Five most common myths about web security
Almost 3 terabytes of data stolen in the Panama Gate scandal will shortly become searchable online. Mossack Fonseca, the breached legal firm behind one of the largest data leaks in the history, had numerous high-risk vulnerabilities in its front-end web applications, including its Client Information Portal. Actually, few hacking groups would spend money on expensive zero-days and complicated APTs, when the information can be easily stolen via insecure web applications. Moreover, even if your corporate website doesn’t contain a single byte of sensitive data, it’s still a perfect foothold to get into your corporate network.
Today many people, including cybersecurity professionals, underestimate the importance of web application security, focusing their attention rather on APT detection, enterprise immune systems and other activities applicable when it’s already "too late" to react to prevent the breach. A common-sense approach suggests that before installing expensive anti-burglar equipment and alarm in a house, the owner should first close the doors and the windows and probably build a fence around, otherwise you’re throwing money down the drain. Let’s have a look at five most common myths that exist today about web application security, leading to sensational data breaches, huge financial loses and CISO dismissals:
Protection of corporate crown jewels is more important than web apps
No, you cannot secure one part of your network and ignore another one. Information security shall be comprehensive and holistic: you shall analyze all threats, vulnerabilities and thus attack vectors in their integrity. Today, no cybercriminals will try to steal your crown jewels directly wherever they are [securely] stored.
Breaking in via your web applications in pair with spear phishing will probably be one of the cheapest, reliable and silent ways to get into your corporate network and bypass your defense-in-depth. When you perform a risk assessment -- think like a professional cybercriminal -- keep the costs and time spent [on the attack] as low as possible. When you are mapping attack vectors and vulnerabilities - the more external people that can join your brainstorming session, including law enforcement agencies and victims of data breaches from your industry - the better.
My web applications are secure -- I am PCI compliant
No, even if you have successfully passed your last PCI DSS compliance audit, it can never replace a holistic risk assessment and common-sense approach to security. Even with PCI DSS 3.2 that now requires to have a multi-factor authentication to access the Cardholder Data Environment (CDE), it does not mean that only the web applications within the CDE scope shall be properly protected. A vulnerable subdomain, spear-phishing and a $10,000 exploit-pack can lead to compromise of your technical team machines, opening any doors inside your company network, including the CDE scope (if victim’s machine is backdoored, even 2FA can be easily intercepted and compromised).
Automated vulnerability scanning is sufficient
No, unlike SSL testing for example, fully-automated vulnerability scanning is not enough for modern web applications. Recent research from NCC group compared various vulnerability scanners, and even the best of them had about 50 percent of false-positives. Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory confirmed that neither humans nor Artificial Intelligence has proven successful at maintaining cybersecurity on their own, and proposed a combination of human and machine to achieve the highest results. This is why the leading cybersecurity companies that used to rely on automation, now partner with companies that develop hybrid vulnerability detection technologies. Yes, you should automate as much as you can, but you cannot automate everything.
Penetration testing is the ultimate way to test web security
No, because penetration testing is not scalable and cannot be used in a 24/7 continuous mode. Even if you can afford monthly penetration testing, nobody can guarantee that within the 30-day period no zero-days will go public, or your web developers will not make a dangerous error in the code.
Penetration testing can perfectly complement your continuous monitoring, but it can never replace it. This is why MIT folks say that the future belongs to hybrid systems that combine 24/7 continuous monitoring leveraging machine-learning, but supervised and managed by humans.
WAF can reliably protect web infrastructure
No, even being a must-have technology to prevent simple and automated attacks,WAF cannot prevent exploitation of all the vulnerabilities. Application logic, access control, chained vulnerabilities, authentication and data encryption issues are not the vulnerabilities your WAF can reliably detect and prevent.
High-Tech Bridge performed a detailed research on ModSecurity WAF to demonstrate that some complicated flaws, such as Improper Access Control and CSRF, can be patched via WAF, however it will take so much time and manual efforts that it doesn’t make sense to use WAF for this purpose. Otherwise, in the epoch of agile and JIT software development, you always have to select -- either your WAF will block some of the legitimate customers and you will lose your money, or it will overlook some of the attacks allowing hackers to get in. And yes, currently fashionable RASP solutions have similar and even worse problems than WAFs.
Yan Borboën, partner at PwC Switzerland, MSc, CISA, CRISC, comments: "Cyber defense is not only a technological problem which needs to be solved by CISO. All companies’ stakeholders (Board of Directors, C-Levels) must be involved in the cyber defense in order to obtain the right mix between technologies, processes, and people measures. Moreover, in our PwC’s Global Economic Crime survey 2016, we noted that 63 percent of respondents have not a fully operational incident response plan, even we all know that in today’s business landscape, information security incidents are a question of "when", not "if". This would be also a myth that I would recommend companies to tackle. Incidents will happen at your company, so be prepared".
Five above-mentioned myths are busted with common-sense approach and pragmatic technical analysis. Remember about them when building your corporate cybersecurity strategy and you will avoid numerous pitfalls and problems later.
Ilia Kolochenko is CEO & Founder of High-Tech Bridge. He has a university degree with honors in Mathematics and Computer Science from Geneva, his city of origin. Ilia started his career as a penetration tester, he also was a security expert and team leader working for various financial institutions and large companies in Switzerland and abroad. At the end of 2007 he founded High-Tech Bridge, aiming to deliver efficient and effective penetration testing to companies of all sizes.