Taking a trip of discovery into the unknown

Ben Harknet says security teams need to develop an effective external threat management programme as a core component of their overall security capability to deal with broken SSL certificates and third party app vulnerabilities.

Taking a trip of discovery into the unknown
Taking a trip of discovery into the unknown

When it comes to information security the most prominent strategy organisations choose to follow remains an in-depth defence approach tied to the belief that the perimeter to be defended is the firm's firewalls and internal networks. While this strategy can be effective at protecting internally hosted assets, cyber-criminals are constantly seeking out new and innovative ways of compromising traditional defences.

The balance of consumer and enterprise interactions are now increasingly happening on the web or via mobile applications and organisations are responding by developing new digital assets, many of which reside outside the firewall; on hosted web platforms, in mobile app stores and on social media sites. As a result, the external attack surface of many companies is now far more expansive than their internal one, often by several orders of magnitude.

To help quantify this external attack surface RiskIQ performed a detailed survey of the websites, web assets and mobile applications associated with 35 top banks and financial services firms, checking for potential security issues and weaknesses.

Outside the firewall

The research uncovered over 260,000 digital assets that are accessible on the open web or in app stores – that's 7,500 assets per bank on average.

We found that more than 60 percent of these assets are hosted externally, on external servers outside the IT department's control. Of those 35 top banks, 93 percent had assets hosted with cloud-based IaaS providers such as Amazon Web Services or Rackspace and 94 percent incorporated code from one or more third-party analytics/tracking services that could pose a security risk. One example of this happening was in November 2014 when Gigya was hacked by the Syrian Electronic Army (SEA) using a DNS redirect, leading to the website defacement of several well-known commercial sites.

The survey also found that seven out of 10 banks (70 percent) were also running their own digital ads using third party ad serving technology. Similarly, 94 percent incorporated code from one or more third-party JavaScript libraries, which is seen as a common attack vector. In fact, jQuery, the world's most used JavaScript library, has been attacked several times.

Vulnerabilities

Another area of vulnerability is in broken SSL certificates that can potentially allow attackers to perform man-in-the-middle attacks or can fail to prevent domain squatters from hijacking known URLs to redirect unsuspecting users to their farming websites. A total of 97 percent of the banks surveyed had a minimum of 13 broken SSL certificates in their websites with 54 percent having more than 100.

It's often the case that these threats against an organisation's external digital footprint can be segmented by the delivery system used to reach the user and the source of the vulnerabilities. Delivery systems include redirecting or farming websites and web assets, brand spoofing via unauthorised websites, or phishing emails. Vulnerability sources such as software and communication security flaws, scripting languages, third-party components and libraries, and uncontrolled asset hosting can lead to an injection of rogue or compromised assets, software bugs, etc. 

Mobile apps also show vulnerabilities and potential weaknesses. The research uncovered 1,777 mobile apps amongst the 35 top banks – on average, 51 per bank. Only six percent of those mobile applications were found in the official app stores (Google Play, Apple App Store, Windows Phone Store, etc). The rest were scattered through a secondary tier of app distribution sites, making it difficult or impossible to tell if updates or security patches would reach customers.

In addition, 80 percent of the discovered apps required users to grant them ten or more permissions, typically in excess of what was needed for app functionality. These often grant unnecessary access to functions such as a user's contact details or a recording tool. 

As the research shows, today's digital business brings with it more digital exposure and therefore more digital risk. In response, security teams need to develop an effective external threat management programme as a core component of their overall security capability. This brings with it an ‘outside looking in' approach that strives to protect users of digital channels and the integrity of the digital brand in addition to protecting corporate assets.

Banks know that they need to utilise new ways to reach and engage customers but with it comes a growing ‘attack surface' which is susceptible to ever changing threats. Only by being aware of what assets they have and the potential threats they face, can banks adequately protect their customers, employees and brand.

Contributed by Ben Harknett, vice president EMEA, RiskIQ

Also see: SC Roundtable: Application security,  25 June 2015