When we think about how to protect our information systems against attack, the typical things that come to mind are firewalls, encryption and applying the latest software patches. These technical controls are where most of the information security budget and administrative attention go. Keep the bad guys out of the network, keep the servers up to date, and everything is safe and secure: that is the management assumption. What many people do not realize, however, is that none of these technologies, in any combination, will protect against the thousands of ways that Web sites and Web applications can be exploited. Something needs to change.
I will venture to guess that every viable business today has some type of Web presence. Be it a marketing site, B2B or B2C e-commerce systems, ERP and HR systems, e-mail or data center control systems, if it is a business application, it is probably Web-accessible. And Web servers are not just externally facing; they are often scattered across the internal network in places you would never think to look. I am finding that many network administrators and security managers are not even aware of half of the Web servers on their networks. A lack of awareness equals a lack of administration, which leads to Web security vulnerabilities. It is just a matter of time before someone, either inside or outside of your organization, stumbles across and exploits them.
What’s So Vulnerable?
The key to understanding the importance of Web security is seeing just how vulnerable Web-based systems can be. The attacks and exploits are not some magic voodoo that only the propeller heads in IT can understand. Given that most of us use some sort of Web-based system on a daily basis and are familiar with the technology, the vulnerabilities are pretty simple to grasp. Here’s a list of common Web-related weaknesses I come across in my work that highlight the problems we face:
• Underlying weaknesses at the operating system and Web server levels, such as unhardened systems with missing patches, that an attacker can take advantage of to gain access “below” the application and thus often evade Web monitoring and logging systems.
• Default user IDs and passwords that vendors assign to the Web servers running on firewalls, wireless access points and even physical security control systems, and that network administrators never change.
• Login weaknesses that give an attacker a leg up in determining valid user names (for example, an error message that says whether it was the user name or the password that was wrong) and cracking passwords. The problem is exacerbated when no intruder protection is in place to lock accounts after a specified number of failed login attempts.
• Web applications that authenticate users by accepting the person’s network logon ID as submitted by the client, without verifying it. Anyone who knows the user naming scheme on the network can simply substitute another user ID and appear to be that person.
• Weak minimum password requirements, such as five or six digits, that can be easily guessed or cracked in a matter of seconds.
• Simultaneous logins to the same account being allowed, which creates accountability problems if and when an incident occurs.
• Web browsers leaving login credentials stored in memory on shared computers, which an attacker can exploit by simply installing a hex editor on the system and searching the computer’s memory for the previous user’s login ID and password.
• Unvalidated input in Web forms, login pages and the like that lets a user submit malicious code or more data than the system can handle. This can cause the server or application to divulge too much information, including reflecting malicious scripts back to users (an attack called cross-site scripting) and letting an attacker extract information from the back-end database (an attack called SQL injection). Oversized input can also crash the system altogether.
• Vulnerabilities such as cross-site scripting and SQL injection that appear only when logged in at a certain user level, something that is often overlooked when testing is done from a single account.
• Applications that pass values such as prices and quantities to the browser in hidden form fields and then trust whatever comes back. These hidden fields, typically found in e-commerce shopping carts, can be easily manipulated, letting the user change prices, quantities and more on the fly for ill-gotten gains.
• Application logic problems that a crafty user can exploit to “break” the way the application works.
• Unusual errors and “undocumented features” that reveal sensitive information to someone accessing the system with an unsupported Web browser.
• Files loaded on a Web server, such as PDF files, Excel spreadsheets and system log files, that are accessible to anyone on the Internet when they should instead be protected behind a user login.
• Web server management features left enabled that let anyone create and delete folders and files on the system.
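To make the unvalidated-input item concrete, here is an added example (not code from the article) showing a login query built by string formatting next to one that binds the input as a parameter, and a greeting that reflects a name into HTML next to one that encodes it. The user table, the credentials and the 64-character length limit are all constructed for this example.

```python
import html
import sqlite3

MAX_FIELD_LENGTH = 64  # assumed limit for this example; real limits depend on the field


def make_db():
    """Constructed in-memory user table (sample data, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting, so the input is parsed as SQL.

    A username of  ' OR '1'='1  matches every row; a username of  bob' --
    comments out the password check entirely.
    """
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_hardened(conn, username, password):
    """Rejects oversized input and binds values as parameters, never as SQL text."""
    if len(username) > MAX_FIELD_LENGTH or len(password) > MAX_FIELD_LENGTH:
        return []
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def greeting_vulnerable(name):
    """Reflects the name straight into HTML: a <script> tag in the input runs in the browser."""
    return "<p>Welcome back, %s</p>" % name


def greeting_hardened(name):
    """HTML-encodes the name so the browser renders it as text, not markup."""
    return "<p>Welcome back, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))
    print("hardened:  ", login_hardened(db, "' OR '1'='1", "' OR '1'='1"))
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_hardened("<script>alert(1)</script>"))
```

The parameterised version still returns the right row for a genuine user name and password; what changes is that the database driver never sees the input as part of the statement text, so quotes and comment markers in it have no effect.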
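The client-supplied logon ID and the hidden-field shopping cart items above share one root cause: the server trusts a value the client controls. The following added example (not from the article) shows a checkout handler that takes user, price and quantity from the submitted form, beside one that takes identity from a server-side session and price from the catalogue. The catalogue, session store, SKU names and quantity limit are constructed for this example; prices are in integer cents to avoid floating-point rounding.

```python
# Constructed catalogue and session store for this example; hypothetical data.
CATALOGUE_CENTS = {"sku-100": 4999, "sku-200": 950}
SESSIONS = {"sess-7f3a": "alice"}   # session id -> authenticated user
MAX_QTY = 100                       # assumed per-order limit


class CheckoutError(ValueError):
    """Raised when a request fails server-side validation."""


def checkout_vulnerable(form):
    """Takes user, price and quantity straight from the submitted form.

    'user' and 'price_cents' are hidden fields, so anyone can edit them
    in the page or in the request before submitting.
    """
    total = int(form["price_cents"]) * int(form["qty"])
    return {"user": form["user"], "sku": form["sku"], "total_cents": total}


def checkout_hardened(form, session_id):
    """Derives identity from the server-side session and price from the catalogue.

    Any 'user' or 'price_cents' field the client sends is simply ignored.
    """
    user = SESSIONS.get(session_id)
    if user is None:
        raise CheckoutError("not authenticated")
    sku = form.get("sku")
    if sku not in CATALOGUE_CENTS:
        raise CheckoutError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise CheckoutError("quantity is not a number") from None
    if not 1 <= qty <= MAX_QTY:
        raise CheckoutError("quantity out of range")
    return {"user": user, "sku": sku, "total_cents": CATALOGUE_CENTS[sku] * qty}


if __name__ == "__main__":
    # Constructed tampered submission: price rewritten to 1 cent, user rewritten to bob.
    tampered = {"user": "bob", "sku": "sku-100", "price_cents": "1", "qty": "3"}
    print("vulnerable:", checkout_vulnerable(tampered))
    print("hardened:  ", checkout_hardened(tampered, "sess-7f3a"))
```

The hardened handler also rejects negative and oversized quantities, which is the same class of problem as the price: a value that only makes sense within a range the server, not the client, decides.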
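For the login-weakness and password-length items, here is an added example (not the article's code) of an account lockout that trips after a fixed number of consecutive failures, returns the same generic answer for unknown and known user names, and a policy check that rejects the short all-digit passwords the text describes. The threshold of five attempts, the 15-minute window and the 12-character minimum are assumed values for the example; the injectable clock exists so the lockout expiry can be exercised without waiting.

```python
import time

MAX_FAILURES = 5             # assumed threshold
LOCKOUT_SECONDS = 15 * 60    # assumed lockout window
MIN_PASSWORD_LENGTH = 12     # assumed policy


def password_meets_policy(password):
    """Rejects short passwords and all-digit ones like a five- or six-digit PIN."""
    return len(password) >= MIN_PASSWORD_LENGTH and not password.isdigit()


class Authenticator:
    def __init__(self, users, clock=time.monotonic):
        self.users = dict(users)    # username -> password; plaintext only for the demo
        self.failures = {}          # username -> consecutive failed attempts
        self.locked_until = {}      # username -> clock value when the lockout ends
        self.clock = clock

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[username]
            return False
        return True

    def login(self, username, password):
        """Returns 'ok', 'failed' or 'locked'.

        The 'failed' answer is identical for a wrong password and for a user
        name that does not exist, so the response gives no help with enumeration.
        """
        if self.is_locked(username):
            return "locked"
        if self.users.get(username) == password:
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_FAILURES:
            self.locked_until[username] = self.clock() + LOCKOUT_SECONDS
            self.failures.pop(username, None)
        return "failed"


if __name__ == "__main__":
    auth = Authenticator({"alice": "correct horse battery"})
    for _ in range(MAX_FAILURES):
        print(auth.login("alice", "wrong"))
    print(auth.login("alice", "correct horse battery"))  # locked, even with the right password
```

Lockouts cut both ways: an attacker who knows a user name can deliberately lock that account, so in practice a temporary lockout like this is paired with rate limiting by source and with alerting on repeated failures rather than used on its own.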
There are so many variables involved that the list of Web insecurities is endless. There is even a widely accepted “Top 10 Web Vulnerabilities” list documented by the Open Web Application Security Project (OWASP). Suffice it to say that one or more of these issues may very well be present on one or more of the Web-based hosts on your network. In most cases, unless Web and application logging is enabled and being monitored, no one will ever know the systems have been breached.