Modern Web Apps: Not The Risk They Used To Be (They’re Worse!)

Even a tiny Web application without a single byte of confidential data can expose your corporate crown jewels to cybercriminals.

Ilia Kolochenko, Partner, Platt Law

February 26, 2016


The role of a cybersecurity team is to properly implement, maintain, and monitor the efficiency and effectiveness of security controls designed to mitigate security risks defined by management. But within organizations there is always a certain amount of permissible risk: the so-called residual risk, which ISACA defines as the risk that remains even after implementing a risk response. These are the risks that companies agree to tolerate because of their low level of impact or probability.

Today many large companies seriously underestimate the risks of vulnerable Web applications and move them into the residual risks group, or in the best case, mitigate only the most critical threats for the most sensitive Web apps. In reality, any insecure Web application is a universal armor-piercer of your corporate defense.

What’s the easiest way to conduct an APT today? Compromise the victim’s website, place an exploit pack on a specific page, and send spear-phishing emails to a few employees. In the vast majority of organizations, the corporate website will be whitelisted on many internal security systems, the employees will blindly trust their own website, and then bravely click on the link. Once clicked – the attackers are in your network. There is no need to purchase a one-million-dollar iOS exploit when you have an insecure Web application and much less expensive Adobe Flash zero-days. Moreover, many companies still fail to update their internal users in a timely manner, and hackers may break in even with a private exploit for a public vulnerability, costing just a few thousand dollars on the Dark Web.

Let’s take a look at a few recent cases that led to costly consequences when companies underestimated the risk of compromised Web applications.

Even a single web app can cause serious reputational harm

The hacking of a small Swiss bank last year serves as an unfortunate example of the dangers of underestimating the risks of insecure Web applications. One of the bank’s “insignificant” Web applications was hacked by cybercriminals demanding a ransom. When the bank refused the ransom, cybercriminals published personal data stolen from the website. Even though the majority of the exposed personal records were not from bank customers, the incident made headlines in both international and local media, causing significant reputational damage due to one tiny Web application on a forgotten subdomain.

RBAC, 2FA & change control may not save you

A firsthand example I witnessed recently involved a private European clinic, which discovered a large amount of money sent to a forged bank account. Security controls included two-factor authentication (2FA) for external access to the corporate web-based ERP system with RBAC (Role Based Access Control), change control and monitoring. Yet, criminals successfully exploited a zero-day RCE [via local file inclusion] vulnerability in the ERP, located in the area accessible to non-authenticated users.

The hackers gained access to the funds by changing several bank account numbers stored in the RFP financial Wiki, designed for part-time and newly-hired accountants. Because it was a direct modification in the database, change control, implemented on the application level, didn’t trigger any alert. This type of vulnerability (unlike more complicated ones) could have been easily mitigated by a WAF they considered “useless” due to the above-mentioned security controls already in place.
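The gap described above, where change control lives only in the application and a direct database write goes unnoticed, can be shown with a database-level audit trigger. This is an added example, not taken from the incident or the article; the table names, column names and account values are hypothetical, and SQLite stands in for the ERP database.

```python
import sqlite3

SCHEMA = """
CREATE TABLE payee (id INTEGER PRIMARY KEY, name TEXT, account_no TEXT);
-- Written only by the application's change-control layer.
CREATE TABLE app_change_log (payee_id INTEGER, new_account_no TEXT, approved_by TEXT);
-- Written by the database itself on every change, whatever the source.
CREATE TABLE db_audit (payee_id INTEGER, old_account_no TEXT, new_account_no TEXT);
CREATE TRIGGER payee_account_audit AFTER UPDATE OF account_no ON payee
BEGIN
    INSERT INTO db_audit VALUES (OLD.id, OLD.account_no, NEW.account_no);
END;
"""

def app_update(db, payee_id, account_no, approver):
    """Change made through the application: recorded by change control."""
    db.execute("INSERT INTO app_change_log VALUES (?, ?, ?)",
               (payee_id, account_no, approver))
    db.execute("UPDATE payee SET account_no = ? WHERE id = ?",
               (account_no, payee_id))

def unapproved_changes(db):
    """Audit rows that have no matching application-level change record."""
    return db.execute("""
        SELECT a.payee_id, a.old_account_no, a.new_account_no
        FROM db_audit a
        LEFT JOIN app_change_log c
          ON c.payee_id = a.payee_id AND c.new_account_no = a.new_account_no
        WHERE c.payee_id IS NULL
        ORDER BY a.rowid""").fetchall()

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample data.
    db.executemany("INSERT INTO payee VALUES (?, ?, ?)",
                   [(1, "Supplier A", "ACCT-0001"), (2, "Supplier B", "ACCT-0002")])
    app_update(db, 1, "ACCT-0101", "finance-lead")  # goes through change control
    # Direct write to the table: no application code runs, so no app-level alert.
    db.execute("UPDATE payee SET account_no = 'ACCT-9999' WHERE id = 2")
    return unapproved_changes(db)

if __name__ == "__main__":
    for row in demo():
        print("unapproved change:", row)
```

In a production database the audit table should be writable only by the trigger's owner and shipped off-host, so that the account used for the direct write cannot also erase the record.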

Segregated secure storage may let you down

In another case, one financial institution my colleagues worked with in the past decided to minimize costs by splitting their Web applications into sensitive and non-sensitive categories. Sensitive apps processed, stored or accepted client-related data, while non-sensitive apps were mainly designed for marketing purposes. Applications were hosted in different physical locations: a secure in-house data center and rented virtual private servers, respectively.

As you might expect, great attention was given to the sensitive apps, while the others were practically abandoned after their average lifecycle of less than a year (for example, a website dedicated to music festival sponsorship). Web developers were using an external backup service to host the code for all web applications under isolated accounts.

Once, one of the developers was debugging the backup for a non-sensitive Web application designed for a charity project. He tried to connect to the backup server with another account of a sensitive Web application. After the backup was finally working, credentials for the sensitive app were left [commented] in the configuration file. A few weeks later, the charity Web application was hacked via a new WordPress vulnerability. Attackers managed to get access to all the files (including the backup config), connect to the backup of the sensitive Web application and extract all source code and hardcoded database credentials.
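A check that would have caught the leftover in this case is a scan of deployed configuration files for commented-out lines that still carry a secret value. This is an added example, not code from the article or the institution involved; the key-name heuristics, placeholder list and sample config (host, users, password) are all constructed.

```python
import re

# Comment markers commonly used in config files (#, ;, //, --).
COMMENTED = re.compile(r"^\s*(?:#|;|//|--)\s*(?P<body>.+)$")
# key = value or key: value, where the key name suggests a secret (heuristic).
ASSIGNMENT = re.compile(
    r"(?P<key>[\w.-]*(?:pass(?:word|wd)?|secret|token|api[_-]?key)[\w.-]*)"
    r"\s*[:=]\s*[\"']?(?P<value>[^\"'\s#;]+)", re.IGNORECASE)
# Values that are obviously not real secrets.
PLACEHOLDERS = {"changeme", "xxx", "none", "null", "<password>", "..."}

def find_commented_credentials(text):
    """Return (line_number, key) for commented-out lines that still hold a value."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        comment = COMMENTED.match(line)
        if not comment:
            continue  # live settings are a separate check; this targets leftovers
        hit = ASSIGNMENT.search(comment.group("body"))
        if hit and hit.group("value").lower() not in PLACEHOLDERS:
            findings.append((number, hit.group("key")))
    return findings

# Constructed sample: backup client config of a non-sensitive site in which a
# developer left another application's credentials behind after debugging.
SAMPLE_CONFIG = """\
[backup]
host = backup.example.net
user = charity-site
password = ${BACKUP_PASSWORD}
# debugging, remove later:
# user = payments-portal
# password = Tr0ub4dor-constructed
; api_key = changeme
"""

if __name__ == "__main__":
    for number, key in find_commented_credentials(SAMPLE_CONFIG):
        print(f"line {number}: commented-out value for '{key}'")
```

Any credential such a scan finds should be rotated, since removing the comment does not undo earlier exposure.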

These simple but painful examples are proof positive that even a tiny Web application, with not a single byte of confidential data, may open access to your crown jewels. Companies need to maintain an up-to-date inventory of all their websites and Web applications, and pay close attention to the security of every Web application that is accessible externally. A good place to start is with ISACA’s 10 Important DevOps Controls, and apply the most appropriate ones, such as regular vulnerability scanning, WAF and continuous monitoring, on every externally accessible Web application.

About the Author

Ilia Kolochenko

Partner, Platt Law

Dr. Ilia Kolochenko is a Swiss expert in cybersecurity, cybercrime investigation, and cyber law. He is also a lawyer admitted to the DC Bar in Washington, DC. His legal practice is mainly focused on data protection, privacy, and cybersecurity law. Dr. Ilia Kolochenko currently serves as a Chief Architect and CEO at ImmuniWeb, a global application security company headquartered in Geneva, Switzerland. He is also a Partner & Cybersecurity Practice Lead at a US law firm with offices in New York and Washington. As part of his academic activities, Dr. Kolochenko is an Adjunct Professor of Cybersecurity Practice & Cyber Law at Capitol Technology University in Maryland, and a Faculty Member at the DC Bar Continuous Legal Education (CLE) Program, where he teaches a cybersecurity and privacy course for lawyers and other legal and judicial professionals.

Dr. Ilia Kolochenko has an LL.M. (Master of Laws) degree in Information Technology Law from the University of Edinburgh Law School, an M.Sc. in Criminal Justice (Cybercrime Investigations & Cybersecurity) from Boston University, and a Ph.D. in Computer Science from Capitol Technology University. He is currently completing an advanced LL.M. in Cyber, Information and National Security (CINS) at George Mason University, Antonin Scalia Law School.

He is a Fellow of Information Privacy (FIP) and a Privacy Law Specialist (PLS) at the International Association of Privacy Professionals (IAPP), the two most advanced credentials in privacy practice and privacy law by the IAPP, respectively, while also holding AIGP, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, and CIPT privacy certifications. Additionally, he earned numerous offensive and defensive security certifications by the Global Information Assurance Certification (GIAC) after ongoing training in advanced cloud security, cyber operations, and investigations at SANS Institute.

Dr. Ilia Kolochenko currently serves as a Vice-Chair of the Information Security Committee at the American Bar Association (ABA), also being a Fellow at the European Law Institute (ELI) and a Member of the Cybercrime Investigation & Cybersecurity (CIC) Center at Boston University. Additionally, Dr. Kolochenko is part of the Europol's Data Protection Experts Network (EDEN), INTERPOL's Digital Forensics Expert Group (DFEG), National Association of Criminal Defense Lawyers (NACDL), SANS CISO Network, and the EU CyberNet.

Dr. Ilia Kolochenko has authored over 75 articles on cybersecurity, computer crime investigations, cyber law, and artificial intelligence. His interviews and expert comments have been published in over 250 media across Europe and the US; he is also a frequent lecturer at cybersecurity, law enforcement, and legal conferences around the globe.
