A vulnerable web application is one of the greatest gifts a company can leave for hackers, as it significantly reduces the time, cost and effort needed to get into the corporate network. So why do companies fail to secure their web apps?
There are many ways hackers can get at your website and data, but in many of the most recent major data breaches the common weak link has been a vulnerable web application. Despite that, many companies still underestimate the importance of web application security in their cybersecurity and risk management strategy.
According to PwC’s Global State of Information Security Survey 2016, in 2015 companies detected 38 percent more security incidents than in 2014. Risk Based Security Q3 2015 Data Breach Report highlights a 29 percent increase in the number of incidents reported compared to last year, and a 40 percent increase in the number of incidents exposing 1 million or more records.
Today, the vast majority of Advanced Persistent Threats (APTs) gain their first foothold inside target companies by sending a few emails. Ten years ago, many people would readily click on any link in an email or open an .exe file from an attachment. Today, users are much better educated, and this is why modern APTs start with your corporate website, even if it holds no sensitive information and is hosted on the other side of the world.
Instead of sending you a link to a phishing domain (e.g. one with a typo), or to a newly registered website in a shady TLD zone that your corporate email gateway will quite probably block on the fly, attackers would rather send you a link to… your own website.
First of all, hackers will compromise your corporate website or one of your web applications (e.g. on a subdomain or a different domain your company owns). As many companies still believe that their websites do not deserve more sophisticated protection than automated vulnerability scanning and a WAF, attackers will probably get in within a couple of hours or even quicker.
Once your website is under their control, attackers will create a legitimate-looking page on it that resembles any other page on your website, with similar content, leaving you none the wiser when you visit it. Attackers will host a recent exploit pack on the page; even the most expensive of these would cost them just a few thousand dollars on the black market. Hackers do not even need expensive zero-days: a Verizon report says that 99.9 percent of exploited vulnerabilities in 2014 were publicly disclosed more than a year prior to exploitation.
Finally, an email will arrive from a legitimate-looking address on a legitimate domain, from a person you may have briefly met in the past, and will contain a link to your own [authentic] website, which is quite probably whitelisted in your corporate IPS/IDS. The content of the email will be relevant enough to encourage you to click on the link in nine out of 10 cases. Once clicked, one of the recent vulnerabilities in your browser, its plugins or components (e.g. Flash) will be exploited to execute arbitrary code – quite probably successfully. Now your machine is under the attacker’s control. A local privilege escalation exploit will help to gain local admin rights, and the intrusion will spread to all available machines and hosts in the same segment of your local network (if your network is segmented, of course).
Further intrusion into your corporate network will quite probably be quick and easy, as internal penetration testing is often considered “useless” or economically unjustified – fair enough, but only if you don’t let attackers into your network from the outside and have properly implemented patch management (including patches for third-party software), access control and user segregation.
But let’s come back to the entry point of the attack: the insecure web application.
Here are the five most common reasons why almost any website or web application today can be so easily compromised:
- Underestimation of risks and threats related to insecure web applications
Many large companies and international organizations still seriously underestimate the value of their web applications, and treat their security as the lowest priority in their risk management. And I am not even speaking about complicated SSRF or application logic flaws, but about at least proper detection and remediation of OWASP Top Ten vulnerabilities. As we can see from the beginning of this article, companies just don’t realize that a vulnerable website is a perfect vector to start an APT without spending much money on it.
- Lack of continuous monitoring
Web technologies are constantly evolving, and what is secure today may become vulnerable tonight. Therefore, a quarterly scan and an annual pen test to achieve PCI DSS compliance are not enough anymore to stay ahead of hackers. Many companies do not perceive web application security as a continuous process, but rather as a one-time audit, putting their web infrastructure and related back-end at critical risk.
- Missing or poorly-implemented Secure Software Development Life Cycle (S-SDLC)
In spite of the plethora of guidelines and standards for secure software development in existence today, many companies still ignore them due to the high complexity or expense of implementation. The situation is even worse in companies where software development teams have existed for years, as any change to well-established [but insecure] procedures will be met with hostility: nobody wants to spend additional time on software security if not paid additionally for it.
- Dominance of business needs over security processes
Data breaches via insecure web applications regularly occur even in companies where S-SDLC is mature and well integrated into the company’s daily business processes. The consequences of the financial crisis of 2009 are still here – many companies suffer from sluggish demand and very tough global competition. Often the business requires a new feature to be done in a few hours on a Friday evening to outperform a competitor – of course, we can forget about security when such pressure occurs. Nevertheless, it’s the business that pays the salaries of developers and infosec folks, and it’s always the business that has the last word. However, it’s also the business that should be ready to take responsibility for a new data breach and the related costs.
- Ignorance of third-party risks
Many companies have started introducing thorough security and compliance guidelines for their third-party suppliers and partners; however, they often fail to cover proper web application security in them. As a result, attackers can compromise the website of your long-time supplier, consultant or partner, and instead of hosting malware on your website, they host it on a trusted party’s website, achieving the same result in the end.
Jan Schreuder, partner, cybersecurity leader from PwC Switzerland, says: “Recently we’ve seen many organizations attacked through sophisticated cyber attacks on their supply chain partners. With global supply chains becoming more and more digital and interconnected, establishing trust in your supply chain is becoming more challenging all the time.”
Just as paying for an anti-smoking patch is much cheaper and less dramatic than spending a six-digit amount on cancer treatment, spending on preventive web application security is much more cost-effective and less painful than paying for APT forensics. Therefore, if you are currently finalizing your cybersecurity budget for 2016, don’t forget about proper web application security, not just vulnerability scanning.
About the author: Ilia Kolochenko
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.