Safeguarding your data and applications requires staying up to date on the latest threats. But not all successful hacks or malware infections are new threats. In fact, a large percentage of attacks on IT systems leverage previously known – even old—vulnerabilities that IT administrators forgot to patch or didn’t realize were there. And web applications are common targets.
A case in point is the well-publicized Equifax breach revealed in July. That attack exploited a known vulnerability in Apache Struts web application framework. Had Equifax’s IT team implemented the patch when it was released, they could have averted the embarrassing and expensive exposure of key personally identifiable information from as many 143 million consumers.
Web Application Security - Getting Started
Failure to install patches for web applications and servers within an operationally reasonable time is, unfortunately, a common problem. Uninformed IT managers might assume that a web site that’s not used for ecommerce doesn’t require the same vigilance as backend IT systems. But as Alert Logic’s Cybersecurity Evangelist Paul Fletcher notes, hackers can easily identify and exploit these openings in web apps to gain a foothold in an organization’s network. From there, they may be able to upload malware, run malicious code, and do reconnaissance for additional vulnerabilities in systems deeper within the client environment.
In Paul’s recent webcast on this topic he revealed that the top two types of web attacks are remote code execution (RCE) and SQL injections. RCE attacks make up nearly a quarter (or 23%) of all web application attacks, according to a 2017 survey by Alert Logic. Unpatched vulnerabilities make these attacks quite simple. In one recent example from September, researchers discovered a new, and critical, remote code execution vulnerability in Apache Struts web application framework that enables hackers to take over an affected server.
An even more common mode of attack is SQL injection, in which an attacker uses a web form to send a specially crafted SQL query to a web application database that tricks it into executing a malicious command. SQL injections are possible on any web site with a web form and a database, and according to Alert Logic’s recent survey, these account for 57% of all web application attacks. They can cause enormous damage, including altered data, voided transactions, spoofed identities or fully-revealed or destroyed system data. Despite being one of the most common types of web application attacks year after year, these vulnerabilities still exist widely.
Common Characteristics of Hacker Activity
Hackers sometimes go after a specific organization, like an Equifax, that has substantial valuable data or is a target of revenge. More often they crawl the internet and dark web searching for reports of web application vulnerabilities and then search for organizations that have those apps. Application bugs are widely discussed online, so there are plenty of sources for locating vulnerable apps. Alternatively, a hacker might do a “mass vulnerability crawl” across the internet looking for information on vulnerable servers. A hacker might enter a search string that identifies vulnerable web sites. In one search on Google, it took just a second to find over 3,000 servers with a specific vulnerability. Some of them may be patched quickly, but odds are that many will not.
Companies may reveal aspects of their specific IT systems via IT help wanted ads, employee titles on the web site, or even as part of website code. Hackers also have tools to crawl the targeted web site to discover software versions, .js files, and hidden forms. Some hackers manually go through web sites gathering domain information, web plugins and directory structures, and testing web forms to see what malicious commands they’ll accept.
Preventing Web Application Hacks
While having a website compromised because of attack may not seem like more than an irritant to companies that don’t rely on their sites for business, a web hack can become a significant problem if it provides access into backend systems. The recommended approach is to treat web security seriously and prevent hacking attempts in the first place. Here are a few options to get your started:
Secure your code. Incorporate security into your code and development process. Limit developer access privileges to database servers and other backend systems. Use encryption whenever possible. Also, consider adding small delays—just a few milliseconds—which can convince automated scanning tools that your system isn’t hackable. These tools often operate in a set response time and applications that respond more slowly don’t merit placement in the hacker’s list of vulnerable sites. Milliseconds are sufficient to trip up system scanners but not enough to affect the end user’s experience. Finally, religiously scan your code and plugins after every update.
Create access management policies. Strictly defined access management policies will limit the damage that can be done if an account is hacked. Take the time to define different user roles and responsibilities and provide the minimum privileges necessary for each role. If you can, avoid creating general user roles that include access to multiple systems. It may be easier handing out general access accounts, but it will make life miserable later if one of those accounts is seized. If you have seven web sites connecting to a database, you should also have seven different sets of access credentials so that, should one be compromised, the others are safe. If possible, audit access to IT systems on a monthly or quarterly basis.
Develop and religiously enforce patch management policies. Timely patching is crucial, as Equifax can attest. Create and maintain a regular patching schedule. Keep track of reported vulnerabilities from vendors and IT security forums, and compare them to your organization’s systems. You should also classify them by risk, as some will be more critical than others. Test patches before deploying them into the production environment, ensuring that the patches themselves have not been infected with malicious code.
Consider leveraging a managed security service provider. Most IT organizations need help checking off all of their security to-dos, and managed security providers are regularly updating and releasing new managed service options. The market is evolving rapidly, so even if you looked a month ago, it’s likely there are more, and better, security services available today.
Keep up-to-date on new vulnerabilities. Security management responsibilities include keeping up with the latest threats. While many hackers target old vulnerabilities, plenty of others are developing and using new exploits via the dark web. Some of the sites I leverage include:
To learn more about web application security, watch this on-demand webinar, Better Protect Your Web Apps by Knowing How They Will Be Attacked. As always, feel free to reach out directly with any questions or considerations.
Brian Anderson is Director of Security Product Management at TierPoint where he is responsible for the care and upkeep of the Managed Security services portfolio. Brian brings 20+ years of experience leading product management and engineering teams focused on building and delivering advanced Cybersecurity, Risk, and Threat Intelligence services on a global scale. While he is currently based in suburban Philadelphia, he’s never far from the InfoSec front lines.