With more businesses accepting credit cards online, web application firewalls and correct coding are the best lines of defence. By Rob Buckley.
These days, almost every business does some trade online. Although there are a select few organisations that only provide a web front-end for information and to interact with customers, the majority of organisations now make money from the web. For these e-businesses, a security breach is of far greater concern than to those who merely end up with their home pages ‘owned’. Not only are their reputations at risk, so is their ability to earn money, as customers go elsewhere. Credit card providers can fine them and withdraw their ability to process transactions.
Ask any security professional the first steps anyone should take to secure their business and invariably the answer will be to do a risk assessment: until you know the threats and your vulnerabilities, you cannot begin to secure your business. The difficulty comes from trying to distinguish between hype and genuine threat, and between established knowledge and up-to-date information.
Although large firms may be directly targeted by criminals, just about any company with an internet presence will find itself under attack, although this is almost always an automated scan at first. According to John Kindervag, senior analyst, security and risk management at Forrester Research: “You'll find your IP address scanned consistently every week if you have a presence. People want to know the status of what's behind an IP address and whether there's anything of value.”
Automatic scans are one thing, and if your systems have not been patched and are exposed, your vulnerabilities will almost certainly be spotted. But what are the chances of being deliberately hacked as happened to TK Maxx in 2007?
Kindervag says that he's been told of break-ins by people he speaks to, but with few details disclosed publicly of break-ins and many not reported at all, it's “hard to build actuarial tables”.
However, the Information Security Forum has seen a rise in targeted hacks, including a shift from indiscriminate events to highly targeted and planned attacks, using a combination of social engineering and technical methods to steal identities and information for fraud. The financial crisis is accelerating these changes, fuelled by increasing staff turnover and dissatisfaction, along with the increased involvement of organised criminal groups. These groups see online crime as a lucrative and low-risk alternative to other activities. The ISF also points to evidence that criminal organisations are recruiting employees as moles or sponsoring students through their IT education and placing them into targeted organisations.
“This more sophisticated and planned approach by criminal gangs comes at a time when IT budgets are under pressure and companies are also looking to outsourcing and offshoring to save money,” says Jason Creasey, head of research at the ISF. “These potential weaknesses in the IT infrastructure and third-party relationships – particularly with the advent of cloud computing – pose further threats, and it is important to have the right controls to mitigate risk.”
Many traditional attacks are still used. Malware, including custom Trojans, is predicted by the ISF to be a concern into 2011 at least. Targeted denial-of-service attacks, in which cybercriminals blackmail a site owner with unavailability during busy trading periods after demonstrating their capabilities, used to be popular. They still occur, but are now rarer since they negate one of the big advantages of cybercrime – anonymity.
“It has become more difficult,” says professor Howard Schmidt, president of the ISF. “The motto of my 26 years in law enforcement was ‘follow the money’ – it offers a more direct path for law enforcement to follow.” A similar drawback has reduced the popularity of ‘war-driving’, in which hackers try to take advantage of open wireless networks – as they have to be physically close to the organisation being attacked.
DNS ‘cache poisoning’, in which cybercriminals make their own IP addresses appear to be the correct location for specific domains, allows both customers and businesses to be attacked. Rodney Joffe, senior vice president and senior technologist at NeuStar, says that criminals can even apply for SSL certificates for their redirected domains by re-routing emails; customers' browsers then report that the site being visited is the correct one. At the moment, the technique is little used, but until the widespread adoption of the DNSSEC authentication standard, there are few defences to it beyond installing NeuStar's authentication servers at ISPs, Joffe says.
However, the most common attacks now used are SQL injection and cross-site scripting. SQL injection relies on poor checking of the information that web pages send back to the server: by including specific characters in that input, an attacker can cause SQL commands to be passed through to the databases running the website. The technique is popular because if hackers can interrogate the database sufficiently, they might be able to extract customer credit card numbers.
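The two flaws described above come down to the same mistake, user data glued into a command string, in two places. The following is an added example, not code from the article or from any of the firms it quotes: it uses Python's built-in sqlite3 module with a constructed in-memory customer table, and the function names are my own. The vulnerable lookup and its parameterised replacement sit side by side, with output escaping covering the cross-site scripting half.

```python
import html
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the site's customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The flaw: the value typed into the web form is concatenated into the SQL
    text, so quote characters in it change the meaning of the query."""
    query = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, email):
    """The fix: the value travels to the database as a bound parameter and is
    only ever compared as data, never parsed as SQL."""
    query = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def render_greeting(email):
    """Cross-site scripting is the same mistake in the other direction: user
    data concatenated into HTML. Escaping on output keeps it inert."""
    return "<p>Welcome back, " + html.escape(email, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # the textbook input an automated scanner sends
    print("vulnerable:", lookup_vulnerable(db, probe))        # every row comes back
    print("parameterised:", lookup_parameterised(db, probe))  # nothing matches
    print(render_greeting("<script>alert(1)</script>"))
```

Run it once and the point is visible: the concatenated query returns every customer because the input has turned into `WHERE email = '' OR '1'='1'`, while the parameterised query simply finds no customer whose address is that literal string.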
A slightly trickier, less common attack, growing in popularity, takes advantage of sites that use both http and https protocols for sending pages: customers' authentication details stored in a session cookie within a secure https session might be accessible via insecure http as well, if a site is not coded correctly. Criminals can then monitor traffic to the site to obtain the customers' credentials. Peter Wood, founder of First Base Technologies, says the attack has recently been used in a big credit card data theft in Indonesia that he is investigating.
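The mixed http/https leak described above is decided by two attributes on the Set-Cookie header: without `Secure` the browser will send the session cookie over plain http, and without `HttpOnly` script on the page can read it. This is an added example, not code from the article or from any firm it quotes; it uses Python's standard http.cookies module to build a session cookie correctly and to check a header a site actually sends. The cookie name and the session value are constructed.

```python
from http.cookies import SimpleCookie


def session_cookie_header(session_id, secure=True):
    """Build the Set-Cookie value a site should send after login.
    secure=False reproduces the mistake the article describes."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["path"] = "/"
    cookie["session"]["httponly"] = True   # keep it away from page script
    if secure:
        cookie["session"]["secure"] = True  # never send it over plain http
    return cookie.output(header="").strip()


def cookie_findings(set_cookie_header):
    """Check one Set-Cookie value and report, per cookie, which of the two
    protective attributes is missing. An empty list means the cookie is fine."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_header)
    findings = {}
    for name, morsel in cookie.items():
        missing = []
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        findings[name] = missing
    return findings


if __name__ == "__main__":
    good = session_cookie_header("a1b2c3")                # constructed session id
    bad = session_cookie_header("a1b2c3", secure=False)
    print(good, "->", cookie_findings(good))
    print(bad, "->", cookie_findings(bad))
    # A header captured from a site, as a pen tester would check it:
    print(cookie_findings("session=a1b2c3; Path=/"))
```

The checking half is the useful part for an audit: feed it the Set-Cookie values returned by the login page and any cookie that comes back with `Secure` in its list is the one a passive listener on the http side of the site can collect.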
Getting individual card numbers by identity theft and password cracking does occur, as does hacking web page code to offer products at reduced prices. But this “isn't scalable”, according to Forrester's Kindervag. The aim for gangs at least is to get “a dump”, a list of information such as credit card details that can be sold on the market. “It takes a long time to get a million credit cards. But if you can break in and get a dump, that's much more efficient.”
Protecting against the majority of these attacks has been ISPs' bread and butter for years, with anti-virus software, firewalls, intrusion prevention systems and other systems as important as they have always been. Log parsing tools take on a new importance, according to Ben Rexworthy, MD of Securinet. “Log parsing tools let you see the trends. There are some off-the-shelf tools that can help, but you can also write apps specifically.” By correlating behaviour at the firewall and other systems, provided the systems have all had their times synchronised, it's possible to follow the path of potential attacks and penetrations.
Alan Coburn, managing consultant at Dns, agrees. “The best thing you can do is harden the monitoring of incident response features. Take all your event information from the perimeter and work out attack patterns.”
Equally, says Securinet's Rexworthy, “if there are FTP attempts on servers from a foreign IP address, and you have a business process in place to monitor the logs, you can get an email alert sent out and the firewall team can block a range of addresses”. FTP may seem an odd route for hackers, but often e-commerce sites that rely on distributed workers to provide content will use FTP to upload images of new stock and lists of prices. Hacking those lists will result in goods being sold at a fraction of the price.
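Rexworthy's FTP example, together with the time-synchronisation caveat from the previous paragraph, as an added example in Python (not Securinet's tooling or any product the article names): a handful of constructed firewall log lines in a key=value syslog style are parsed, every sensor's clock is normalised to UTC, and repeated connection attempts to port 21 from outside addresses are correlated per source. The log format, the 60-second window, the threshold of four attempts and the 192.0.2.0/24 internal range are my assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines; the second firewall reports in a +01:00 timezone,
# which is exactly the kind of clock mismatch that breaks correlation.
SAMPLE_LOG = """\
2009-03-02T01:00:05+00:00 fw1 action=drop src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2009-03-02T01:00:09+00:00 fw1 action=drop src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2009-03-02T02:00:14+01:00 fw2 action=drop src=203.0.113.7 dst=192.0.2.11 dport=21 proto=tcp
2009-03-02T01:00:20+00:00 fw1 action=accept src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2009-03-02T01:00:31+00:00 fw1 action=drop src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2009-03-02T03:15:00+00:00 fw1 action=drop src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2009-03-02T01:00:40+00:00 fw1 action=accept src=192.0.2.50 dst=192.0.2.10 dport=21 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it is not in the expected format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    # Normalise to UTC so events from differently configured boxes line up.
    event["ts"] = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc)
    event["dport"] = int(event["dport"])
    return event


def ftp_alerts(log_text, window_seconds=60, threshold=4, internal_nets=("192.0.2.0/24",)):
    """Return one alert per external source that hit port 21 at least
    `threshold` times inside any `window_seconds` window."""
    internal = [ipaddress.ip_network(net) for net in internal_nets]
    stamps_by_src = defaultdict(list)
    sensors_by_src = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["dport"] != 21:
            continue
        if any(ipaddress.ip_address(event["src"]) in net for net in internal):
            continue  # the content team's own uploads are expected
        stamps_by_src[event["src"]].append(event["ts"])
        sensors_by_src[event["src"]].add(event["sensor"])

    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({
                "src": src,
                "attempts_in_window": best,
                "total_attempts": len(stamps),
                "sensors": sorted(sensors_by_src[src]),
            })
    return alerts


if __name__ == "__main__":
    for alert in ftp_alerts(SAMPLE_LOG):
        print(alert)   # this dict is what would go into the e-mail to the firewall team
```

Without the UTC normalisation the fw2 line would appear an hour late and the burst from 203.0.113.7 would count three attempts, one short of the threshold; with it, both sensors contribute and the alert fires, which is the practical reason the paragraph above insists on synchronised clocks.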
For the new breed of attacks, web application firewalls and correct coding are the new lines of defence. The former, offered by a variety of vendors including Check Point and Cyberguard, are able to inspect http packets for known malicious code or types of behaviour and then block those that match particular rules. They can, for example, block http uploads but allow downloads. “They're just about affordable now and the technology is mature,” says Rexworthy.
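What a web application firewall does with each request, in miniature, as an added example that is not the article's and not the syntax of Check Point, Cyberguard or any other product: a raw HTTP request is parsed, the query string and body are decoded once, and a small constructed rule list is applied, including the upload-versus-download rule mentioned above. The rule names, patterns and sample requests are all my own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed rule set. A rule blocks when every one of its non-empty
# conditions (method, path, content pattern) matches the request.
RULES = [
    {   # "block http uploads but allow downloads"
        "name": "block-http-uploads",
        "methods": {"POST", "PUT"},
        "path": re.compile(r"^/(upload|files)(/|$)"),
        "pattern": None,
    },
    {   # signature for the most common injection shapes
        "name": "sql-injection-signature",
        "methods": None,
        "path": None,
        "pattern": re.compile(r"(?i)\bunion\b[\s\S]{0,40}\bselect\b|'\s*or\s*'[^']*'\s*="),
    },
    {   # signature for reflected script injection
        "name": "script-tag",
        "methods": None,
        "path": None,
        "pattern": re.compile(r"(?i)<\s*script"),
    },
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path, "query": parts.query,
            "headers": headers, "body": body}


def inspect(raw):
    """Return ('block', rule name) for the first matching rule, else ('allow', None)."""
    req = parse_request(raw)
    # Decode before matching: a %27 left encoded would slip past every pattern.
    content = unquote_plus(req["query"]) + "\n" + unquote_plus(req["body"])
    for rule in RULES:
        if rule["methods"] and req["method"] not in rule["methods"]:
            continue
        if rule["path"] and not rule["path"].search(req["path"]):
            continue
        if rule["pattern"] and not rule["pattern"].search(content):
            continue
        return ("block", rule["name"])
    return ("allow", None)


if __name__ == "__main__":
    samples = [
        "GET /files/catalog.pdf HTTP/1.1\r\nHost: shop.example\r\n\r\n",
        "PUT /upload/logo.png HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 3\r\n\r\nabc",
        "GET /search?q=%27+OR+%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    ]
    for raw in samples:
        print(raw.split("\r\n")[0], "->", inspect(raw))
```

The decode-then-match step is the detail worth noticing: the same signature that catches a quote in a form field misses it when the browser has percent-encoded it, so a rule engine that matches on the raw bytes gives a false sense of coverage.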
In a sense, web application firewalls are band-aids to cover up mistakes, not cures in themselves. In particular, a web application firewall will not be able to defend an app that has been designed with poor logic, Peter Wood warns. But even with the best processes in place, it's hard to prevent any security flaws from being created in complex interacting web applications. However, for many, web application firewalls are the only way for companies to protect themselves against these kinds of attacks. Smaller companies may not have the expertise to audit and patch code, even if they use open source, off-the-shelf applications – they also may not have the time to update systems with patches in a 24/7 environment.
It is far better to ensure an application is secure from the beginning. Dave Whitelegg, IT security manager of Capita Software Services, points out that it is far more costly to fix errors once a web application is deployed than it is during development. The Open Web Application Security Project (http://www.owasp.org/) contains excellent guidelines on how to develop web applications securely. Tim Orchard, principal consultant at Activity, recommends not only using them for internal development but also when dealing with third parties: “It's a structured methodology covering all components of a site. Using OWASP should be put into binding contracts.”
There are also auditing tools for examining code for security vulnerabilities. Capita's Whitelegg recommends IBM Rational AppScan but, he says, “it can only go so far. It can't beat the human mind.”
Whatever measures are put in place, frequent penetration testing is a necessary check. Says Forrester's Kindervag: “Most people overestimate the quality of their security and are somewhat naive. I've spoken to CIOs who have told me that on x, y and z they're unhackable. Maybe on that, but there's probably 100 other holes they're unaware of.”
Some penetration testing can be done automatically using apps, says Redstone Managed Solutions' security specialist, Martin Blackhurst. Although free and open source vulnerability scanners such as Microsoft Baseline Security Analyzer and SARA are available, he prefers commercial applications – which include the likes of QualysGuard and Core Impact. “Personally, I trust commercial apps in terms of vulnerability assessments. There are excellent open source apps, but I'm more comfortable with commercial.” A human pen tester, however, will be able to uncover more sophisticated exploits. Blackhurst also warns that anyone not hosting their own site should check with their provider, which may not be willing to let a pen tester test for exploits, for fear of affecting other clients on a shared server, or to provide on-site access to inspect equipment. Preferably, suitable clauses should be included in hosting contracts to ensure security checks are possible.
With targeted attacks on the rise and web applications the focus of criminal gangs, code audits, web application firewalls and penetration testing are necessary tools for e-businesses to ensure their security. While the criminals might not have tried to break in yet, it's almost certainly just a matter of time.
Top ten securing tips
1. Code reviews
The route most criminals take to break into e-businesses is through web applications. Review the code used in your website to ensure it is as secure as possible or, better still, get someone else to review it, since a different set of eyes can find new errors.
2. Web application firewalls
Even with a code review – or if you can't afford one – a web application firewall is the best way to ensure that hackers can't find those last remaining flaws in security. Either way, a firewall or a code review is mandated by the latest PCI DSS standards.
3. Pen test
Do not assume you are secure simply because you've installed some new technology or have a managed service provider. Always get someone external to try to break your security at least once a year. If you can, cycle your pen testers to access fresh ideas.
4. Use OWASP
If you're developing a web application, ensure your developers or those developing the application stick with the Open Web Application Security Project (OWASP). This provides one of the best methodologies for making web applications secure, and also makes it easier for your code to be audited.
5. Encrypt data
The best systems can still be broken into. However, even if you do have vulnerabilities, if data is encrypted – whether at rest or in motion – any security breach will still fail to obtain anything valuable. So always ensure any important information is encrypted, whether it's in a database or in transit.
6. Be careful of the cloud
Although it is tempting to offload all security concerns to a managed service provider, you are still responsible if things go wrong. So ensure in your contract that you are able to make regular security checks of the MSPs and that you will still be PCI DSS-compliant if you use them.
7. Educate users
Although it is easy to focus on technology as the main way of preventing intrusion, your users and developers are going to be your biggest vulnerabilities. Make sure they are well trained in the dos and don'ts of security and have regular reminders of its importance to the future of your business.
8. Make it costly for criminals
Criminals are looking to make money. No system is 100 per cent impenetrable, but if you remove common means of penetration and make your site far harder to break into than someone else's, the criminals will not waste their time and money on you.
9. Assess the new systems
Ensure that a security risk assessment is undertaken on any new system to ensure that the threats and risks are understood. You must be able to implement effective mitigation strategies to reduce the risks to acceptable levels – if you can't remove them entirely.
10. Don't forget the customer
Although criminals are looking to get the most customer data in one go, they can still try to hack user accounts. Try to ensure that your customers don't use weak passwords, and aren't sent marketing emails that make it easier for phishers to dupe users with similar emails.
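Tip 10 above, as an added example in Python that is not from the article or from any firm it quotes. It goes a step beyond the tip's wording: as well as rejecting weak passwords at registration, it shows how the accepted password should be stored, salted and stretched with PBKDF2 from the standard library, so that an attacker who does obtain a dump of the accounts table still has to crack each one. The common-password list, the 12-character minimum and the iteration count are my assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed short list; a real deployment would check against a large breach corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def password_problems(password, email=""):
    """Reasons a registration form should reject the password; an empty list means accept."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    account = email.split("@")[0].lower()
    if len(account) >= 4 and account in password.lower():
        problems.append("contains the account name")
    return problems


def hash_password(password, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256: this string, not the password, goes in the database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(password_problems("password1", "bob@example.com"))
    print(password_problems("correct-horse-battery", "alice@example.com"))
    record = hash_password("correct-horse-battery")
    print(record)
    print(verify_password("correct-horse-battery", record), verify_password("wrong", record))
```

Because the salt is random per account, two customers who chose the same password get different stored strings, and the iteration count is recorded alongside them so it can be raised for new accounts without invalidating old ones.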
The Payment Card Industry Data Security Standard (PCI DSS) governs the levels of security e-businesses must have in place for credit card companies to accept their business. Organisations that suffer breaches must be audited and if they are found not to be compliant with standards, the credit card companies will fine them – and potentially withdraw their ability to transact.
The standards themselves have changed over the years. The last version, 1.2, was released in October last year and the PCI standards council is now accepting feedback for the next iteration of the standards. Changes have been minor and have included a clause requiring a web application firewall or code audits, and the removal of WEP as an allowable wireless security protocol.
However, PCI DSS does have its critics. Andrew Walker, CEO of Portaltech, says that, “Even though there have been many versions of the standard, each one is more onerous than the last and has not been successful in ironing out the problems. It has been suggested by some IT security professionals that the PCI DSS does little more than provide a minimal baseline for security; you can be PCI-compliant and still be insecure.”
Basic as the measures are, some companies find them hard to comply with. In October, a survey by Imprivata found that only 39 per cent of respondents were compliant. Of the remainder, only 65 per cent expected to be compliant within 18 months.
Dave Whitelegg, IT security manager of Capita Software Services, says “people are grumbling, especially merchants”. In particular, the age of the software used by many airline and hotel companies makes it hard for them to comply.
This difficulty, despite the standard essentially being just a minimum, means costs for compliance can be high, with many boards deciding to risk non-compliance rather than make the necessary investment. Indeed, Peter Wood, founder of First Base Technologies, says that one retailer he has spoken to had a £3 million PCI compliance project scheduled for this year, but has now dropped it because of the recession.
John Kindervag, senior analyst, security and risk management with Forrester Research, says that is common. “PCI is a good minimum, but I'm hearing people want to do the least amount they can. It's purely about money, not security.” Whether they avoid being hacked without the security PCI advises remains to be seen.
Case Study: BWIN
Based in Vienna, bwin provides more than 130 online casino, skill and fortune games and operates one of the world's largest poker networks. Bwin's systems have to transact more than 60 different payment types to meet local needs in all the markets it serves. It has 20 million registered customers, turns over more than €3 billion in bets per year and processes over 70,000 financial transactions each day.
The company is an obvious target for criminals. “Security is an ongoing process,” explains bwin head of corporate security, Oliver Eckel. “Like anyone doing business on the internet, we're attacked on a daily basis.” Most attacks are from ‘script kiddies’, but hackers trying to improve their chances in games also attempt to break applications. There are also waves of attacks as soon as fresh vulnerabilities are announced.
To ensure the company remains secure requires both technology and processes. Bwin uses the same base standard technology as everyone else, including firewalls and intrusion detection systems. It also uses Tripwire and regular pen testing to check for compliance.
Indeed, to ensure PCI DSS compliance, the company separated not just its company IT systems from its front-end systems, it floated off the entire payment infrastructure into a separate company – it now offers payment processing services to other companies, making it one of the few companies to make good money from having become PCI DSS-compliant.
However, according to Eckel, much of the challenge was in application security. “The most critical point is the application itself. We needed to improve the role of application security products as well as our processes for secure software development and deployment.” So in 2007, bwin began a software assurance programme designed to identify, manage and remediate vulnerabilities. The intention was to make cost savings by fixing security problems in the design and development phase, rather than after deployment.
The company's 140 developers were trained in secure programming methods, PCI DSS and ISO 27001, and now use a modified version of the OWASP secure coding guide when working on applications, according to Christoph Haas, the head of development at bwin. Fortify's 360 Source Code Analyzer has been installed on all the developers' machines and is integrated into nightly builds. Haas reckons that as much as 70 per cent of the vulnerabilities discovered in the 200 applications deployed have been found thanks to Fortify.
But user education remains at the heart of the company's security programme. “We build a security-based culture internally,” says Eckel. “Everyone is aware of the need for security, and the different measures are part of the DNA of our company security.” Not only do the company's developers always have security in mind, the company – from the CEO downwards – understands its importance. But, says Eckel, “they're all human, so you have to implement controls to stick to it”.
While neither regards the company's security as unbreakable, they argue that's not the issue. “It's not about having the tightest security. It's about having better security than your neighbours,” says Haas, “and making it cost too much for hackers to break in.” So far, that theory seems to have worked.