E-commerce websites need a . . .
clear understanding of the traffic visiting their site for security and marketing purposes.
Web analytics software can provide:
- Visitor location
- Visitor sources
- Visitor type
- Visitor navigation
- Average time on site
- Leave (bounce) rate
Google Analytics is a . . .
common web analytics software package with an easy-to-navigate graphical interface.
Google Dashboard features:
- Visits
- Site Usage
- Visitors Overview
- Map Overlay
- Content Overview
Whom Do You Want to Come to Your Website?
- Driving quality and qualified traffic to a website is a strategic process
- Characteristics of site demographic determine site design
- Create customer profile based on desired demographic
- Profile is a description of your customer based on various criteria (Age range, gender, marital status, geographical location, occupation, etc.)
Identifying the demographic for a website:
- Helps create a focus for the site based on visitor need
- Creates a design suited for a specific group
- Pinpoints characteristics of your ideal customer
- Identifies the geographical area with the highest number of ideal customers
Accepting User Input on Your Website
- Websites may have interactive elements, designed to engage visitors so they return to the site
- Interactive elements may introduce security considerations, including phishing, bullying, and cyberstalking
- Corporate sites provide various forms of user input including forums, surveys, feedback forms, and email
- Input mechanisms are designed to increase interactivity and communication to visitors
Advantages of forums:
- Repeat visitors
- Increased keyword exposure
- Email address acquisition
- Opportunities to gather demographic data
- Support for online relationships
Disadvantages of forums:
- Requirement for technical expertise
- Requirement for content monitoring
- Need to police for bullying and stalking
- Risk of ad flooding
Website feedback forms:
- Contact Us forms
- Customer support forms
- Signup forms
Online surveys
- Provide a great way for visitors to communicate
- Gather information from the visitor
- Provide a method to interact with the site
- Should be brief and only require a few minutes to fill out
- Choose questions carefully to elicit information you are seeking
The Open Web Application Security Project (OWASP) Top 10 Threats
1. Broken access control
2. Cryptographic failures
3. Injection
4. Insecure design
5. Security misconfiguration
6. Vulnerable and outdated components
7. Identification and authentication failures
8. Software and data integrity failures
9. Security logging and monitoring failures
10. Server-Side Request Forgery (SSRF)
Broken access control:
Vulnerabilities created through the assumption that access control is an automatic feature of routers and firewalls, or through misconfiguration of the settings and rules that control an implementation of access control
Broken Access Control Mitigation:
Principle of least privilege
Cryptographic failures:
Also known as a sensitive data exposure, removes all or part of the encryption protection that was to have protected sensitive data
Cryptographic failures Mitigation:
Inventory and classify data at rest and in transit, encrypt sensitive data at rest, use secure protocols, use authenticated encryption, use password-based key derivation function (PBKDF), ensure cryptographic randomness is based on high entropy or an unpredictable seed, avoid deprecated cryptographic functions and padding schemes
Injection
Injection flaws allow attackers to relay malicious code through the web application to another system; common attack is SQL injection
Injection Mitigation:
Principle of least privilege
Insecure design:
Omits or misapplies security measures
Insecure design Mitigation:
Understand organization’s threat and risk exposures and the vulnerabilities they are focused on
Security misconfigurations:
Failure of system administrator or security personnel to understand default configuration settings of hardware and software and the configuration changes needed to fit them into the existing system’s infrastructure and ensure secure operations
Security misconfigurations Mitigation:
Security audits, reviewing product life cycles, understanding the function and role of the system, training and research
Vulnerable and outdated components:
Lack of inventory, software outdated/unmanaged, no vulnerability scans, patches not applied, lack of testing
Vulnerable and outdated components Mitigation:
Harden systems, keep inventory current, track installed software versions and dependencies, implement a patch management process, regularly review the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database, get email alerts for installed software, track hardware components near end of life
CVE
Common Vulnerabilities and Exposures
Identification and authentication failures
- Identification validates credentials against those on file
- Authentication uses submitted credentials and requests additional information to verify that the identified person can be authenticated and permitted to access the system
- Multi-factor authentication (MFA) requires a verifying element over and above the standard username and password credentials
Identification and authentication failures Mitigation:
Strong passwords, password rotation, encryption of password storage and transmission, session ID protection, caching and back button
Software and data integrity failures:
- Applications rely on plugins, libraries, or modules, many from untrusted sources, GitHub repositories, and content delivery networks (CDNs)
- An insecure continuous integration/continuous deployment (CI/CD) pipeline can introduce potential for unauthorized access, malicious code, or system compromise
Software and data integrity failures Mitigation:
- Use digital signatures to ensure the update or patch is downloaded from the expected source.
- Ensure libraries in digital repositories are secure.
- Verify that downloaded system components do not contain vulnerabilities.
- Implement review process of code and confirmation changes.
- Ensure unsigned or unencrypted data are not forwarded without clearing an integrity check or digital signature.
Security logging and monitoring failures
Logging omits auditable events:
- No warning or error messages produced
- Suspicious actions of application software and APIs not monitored
- Logs are not consolidated to a central authority
- Alert triggering thresholds and issue escalation processes are not implemented or are ineffective.
Security logging and monitoring failures mitigation:
- Ensure login, access control, and validation failures are logged
- Ensure log data are correctly identified
- Ensure high-value transactions are recorded in a log file and have integrity controls to prevent tampering or deletion.
- Ensure effective monitoring and notification procedures are defined and in place so that suspicious activities are quickly detected and alerted
SSRF:
Server-Side Request Forgery
Server-Side Request Forgery (SSRF):
When a webpage or application sends a request for a remote object (webpage, database, etc.) without considering whether the requested object or its URL is safe, an attacker could manipulate the requesting software into sending an altered request to a malicious URL
Server-Side Request Forgery (SSRF) Mitigations
- Implement defense-in-depth (DiD) controls.
- Distribute remote resource access over two or more networks.
- Implement “denial by default” firewall rules and network access control policies that permit essential intranet traffic but block all other traffic.
- Log all permitted and denied firewall traffic.
- Validate all client-supplied input data.
- Disable HTTP redirections.
- Enforce URL consistency, using the same structure and syntax in all website URLs.
DiD:
defense-in-depth
Information leakage and improper error handling:
- Occurs when an attacker exploits the information in an unsecured error message
- Information included in error messages
  - Error tracing
  - Network and name information
  - Verification of the existence of a file
  - Database details
Unsecure communications
- Susceptible to data theft and other forms of tampering
- Mitigation: Internet Key Exchange (IKE), which manages the security association (SA) negotiation process for Internet Protocol Security (IPSec) connections
Failure to restrict URL access
When information on a web server is not sufficiently protected, user can find hidden URLs and sensitive data.
Failure to restrict URL access Mitigation:
Implement access control for each function.
- The web user must be authorized explicitly to operate that function.
- Removing risk of attacks requires careful planning.
- Web application developers need to plan from the design stage to implement protection throughout the application.
- Website administrators must perform penetration testing, which mimics an attacker.
Attack strategies:
- Authentication and authorization attacks
- Client-side attacks, including Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks
- Command execution attacks (malicious execution and SQL injection attacks)
- Information disclosure attacks
Best practices to mitigate and manage attacks strategies
- General network security procedures
- Network security procedures
- Deploy encryption strategies
- User education
- Preventing mitigation tools
CSRF:
Cross-Site Request Forgery (CSRF) attacks