Are you cyber-secure?

Skyrise Team Says
Skyrise
Published in
6 min readDec 22, 2017

There is always a lot of work with websites. You must take care of adding content, growing your audience and maintaining the site. But there is another, very important area you cannot miss. Did you know that 86% of websites contain at least one serious cybersecurity flaw? Different security incidents happen, and you could even have to close your business. To avoid this kind of situation, you should get familiar with some cybersecurity basics. You should know that even such powerful companies as Google or Facebook make serious mistakes. One day on Instagram you could remove a comment posted by Justin Bieber, and on another the sensitive personal information of 77 million users was stolen from Sony. Both companies are large and have security departments.

Should I really be afraid of being attacked?

Remember, for various reasons you are always a potential target, even if you don’t have 77 million users.

You should consider the following points:

  • your competition;
  • that one employee you fired last year;
  • someone curious;
  • criminals.

What are the potential attackers looking for?

  • information disclosure;
  • sabotage;
  • defacement;
  • a challenge or just making fun;
  • a botnet or crimeware deployment.

Your website most probably has leaks

Research by WhiteHat Security shows that about 86% of websites contain at least one serious cybersecurity issue. Information leaks from many web applications, and every second issue stays unresolved for at least a year. Over 50% of companies have no security department, or even a single employee who could take action on this sensitive issue. Well, if you don’t secure your systems, you are not part of those successful 14%.

System components

Let’s try to explain what a system is. It is not only the application, because there is always hardware too, plus other, additional components: the underlying operating system, IoT devices, the people at your company, other systems exchanging information with yours. A lot of it.

It seems that the most sensitive area is people. Of course every single part of the whole ecosystem has its own problems, but the one mentioned above is the most dangerous. It concerns every single person in the company: a developer or a QA engineer with a lack of security skills, a team with tight deadlines, a product owner with no cybersecurity awareness, an external library developer, even a manager, a lawyer or a CEO.

Known issues

The approach to security issues that many people have is strange. They treat them like “normal” bugs, which they obviously are not. Unfortunately you have to sacrifice some of your resources to make sure your systems are secure. But don’t expect any return. There is none. There only exists an unknown probability that someone will attack you and fail because of your improved security. It is the same thing as buying life insurance. So don’t wait, make the investment.

General attack structure

Below, in a few points, you can read how an attacker approaches your system.
There are four main parts of an attack.

1. Information gathering

First, an attacker collects information. They want to know everything about the target (your company). The attacker searches through social media, websites, documents, everything that can be found.

Tools include:

  • search engines: Google, DuckDuckGo, Baidu, Bing, Foundstone SiteDigger;
  • programs: nslookup, whois, host.

2. Scanning

With enough information, the attacker gets to know the system. This step is critical for the rest of the attack.

The points of interest are:

  • the server information (OS version, open ports, running applications);
  • the application information (libraries, their versions and known issues);
  • the application metafiles;
  • the network structure (other endpoints, especially ones with outdated software or test environments).

Tools include:

  • search engines like Google, DuckDuckGo, Baidu, Bing, Foundstone SiteDigger and Shodan.io;
  • scanners (nmap, OWASP Zed Attack Proxy, WebScarab);
  • bug databases (CVE Details, Exploit DB).

3. Exploitation

Once the attacker knows what the endpoints, applications and libraries are, they can use this knowledge to add to or change the system’s behaviour. This often requires the attacker to send modified packets or HTTP requests, as well as submitting malicious code (e.g. a query or JavaScript code) via forms or requests. There are of course lots of different techniques that apply to different situations.

The point here could be for instance:

  • to get a list of users and their sensitive data;
  • to create a trap for an administrator or other users;
  • to gain control over a server.

Tools include:

  • OWASP Zed Attack Proxy;
  • Metasploit;
  • own code and activities;
  • XSSer;
  • exploits (programs, code snippets) found on the Internet.

4. Damage

At this point, the attacker has everything they need to cause real damage. The attacker could, for instance, crack a user’s password and access and/or damage their data, remove information from the database, put some nasty content on the company’s main page, force your devices to join a botnet, and more.

What should I do?

The process of securing your company and/or products is very complex and consists of many levels. It is therefore beyond the scope of this article. I’ll give you, however, a brief summary of what can be done right now.

Most companies are aware of the consequences of insecure software, but the teams’ knowledge is usually fragmentary. Security monitoring often doesn’t exist, no policies or procedures are applied, and tests are conducted ad hoc. Wanna do better? Here are some rules you should follow when protecting a system:

1. Least Privilege Principle

This rule applies to users, processes and applications. They should own the minimal set of privileges that allows them to accomplish their goals. Watch out for default configurations too.

2. Defense in Depth Principle

This one was conceived by the NSA. Use more than one protection measure. For example, a common practice is to secure a local network and disable some of the authorization mechanisms inside it, so that e.g. a production website can connect to its database without any security check. But what if someone breaks into the network? Here comes the Defense in Depth Principle, saying that you should introduce an additional security measure for this database (e.g. require a user name and a password).
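The “database without any security check inside the network” setup above is, in PostgreSQL terms, a pg_hba.conf rule with the trust method. The following is an added example (not code from the original article or from Skyrise): it audits a constructed pg_hba.conf, flags rules that accept remote clients without authenticating them, and names the password-based replacement; the database and user names are made up.

```python
"""Audit a PostgreSQL pg_hba.conf for rules that skip authentication.

Added example, not from the original article. The 'trust' method lets any
client matching the rule in with no password or identity check, which is the
"no security check inside the LAN" situation Defense in Depth warns about.
"""
import ipaddress

# Constructed pg_hba.conf contents: a "trusted LAN" rule, its hardened
# counterpart, and a catastrophic Internet-wide rule (made-up names).
WEAK_HBA = """
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    shop      web   10.0.0.0/8     trust
host    shop      web   10.0.0.0/8     scram-sha-256
host    all       all   0.0.0.0/0      trust
"""

UNAUTHENTICATED = {"trust"}  # methods that perform no credential check


def parse_hba(text):
    """Yield (type, database, user, address, method) for each rule line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":              # local rules carry no address
            fields.insert(3, None)
        if len(fields) < 5:
            continue                          # malformed line, skip it
        yield tuple(fields[:5])


def find_unauthenticated_rules(text):
    """Return human-readable findings for remote rules that need no password."""
    findings = []
    for type_, db, user, addr, method in parse_hba(text):
        if type_ == "local" or method not in UNAUTHENTICATED:
            continue
        try:                                  # addr may be a CIDR, a hostname or "samenet"
            scope = "the whole Internet" if ipaddress.ip_network(addr, strict=False).prefixlen == 0 else addr
        except ValueError:
            scope = addr
        findings.append(f"{db}/{user}: '{method}' from {scope}; use scram-sha-256")
    return findings


if __name__ == "__main__":
    for finding in find_unauthenticated_rules(WEAK_HBA):
        print("WEAK:", finding)
```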

3. Minimization Principle

Use only the software your product actually requires to run. Old, abandoned FTP software could make you vulnerable, big time.

4. Compartmentalization Principle

Isolate your applications — use virtualization and different accounts when possible.

5. Segregation of Duties Principle

This rule applies to your development team. Think, for instance, about who should have access to your production keys.

6. Accountability Principle

Changes made to your system should be auditable. Log a lot!

7. Hardening your cybersecurity

A great way to improve system protection is to harden it. A hardening process is a set of rather small changes you have to make to your server configuration that improve its security. You can find more information here.

Summary

As Bruce Schneier once said, “security is a process, not a product”. This means that you cannot stop at a single security audit, application update or one set of penetration tests. It also means you cannot buy it. You have to implement it.

Make sure:

  • each person involved in product development, including the product owner, the business analyst and the project manager, is aware of the importance of cybersecurity;
  • your technical team has the appropriate knowledge required to develop a secure system (this often requires additional training);
  • there are people assigned responsibility for your system security.

On the technical side, the bare minimum you have to do is to:

In this article, we barely touched the tip of the iceberg that cybersecurity is. There are lots of topics out there: a security development lifecycle, all the attack and protection techniques, threat modeling.
