Security by Design
Improving Web Application Security
When you hear talk about Web application security, there is a tendency to immediately think about attackers defacing Web sites, stealing credit card numbers, and bombarding Web sites with denial of service attacks. You might also think about viruses, Trojan horses, and worms. These are the types of problems that receive the most press because they represent some of the most significant threats faced by today’s Web applications.
These are only some of the problems. Other significant problems are frequently overlooked. Internal threats posed by rogue administrators, disgruntled employees, and the casual user who mistakenly stumbles across sensitive data pose significant risk. The biggest problem of all may be ignorance.
The solution to Web application security is more than technology. It is an ongoing process involving people and practices.
What Is Meant By Security?
Security is fundamentally about protecting assets. Assets may be tangible items, such as a Web page or your customer database or they may be less tangible, such as your company’s reputation.
Security is a path, not a destination. As you analyze your infrastructure and applications, you identify potential threats and understand that each threat presents a degree of risk.
Security is about risk management and implementing effective countermeasures.
Categories of Attackers
Any attacks that come from an IP address external to a customer’s network.
♦ Inadvertent Actor
Any attack or suspicious activity coming from an IP address inside a customer network that is allegedly being executed without the knowledge of the user.
♦ Malicious Insiders
Any attacks that come from an IP address internal to a customer’s network.
Security events that have been identified by correlation and analytics tools as malicious activity attempting to collect, disrupt, deny, degrade, or destroy information system resources or the information itself. Security events such as SQL Injection, URL tampering, denial of service, and spear phishing fall into this category.
♦ Opportunistic Attacks
An opportunistic attack is one in which the attacker targets many different parties using one or more generic attack methods, in the hope that some of them will be vulnerable. In an opportunistic attack the attacker has a large number of targets and cares less about who the victim is than about how many victims there are.
♦ Targeted Attacks
A targeted attack is one that has been aimed at a specific user, company or organization. These attacks are not as widespread, but rather are designed to attack and breach a specific target.
A targeted attack is much more effective and damaging for the victim since the actions performed by the malicious hacker are tailored. This means that it is much more difficult to stop a targeted attack than an opportunistic one simply because the attacks themselves are not general.
Types of Network Incidents
Sustained probes and scans are typically used to search for potential targets, enabling attackers to see where and when to unleash malicious code.
♦ Malicious Code
Third party software, Trojan software, spear phishing, keyloggers and droppers.
Malicious code also includes First and Second Order SQL Injection attacks.
♦ Denial of Service
Attempts to flood a server or network with large amounts of traffic or malicious traffic so that it renders the service unable to perform its designed function.
♦ Access or Credentials Abuse
Activity that violates the known use policy of the network or falls outside of what is considered authorized, typical usage.
♦ Suspicious Activity
Attempts to access a system by a user or users who do not have access.
♦ Unauthorized Access
Incidents include suspicious activity on a system or failed attempts to access a system by a user or users who do not have access.
There Are a Variety of Processes Related to Server Configuration, Session Management, and Applications Themselves Which are Vulnerable to Attack
Authentication is the process of uniquely identifying the clients of your applications and services. These might be end users, other services, processes, or computers. In security parlance, authenticated clients are referred to as principals.
Two of the most common issues affecting web application authentication are those of Concurrent Authentication Sessions and Weak Password Policies.
Authorization is the process that governs the resources and operations that the authenticated client is permitted to access. Resources include files, databases, tables, rows, and so on, together with system-level resources such as registry keys and configuration data. Operations include performing transactions such as purchasing a product, transferring money from one account to another, or increasing a customer’s credit rating.
Unauthorized access to resources is accomplished through Parameter Manipulation or Forced Browsing. Additional vulnerabilities exist in the form of social engineering attacks, including Clickjacking and Cross Site Request Forgery (CSRF).
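As an added example (not code from the original page), the two authorization failures named above can be closed with an explicit, deny-by-default route table (against forced browsing) and a server-side ownership check on the resource id taken from the request (against parameter manipulation). All names and the in-memory data are hypothetical and constructed for the example.

```python
# Added example (not from the original page): authorization checks that defeat
# parameter manipulation and forced browsing. Names are hypothetical; the
# account table and route table are constructed in-memory data.
from dataclasses import dataclass

# Constructed sample data: account rows keyed by account id.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250},
    "1002": {"owner": "bob", "balance": 9000},
}

# Explicit route table: every URL path lists the roles allowed to reach it.
# A path that is not listed is denied, so an "unlinked" admin page cannot be
# reached simply by guessing its URL (forced browsing).
ROUTES = {
    "/account": {"user", "admin"},
    "/admin/users": {"admin"},
}

@dataclass
class Principal:
    name: str
    role: str

def can_browse(principal, path):
    """Deny by default: only paths listed for the principal's role are reachable."""
    return principal.role in ROUTES.get(path, set())

def view_account(principal, params):
    """Serve /account?id=... only if the caller owns the requested account.
    The id arrives from the client and must never be trusted on its own."""
    if not can_browse(principal, "/account"):
        return 403, "forbidden"
    acct = ACCOUNTS.get(params.get("id", ""))
    # Ownership check: the server-side owner field decides, not the client.
    if acct is None or (acct["owner"] != principal.name and principal.role != "admin"):
        # Same response for "missing" and "not yours", so account ids cannot
        # be enumerated by watching for a different error.
        return 404, "not found"
    return 200, acct["balance"]
```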
From a security perspective, availability means that systems remain available for legitimate users. The goal for many attackers with denial of service attacks is to crash an application or to make sure that it is sufficiently overwhelmed so that other users cannot access the application.
Confidentiality, also referred to as privacy, is the process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized users or eavesdroppers who monitor the flow of traffic across a network. Encryption is frequently used to enforce confidentiality.
Encryption protocols describe how algorithms should be used. For instance, the SSL protocol negotiates the encryption parameters for both the link and the data being transmitted.
Weak SSL protocol versions and ciphers allow attackers to undermine the encryption that is supposed to protect the traffic.
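As an added example (not code from the original page), the following builds a server TLS context that refuses the weak protocol versions and ciphers the paragraph warns about, and an audit routine that reports such weaknesses in any context. It uses only the Python standard library; the version floor and the cipher list are this example's own choices, not a recommendation from the page.

```python
# Added example (not from the original page): a hardened TLS server context and
# an audit function for weak protocol versions and ciphers. Standard library
# only; the cipher string and TLS 1.2 floor are this example's assumptions.
import ssl

# Substrings that identify cipher suites a modern deployment should not offer.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ANON")

def audit_context(ctx):
    """Return a list of findings for a TLS context; an empty list means none found."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version too low: {ctx.minimum_version.name}")
    for cipher in ctx.get_ciphers():
        name = cipher["name"].upper()
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {cipher['name']}")
    return findings

def hardened_server_context():
    """Server-side context: TLS 1.2 as the floor, forward-secret AEAD ciphers only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE gives forward secrecy; AES-GCM and ChaCha20-Poly1305 are AEAD ciphers.
    # Anonymous, NULL-encryption and MD5-based suites are excluded explicitly.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    # In a real server the certificate and key are loaded here with
    # ctx.load_cert_chain(certfile, keyfile).
    return ctx
```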
Integrity is the guarantee that data is protected from accidental or deliberate (malicious) modification. Like privacy, integrity is a key concern, particularly for data passed across networks. Integrity for data in transit is typically provided by using hashing techniques and message authentication codes.
♦ Information Leakage
Information leakage here describes leakage of information by the application itself rather than by the server software (such cases are categorized as Server Configuration issues). The most common leakage vulnerability is that of revealing user error messages. One common example is a login page that returns an error message revealing that a particular user does not exist; an attacker could exploit this to enumerate valid usernames. Other leakage vulnerabilities affecting a large proportion of applications, and which can be significant on a shared computer, include failing to disable auto-completion for sensitive form fields and allowing authenticated pages to be cached.
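As an added example (not code from the original page), here is the username-enumeration leak described above beside a hardened login that returns one generic message and performs the same amount of password-hashing work whether or not the user exists, so neither the message nor the response time reveals which case occurred. Names are hypothetical and the user table is constructed for the example.

```python
# Added example (not from the original page): a leaky login beside a hardened
# one. Names are hypothetical; the user table is constructed for the example.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for the example

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user table: username -> (salt, PBKDF2 hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# A dummy record used when the username does not exist, so the verification
# work (and therefore the response time) matches that of a real user.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)

def login_leaky(username, password):
    """Vulnerable form: the message tells the caller whether the user exists,
    and the unknown-user path returns without doing any hashing at all."""
    if username not in USERS:
        return "unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "wrong password"
    return "ok"

def login_safe(username, password):
    """Hardened form: one generic message and a constant amount of work."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    valid = hmac.compare_digest(hash_password(password, salt), stored)
    # Discard the comparison result for a nonexistent user even if the
    # supplied password happened to match the dummy record.
    if username not in USERS or not valid:
        return "invalid username or password"
    return "ok"
```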
♦ Input Validation
Input validation refers to the process of validating all the input to an application before using it.
The most prevalent vulnerability identified within this category is that of Cross-site Scripting (XSS), a class of vulnerability that could be used by an attacker for various purposes, including hijacking authenticated sessions belonging to other users.
♦ Session Management
A classic error is not setting the appropriate cookie flags (HttpOnly and Secure) when required. Additionally, many applications allow a session to be ported from one computer to another. If this is prevented, session hijacking can be drastically reduced.
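As an added example (not code from the original page), the following audits Set-Cookie headers for the two flags named above, issues a session cookie that carries them, and keeps a session store that rejects a session id presented from a client other than the one that created it. Binding a session to the client address and User-Agent is one way of preventing the session porting the paragraph describes; it is this example's assumption, not the page's. Names and the sample headers are hypothetical and constructed.

```python
# Added example (not from the original page): a Set-Cookie flag audit plus a
# session store bound to the originating client. Names are hypothetical and
# the sample headers are constructed for the example.
import secrets

REQUIRED_FLAGS = ("HttpOnly", "Secure")

def audit_set_cookie(header):
    """Return the required flags missing from one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    # Attribute names after the cookie pair itself, compared case-insensitively.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f for f in REQUIRED_FLAGS if f.lower() not in attrs]

def issue_session_cookie(session_id):
    """Build a Set-Cookie value that passes the audit above."""
    return f"SESSIONID={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"

class SessionStore:
    """Binds each session to the client address and User-Agent that created it,
    so a cookie replayed from another computer is rejected and revoked."""
    def __init__(self):
        self._sessions = {}

    def create(self, user, client_addr, user_agent):
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[sid] = (user, client_addr, user_agent)
        return sid

    def resolve(self, sid, client_addr, user_agent):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, bound_addr, bound_ua = entry
        if (bound_addr, bound_ua) != (client_addr, user_agent):
            # Presented from a different client: invalidate the session rather
            # than let the ported copy continue.
            del self._sessions[sid]
            return None
        return user

# Constructed sample headers as a scanner might capture them.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",
    "SESSIONID=def456; Path=/; HttpOnly; Secure",
]
```

Binding to the client address can log out legitimate users whose address changes (mobile networks, proxies), so deployments often bind to a narrower fingerprint or require re-authentication instead of revoking outright.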
♦ Server Configuration
Server configuration issues have consistently accounted for the most vulnerabilities. Revealing HTTP headers, system error messages, and a lack of search index protection are generally classified as low impact issues. However, the use of vulnerable software versions could potentially have more serious consequences for an organization.
Whether You Are an Individual or Small Business, or a Larger Corporate, Reducing Your Attack Surface is a Primary Security Concern
♦ Analysis & Guidance
Policy development based on benchmark data that compares your privacy and data protection practices to others in a comparable industry.
Determine how your privacy and data protection program should be structured and staffed.
The development of a data classification schema to assist you in understanding potential business and regulatory risks.
Although the preferred policy is to build in security from the beginning, and then to implement services, we can audit infrastructure and existing applications and effect security solutions.
Secure Socket Layer, or SSL, is a technology that encrypts customer information from the time it is entered on the website and protects it as it travels to the server. Web browsers check a website's SSL certificate and display a warning if a site lacks one.
An important element of website security analysis is analyzing website password policy. When users sign up on a website, they provide their email addresses, usernames, and passwords. The passwords should conform to the website password policy, which refers to a set of rules set up by websites to ensure password security. For example, websites may require users to set passwords with a minimum number of letters or numbers. Some websites have a lockout threshold that blocks users who try to log in to the site with incorrect passwords.
♦ Multiple Protection Points
Modern hackers use advanced tools such as Trojan horses and advanced spyware programs to steal or damage data in private and public networks. Website security analysis audits data protection methods used in websites and helps to develop multiple data protection systems to deter unauthorized access.
♦ Server Firewall
Another significant component of website security is a properly configured server firewall. In addition to the basic packet filtering component of a firewall, other features can be employed to enhance your overall security profile. These can include login authentication, process tracking, directory watching, port flood protection, connection limit protection, proxy-server architectures, Port/IP address redirection and network address translation.
Effective auditing and logging is the key to non-repudiation. Non-repudiation guarantees that a user cannot deny performing an operation or initiating a transaction. For example, in an e-commerce system, non-repudiation mechanisms are required to make sure that a consumer cannot deny ordering 100 copies of a particular book.
♦ Server Hardening
Because a web server is often placed at the edge of the network, it is one of the most vulnerable services to attack. Therefore, it’s vital to configure and compile the web server with a focus on security. Disabling unnecessary modules and reconfiguring default settings, along with custom configurations and authentications provides a framework to avoid being compromised.
Apate can assist you in the development of a strategic vision for privacy and data protections.