Sunday, July 22, 2018

IT Security Risks Associated with Web Servers and Frameworks For Mitigation

The purpose of risk management is to understand the risks an organization faces. This is well understood by senior officers in a corporation when it concerns threats to revenue; however, this understanding falls short when it comes to operational risk (Grobler, 2018). Cyber risk, in turn, is seldom understood, if at all, by senior executives and board members (Grobler, 2018). This is due to the complexity of cyber threats and the plethora of threat actors, each with varying tactics, techniques and procedures (Grobler, 2018). It is further exacerbated by the blurring of lines between nation state actors and criminal enterprises (Grobler, 2018). Combined with the growing sophistication of malware, it is no wonder that understanding these risks is hard for non-technical organizational leadership (Grobler, 2018).
Managing risk in today's world is more complex than ever before (Serafin, 2013). Besides the traditional operational, financial and compliance risks, it also includes strategic risk (Serafin, 2013). Strategic risk has now become a focus. In today's always-on, fast news cycle environment, organizations no longer have the traditional news cycle in which to decide what to do and respond (Serafin, 2013). In the current environment, organizations need an immediate response (Serafin, 2013). This forces greater preparation and understanding of the risks facing an organization (Serafin, 2013), and it has shifted the focus to strategic risks (Serafin, 2013). Most organizations look at strategic risk through the lens of any major risk that could affect the organization's long-range positioning and performance (Serafin, 2013). The question is not whether a single initiative fails but whether the overall strategy of the organization fails (Serafin, 2013). Operational risks are those that would keep an organization from carrying out its strategic plan (Serafin, 2013). Financial risks concern liquidity, credit, valuation, market share and financial reporting (Serafin, 2013). Compliance risks concern regulatory and legal requirements and ensuring the organization adheres to them (Serafin, 2013).
Reputational risk has risen to become the biggest risk concern for most organizations (Serafin, 2013). This is largely due to the prevalence of social media (Serafin, 2013). Social media is one of the factors driving the need to respond to problems as they arise (Serafin, 2013). Organizations have a harder time controlling perceptions because of the speed of social media (Serafin, 2013). New technologies are not leveling off or slowing; they are growing in speed and reach (Serafin, 2013). Therefore, it will continue to get harder for organizations to keep up with, much less control, how they are perceived (Serafin, 2013).
Most organizations need to collect data from customers and business partners. This is usually accomplished with the help of web servers, which serve as the interface. They also house the collected data and are networked with some of the most sensitive data within an organization, which makes them targets for malicious actors (Mohammad, 2016). A web server can be hardware, software or both working together (Mohammad, 2016). As hardware, a web server is a computer that stores the web server software and the associated web files, such as HTML documents, Cascading Style Sheets and JavaScript files (Mohammad, 2016). The software includes several components that control how users access those files (Mohammad, 2016). The files on a server are read through a web browser such as Microsoft Edge, Chrome, Firefox or Opera (Mohammad, 2016). If the web server uses a database of some kind to take in data from customers or business partners, it becomes a highly sought-after target for malicious actors. These databases are usually networked into the organization and become one of the many ways in which a malicious actor can gain a foothold inside an organization in preparation for lateral movement and further compromise (Mohammad, 2016).
There are numerous methods for attacking web servers (Mohammad, 2016). These include URL interpretation attacks, input validation attacks, SQL injection attacks, impersonation attacks and buffer overflow attacks (Mohammad, 2016). These methods give the malicious actor numerous attack vectors for gaining the foothold required to compromise and breach a network (Mohammad, 2016).
The URL interpretation attack, sometimes called a URL poisoning attack, is conducted against a web server by manipulating the URL so that information beyond what the URL was meant to expose can be discovered (Mohammad, 2016). These attacks are often successful against CGI-based websites (Mohammad, 2016). An example of this kind of attack is when an attacker goes to a website that requires a login and selects the forgot password button (Mohammad, 2016). After the security question is answered, the server verifies the information against the database (Mohammad, 2016). Once read, the resulting URL can be used to try to gain access to another user's information (Mohammad, 2016). This type of attack can be prevented by implementing a vendor-supplied patch or fix and by an in-depth verification of web server configurations (Mohammad, 2016).
Input validation attacks are another type of attack on a web server (Mohammad, 2016). This type of attack occurs when an attacker executes injected code on a web or database server, for example by injecting JavaScript code to bypass client-side checking (Mohammad, 2016). Data sent to a web server can arrive in a variety of formats, including the URL, HTTP headers, POST requests and cookies (Mohammad, 2016). If the code on the web server validates this data negligently, it may be open to input validation attacks (Mohammad, 2016). The only way to counter these attacks is to follow coding best practices for validating inputs, such as checking data types, data ranges and buffer sizes, to name just a few (Mohammad, 2016).
Another input-based attack is the SQL injection attack (Mohammad, 2016). This method tries to modify or extract information from a database (Mohammad, 2016). The database can be manipulated by SQL scripts, whether by authorized users or by threat actors who use these same techniques with malicious intent (Mohammad, 2016). The primary targets for this kind of attack are e-commerce websites with large databases of customer data, including credit card information (Mohammad, 2016). These attacks can have disastrous consequences for a company (Mohammad, 2016). An SQL injection attack has no easy mitigation (Mohammad, 2016); it requires a thorough source code review (Mohammad, 2016). Other principles, such as least privilege, should also be considered (Mohammad, 2016). Deleting redundant and unnecessary database users and procedures should also be well thought out (Mohammad, 2016). These are just some of the review suggestions.
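As an added example (not code from the original post or from the cited source), the following Python sketch contrasts a negligent lookup that splices user input into the SQL text with a hardened version that validates the input (type, size, format) and binds it as a query parameter; the in-memory SQLite customer table and its rows are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory stand-in for an e-commerce customer table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "alice@example.com", "1111"), (2, "bob@example.com", "2222")])
    return conn


def lookup_vulnerable(conn, email):
    # Negligent code: the untrusted value becomes part of the SQL statement
    # itself, so a crafted value can change the meaning of the WHERE clause.
    sql = "SELECT id, email FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value):
    # Input validation: data type, buffer size (254 chars is the commonly
    # cited address limit) and format, checked before the value is used.
    return isinstance(value, str) and len(value) <= 254 and EMAIL_RE.match(value) is not None


def lookup_parameterised(conn, email):
    # Parameter binding: the driver passes the value separately from the SQL
    # syntax, so a crafted value is compared literally and matches no row.
    return conn.execute("SELECT id, email FROM customers WHERE email = ?", (email,)).fetchall()


def lookup_hardened(conn, email):
    # Defence in depth: reject malformed input first, then use the bound query.
    if not is_valid_email(email):
        raise ValueError("rejected: not a well-formed email address")
    return lookup_parameterised(conn, email)
```

Pair this with the least-privilege advice above: the database account the web application uses should only be able to read and write the tables the application needs.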
An impersonation attack is carried out by an attacker who spoofs an IP address that has access to the web server (Mohammad, 2016). For this reason, it is also known as an IP spoofing attack (Mohammad, 2016). The attack requires special software that allows the attacker to craft an IP packet that appears to come from another IP address, one reserved for authorized users (Mohammad, 2016). This exploits vulnerabilities in authentication protocols to gain access. Countering these attacks is done by restricting web server configurations (Mohammad, 2016). Using a firewall to track the source IP from which each request originates is also a best practice (Mohammad, 2016). Cookies should also be obfuscated so that it is not possible to manipulate them (Mohammad, 2016).
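The paragraph above calls for cookies that cannot be manipulated; a standard way to achieve that is to sign the cookie with an HMAC so the server detects any client-side edit (signing rather than obfuscation). This is an added Python example, not code from the post or its sources; the secret key and the session contents are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed placeholder: in production load a random key from a secret store.
SECRET_KEY = b"placeholder-key-replace-with-32-random-bytes"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(session: dict) -> str:
    # Cookie value is base64(payload).base64(HMAC-SHA256(payload)). The payload
    # stays readable, but it cannot be altered without knowing SECRET_KEY.
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(cookie: str):
    # Returns the session dict if the tag matches, otherwise None. Any parse
    # failure is treated as tampering instead of raising into the request handler.
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


def tampered_copy(cookie: str, session: dict) -> str:
    # Models what a client without the key can do: swap the payload, keep the old tag.
    new_payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    return _b64(new_payload) + "." + cookie.split(".", 1)[1]
```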
Another attack vector is the buffer overflow attack (Mohammad, 2016). This happens when an attacker deliberately overflows memory that is reserved for user input (Mohammad, 2016). These attacks are conducted either to cause a denial of service (DoS) or to inject executable code into memory in the hope that it will be executed, thereby giving the attacker access (Mohammad, 2016). The outcome depends on the return address specified by the attacker (Mohammad, 2016). After the overflow causes a system crash, the system on recovery may treat the injected code as being within parameters and execute the attacker's code (Mohammad, 2016). The best countermeasure for this attack is a vendor-supplied corrective action or patch (Mohammad, 2016). As with many of the previous attack vectors, a thorough review of the code is also a good first countermeasure (Mohammad, 2016).
The last attack vector to be discussed here, though not the last one available to attackers, is the denial of service attack (Mohammad, 2016). This is where an attacker tries to keep legitimate users from using the web server (Mohammad, 2016). It is accomplished by multiple methods; one presented above is the buffer overflow (Mohammad, 2016). As previously stated, a buffer overflow can crash a web server, making it unusable (Mohammad, 2016). Other methods for causing a DoS against a web server include sending invalid input data that causes the application to terminate, or flooding the web server with automated requests until it crashes (Mohammad, 2016). Mitigating DoS attacks is possible by using a server firewall that inspects all HTTP traffic and stops any packet that appears malicious or originates from an unauthorized source (Mohammad, 2016). There are also vendors that can assist with DoS mitigation (Mohammad, 2016).
Attack vectors on web servers are mitigated by applying the appropriate configuration and procedures. How does an organization ensure it is following best practices and not missing something in its configurations (Mohammad, 2016)? This is accomplished using standards. Some of these standards are ISO 27001/27002 and COBIT 5.
The ISO 27001/27002 standard is built for cyber security. It was based on the U.K.'s BS7799-2 standard with additional enhanced content (An Introduction To ISO 27001 (ISO27001), 2013). ISO 27001 provides the requirements for an Information Security Management System (ISMS) (An Introduction To ISO 27001 (ISO27001), 2013). The first version, in 2005, was set against the "Plan-Do-Check-Act" model (An Introduction To ISO 27001 (ISO27001), 2013). The subsequent 2013 version places more emphasis on measuring and evaluating how well an organization's ISMS performs (An Introduction To ISO 27001 (ISO27001), 2013). ISO 27002 outlines hundreds of potential controls and control mechanisms within the scope of ISO 27001 (Introduction To ISO 27002 (ISO27002), 2013). ISO 27002 details the controls behind the overall guidance of ISO 27001 (Introduction To ISO 27002 (ISO27002), 2013). It gives the organization the guidance to ensure corrective actions are taken to mitigate threats such as the web server threats described above, and the knowledge to ensure everything has been considered in mitigating them (Introduction To ISO 27002 (ISO27002), 2013).
COBIT 5 is another framework used in cyber security (Garsoux). It was developed by ISACA to assist organizations in bringing order to a multitude of complex frameworks and in getting value from them. It also helps all stakeholders in an organization to protect assets, so that value can be derived from them (Garsoux). COBIT 5 is a comprehensive approach to IT management (Garsoux). This assists in the overall management of IT security to mitigate risks (Grobler, 2018).
These frameworks are not exclusive but inclusive, and they are often used together. Some organizations have used the COBIT framework as the overall guidance, the 'wrapper' for the other frameworks (Frisken, 2015). ISO 27001 can then be used to go deeper into how an organization will apply its security policies, and ISO 27002 can be used to further define the exact procedures to follow (Frisken, 2015). In this way, the standards form an all-encompassing security methodology so that attacks such as those on web servers are mitigated (Frisken, 2015).

References


An Introduction To ISO 27001 (ISO27001). (2013). Retrieved from The ISO 27000 Directory: http://www.27000.org/iso-27001.htm

Frisken, J. (2015). Leveraging COBIT to Implement Information Security. ISACA.

Garsoux, M. (n.d.). COBIT 5 ISACA's new Framework for IT Governance, Risk, Security and Auditing. Retrieved from Qualified Audit Partners: http://www.qualified-audit-partners.be/user_files/QECB_GLC_COBIT_5_ISACA_s_new_framework_201303.pdf

Grobler, J. (2018). Cyber risk form a chief risk officer perspective. Journal of Risk Management in Financial Institutions, 125-131.

Introduction To ISO 27002 (ISO27002). (2013). Retrieved from The ISO 27000 Directory: http://www.27000.org/iso-27002.htm

Mohammad, A. (2016, February 19). Top 10 Web Server Attacks: Impact And Prevention. Retrieved from Theem'on: https://theemon.com/top-10-web-server-attacks-impact-and-prevention/

Serafin, T. (2013). Exploring Strategic Risk. Forbes Insight.
