[BreachExchange] Five most common myths about Web security

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 5 20:30:47 EDT 2016


http://www.csoonline.com/article/3064681/application-development/five-most-common-myths-about-web-security.html

Almost 3 terabytes of data stolen in the Panama Gate scandal will shortly
become searchable online. Mossack Fonseca, the breached legal firm behind
one of the largest data leaks in history, had numerous high-risk
vulnerabilities in its front-end web applications, including its Client
Information Portal. In practice, few hacking groups would spend money on
expensive zero-days and complicated APTs when the information can be
easily stolen via insecure web applications. Moreover, even if your
corporate website doesn’t contain a single byte of sensitive data, it’s
still a perfect foothold to get into your corporate network.


Today many people, including cybersecurity professionals, underestimate the
importance of web application security, focusing instead on APT detection,
enterprise immune systems and other activities that only apply when it’s
already “too late” to react and prevent the breach. A common-sense
approach suggests that before installing expensive anti-burglar equipment
and an alarm in a house, the owner should first close the doors and the
windows and probably build a fence around it; otherwise you’re throwing
money down the drain. Let’s have a look at the five most common myths that
exist today about web application security, leading to sensational data
breaches, huge financial losses and CISO dismissals:

Protection of corporate crown jewels is more important than web apps

No, you cannot secure one part of your network and ignore another.
Information security must be comprehensive and holistic: you must analyze
all threats, vulnerabilities and the resulting attack vectors together.
Today, no cybercriminal will try to steal your crown jewels directly from
wherever they are [securely] stored.

Breaking in via your web applications, paired with spear phishing, will
probably be one of the cheapest, most reliable and quietest ways to get into
your corporate network and bypass your defense-in-depth. When you perform a
risk assessment, think like a professional cybercriminal: keep the cost and
time spent [on the attack] as low as possible. When you are mapping attack
vectors and vulnerabilities, the more external people who can join your
brainstorming session, including law enforcement agencies and victims of
data breaches from your industry, the better.

My web applications are secure – I am PCI compliant

No, even if you have successfully passed your last PCI DSS compliance
audit, it can never replace a holistic risk assessment and a common-sense
approach to security. Even though PCI DSS 3.2 now requires multi-factor
authentication to access the Cardholder Data Environment (CDE), this does
not mean that only the web applications within the CDE scope need to be
properly protected. A vulnerable subdomain, spear phishing and a $10,000
exploit pack can lead to the compromise of your technical team’s machines,
opening any door inside your company network, including the CDE scope (if
the victim’s machine is backdoored, even 2FA can be easily intercepted and
compromised).

Automated vulnerability scanning is sufficient

No, unlike SSL testing for example, fully automated vulnerability scanning
is not enough for modern web applications. Recent research from NCC Group
compared various vulnerability scanners, and even the best of them had
about 50 percent false positives. Researchers from MIT’s Computer Science
and Artificial Intelligence Laboratory confirmed that neither humans nor
artificial intelligence has proven successful at maintaining cybersecurity
on their own, and proposed a combination of human and machine to achieve
the best results. This is why the leading cybersecurity companies that used
to rely on automation now partner with companies that develop hybrid
vulnerability detection technologies. Yes, you should automate as much as
you can, but you cannot automate everything.

Penetration testing is the ultimate way to test web security

No, because penetration testing is not scalable and cannot be run in a
24/7 continuous mode. Even if you can afford monthly penetration testing,
nobody can guarantee that within that 30-day period no zero-days will go
public, or that your web developers will not make a dangerous error in the
code.

Penetration testing can perfectly complement your continuous monitoring,
but it can never replace it. This is why the MIT folks say that the future
belongs to hybrid systems that combine 24/7 continuous monitoring
leveraging machine learning, supervised and managed by humans.

WAF can reliably protect web infrastructure

No, even though it is a must-have technology for preventing simple and
automated attacks, a WAF cannot prevent exploitation of every vulnerability.
Application logic, access control, chained vulnerabilities, authentication
and data encryption issues are not the kind of vulnerabilities your WAF can
reliably detect and prevent.

High-Tech Bridge performed detailed research on the ModSecurity WAF to
demonstrate that some complicated flaws, such as Improper Access Control
and CSRF, can be patched via a WAF; however, it takes so much time and
manual effort that using a WAF for this purpose doesn’t make sense.
Otherwise, in the epoch of agile and JIT software development, you always
have to choose: either your WAF blocks some of your legitimate customers
and you lose money, or it overlooks some of the attacks and lets hackers
in. And yes, the currently fashionable RASP solutions have similar and
even worse problems than WAFs.

Yan Borboën, partner at PwC Switzerland, MSc, CISA, CRISC, comments: “Cyber
defense is not only a technological problem which needs to be solved by the
CISO. All companies’ stakeholders (Board of Directors, C-Levels) must be
involved in the cyber defense in order to obtain the right mix between
technologies, processes, and people measures. Moreover, in our PwC Global
Economic Crime Survey 2016, we noted that 63% of respondents do not have a
fully operational incident response plan, even though we all know that in
today’s business landscape, information security incidents are a question
of “when”, not “if”. This would also be a myth that I would recommend
companies to tackle. Incidents will happen at your company, so be prepared.”

The five above-mentioned myths are busted with a common-sense approach and
pragmatic technical analysis. Keep them in mind when building your
corporate cybersecurity strategy and you will avoid numerous pitfalls and
problems later.