Web security is now mandatory

Gone are the days when security was optional

More than 70 percent of all hacking attempts are carried out through the web.

It is not easy even for experts to guarantee web security, because there are currently no standardized web security measures, and each company has built its own security system differently.

In order to secure web services, security managers have to fully understand web security and establish a web security system that fits the company’s IT system. To meet this need, most companies install web security solutions. However, very few install and operate those solutions in the right place with a full understanding of web security.

In other words, achieving web security requires understanding both the IT system and web security itself.

Understanding the IT System

Understanding the client-server structure is required to fully understand an IT system.

Figure 1. Client-Server Structure

We generally use desktops, laptops and mobile devices to access the web.

In IT terms, the desktops, laptops and mobile devices used to access the web are called “clients.” The service providers are called “servers”; they store web content such as websites and mobile applications and serve it when clients connect. (Not all servers in an IT system are web servers, but we take web servers as the example since we are discussing web security here.) Simply put, the web is the network that connects clients and web servers.

From a security point of view, client security is generally concerned with the safety of an individual’s system, whereas server security is concerned with the safety of an enterprise’s systems. Of course, internal corporate security matters as well, but here we focus on server security, which is the core of web security in enterprises.

To understand the server system structure of enterprises, let’s take a look at the IT system structure.

Figure 2. IT System Structure

An IT system consists of a network layer, a system layer, and an application layer. There are many IT system models, such as the OSI 7-layer model and the TCP/IP model, but these three layers (network, system, and application) are the common denominators of both classifications, as the figure above shows. The three layers interact with one another to make IT systems work.

Each layer has its own basic functionality. The network layer sends and receives data. The system layer is the platform on which applications run, namely operating systems such as Windows and Linux. On top of the system layer, the application layer provides protocols (HTTP, FTP, etc.) and application services.

The structure of a server follows this layered structure as well. Therefore, when all three layers, network, system and application, are secured, we can say that the server is secured.

In an IT system, network and system security are actually implemented as follows.

Basic Network Security

To secure the network, access from unsafe IPs or ports must be controlled, and traffic arriving through allowed IPs or ports must be inspected for harmful content. For this reason, most companies install firewalls and intrusion detection/prevention systems (IDS/IPS). However, a firewall cannot block attacks that arrive through allowed IPs and ports. Furthermore, detection by IDS/IPS in the network layer has its limits, since an IDS/IPS does not understand the application layer. Therefore, these devices cannot defend against attacks that target application vulnerabilities.

System Security

System security is mostly a matter of the OS. The vendors who develop and provide operating systems such as Windows, Linux, and Unix address known threats through security updates and patches. Enterprise security managers have to maintain system security continuously, not only through security updates and patches, but also through periodic scanning of the system for malicious code. For this purpose, companies usually install anti-virus solutions.

You might be wondering why there is no explanation about the application security.

From the description of network and system security, you can see that most companies understand these two layers and try to secure them. When it comes to application security, however, the situation is different. Compared to the network or system layer, the application layer is far more diverse, and there are many different types of applications, so most security managers have difficulty securing web applications. The same holds for building web security.

Ironically, application security is the most important part of web security.

The Core of Web Security = the Application Security

Practically all of the web we use is composed of web applications.

Websites and mobile apps are all built from applications, and web threats targeting them mostly aim at application vulnerabilities. The infamous web attacks SQL injection and XSS target vulnerabilities in websites, which are web applications. The web-based malicious code called a web shell is itself a web application, written in a language such as PHP. It is no exaggeration to say that more than 90 percent of all web attacks today target web applications. In the end, if you want to secure the web, securing the web application is unavoidable.

Despite the fact that application security is the most important part of securing the web, applications are not protected properly because building that security is difficult.

Corporate security administrators implement various web security solutions to defend against web attacks. However, not many of them know the role of each web security solution their company is purchasing or can accurately identify which of those solutions relate to application security. In other words, apart from basic network security solutions, not many companies apply and operate appropriate web security solutions to secure their applications.

An application environment like this lowers a company’s overall security level and makes the company a potential target of hacker attacks.

Web Application Security and Web Security Solutions

Thus, application security has to be a concern throughout every stage, from the development stage at the beginning of building an application to the maintenance stage after it is built. The main reason this is so difficult in practice is not only the lack of appropriate guidelines, but also that web application security is not easy to understand. Terms like Web Scanner or Web Application Firewall are not difficult in themselves, but it is not easy to know the exact features and operating points from the names alone.

However, web application security and the operating point of each of its solutions can be explained very well by comparison with building a house.

Figure 3. Mimetic Diagram of Web Application Security Solutions

Web applications mainly consist of a “Web Application Server” and a “DB.”

Secure Coding

First of all, the development stage is when you build the house. When building a house, you have to build it on solid ground with strong, safe bricks. In application terms, this is the secure coding stage, where you use safe source code and programs and exclude any code that might contain vulnerabilities.

Secure coding is a coding practice. Programmers write code with security in mind from the design stage, to minimize the vulnerabilities that can result from a developer’s mistakes, lack of knowledge, or the programming language’s own weaknesses. Shortening the development period matters, but safe and systematic development is more important than speed, because layering other web security solutions onto an unsafe development environment is merely a stopgap measure.

Web Scanner

When a house is built, you need to check whether any bricks in the wall are cracked or whether the house is tilted. Web scanners check applications from the outside, just as people inspect the bricks or the tilt of a house from the outside.

A web scanner, also called a web vulnerability scanner, finds and analyzes potential or design-related vulnerabilities by communicating with the web application from the outside. Many kinds of web scanners are sold on the market today, and there are various free web scanners for non-commercial use. Their performance varies, but to get value from any web scanner you have to check the application’s status continuously.

Web-Based Malware Detection

You also need to check the house for rain leaking in somewhere, or for holes made by dogs or worms. In the same way, web-based malware detection solutions inspect applications from the inside.

Web-based malware is generally called a “web shell,” meaning malicious code that runs inside an application. Hackers can bypass the security system using a web shell, which lets them access systems without any authentication. You need a solution specialized in detecting web shells that inspects the inside of the server. Like web scanners, web-based malware detection has to be run and reviewed regularly to be effective.

Web Application Firewall

After building a house, you need to build a fence or wall to guard against risks that have not yet been found and to keep the house safe from unexpected outside access. The Web Application Firewall plays the role of the fence in application security.

A WAF detects and acts against intruders and web attacks arriving through the web. It not only keeps web vulnerabilities from being exposed, which is the role of secure coding and web scanners, but also blocks attacks before they reach the application. It blocks malicious code from being uploaded to the web server. This is possible because a WAF, unlike a typical firewall, is developed specifically for web applications.

Also, it is easily installed on the external side, so unlike other solutions it does not have to be built into or applied to the server, which saves considerable cost. The latest WAFs block a wide range of web attacks in real time and respond to external attacks more accurately and efficiently by applying rules generated in a “rule learning” mode.

Data Security

Finally, it is very important to have a way to keep the family’s most valuable assets, such as cash and bankbooks. In an application, the important data corresponding to these assets are personal information, credit card information, and account information. In a typical web application environment, data are stored and managed in the database (DB).

To manage data safely, you need to implement a web security solution related to data security. Data encryption solutions, which make the data hackers want unreadable, are the usual choice. However, encryption is not the end of the job: for more advanced security you have to pay close attention to access control and audit logging, which determine who can access the data and record when it is accessed. Managing the keys that allow their holders to open the encrypted data is also very important, so key management must be given much attention.

The Completion of Web Security

Web security is easier to understand if you divide it into network, system, and application layers. Placing every web security solution mentioned so far into one picture according to its layer gives the result shown in Figure 4.

Figure 4. Three Layers of Web Security and Security Solution for Each Layer

To achieve web security, you need to understand the characteristics of each security layer and implement web security solutions where they are really required. This article has focused mostly on application security because it accounts for the largest part of web security, but:

“An organization’s overall security is only as strong as its weakest link.”

This means that the weakest of the many security elements determines the security level of the entire company. Security that is heavily concentrated on one side is unnecessary except in particular cases. Each security layer has its own security issues to solve, and there are different solutions for each of them.

The web security solution market is growing every year. A report released in 2014 by Frost & Sullivan forecast that the content security management market in Asia Pacific will reach 1,570 million USD with an annual growth rate of 17.9 percent. That growth rate is huge compared to the 7 to 9 percent growth rate of the general IT industry.

Many web security solutions have been released and more will be released in the future. It is highly recommended that you understand the functions and operating points of each web security solution, and implement web security solutions where they are really needed to secure the web.

Growth of Web Threats

In the past, people had to use their PCs to access the web, also known as the internet. With smartphones and tablets, you can access the internet anywhere you go.

In addition to browsers such as Internet Explorer, Chrome, and Safari, mobile applications including Kakao Talk, Line, and mobile games work by communicating with websites and web servers. Each mobile app looks different, but they all communicate through the web, based on the original architecture of the internet.

All smartphones and tablet PCs communicate through the web. As these mobile devices have become popular, the web has likewise become an inextricable part of our lives. With the rising popularity of the web, companies have also moved their existing offline services online. As a result, services including internet banking and financial transactions, resident registration card issuance, and customer service platforms are now available as web services. The web has become an essential part of everyday life.

As the web becomes more popular, cyber criminals have shifted their attention to the web as their chosen attack target, motivated by the profits from selling stolen information and assets. Most major hacking cases have been carried out over the web, which is often the pathway to a company’s important assets. Web threats therefore pose a broad range of risks, including identity theft, financial damage, and the destruction of internal systems.

Finding ways to hack web environments is not difficult. If you search for attack methods in a search engine, you will find all types of tutorials, tools and videos on hacking web servers and sites. Even those not very familiar with hacking can follow these demonstrations with ease, and the outcomes can often be fatal.

Many companies consider network security (network firewalls and IDS/IPS, for example) important, and take appropriate steps to provide a safe environment. It has therefore become difficult for attackers to get into systems directly. However, companies have to leave their web services open, because the web is the only pathway through which they can provide services to the public. That is why web applications have been the most popular attack target for the last three years. Not surprisingly, web security has become an important issue, and many CEOs and security managers are looking for new security trends. We need to realize that the web has become a part of our lives, and that web security has become essential rather than optional.

To build a secure web service, you need to understand what types of web threats are out there. Analyzing well-known hacking incidents, for example, will allow you to have a better understanding of the important components surrounding this issue.

Types of Web Threats

Generally required components for online services are as follows.

Figure. Generally required components of online services

A cracker will find a vulnerability in one of the elements above and start attacking it.

The vulnerabilities can be categorized as follows.

Figure. Categories of vulnerabilities

A security threat can arise from vulnerabilities in the components of the web environment, and individual threats can combine into a bigger one. The elements of online services and their security vulnerabilities can be categorized as follows.

Figure. Typical corporate network configuration and web threat types

The figure above shows a typical corporate network configuration and web threat types.

Web threats can be divided into two broad categories: attacks aimed at external networks and attacks aimed at internal networks. In an external attack the hacker breaks into the network from the outside; in an internal attack the hacker accesses the network from within.

External attacks can be further divided into web server hacking and internal computer hacking. Typically, web servers are hacked through websites: hackers use techniques such as SQL injection to gain access to web servers and administrator accounts, which in turn gives them access to the internal system.

Internal PC hacking usually happens when recipients mistakenly open a website or email and follow links to malicious websites or open attachments carrying malware. In addition, if the update server for an application is hacked and infected, a PC can be infected when it connects to that server to update the application. Once a web server or internal PC is infected, hackers can reach the internal system. This results in information leakage through access to the database server or work servers, and in seizure or destruction of the internal system through access to the integrated management server. At first glance hacking seems to take place through many different methods, but when they are actually classified, few do not fall into one of these two categories.

Security Threats and Examples

An open system is dangerous. However, this is the Web era in which we cannot close the system.


Openness and accessibility are fundamental to the Web era and among its greatest features. However, those very features are also threats to information security. There are a great many computer users in the world, and some of them are malicious. The Web was created so that many anonymous users could request services. Most requests are legitimate, predictable, and consistent with the design, but some users still try to access the open system in illegal ways.

The behavior of information security threats looks complicated, and new and unfamiliar terms pour in every day. However, the goal of security is to protect people. The biggest error is to classify everyone who causes trouble as a malicious attacker: some people cause problems unknowingly, and many attacks involve no malicious intent at all.

Hackers

The most obvious attacker is a hacker, or, as we sometimes say, a “cracker.” A cracker is a criminal who targets system vulnerabilities out of greed and takes advantage of them. A cracker steals information from a system and sells it to a competitor, or collects financial information, including credit card numbers, and sells it to other criminals. Sometimes a cracker intrudes into a system simply for fun. Crackers are dangerous, but defending against crackers alone does not amount to complete security.

Infected Computers and Software

An ordinary user, and not only a malicious cracker, can be an attacker. Because of the number of vulnerabilities and security defects in software, many computers have already been infected. If software on a computer connected to a company’s network has been infected, that software may attack other computers and servers without the user being aware of it. The behavior of information security threats may look very complicated, but it can be classified as follows:

  • Loss and destruction of information: A cracker can intrude into the system and format the storage devices. A careless administrator may erase all data by mistake. The storage hardware may fail.
  • Manipulation of information: What if a malicious, unknown visitor intruded into the system and changed a file? How long would it take to discover that the information had been manipulated? Manipulation of information is worse than loss of information. Manipulation of data and programs is invisible, and it is very difficult to detect. Even if you know there is a security vulnerability in the system, how can you tell whether a file has been manipulated? If a program is suspect, you can reinstall it; it is far harder to find out whether data is still reliable.
  • Distributed Denial-of-Service: The security business is witnessing a flood of DDoS attack reports, and DDoS occurs very frequently these days. DDoS is one of the dangerous threats that can be prepared for in advance. It makes it difficult or impossible for users to access services, or makes access intentionally slow.
  • Exposure of information: In many cases, data must be stored in the system or transmitted over the network in a secure way. Sensitive information such as financial and credit information in particular requires a high level of security. Once information is leaked there is no remedy, so the only option is to prevent exposure in the first place. Sometimes the information of a company with strong security is leaked anyway; in that case, the only way to protect the company’s honor and credibility is to have kept the information from being exposed. The original and fundamental way to prevent exposure is data encryption, which turns valuable information into unreadable binary data.

Let’s take a look at the major web hacking incidents so far.

  • The personal information of more than 10 million users of Auction Korea was leaked in February 2008. Cyber criminals hacked the web server, which gave them access to the database. (“Largest private information leakage case,” ETNews, 2008)
  • The personal information of 35 million Nate (owned by SK Communications) users was stolen in July 2011. In this case, the criminals first obtained access to the ALZip update server; when SK Communications computers performed their routine check for updates, they became infected through the web. The hackers then reached the user databases through the infected computers. (“Chinese hacks target 35M Korean social media accounts,” ZDNET)
  • The personal information of some 2 million users of EBS (Educational Broadcasting System) was stolen in May 2012. The attackers compromised the web server by uploading malware through a web shell upload over the web. (“4M EBS users’ personal information stolen,” Edaily)

In addition, the attacks known as the “3.20 South Korea Cyber Attack” paralyzed a number of financial institutions and media companies on March 20, 2013. The hackers used both web server hacking and internal computer hacking for the initial intrusion. First, they accessed the web server by finding vulnerabilities in the website’s message board and infected it, followed by the C&C (command and control) server. At the same time, they infected internal computers with malicious code. Next, they spread additional malicious code to the infected internal computers through the C&C server, and then infected the management server, which enabled them to destroy the internal system itself with destructive malicious code. (Source: NSHC, ‘Red Alert Research Report: 3.20 South Korea Cyber Attack’)

Looking at the types of web security threats and these recent cases, one can clearly see that critical cyber-attacks have targeted the web. These incidents could have been prevented if appropriate web security tools had been implemented and used properly.

Web Application Firewall (WAF)

A Web Application Firewall to protect your web applications

A WAF (Web Application Firewall) detects and blocks attacks on a website and prevents manipulation of the website. In addition, it protects assets by preventing information leakage through web attacks.

First, if a web application is developed securely, a web application firewall is unnecessary. However, developing a web application with perfect security is nearly impossible. It is very difficult to build a security system that can properly cope with growing web security threats, and in some cases the effort to ensure security is greater than the effort to develop the web application itself. Web security is that complicated and difficult.

In addition, as the web service system grows more complex, the web application gets larger and more complex. Even with development based on a careful security plan, it is impossible to foresee every situation, and it is difficult to modify and maintain the application in response. Most of all, a web application is too large to cover with a single security policy.

Financial necessity in the field has led to the emergence of time- and cost-saving methods, more manageable security policies, and the web application firewall.

A WAF is not a simple device that can just be placed in front of the servers. It is very important to analyze the business and the systems and to plan the installation and operation. As the web application gets more complex, the importance of analysis and planning increases.

Before installing the WAF,

It is mandatory to understand the business characteristics and expected vulnerabilities of the website. A web attack targets the most vulnerable point, so the initial domain analysis is very important: checking the web server domain and establishing a security policy are necessary. In addition, the characteristics of the web application, including compliance with web standards and compatibility with the WAF specifications, must be analyzed.

After installing the WAF,

It is necessary to check for false detections through simulated hacking, analyze the detection logs, and apply the results to the security policy. The administrator should maintain and manage the firewall according to that policy. Whenever the website is modified, partially or completely, strict management and monitoring are required.

Types of Web Application Firewalls

WAFs can be divided into two types: software and hardware. The software type is more affordable, with a lower price and lower maintenance cost, because it is installed on the web server without additional modification. However, it can cause critical problems such as interruption of the web service if the WAF malfunctions.

For this reason, most WAF products are of the hardware type. The hardware type does not affect the server directly, because it is installed separately on the network, which makes the firewall very convenient to install and maintain.

For even greater convenience, the appliance type (software installed on the server) is the most popular product type.

The most important factors in choosing a WAF are performance and security. When performance is emphasized, security may suffer; when security is emphasized, performance may be degraded. An excellent WAF provides sufficient security without degrading performance. In general, a WAF searches request content at the string level to check for attack signatures in the syntax.

The 1st-generation firewall created lists of accesses to decide whether to block or not: the white list of safe accesses and the black list of dangerous attacks. However, the 1st-generation firewall frequently treated a safe access as an attack and blocked it. To reduce these false detections, the web service administrator had to update the black list and the white list constantly.

The 2nd-generation firewall evolved to create the lists automatically. With this automation, the problem of the 1st generation appeared to be solved. However, as web services grew, it could not respond properly to the changing environment, and even though the lists were created automatically, confirming them was still left entirely to the administrator.
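To make the allow-list / block-list mechanism and its false-detection problem concrete, here is an added Python example (written for this page; it is not code from the original article nor from any WAF product it mentions). It screens constructed request lines against an allow list of known methods and paths and a block list of content-level signatures, one of which is deliberately over-broad so that a harmless search query is blocked until the rule is tuned, which is the log-review loop described above. The paths, the signature regexes, the `inspect_request` and `screen_log` functions, and the sample log are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Allow list (white list): methods and paths this hypothetical site serves.
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_PATHS = {"/", "/login", "/search", "/products"}

# Block list (black list): content-level signatures matched against decoded
# parameter values. The last rule is deliberately too broad.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s*'?\w*'?\s*=\s*'", re.IGNORECASE),
    "sqli_union_select": re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL),
    "xss_script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "naive_select": re.compile(r"\bselect\b", re.IGNORECASE),
}

# The block list after log review: the over-broad rule has been removed.
TUNED_SIGNATURES = {k: v for k, v in SIGNATURES.items() if k != "naive_select"}


def inspect_request(line, signatures=SIGNATURES):
    """Return (decision, reason) for one request line such as
    'GET /search?q=x HTTP/1.1'."""
    method, target, _version = line.split(" ", 2)
    if method not in ALLOWED_METHODS:
        return "block", "method not in allow list"
    parts = urlsplit(target)
    if parts.path not in ALLOWED_PATHS:
        return "block", "path not in allow list"
    # parse_qsl decodes once; unquote again so a double-encoded value
    # (%2527 for a quote) also reaches the signatures.
    values = [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for name, pattern in signatures.items():
        if any(pattern.search(v) for v in values):
            return "block", name
    return "allow", "no rule matched"


def screen_log(lines, signatures=SIGNATURES):
    """Apply inspect_request to each line; the verdicts are what an
    administrator reviews when tuning the lists."""
    return [(line, *inspect_request(line, signatures)) for line in lines]


# Constructed request lines for the example, not a real access log.
SAMPLE_LOG = [
    "GET /search?q=winter+boots HTTP/1.1",
    "GET /search?q=x%27+OR+%271%27%3D%271 HTTP/1.1",
    "GET /products?name=%3Cscript%3E HTTP/1.1",
    "GET /admin/config HTTP/1.1",
    "GET /search?q=select+a+gift HTTP/1.1",
]


if __name__ == "__main__":
    for line, decision, reason in screen_log(SAMPLE_LOG):
        print(f"{decision:5} {reason:25} {line}")
    print("after tuning:", inspect_request(SAMPLE_LOG[-1], TUNED_SIGNATURES))
```

Run as is, the last sample line (“select a gift”) is blocked by the `naive_select` rule even though it is an ordinary search; passing `TUNED_SIGNATURES` lets it through while the quote-based and script-tag requests stay blocked. That is the trade-off the generations of WAFs discussed above try to automate: every signature broad enough to catch variants also risks matching legitimate traffic, so the detection log has to be reviewed and fed back into the lists.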

Why You Should Care

Information security is risk management: controlling a company’s potential losses at the lowest cost and in the most efficient way. It requires a continuous response to changing security threats, and depending on the type and size of a risk, several methods may have to be used at the same time.

It is also important to understand all risks comprehensively rather than fixating on one. A fundamental solution for information security takes years of experience, original technology, and continuous research and development.

One question that many people ask is: “Is it required to implement security? If it is, how much will it cost?”

But to respond, we need to ask this next question:

“How important is the information?”

Before establishing an information security policy, we should consider the importance of the information and evaluate it, including how attractive it is to hackers. The importance of the information must be assessed before the security effort and cost are decided, because that cost is spent to protect the information.


In conclusion, if the value of the information is greater than the cost of securing it, security must be implemented. However, the highest level of security is not required in every situation.

For instance, the value of information that a person collects for fun is different from the value of a company’s or a government’s information. Military information in particular is at the front line of security, because it is the target of every country’s intelligence agencies as well as of hackers. All countries invest enormous resources in attacking the computers of other governments, so government systems must be designed and operated seamlessly and completely to cope with possible attacks.

So, if you were a hacker, what information would be valuable to you?

Information security is about cost

Economically, the cost of security should be lower than the value of the information, and the cost of attacking it should be higher than that value. If the cost of obtaining the information exceeds its value, the information is not worth stealing. In most cases, ordinary users do not need to think much about security, because most of the information they hold is of little value to others.

However, here is another trap of the Web era: the information of networked computer users can be abused as a stepping stone for attacks on other systems.

“So what you’re saying is, the highest security policy is the most secure way?”

The answer? No. If you disconnect the computer from the network and put it in a safe, then yes, that is perfect security. But we know that is impractical, so we need to decide on the level of the security policy. If you concentrate on safety alone, availability drops. Think of the physical security of an entrance door: if you strictly verify the ID of every visitor, keep all recording devices, and make visitors pass through a metal detector, security will be very high, but entering the site would take too much time and few people would be able to get in.

Information security is like the physical security of that entrance door. If you apply a very strict policy, such as checking the identity of every visitor and restricting what they can do on the website, the availability and convenience of the service drop, which defeats the purpose.

There is yet another thing to consider: the more security devices you use to protect the system, such as an IDS/IPS, difficult login verification procedures, and encryption of all information, the more resources are consumed, and performance measures such as processor utilization suffer. Performance loss can be avoided, for example by purchasing separate dedicated hardware, but that raises the cost.

There is a trade-off among the security factors. Among security, availability, cost and performance, one has to set security policies at an appropriate compromise level by considering the relationships among all of them.