT/USSS research:
- US Security Awareness
- Mike Chapple distills the USSS/CERT Research
- InfoWorld: Fear of Insider Threats Hit Home
- eWeek: Inside the Insider Threat
- Reprint of DOD Security Awareness Bulletin
It is also important to note that this threat is not limited to companies but extends to government agencies as well. Here is an interesting article I came across, entitled Losing Secrets, that emphasises the relevance of insider threats to national security.
Security has become sexy and it has become widely accepted. TV shows sport trendy security speak and security gadgets. Forensics is so popular that all the major networks have shows based in some part on forensics. Indiana Jones (Harrison Ford) starred in a movie named, oddly enough, Firewall. I thought Firewall was a much better movie than Swordfish with John Travolta and Halle Berry, even though Berry is much cuter than Ford. I would be remiss if I didn’t mention 24 or CSI:Everywhere.
For all the marketing, awareness, and research being poured into security, one might think we would be able to solve the rampant security problems of the current era: data loss, fraud, and identity theft. Unfortunately, two opposing forces undermine security or take advantage of its absence, visible in the following observation: businesses often fail to embrace security, because of perceived costs or rigidity, until after it is too late, while criminals find security, or rather the lack of security, a very profitable proposition.
Looking at one aspect of why things are where they are:
Business: The Flaw with Consensus
In a perfect world, businesses map out their business model, identify their assets, determine their risks, and implement policies and measures to mitigate or accept those risks. Most businesses pick and choose security models inside their company based on their access needs and use of the data in these electronic storehouses. Security is always a balancing act because it gets in the way of a business’s bottom line and exceptions to newly implemented policy are often needed in order to continue business operations. As long as security is ruled by consensus, these compromises will leave lasting effects that can be leveraged by the bad guys.
The Security Landscape ends up being the sum of compromises instead of the artifact of Security Policies and Practices.
Enter The Bad Guys:
Unfortunately, the bad guys often have more interest, resources, and desire to exploit security than their would-be targets have to protect themselves. In fact, organized crime has more money to spend on, and to be made from, gaining access to electronic record storehouses than the businesses that own those storehouses typically invest in securing them. Sadly, the bad guys don’t care whether their target is a Fortune 500 company or not.
Small businesses make as good a target as any major brand or corporation, and because of the dependence on the Internet, more and more companies are exposing their information to more and more of the world. This exposure is universal and provides a virtual playground for the bad guys to take advantage of these businesses through network probes, phishing, pharming, and botnet attacks.
If this weren’t enough, for a given business that manages to put adequate security in place to thwart electronic trespassing, there is always the human factor. Every organization on this planet has disgruntled, under-paid employees who would welcome an unexpected payday for sharing their password or other sensitive information. It’s more efficient to probe the network defenses of a company than to identify these disgruntled employees.
What can we do?
Know your business, identify the risks associated with how the business works, and carefully consider how to mitigate those risks. Take the time to understand the technology, people, and processes used in your business. Map out a security strategy that complements the business.
It isn’t necessary to spend a fortune on security or have the latest and greatest widget from Cisco, IBM, or Microsoft. A good technology or security consultant can be worth their weight in gold. If your business is going to rely on technology, it would be wise to retain and listen to staff who fully understand said technology rather than relying on product vendors, who are notorious for over-promising and under-delivering.
The saying is very true: an ounce of prevention is worth a pound of cure.