The purpose of risk management is to understand the risk an organization faces. Senior officers in a corporation understand this well when it concerns threats to revenue; however, that understanding falls short when it comes to operational risk (Grobler, 2018). Cyber risk in particular is seldom understood, if at all, by senior executives and board members (Grobler, 2018). This is due to the complexity of cyber threats and the plethora of threat actors, each with varying tactics, techniques and procedures (Grobler, 2018). It is further exacerbated by the blurring of lines between nation-state actors and criminal enterprises (Grobler, 2018). Combined with the growing sophistication of malware, it is no wonder that understanding cyber risk is hard for non-technical organizational leadership (Grobler, 2018).
Managing risk in today's world is more complex than ever before (Serafin, 2013). Besides the traditional risks of operations, finance and compliance, it now also includes strategic risk (Serafin, 2013). Strategic risk has become a focus. In today's always-on, fast news cycle environment, organizations do not have the traditional news cycle in which to decide how to respond (Serafin, 2013). In the current environment, organizations need an immediate response (Serafin, 2013). This forces greater preparation and understanding of the risks facing an organization (Serafin, 2013), and it has shifted the focus to strategic risk (Serafin, 2013). Most organizations look at strategic risk through the lens of any major risk that could affect the organization's long-range positioning and performance (Serafin, 2013). The question is not whether one strategy fails but whether the overall strategy of the organization will fail (Serafin, 2013).
Operational risks are those that would keep an organization from carrying out its strategic plan (Serafin, 2013). Financial risks concern liquidity, credit, valuation, market share and financial reporting (Serafin, 2013). Compliance risks concern regulatory and legal requirements and ensuring that the organization adheres to them (Serafin, 2013).
Reputational risk has risen to become the biggest risk concern for most organizations (Serafin, 2013). This is largely due to the prevalence of social media (Serafin, 2013). Social media is one of the factors driving the need to respond to problems as they arise (Serafin, 2013). Organizations have a harder time controlling perceptions because of the speed of social media (Serafin, 2013). New technologies are not leveling off or slowing; they are growing in speed and reach (Serafin, 2013). Therefore, it will only get harder for organizations to keep up with, much less control, how they are perceived (Serafin, 2013).
Most organizations need to collect data from customers and business partners. This is usually accomplished with the help of web servers, which serve as the interface. Web servers also house the collected data and are networked with some of the most sensitive data within an organization, which makes them targets for malicious actors (Mohammad, 2016). Web servers can be hardware, software or both working together (Mohammad, 2016). As hardware, a web server is a computer that stores the web server software and the associated web files, such as HTML documents, Cascading Style Sheets and JavaScript files (Mohammad, 2016). The software includes several components that control how users access the web files (Mohammad, 2016). The files on a server are read through a web browser such as Microsoft Edge, Chrome, Firefox or Opera (Mohammad, 2016). If the web server uses a database of some kind to take in data from customers or business partners, it becomes a highly sought-after target for malicious actors. These databases are usually networked into the organization and become one of the many ways in which a malicious actor can gain a foothold inside an organization in preparation for lateral movement and further compromise (Mohammad, 2016).
There are numerous methods for attacking web servers (Mohammad, 2016). These include URL interpretation attacks, input validation attacks, SQL injection attacks, impersonation attacks and buffer overflow attacks (Mohammad, 2016). These methods give the malicious actor numerous attack vectors to gain the foothold required to compromise and breach a network (Mohammad, 2016).
The URL interpretation attack, sometimes called a URL poisoning attack, is conducted against a web server by manipulating the URL so that information beyond what the URL is meant to expose can be discovered (Mohammad, 2016). These attacks are often successful against CGI-based websites (Mohammad, 2016). An example of this kind of attack is when an attacker goes to a website that requires a login and selects the forgot-password button (Mohammad, 2016). After the security question is answered, the server verifies the information against the database (Mohammad, 2016). Once the resulting URL has been read, it can be used to try to gain access to another user's information (Mohammad, 2016). This type of attack can be prevented by applying a vendor-supplied patch or fix and by an in-depth verification of web server configurations (Mohammad, 2016).
Input validation attacks are another type of attack on a web server (Mohammad, 2016). In this type of attack, the attacker gets injected code executed on a web or database server (Mohammad, 2016), for example by injecting JavaScript code to bypass client-side checking (Mohammad, 2016). Data sent to a web server can arrive in a variety of formats, including the URL, HTTP headers, POST requests and cookies (Mohammad, 2016). If the code on the web server was written negligently, it may be exposed to input validation attacks (Mohammad, 2016). The only way to counter these attacks is to follow coding best practices for validating inputs, such as checking data types, data ranges and buffer sizes, to name just a few (Mohammad, 2016).
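As an added illustration of the server-side checks described above (example code, not from the cited article), the function below validates a submitted form field by field for data type, numeric range and maximum size, independently of any client-side JavaScript checks; the field names, rules and limits are assumptions chosen for the example.

```python
# Added example (not from the cited article): server-side validation of the
# fields of a submitted form, applied regardless of any client-side JavaScript
# checks, which an attacker can bypass. Field names, rules and limits are
# assumptions chosen for illustration.
import re

# Per-field rules: a pattern or integer type (data type), a numeric range,
# and a maximum length in bytes (buffer size).
FIELD_RULES = {
    "email":    {"pattern": re.compile(r"[^@\s]{1,64}@[^@\s.]+(\.[^@\s.]+)+"), "max_len": 254},
    "quantity": {"type": int, "min": 1, "max": 100, "max_len": 3},
    "postcode": {"pattern": re.compile(r"[0-9]{5}"), "max_len": 5},
    "comment":  {"pattern": re.compile(r"[\w .,!?-]*"), "max_len": 500},
}

def validate_form(form):
    """Return (cleaned_values, errors) for a dict of raw string fields (e.g. a POST body)."""
    cleaned, errors = {}, []
    for name in form:
        if name not in FIELD_RULES:
            errors.append(f"{name}: unexpected field")   # reject fields the form never had
    for name, rule in FIELD_RULES.items():
        raw = form.get(name)
        if not isinstance(raw, str):
            errors.append(f"{name}: missing")
            continue
        if len(raw.encode("utf-8")) > rule["max_len"]:   # size check comes first
            errors.append(f"{name}: exceeds {rule['max_len']} bytes")
            continue
        if rule.get("type") is int:
            if not (raw.isascii() and raw.isdigit()):    # type check: "1e3", "-5", " 7" fail
                errors.append(f"{name}: not an integer")
                continue
            value = int(raw)
            if not rule["min"] <= value <= rule["max"]:  # range check
                errors.append(f"{name}: out of range {rule['min']}-{rule['max']}")
                continue
            cleaned[name] = value
        elif rule["pattern"].fullmatch(raw) is None:     # format (data type) check
            errors.append(f"{name}: invalid format")
        else:
            cleaned[name] = raw
    return cleaned, errors
```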
Another input-type attack is the SQL injection attack (Mohammad, 2016). This method tries to modify or extract information from a database (Mohammad, 2016). The database can be manipulated by SQL scripts either by authorized users or by threat actors who use the same techniques with malicious intent (Mohammad, 2016). The primary targets for this kind of attack are e-commerce websites with large databases of customer data, including credit card information (Mohammad, 2016). These attacks can have disastrous consequences for a company (Mohammad, 2016). An SQL injection attack has no easy mitigation (Mohammad, 2016). It requires a thorough source code review (Mohammad, 2016). Other principles such as least privilege should also be considered (Mohammad, 2016). Deleting redundant and unnecessary database users and any procedures should be well thought out (Mohammad, 2016). These are just some of the review suggestions.
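The two lookups below, added here and not taken from the cited article, show the same customer query written with string concatenation and as a parameterized query, and apply least privilege by restricting the web-facing connection to reads of the one column the lookup needs; the table, rows and names are constructed for the example.

```python
# Added example (not from the cited article): one customer lookup written with
# string concatenation (vulnerable) and with a bound parameter (safe), plus a
# least-privilege authorizer that lets the web-facing connection read only the
# column the lookup needs. Table, rows and names are constructed for illustration.
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers (email, card) VALUES (?, ?)",
                     [("alice@example.test", "4111-constructed-0001"),
                      ("bob@example.test", "5500-constructed-0002")])
    return conn

def lookup_vulnerable(conn, email):
    # The untrusted value is spliced into the SQL text, so it can change the query.
    sql = f"SELECT email FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, email):
    # The value is bound as data; the SQL text is fixed at development time.
    rows = conn.execute("SELECT email FROM customers WHERE email = ?", (email,))
    return [row[0] for row in rows]

def restrict_to_email_reads(conn):
    """Least privilege: deny everything except SELECTs that read customers.email."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and (arg1, arg2) == ("customers", "email"):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY   # card column, INSERT/UPDATE/DELETE/DROP, ...
    conn.set_authorizer(authorizer)

def is_denied(conn, sql):
    """True when the authorizer blocks the statement (SQLite raises 'not authorized')."""
    try:
        conn.execute(sql).fetchall()
        return False
    except sqlite3.DatabaseError:
        return True

def demo():
    """Run the textbook tautology probe through both lookups on a fresh database."""
    conn = make_db()
    probe = "' OR '1'='1"   # turns the concatenated WHERE clause into always-true
    return lookup_vulnerable(conn, probe), lookup_safe(conn, probe)
```

The vulnerable lookup returns every customer for the probe while the parameterized one returns nothing, and with the authorizer installed the connection can no longer read the card column or delete rows even if the first query had been exploited.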
An impersonation attack is carried out by an attacker spoofing an IP address that has access to the web server (Mohammad, 2016). Therefore, this kind of attack is also known as an IP spoofing attack (Mohammad, 2016). It requires special software that allows the attacker to create an IP packet that appears to come from another IP address reserved for authorized users (Mohammad, 2016). This exploits vulnerabilities in authentication protocols to gain access. Countering these attacks is done by restricting web server configurations (Mohammad, 2016). Using a firewall to track the source IP from which the request originates is also a best practice (Mohammad, 2016). Cookies should also be obfuscated so that it isn't possible to manipulate them (Mohammad, 2016).
Another attack vector is the buffer overflow attack (Mohammad, 2016). This happens when an attacker deliberately overflows memory reserved for user input (Mohammad, 2016). These attacks are conducted to cause a denial of service (DoS) or to inject executable code into memory in the hope that it will be executed, thereby giving the attacker access (Mohammad, 2016). The outcome depends on the return address specified by the attacker (Mohammad, 2016). After the buffer overflow causes a system crash, the system upon recovery may treat the injected code as within parameters, thus executing the attacker's code (Mohammad, 2016). The best countermeasure for this attack is a vendor-supplied corrective action or patch (Mohammad, 2016). As with many of the previous attack vectors, a thorough review of the code is also a good first countermeasure (Mohammad, 2016).
The last attack vector that will be discussed, though not the last one available to attackers, is the denial of service attack (Mohammad, 2016). Here an attacker tries to keep legitimate users from using the web server (Mohammad, 2016). This is accomplished by multiple methods. One presented earlier is the buffer overflow (Mohammad, 2016); as stated, a buffer overflow can crash a web server, making it unusable (Mohammad, 2016). Other methods for causing a DoS against a web server include sending invalid input data that causes the application to terminate, and flooding the web server with automated requests until it crashes (Mohammad, 2016). Mitigating DoS attacks is possible with a server firewall that inspects all HTTP traffic and stops any data packet that appears malicious or originates from an unauthorized source (Mohammad, 2016). There are also vendors that can assist with DoS mitigation (Mohammad, 2016).
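As an added example (not from the cited article) of the traffic inspection described above, the code below counts requests per source address over a sliding time window in web server access-log lines to flag a request flood; the log lines, threshold and window are constructed for illustration and the lines are assumed to arrive in time order.

```python
# Added example (not from the cited article): flag sources that flood a web
# server with automated requests by counting requests per client IP in a
# sliding time window over Combined Log Format lines. Log lines, threshold
# and window are constructed for illustration; lines are assumed time-ordered.
from collections import deque, defaultdict
from datetime import datetime
import re

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

def parse_line(line):
    """Return (ip, timestamp, request, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, request, int(status)

def flood_sources(lines, max_requests, window_seconds):
    """Return {ip: peak_count} for IPs that exceed max_requests within window_seconds."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the current window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # a malformed line must never stop the analysis
        ip, when, _, _ = parsed
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop requests that fell out of the window
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample: one client sends 6 requests in 3 seconds, another sends 2.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2020:13:55:%02d +0000] "GET /login HTTP/1.1" 200 512' % s
    for s in (36, 36, 37, 37, 38, 39)
] + [
    '198.51.100.2 - - [10/Oct/2020:13:55:36 +0000] "GET / HTTP/1.1" 200 1024',
    '198.51.100.2 - - [10/Oct/2020:13:55:40 +0000] "GET /about HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]
```

With a limit of 5 requests per 10 seconds the sample flags only 203.0.113.7 (peak of 6); the flagged addresses are what a firewall rule or rate limiter would then act on.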
Attack vectors on web servers are mitigated by applying the appropriate configuration and procedures. How does an organization ensure that it is following best practices and not missing something in its configurations (Mohammad, 2016)? This is accomplished using standards, such as ISO 27001/27002 and COBIT 5.
The ISO 27001/27002 standard was built for cyber security. It was based on the U.K.'s BS7799-2 standard with additional enhanced content (An Introduction To ISO 27001 (ISO27001), 2013). ISO 27001 provides the requirements for an Information Security Management System (ISMS) (An Introduction To ISO 27001 (ISO27001), 2013). The first version, in 2005, was set against the "Plan-Do-Check-Act" model (An Introduction To ISO 27001 (ISO27001), 2013). The subsequent version from 2013 places more emphasis on measuring and evaluating how well an organization's ISMS performs (An Introduction To ISO 27001 (ISO27001), 2013). ISO 27002 outlines hundreds of potential controls and control mechanisms within ISO 27001 (Introduction To ISO 27002 (ISO27002), 2013). ISO 27002 details the controls behind the overall guidance of ISO 27001 (Introduction To ISO 27002 (ISO27002), 2013). It gives the organization the guidance to ensure that corrective actions are taken to mitigate threats such as the web server threats described above, and the knowledge of where to look so that everything is considered in mitigating them (Introduction To ISO 27002 (ISO27002), 2013).
COBIT 5 is another framework used in cyber security (Garsoux, n.d.). It was developed by ISACA to help organizations bring order to a multitude of complex frameworks and get value from them. It also helps all stakeholders in an organization protect assets so that value can be derived from them (Garsoux, n.d.). COBIT 5 is a comprehensive approach to IT management (Garsoux, n.d.). This assists in the overall management of IT security to mitigate risks (Grobler, 2018).
These frameworks are not exclusive but inclusive, and they are often used together. Some organizations have used the COBIT framework as the overall guidance, the 'wrapper' for the other frameworks (Frisken, 2015). ISO 27001 can then be used to go deeper into how an organization will apply its security policies, and ISO 27002 to further define the exact procedures to follow (Frisken, 2015). In this way, the standards form an all-encompassing security methodology so that attacks such as those on web servers are mitigated (Frisken, 2015).
References
An Introduction To ISO 27001 (ISO27001). (2013). Retrieved from The ISO 27000 Directory: http://www.27000.org/iso-27001.htm
Frisken, J. (2015). Leveraging COBIT to Implement Information Security. ISACA.
Garsoux, M. (n.d.). COBIT 5: ISACA's new Framework for IT Governance, Risk, Security and Auditing. Retrieved from Qualified Audit Partners: http://www.qualified-audit-partners.be/user_files/QECB_GLC_COBIT_5_ISACA_s_new_framework_201303.pdf
Grobler, J. (2018). Cyber risk from a chief risk officer perspective. Journal of Risk Management in Financial Institutions, 125-131.
Introduction To ISO 27002 (ISO27002). (2013). Retrieved from The ISO 27000 Directory: http://www.27000.org/iso-27002.htm
Mohammad, A. (2016, February 19). Top 10 Web Server Attacks: Impact And Prevention. Retrieved from Theem'on: https://theemon.com/top-10-web-server-attacks-impact-and-prevention/
Serafin, T. (2013). Exploring Strategic Risk. Forbes Insight.