Application Risk Assessments
One of the most critical sources of risk to organizations today resides within their Web servers. This is because Web servers and applications expose internal systems and information to suppliers, partners, and customers.
Performing a security risk assessment and implementing adequate security risk management policies in this area can be critical. Compromised Web servers can damage organizations in many ways, from surrendering customer privacy data and accepting fraudulent transactions to indirectly damaging corporate reputation as the result of a defaced homepage.
While it may seem that a myriad of bad things can happen as the result of a million different vulnerabilities, we can succinctly categorize the core ‘points of pain’ to be addressed in your Web security risk management plan in a few primary areas:
Web servers often are installed with default configurations that may not be secure. These insecurities include unnecessary samples and templates, administrative tools, and predictable locations of utilities used to manage servers.
User input validation
Web sites and applications need to be interactive in order to be useful. However, Web applications that do not sufficiently validate user input allow attackers to directly attack the Web server and its sensitive databases. Unvalidated input is the root cause of many of the most common attacks.
It is a sad fact that although modern encryption algorithms are virtually unbreakable, they are underutilized. In years past, performance considerations were cited as a factor in limited usage of encryption. However, today’s high-performing CPUs and specialized cryptographic accelerators have broken down the price/performance barriers related to encryption. The issue with limited encryption has more to do with poor application design and a lack of awareness among developers.
Another factor one should consider when developing a security risk management plan is that many Web applications do a poor job of managing unique user sessions. This can include using weak authentication methods, poor cookie management, failure to create session timeouts, and other session weaknesses. This often leads to session hijacking and other compromises of legitimate user identities.
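The session weaknesses listed above (no timeouts, weak cookie handling, reusable identifiers) can be addressed in a small server-side session store. The following is an added example, not code from the original page: it issues a fresh unguessable token on every login, sets the cookie with Secure, HttpOnly and SameSite attributes, and enforces both an idle timeout and an absolute lifetime. The timeout values and the injectable clock are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard lifetime regardless of activity


@dataclass
class Session:
    user: str
    created: float    # when the session was issued
    last_seen: float  # last request that used it


class SessionStore:
    """Server-side session store: the cookie carries only an opaque random token."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be tested deterministically

    def login(self, user):
        # A new random token on every login: a pre-login identifier is never promoted,
        # which closes the session-fixation route to hijacking.
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[token] = Session(user, t, t)
        return token

    def cookie_header(self, token):
        # Secure: sent over HTTPS only. HttpOnly: unreadable by page script.
        # SameSite=Strict: not attached to cross-site requests.
        return f"Set-Cookie: sid={token}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def lookup(self, token):
        """Return the user for a valid session, or None if unknown or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]  # expired sessions are removed, not left usable
            return None
        s.last_seen = t
        return s.user

    def logout(self, token):
        # Invalidate server-side; clearing the browser cookie alone is not enough.
        self._sessions.pop(token, None)
```

Calling `login` again after a privilege change (for example, a password reset) gives the same rotation benefit as at initial login.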
Failure to implement security risk management policies that keep Web servers updated with the latest vendor patches, as well as neglecting to perform continued testing of proprietary Web applications, creates additional risk.
All of these major problems usually result from a lack of due care within the Web application development and maintenance processes. In organizations where security is not ‘baked in’ to both the business planning and application development processes, there can be an appalling lack of awareness of the need to incorporate security best practices from day one. This is a dangerous situation, and the consequences of this general lack of awareness about the risks associated with Web servers and applications are evident in the weekly headlines reporting stolen consumer and corporate information.
The best way to avoid such disasters is to establish an ongoing security risk management process that begins with quantifying the value of Web applications, as well as the data they manage, through a complete security risk assessment. Organizations then must continuously identify and mitigate the vulnerabilities and risks associated with those systems from the beginning and throughout their lifecycle: from development through production.
This approach to security risk management—consistently performing a security risk assessment, then identifying and remedying vulnerabilities by correcting application development errors, applying security patches, and fixing system misconfigurations—will lead organizations to continuous improvement of their business-technology infrastructure and a thorough reduction of risk.
Why use a CI/SO Services Company?
While a presence on the web is an essential part of doing business in this century, that requirement comes neither cheaply nor without risk. As can be seen in the following list of the Top Ten Cyber Security Menaces for 2008 from the SANS Institute, organizations of all sizes bear a major burden of responsibility to be diligent about managing their assets.
Top Ten Cyber Security Menaces for 2008
Twelve cyber security veterans, with significant knowledge about emerging attack patterns, worked together to compile a list of the attacks most likely to cause substantial damage during 2008. Participants included Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller. Here's their consensus list in ranked order:
1. Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities - Especially On Trusted Web Sites
2. Increasing Sophistication And Effectiveness In Botnets
3. Cyber Espionage Efforts By Well Resourced Organizations Looking To Extract Large Amounts Of Data - Particularly Using Targeted Phishing
4. Mobile Phone Threats, Especially Against iPhones And Android-Based Phones; Plus VOIP
5. Insider Attacks
6. Advanced Identity Theft from Persistent Bots
7. Increasingly Malicious Spyware
8. Web Application Security Exploits
9. Increasingly Sophisticated Social Engineering Including Blending Phishing with VOIP and Event Phishing
10. Supply Chain Attacks Infecting Consumer Devices (USB Thumb Drives, GPS Systems, Photo Frames, etc.) Distributed by Trusted Organizations