Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

2/26/2016
12:00 PM
Ilia Kolochenko
Ilia Kolochenko
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Modern Web Apps: Not The Risk They Used To Be (They’re Worse!)

Even a tiny Web application without a single byte of confidential data can expose your corporate crown jewels to cybercriminals.

The role of a cybersecurity team is to properly implement, maintain, and monitor the efficiency and effectiveness of security controls designed to mitigate security risks defined by management. But, within organizations - there is always a certain amount of permissible --- the so-called residual risks, which ISACA defines as the risk that remains even after implementing a risk response. These are the risks that companies accept to tolerate because of their low level of impact or probability.

Today many large companies seriously underestimate the risks of vulnerable Web applications and move them into the residual risks group, or in the best-case, mitigate only the most critical threats for the most sensitive Web apps. In reality, any insecure Web application is a universal armor-piercer of your corporate defense.

What’s the easiest way to conduct an APT today? Compromise the victim’s website, place an exploit pack on a specific page, and send spear-phishing emails to few employees. In the vast majority of organizations, the corporate website will be whitelisted on many internal security systems, the employees will blindly trust their own website, and then bravely click on the link. Once clicked – the attackers are in your network. There is no need to purchase a one-million-dollar iOS exploit, when you have an insecure Web application and much less expensive Adobe Flash zero-days. Moreover, many companies still fail to update their internal users in a timely manner, and hackers may break in even with a private exploit for a public vulnerability, costing just few thousand dollars on the Dark Web.

Let’s take a look at a few recent cases that led to costly consequences when companies underestimated the risk of compromised Web applications.

Even a single web app can cause serious reputational harm

The hacking of a small Swiss bank last year serves as an unfortunate example of the dangers of underestimating the risks of insecure Web applications. One of the bank’s “insignificant” Web applications was hacked by cybercriminals demanding a ransom. When the bank refused the ransom, cybercriminals published personal data stolen from the website. Even though the majority of the exposed personal records were not from bank customers, the incident made headlines in both international and local media, causing significant reputational damage due to one tiny Web application on a forgotten subdomain.

RBAC, 2FA & change control may not save you

A first hand example I witnessed recently involved a private European clinique, which discovered a large amount of money sent to a forged bank account. Security controls included two-factor authentication (2FA) for external access to the corporate web-based ERP system with RBAC (Role Based Access Control), change control and monitoring. Yet, criminals successfully exploited a zero-day RCE [via local file inclusion] vulnerability in the ERP, located in the area accessible to non-authenticated users.

The hackers gained access to the funds by changing several bank account numbers stored in the RFP financial Wiki, designed for part-time and newly-hired accountants. Because it was a direct modification in the database, change control, implemented on the application level, didn’t trigger any alert. This type of vulnerability (unlike more complicated ones) could have been easily mitigated by a WAF they considered “useless” due to the above-mentioned security controls already in place.

Segregated secure storage may let you down

In another case, one financial institution my colleagues worked with in the past, decided to minimize costs by splitting their Web applications into sensitive and non-sensitive categories. Sensitive apps processed, stored or accepted client-related data, while non-sensitive apps were mainly designed for marketing purposes. Applications were hosted in different physical locations: secure in-house data-center and rented virtual private servers, respectively.

As you might expect, great attention was given to the sensitive apps, while the others were practically abandoned after their average lifecycle of less than a year – for example, a website dedicated to music festival sponsorship). Web developers were using an external backup service to host the code for all web applications under isolated accounts.

Once, one of the developers was debugging the backup for a non-sensitive Web application designed for a charity project. He tried to connect to the backup server with another account of a sensitive Web application. After the backup was finally working, credentials for the sensitive app were left [commented] in the configuration file. Few weeks later, the charity Web application was hacked via a new WordPress vulnerability. Attackers managed to get access to all the files (including the backup config), connect to the backup of the sensitive Web application and extract all source codes and hardcoded databases credentials.

These simple but painful examples are proof positive that even a tiny Web application, with not a single byte of confidential data, may open access to your crown jewels. Companies need to maintain up-to-date inventory of all their websites and Web applications, and pay close attention to every Web application security that is accessible externally. A good place to start is with ISACA’s 10 Important DevOps Controls, and apply the most appropriate ones, such as regular vulnerability scanning, WAF and continuous monitoring, on every externally accessible Web application. 

Related content:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Ilia Kolochenko is a Swiss application security expert and entrepreneur. Starting his career as a penetration tester, Ilia founded High-Tech Bridge to incarnate his application security ideas. Ilia invented the concept of hybrid security assessment for Web applications that ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/29/2016 | 1:46:37 PM
WAF
24% annual growth is large but I have yet to see WAF as a major utilization point. Who are some organizations that have incorporated WAF and outside the obvious what type of functionality does it provide?
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/29/2016 | 1:42:32 PM
serious reputational harm
Its difficult to associate a monetary value to reputational harm but trust me when I say even though the calculation between repurational harm and montery cost is difficult, the correlation between reputational harm and cost is present.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internet—and What Your Organization Can Do About It
The Threat from the Internet—and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15564
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash because of a missing alignment check in VCPUOP_register_vcpu_info. The hypercall VCPUOP_register_vcpu_info is used by a guest to register a shared region with the hypervisor. The region will be map...
CVE-2020-15565
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs....
CVE-2020-15566
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handling in event-channel port allocation. The allocation of an event-channel port may fail for multiple reasons: (1) port is already in use, (2) the memory allocation failed, o...
CVE-2020-15567
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE. When mapping guest EPT (nested paging) tables, Xen would in some circumstances use a series of non-atomic bitfield writes...
CVE-2020-15563
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash. An inverted conditional in x86 HVM guests' dirty video RAM tracking code allows such guests to make Xen de-reference a pointer guaranteed to point at unmapped space. A malicious or buggy HVM g...