28 November 2016

Web Application Vulnerabilities



I've been working with Web Application Firewalls (WAF) lately, which means interacting closely with developer teams to learn how their applications work so that I can apply layer 7 security policies that protect against XSS, SQL injection or CSRF attacks. It's important to know how a web application works in order to set the maximum length of the URI, the number of bytes sent in each request/response, the kind of encoding, the allowed parameter values, etc.

Web Application Firewalls are appliances, physical or virtual, which should be full proxies that analyse traffic in both directions (requests and responses) and block malicious patterns. In fact, this is a benefit of layer 7 load balancing: combined with attack signatures, they are able to block most of the OWASP Top 10 Critical Web Application Security Risks. Thanks to the Hack-it-yourself auction website from F5 Networks and my last Ethical Hacking course, I'm going to show you some Web Application Vulnerabilities.

Parameter Tampering

This is an Insecure Direct Object Reference attack, where the attacker can access internal objects such as URLs, parameters, files, directories, hidden fields and database keys without authorization. For instance, the attacker can change the account number in the following URL and access another account without authorization:

http://example.com/app/accountInfo?acct=notmyaccount

Hidden Field Manipulation

This is another Insecure Direct Object Reference attack, where the attacker retrieves and modifies hidden fields in the HTML to skip steps in application wizards, modify dynamic parameters, change the access control profile in a web application, etc. For instance, the attacker can change the price of a product on the client side with a web proxy to buy it cheaper in e-commerce applications.

Forceful Browsing

This is a Missing Function Level Access Control issue, where security misconfigurations can be used by attackers for sensitive data exposure. For example, the attacker can jump from www.website.com/ to the unauthorized resource www.website.com/include to read old or backup files on the website, compromising passwords.
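The common thread of the three cases above (parameter tampering, hidden field manipulation and forceful browsing) is that the server trusted something the client sent. The following is an added example, not code from the original post or from the F5 auction site, showing the server-side checks that close each case: the account lookup is tied to the authenticated user, the checkout price comes from the server's catalog rather than the posted form, and the static file handler only serves allow-listed files under the document root. The account table, catalog, docroot path and function names are all constructed for the demo.

```python
"""Added example (not from the original post): server-side checks against
parameter tampering, hidden-field manipulation and forceful browsing.
All data, paths and names below are constructed for the demo."""
import os

# Constructed sample data: who owns which account, and the authoritative prices.
ACCOUNTS = {"1001": {"owner": "alice", "balance": 250.0},
            "1002": {"owner": "bob", "balance": 9000.0}}
CATALOG = {"sku-42": 19.99, "sku-7": 149.00}
PUBLIC_ROOT = "/var/www/public"          # hypothetical docroot (POSIX paths assumed)
ALLOWED_EXT = {".html", ".css", ".js", ".png"}


class Forbidden(Exception):
    """Raised when a request references an object the caller may not use."""


def account_info(session_user, acct):
    """Parameter tampering defence: the acct value from the URL is looked up,
    and the record's owner is compared with the authenticated session user.
    Changing ?acct= no longer returns someone else's data."""
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"{session_user} may not read account {acct}")
    return record


def checkout(posted_items):
    """Hidden-field defence: the client may post a 'price' field, but it is
    ignored; the total is recomputed from the server-side catalog."""
    total = 0.0
    for item in posted_items:
        sku = item["sku"]
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku}")
        qty = int(item.get("qty", 1))
        if qty <= 0:
            raise ValueError("quantity must be positive")
        total += CATALOG[sku] * qty          # never item["price"]
    return round(total, 2)


def resolve_static(request_path):
    """Forceful-browsing defence: normalise the requested path, refuse
    anything that escapes the docroot, and serve only allow-listed
    extensions, so backup or include files are never reachable here."""
    rel = os.path.normpath("/" + request_path).lstrip("/")
    full = os.path.normpath(os.path.join(PUBLIC_ROOT, rel))
    if not full.startswith(PUBLIC_ROOT + os.sep):
        raise Forbidden(f"path escapes docroot: {request_path}")
    if os.path.splitext(full)[1] not in ALLOWED_EXT:
        raise Forbidden(f"extension not served: {request_path}")
    return full


if __name__ == "__main__":
    print(account_info("alice", "1001"))
    print(checkout([{"sku": "sku-42", "qty": 2, "price": "0.01"}]))
    print(resolve_static("css/site.css"))
```

The point of `checkout` is that the posted `price` is simply never read; a WAF can flag a tampered hidden field, but only the application can make the field irrelevant.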

Cross Site Scripting (XSS)

This is a common attack that runs the attacker's JavaScript on the client side. For example, the attacker can use this kind of attack to redirect the browser to a malicious website, steal cookies and passwords, or even scan the internal network. The JavaScript can be uploaded to our website through forms or other text inputs, and when clients visit our website, or click the resource, they will run the malicious script.
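The stored XSS described above works because text submitted through a form is later written into a page as markup. This added example, not code from the original post, shows the unsafe rendering beside the hardened one and why the encoding has to match the context the value lands in (HTML body, attribute, or URL). The comment text, usernames and function names are constructed for the demo.

```python
"""Added example (not from the original post): rendering untrusted text into
HTML unsafely and then with context-appropriate escaping. Sample input and
names are constructed for the demo."""
import html
from urllib.parse import quote

# Constructed comment of the kind a form might receive.
SAMPLE_COMMENT = "<script>alert(document.cookie)</script>"


def render_comment_unsafe(author, text):
    """Vulnerable: user input is interpolated straight into the markup, so a
    <script> tag in the comment becomes a script the visitor's browser runs."""
    return f'<div class="comment"><b>{author}</b>: {text}</div>'


def render_comment(author, text):
    """Hardened: html.escape turns < > & " ' into entities for HTML body
    context, so the browser shows the input as text instead of executing it."""
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(text)}</div>')


def render_profile_link(username):
    """Different context, different encoding: a value inside a URL path is
    percent-encoded, a value inside an attribute is HTML-escaped with quotes."""
    return (f'<a href="/users/{quote(username, safe="")}" '
            f'title="{html.escape(username, quote=True)}">profile</a>')


def contains_active_markup(rendered):
    """Check used by the demo: is there still a raw script tag or inline
    event handler in the output?"""
    lowered = rendered.lower()
    return "<script" in lowered or "onerror=" in lowered or "onload=" in lowered


if __name__ == "__main__":
    print(render_comment_unsafe("mallory", SAMPLE_COMMENT))
    print(render_comment("mallory", SAMPLE_COMMENT))
    print(render_profile_link("o'neil <admin>"))
```

A WAF signature catches the obvious `<script>` pattern; output encoding in the application is what makes the attack fail regardless of how the payload is spelled.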

Injection attacks

This is another common attack, where the attacker injects statements aimed at an interpreter such as SQL, the OS shell or LDAP. The most common is SQL injection (SQLi), where the attacker queries the database engine directly to steal or read the whole database and its tables, and even to write or delete data. It can also be used to bypass the authentication process in a login form, for instance with the following statement:

SELECT * FROM users WHERE username = 'admin' OR 1=1 -- '
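To see why the statement above lets anyone in, here is an added example (not code from the original post) that runs a login query built by string concatenation and the same query with placeholders against an in-memory SQLite database, plus a crude signature check of the kind a WAF rule matches on. The users table, credentials and function names are constructed for the demo; the password is stored in plaintext only to keep the example short.

```python
"""Added example (not from the original post): a concatenated login query
versus a parameterised one, run on an in-memory SQLite database.
Table, credentials and names are constructed for the demo."""
import re
import sqlite3


def make_db():
    """Constructed demo database with one user (plaintext password only to
    keep the example short; a real system stores a salted hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: the input becomes part of the SQL text, so a username of
    admin' OR 1=1 -- turns the WHERE clause into a tautology and comments out
    the password check."""
    sql = (f"SELECT * FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Hardened: placeholders keep data separate from code; the same input is
    compared literally against the stored username and never matches."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def looks_like_sqli(value):
    """WAF-style signature for the demo: a quote followed by a boolean
    tautology, or a comment marker. Real WAF rule sets are far richer; this
    only shows the kind of pattern they match on, and it is no substitute
    for parameterised queries."""
    pattern = r"'\s*(or|and)\s+\S+\s*=\s*\S+|--|/\*"
    return re.search(pattern, value, re.IGNORECASE) is not None


if __name__ == "__main__":
    conn = make_db()
    probe = "admin' OR 1=1 -- "
    print("vulnerable login with probe:", login_vulnerable(conn, probe, "wrong"))
    print("safe login with probe:      ", login_safe(conn, probe, "wrong"))
    print("signature flags probe:      ", looks_like_sqli(probe))
```

Note that the signature check flags the tautology but leaves a legitimate name such as O'Brien alone; the parameterised query is what actually removes the vulnerability.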

These are some web application attacks which are easy to block with a WAF but very difficult with an IPS or a layer 4 firewall.


Regards my friends, I'm wondering, should we learn about OWASP at University?

21 November 2016

National ForoCiber Summit - Cáceres



I was at the first cybersecurity summit on technological law and IT security last Friday in Cáceres. It was a good place to get in touch with colleagues and experts from the IT and law fields to exchange experiences and security knowledge. Therefore, this time I'm going to write about what I learnt, what the speakers talked about and my thoughts on this summit, organized by the law firm “Picado Abogados” and the University of Extremadura.

The first speaker was Enrique Ávila, who works as a manager at the Spanish National Centre of Excellence on Cybersecurity (CNEC). At the beginning he said that lawyers don't want to know anything about IT and this is dangerous, but it's even more dangerous when an IT engineer has read a law and thinks he is doing something right when, maybe, he hasn't understood the law. This is a call for collaboration between IT engineers and lawyers against cybercrime. He spoke about many things: international law, crime as a service, cyberintelligence and counterintelligence, the right to be forgotten, threats against industrial systems, IoT, University, etc. Many things, yes, many things.


The next speaker was Silvia Barrera, who works as an inspector at the Spanish National Police. She spoke about social networks (RRSS) and their dangers. She highlighted that filing complaints about sextortion, bullying, etc. isn't the solution, but security awareness is, because it takes too long from the moment someone files a complaint until it is resolved. In addition, social network companies don't have to keep records like ISPs do; as a result, this is another reason investigations are delayed. Sometimes it's too late: the victim doesn't want to bear it any longer and commits suicide. Therefore, she showed us many examples of bad practices in social networks, and she told us to be careful on the net because there are many people, teenagers and adults, who don't know how to use it.


After the social networks talk, we went for a coffee and continued afterwards with a debate between Andrés Caro, Juan Luis Picado, José Luis González and Josep Albors.

Andrés works as a professor at the University of Extremadura and he admitted that the security field isn't in the IT engineering curriculum at the University of Extremadura. In addition, he emphasized that the penalties for a murderer and for a cybercriminal aren't the same, and sometimes a murderer gets a lower penalty than the cybercriminal.

Juan Luis works as a lawyer at the law firm “Picado Abogados” and he spoke about the need for the University and private companies to work together to teach students about the real world.

José Luis works as a manager at COMPUTAEX-Cénits and he highlighted the danger of HPC if it is used for cracking passwords. He also said that many small companies can't afford to have security staff, and this is a risk they are willing to accept.

Josep works as chief communications officer at ESET Spain and he scared the students a little bit by telling them that University is only the beginning and they have to keep studying to stay up to date. This is a big truth: I haven't stopped learning new things since finishing my degree.

Regards my friends, drop me a line with the first thing you are thinking!!!

14 November 2016

Who is who in the EU Security Directives?



I finished reading the Security Directives for the European Union last week, but this time I would like to highlight the group of people and organizations that have to work together to achieve a high common level of security of network and information systems (NIS) within the Union. Mainly, I have drawn the main actors that play an important role in the European Union when an incident takes place within the Union, as this is a significant point that involves incident reports flowing from the bottom up.

Reporting Hierarchy

OPERATORS OF ESSENTIAL SERVICES

The first thing that Member States have to do is to draw up a list of operators of essential services and require them to notify incidents to the CSIRT. What are the essential sectors? Energy (electricity, oil and gas); transport; banking; financial market infrastructures; the health sector; drinking water supply and distribution; and digital infrastructure such as IXPs, DNS service providers and TLD name registries. This list should be done by 9 November 2018.

DIGITAL SERVICE PROVIDERS

As with operators of essential services, Member States have to identify digital service providers as well, and these should report incidents to the CSIRT too. What types of digital services do they have to identify? Online marketplaces, online search engines and cloud computing services. This list, along with that of the operators of essential services, should be done by 9 November 2018.

CSIRT

Each Member State shall designate one or more CSIRTs (Computer Security Incident Response Teams) with adequate resources to effectively carry out their tasks. CSIRTs can use the CSIRTs Network for cooperation and to do their tasks efficiently and effectively. This team should be set up, and performing its tasks, by 9 February 2017.

CSIRTs NETWORK

The CSIRTs Network is composed of representatives of the Member States' CSIRTs and CERT-EU, and the Commission and ENISA also participate. Its tasks are exchanging information, discussing and identifying a coordinated response to an incident within the EU; providing Member States with support in addressing cross-border incidents; discussing, exploring and identifying further forms of operational cooperation; informing the Cooperation Group of its activities; discussing lessons learnt; issuing guidelines in order to facilitate the convergence of operational practices, etc.

SINGLE POINT OF CONTACT

Each Member State shall designate a national single point of contact, which exercises a liaison function to ensure cross-border cooperation. In addition, this single point of contact should be able to consult and cooperate with the relevant national law enforcement authorities and national data protection authorities. By 9 August 2018, and every year thereafter, the single point of contact shall also submit a summary report to the Cooperation Group on the notifications received, including the number of notifications, the nature of the notified incidents and the actions taken.

ENISA

The European Network and Information Security Agency helps Member States in developing national strategies on the security of NIS and in developing national CSIRTs. Moreover, ENISA collaborates with the Cooperation Group to exchange best practice between Member States and helps them in building capacity to ensure the security of networks and information systems.

COOPERATION GROUP

The Cooperation Group will support and facilitate strategic cooperation and the exchange of information among Member States, with the goal of developing trust and confidence with a view to achieving a high common level of security of network and information systems in the Union. By 9 August 2018, and every year and a half thereafter, the Cooperation Group shall also prepare a report assessing the experience gained with the strategic cooperation. In addition, this group, along with the CSIRTs Network, shall begin to perform its tasks by 9 February 2017.

COMMISSION

The Commission will submit a report to the European Parliament and to the Council assessing the consistency of the approach taken by Member States in the identification of the operators of essential services by 9 May 2019. Moreover, the Commission will also take into account the reports of the Cooperation Group and the CSIRTs Network on the experience gained at a strategic and operational level when reporting to the European Parliament and to the Council by 9 May 2021.

And this is all we have for now. Next step? Setting up the Cooperation Group and the CSIRTs by next February. We'll wait for it.

Regards my friends, drop me a line with the first thing you are thinking!!!

7 November 2016

Security Directives for the European Union



I read the Cybersecurity Strategy of the European Union and the Cybersecurity Strategy of Spain three years ago to apply for the ISACA Challenge for Young Professionals. However, this summer the European Parliament and the Council of the EU published measures for a high common level of security of network and information systems (NIS) across the Union, which are interesting and which I wanted to read in order to discuss them in this blog.

The goal of this document is to set a minimum security threshold so that Member States have the same level of security of network and information systems across the whole European Union, because today the existing capabilities aren't sufficient and each country has its own security measures. For instance, reporting and notification of all incidents is one of the main cooperation measures.

Reading the Directives, I remembered when we implemented ISO 27001 at Ariadnex S.L., and it's amazing how the processes and tasks referenced in this European Union document are the same as in a small company, but in a huge context. For example, we can read about the following processes or domains:

ASSETS MANAGEMENT
While we identified assets like servers, firewalls, software, etc., the European Union has to identify operators of essential services, like gas and water suppliers or air transport operators, and digital service providers like cloud computing operators. Therefore, the first task is to draw up a list of operators of essential services.

 
In addition, once we have identified the operators of essential services, we have to give an indication of the importance of each sector. For that, Member States should take into account the number and size of those operators.

 
RISK MANAGEMENT
Another process we should take into account is risk management, where we have to think about incidents that would have a significant disruptive effect on the provision of an essential service, or, as we called it, “risk assessment”, in order to take measures and mitigate risks.

 
SECURITY POLICY
After the Cybersecurity Strategy of the EU has been written, Member States should write their own Cybersecurity Strategy. Once that is done, they have to define concrete policy actions.

 
INCIDENT MANAGEMENT
This is an important process within these Directives, where CSIRTs play an essential role, because Member States should report all incidents to a single point of contact to share incident information with the whole EU. Therefore, international cooperation is a must, and to achieve it, cooperation between the public and private sectors is essential.

 
BUSINESS CONTINUITY MANAGEMENT
If we want to know how well we are doing, we have to test ourselves with exercises that simulate real-time incident scenarios. For example, the biggest ever European cyber-security exercise, organized by ENISA, concluded recently.


SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE
There are two fundamental groups, operators of essential services and digital service providers, but we should take into account hardware manufacturers and software developers as well, because their products have to enhance the security of network and information systems.

 
SUPPLIER RELATIONSHIPS
When we outsource a service, we have to ensure that service providers offer the same security level as we do. Therefore, security requirements should be written as contractual obligations.

 
COMPLIANCE
This Directive must respect all other laws of the European Union, and this is done by referring to them in the next paragraph.


As we can see, an information security framework like ISO 27001 always includes the main processes that we should take into account to implement security in our organization.

Regards my friends, drop me a line with the first thing you are thinking!!!