Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

2/26/2016
12:00 PM
Ilia Kolochenko
Ilia Kolochenko
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Modern Web Apps: Not The Risk They Used To Be (Theyre Worse!)

Even a tiny Web application without a single byte of confidential data can expose your corporate crown jewels to cybercriminals.

The role of a cybersecurity team is to properly implement, maintain, and monitor the efficiency and effectiveness of security controls designed to mitigate security risks defined by management. But, within organizations - there is always a certain amount of permissible --- the so-called residual risks, which ISACA defines as the risk that remains even after implementing a risk response. These are the risks that companies accept to tolerate because of their low level of impact or probability.

Today many large companies seriously underestimate the risks of vulnerable Web applications and move them into the residual risks group, or in the best-case, mitigate only the most critical threats for the most sensitive Web apps. In reality, any insecure Web application is a universal armor-piercer of your corporate defense.

What’s the easiest way to conduct an APT today? Compromise the victim’s website, place an exploit pack on a specific page, and send spear-phishing emails to few employees. In the vast majority of organizations, the corporate website will be whitelisted on many internal security systems, the employees will blindly trust their own website, and then bravely click on the link. Once clicked – the attackers are in your network. There is no need to purchase a one-million-dollar iOS exploit, when you have an insecure Web application and much less expensive Adobe Flash zero-days. Moreover, many companies still fail to update their internal users in a timely manner, and hackers may break in even with a private exploit for a public vulnerability, costing just few thousand dollars on the Dark Web.

Let’s take a look at a few recent cases that led to costly consequences when companies underestimated the risk of compromised Web applications.

Even a single web app can cause serious reputational harm

The hacking of a small Swiss bank last year serves as an unfortunate example of the dangers of underestimating the risks of insecure Web applications. One of the bank’s “insignificant” Web applications was hacked by cybercriminals demanding a ransom. When the bank refused the ransom, cybercriminals published personal data stolen from the website. Even though the majority of the exposed personal records were not from bank customers, the incident made headlines in both international and local media, causing significant reputational damage due to one tiny Web application on a forgotten subdomain.

RBAC, 2FA & change control may not save you

A first hand example I witnessed recently involved a private European clinique, which discovered a large amount of money sent to a forged bank account. Security controls included two-factor authentication (2FA) for external access to the corporate web-based ERP system with RBAC (Role Based Access Control), change control and monitoring. Yet, criminals successfully exploited a zero-day RCE [via local file inclusion] vulnerability in the ERP, located in the area accessible to non-authenticated users.

The hackers gained access to the funds by changing several bank account numbers stored in the RFP financial Wiki, designed for part-time and newly-hired accountants. Because it was a direct modification in the database, change control, implemented on the application level, didn’t trigger any alert. This type of vulnerability (unlike more complicated ones) could have been easily mitigated by a WAF they considered “useless” due to the above-mentioned security controls already in place.

Segregated secure storage may let you down

In another case, one financial institution my colleagues worked with in the past, decided to minimize costs by splitting their Web applications into sensitive and non-sensitive categories. Sensitive apps processed, stored or accepted client-related data, while non-sensitive apps were mainly designed for marketing purposes. Applications were hosted in different physical locations: secure in-house data-center and rented virtual private servers, respectively.

As you might expect, great attention was given to the sensitive apps, while the others were practically abandoned after their average lifecycle of less than a year – for example, a website dedicated to music festival sponsorship). Web developers were using an external backup service to host the code for all web applications under isolated accounts.

Once, one of the developers was debugging the backup for a non-sensitive Web application designed for a charity project. He tried to connect to the backup server with another account of a sensitive Web application. After the backup was finally working, credentials for the sensitive app were left [commented] in the configuration file. Few weeks later, the charity Web application was hacked via a new WordPress vulnerability. Attackers managed to get access to all the files (including the backup config), connect to the backup of the sensitive Web application and extract all source codes and hardcoded databases credentials.

These simple but painful examples are proof positive that even a tiny Web application, with not a single byte of confidential data, may open access to your crown jewels. Companies need to maintain up-to-date inventory of all their websites and Web applications, and pay close attention to every Web application security that is accessible externally. A good place to start is with ISACA’s 10 Important DevOps Controls, and apply the most appropriate ones, such as regular vulnerability scanning, WAF and continuous monitoring, on every externally accessible Web application. 

Related content:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Ilia Kolochenko is a Swiss application security expert and entrepreneur. Starting his career as a penetration tester, Ilia founded High-Tech Bridge to incarnate his application security ideas. Ilia invented the concept of hybrid security assessment for Web applications that ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/29/2016 | 1:46:37 PM
WAF
24% annual growth is large but I have yet to see WAF as a major utilization point. Who are some organizations that have incorporated WAF and outside the obvious what type of functionality does it provide?
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/29/2016 | 1:42:32 PM
serious reputational harm
Its difficult to associate a monetary value to reputational harm but trust me when I say even though the calculation between repurational harm and montery cost is difficult, the correlation between reputational harm and cost is present.
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .