Why Ignoring Web Application Security Can Be Costly

 

It’s easy to forget how dramatically the delivery of tech tools has changed over the decades. These days, few of us depend on a long list of desktop apps to do our work. Instead, we spend our working day logged into several web apps – simultaneously.

Likewise, we can miss just how complex and interconnected the web app ecosystem is. Think you’re just using a single web app provided by a single vendor? Think again; that web app depends on countless underlying apps and components that function in concert.

All of this works so well because of the web’s incredibly open approach. For example, the public web address you use to access a web app can receive incoming requests from anyone, anywhere in the world.


The web’s openness has a price

There’s a catch however: the web’s mix of complexity and openness, combined with the public nature of the web, can leave the door open for malicious actors.

Once you add software bugs, lax security and the attraction of valuable data such as credit card details into the mix, it’s easy to see why hackers are hammering away at web applications.

Let’s look at just one example of a typical attack vector: formjacking. Formjacking intercepts sensitive information as it is typed into a website form, and it is an incredibly common way web apps are exploited. Through 2018, just one security vendor detected 3.7m formjacking attempts.

It is an astonishing number that should, in theory at least, make any CISO sit up straight.

But why do we need to worry, it’s not our app?

OK, so web apps are clearly at the sharp end of the cybersecurity threat, whether it’s a website set up to serve customers or a website that enables a critical business process.

Often, though, these web apps are owned by third party vendors. You pay the vendor for the use of the app, and that’s the end of the story, right?

Not so. 

Just because it’s a third-party vendor that supplies the app does not mean that your company won’t be in the firing line if an app is hacked. 

Just consider the following:

  • Downtime and lost business. If your website or the web app you use for everyday operations is down, you may not be able to do business with your customers. You’ll lose the sales revenue, and it’s an open question whether your company will recover that revenue.
  • Theft of data. Hackers can steal important data from web apps – including credentials to other services (think access to banking products). You might also be storing confidential information unique to your business in a web app, data that you wouldn’t want out in the open.
  • Data loss. A compromised app can also mean that you lose key business data that you need for everyday operations. This loss can be devastating, to the extent that a business is forced to close down because it cannot recover – all because of a third-party web app.
  • Reputational risk. What is the impact if an app your business relies on to deal with customers is clearly and visibly compromised? How much business will your company lose if news of data loss becomes public? Assigning a number to the lost business, lost growth and lost trust is difficult, but the impact can be game-changing.
  • Compliance and fines. Over and above the reputational risk, government authorities such as the EU are known to impose stiff fines even if your company was not at fault or willfully negligent. Pleading that a third-party app was involved won’t help.

So, there’s plenty to keep in mind when you’re considering how your company is vulnerable to an exploited web app that’s provided by a third party.

Hang on, we only use that web app to… 

To be fair, web app security risks vary. Sometimes a web app going wrong poses minimal risk to your company, even if you use that app every day.

It’s also true that companies have limited budgets and, understandably, security leaders will want to spend available time and funds and respond in a way that’s proportional to the underlying risk. 

Your company is at high risk and should keep a close eye on web application security if it’s heavily dependent on multiple cloud vendors for day-to-day operations. High risk also kicks in where your product or field of business is controversial, or where your company handles personally identifiable data such as financial and healthcare records.

There’s less risk associated with static websites that have no interactivity, or where your company hardly makes use of online services for its day-to-day functionality. However, that would be a minority of modern businesses.

The known and the unknown

There’s a final factor that CISOs should think about concerning web app security. Many of the threats faced by websites have been discovered and patched, and can easily be guarded against. These are known vulnerabilities. Yes, known vulnerabilities still require vigilance, but they are essentially the easier ones to protect web apps against.

However, one of the key reasons why web app security is so worrying is because of unknown vulnerabilities. In other words, weaknesses that have not yet been exploited by malicious actors, but which do exist – and can be exploited once found.

Guarding against unknown vulnerabilities requires a comprehensive approach from security experts that know their stuff. It’s an open question as to whether the vendors supplying the apps you rely on take their security obligations seriously.

Yes, your company can safely deploy web apps

There’s no way your company can simply set aside the web apps it uses every day because of the security risks. Modern-day tech relies on web apps, end of story.

The good news is that web app security can be boosted with some simple steps. You can read our full article here, but here are some important actions you can take to mitigate web app security concerns:

  • Catalog the apps you use, assess where you are exposed
  • Check the security measures of your vendors
  • Enforce good practice such as password security and locking down credentials
  • Test, monitor and protect apps using the available tools
  • Involve an external cybersecurity expert to risk assess and strategize

In contrast, simply sitting back and relying on web-driven applications as if these apps are infallible can open your company to a wide range of risks.

Today’s agile, fluid tech brings enormous benefits – but risks too. Thankfully your company can continue to enjoy cutting-edge tech without outsize risk exposure – as long as it recognizes the risks, and takes mitigating steps.

Looking for a web application vulnerability scanner? Contact us to schedule a free demo of our products in action.

Top 10 Tips to Improve Web Application Security

 

Web applications are exposed. Unlike internal network applications, everyone can get to a web application; all they need is an internet connection. That includes hackers too. In fact, an automated tool may be attacking the web applications you depend on as you read this article.

But developers often overlook web application security. Teams frequently spend all their energy on the code, the visual design and the functionality of an app – and little to no time making sure their web apps are secure.

Simple but effective steps can help your organization improve security around the web apps it depends on – whether those apps are from third-party vendors or developed in-house. Here are our top ten suggestions.


1. Create an inventory

You can’t protect what you don’t know about. We suggest you start making a list of web applications including proprietary and third-party applications.

Your company may develop and publish its own web apps, but also think about the intermediary apps your customers use to interact with your business. The web applications your company uses for its day-to-day operations must be included as well.

When you make this list, prioritize your web apps according to the amount of damage that could be done if something goes wrong. You don’t need to worry too much about the app you use to book Friday’s after-work drinks, but do take a close look at the app that processes your credit card transactions, for example.

A good vulnerability management system requires a good inventory system. If the systems to be scanned do not show up on the inventory management system then the system will not show up on the vulnerability scans and consequently will not be patched.

George Viegas, CSO

2. Develop cyber security best practices

You should develop cyber security best practices, or even good practices – meaning everything you know you should be doing, but probably forget to do. 

Strong and unique passwords for every web application you use are a must. Consider enabling multi-factor authentication (MFA), if available – and definitely enable MFA on your most critical apps.

If you have development control over an app, make sure that you deploy HTTPS and the latest version of TLS. Web apps also benefit from security tweaks including the X-XSS-Protection security header and adding subresource integrity to <link> or <script> elements.

X-XSS-Protection header can prevent some level of XSS (cross-site scripting) attacks, and this is compatible with IE 8+, Chrome, Opera, Safari & Android. Google, Facebook, GitHub use this header, and most penetration testing consultancies will ask you to implement this.

Chandan Kumar, Geekflare
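The subresource integrity tweak mentioned above, worked through as an added example (this is illustrative code written for this page, not code from the original article or from any project it names): it computes the `integrity` token for a script body, emits the pinned `<script>` tag, and emulates the browser’s check, including the rule that only the strongest listed algorithm counts. The script body and the CDN URL are constructed sample values.

```python
import base64
import hashlib

# Hash algorithms browsers accept for Subresource Integrity, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity token, e.g. "sha384-<base64 digest>", for a resource body."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Build a <script> element that pins the fetched file to its hash.
    crossorigin="anonymous" is needed for SRI checks on cross-origin resources."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algorithm)}" '
            'crossorigin="anonymous"></script>')


def sri_matches(content: bytes, integrity: str) -> bool:
    """Emulate the browser-side check: parse the integrity attribute, keep only
    the tokens that use the strongest recognised algorithm, and accept the
    resource if any one of those tokens matches its digest."""
    tokens_by_alg = {}
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        if alg in SRI_ALGORITHMS:                 # unrecognised algorithms are ignored
            expected = rest.split("?", 1)[0]      # drop any "?options" suffix
            tokens_by_alg.setdefault(alg, set()).add(expected)
    if not tokens_by_alg:
        return True   # no usable metadata: the browser loads the resource unchecked
    strongest = max(tokens_by_alg, key=SRI_ALGORITHMS.index)
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in tokens_by_alg[strongest]


# Constructed sample: the script body you would serve (or fetch from a CDN).
SAMPLE_SCRIPT = b"window.appVersion = '1.0';\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example.test/app.js", SAMPLE_SCRIPT))
    modified = SAMPLE_SCRIPT + b"// one extra line changes the digest\n"
    print("original passes:", sri_matches(SAMPLE_SCRIPT, sri_hash(SAMPLE_SCRIPT)))
    print("modified passes:", sri_matches(modified, sri_hash(SAMPLE_SCRIPT)))
```

A resource that has changed since the token was generated is refused by the browser, which is exactly why the token must be regenerated whenever the pinned file is legitimately updated.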

3. Be meticulous with access rights and credentials

This is a tough one, particularly in fast-growing companies or where you may be dependent on temporary workers. However, it is critical that you use a database of user credentials for web applications and revoke credentials once an employee leaves or changes roles. 

Whenever you allow access to an application, do so with the principle of least privilege (PoLP); only give users access to information and tools they need to do their jobs.

For example, don’t give full admin access when view or edit will do. It may seem time-consuming, but you’ll protect your web apps not only from hackers but also from potentially malicious employees.

Not applying the principle of least privilege is a fundamental security mistake that threatens your organization, encourages the propagation of insider threat, and puts your business’ data at high risk.

Bianca Soare, Heimdal Security

4. Employ professional (white hat) hackers

If your business revolves around a web app that your company has developed, you could consider hiring professional hackers to try to penetrate your app.

Yes, trying to get your app hacked by a friendly actor can be beneficial. Ethical hackers under contract can find vulnerabilities and allow you to fix issues before they’re uncovered by criminal hackers. Alternatively, think about a bounty program where you pay a reward to anyone who identifies vulnerabilities in your app.

These “white-hat hackers” differentiate themselves from criminal hackers in that they won’t do anything illegal. Many work for government agencies or corporations, while others operate out of home laboratories, preferring to just hack for fun…

This type of ethical hacking can have real implications for people’s safety. In 2015, hackers were able to remotely hijack a Jeep while someone was driving, prompting Chrysler to recall 1.4 million vehicles.

Zoe Schiffer, Vox

5. Backup, backup, backup

Think backups are old hat because it’s been years since you’ve heard a hard drive spin-up? Think again. Your web applications’ data is at constant risk and must be backed up outside of the application. Outside also means off-site; don’t back up your data on the same cloud infrastructure that hosts your app.

Consider deploying fallback applications as well – such as a fallback credit card processor. Where that’s not possible, make sure you have a disaster plan in place, so you know what to do if an app goes down.

Losing any amount of data can compromise your personal identity, erase your family history, and even bankrupt your entire company. No matter if you store years of highly sensitive customer data or just save a lot of photos of your dog, you never want to find out that a large chunk or even all of your data is gone.

Alexa Drake, G2

6. Review security measures regularly

Remember that list we said you should make? Well, web application security is not a set and forget measure; you need to constantly review your security measures. Regularly check whether a new critical but vulnerable app has been onboarded, and continuously review your security policies.

It’s worth setting up a review process – even if it’s as simple as a diary entry in a calendar. Yes, security leaders are paid to get security right but it’s too easy to verify that a technology estate is secure – and then neglect to run a regular review.

A McAfee report on data exfiltration found that people inside organizations caused 43% of data loss, one-half of which was accidental. Improved cybersecurity policies can help employees and consultants better understand how to maintain the security of data and applications.

Staff, McAfee

7. Keep an eye on your vendors

Your security reviews should also involve your technology partners because a security chain is only as strong as its weakest link. Your web apps will likely depend on other vendors for critical functionality so regularly review the security policies and practices of your partner vendors.

We’ll go even further as to say that you might want to look at the companies your vendors depend on. There may be countless connected, background services; these may also be a weak link in the web security chain.

Monitoring your organization’s internal cybersecurity posture is a given, but companies often make the mistake of overlooking their vendors’ cybersecurity procedures. It’s important to identify your vendors’ potential vulnerabilities as your own.

Phoebe Fasulo, SecurityScorecard

8. Consider a web application firewall

For some reason or another, your app or website may be the target of hackers. Sustained, persistent hacking attempts are hard to stop. However, you could consider deploying a web application firewall (WAF) which filters inbound traffic, vetting web clients before sending the request through to your website. 

A WAF behaves in a similar way to a traditional network firewall by checking against a watchlist and using AI to recognize suspicious behavior. WAFs are very effective but can be resource-intensive and can block legitimate traffic through false positives.

A WAF has an advantage over traditional firewalls because it offers greater visibility into sensitive application data that is communicated using the HTTP application layer. It can prevent application layer attacks that normally bypass traditional network firewalls.

Margaret Rouse, TechTarget

9. Deploy a scanning tool

Scanning tools from a third-party security provider are usually the most effective way to check for security vulnerabilities. Security testing vendors stay on top of new vulnerabilities every day; it’s their job. A vulnerability assessment vendor can alert you if your web apps can be exploited by a new vulnerability or if a configuration issue allows attackers to get in.

Automated scanning tools such as black box fuzzers can simulate an actual hacking attack to let you know if there are any holes that can be successfully exploited. This proactive approach gives you the chance to step in and block an attack before it happens. Beware though, some scanning tools are intrusive and can break an app and won’t always find existing vulnerabilities, so choose your tool carefully.


10. Partner with a security expert

Even the largest of enterprises with extensive internal IT teams hire outside help when it comes to cybersecurity. Cyber threats have simply become so broad, diverse and urgent that it is almost impossible for internal teams to possess all the knowledge to protect their employers against every threat, all the time. 

Partnering with security experts will deepen your company’s web app security approach. It’s an opportunity to identify missed opportunities and glaring omissions alike. Don’t try to go it alone in the fight against cybercrime.

The complexity of cyberattacks have made many organisations realise the advantages of outsourcing their IT security to expert partners. The reality of modern Web security and DDoS mitigation is that no one can ever know exactly what’s going to happen. So, when it’s time to evaluate and select a cybersecurity partner, you need to know as much as you can about the company.

Ben Rossi, InformationAge

Final Words: You can boost web app security – but you must act

Companies have become incredibly dependent on web applications; a modern cutting-edge business using the latest tech is more likely than not highly reliant on web apps. 

It’s too easy to assume that these apps are secure. Likewise, vendors that develop and provision web apps can forget how exposed their apps are.

However, there are plenty of options to boost web app security. We’ve provided ten suggestions – but it is up to your company to take the necessary action.


Everything You Need to Know About Web Security

 

Last updated on April 24, 2020.

Web security, your site and your network

Web sites are unfortunately prone to security risks. And so are any networks in which web servers are connected. Setting aside risks created by employee use or misuse of network resources, your web server and the site it hosts present your most serious sources of security risk.

Web servers by design open a window between your network and the world. The care taken with server maintenance, web application updates and your web site coding will define the size of that window, limit the kind of information that can pass through it and thus establish the degree of web security you will have.

Is your site or network at risk?

“Web security” is relative and has two components, one internal and one public. Your relative security is high if you have few network resources of financial value, your company and site aren’t controversial in any way, your network is set up with tight permissions, your web server is patched up to date with all settings done correctly, your applications on the web server are all patched and updated and your web site code is done to high standards.

Your web security is relatively lower if your company has financial assets like credit card or identity information, if your web site content is controversial, your servers, applications and site code are complex or old and are maintained by an underfunded or outsourced IT department. All IT departments are budget-challenged, and tight staffing often creates deferred maintenance issues that play into the hands of any who want to challenge your web security.

Web security risk – should you be worried?

If you have assets of importance, or if anything about your site puts you in the public spotlight, then your web security will be tested. We hope that the information provided here will prevent you and your company from being embarrassed – or worse.

It’s well known that poorly written software creates security issues. The number of bugs that could create web security issues is directly proportional to the size and complexity of your web applications and web server. Basically, all complex programs either have bugs or at the very least, weaknesses. On top of that, web servers are inherently complex programs. Web sites are themselves complex and intentionally invite ever greater interaction with the public. And so the opportunities for security holes are many and growing.

Technically, the very same programming that increases the value of a web site, namely interaction with visitors, also allows scripts or SQL commands to be executed on your web and database servers in response to visitor requests. Any web-based form or script installed at your site may have weaknesses or outright bugs and every such issue presents a web security risk.

Contrary to common knowledge the balance between allowing web site visitors some access to your corporate resources through a web site and keeping unwanted visitors out of your network is a delicate one. There is no one setting, no single switch to throw that sets the security hurdle at the proper level. There are dozens of settings if not hundreds in a web server alone, and then each service, application and open port on the server adds another layer of settings. And then the web site code… you get the picture.

Add to that the different permissions you will want to grant visitors, prospects, customers, partners and employees. The number of variables regarding web security rapidly escalates.

A web security issue is faced by site visitors as well. A common web site attack involves the silent and concealed installation of code that will exploit the browsers of visitors. Your site is not the end target at all in these attacks. There are, at this time, many thousands of web sites out there that have been compromised. The owners have no idea that anything has been added to their sites and that their visitors are at risk. In the meantime visitors are being subjected to attack, and successful attacks are installing nasty code onto the visitors’ computers.

Web server security

The world’s most secure web server is the one that is turned off. Simple, bare-bones web servers that have few open ports and few services on those ports are the next best thing. This just isn’t an option for most companies. Powerful and flexible applications are required to run complex sites and these are naturally more subject to web security issues.

Any system with multiple open ports, multiple services and multiple scripting languages is vulnerable simply because it has so many points of entry to watch.

If your system has been correctly configured and your IT staff has been very punctual about applying security patches and updates, your risks are mitigated. Then there is the matter of the applications you are running. These too require frequent updates. And last there is the web site code itself.

Web site code and web security

Your site undoubtedly provides some means of communication with its visitors. In every place that interaction is possible you have a potential web security vulnerability. Web sites often invite visitors to:

  • Load a new page containing dynamic content
  • Search for a product or location
  • Fill out a contact form
  • Search the site content
  • Use a shopping cart
  • Create an account
  • Log on to an account

In each case noted above, your web site visitor is effectively sending a command to or through your web server – very likely to a database. In each opportunity to communicate, such as a form field, search field or blog, correctly written code will allow only a very narrow range of commands or information types to pass – in or out. This is ideal for web security. However, these limits are not automatic. It takes well trained programmers a good deal of time to write code that allows all expected data to pass and disallows all unexpected or potentially harmful data.

And there lies the problem. Code on your site has come from a variety of programmers, some of whom work for third party vendors. Some of that code is old, perhaps very old. Your site may be running software from half a dozen sources, and then your own site designer and your webmaster have each produced more code of their own, or made revisions to another’s code that may have altered or eliminated previously established web security limitations.

Add to that the software that may have been purchased years ago and which is not in current use. Many servers have accumulated applications that are no longer in use and with which nobody on your current staff is familiar. This code is often not easy to find, is about as valuable as an appendix and has not been used, patched or updated for years – but it may be exactly what a hacker is looking for!

Known web security vulnerabilities and unknown vulnerabilities

As you know there are a lot of people out there who call themselves hackers. You can also easily guess that they are not all equally skilled. As a matter of fact, the vast majority of them are simply copycats. They read about a KNOWN technique that was devised by someone else and they use it to break into a site that is interesting to them, often just to see if they can do it. Naturally once they have done that they will take advantage of the site weakness to do malicious harm, plant something or steal something.

A very small number of hackers are actually capable of discovering a new way to overcome web security obstacles. Given the work being done by tens of thousands of programmers worldwide to improve security, it is not easy to discover a brand new method of attack. Hundreds, sometimes thousands of man-hours might be put into developing a new exploit. This is sometimes done by individuals, but just as often is done by teams supported by organized crime. In either case they want to maximize their return on this investment in time and energy and so they will very quietly focus on relatively few, very valuable corporate or governmental assets. Until their new technique is actually discovered, it is considered UNKNOWN.

Countering and attempting to eliminate any return on this hacking investment you have hundreds if not thousands of web security entities. These public and private groups watch for and share information about newly discovered exploits so that an alarm can be raised and defense against unknown exploits can be put in place quickly. The broad announcement of a new exploit makes it a KNOWN exploit.

The outcome of this contest of wills, so to speak, is that exploits become known and widely documented very soon after they are first used and discovered. So at any one time there are thousands (perhaps tens of thousands) of known vulnerabilities and only a very, very few unknown. And those few unknown exploits are very tightly focused onto just a very few highly valuable targets so as to reap the greatest return before discovery, because once an exploit is known, the best defended sites immediately take action to correct their flaws and erect better defenses.

Your greatest web security risks: known or unknown?

Your site is 1,000 times more likely to be attacked with a known exploit than an unknown one. And the reason behind this is simple: There are so many known exploits and the complexity of web servers and web sites is so great that the chances are good that one of the known vulnerabilities will be present and allow an attacker access to your site.

The number of sites worldwide is so great and the number of new, as of yet undocumented and thus unknown exploits so small that your chances of being attacked with one is nearly zero – unless you have network assets of truly great value.

If you don’t attract the attention of a very dedicated, well financed attack, then your primary concern should be to eliminate your known vulnerabilities so that a quick look would reveal no easy entry using known vulnerabilities.

Web security defense strategy

There are two roads to accomplish excellent security. On one you would assign all of the resources needed to maintain constant alert to new security issues. You would ensure that all patches and updates are done at once, have all of your existing applications reviewed for correct security, ensure that only security knowledgeable programmers do work on your site and have their work checked carefully by security professionals. You would also maintain a tight firewall, antivirus protection and run IPS/IDS.

Your other option: use a web scanning solution to test your existing equipment, applications and web site code to see if a KNOWN vulnerability actually exists. While firewalls, antivirus and IPS/IDS are all worthwhile, it is simple logic to also lock the front door. It is far more effective to repair a half dozen actual risks than it is to leave them in place and try to build higher and higher walls around them. Network and web site vulnerability scanning is the most efficient security investment of all.

If one had to walk just one of these roads, diligent wall building or vulnerability testing, it has been seen that web scanning will actually produce a higher level of web security on a dollar for dollar basis. This is proven by the number of well defended web sites which get hacked every month, and the much lower number of properly scanned web sites which have been compromised.

Web security using a web site security audit

Your best defense against an attack on your web site is to regularly scan a competently set up domain that is running current applications and whose web site code was done well.

Web site testing, also known as web scanning or auditing, is often provided by a hosted service. For simplicity, we suggest a service that requires no installation of software or hardware and is done without any interruption of web services.

A good vulnerability scanner will look for known issues using a complete database of security vulnerabilities. For each kind of exploit, the vulnerability database records the combination of web site weaknesses that must be present for the exploit to succeed. Thus by examining a server for the open port, available service and/or code that each known exploit requires, it is a simple matter to determine whether a server is vulnerable to attack using that method.

Vulnerability scanners can quickly run through an entire database of over ten thousand vulnerabilities and can report on which are present and better yet, confirm the thousands that are not. With that data in hand you and your staff can address your actual web security vulnerabilities and, when handled, know that your site is completely free of known issues regardless of what updates and patches have been done and what condition your code is in or what unused code may reside, hidden, on your site or web server.

A vulnerability scanner can be run on a regular basis so that your site will be tested against new vulnerabilities as they become known and provide you with solid data as to whether action is vital, needed or low priority. You will also be alerted if new code has been added to the site that is insecure, a new port has been opened that was unexpected, or a new service has been loaded and started that may present an opportunity to break in.

In complex, large systems it may be that daily web scanning is the ONLY way to ensure that none of the many changes made to site code or on an application may have opened a hole in your carefully established security perimeter!
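The matching described in this section (each known exploit has preconditions: a service, a version range, an open port) and the inventory point from tip 1 above (a host missing from the inventory is never scanned), worked through as an added example. This is illustrative code written for this page, not the scanner of the original article or any product; the vulnerability records, service names, version ranges and host names are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class KnownVuln:
    """One record of a constructed known-vulnerability database: the service,
    the version range an exploit needs, the port it must reach, and a severity."""
    vuln_id: str
    service: str
    min_version: Version
    fixed_in: Version              # first version that is not affected; () = no fix yet
    requires_port: Optional[int]
    severity: int                  # 1 (low) .. 10 (critical)


@dataclass
class Asset:
    """An inventory record: what a scan observed on one host."""
    host: str
    data_sensitivity: int          # 1 (public content) .. 5 (card or health data)
    open_ports: Set[int]
    services: Dict[str, Version]   # service name -> installed version


def parse_version(text: str) -> Version:
    """'2.4.41' -> (2, 4, 41); tuples compare in version order."""
    return tuple(int(part) for part in text.split("."))


def is_affected(asset: Asset, vuln: KnownVuln) -> bool:
    """The exploit applies only if every precondition it needs is present."""
    version = asset.services.get(vuln.service)
    if version is None:
        return False
    if vuln.requires_port is not None and vuln.requires_port not in asset.open_ports:
        return False
    if version < vuln.min_version:
        return False
    return not vuln.fixed_in or version < vuln.fixed_in


def scan(assets: List[Asset], db: List[KnownVuln]) -> List[Tuple[int, str, str]]:
    """Return (priority, host, vuln_id) findings, highest priority first.
    Priority weights exploit severity by how sensitive the host's data is."""
    findings = [
        (vuln.severity * asset.data_sensitivity, asset.host, vuln.vuln_id)
        for asset in assets
        for vuln in db
        if is_affected(asset, vuln)
    ]
    return sorted(findings, reverse=True)


def inventory_gaps(inventory: List[Asset], observed_hosts: Set[str]) -> Set[str]:
    """Hosts seen on the network but absent from the inventory never get scanned."""
    return observed_hosts - {asset.host for asset in inventory}


# Constructed vulnerability database (placeholder IDs and fictitious services).
KNOWN_VULNS = [
    KnownVuln("VULN-0001", "demo-webserver", (2, 4, 0), (2, 4, 50), 443, 9),
    KnownVuln("VULN-0002", "demo-cms", (1, 0, 0), (), None, 6),
    KnownVuln("VULN-0003", "demo-dbserver", (5, 0, 0), (5, 7, 30), 3306, 8),
]

# Constructed inventory, as a scan would observe it.
INVENTORY = [
    Asset("shop.example.test", 5, {443, 3306},
          {"demo-webserver": parse_version("2.4.41"), "demo-dbserver": parse_version("5.7.22")}),
    Asset("blog.example.test", 1, {443},
          {"demo-webserver": parse_version("2.4.52"), "demo-cms": parse_version("1.3.2")}),
    Asset("intranet.example.test", 3, {80},
          {"demo-webserver": parse_version("2.4.41")}),   # port 443 closed: precondition missing
]
# Constructed list of hosts a network sweep found, including one nobody inventoried.
OBSERVED_HOSTS = {"shop.example.test", "blog.example.test",
                  "intranet.example.test", "legacy.example.test"}

if __name__ == "__main__":
    for priority, host, vuln_id in scan(INVENTORY, KNOWN_VULNS):
        print(f"{priority:3d}  {host:24s} {vuln_id}")
    print("not in inventory:", inventory_gaps(INVENTORY, OBSERVED_HOSTS))
```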

Looking for a vulnerability scanner? Contact us to schedule a free demo of our products in action.

Defuzzing API Testing: The Search for Vulnerabilities

 

REST APIs have allowed us to create modern web and mobile applications; by using the power of an API, we can open up the world of services – pulling in data, sharing information and oiling the wheels of the internet.

But building an API-enabled service also means that you potentially open up your web or mobile application to cybercriminals.

In the first nine months of 2019, 7.9 billion data records were breached; many of these breaches originated at the API layer.

API-enabled systems and services come with an Achilles heel in the form of security vulnerabilities. As APIs have blossomed, data breaches have followed. Here, we take a deep dive into API attack vectors and how using API fuzz testing can help find them. 

Top ways API breaches happen

Before you do anything, you need to know what you are dealing with; this is also true for API security. Because web applications use APIs that share data across a very wide surface, if you don’t find a vulnerability first, someone else will.

Fortunately, there is an industry group, the Open Web Application Security Project (OWASP), that researches where APIs are most at risk. The OWASP API Security Project outlines a ‘top ten’ list of the areas where an API is most at risk. Included in this list are vulnerabilities such as:

Security misconfiguration. One of the main ways APIs are attacked is through insecure configuration. Attackers can easily look for insecure instances of API-based services – such as your API-enabled web application – using the Shodan search engine. Attackers used Shodan to find an Elasticsearch instance that was insecure and open for the world to see; this exposed the personal data of over 56 million US citizens.

HTTP instead of HTTPS. HTTPS is the secure version of the protocol that transfers data (such as HTML documents) between web servers and clients. If an API-enabled web service uses HTTP instead of HTTPS, it is vulnerable to attacks in which sensitive and personal data can be intercepted and stolen.

Injection attacks. Attackers can use vulnerabilities in an API to introduce (inject) malicious code. This code can make the service act according to an attacker’s wishes, e.g., send the attacker the personal data of users. A cyber-attack at Heartland Payment Systems exposed 134 million credit cards when cybercriminals exploited an injection vulnerability.

Other things to consider:

Third-party integrations 

APIs, by design, often connect across many third-party services. This places API-enabled web services at a high risk of containing vulnerabilities. However, a Deloitte survey found: 

“62 percent of CEOs fail to hold their extended enterprise to the same risk standards as their own”.

Because vulnerabilities come in all forms and across the entire extended API surface, API-enabled web applications must be tested in a holistic and dynamic manner. 

Hunting for API vulnerabilities

The REST API attack surface is large and complex, often containing many third-party integrations. The very interoperability that REST APIs are designed for makes them vulnerable. Making headway in locating vulnerabilities in APIs requires a systematic plan of action and smart tools for the job. The following steps are a guide for any API vulnerability hunter when testing their service:

Know what you are looking at. Have a blueprint of your expanded API services and all components. Plan out your approach. Make sure it covers everything. You may also need to look at specific compliance areas that impact data security in your industry. 

Know your data. What data flows through which web applications? Categorize the data into different levels of priority in line with your business.

Know your vulnerabilities. Determine which vulnerabilities are a priority. For example, Sucuri’s “Website Threat Report 2019” found that “Primary infection vectors include vulnerable third-party components and software defects.” Prioritization helps when you later detect vulnerabilities.

Black box and fuzz testing for vulnerability detection. To find vulnerabilities in extended cloud services you need to be able to use a tool that can look deeply into the underlying REST APIs.

  • API test tools automate and standardize tests across your entire product line.
  • Black-box testing is a way to dig deep into the potential attack surface of an API-enabled web application.
  • Multi-protocol fuzz testing works systematically across the entire API surface; the ‘fuzz’ takes the form of random or invalid data.

Apply your vulnerability knowledge. The output from a black box and fuzz testing process is used as part of a risk detection and management process. This builds the information needed by your security team to make sure that no malicious entity exploits an API vulnerability.
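The black-box fuzz step above in miniature, as an added example that is not the page's or any product's code: a constructed corpus of malformed JSON bodies is driven through two hypothetical implementations of a POST /orders endpoint, one that trusts its input and one with explicit validation, and every unhandled exception (a 500 on a real server) is recorded as a finding.

```python
"""In-process fuzz harness for a JSON REST endpoint, run against two handlers.

Added example, not code from the page or any product it mentions. Both handlers
are hypothetical implementations of POST /orders; the corpus of malformed bodies
is constructed here. An exception escaping a handler is what a real server would
turn into a 500, which is the signal a black-box fuzz run turns into a finding.
"""
import random


def weak_handler(body):
    """Hypothetical handler that trusts the shape and types of the client's JSON."""
    item = body["item"]                 # KeyError if the field is missing
    qty = int(body["qty"])              # TypeError/ValueError on non-numeric input
    if qty > 1000:
        raise RuntimeError("stock reservation overflow")   # bounds checked too late
    return 201, {"order": item.upper() + ":" + str(qty)}   # AttributeError if item is not a str


def hardened_handler(body):
    """Same endpoint with explicit validation: bad input gets a 4xx, never an exception."""
    if not isinstance(body, dict):
        return 400, {"error": "body must be a JSON object"}
    item = body.get("item")
    qty = body.get("qty")
    if not isinstance(item, str) or not (1 <= len(item) <= 64) or "\x00" in item:
        return 400, {"error": "item must be a 1-64 character string"}
    if not isinstance(qty, int) or isinstance(qty, bool) or not (1 <= qty <= 1000):
        return 400, {"error": "qty must be an integer from 1 to 1000"}
    return 201, {"order": item.upper() + ":" + str(qty)}


def fuzz_bodies(seed=1, random_cases=10):
    """Yield the constructed corpus: one valid body, then structural, type,
    boundary and random-data mutations (the 'fuzz' in the page's sense)."""
    yield {"item": "widget", "qty": 2}
    # Structural mutations: missing fields, wrong container, empty body.
    yield {}
    yield []
    yield {"item": "widget"}
    yield {"qty": 2}
    yield {"item": {"nested": True}, "qty": 2}
    # Type confusion and boundary values for each field.
    for bad_qty in [None, "2", "abc", -1, 0, 1001, 10 ** 18, 2.5, True]:
        yield {"item": "widget", "qty": bad_qty}
    for bad_item in [None, "", "x" * 100000, "a\x00b", 42]:
        yield {"item": bad_item, "qty": 2}
    # Random strings and quantities, reproducible via the seed.
    rng = random.Random(seed)
    for _ in range(random_cases):
        junk = "".join(chr(rng.randrange(0x300)) for _ in range(rng.randrange(40)))
        yield {"item": junk, "qty": rng.randrange(-5, 5000)}


def run_fuzz(handler, bodies=None):
    """Drive a handler over the corpus and collect status counts plus crash cases.

    Returns (counts, crashes): counts maps HTTP status to how often it occurred;
    crashes lists (input, exception name) for every unhandled exception.
    """
    counts, crashes = {}, []
    for body in (bodies if bodies is not None else fuzz_bodies()):
        try:
            status, _ = handler(body)
        except Exception as exc:        # a real server would answer 500 here
            status = 500
            crashes.append((body, type(exc).__name__))
        counts[status] = counts.get(status, 0) + 1
    return counts, crashes


def compare_handlers():
    """Summarise both handlers over the full corpus, random cases included."""
    weak_counts, weak_crashes = run_fuzz(weak_handler)
    hard_counts, hard_crashes = run_fuzz(hardened_handler)
    return {"weak_500s": len(weak_crashes), "hardened_500s": len(hard_crashes),
            "hardened_400s": hard_counts.get(400, 0), "weak_201s": weak_counts.get(201, 0)}


if __name__ == "__main__":
    print(compare_handlers())
    for body, exc_name in run_fuzz(weak_handler, list(fuzz_bodies(random_cases=0)))[1]:
        print(f"{exc_name:15} <- {body!r:.60}")
```

Note that the weak handler also silently accepts a negative or zero quantity with a 201, a logic flaw that fuzzing alone does not surface; that is why the output of a fuzz run feeds a review process rather than replacing one.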

Your web service is a valuable commodity, one which a cybercriminal will exploit if they find a way in. Attackers are always on the lookout for API vulnerabilities – so you have to do the same. Using automated tools, such as Fuzz testing, you can beat the hackers at their own game. 

Knowing what vulnerabilities exist in your web service is an essential step in the fight against API-based cybercrime. 

Concerned you might have an API vulnerability, or just want to be a step ahead of threats? Contact us to schedule a free demo of our network and application vulnerability assessment products.

Is Automation the Future of Pen Testing?

 

This article was originally published on Enterprise Management 360 on March 31, 2020.

Penetration testing is the Marmite of cybersecurity: you either love it or you hate it. Taking a neutral stance on the matter, it’s easy to see both sides. On one hand, pen testing provides indisputable evidence of vulnerabilities for organisations to action. Pen testers are also often able to identify even the smallest of vulnerabilities that hackers would exploit (and businesses would usually miss).

However, on the other hand, pen testing can be an expensive endeavour, and can cause serious damage if not done correctly. Furthermore, pen testing also requires that you trust the testers, which is a calculated risk organisations simply must take.

Despite the disadvantages, pen testing is a keeper for its highly proactive approach to cybersecurity – it just needs bolstering in some way. Fortunately, automation provides the means to do exactly that.

Enterprise technology has called upon automation as a solution to numerous enterprise challenges. Famously, automation can eliminate or minimise risk of human error, as well as speed up process times, making it the natural answer to many problems. Cybersecurity is no exception to this, as technologies such as robotic process automation and SOAR continue to take centre-stage.

Why should pen testing be automated?

To better demonstrate how pen testing can benefit from automation, we will use one of our favourite offerings: beSECURE by Beyond Security. Firstly, some background on the company: Beyond Security provides solutions to help businesses and governments improve their network and application security. Harnessing industry-leading expertise and decades of experience, the company delivers highly accurate testing to give organisations peace of mind.

beSECURE remedies the drawbacks that manual pen testing often presents. For example, it eliminates the issues found with frequency; pen tests are periodic, and new security situations can present themselves between intervals in just a matter of days. In other words, new vulnerabilities can sit on the network without consideration until the next test.

Organisations can use beSECURE in combination with vulnerability assessment management on a monthly, weekly, or even daily basis, making it perfect for frequently changing services (web applications, etc). In turn, you can quickly detect and test new hosts and identify weaknesses introduced by changes to the host at speed.

As mentioned previously, automation minimises the potential for human error. Such is the case with beSECURE, which homes in on ease of use so that any competent network admin can run it. What’s more, with beSECURE, speed is everything. It delivers to-the-point reports that in turn encourage compliance, and it can scan entire networks quickly.

Finally, beSECURE will not burn a hole in your pocket. Instead, you can purchase a typical beSECURE installation for the cost of one comprehensive pen test.


How to Manage Your Employees’ Devices When Remote Work Has Become the New Norm

 

Across the world, companies like Google, Microsoft, Amazon, Twitter, and yes, Beyond Security, have asked their employees to work from home in response to the Coronavirus (Covid-19) pandemic. 

As employees move from on-premises offices to their homes, businesses will be faced with the challenge of managing and securing both company-owned and employee-owned devices as they access company resources from outside the network perimeter.

These unvetted locations and devices expose organizations to threats such as malware, data breaches and threat actors waiting to exploit human fallibility.

If you don’t already have an MDM (Mobile Device Management) solution and BYOD (Bring Your Own Device) policy, now is the time to get one. You can start by following the 3 suggestions below.

1. Conduct a mobile security risk assessment

Mobile security threats are growing at record speed. According to the McAfee Mobile Threat Report released earlier this year, over 35 million types of mobile malware were detected in the final quarter of 2019 – an increase of 5 million since the first quarter and 10 million since the beginning of the previous year. 

Malware attacks on mobile devices have grown an impressive 66.6% in just two years!

Other threats include: 

  • Data & Device Theft
  • Poor Cyber Hygiene
  • BYOD & IoT Intrusion
  • Lost Devices
  • Out-of-Date Software
  • Unsafe Wi-Fi
  • Spyware
  • Hidden Apps
  • Phishing Attacks
  • Social Engineering  
  • Broken Cryptography
  • Cryptojacking
  • Improper Session Handling
  • Ad Fraud & Fake Reviews

If you and your stakeholders are aware of the risks above, then you’ve already begun your mobile security risk assessment.

Awareness is both the first and last step of evaluating and managing the risks that may affect your mobile workforce. We also recommend identifying company assets and planning for exits and crises. 

Improve mobile security awareness. Security Awareness Training (SAT) starts with you. If you’re reading this, you’re probably responsible for the information security at your company. Don’t keep that responsibility to yourself; share. 

  • Share research on the latest threats.
  • Share tips on reducing risk. 
  • Share your organization’s security policies – regularly.

If you don’t have the time or resources for in-house training, many online cybersecurity awareness training courses cover mobile security – and offer a certificate to show completion (so you know your staff is taking this seriously). 

Mobile security awareness training, coupled with MDM technology, is your greatest defense against risk. We’ll cover MDM later. 

Identify company assets. A data breach could cost your company $3.86 million on average, according to the Ponemon Institute’s 2018 study – and much, much more if it’s a mega breach involving 50 million records, which might cost $350 million (or billions if you’re Equifax).

The threat is real and stakes are high. 

Interestingly enough, Ponemon notes you’re more likely to experience a data breach of at least 10,000 records than you are to catch the winter flu (which is good news in the days of Corona). 

Securing your digital assets from mobile data leaks and other mobile security threats involves a little stock taking.

  • What is considered sensitive data?
  • How do you collect, store and transfer data?
  • Who has access to your data?
  • Do mobile devices have access to your data?
  • Where does sensitive data change hands?
  • Can a lost or stolen device compromise your data?
  • What are the consequences of a data breach?

“Analyzing how mobility could lead to data loss feels like a shot in the dark. At a moving target, with a blindfold on.” – Michael Davis, CISO, CTO, Author

But an assessment may indicate the risk is lower or different than you might expect, as in Davis’ case when he realized mobile phones couldn’t reach his company’s accounting software, but employees could share financial data via email.

Plan for exits and crises. You probably have an onboarding plan, but do you have an offboarding and WTSHTF plan?

What happens when you fire a disgruntled employee who has access to your entire database? What happens when your developer leaves? HR? Sales?

  • How long do you wait to wipe devices and change passwords? 
  • Do you know what devices were being used? 
  • Were they approved devices? 
  • Were they BYOD or company-issued? 
  • What applications were they using?
  • What level of access did they have? 
  • Where did they store data?
  • Who owns the data on their phones?
  • Can you legally wipe their phones?

You need a plan, not only for fires, but also for your run-of-the-mill “I found the job of my dreams” exits. Because you never know. Though this article is about threats to mobile devices, people are your greatest security threats – often unwittingly.  

A recent white paper found 87% of employees surveyed admitted they took data they created upon leaving a company.

What if they use that data maliciously or they are hit by a phishing scam such as the Coronavirus fake-map scam that infects devices with information-stealing malware?

You need to prepare – for anything.

Exits

  • Ensure HR and IT are on the same page.
  • Review non-disclosure agreements and security policies.
  • Retrieve company-issued devices.
  • Wipe corporate apps and data. 
  • Disable company email.
  • Revoke access to systems and applications. 
  • Change passwords to company accounts.
  • Monitor suspicious activity.

Crisis

  • Document your risks and assets.
  • Build and train an incident response team.
  • Create an incident report system.
  • Prepare an incident notification list.
  • Backup critical data.
  • Ensure incidents can be handled remotely. 
  • Practice incident response.

It’s getting tougher and tougher to stay ahead of threats, but a little planning will help you offboard employees with minimal risk and shorten the duration of any crisis.

Key Takeaway:

The rise in mobility and cloud computing creates favorable conditions for cyber attacks just as dynamic as the devices they attack. Your initial assessment is just the beginning. It’s part of an on-going strategy to understand your risks, educate your staff and plan your defense.

“For Health and Safety Reasons”, by Paul Noth, is licensed under CC BY 4.0

2. Implement a BYOD & remote access policy

In a short time, working from home (WFH) has grown from 5.2% of workers (in the U.S.) to most people working from home. This is meant to keep them safe from the Coronavirus outbreak. They know what to do; the internet is flooded with tips on personal hygiene.

  • Stay inside.
  • Wash your hands.
  • Don’t touch your face.
  • Sneeze into your elbow.
  • Wear a mask.
  • Keep your distance.

But what about cyber hygiene?

Most people are willing to change their habits and routines during this challenging time, but they aren’t willing to give up their personal devices. 61% of Gen Y and 50% of 30+ workers believe BYOD tools make them more productive.

This opens up a can of worms for employers and employees alike, warns QUT researcher Dr. Kenan Degirmenci. BYOD and, more broadly, mobile access to enterprise systems present unique security challenges that cannot be ignored.

“Organizations aren’t moving quickly enough on cybersecurity threats linked to the drive toward using personal mobile devices in the workplace.”

– Dr. Kenan Degirmenci, Researcher, QUT (Paraphrased)

The time to act is now. 

While the world is suffering from a public health crisis, you can prevent an organizational cyber crisis by laying out some ground rules. You don’t want to assume your employees are obtuse, but then again, you didn’t think you’d have to tell them to wash their hands either.

A BYOD and remote access policy can safeguard your company – and your employees – against mobile security threats. 

We suggest covering the following:

  • Allowable Devices & Applications
  • Mobile App Vetting & App Stores
  • Secure Configuration
  • Acceptable Use & Misuse
  • Authentication & Password Management 
  • Access Privileges & Permissions
  • Social Media & Email Safety
  • Browser & Web Application Security
  • Encryption & Secure Connection Methods 
  • Privacy, Compliance & Confidentiality
  • Separation of Personal & Corporate Data
  • Data Loss Prevention (DLP) Strategies
  • Security Patches & Software Updates

Your BYOD and remote access policy should cover a range of endpoint, network and cloud security guidelines – ranging from what might seem like common sense tips to technical configurations meant to reduce exposure to hackers.

“Whether an employee intends to or not, their device may introduce cyber threats to the network that are difficult to control, as the device is not managed.”

– Nilly Assia, CMO, Portnox

If you want to ensure your employees’ devices are compliant with your policies, a Mobile Device Management solution is worth trying. You might also benefit from a network visibility and control solution that quarantines devices that do not meet your mobile security requirements. No pun intended. 

Key Takeaway:

The sudden exodus of workers from offices to their homes – and in many cases from company-owned devices to BYOD – is a great time to create a mobile device policy and exercise a little control. That said: be realistic about what your IT department can handle, where you must turn over control to your employees, and how you can all work together to mitigate your risk.

Video: BYOD – bring your own device policy

3. Enroll devices in corporate MDM platform

Turning back the clock on BYOD and mobile access is simply not feasible – mobile and flexible access is here to stay.

A global report by MarketsandMarkets estimates the BYOD and enterprise mobile market will grow to $73 billion by 2021.

This was before the Covid-19 pandemic isolated workers in their homes. In this unprecedented situation, WFH employees present security challenges that, according to a poll of Threatpost readers, most organizations are unprepared for.

Your company can tamp down on the risks with Mobile Device Management (MDM) – which brings a range of mobile devices under organizational control – including laptops, tablets, smartphones – and even home IoT devices.

MDM is often part of a broader enterprise mobility suite (EMS), and there are many MDM vendors to choose from, such as:

All solutions have slightly different features, but most platforms allow you to:

  • Control Access
  • Manage Apps
  • Enforce Policy
  • Update Over-the-Air (OTA)
  • Troubleshoot Devices
  • Track Devices
  • Remote Wipe

MDM is essentially about control and insight – getting a grip on what a user can do with a device and what happens to corporate data on a device – while also understanding how devices are used to access corporate networks.

The best results are obtained with a thoughtfully considered MDM implementation – rather than simply putting in place an off the shelf MDM solution. 

Your MDM solution will be most successful if you:

Maximize self-service and autonomy. Employees enjoy the flexibility of BYOD. Avoid reducing that flexibility too much; it can backfire. Moreover, MDM that delivers user autonomy can reduce the strain on IT support staff by giving end users the ability to reset passwords, track lost devices, and so on.

Preserve end-user privacy. Your employees may be using their devices for a mix of personal and business use. While MDM can gain control over these devices, it should not be at the expense of user privacy – and you don’t want to find yourself in a legal battle over lost personal data.

Consider your policies. The out-of-the-box policies of most MDM platforms can provide a solid start, but don’t skimp on refining these policies for the purposes of your organization. MDM policies can be incredibly granular – twisting and shaping to match your organizational requirements.

Require updates. Across the board, your MDM strategy should involve frequent updating – refreshing the MDM software in use, ensuring that devices are running the latest OS – and also running the latest versions of apps. Doing so will minimize the security holes that are common with unpatched software.

Key Takeaway:

MDM is essential to mitigating the risks posed by BYOD and mobile devices, but watertight security requires a broader approach. Yes, MDM will give you the initial insight and control, but you must also practice mobile-first security thinking – considering how mobile and remote use benefits your employees as well as how it affects your security parameters.

Final Words

The way people work is changing and remote and mobile work is not going away. The challenges associated with mobile working and personal devices are unique and, in some ways, still being assessed. 

But your security partner can help you understand your risks and choose the best mobile device security solutions for your needs. Assessing your risks, implementing a BYOD and remote access policy and choosing an MDM solution is an excellent starting point. 

Need Mobile Security?

Schedule a live demo to see our products in action.

The 5 Human Elements Of Cybersecurity Every CSO Should Review

 

On one level, cybersecurity is all about electronics – securing machines, networks and so forth. But, even the most technologically advanced cyber attacks are driven by human motivation.

Humans motivate cyberattacks, and humans also, often unknowingly, facilitate cyberattacks. People are essential to mounting a defence as well  – as much as automated tools are a powerful barrier.

It’s no surprise, then, that the theme for the 2020 RSA Conference is set to be The Human Element. Leading up to the conference next week, we thought it worth reviewing five human elements that impact the way CSOs handle enterprise cybersecurity.

It may be the age of AI, but humans are still at the core of cybersecurity.

1. Human Perpetrators

CSOs must continuously assess where their technology estate is vulnerable. Part of a comprehensive assessment involves searching for motivation – theft, political expression, foreign interference, etc. The common thread, of course, is human needs and wants.

Why would individuals, or indeed groups of people, want to compromise your enterprise systems? Do they intend to gain financially, or do they intend to influence? Automated vulnerability assessment is crucial, but merely scanning a network only goes so far. 

Understanding the possible motivations behind attacks will give much broader insight into attack vectors and the vulnerabilities they depend on.

In contrast, not paying enough attention to the human motivation behind cyberattacks can put companies at risk: motivations and methods of attack can reach beyond the expected, and a company’s unique line of service, clientele or other stakeholders can point to cyber risks.

A key part of the CSO’s task is, therefore, to understand the possible range of motivations behind attacks – and this requires getting to grips with human nature.

2. IT Management Weaknesses

Weaknesses can start at the top. Even the best cybersecurity tools will fail in their goals if planned, implemented and managed poorly. Human actors initiate, manage and monitor cybersecurity programs and only the right – human – approach will result in comprehensive cybersecurity.

It is a cultural issue too, as management teams must instill a sense of good practice and a security-first approach in employees, from cybersecurity staff right through to people who contribute to the everyday activities of a company.

In fact, an argument can be made that in today’s threat environment cybersecurity is no longer the domain of IT leaders alone. Everyone at the board and C-level must engage, tackling cybersecurity not so much as an IT issue but indeed a business issue. 

Only by actively managing cybersecurity from the very top can organisations stay safe from cybersecurity risks, and this requires a deft human touch.

3. Human Fallibility

Human error is behind a surprisingly high proportion of cybersecurity breaches. Data from the Notifiable Data Breaches Scheme in Australia suggests that 67% of reported breaches were the result of human error, including compromised credentials.

Consider, for example, the increasingly powerful social engineering methods hackers use to bypass otherwise potent cybersecurity measures. Few users will still be fooled by a badly worded password reset email, but end users find it difficult to watch out for sophisticated, long-winded attacks that depend on extensive groundwork and clever methods of deception. 

The repercussions are serious: an FBI estimate found that business email compromise cost US companies $12.5B between 2013 and 2018. Another factor to consider is the increasing reliance on biometrics, and how easily biometrics can be compromised.

Sheer human error is, of course, another factor CSOs have to contend with – whether it’s errors made by cybersecurity staff or an end user who accidentally exposes company data. Particularly where budgets are tight and roles are shared – or indeed outsourced – the risk of human error grows.

Identifying and responding to these human points of failure is at the core of cybersecurity. CSOs can mitigate the risks with internal controls and prevention measures.

4. Mobility and BYOD

The where and when of IT can also pose unique cybersecurity risks – and here the human factor of device mobility and BYOD is a real wildcard. 

Where, and under what circumstances will end-users access corporate data? Which devices will they use, and what threat do these devices pose? 

From a mobility perspective, public and indeed fake Wi-Fi remains a big concern – but so do other risks posed by the location of a device: theft, for example, or unauthorised access when a user steps away from their personal device. Mobility has the net effect of establishing a corporate endpoint in a random location, and on a random network.

Bring your own device (BYOD) brings a different set of risks – which other apps will be installed on a device, and what risks do these apps pose? It’s an unknown and CSOs will find it difficult to lock personal devices down quite as much as they’d like to. Instead, CSOs must try to anticipate BYOD behavior as best they can.

The unpredictability of human behavior makes predicting mobility and BYOD risks tough and CSOs cannot afford to ignore the unique risks of personal devices – and unknown locations.

5. Rapidly Moving Technology

Finally, it is worth pointing out that technology is moving at a pace never seen before. In a hyperconnected age, threats are emerging more quickly than ever. Some of these threats can be guarded against through automation – AI-enabled cybersecurity tools that can halt brand new threats in their tracks.

However, in many cases, human cybersecurity experts remain the first responders. Expert security staff must analyze and respond to new threats, coming up with methods to defend organisational assets against even the most creative cybercrime efforts. Doing so is not easy, however, as humans grapple with the velocity of technology change.

It’s an incredible challenge that CSOs will continue to grapple with, and in some cases it may mean holding back technology adoption until the security risks can be thoroughly evaluated. That won’t, however, guard against hackers empowered by new technology, such as the ability to crack previously secure encryption algorithms.

CSOs must be aware that what they perceive as a stable state of cybersecurity can rapidly change.

So, how do CSOs account for the human factor of cybersecurity?

In the last section we hinted at one option – intelligent automation of cybersecurity, using security tools that turn cutting-edge technology against rogue actors. In some ways the machine-vs-machine approach can deliver excellent results: a blanket of protection.

That said, automation will only ensure so much in terms of effective cybersecurity. CSOs need to be cognizant of how humans behave in the technology world – both as rogue actors and as end users. Furthermore, CSOs need to watch what skills they recruit for – focusing on analytical, computer-engineering skills can skew defences towards automated solutions. In contrast, CSOs should recruit infosec staff that understand the human side of cybersecurity.

Take a minute to consider this: humans, not machines, are the biggest threats to your networks.

The Biggest Issue in Cybersecurity is Humans, Not Machines

As the RSA 2020 conference tackles the most challenging human elements of cybersecurity, you can rely on Beyond Security to give you the deep advice and automated tools that provide a comprehensive layer of protection – both against known vulnerabilities and against the unpredictable elements that the human factor brings to the table. 

Want to Learn More?

Schedule a live demo to see our products in action.

How to Protect Your Business from OT Security Threats

 

Cybersecurity threats are growing in size and prevalence – and the nature of cybersecurity is continuously shifting. In particular, operational technology (OT) such as industrial control systems – e.g. SCADA – is newly at risk. In this article we discuss why OT is so vulnerable, which vulnerabilities you should watch out for and what your company can do to protect against OT threats.

Why Operational Technology Puts Your Enterprise at Risk

Operational technology has typically consisted of siloed systems – hardcoded tools that were never exposed to other networks, never mind the internet. As a result, many long-standing cyber risks that affect information technology (IT) systems never posed much of a threat to OT.

Unfortunately, the OT security landscape is changing rapidly.

A broad and deep increase in enterprise system interconnectivity (effectively a convergence of IT and OT) alongside a profusion of connected devices deployed across OT now means that highly critical, core industrial operations are increasingly exposed to the outside world.

This has led to a range of prominent exploits in which hackers were able to manipulate OT for malicious purposes.

Examples include:

  • In December 2015, hackers attacked Ukraine’s power grid leaving 225,000 customers without an electricity supply. A post-mortem found a deeply co-ordinated attack that built up over six months – all starting with a malicious e-mail attachment.
  • August 2017 saw powerful malware called TRITON in action, this time at a petrochemical facility in Saudi Arabia, where hackers were able to compromise critical safety devices in the plant. Thankfully, a flaw in the TRITON code triggered an alarm before damage could be done.
  • Perhaps the most famous attack, in 2012 the Iranian nuclear program was compromised using Stuxnet, which wormed its way past Windows systems after a staff member inserted a USB drive. It allowed the attackers to modify systems so that a large number of expensive enrichment centrifuges became inoperable.

This is clear evidence that OT is now at risk, yet according to a 2019 Fortinet survey, only 9% of chief information security officers in large organizations actively oversee OT security. The same survey found that, for all intents and purposes, all ICS/SCADA vendors are affected.

Top OT Vulnerabilities to Watch

With the natural air gap around OT systems now gone, companies must take the same security approach to OT as they take to IT – identify vulnerabilities and shore up protection to ensure that vulnerabilities cannot be exploited.

In the case of operational technology, we think that the following six vulnerabilities must be understood and guarded against:

Lack of Visibility

Many OT technologies have been in place for decades. Without a concerted effort, your company may not know which devices and software it depends on. Furthermore, the profusion of IoT-like devices across industrial applications can be very difficult to track. Establishing something akin to a catalogue is key.

Network Complexity

Even with good visibility, companies can still struggle to assess the entire OT threat landscape because OT networks have become incredibly complex – with hundreds or even thousands of devices communicating across multiple networks, both wired and wireless. It’s worth taking a bird’s-eye view of network risk.

Legacy Systems

Your company’s OT can depend on legacy systems – think embedded Windows XP, or a vulnerable programmable logic controller. These systems may no longer be updated, enjoying no protection against new cyber threats. Action may be required to replace or at least ring-fence such systems.

IT/OT Convergence

Companies may have an invalid assessment of the OT threat landscape: the manner in which IT and OT have converged implies substantial changes in the cyber threats that industrial systems are exposed to. Organizations must adapt their OT security practices to keep up with the pace of change.

Human/Machine Interfaces (HMIs)

HMIs are often the most vulnerable components, arguably because the software that allows humans to control SCADA environments is code-heavy, providing myriad opportunities for malicious actors to inject code. As such, HMIs should be afforded particularly close scrutiny.

Physical Security

The threat landscape has expanded, but companies cannot ignore classic threats. In terms of OT, this has always meant ensuring control systems are physically secure from malicious actors. Think guards, surveillance and physical barriers.

Key Takeaway:

The above list is merely a top-level view of OT threats; the individual technical vulnerabilities of ICS and SCADA are simply too many to cover. It is clear, however, that action is needed.

Tips for Guarding Against OT Threats

So, what can companies do to protect against the risks posed by critical industrial and control systems? At Beyond Security we’ve helped countless organizations guard against OT risks.

Broadly, we think essential steps would include:

Obtain and Maintain Visibility

A company cannot protect what it doesn’t know exists, so a comprehensive inventory and frequent updates of this inventory are essential. OT asset management allows companies to ensure software and firmware updates are made frequently, while zero-day vulnerabilities can be more easily guarded against.

Segregate and Ring-Fence

Yes, OT needs connectivity to the outside world but companies can take measures to limit just how exposed OT is, and exactly how far OT integrates with IT. Put restrictions in place, and minimise the degree of communications wherever possible.

OT Vulnerability Scanning

Even with comprehensive visibility, some gaps may be left. Tools including fuzzing can help your company discover security loopholes and vulnerabilities that have slipped through the cracks; OT scanning is therefore an essential activity.

Find a Partner Vendor

Cybersecurity risks are broad and deep; simply put, comprehensive prevention and protection requires a security partner. Look for a vendor that understands OT and industrial security risks, as these are very different from typical IT cybersecurity risks.

Key Takeaway:

Companies should also keep an eye on at-risk suppliers who are frequently associated with successful attacks, log and monitor carefully to catch intruders and ensure that sufficient, qualified security staff are available to counter OT risks.

Conclusion: Inaction is the Biggest Risk

To wrap up, while the cybersecurity risks affecting operational technology have been widely known for some time, it appears that organizations have been relatively slow to respond. We’ve outlined some of the top areas in which OT poses a cybersecurity threat, but arguably the biggest threat lies in a lack of response.

Of course, mounting a response is a challenge. If your company is unsure about how to respond to OT cybersecurity risks, get in touch with Beyond Security. We will gladly help you find the OT security solution for your needs and advise on best approaches that will ensure ongoing, persistent defences against even the toughest of OT risks.

Want to Learn More?

Schedule a live demo to see our products in action.

In Vulnerability Assessment, Accuracy Is Vital

Testing for behavior vs version

The primary requirement for a Vulnerability Assessment solution is accurate testing. Ease of use and clear reports are important, but if accuracy isn’t there then little else matters. Poor accuracy in Vulnerability Assessment produces two kinds of testing error. Overlooking a vulnerability (a false negative) leaves a security flaw you don’t know about. Reporting a vulnerability as present when in fact none exists (false positive) sends you looking for something that can’t be found. Obviously you don’t want either. Clearly it’s important for a solution to find the vulnerabilities. But an inaccurate tool that misidentifies problems too often can be more trouble than it’s worth.

If the first 4 vulnerabilities reported by your solution didn’t actually exist upon close examination, it becomes pretty difficult to take the 5th vulnerability seriously. ‘Crying wolf’ creates complacency. A VA report that says there are dozens of serious security issues when there are really only 5 is more distraction than assistance. Also, how valuable is your time? Your security budget doesn’t get larger just because your VA system says there *may be* dozens or hundreds of vulnerabilities on your network. The hidden cost of an inaccurate VA system is the man-hours it takes to chase false positives, prove that they are false and check them off the list. The total cost of ownership of a VA system with a 5% false positive rate is doubled when the time to verify and eliminate false positives is included. Even a 2% error rate can be a headache.

Version analysis – not so good…

Nearly all VA solutions depend upon version checking as their primary method of assessing the relative vulnerability of network hardware or software. VA solutions typically look at the response header and from the version data there they deduce whether the hardware or software is vulnerable. If an old version is known to have 5 vulnerabilities and the header says that the old version is in use, then it is assumed that all 5 of those vulnerabilities exist and need to be fixed, even if they have already been resolved by configuration settings or back door updates that may have been done.

Version checking has many advantages for the vendor and one key disadvantage for the customer. It is easy to program and claim ‘45,000 tests’. Also, a version analysis scan that finds many old versions can produce a long and impressive list of vulnerabilities. This makes the solution look good.

The disadvantage: poor accuracy misses real problems and lists dozens if not hundreds of vulnerabilities that don’t actually exist. Version information contained in a header doesn’t reflect the presence or absence of a security issue with high accuracy.

Behavior analysis – proof that a vulnerability exists

The fundamental indicator of a real and present vulnerability is ‘unwanted response to a query’. Vulnerabilities can be exactly and accurately identified by how the host responds when given a special query.

beSECURE alone, in the field of Vulnerability Assessment solutions, specializes in using specially crafted queries and the resulting behavior of network components and web applications as its primary indicator of whether a vulnerability exists or not. This strategy requires a great deal more effort in the programming of vulnerability tests but produces so few false positives that most of our customers never experience one.

Why is Behavior Analysis in Vulnerability Assessment Better?

The version number reported in the header is only a general indicator of a possible vulnerability. It is not accurate enough for mission critical application in Vulnerability Assessment.

Examples of false negatives using headers:

  • The header can be hidden or suppressed
  • A firewall could be faking header information
  • An update changed the version number, but failed to install completely
  • A version update loaded, but the server never rebooted to complete installation

Examples of false positives using headers:

  • The vulnerable service, feature or function can be turned off
  • Configuration settings block the vulnerability
  • A workaround was established to avoid the vulnerability
  • A patch was applied that didn’t change the version number

Why is accuracy in VA so important?

False negatives are clearly a catastrophic failure in VA. All vendors recognize this and the broadly accepted solution is to declare every possible issue a vulnerability and let the network administrator try to prove otherwise. This and the race to have the most tests and report the most vulnerabilities has made the false positive endemic to Vulnerability Assessment.

A 5% false positive rate may not be a problem for small networks – depending upon what the admin’s time is worth. If there are 5 false positives in a network of 300 IPs, that may not seem like a big deal. But if all 5 are also flagged critical then it just doubled your work time chasing ghosts.

What if you have 1000 IPs with 50 high risk false positives? It may take weeks to sort out.

Example

Nearly all VA solutions depend primarily upon the version number to determine if an application is vulnerable. It therefore requires additional manual labor to verify that each problem actually exists and at least one VA company recommends that you buy and run an additional tool to do just that.

beSECURE doesn’t care what the application version number says. It automatically does the ‘manual labor’ needed to prove that the vulnerability exists.

A real life vulnerability test:

The SOAP interface to the eMBox module in Novell eDirectory 8.7.3.9 and earlier, and 8.8.x before 8.8.2, relies on poorly executed client-side authentication. This allows remote attackers to bypass authentication via requests for /SOAP URIs, and this can cause a denial of service (daemon shutdown) opportunity or allow arbitrary files to be read. NOTE: it was later reported that 8.7.3.10 (aka 8.7.3 SP10) is also affected.

How version-dependent VA tools test:

1) Check the version of eMBox. Is it 8.7.3.9 or earlier?

2) If yes, then report it as vulnerable

How beSECURE tests:

1) Confirm it’s an HttpStk server by sending it a request that triggers a pre-defined error page (basically an invalid HTTP request)

2) Then HTTP POST this to the server:
  <?xml version="1.0"?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header/>
   <SOAP-ENV:Body>
    <dispatch>
     <Action>novell.embox.connmgr.serverinfo</Action>
     <Object/>
     <Parameters/>
    </dispatch>
   </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>

3) If it returns:
  novell.embox.connmgr.serverinfo

  beSECURE knows it is talking to the right type of server

4) Send a followup request with:
  <?xml version="1.0"?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header/>
   <SOAP-ENV:Body>
    <dispatch>
     <Action>novell.embox.service.getServiceList</Action>
     <Object/>
     <Parameters>
      <params xmlns:EMR="emtoolsmgr.dtd">
       <EMR:NamesOnly>0</EMR:NamesOnly>
      </params>
     </Parameters>
    </dispatch>
   </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>

5) If it returns
  </EBX:XError>

  beSECURE knows it’s secure.

Any other response indicates the host is vulnerable regardless of what version number the header provides. The test itself makes no change to the host and doesn’t interfere with any other traffic.
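The following is an added example, not code from the page or from beSECURE: it contrasts the version-only verdict with the behaviour verdict for the eMBox check above, using only the markers the steps give (the Action name in step 3, the EBX:XError in step 5) and constructed hosts that mirror the header false-positive and false-negative cases listed earlier. The reply strings are constructed placeholders, not real eDirectory output, and no requests are sent.

```python
"""Version-based vs behaviour-based verdicts for the eMBox SOAP check
described above. Every host below is constructed for illustration; the
reply strings only carry the markers the text says the scanner looks for."""


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def version_verdict(version: str) -> bool:
    """What a version-dependent VA tool reports: vulnerable if the banner
    is 8.7.3.9 or earlier, or an 8.8.x release before 8.8.2 (thresholds
    taken from the advisory text quoted above)."""
    v = parse_version(version)
    if v[:2] == (8, 8):
        return v < (8, 8, 2)
    return v <= (8, 7, 3, 9)


def behavior_verdict(serverinfo_reply: str, servicelist_reply: str):
    """What the behaviour test reports, following steps 3 and 5 above.
    None  -> not an eMBox endpoint (step 3 failed): nothing to report
    False -> getServiceList was refused with an EBX:XError: secure
    True  -> any other reply: authentication was not enforced"""
    if "novell.embox.connmgr.serverinfo" not in serverinfo_reply:
        return None
    if "</EBX:XError>" in servicelist_reply:
        return False
    return True


# Constructed hosts: banner version, step-3 reply, step-5 reply.
SERVERINFO_OK = "<Response>novell.embox.connmgr.serverinfo</Response>"
XERROR = "<EBX:XError>not authenticated</EBX:XError>"
SERVICE_LIST = "<ServiceList><Service>ldap</Service></ServiceList>"
HOSTS = {
    # Old banner, but the fix was applied without bumping the version.
    "patched-old-banner":   ("8.7.3.9", SERVERINFO_OK, XERROR),
    # New banner, but the update never completed (no reboot).
    "updated-not-rebooted": ("8.8.2",   SERVERINFO_OK, SERVICE_LIST),
    # Old banner on something that is not eMBox at all.
    "not-embox":            ("8.7.3.9", "<html>404 Not Found</html>", XERROR),
    # Genuinely exposed host: both methods agree.
    "really-vulnerable":    ("8.7.3.9", SERVERINFO_OK, SERVICE_LIST),
}


def compare(hosts: dict) -> dict:
    """{host: (version_verdict, behavior_verdict)} for side-by-side review."""
    return {name: (version_verdict(ver), behavior_verdict(si, sl))
            for name, (ver, si, sl) in hosts.items()}


def disagreements(hosts: dict) -> dict:
    """Hosts where the version check would mislead an analyst: a false
    positive (version says vulnerable, behaviour says secure or not eMBox)
    or a false negative (version says fine, behaviour says vulnerable)."""
    out = {}
    for name, (v, b) in compare(hosts).items():
        if v and b is not True:
            out[name] = "false positive"
        elif not v and b is True:
            out[name] = "false negative"
    return out
```

Running `disagreements(HOSTS)` flags three of the four constructed hosts, which is the point of the page: only the genuinely exposed host gets the same answer from both approaches.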

Accurate VA Testing With beSECURE

Testing the behavior of hosts and applications is harder to program than just asking for the version number, but it results in accurate testing, conclusive and actionable reports and a dramatic reduction in the time it takes to clean up network vulnerabilities.

Guide: Vulnerability Management
The Backbone of a Zero Trust Strategy

This guide, Vulnerability Management: The Backbone of a Zero Trust Strategy, will explain the right cybersecurity environment that’s necessary for a vulnerability management zero trust strategy.

Vulnerability Management Tools

Why VM got a bad rap

The number of servers, desktops, laptops, phones and personal devices accessing network data is constantly growing. The number of applications in use grows nearly exponentially. And as known vulnerabilities grew in number, IT managers found that traditional vulnerability management tools could easily find more problems than could be fixed with their existing budgets.

One solution to the problem of having known, unfixed weaknesses on internal hosts has been to concentrate on building better walls around the network to keep attackers from accessing the weaknesses. Vulnerabilities have been addressed when and if there are resources available and sometimes never.

Other solutions are to either scan just the most important network resources, or to prioritize the vulnerabilities so that limited resources could be applied to fixing just those that were most likely to be attacked or be the source of data loss.

None of these solutions are working very well. Even random and unfocused attackers are routinely bypassing antivirus, firewall and IPS to find and exploit the vulnerabilities on secondary systems or hosts that were left unrepaired because they weren’t high risk. After gaining a foothold there hackers have then moved deeper into the network and walked away with the good stuff.

The vast majority of successful attacks are on the most well known, easily discovered and easily exploited vulnerabilities. Most attackers study up on a specific vulnerability then search broadly for any network that has that weakness and then they exploit it to gain access. From that beachhead they expand their control through the network and then look for the valuable data they can steal without being discovered.

Is the use of vulnerability management tools an art?

Vulnerability management tools fell from grace because they failed on two fronts. Their reports have been riddled with errors, and their vendors got into a race over who could find the most vulnerabilities. VM reports became so thick as to be unusable.

If pockets were deep and resources unlimited then every vulnerability found by a traditional vulnerability management tool could be validated and then fixed. In the real world nobody had that much time or money. And so the decade of building better walls was launched. It’s called the layered approach to security and it’s not working.

And now we are faced with running multiple, complex systems that overlap and disagree with each other and don’t seem to be keeping the attackers out.

It boils down to not having the right vulnerability management tool and not having the head count to do the real work needed. We propose that the solution is to revisit your vulnerability assessment tools, but this time focus on accuracy and usability.

“Closing the door.” – Dealing with known vulnerabilities

Almost all attacks are accomplished using known vulnerabilities. Even Stuxnet utilized a blend of known and 0-day vulnerabilities and would have been severely limited in its scope had there been no known and unresolved vulnerabilities in the networks it attacked. So, making sure that every server, every workstation and every device is up-to-date with the latest security patches is the solution to the out of control complexity of network security.

Unfortunately this is not so simple. Many organizations need to deal with thousands of network assets and small networks often have hundreds. Even if vulnerability management tools have been used to put every Microsoft patch in place, there are still devices and applications in your network from dozens of other vendors. Many are not good at patching problems rapidly. Moreover, most networks have accumulated applications and code that are no longer in production but are kept around, just in case. If these are not actively tested and patched or removed, then these offer an easy avenue for entry to your system.

A vulnerability management tool such as beSOURCE, the automated vulnerability detection system, automates this process by identifying all the known vulnerabilities in your network and prioritizing them based on the importance of the asset and the criticality level of the vulnerability. With vulnerability management you can gain certainty that your limited resources are being applied to the most serious network issues.

Vulnerability management tools & behavior analysis

You have limited resources and can’t afford to chase vulnerabilities that don’t exist or miss fixing something really important.

Most Vulnerability Management tools rely primarily on checking application banners to read the version number. They then assume that if version X is present, then all the vulnerabilities of version X are also present. This can be false for a number of reasons including ‘back-doored’ updates (common in Linux) or if server or application settings make access to the vulnerability impossible.

Most vulnerability management tools assume that if a host displays the most current version, then it is free of vulnerabilities. This too may not be the case as a patch may not have completely installed or a machine may not have rebooted, leaving the patches incomplete.

GUIDE: Vulnerability Management and Assessment Best Practices

Are you correctly implementing vulnerability management? Get the guide, 7 Best Practices for Vulnerability Assessment & Management and improve your vulnerability management strategy.