Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

2/26/2016
12:00 PM
Ilia Kolochenko
Ilia Kolochenko
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Modern Web Apps: Not The Risk They Used To Be (They’re Worse!)

Even a tiny Web application without a single byte of confidential data can expose your corporate crown jewels to cybercriminals.

The role of a cybersecurity team is to properly implement, maintain, and monitor the efficiency and effectiveness of security controls designed to mitigate security risks defined by management. But, within organizations - there is always a certain amount of permissible --- the so-called residual risks, which ISACA defines as the risk that remains even after implementing a risk response. These are the risks that companies accept to tolerate because of their low level of impact or probability.

Today many large companies seriously underestimate the risks of vulnerable Web applications and move them into the residual risks group, or in the best-case, mitigate only the most critical threats for the most sensitive Web apps. In reality, any insecure Web application is a universal armor-piercer of your corporate defense.

What’s the easiest way to conduct an APT today? Compromise the victim’s website, place an exploit pack on a specific page, and send spear-phishing emails to few employees. In the vast majority of organizations, the corporate website will be whitelisted on many internal security systems, the employees will blindly trust their own website, and then bravely click on the link. Once clicked – the attackers are in your network. There is no need to purchase a one-million-dollar iOS exploit, when you have an insecure Web application and much less expensive Adobe Flash zero-days. Moreover, many companies still fail to update their internal users in a timely manner, and hackers may break in even with a private exploit for a public vulnerability, costing just few thousand dollars on the Dark Web.

Let’s take a look at a few recent cases that led to costly consequences when companies underestimated the risk of compromised Web applications.

Even a single web app can cause serious reputational harm

The hacking of a small Swiss bank last year serves as an unfortunate example of the dangers of underestimating the risks of insecure Web applications. One of the bank’s “insignificant” Web applications was hacked by cybercriminals demanding a ransom. When the bank refused the ransom, cybercriminals published personal data stolen from the website. Even though the majority of the exposed personal records were not from bank customers, the incident made headlines in both international and local media, causing significant reputational damage due to one tiny Web application on a forgotten subdomain.

RBAC, 2FA & change control may not save you

A first hand example I witnessed recently involved a private European clinique, which discovered a large amount of money sent to a forged bank account. Security controls included two-factor authentication (2FA) for external access to the corporate web-based ERP system with RBAC (Role Based Access Control), change control and monitoring. Yet, criminals successfully exploited a zero-day RCE [via local file inclusion] vulnerability in the ERP, located in the area accessible to non-authenticated users.

The hackers gained access to the funds by changing several bank account numbers stored in the RFP financial Wiki, designed for part-time and newly-hired accountants. Because it was a direct modification in the database, change control, implemented on the application level, didn’t trigger any alert. This type of vulnerability (unlike more complicated ones) could have been easily mitigated by a WAF they considered “useless” due to the above-mentioned security controls already in place.

Segregated secure storage may let you down

In another case, one financial institution my colleagues worked with in the past, decided to minimize costs by splitting their Web applications into sensitive and non-sensitive categories. Sensitive apps processed, stored or accepted client-related data, while non-sensitive apps were mainly designed for marketing purposes. Applications were hosted in different physical locations: secure in-house data-center and rented virtual private servers, respectively.

As you might expect, great attention was given to the sensitive apps, while the others were practically abandoned after their average lifecycle of less than a year – for example, a website dedicated to music festival sponsorship). Web developers were using an external backup service to host the code for all web applications under isolated accounts.

Once, one of the developers was debugging the backup for a non-sensitive Web application designed for a charity project. He tried to connect to the backup server with another account of a sensitive Web application. After the backup was finally working, credentials for the sensitive app were left [commented] in the configuration file. Few weeks later, the charity Web application was hacked via a new WordPress vulnerability. Attackers managed to get access to all the files (including the backup config), connect to the backup of the sensitive Web application and extract all source codes and hardcoded databases credentials.

These simple but painful examples are proof positive that even a tiny Web application, with not a single byte of confidential data, may open access to your crown jewels. Companies need to maintain up-to-date inventory of all their websites and Web applications, and pay close attention to every Web application security that is accessible externally. A good place to start is with ISACA’s 10 Important DevOps Controls, and apply the most appropriate ones, such as regular vulnerability scanning, WAF and continuous monitoring, on every externally accessible Web application. 

Related content:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Ilia Kolochenko is a Swiss application security expert and entrepreneur. Starting his career as a penetration tester, Ilia founded High-Tech Bridge to incarnate his application security ideas. Ilia invented the concept of hybrid security assessment for Web applications that ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/29/2016 | 1:46:37 PM
WAF
24% annual growth is large but I have yet to see WAF as a major utilization point. Who are some organizations that have incorporated WAF and outside the obvious what type of functionality does it provide?
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/29/2016 | 1:42:32 PM
serious reputational harm
Its difficult to associate a monetary value to reputational harm but trust me when I say even though the calculation between repurational harm and montery cost is difficult, the correlation between reputational harm and cost is present.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11976
PUBLISHED: 2020-08-11
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5
CVE-2020-13179
PUBLISHED: 2020-08-11
Broker Protocol messages in Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows prior to 20.04.1 are not cleaned up in server memory, which may allow an attacker to read confidential information from a memory dump via forcing a crashing during the single sign-on procedure.
CVE-2020-8918
PUBLISHED: 2020-08-11
An improperly initialized 'migrationAuth' value in Google's go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both 'encUsageAuth' and 'encMigrationAuth'...
CVE-2020-9244
PUBLISHED: 2020-08-11
HUAWEI Mate 20 versions Versions earlier than 10.1.0.160(C00E160R3P8);HUAWEI Mate 20 Pro versions Versions earlier than 10.1.0.270(C431E7R1P5),Versions earlier than 10.1.0.270(C635E3R1P5),Versions earlier than 10.1.0.273(C636E7R2P4);HUAWEI Mate 20 X versions Versions earlier than 10.1.0.160(C00E160R...
CVE-2020-9403
PUBLISHED: 2020-08-11
In PACTware before 4.1 SP6 and 5.x before 5.0.5.31, passwords are stored in a recoverable format, and may be retrieved by any user with access to the PACTware workstation.