BreachExchange mailing list archives

Five reasons why hackers easily get in


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 27 Nov 2015 13:29:58 -0700

http://www.csoonline.com/article/3007579/application-security/five-reasons-why-hackers-easily-get-in.html

There are many ways hackers can get at your Web site and data, but in many
of the most recent major data breaches the common weak link has been
vulnerable web applications. Despite that, many companies still
underestimate the importance of web application security in their
cybersecurity and risk management strategy.

According to PwC’s Global State of Information Security Survey 2016, in
2015 companies detected 38 percent more security incidents than in 2014.
Risk Based Security's Q3 2015 Data Breach Report
(https://www.riskbasedsecurity.com/2015/11/q3-2015-data-breach-quickview-report-a-record-breaking-year-in-the-making/)
highlights a 29 percent increase in the number of incidents reported
compared to last year, and a 40 percent increase in the number of incidents
exposing 1 million or more records.

Today, the vast majority of Advanced Persistent Threats (APT) gain their
first foothold inside target companies by sending a few emails. Ten years
ago, many people would easily click on any link from an email or open an
exe file from an attachment. Today users are much better educated, and this
is why modern APTs start with your corporate website, even if it has no
sensitive information and it is hosted on the other side of the world.

Instead of sending you a link to a phishing domain (e.g. one with a typo), or
to a newly registered website in a shady TLD zone that your corporate email
gateway will quite probably block on the fly, attackers would rather send you
a link to… your own website.

First of all, hackers will compromise your corporate website or one of your
web applications (e.g. subdomain or different domain your company owns). As
many companies still believe that their websites do not deserve more
sophisticated protection than automated vulnerability scanning and a WAF,
attackers will probably get in within a couple of hours or even quicker.

Once your website is under their control, attackers will create a
legitimate-looking page on it that resembles any other page on your website,
with similar content, leaving you none the wiser when you visit the
page. Attackers will host a recent exploit pack on the page, the most
expensive of which would cost them just a few thousand dollars on the black
market. Hackers do not even need expensive zero-days: a Verizon report says
that 99.9 percent of exploited vulnerabilities in 2014 were publicly
disclosed more than a year prior to exploitation.

Finally, an email will come from a legitimate-looking email address on a
legitimate domain, from a person you may have briefly met in the past, and
will contain a link to your own [authentic] website, which is quite probably
whitelisted in your corporate IPS/IDS. The content of the email will be
relevant enough to encourage you to click the link in nine out of 10
cases. Once clicked, one of the recent vulnerabilities in your browser, its
plugins or components (e.g. Flash) will be exploited to execute arbitrary
code - quite probably successfully. Now your machine is under the
attacker’s control. A local privilege escalation exploit will help to gain
local admin rights, and the intrusion will spread to all available machines
and hosts in the same segment of your local network (if your network is
segmented, of course).
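One defender-side check against the step above, where an attacker plants a convincing extra page on an already-compromised site, is a file-integrity baseline of the web root that is rebuilt and compared on a schedule. This is an added example, not code from the article; the web root, page names and "tampering" are constructed inline.

```python
# Added example (not from the article): baseline-and-diff integrity check
# for a web root, to surface pages that were added or altered out of band.
import hashlib
import os
import tempfile


def build_manifest(web_root):
    """Map every file under web_root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(web_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return (added, modified, removed) paths; anything non-empty needs review."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def write_page(root, rel, text):
    """Helper for the constructed scenario: write one page under root."""
    with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: deploy two pages, baseline them, then simulate
    an attacker adding a look-alike page and tampering with an existing one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "news"), exist_ok=True)
        write_page(root, "index.html", "<h1>Corp</h1>")
        write_page(root, "news/q3.html", "<h1>Q3 results</h1>")
        baseline = build_manifest(root)  # taken right after a known-good deploy
        # Simulated unauthorised change (constructed, nothing malicious here):
        write_page(root, "news/q4-preview.html", "<h1>Q4 preview</h1>")
        write_page(root, "index.html", "<h1>Corp</h1><!-- tampered -->")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())  # (['news/q4-preview.html'], ['index.html'], [])
```

In practice the baseline is regenerated from the deployment pipeline on every release, and any difference outside a release window is an alert, not a log line.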


Further intrusion to your corporate network will be quite probably quick
and easy, as internal penetration testing is often considered “useless” or
economically unjustified – fair enough, but only if you don’t let attackers
get into your network from the outside, and have properly implemented patch
management (including patches for third-party software), access control and
user segregation.

But let’s come back to the entry point of the attack: an insecure web
application. Here are the five most common reasons why almost any website or
web application today can be so easily compromised:

1. Underestimation of risks and threats related to insecure web applications

Many large companies and international organizations still seriously
underestimate the value of their web applications, and treat their security
as the lowest priority in their risk management. And I am not even speaking
about complicated SSRF or application logic flaws, but about at least
proper detection and remediation of OWASP Top Ten vulnerabilities. As we
can see from the beginning of this article, companies just don’t realize
that a vulnerable website is a perfect vector to start an APT without
spending much money on it.

2. Lack of continuous monitoring

Web technologies are constantly evolving, and what is secure today may
become vulnerable tonight. Therefore, a quarterly scan and annual pen test
to achieve PCI DSS compliance is not enough anymore to stay ahead of
hackers. Many companies do not perceive web application security as a
continuous process, but rather as a one-time audit, putting their web
infrastructure and related back-end at critical risk.

3. Missing or poorly-implemented Secure Software Development Life Cycle
(S-SDLC)

In spite of a plethora of guidelines and standards of secure software
development in existence today, many companies still ignore them due to
high complexity or expense of implementation. The situation is even worse
in companies where software development teams have existed for years – as
any change to well-established [but insecure] procedures will be met with
hostility, as nobody wants to spend additional time on software security if
not paid additionally for it.

4. Dominance of business needs over security processes

Data breaches via insecure web applications regularly occur even in
companies where S-SDLC is mature and well integrated into the company’s daily
business processes. The consequences of the financial crisis of 2009 are
still here – many companies suffer from sluggish demand and very tough global
competition. Often the business requires a new feature to be done in a few
hours on Friday evening to outperform a competitor – of course, we can forget
about security when such pressure occurs. Nevertheless, it’s the business
that pays the salaries of developers and infosec folks, and it’s always the
business that has the last word. However, it's also the business that shall
be ready to take responsibility for a new data breach and its related costs.

5. Ignorance of third-party risks

Many companies are starting to introduce thorough security and compliance
guidelines for their third-party suppliers and partners, but they often
fail to cover proper web application security in them. As a result,
attackers can compromise the website of your long-time supplier, consultant
or partner, and instead of hosting malware on your website they host it
on a trusted party's website, achieving the same result in the end.

Jan Schreuder, partner, cybersecurity leader from PwC Switzerland, says:
"Recently we've seen many organizations attacked through sophisticated
cyber attacks on their supply chain partners. With global supply chains
becoming more and more digital and interconnected, establishing trust in
your supply chain is becoming more challenging all the time."

Just as paying for a nicotine patch is much cheaper and less dramatic than
spending a six-digit amount on cancer treatment, spending on preventive web
application security is much more cost-effective and less painful than
paying for APT forensics. Therefore, if you are currently finalizing your
cybersecurity budget for 2016 – don’t forget about proper web application
security, not just vulnerability scanning.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/