"We're safe, we have a firewall." If I had a rand for every time I heard that phrase...
The traditional belief that the firewall secures the entire organisation from all security risks is misguided, outdated and dangerous for your company.
According to a Gartner report, over 70% of cyber attacks now occur at the application layer through the firewall. Firewalls typically filter traffic and allow it to pass only on specific ports, but most lack the ability to interrogate the data and protect the site from malicious activity.
The very accessibility that makes a site an Internet bank, an online e-commerce store or an auction site becomes the door through which a hacker will attack, unrestricted by the firewall.
SQL injection, for example, involves entering raw SQL into an application, usually through form fields, so that the database executes it and the application performs some unexpected action. This can lead to authentication being bypassed and to complete control being gained over the server or back-end database. Because the commands arrive as ordinary form submissions, they pass the firewall without restriction.
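An added illustration of the point above, not code from the original article: a login check that pastes form input into its SQL text beside the parameterised version a Web application should use. The table, user and inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table for the demonstration. A real
    # application stores salted password hashes, never plaintext passwords.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    # Form values are spliced straight into the SQL text, so any quote
    # characters in the input change the structure of the query that the
    # database executes. A firewall sees nothing but an HTTP POST.
    query = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return db.execute(query).fetchone()[0] > 0


def login_safe(db, username, password):
    # Parameterised query: the SQL text is fixed and the driver passes the
    # values separately, so the input is only ever compared as data.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # Constructed input that closes the password literal and appends an
    # always-true condition; the vulnerable check accepts it, the safe one
    # treats it as a (wrong) password.
    injected = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", injected))  # True
    print("safe:      ", login_safe(db, "alice", injected))        # False
```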
The IIS Unicode exploit, while old, is another example that uses HTTP and malformed URLs to traverse directories and execute arbitrary commands on the vulnerable Web servers. Because the exploit uses HTTP, it can be entered straight from the address bar of a browser and is seen as allowable traffic by the firewall.
While Web sites using encrypted (HTTPS) sessions prevent an attacker from reading data, for example credit card or account details in transit over the Net, unless the Web application itself is secure, these details may be read or modified. This is done by attacking the application or database directly, with SQL, Unicode or other techniques. Again these attacks are passed straight through the firewall.
Many shopping carts have had the total price figure changed in this way by unscrupulous hackers, and many sites still exist that invite price manipulation directly from a browser by carrying the price in hidden form fields that the server trusts.
"The vulnerability scanner didn't find any problems. We're OK."
Vulnerability scanners are great for finding possible operating system vulnerabilities. Most good ones now find about 90% of known vulnerabilities. But the best vulnerability scanner can only find those vulnerabilities for which a test exists in its database. The only way to be reasonably confident that you have found all possible vulnerabilities is to use more than one scanner, yet most companies only ever buy one. That is why professional manual testing is so valuable and so vital, and why companies that go without it remain vulnerable.
"We did a security assessment a year or so ago, I'm sure it's secure."
Barry Cribb, MD, IS Digital Networks.
A year is a long time in security terms and it's a fact of life that software has bugs, and that everyone makes mistakes.
Many Web sites are extremely dynamic with content and format changes being made frequently to suit often-hurried business deadlines. It is especially during these times of haste that problems creep in that can make the site vulnerable.
If these bugs and mistakes are not tested for and eradicated, sooner or later they will be exploited. The hacker lies waiting for users to make just one mistake, for just one opportunity. I have spoken to many IT managers who have been astounded by how quickly their site was attacked after going live.
It is wise to have an application security assessment performed at least annually and still more often on e-commerce sites or where changes are frequent or fraud is more likely.
The Web site www.isdigital.co.za/web.html explains these and other application flaws which may be eliminated through application testing.
No site can be 100% secure. A continuous cycle of testing, in accordance with a properly designed security policy, is the only way to ensure the lowest chance of suffering an attack.
The security policy should be constructed taking cognisance of the business risks and be acknowledged by management as acceptable. Spending too little on security soon proves to have been too costly, particularly when you're cleaning up after an attack.