Web Security. Discovering, Analyzing and Mitigating Web Security Threats

Transcription

1 Web Security Discovering, Analyzing and Mitigating Web Security Threats

2 Expectations and Outcomes Mitigation strategies from an infrastructure, architecture, and coding perspective Real-world implementations that work. The testing aspect of vulnerabilities (tools and techniques). Focus maintained on security strategies rather than coding level implementation (best practices) Managing your hosting service provider Top 10 most critical web security application risks & mitigation strategies Face value and brand risk - Keeping the content fresh and up to date Reference to the National Information Security Strategy & Framework

3 Introduction Computer Forensics Consult is an ICT security consultancy firm founded in Areas of focus include Forensics Security Audits Policy Advisory Business Intelligence Solutions CFC has been in the business of electronic risk mitigation for the past 10 years and currently spend an enormous amount of time doing security research. We have since witnessed a large number of developments in this industry over the years that make security threats more deadly today than they were just a few years ago.

4 Web Security The website has evolved from being simply a collection of pages that give information about a company, cause or brand, to an interactive social and systematic platform where interactions are defined and aggregated. Web sites are unfortunately prone to security risks and so are any networks to which web servers are connected. Setting aside risks created by employee use or misuse of network resources, your web server and the site it hosts present your most serious sources of security risk. Web servers by design open a window between your network and the world. The care taken with server maintenance, web application updates and your web site coding will define the size of that window, limit the kind of information that can pass through it and thus establish the degree of web security you will have.

5 Web Security Threats 1. Bigger, Subtler DDoS Attacks When IT specialists think about distributed denial-of-service attacks, they envision the most basic kind: floods of packets overwhelming a victim's network so that valid requests can't get through. But improvements in defenses have forced attackers to change the way they attack. Packet floods have become larger, maxing out at 100 Gbps. In a six-month campaign against U.S. banks, for which a group of alleged Muslim hacktivists claimed credit, the volume of attack traffic has regularly surpassed 30 Gbps -- throughput rarely seen five years ago. 2. Old Browsers, Vulnerable Plug-Ins Cyber attacks that account for millions of dollars a year in bank account fraud are fueled by browser vulnerabilities and, more frequently, the browser plug-ins that handle Oracle's Java and Adobe's Flash and Reader. Exploit kits bring together a dozen or so attacks on various vulnerable components and can quickly compromise a company's systems if the patches aren't up to date.

6 Web Security Threats 3. Good Sites Hosting Bad Content Attackers are targeting well-known, legitimate websites to take advantage of users' trust in those sites. For example, in the VOHO watering hole attack last year, attackers infected legitimate financial and tech industry websites in Massachusetts and Washington, D.C., commonly accessed by their intended victims, says security vendor RSA. 4. Mobile Apps And The Unsecured Web The bring-your-own-device movement has led to a surge in consumer-owned devices inside corporate firewalls. But mobile apps are notoriously poorly programmed, putting business data at risk. There's been a lot of talk about the increasing amount of mobile malware published online, but few security experts are issuing warnings about how programming mistakes turn legitimate mobile apps into dangerous threats. Poor Programming is as big a risk as malware! 5. Failing To Clean Up Bad Input Since 2010, SQL injection has held the top spot on the Open Web Application Security Project's list of top 10 security vulnerabilities. Dynamic websites that pass search queries or other application inputs to a back-end database server are vulnerable to SQL injection.

7 6. The Hazards Of Certificates Web Security Threats Two years ago, a series of hacks against certificate authorities -- the companies that determine who's trusted online -- gave attackers the tools they needed to issue fraudulent SSL certificates that could disguise a malicious website as a legitimate, well-known company's site. The attacks, against Comodo, DigiNotar and other certificate authorities, underscored the danger of relying too much on a single security technology. 7. The Cross-Site Scripting Problem Attacks exploiting cross-site scripting flaws let the attacker run scripts as if they came from a vulnerable website. They don't give the attacker access to the vulnerable website but instead target the users that go to that site. An attacker going after a banking site with a cross-site scripting vulnerability could run a script for a login box on the bank's page and steal users' credentials. "XSS exploits the trust that a browser has for a website 8. The Insecure 'Internet Of Things' Routers and printers, videoconferencing systems, door locks and other devices are now networked via Internet protocols and even have embedded Web servers. In many cases, the software on these devices is an older version of an open source library that's difficult, if not impossible, to update. Welcome to the Internet of things.

8 Web Security Threats 9. Getting In The Front Door Not all attacks are aimed at breaching a company's defenses. Automated Web bots scrape from Web pages information that can give a competitor better intelligence on your business 10. Recycled threats Many IT security threats are simply recycled to take advantage of lax policies, procedures and staff awareness. While a particular IT security threat may have been the hot topic of a year ago, many staff may have forgotten all about them by now, returning to their risky habits.

9 Threat Mitigation Anti-Virus & Anti Malware - The countermeasures developed for detecting viruses can often detect other forms of malware as well. Deploying antivirus programs on client devices and scanning network traffic as it enters the network are appropriate countermeasures for combating malware. In addition, locking down client devices for example, denying most users the privileges needed to install software or update the Windows registry can prevent the installation of malware that manages to avoid detection. DDoS Defense - There are plenty of DIY solutions to DDoS attacks, but they will be limited in effectiveness by your ability to restrict the right packets of information a tricky task. However, more sophisticated solutions, like Cloud DDoS mitigation, can help scrub the incoming data before it reaches your system, helping to overcome the majority of successful DDoS attacks. Another solution to such network and service level attacks is by hosting your web services on a CDN

10 Threat Mitigation Regular Security Training for all staff - Keep staff regularly updated about the key IT security threats facing your company and remind them of the potential result if they let good habits slip loss of account control and data loss, for example. Adaptive security techniques - Quite simply, do not rely on sandboxing as a silver bullet for negating IT security threats. Yes, it will certainly help to uncover many stealthy attacks and used alongside a good anti-virus it will do a good job of protecting your system. That said, at the end of the day you cannot rely on it completely. Security is a practice not software

11 Web Security Best Practices A challenge faced by many organizations and governments is that most of their websites and web services are developed by third parties, mitigating this risk is difficult given the applications are not developed in-house as such the best mitigation is by enforcing security best practices; 1. Find and prioritize all website properties by designating their importance to the business and the party responsible for their security. Because you can t secure what you don t know you own. 2. Find and fix website vulnerabilities before the bad guys exploit them by assessing them for weaknesses with each code change. 3. Timely remediate vulnerabilities based on severity, threat and score. 4. Implement a secure software development process utilizing an organizational standard development framework. 5. Utilize a defense-in-depth website vulnerability management strategy.

12 Hosting provider Security 1. What is your security policy? 2. How do you handle security breaches? 3. What is the platform under my application? 4. Do you offer SSL (HTTPS)? 5. Do you backup? 6. Who is responsible for installing applications and CMS platforms (e.g. WordPress)? 7. Can I disable applications and services I m not using? 8. Who is responsible for updating applications and software? 9. Do you do any security monitoring? Anti-malware scanning to check for malicious files hosted on your site Web application firewalls (WAF) to filter out malicious attacks against your applications and databases Blacklist monitoring to alert you when a third party detects a compromise 10. How are uploads secured?

13 Brand Risk One of the main purpose of websites is for branding and informational purposes Today websites form a key role in trust building between user and the organization they are interfacing with This trust can be breached when; Information is inaccurate Outdated Offensive Unavailable Hacktivists take advantage of the brand value for dubious gain Demo:

14 Tools Web Application Vulnerability Scanners are the automated tools that scan web applications to look for known security vulnerabilities such as cross-site scripting, SQL injection, command execution, directory traversal and insecure server configuration. AVDS by Beyond Secutiy AppScan by IBM NeXpose by Rapid7 WebApp360 by Tripwire WebInspect by HP

15 Conclusion The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. Provisions in the National Information Security Strategy & Framework pave the way for standardization and application of best practice security implementation. Questions & Answers