Security audit from REG.RU - what is it and why is it needed?
Introduction
The modern world is characterized by extremely rapid growth in the volume of information and by the globalization and computerization of every sector of society. Information technology is firmly rooted in our lives: most of the world's population uses Internet access almost constantly for work, study, games and entertainment. This naturally leads to the monetization of every possible service, and so the total number of payment-card transactions grows linearly: cashless payment for goods, operations in online banking systems, currency exchange and other payments to service providers. Accordingly, the part of the web that holds information about card holders and other authentication data keeps expanding.
The growth in the number and variety of services available to the end user over the Internet is directly proportional to the growth of the field for fraud. In the context of the problem under consideration, the main types of attack can be defined as:
- attacks on the service provider
- attacks on the end user
When the end user is attacked, cybercriminals are countered primarily by installing client software that meets security requirements and by informing the user about possible threats. When the attack is aimed at the service provider, comprehensive protective measures are needed, and intrusion prevention is a special stage among them. Intrusion prevention plays such an important role because the leakage of even part of the confidential data and its use by intruders leads to significant financial losses for both the service provider and the end user. Therefore, to reduce the risk of the service being hacked, of interruptions in operation and of data leakage, and to preserve the reputation of the resource, it is recommended to conduct an information security audit.
What is an information security audit?
The concept of an "information security audit" appeared relatively recently. Nevertheless, information security auditing is now one of the most relevant and dynamically developing areas of strategic and operational management in information systems security, and it attracts constant interest from specialists. Its main task is to objectively assess the current state of a company's information security (IS) and its adequacy to the goals and objectives of the business, in order to increase the efficiency and profitability of its economic activity. An information security audit of a corporate system is therefore usually understood as a systematic process of obtaining objective qualitative and quantitative assessments of the current state of a company's information security against defined criteria and security indicators. The results of a qualified audit of a company's information security are considered to make it possible to build a corporate security system that is optimal in terms of efficiency and cost and adequate to the current tasks and goals of the business.
Thus, a brief definition of an information security (IS) audit can be given: an information security audit is a test of a resource's ability to successfully counter information security threats.
Who needs an IS audit?
All companies aiming for success. A successful business cannot be built on hacked sites: user confidence falls immediately and traffic to the resource decreases; as a result, sales drop, the number of customers shrinks and financial losses follow. Given that absolutely all Internet resources are now of interest to cybercriminals (fraudsters are equally interested in hacking resources that hold payment-card information, passport details, passwords and accounts, and in hacking sites that can later be used for dubious purposes: sending spam, black-hat SEO, building a botnet, etc.), an IS audit is not a waste of money but an investment in stability.
Why is it not popular?
In most cases, because of a banal misunderstanding of the real need for the service. Most companies are not ready to pay a lot of money "just" to check whether the system can be compromised, because their owners are not informed about the number and extent of hacker threats. Often following the principle "maybe not every cloud brings a storm; if it does, maybe lightning won't strike; if it strikes, maybe not at us; and if it does hit us, maybe it won't kill", companies start thinking about security only when the system has already been compromised and serious damage has been done. It is better to learn and draw conclusions from the mistakes of others, so below are some real-life examples in which an IS audit could have saved nerves and money.
The website of a ministry in a certain country
This story happened three years ago during a penetration test of a government web resource. The first inspection of the site revealed a PHP include injection vulnerability: all links were built by including other PHP pages whose names were passed in a GET parameter. The server settings could not be called safe either: with magic_quotes_gpc = Off and allow_url_fopen = On, important system files could be read, which was already enough to extract sensitive information and then gain full access to the server.
Such a request made it easy to read the web server logs:
As it turned out later, a trivially simple piece of PHP code was to blame:
To eliminate the vulnerability, it was recommended to check that the file named by the variable exists, to use the strpbrk function to detect special characters (/ . \ ?), to forbid the web server from reading /proc/self/, and to set magic_quotes_gpc = On and allow_url_fopen = Off in php.ini.
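As an added example (not code from the article or from the audited site), here is how the page router could be rewritten along the lines of these recommendations; the original include($_GET['page'] . '.php') routing, the pages/ directory and the page names are assumptions.

```php
<?php
// Added example, not the audited site's code. Assumed original routing:
// include($_GET['page'] . '.php'), so the page name reached the filesystem unfiltered.
declare(strict_types=1);

// Pages the router may serve: the allow-list is the decisive control;
// the checks below it are defence in depth.
const PAGES = ['home', 'news', 'contacts'];
const PAGE_DIR = __DIR__ . '/pages';

function resolvePage(string $requested): ?string
{
    // 1. Reject path separators, dots, query characters and NUL bytes
    //    (the strpbrk() check the audit recommended).
    if (strpbrk($requested, "/\\.?\0") !== false) {
        return null;
    }
    // 2. Only names from the allow-list are accepted at all.
    if (!in_array($requested, PAGES, true)) {
        return null;
    }
    // 3. Resolve the real path and confirm the file exists and still lies
    //    inside PAGE_DIR (this also catches symlinks pointing elsewhere).
    $path = realpath(PAGE_DIR . '/' . $requested . '.php');
    $base = realpath(PAGE_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);   // no hint about which check failed
    exit('Page not found');
}
include $page;
```

Pair this with allow_url_fopen = Off (and allow_url_include = Off) in php.ini as the article recommends; magic_quotes_gpc was removed in PHP 5.4 and cannot be relied on at all on current versions.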
It would seem that protection should be among the first priorities, because it is easy to imagine what hacking a government website entails: penetration into the local network and access to computers that store, for example, information about the licensing of specialists (answer keys to the KROK exams, the external independent evaluation, etc.). After that the authenticity of the certificates that all higher education institutions require, and therefore the competence of future doctors, may be called into question.
E-commerce
More and more entertainment resources use their own in-game currency that can be converted into real money. During a penetration test of one such site, an error-based SQL injection was found.
The idea of the site was that you have a car, take part in races, upgrade cars and so on; some of these operations required topping up the account balance. During the check, the entire database structure was obtained through the SQL injection, and a directory scanner found old or test versions of the site with the Joomla content management system installed. To simulate the actions of cybercriminals, the Joomla password hashes were obtained through the same vulnerability and cracked by a crude brute-force attack, and access to the server was obtained by uploading a PHP shell through the Joomla administration panel. As a result, the database access passwords were obtained as well, which made it possible to manage account balances without any real transfer of funds. The balance logic was organized very simply:
In addition, passwords were stored in clear text.
Recommendations for fixing the vulnerability were as follows:
• Process input parameters with mysql_real_escape_string;
• Disable error output;
• Do not leave "useful" directories accessible from the web (old versions, dumps, test scripts, etc.);
• Even on test versions of sites, do not set passwords that may appear in dictionaries;
• Store passwords using an irreversible (one-way) hashing algorithm.
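An added example, not code from the article or the audited site, that applies the first, second and last recommendations to the balance lookup and login: the concatenated query the audit describes is replaced by prepared statements (mysql_real_escape_string belongs to the mysql_* extension, which no longer exists since PHP 7), SQL errors are kept off the page, and passwords are stored only as one-way hashes. The users table, the 'racer' account and the SQLite database are constructed so that it runs offline.

```php
<?php
// Added example, not the audited site's code: balance lookup and login with
// prepared statements and one-way password hashing. Runs offline on an
// in-memory SQLite database; the table and the 'racer' account are constructed.
declare(strict_types=1);
ini_set('display_errors', '0');  // error-based injection reads the SQL error text: keep it off the page
ini_set('log_errors', '1');      // ... but keep it in the server log for the administrators

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, pw_hash TEXT, balance INTEGER)');
// password_hash() stores a salted bcrypt hash; the clear-text password is never written anywhere.
$db->prepare('INSERT INTO users (login, pw_hash, balance) VALUES (?, ?, ?)')
   ->execute(['racer', password_hash('correct horse battery', PASSWORD_DEFAULT), 500]);

function getBalance(PDO $db, string $login): ?int
{
    // The placeholder binds $login as data: quotes or keywords inside it cannot alter the query.
    $st = $db->prepare('SELECT balance FROM users WHERE login = :login');
    $st->execute([':login' => $login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['balance'];
}

function checkLogin(PDO $db, string $login, string $password): bool
{
    $st = $db->prepare('SELECT pw_hash FROM users WHERE login = :login');
    $st->execute([':login' => $login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pw_hash']);  // compares against the hash only
}

function addFunds(PDO $db, string $login, int $amount): void
{
    // The only code path that changes a balance; call it after the payment is confirmed server-side.
    $st = $db->prepare('UPDATE users SET balance = balance + :amt WHERE login = :login');
    $st->bindValue(':amt', $amount, PDO::PARAM_INT);
    $st->bindValue(':login', $login, PDO::PARAM_STR);
    $st->execute();
}

try {
    var_dump(getBalance($db, 'racer'));                    // the real account
    var_dump(getBalance($db, "racer' OR '1'='1"));         // a literal, non-existent login name
    var_dump(checkLogin($db, 'racer', 'wrong password'));  // rejected, without saying why
    addFunds($db, 'racer', 100);
    var_dump(getBalance($db, 'racer'));
} catch (PDOException $e) {
    error_log($e->getMessage());                  // details go to the log only
    echo "Temporary error, please try again.\n";  // the user gets a generic message
}
```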
Invisible threat
While analyzing one of the hacked servers, injection of iframe code into the sites was noticed, with no identifiable source. The files on the server kept their integrity and their contents were unchanged, yet malicious code was being served to site visitors. A characteristic feature was the random appearance of the malicious code on absolutely all sites on the server. The culprit was the Apache malware module DarkLeech, which spread malware by "transparently" appending a couple of lines of code to the pages served by the web server. The physical module names were mod_spm_headers.so, mod_spm_mem.so, mod_log.so and mod_security.so, and httpd.conf contained the line:
LoadModule spm_headers_module modules/mod_spm_headers.so
The access logs revealed the vulnerable scripts through which the break-in had occurred; the malware modules were disabled and the operating system kernel was updated, since the attackers were suspected of using local root exploits.
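An added check, not from the article: it parses the LoadModule directives out of an httpd.conf and reports every module that is absent from a baseline the administrator maintains, which is the kind of comparison that would have flagged the DarkLeech modules. The baseline list and the configuration fragment (which includes the line quoted above) are constructed for the demonstration.

```php
<?php
// Added example, not from the article: compare loaded Apache modules with a baseline.
declare(strict_types=1);

// Modules the administrator knowingly installed (assumed baseline).
const BASELINE = ['mod_rewrite.so', 'mod_ssl.so', 'mod_php5.so'];

// Constructed httpd.conf fragment, including the line quoted in the article.
$httpdConf = <<<CONF
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule spm_headers_module modules/mod_spm_headers.so
LoadModule security_module modules/mod_security.so
CONF;

/** Return [module identifier => shared object file name] for every LoadModule directive. */
function parseLoadModules(string $conf): array
{
    $found = [];
    foreach (preg_split('/\R/', $conf) as $line) {
        // Directive syntax: LoadModule <identifier> <path>; comments and other lines are skipped.
        if (preg_match('/^\s*LoadModule\s+(\S+)\s+(\S+)/i', $line, $m)) {
            $found[$m[1]] = basename($m[2]);
        }
    }
    return $found;
}

/** Return the loaded modules whose file name is not in the baseline (keys preserved). */
function unexpectedModules(array $loaded, array $baseline): array
{
    return array_filter($loaded, fn(string $file) => !in_array($file, $baseline, true));
}

foreach (unexpectedModules(parseLoadModules($httpdConf), BASELINE) as $id => $file) {
    echo "Not in baseline: $id ($file)\n";
}
```

A name alone proves nothing, since mod_security.so was evidently chosen to look legitimate; verify each flagged file against package ownership and checksums (rpm -V or dpkg --verify) before deciding whether it belongs.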
This once again confirms the importance of integrated protection of the web resource, not just protection of the source code, which is what a full information security audit provides.
How much does it cost?
In most cases the cost of an IS audit cannot be determined right away; it all depends on the nature of the work (which vulnerabilities are to be found, from programmer errors to social engineering). In addition, some companies calculate the cost of the service based on the number of problems found, the number of lines of analyzed code and the form in which the results are presented (report, video report, recommendations for remediation, additional consultations). On average, though, prices start at $100. Such a price is typical either of companies that have just entered the market and work without certified specialists or audit standards, or of amateur teams consisting mainly of former black hats or unprofessional information security specialists. Of course, you cannot say
In this case the prices will be quite different: from $300-500 to $5000, depending on the tariff. For example, REG.RU's prices for these services are 25,000 rubles for the "Budget" tariff and from 150,000 rubles for "Corporate" (https://www.reg.ru/web-sites/security-audit/#prices). Such a high price is explained by the multi-level analysis of all parts of the system to identify critical points and introduce comprehensive protective measures, as well as by the high qualifications of the specialists, who hold Offensive Security Certified Professional (OSCP) and Certified Professional Penetration Tester (eCPPT) certificates.
Conclusions
What does ordering the "Site Security Audit" service from REG.RU provide?
- Description and assessment of the current level of security of the information system;
- Analysis of risks associated with the possibility of internal and external threats in relation to the resources of the information system;
- Drawing up a model of a potential attacker;
- Recommendations on the technical and organizational components of information security (elimination of vulnerabilities in the code, development of information security policies);
- Getting the maximum return on investment in information protection systems;
- Confirmation that the internal controls used are in line with the organization's objectives and enable business efficiency and continuity;
- Justification of investments in information security systems.
Most owners of hacked sites did not suspect that their resource had been broken into. Some system administrators took no action when they detected an intrusion, if there was no visible damage to the site, because they lacked knowledge on the subject. A security audit can provide objective information about the security of the site, allowing the owner of the resource not to jeopardize the business and its reputation. After all, when users and partners entrust their personal data to an organization, they are confident that it will be able to keep that data confidential.