Web Application Information Security Risks



    The use of information systems and technologies is associated with a certain set of risks. Risk assessment is necessary to monitor the effectiveness of activities in the field of information security, take appropriate protective measures and build effective economically sound protection systems.

    The basis of risk is formed by the possible vulnerabilities and threats to the organization. Identifying potential or actual risks of breaches of confidentiality and integrity, the spread of malware and financial fraud, and classifying information security threats, is therefore one of the primary tasks of protecting a web application.

    Risks need to be monitored constantly, periodically reassessing them. Note that a conscientious and carefully documented first assessment can greatly simplify follow-up. Risk management, like any other activity in the field of information security, must be integrated into the life cycle of the information system. Then the effect is greatest, and the costs are minimal. We can distinguish the main stages of the life cycle of an information system:

    • initiation, according to the business processes of the company;
    • installation;
    • operation;
    • decommissioning.

    Information system and its components


    The first step in the risk assessment process is to determine the object of assessment, that is, the boundaries of the analyzed information system (IS), as well as the resources and information that make up the IS. The following information must be collected about the system:

    • IS architecture;
    • hardware used;
    • software used;
    • system interfaces (internal and external connectivity);
    • network topology;
    • data and information present in the system;
    • support staff and users;
    • system mission (i.e., the processes performed by the IS);
    • criticality of the system and data;
    • sensitivity (i.e. the required level of security) of the system and data.

    Actions: assessment of the technical specifications of the system’s functionality and its actual components.

    Management of risks


    Risk management includes two types of activities that alternate cyclically:

    • routine risk assessment;
    • selection of effective and economically justified protective measures (risk mitigation).

    In relation to the identified risks, the following actions are possible:

    • elimination of risk (for example, by eliminating vulnerabilities);
    • risk reduction (for example, through the use of additional protective measures or actions);
    • risk acceptance (and development of an action plan in appropriate conditions).

    Risk management can be divided into the following stages:

    • inventory of analyzed objects;
    • selection of risk assessment methods;
    • asset identification;
    • analysis of threats and their consequences;
    • defining security vulnerabilities;
    • risk assessment;
    • selection of protective measures;
    • implementation and verification of selected measures;
    • residual risk assessment.

    To determine the main risks, you can follow the following chain: source of threat > factor (vulnerability) > threat (action) > consequences (attack).
    • The source of the threat is a potential anthropogenic, man-made or natural carrier of a security threat.
    • A threat (action) is a possible danger (potential or actual) of an act (action or inaction) directed against the object of protection (information resources) that harms the owner, holder or user, who faces distortion or loss of information.
    • A factor (vulnerability) is a cause inherent in the protected object that leads to a breach of information security at that object. Such causes stem from shortcomings in how the object operates, from the properties of the architecture of the automated system, from the communication protocols and interfaces used by the software and hardware platform, and from the operating conditions.
    • Consequences (attack) are the possible outcomes of a threat being realized when the threat source acts through the available factors (vulnerabilities).

    Actions: implementation of the company's information security policy.

    Source of threat


    Anthropogenic sources of information security threats are entities whose actions can be qualified as intentional or accidental offences. Countermeasures depend directly on those who organize information security.

    As an anthropogenic source of threats, one can consider an entity that has access (authorized or unauthorized) to work with the standard means of the protected object. In simple words, it is either an attacker or a group of attackers, or company personnel motivated by various factors to commit unlawful or improper acts. Subjects (sources) whose actions can lead to a breach of information security can be both external and internal.

    External sources may be random or deliberate and have different skill levels. These include:

    • criminal structures;
    • potential criminals and hackers;
    • unscrupulous partners;
    • technical staff of telematic service providers;
    • representatives of supervisory organizations and emergency services;
    • representatives of law enforcement agencies.

    Internal subjects (sources), as a rule, are highly qualified specialists in the development and operation of software and hardware. They are familiar with the specifics of the tasks being solved, with the structure, basic functions and operating principles of the software and hardware information protection, and are able to use standard equipment and network hardware. These include:

    • core staff (users, programmers, developers);
    • representatives of the information security service.

    Actions: compilation of a probabilistic scale of threat sources.

    Threat analysis


    The main source of threats to the information security of a web application is external intruders.

    An external intruder is a person motivated, as a rule, by commercial interest, who has the ability to access the company's website, has no knowledge of the information system under study, is highly qualified in network security issues and has extensive experience in carrying out network attacks on various types of information systems.

    Based on this, we need to take measures to identify the maximum possible number of vulnerabilities in order to reduce the potential attack surface. To do this, it is necessary to carry out procedures for identifying technical vulnerabilities. They can be either one-off or regularly scheduled, and they affect various infrastructure objects.

    In the context of a web application, they can be divided into the following steps:

    • Search for vulnerabilities in server components;
    • Search for vulnerabilities in the server's web environment;
    • Checking whether the resource openly exposes confidential or secret information;
    • Checking for weak or guessable passwords (password brute-force testing).

    Actions: drawing up the work schedule for identifying vulnerabilities, patch management.

    Identification of technical vulnerabilities


    Identification of technical vulnerabilities is performed for the external and internal perimeter of the corporate network. The external perimeter is the aggregate of all network entry points. The internal perimeter includes hosts and applications that are accessible from the inside.

    Traditionally, two main testing methods are used:

    • black box testing;
    • white box testing.

    Testing by the "black box" method implies that the testing party has no knowledge of the configuration and internal structure of the test object. In this case, all known types of attacks are carried out against the test object, and the resilience of the defense system against these attacks is checked. The testing methods used imitate the actions of potential attackers trying to break into the security system.

    The "white box" method involves preparing a testing program based on knowledge of the structure and configuration of the test object. During the test, the presence and operability of security mechanisms and the compliance of the composition and configuration of the protection system with the security requirements are checked. Conclusions about the presence of vulnerabilities are drawn from an analysis of the configuration of the security features and system software in use, and are then verified in practice.

    Also, there is a testing method called “gray box”, which combines the above methods when partial information about the test object is known.

    A separate point of the study is the ability of the infrastructure to work at peak loads and withstand the large amount of “junk traffic” generated by intruders or malware.

    To study the response time of the system at high or peak loads, “stress testing” is performed, in which the load created on the system exceeds the normal scenarios of its use. The main goal of load testing is to create a certain expected load in the system (for example, through virtual users) to monitor the performance of the system.

    Actions: information security audit, including regulatory (for example, according to PCI DSS).

    Risk treatment


    When combining the value of assets with threats and vulnerabilities, it is necessary to consider the possible threat / vulnerability combinations that affect the confidentiality, integrity and / or availability of these assets. Depending on the results of these reviews, the appropriate asset values should be selected, i.e. values that express the consequences of a breach of confidentiality, integrity or availability.

    Using this method can lead to consideration of one, two or three risks for one asset, depending on the specific threat / vulnerability combination under consideration.

    When determining actual threats, the expert-analytical method determines the objects of protection that are exposed to a particular threat, the characteristic sources of these threats and vulnerabilities that contribute to the implementation of threats.

    Based on the analysis, a matrix of the relationships between threat sources and vulnerabilities is compiled. From it, the possible consequences of the realization of threats (attacks) are determined, and the hazard coefficient of each attack is calculated as the product of the hazard coefficients of the respective threat and the threat source identified earlier. At the same time, it is assumed that attacks with a hazard coefficient below 0.1 (an expert assumption) may be excluded from further consideration because of the low probability of their occurrence at the object in question.
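    The matrix described above, carried through as an added example (not code from the article): threat sources and the vulnerability/threat pairs they can act through are combined, each attack's hazard coefficient is the product of the two coefficients, and combinations below the 0.1 cut-off are dropped. All sources, vulnerabilities and coefficient values are constructed for illustration.

```python
# Added example: threat-source x vulnerability hazard matrix with the 0.1
# expert cut-off described in the text. All coefficients are constructed.
from itertools import product

HAZARD_THRESHOLD = 0.1  # expert cut-off from the text

# Hazard coefficient of each threat source (constructed, 0..1 scale).
SOURCES = {
    "external attacker": 0.8,
    "unscrupulous partner": 0.4,
    "internal developer": 0.3,
}

# Vulnerability (factor) -> (threat it enables, hazard coefficient of that
# threat). Values are constructed for the example.
VULNERABILITIES = {
    "outdated server component": ("remote code execution", 0.9),
    "weak password policy": ("account takeover", 0.5),
    "verbose error pages": ("information disclosure", 0.2),
}


def hazard_matrix(sources, vulns):
    """Return {(source, vulnerability): (threat, coefficient)} for every pair.
    The attack coefficient is the product of the source and threat coefficients."""
    matrix = {}
    for (src, s_coef), (vuln, (threat, v_coef)) in product(sources.items(), vulns.items()):
        matrix[(src, vuln)] = (threat, round(s_coef * v_coef, 3))
    return matrix


def actual_attacks(matrix, threshold=HAZARD_THRESHOLD):
    """Keep only attacks whose coefficient reaches the threshold, most hazardous first."""
    kept = [(coef, src, vuln, threat)
            for (src, vuln), (threat, coef) in matrix.items() if coef >= threshold]
    return sorted(kept, reverse=True)


if __name__ == "__main__":
    m = hazard_matrix(SOURCES, VULNERABILITIES)
    kept = actual_attacks(m)
    for coef, src, vuln, threat in kept:
        print(f"{coef:.3f}  {src:22s} via {vuln:26s} -> {threat}")
    print(f"{len(m) - len(kept)} combination(s) below {HAZARD_THRESHOLD} dropped")
```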

    Actions: compliance management, consolidation and control of compliance with the requirements of IT and IS policies.

    Neutralization and Countermeasures


    Risk mitigation includes setting priorities, evaluating and implementing countermeasures that reduce risks and are recommended based on the results of a risk assessment.

    Since complete elimination of risks is impossible, the organization's management should follow the principle of minimum sufficiency, implementing only the necessary and most appropriate security controls in order to reduce risks to an acceptable level with minimal negative impact on the organization's budget, resources and mission.

    A necessary element of risk management is the evaluation of economic efficiency, the purpose of which is to demonstrate that the costs of implementing additional countermeasures pay off through the reduction in risk. When calculating the costs of implementing security controls, consider:

    • hardware and software acquisition costs;
    • decrease in the operational efficiency of the IS, if the performance or functionality of the system falls as a result of increased security measures;
    • the costs of developing and implementing additional policies and procedures;
    • additional costs for personnel involved in implementing the proposed security controls;
    • staff training costs;
    • maintenance and support costs.

    As security measures, the following solutions can be implemented (individually or in combination), either by in-house specialists and / or through outsourcing of information security:

    • Web application firewalls (WAF) protecting against application-level attacks;
    • Security information and event management systems (SIEM);
    • Compliance management systems;
    • Identity and access management systems (IAM);
    • Single- and multi-factor authentication systems in corporate networks;
    • Data leak prevention systems for confidential information (DLP);
    • Information rights management systems (IRM);
    • Public Key Infrastructure (PKI);
    • Network security solutions;
    • Anti-virus protection systems;
    • Email protection systems against spam, viruses and other threats;
    • Content filtering systems for web traffic;
    • Access control systems for peripheral devices and applications;
    • Integrity monitoring systems for software environments;
    • Cryptographic protection systems for information storage.

    Actions: implementation of technical measures to ensure information security; implementation of administrative measures; raising staff awareness.
