Attacks/Breaches
3/7/2014
01:40 PM
Garret Grajek
Garret Grajek
Commentary
Connect Directly
LinkedIn
Google+
RSS
E-Mail
50%
50%

The Case For Browser-Based Access Controls

Is "browser-ized" security a better defense against hackers than traditional methods? Check out these two examples.

It’s apparent that network access is a hacker’s preferred point of attack. Just look at recent hacks, and to others as far back as the 2011 RSA breach. You'll see that the complexities and nuances of each network deployment simply encourage hackers. In fact, improper network segmentation is believed to be one of the primary factors in the Target HVAC breach.

Should we be giving network access to all these users? Of course not.  

Since the advent of browser-based information sharing, the need to allow full network access has incrementally decreased every year. Full network connectivity to various administrators, workers, and contractors is not only unnecessary today, it is downright dangerous.  

Security-wise, there is much that can be delivered today via the prism of an app, including browser-based apps. Take, for example, Google, which is doing a pretty good job with Google Apps teaching the world that a browser can accomplish a lot more than just sending emails and sharing pictures of cats.

Think about it. When was the last time a bank gave you network access to retrieve information on your bank account? What is standard practice to secure enterprise data in banking today is to “browser-ize” it by:

  • Hardening the web server
  • Conducting code scans
  • Filtering for known L7 attacks (cross-site scripting, etc.)
  • Securing the credential collection forms
  • Applying two-factor access controls

Once the enterprise data is put behind a quantifiable prism (which is the functionality that browsers perform), we can discern what information is being delivered to the user, such as which data stores the app is allowed to see, the roles, permissions, and authorization the app is allowed to see, and the security mechanisms the user should accomplish to achieve access.

Case in point: healthcare
Recently I was working on a project where foreign contractors were initially granted network access to manage the final leg of healthcare data processing. The enterprise auditors came in and flagged the network access as a violation of Personal Healthcare Information (PHI) access regulations. The solution? We created a web form that allowed offshore contractors to view the data they were allowed to see, and then submit an approval in accordance to the guidelines set forth by the enterprise. Most importantly, these contractors were granted no network access and thus had no visibility to the full set of PHI data.

In this case, once access was given to the user, modern L7 (web session) methods could be utilized to automate the authentication process via other web-based resources. For example, the SSO that provides information from one resource to the next can be intelligently conducted with access controls, including re-checking of group membership and re-verification of authorization. Mechanisms such as re-authentication with second factor on a timed basis, or step-up authentication for more access to the portal can also be inserted along with device registration and device inspection.

Mobile apps can also foil hackers
Mobile apps can serve the same functionality as the browser-based app, effectively quantifying both the user access and the data access in a single, functional prism of view. The mobile browser app can have similar control mechanisms, including device registration, two-factor, and host-inspection analytics. Additional mobile centric authentication can also be used, such as PUSH technology and Smart Card/NFC identification.

By restricting access to a web or mobile app or a set of web/mobile apps via a portal, enterprises can itemize and restrict:

  • Which users (or groups) get access
  • What type of authentication is required
  • What resources to which the users can have access
  • What data these resources are accessing

What’s more --  all of this access is logged, with access controls pre-determined and approved by the security, infrastructure, and yes, the network team.

Garret Grajek is a CISSP-certified security engineer with more than 20 years of experience in the information security and authentication space. As Chief Technical Officer and Chief Operating Officer for SecureAuth Corp., Garret is responsible for the company's identity ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon2505142574
50%
50%
anon2505142574,
User Rank: Apprentice
3/14/2014 | 10:27:47 AM
Browser Based Contrrols
It's a lot easier to insure a form-collection page/mobile app is secure - than to insure that proper network access controls are implemented across all sector  (Wifi, Lan, remote access, etc) of your network. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/13/2014 | 12:19:27 PM
Interesting example form healthcare
Garret, I'm curious to know how common is the strategy you described where offshore contractors were able to view data via a web form with no actual network access. 

 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.