A Focus on Small-to-Mid-Sized Enterprises Plus Recommendations to Help Your Security Managers, Business Managers and Software Developers Improve Your Website Security
January 2013 Jeremiah Grossman Founder and CTO WhiteHat Security
WHITEPAPER
THE BIGGEST MYTH ABOUT WHO'S NOT AT RISK FOR WEBSITE ATTACKS
Since this whitepaper was published in December of 2011, you've probably seen headlines almost every day about new attacks against well-known commercial and industrial websites around the world. Actually, that's hardly news at all to companies in the business of providing Web security. What is new, however, is that so many of the attacks have been directed against small-to-medium-sized enterprises (SMEs). In fact, what we are now finding at WhiteHat is that hackers are focusing their attacks on SME websites, and that the SMEs under attack often believe in the same Top 5 Myths of Website Security that continue to plague the entire online industry. The main purpose of this whitepaper is to once again set the record straight: all commercial and industrial enterprises with a presence on the Web are now at risk of being attacked, with results that are often financially disastrous.

Typically, SMEs are identified as organizations whose annual revenues total less than $500MM. And while the financial losses due to a Web breach at an SME may appear on paper to be less significant than a massive loss such as a recent Fortune 500 company's loss of at least $1.5 billion, the impact on a small-to-medium-sized company can be even more devastating. As an example, in September of 2012, Bitfloor, the top US Bitcoin exchange, suffered a security breach resulting in the theft of Bitcoins worth over $250,000. And while the Fortune 500 loss mentioned above was 6,000 times larger than the Bitfloor theft, the much smaller Bitfloor breach almost put the company out of business.[1] And why was this breach of security able to nearly create a "Sorry, We're No Longer in Business" situation for Bitfloor? It happened because Bitfloor, as an SME, operates its entire business, including providing all of its customer service, via its Web applications. In fact, like Bitcoin, most SMEs conduct their business exclusively on the Web, and therefore must keep all of their applications secure 24/7.

A second instance of a mid-sized enterprise that was hacked occurred in May of 2012, when the hacker group UGNazi stole thousands of passwords and credit card details from billing and customer support provider WHMCS. The company markets itself as "an all-in-one client management, billing & support solution for online businesses. Handling everything from signup to termination, WHMCS is a powerful business automation tool that puts you firmly in control." The attackers tricked the company's hosting provider into releasing administrator credentials, which UGNazi then used to access WHMCS's database and steal over 500,000 hashed customer credit card numbers and passwords, usernames and support tickets. That data, as well as WHMCS's control panel and its website information, were dumped online in a 1.7 gigabyte cache. Then, UGNazi tweeted links to the cache using WHMCS's own Twitter account, which the attackers also hijacked.[2]
[1] http://thenextweb.com/insider/2012/09/28/after-250000-theft-bitcoin-exchange-bitfloor-reopens/
[2] http://www.esecurityplanet.com/hackers/whmcs-hacked.html
WHITEPAPER: TOP FIVE MYTHS OF WEBSITE SECURITY A FOCUS ON SMALL-TO-MID-SIZED ENTERPRISES | JANUARY 2013
INTRODUCTION
Hackers share a common characteristic with water: it is in both of their natures to follow the path of least resistance. Today the path of least resistance in the world of application security leads over SSL (Secure Sockets Layer), because there's nothing past the firewall to protect the website and all the information residing on it. This lack of protection beyond the firewall applies to websites of any size, regardless of the number of sites a company may be supporting. Here's a quick description of how hackers view their world and yours: using almost any browser and a few simple tricks, they can penetrate a website, access the credit card database, and steal critical customer information and even a company's intranet data without being detected and without leaving any trace.
APPLICATION SECURITY FORCES VS. INTERNATIONAL HACKERS: AN ONGOING BATTLE OF GOOD VS. EVIL
On the positive side, network firewalls and patch management are now standard practices at most SMEs, so their overall network perimeters have become increasingly secure. However, hackers have responded to this increased level of network security by focusing attacks on websites directly in order to stay one step ahead of the latest security techniques. Confirming this new method of attacking websites directly, the Gartner Group has reported that over 70% of cyber attacks are now occurring at the application layer. Even more alarming for SMEs, many of which have only the most basic Internet presence, is that WhiteHat Security now finds serious vulnerabilities on 8 of every 10 websites it assesses. Many of the website vulnerabilities we're currently discovering are well known, such as SQL Injection and Cross-Site Scripting. Less common methods of attack include Insufficient Authorization and Predictable Resource Location. What's for certain is that regardless of how familiar or unfamiliar a particular vulnerability you may be facing is, they all pose serious security risks to almost every website you have.

[Figure: a browser request to server.com/webapp.cfm?id+999 passing through the Web application to the back-end database]
1. Websites that use SSL are secure.
2. Websites protected by a firewall are safe from hackers.
3. The vulnerability scanner did not report any website security issues, so our sites are secure.
4. Website security is a developer problem.
5. We conduct annual security assessments on our websites, so they're secure.

Now let's examine each of these myths and discover whether there are facts to support them.

However, SSL has absolutely no impact on website security, nor on the manner in which a user's private information is safeguarded. That's because private data stored on a website is at risk at the server level, and not in the connection between the user and the site.
[Figure: the Web server (Apache / Microsoft IIS) and operating system (Windows / Linux / OS X) layers beneath the custom Web application]

However, because there are no well-known security issues present in custom-written Web code, even these newest network scanners miss all the vulnerabilities present on the Web application layer. Statistically, there are security issues present on just about every website; but these issues remain unidentified until someone looks specifically for them. Currently, there is no way to do a general or generic search for vulnerabilities in custom-written code. For the small percentage of organizations that run their websites using the same off-the-shelf software, finding or identifying security problems is less problematic. But with even most SMEs building their websites with custom code, what does this mean in regards to being secure from sophisticated attacks? Basically, any SME website requiring thorough security must consider these three facts:

Fact No. 1: Today's average Web application is woefully insecure.
Fact No. 2: No network vulnerability scanner can identify flaws other than those within its signature database.
Fact No. 3: Yes, most off-the-shelf vulnerability scanners will give most websites an "all clear" or thumbs-up report. But, typically within moments, a Security Technician in WhiteHat's Threat Research Center can directly query the back-end database and obtain customer credit card numbers from that supposedly vulnerability-free site. So much for the effectiveness of off-the-shelf scanners.
Clearly, you can never know whether the entire code base for a software project is unique, or whether one of your websites will still be safe and secure after code from different sources is combined and begins to interact. Also, you're certainly aware that as deadlines approach and it becomes necessary to rush projects, take shortcuts, etc., many errors are likely to occur in the code.

AS YOUR ENTERPRISE GROWS, SO DO YOUR SECURITY RISKS

Given how commonly the first four Myths described above are believed to be true, let's now imagine that two developers at the same company independently create two separate, secure software modules. The modules are consistently secure, in and of themselves. However, when they interact, they create serious security issues. Now, imagine multiplying this situation by intermingling tens of thousands, or hundreds of thousands, or even millions of lines of code. The chances of a business logic security loophole not occurring are probably zero. Of course, realistically, software will always have bugs. In any type of computing, we experience this as a matter-of-fact problem every day. And with security vulnerabilities basically just a different type of bug, training your developers to write secure code can make a significant improvement in code quality. However, training developers to write secure code does not necessarily mean the code they write will be secure. That's because there's currently no way to prove absolutely that software is secure and bug-free. Essentially, everyone who develops code makes mistakes, and some of those mistakes will remain buried and undiscovered, perhaps for years. And that's why business logic reviews must become a key component of any SME's Web application security strategy.
CONCLUSION
Whether you're in the process of developing your websites, or they're currently active and serving customers, it's essential that you evaluate your application security frequently. Following are some recommendations that we believe can help you get a good start on improving your website security:

Business Managers: We recommend that security reviews be performed each time you update one of your websites. That's because every new line of code is potentially a new security risk.

Security Professionals: Use your website vulnerability scanners in combination with a manual testing process. This mechanical / engineer pairing ensures a thorough search for and discovery of vulnerabilities throughout even the largest sites. Naturally, we recommend you consider WhiteHat Sentinel. This approach also allows website operators to focus their attention on tackling the logic issues that must be resolved, which is where their skills are most critically needed.

Software Developers: Never trust client-side input. It is the No. 1 cause of security vulnerabilities. That's because client-side code can give hundreds of millions of website visitors who you don't know direct access to your software. So the general rule is: if you receive any input that you did not expect to receive, never use it.

RESOURCES:
Web Application Security Consortium (WASC): A source of up-to-date web application security information: http://www.webappsec.org/
The Center for Internet Security: A best practices resource for platform security guidelines and utilities
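The "never trust client-side input" rule above, and the earlier point that a signature-based scanner cannot see a flaw in custom code that lets someone query the back-end database directly, both come down to the same handler pattern: a client-controlled query parameter such as the `id` in the diagram's `webapp.cfm?id+999` request. The following is an added example, not code from the whitepaper or from WhiteHat; it uses a constructed in-memory SQLite table and a hypothetical `customers` schema to show the insecure handler (string concatenation) beside the hardened one (reject unexpected input, then bind the value as a parameter).

```python
import re
import sqlite3

# Constructed sample data standing in for the customer table behind the
# diagram's "webapp.cfm?id+999" request (hypothetical schema, not WhiteHat's).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (998, "Alice Example", "1111"),
            (999, "Bob Example", "2222"),
            (1000, "Carol Example", "3333"),
        ],
    )
    return conn


def lookup_vulnerable(conn, id_param):
    """The anti-pattern: the raw client-supplied 'id' string is pasted into SQL.
    Whatever the visitor puts in the URL becomes part of the query, so a
    crafted value widens the WHERE clause and returns other customers' rows."""
    sql = "SELECT id, name FROM customers WHERE id = " + id_param
    return conn.execute(sql).fetchall()


class RejectedInput(ValueError):
    """Raised when the client sent something the handler did not expect."""


def parse_customer_id(id_param):
    """Validate the client-side 'id' against the only shape we expect:
    a plain decimal integer of 1 to 10 digits. Anything else is input we
    did not expect to receive, so it is refused rather than used."""
    if not re.fullmatch(r"[0-9]{1,10}", id_param):
        raise RejectedInput("id must be 1-10 decimal digits")
    return int(id_param)


def lookup_hardened(conn, id_param):
    """Validate first, then bind the value as a query parameter so the
    database driver never interprets it as SQL."""
    cid = parse_customer_id(id_param)
    return conn.execute(
        "SELECT id, name FROM customers WHERE id = ?", (cid,)
    ).fetchall()


def demo():
    """Run both handlers on a normal id and on a constructed unexpected value."""
    conn = make_db()
    normal = "999"
    unexpected = "999 OR 1=1"  # constructed: a value no legitimate link carries
    vulnerable_rows = len(lookup_vulnerable(conn, unexpected))
    try:
        lookup_hardened(conn, unexpected)
        hardened = "accepted"
    except RejectedInput:
        hardened = "rejected"
    return {
        "normal": lookup_hardened(conn, normal),
        "vulnerable_rows": vulnerable_rows,  # 3: every customer, not just 999
        "hardened": hardened,                # "rejected"
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist check is the part a scanner signature database cannot supply: it encodes what this particular handler expects, which only the people who wrote it know. Parameter binding is the second line of defence, so a value that slips past validation is still treated as data, not as SQL.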
Predictable Costs, Unlimited Assessments: WhiteHat Sentinel provides subscription-based website security solutions designed to fit any budget. Whether you run your application assessments once a week or once a month, your costs are always the same.

Full Integration Via Our Open XML API: An open API combined with industry-leading bug tracking, Security Information and Event Management (SIEM), and Web Application Firewall (WAF) products means you can share website security data across departments.

PCI Compliance: The patented methodology of WhiteHat Sentinel exceeds the strictest industry standards, as established by the PCI Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
Jeremiah Grossman is the Founder and Chief Technology Officer of WhiteHat Security, where he is responsible for Web security R&D and industry evangelism. Mr. Grossman has authored dozens of articles and whitepapers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense. His work has been featured in the Wall Street Journal, NY Times, USA Today, Washington Post, NBC News, and many other mainstream media outlets. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker at hundreds of international events including BlackHat Briefings, OWASP, RSA, ISSA, SANS, Microsoft's Blue Hat, and many others. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and was previously named one of InfoWorld's Top 25 CTOs. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!, where he was responsible for performing security reviews on hundreds of the company's websites.

Founded in 2001, and headquartered in Santa Clara, California, WhiteHat Security provides end-to-end solutions for Web security. The company's cloud technology platform and teams of expert security engineers turn verified security intelligence into actionable insights for customers. Through a combination of core products and strategic partnerships, WhiteHat Security provides complete Web security at a scale unmatched in the industry. WhiteHat Sentinel, the company's flagship product line, currently manages thousands of websites, including sites of leading companies in the most regulated industries, such as top e-commerce, finance and healthcare organizations.
WhiteHat Security, Inc. | 3970 Freedom Circle | Santa Clara, CA 95054 408.343.8300 | www.whitehatsec.com Copyright 2013 WhiteHat Security, Inc. Product names or brands used in this publication are for identification purposes only and may be trademarks of their respective companies.