Understand SQL injection

by Mark Rowe

Understanding is key to keeping your data locked away, writes Phil Neray, VP of Enterprise Security Strategy, Veracode.

Earlier this year, a massive cyberattack by a Russian hacker ring shocked the world by demonstrating the incredible scale on which cybercriminals now operate. However, whilst now mostly forgotten by the media, the web application vulnerability exploited during this breach is still very much at large.

In what is widely considered to be the greatest data breach to date, the eastern European crime ring reportedly amassed 1.2 billion username and password combinations and more than 500 million email addresses from more than 420,000 separate websites. The same ring has recently been implicated in a breach of the JP Morgan Corporate Challenge website, which is used to manage a foot race sponsored by the bank. (The website is managed by a third-party vendor and isn’t connected to the bank’s internal network.)

Whilst the scope of the breach suggests a high level of sophistication, in reality the cyberattackers used one of the most common attack vectors – SQL injection (SQLi). SQLi attacks seek out insecure coding practices in standard web applications such as web portals, e-commerce software and content management systems (CMS). Despite being around for over a decade and regularly appearing on the OWASP Top 10 list, this vulnerability continues to expose enterprises to large-scale breaches and brand damage. In fact, web application attacks such as SQLi are the #1 attack vector for successful breaches, according to the Verizon Data Breach Investigations Report (DBIR).

Whilst SQLi breaches are not uncommon, the breach by the Russian hacker ring also demonstrated a brazen new method to maximise results. The group used a network of zombie computers already infected with their malware to do their bidding. The automated malware sought out SQLi vulnerabilities on every site visited by users of the infected computers. The vulnerability was then exploited by injecting SQL instructions into user input fields such as login forms, thereby causing back-end databases to reveal their contents. If the site proved to be vulnerable to this type of attack, it would then be highlighted and returned to later for exfiltration of the entire database contents.
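The login-form case described above, as an added illustration that is not part of the article: a constructed in-memory SQLite table, a login check that splices user input into the SQL text, and the same check written with bound parameters so the input can only ever be compared as data.

```python
import sqlite3

def make_db():
    # Constructed sample database for illustration: one user row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Untrusted input becomes part of the SQL statement itself, so a quote
    # character in the input changes the structure of the query.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, username, password):
    # Parameterised query: the driver passes the values separately from the
    # SQL text, so they are compared as data and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# Constructed sample of hostile input: an unbalanced quote plus a tautology.
HOSTILE_PASSWORD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # Vulnerable version: the WHERE clause now reads
    #   username = 'alice' AND password = '' OR '1'='1'
    # which is always true, so the check passes without the real password.
    print("vulnerable:", login_vulnerable(db, "alice", HOSTILE_PASSWORD))
    # Safe version: the same string is simply a password that does not match.
    print("safe:      ", login_safe(db, "alice", HOSTILE_PASSWORD))
```

Both functions behave identically on ordinary credentials; only the unsafe one can be steered by the shape of the input, which is exactly what SAST tools flag when they see string formatting feeding a query.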

Understanding the threat

British businesses have woken up to the threat of cybercrime. With 81 percent of large corporations and 60 percent of small businesses in the UK reporting a cyberbreach in 2013, businesses are feeling the sting of these breaches. But whilst most organisations understand that cybercrime and cyberespionage threaten their firms, many have yet to realise that traditional perimeter defences such as network firewalls and IDS/IPS systems (and even next-generation firewalls) aren’t sufficient to reduce application-layer risk.

Network-layer defences typically can’t prevent malicious application-layer traffic from targeting web applications. Nor will they distinguish malicious SQL commands from legitimate user input. The responsibility, therefore, falls to organisations to identify these application-layer vulnerabilities before they can be exploited by cyberattackers.

Finding SQLi vulnerabilities in applications is now relatively easy with automated assessment solutions. This can be accomplished either via static application security testing (SAST) or dynamic application security testing (DAST). But with organisations leaving nearly two-thirds of their web applications untested for common vulnerabilities such as SQLi, it becomes clearer how groups like the Russian hacker ring were able to infiltrate so many websites.

The greatest challenge in combatting SQLi is knowing where to look for these critical vulnerabilities. The growing use of mobile and cloud computing has significantly increased the attack surface for most organisations. This fast expansion has made it difficult for IT departments to keep track of all their web properties and, as a result, many businesses aren’t even aware of the sheer number of web applications they have in their corporate domains. This includes unknown sites acquired via M&A, cloud-hosted development sites and obscure sites developed by third-party vendors and marketing agencies.

What can businesses do to mitigate the risks?

Cyberattackers continue to improve their tactics at an alarming rate. They look for paths of least resistance, searching every nook and cranny of your application infrastructure to find weak spots such as SQLi. As a result, enterprises need to constantly assess all their web applications – whether developed in-house or by third-party developers – both before and after deploying them to production. Full visibility of the entire web application perimeter – including business-critical applications as well as less critical sites – is essential to preventing cybertheft of sensitive customer and corporate data.

This doesn’t have to be a long arduous task, nor does it require organisations to hire expensive consultants or slow down development cycles. Automated, cloud-based assessment solutions integrate tightly with agile development processes and nightly builds via APIs. You can also use massively parallel, auto-scaling cloud infrastructures to analyse thousands of production websites simultaneously, versus being limited to a single on-premises server that only scans a handful of applications simultaneously, as with first-generation approaches. And unlike with legacy network scanners, you can leverage a combination of advanced search techniques – such as DNS keyword searches, production-safe crawling, analysing page redirects and machine learning – to quickly identify unknown sites outside your corporate IP range (such as cloud-hosted sites). When working with organisations to reduce application-layer risk using these techniques, Veracode typically finds 40 percent more websites than they originally believed they had.

Make it continuous

Knowing the full scope of your web perimeter allows organisations to quickly determine which of their web applications are susceptible to common cyberthreats such as SQLi and Cross-Site Scripting (XSS). But ad-hoc testing once a year isn’t sufficient. Automated cloud-based solutions help maintain a secure web perimeter by continuously monitoring all of it. This ensures your organisation isn’t vulnerable to critical threats introduced by new or changed applications – or by newly-discovered vulnerabilities such as Heartbleed and Shellshock.

Be pragmatically ruthless

Organisations can rapidly reduce risk simply by shutting down “forgotten” or unpatched sites that are no longer required – it’s a quick win that immediately reduces your attack surface. Another way to rapidly mitigate risk is to integrate security intelligence from automated application security assessments into Web Application Firewalls (WAFs). This provides a “virtual patch” that immediately protects the organisation until the vulnerabilities can be remediated in the application code itself.

With the constant evolution of sophisticated cyberattacks by cybercriminals and nation-states, it’s impossible to create an infrastructure that is completely impenetrable. However, organisations have the ability – and the responsibility – to mitigate risk by understanding where the battle lines are drawn. Reducing web application perimeter risk by performing continuous security monitoring for all web applications – without slowing innovation – has become a best practice as well as a business imperative. With the advent of scalable and automated cloud-based solutions, it has now become a practical reality.

© 2024 Professional Security Magazine. All rights reserved.