The Shortcut Guide to Protecting Against Web Application Threats Using SSL
Dan Sullivan
Introduction to Realtime Publishers
by Don Jones, Series Editor
For several years now, Realtime has produced dozens and dozens of high-quality books that just happen to be delivered in electronic format at no cost to you, the reader. We've made this unique publishing model work through the generous support and cooperation of our sponsors, who agree to bear each book's production expenses for the benefit of our readers.

Although we've always offered our publications to you for free, don't think for a moment that quality is anything less than our top priority. My job is to make sure that our books are as good as, and in most cases better than, any printed book that would cost you $40 or more. Our electronic publishing model offers several advantages over printed books: You receive chapters literally as fast as our authors produce them (hence the "realtime" aspect of our model), and we can update chapters to reflect the latest changes in technology.

I want to point out that our books are by no means paid advertisements or white papers. We're an independent publishing company, and an important aspect of my job is to make sure that our authors are free to voice their expertise and opinions without reservation or restriction. We maintain complete editorial control of our publications, and I'm proud that we've produced so many quality books over the past years.

I want to extend an invitation to visit us at http://nexus.realtimepublishers.com, especially if you've received this publication from a friend or colleague. We have a wide variety of additional books on a range of topics, and you're sure to find something that's of interest to you, and it won't cost you a thing. We hope you'll continue to come to Realtime for your educational needs far into the future.

Until then, enjoy.

Don Jones
Table of Contents

Introduction to Realtime Publishers
Chapter 1: Combined Risk of Data Loss and Loss of Customer Trust
    Evolving Security Landscape
        Professionalism of Cybercrime
            Division of Labor in Cybercrime
            Market Forces
            Diversification in the Cybercrime Markets
            Growth in Cybercrime
        Automation of Vulnerability Scanning
        Emergence of APTs
    Risk of Data Loss and Threats to Information Security
        Intercepting Communications
        Spoofing
        Directed Attacks: APTs and Insider Abuse
        Improperly Managed Access Controls
    Impact of the New Security Landscape on Customer Trust
        Well-Publicized Data Breaches and Attacks
        Well-Publicized Cybercriminal and Hacking Organizations
        Potential Impact to Building Trust Online with Customers
    How Businesses Can Respond to Information Loss
    Summary
Chapter 2: How SSL Certificates Can Protect Online Business and Maintain Customer Trust
    How SSL Certificates Work
        Components of an SSL Certificate
        Overview of How SSL Certificates Secure Communications
        Overview of How SSL Certificates Support Authentication
    Web Applications Without and With SSL Certificate Protection
        Scenario 1: Web Applications Without SSL Certificate Protection
        Scenario 2: With SSL Certificate Protection
    Authentication and Trust
        How Certifying Authorities Authenticate
        Developing Trust
    Summary
Chapter 3: Planning, Deploying, and Maintaining SSL Certificates to Protect Against Information Loss and Build Customer Trust
    Planning for the Use of SSL Certificates
        Process and Asset Inventory
            Company Web Site
            Online Catalog
            Customer Service Support Portal
            Customer Feedback Application
            Track Shipment Application
            Product Documentation
        Multi-Tier Applications
        Determining the Type of SSL Certificate Required
    Key Points About Choosing and Deploying SSL Certificates
    Summary
Copyright Statement
2012 Realtime Publishers. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the "Materials") and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers or its web site sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, non-commercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners.
If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via email at info@realtimepublishers.com.
Chapter 1: Combined Risk of Data Loss and Loss of Customer Trust
Businesses face an increasingly complex set of threats to their Web applications, from malware and advanced persistent threats (APTs) to disgruntled employees and unintentional data leaks. Although there is no single security measure that can prevent all threats, there are some that provide broad-based mitigation to a number of threats. The use of SSL encryption and digital certificate-based authentication is one of them.

Changes in the way we deliver services, the increasing use of mobile devices, and the adoption of cloud computing, compounded by the ever-evolving means of stealing information and compromising services, leave Web applications vulnerable to attack. SSL encryption can protect server-to-server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss. A later chapter provides a step-by-step guide to assessing your needs, determining where SSL encryption and digital certificate-based authentication may be helpful, planning for the rollout of SSL to Web applications, and establishing policies and procedures to manage the full lifecycle of SSL certificates. In this chapter, we turn our attention to the combined risk of losing data and losing customer trust.
Evolving Security Landscape
Business information, from customer identity information to trade secrets, is valuable to more than just the business that controls it. Attackers and cybercriminals can exploit weaknesses in IT systems, resulting in data loss and, in some cases, involving public disclosure as well. Moreover, information security attacks are not limited to one or two industries, governments, or even geographic locations. In addition to direct attacks on the interests of businesses, governments, and other organizations, there are cases of malicious attacks that are more like vandalism than theft. These may have less direct costs but can still cause concern about the trustworthiness of online resources.

The evolution of the security landscape is creating what appears to be a global, continuous and cross-industry threat. A number of factors are contributing to the advancement of cybersecurity threats:

- The professionalism of cybercrime
- The ability for others to automatically scan potential targets for vulnerabilities
- Emergence of APTs
Professionalism of Cybercrime
Cybercrime is a business, literally. If you were an outsider looking in on the operations of the underground market for stolen credit cards and bank credentials and you did not know the illegal origins of the products for sale, it might be hard to distinguish the operations from a legitimate business. Cybercrime has characteristics one would expect in other professions and businesses, including:

- Division of labor
- Market forces
- Diversification
- Growth
The fact that cybercrime has developed these characteristics associated with free markets speaks to the persistence, professionalism, and drive for efficiency in this arena.

Division of Labor in Cybercrime

There is a full vertical industry dedicated to credit card and bank credential fraud that includes, according to the FBI, a well-defined division of labor:

- Programmers who develop Trojans and other malware to steal financial information
- Distributors who establish online marketplaces and sell stolen information
- Fraudsters who develop phishing scams and other social engineering schemes to lure victims into revealing information
- Cashiers and money mules (low-level participants who use their accounts in the money transfer process)
Market Forces

Prices appear to be set in the underground market similarly to the way prices are set in legitimate free markets: by supply and demand. For example, Panda Security reports on the cost of a number of different products in their report The Cyber-Crime Black Market. Stolen credit card details will cost you between $2 and $90 (the price will vary depending on factors such as credit limit, amount of card detail available, and time since the number was stolen). Bank credentials cost between $80 and $700; the higher-priced credentials come with balance guarantees. Bank transfer and check cashing services are provided at rates from 10% to 40% of the transaction total. Those criminals that like to operate in the physical realm can purchase credit card cloners for anywhere from $200 to $1000, but a fake ATM card can cost up to $35,000.

Of course, there is competition in the underground market, so there will be innovative ways to distinguish offers based on more than price. The Panda Security report noted offers sometimes come with try-and-buy demos, bulk discounts, and even customer service and support.

Another indicator of the maturity of the market is the way prices for stolen goods are influenced by the laws of supply and demand. Too much supply will drive down prices. In the spring of 2011, the Sony PlayStation network was attacked and information from 101.6 million customers was stolen (Source: https://www.privacyrights.org/data-breach-asc?title=Sony). Sony and their customers were not the only ones concerned about this massive breach; other cybercriminals were concerned that an influx of a large number of new stolen credit cards would drive down the price for their stolen goods. The New York Times quoted Kevin Stevens, a senior researcher at Trend Micro, as reporting, "There was a lot of discussion taking place in hacker forums about the Sony data breach. Several credit card dealers are worried that the distribution of millions of credit cards would flood the market and lower prices." And a Europe-based hacker who was not further identified indicated, "We're keeping a close eye on the Sony story as it would drastically affect the resale of other cards." (Source: Nick Bilton, How Credit Card Data is Stolen and Sold, The New York Times, May 3, 2011). Given the dynamics of the underground cybercrime market combined with the risk of large swings in supply, it is prudent for the risk-averse cybercriminal to diversify.

Diversification in the Cybercrime Markets

Cybercriminals can diversify in the way they attack their victims and in the way they select their targets. Cybercriminals diversify the distribution of malware and infect devices around the globe. The Anti-Phishing Working Group (http://www.antiphishing.org/) reports that more than 10 million malware samples were detected in the second half of 2010. In addition, at least 10 countries have infection rates greater than 50% (see Figure 2.1).
Figure 2.2: Reports of Internet crime to the FBI are fairly evenly distributed across age groups, with under-20-year-olds faring the best.
Figure 2.3: Diversity does not extend as much to the industries targeted. Financial services and payment services account for more than three-quarters of phishing scams (Source: Anti-Phishing Working Group, Phishing Activity Trends, 2nd Half 2010).

In addition to diversifying the resources used to commit cybercrime, we have witnessed a growth in the amount of cybercrime.

Growth in Cybercrime

There is little doubt that cybercrime is growing. We have already noted the increasing sophistication of underground markets, the division of labor among cybercriminals, high malware infection rates in some parts of the world, and even the effects of market forces on the criminal enterprise at large. There are also statistics that provide evidence for the increase in the number of cybercrimes. Figure 2.4, for example, shows an increasing number of cybercrimes reported per year between 2000 and 2010.
Figure 2.4: The number of Internet crime complaints filed with the US Federal Bureau of Investigation (FBI) is another indicator that cybercrime is an established, ongoing, and growing problem (Source: FBI, 2010 Internet Crime Report).

There is a growing supply of malicious software and methods for distributing malware that can be used to execute cybercrimes:

- A few years ago, Panda Security reported receiving 500 new threats per day; today they receive 63,000 new threats per day (Source: Panda Security, The Cyber-Crime Black Market).
- McAfee processed 55,000 pieces of new malware every day in 2010 (Source: http://blogs.mcafee.com/corporate/cto/global-energy-industry-hit-in-night-dragon-attacks).
- In the 15-year period from 1991 to 2006, Panda Security compiled a database of 92,000 strains of malware; in 2009, that number reached 40 million; and in 2010, the number jumped to 60 million (Source: Panda Security, The Cyber-Crime Black Market).
- Symantec has found that enterprising attackers buy ad space and use traffic distribution systems (that is, vendors that buy and sell Web traffic), avoiding the need to infect Web sites. This process has become another common method for distributing malicious code (Source: Symantec, Web-Based Malware Distribution Channels: A Look at Traffic Redistribution Systems).
- The increasing use of shortened URLs helps to mask malicious sites. In one study of malicious shortened URLs posted to social networking sites, 88% of the malicious links were clicked at least once (Source: Symantec, Taking the Shortcut to Malicious Attacks).
The extent of cybercrime and the means by which it is executed are both growing and, unfortunately, there is little in the data to suggest the trend will change in the foreseeable future. In fact, as Symantec has summarized, the threats in the past decade have become increasingly sophisticated; see A Decade in Review: Cybercriminal Motivations behind Malware for a timeline of major cybercrime events in the past 10 years.

Cybercrime is clearly a well-established, professional, and illegal industry. Business data, especially personal consumer data, is a highly valued target. This puts pressure on businesses to protect that data, and well-publicized data breaches can lead customers to question the protections in place around their information. This reality ultimately undermines trust in the ability of the business to perform online transactions without compromising personal information.
Automation of Vulnerability Scanning
The proliferation of cybercrime has been enabled, in part, by the emergence of a professionally run cybercrime market. Another factor in favor of cybercriminals is the availability of technology for vulnerability scanning. One can imagine a (false) sense of security you could develop by assuming that, with all the devices on the Internet, what are the chances an attacker would find one of my servers and detect an unpatched application or a misconfigured service? This kind of reasoning fails to account for security tools that can be used to help lock down devices or exploit them.

Automated vulnerability scanning tools can be used to discover devices, assess configurations, detect access to sensitive data, and determine whether a vulnerable version of an application with a known vulnerability is running on a device. Vulnerability scanning tools are valuable to security and network professionals working on identifying and correcting weaknesses. They are equally useful for cybercriminals in identifying and exploiting weaknesses.

Cybercriminals function under similar business drivers as legitimate businesses, including the need to perform operations more efficiently and to develop business practices that allow them to scale to market demands and opportunities. Automation of repetitive tasks, such as looking for vulnerabilities in Windows and Linux servers, is one way to improve attacker productivity. Automated vulnerability scanning can be used to scan a wide range of IP addresses looking for vulnerable systems and applications, or it can be used in more targeted attacks.
Emergence of APTs
A common motif in modern heist movies is the need for strategic planning and detailed tactical moves before the theft can be accomplished. Movies about 1920s bank robberies could work with a handful of bank robbers rushing into a bank with guns and minutes later running out to the getaway car with bags full of cash. That storyline needs to be revised in order to seem realistic by today's standards. Security at modern banks, casinos, and other likely targets demands more insider knowledge of weaknesses and finesse when it comes to execution. This applies to cybercrimes as well.
Malware plays a central role in APTs, but they are more than viruses. Malware can be injected into a victim's device by luring the victim to a site controlled by the attacker and convincing the victim to download a file, or by finding a weakness in perimeter defenses or a vulnerability in an application that allows malware to be injected. Chances of an antivirus program detecting the malware are reduced by the fact that malware developers can test their Trojans and other malware against antivirus software before it is deployed and craft the malware to avoid detection.

The scope of an APT can be substantial:

- In 2009, a coordinated attack using social engineering, intelligence gathering, breaches of perimeter defenses, and SQL injection attacks was used against oil, gas, and petrochemical companies. The attack targeted resources and personnel in the United States, the Netherlands, Kazakhstan, Taiwan, and Greece (Source: McAfee, Global Energy Cyberattacks: "Night Dragon", Feb. 10, 2011).
- In 2010, researchers discovered a coordinated attack on business, government, and academic computers targeting politically sensitive information related to the Indian government and the Dalai Lama's office (Source: InfoWar Monitor, Shadows in the Cloud: An investigation into cyber espionage 2.0).
- In 2011, McAfee reported on Operation Shady RAT, a multi-year APT that targeted more than 70 business, government, and even nonprofit organizations (Source: McAfee, Revealed: Operation Shady RAT).
Not all APTs are broadly targeted, though. In 2011, Symantec made public its analysis of the Duqu malware, which uses pieces of the well-known Stuxnet malware that targets industrial machinery controls. Duqu is designed to gather intelligence on specific industrial targets (Source: Symantec, Duqu: The Precursor to the Next Stuxnet). Such attacks may not garner attention-grabbing headlines, but they pose significant risks to the targeted victims.

The impact of APTs can be substantial because intellectual property is often the target. Competitors who can steal bids for major contracts or product designs can negate any competitive advantage the victim may have had. Until recently, APTs have not garnered the attention of the press in the same way data leaks do. Reporting on the loss of millions of customers' personal data is relatively easy, but tracking down and explaining the details of a long-term, sophisticated cyberattack is much more difficult.
Risk of Data Loss and Threats to Information Security
Data loss can occur in many ways, from eavesdropping and mistaken identities to insider abuse and improperly managed access controls.
Intercepting Communications
Communications and data transfers can follow many routes from one point to another. Remote sites and traveling executives may have to use the public Internet to access resources at corporate headquarters. This can present an opportunity for an attacker who has targeted that business or executive. Unless the communications are encrypted, typically using an SSL-based mechanism, they are at risk of interception by a man-in-the-middle attack (see Figure 2.5).
Spoofing
Spoofing is another way of stealing information that depends on tricking users into believing a malicious server or other device is actually a legitimate device. Spoofing can be avoided by deploying SSL certificates on servers. Doing so allows users to authenticate the server (that is, verify the server is actually the one it appears to be) before transmitting sensitive data. SSL certificates can be provided by trusted third parties who verify the identity of the organization requesting the certificate. The certificates are designed to identify a server (or group of servers, depending on the type of SSL certificate). If a digital certificate for one server was stolen and placed on another server, a warning message would be generated during the authentication process, because the names in the certificate would not match the server the user asked for.

Common Internet browsers are all configured with information about the major SSL certificate providers. If a user were to navigate to a spoofed server with an invalid certificate, the browser could immediately display a warning indicating the spoofed server is not actually the one it purports to be.
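The three checks a browser performs before it accepts a server's certificate for a hostname (is the issuer one it trusts, is the certificate within its validity period, and does a name in the certificate cover the host the user asked for) are shown below as an added, self-contained Python example; it is not code from the guide or from any certificate vendor. The certificate records, the trust store contents and the hostnames are all constructed for illustration, and the name-matching rule follows the wildcard convention of RFC 6125 (a single "*" as the entire leftmost label, matching exactly one label). A real client reads these fields out of the X.509 structure and also checks the signature chain, which this example does not do.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


# Constructed stand-in for the identity fields a client reads out of an X.509
# certificate; a real client parses these from the DER/PEM structure and also
# verifies the signature chain, which is out of scope here.
@dataclass
class CertInfo:
    subject_cn: str
    san_dns: List[str]      # subjectAltName DNS entries (may be empty)
    issuer: str
    not_before: datetime
    not_after: datetime


# Constructed trust store: issuers this client trusts, standing in for the list
# of certificate providers a browser ships with.
TRUSTED_ISSUERS = {"Example Trusted CA (constructed)"}


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def dns_name_matches(hostname: str, pattern: str) -> bool:
    """Case-insensitive name match in the style of RFC 6125: either an exact
    match, or a single '*' as the whole leftmost label of the pattern standing
    for exactly one label. So '*.example.com' covers 'www.example.com' but
    neither 'example.com' nor 'a.b.example.com', and a bare '*.com' is rejected."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat) or len(pat) < 2:
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def verify_server_identity(hostname: str, cert: CertInfo, now: datetime = None,
                           trusted=TRUSTED_ISSUERS) -> List[str]:
    """Return the warnings a client would raise before sending any data; an
    empty list means the certificate is accepted for this hostname."""
    now = now or datetime.now(timezone.utc)
    warnings = []
    if cert.issuer not in trusted:
        warnings.append("issuer not trusted")
    if not (cert.not_before <= now <= cert.not_after):
        warnings.append("certificate not valid at this time")
    # When subjectAltName is present it is authoritative; the CN is a fallback.
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    if not any(dns_name_matches(hostname, n) for n in names):
        warnings.append(f"name mismatch: certificate names {names} do not cover {hostname}")
    return warnings


# Constructed sample certificates and a fixed clock so the results are stable.
_UTC = timezone.utc
FIXED_NOW = datetime(2012, 6, 1, tzinfo=_UTC)
_TRUSTED = "Example Trusted CA (constructed)"
SHOP_CERT = CertInfo("shop.example.com", ["shop.example.com", "www.shop.example.com"], _TRUSTED,
                     datetime(2012, 1, 1, tzinfo=_UTC), datetime(2013, 1, 1, tzinfo=_UTC))
WILDCARD_CERT = CertInfo("*.example.com", ["*.example.com"], _TRUSTED,
                         datetime(2012, 1, 1, tzinfo=_UTC), datetime(2013, 1, 1, tzinfo=_UTC))
SELF_SIGNED_CERT = CertInfo("shop.example.com", ["shop.example.com"], "shop.example.com",
                            datetime(2012, 1, 1, tzinfo=_UTC), datetime(2013, 1, 1, tzinfo=_UTC))
EXPIRED_CERT = CertInfo("shop.example.com", ["shop.example.com"], _TRUSTED,
                        datetime(2011, 1, 1, tzinfo=_UTC), datetime(2011, 12, 31, tzinfo=_UTC))


if __name__ == "__main__":
    cases = [
        ("shop.example.com", SHOP_CERT),      # legitimate server: accepted
        ("login.example.net", SHOP_CERT),     # same certificate moved to another host: name mismatch
        ("api.example.com", WILDCARD_CERT),   # wildcard covers one label
        ("example.com", WILDCARD_CERT),       # wildcard does not cover the bare domain
        ("shop.example.com", SELF_SIGNED_CERT),
        ("shop.example.com", EXPIRED_CERT),
    ]
    for host, cert in cases:
        print(f"{host:20} {cert.subject_cn:18} -> {verify_server_identity(host, cert, now=FIXED_NOW) or 'OK'}")
```

The second case is the situation the text describes: a certificate that is perfectly valid for shop.example.com produces a name-mismatch warning as soon as it is presented by a host the user reached under a different name. The trust-store check is what turns a self-signed certificate into a warning even when its name and dates are fine.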
Directed Attacks: APTs and Insider Abuse
Another set of risks to businesses, governments, and other organizations is directed attacks. In addition to APTs, another potential avenue of data loss is insider abuse. Insiders are employees, contractors, and others with legitimate access to information. The ways insiders can steal or leak sensitive data are limited only by their imagination. The Privacy Rights Clearinghouse (http://www.privacyrights.org) maintains a database of breaches that includes details on the ways data is lost. Some of the more recent cases of insider abuse have included:

- A waiter stealing credit card details of customers.
- A Veterans Affairs worker using personal patient information to create fraudulent dependent information and then using his tax preparation business to submit fraudulent tax returns.
- A medical center employee stealing information about persons responsible for medical bill payment, which was then used by co-conspirators to open credit cards and obtain cash advances.
- A bank employee disclosing customer names, Social Security numbers, driver's license numbers, bank account numbers, and other details to co-conspirators in an identity theft ring.

Even when sound practices are employed, such as limiting access to data to only those that need it and separating duties to reduce the risk a single person could commit fraud, determined insiders can still succeed in stealing sensitive information.
Improperly Managed Access Controls
Another risk for data loss comes from improperly managed access controls. A telling example was recently reported by the Associated Press in "New Data Spill Shows Risk of Online Health Records." The article describes a case in which medical information about 300,000 Californians was available for public viewing. A privacy researcher, Aaron Titus, found the information using Internet searches and then contacted the firm hosting the data (as well as the press). The data was intended to be used only by employees with legitimate need for the data, but proper access controls were not in place, in violation of the firm's policies.

Poorly managed and implemented access controls will not necessarily result in public disclosure, but they can create additional risks nonetheless. For example, when an employee who is responsible for accounts payable is transferred to work on accounts receivable, his access permissions should be revised to prevent access to accounts payable systems. Failure to do this can undermine the separation of duties principle and create an opportunity for abuse. There are a wide variety of risks to the confidentiality and integrity of data, from intercepted communications and spoofing to insider abuse and mismanaged access controls.
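The accounts payable to accounts receivable transfer above is the classic separation-of-duties failure, and it is cheap to enforce and to audit for. The following added Python example (not code from the guide) models it: a small role store with a constructed conflict matrix, a grant that refuses to combine conflicting roles, a transfer that revokes before it grants, and an audit pass that finds users whose accumulated roles violate the policy, which is how a "transferred but never revoked" case surfaces after the fact. The role names, the user names and the conflict pairs are all hypothetical.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple


# Constructed separation-of-duties policy: pairs of roles that no single user
# may hold at the same time. Role names are hypothetical.
SOD_CONFLICTS = {
    frozenset({"accounts_payable", "accounts_receivable"}),
    frozenset({"vendor_setup", "accounts_payable"}),   # create a vendor and also pay it
}


class RoleStore:
    """Minimal role-assignment store with SoD enforcement and an audit pass."""

    def __init__(self) -> None:
        self._roles: Dict[str, Set[str]] = defaultdict(set)

    def roles_of(self, user: str) -> Set[str]:
        return set(self._roles.get(user, set()))

    def grant(self, user: str, role: str, enforce: bool = True) -> None:
        """Assign a role. With enforce=True (the default) a grant that would
        combine conflicting roles is refused; enforce=False models a legacy
        provisioning path that never checked the policy."""
        if enforce:
            for conflict in SOD_CONFLICTS:
                if role in conflict and (conflict - {role}) <= self._roles[user]:
                    raise PermissionError(
                        f"{user}: granting {role} conflicts with {sorted(conflict - {role})}")
        self._roles[user].add(role)

    def revoke(self, user: str, role: str) -> None:
        self._roles[user].discard(role)

    def transfer(self, user: str, from_role: str, to_role: str) -> None:
        """Move a user between departments: revoke the old role first so the
        new grant can never create a conflict, then grant the new one."""
        self.revoke(user, from_role)
        self.grant(user, to_role)

    def violations(self, user: str) -> List[Tuple[str, ...]]:
        """Conflict pairs fully contained in the user's current roles."""
        held = self._roles.get(user, set())
        return sorted(tuple(sorted(c)) for c in SOD_CONFLICTS if c <= held)

    def audit(self) -> Dict[str, List[Tuple[str, ...]]]:
        """Every user whose current roles violate the SoD policy."""
        return {u: self.violations(u) for u in self._roles if self.violations(u)}


def scenario() -> Dict[str, List[Tuple[str, ...]]]:
    """Constructed scenario: two employees move from accounts payable to
    accounts receivable, one through a path that forgets to revoke."""
    store = RoleStore()
    store.grant("alice", "accounts_payable")
    store.grant("alice", "accounts_receivable", enforce=False)   # old role never revoked
    store.grant("bob", "accounts_payable")
    store.transfer("bob", "accounts_payable", "accounts_receivable")
    return store.audit()


if __name__ == "__main__":
    for user, conflicts in scenario().items():
        print(f"SoD violation: {user} holds {conflicts}")
```

Running the scenario reports only alice, whose transfer was done by granting the new role without revoking the old one; bob's transfer went through `transfer`, so he ends up holding accounts receivable alone. The audit pass is the part worth scheduling: it catches conflicts regardless of which provisioning path created them.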
Impact of the New Security Landscape on Customer Trust
We could easily keep our focus on the internal consequences of the new security landscape. We could concern ourselves with hardening our defenses, improving our auditing and monitoring procedures, and other measures that reduce the risk that an attack would be successful. We could do this and we would be justified in doing it, but we would also be missing an important aspect of these risks: their impact on customer trust.
Well-Publicized Data Breaches and Attacks
You do not have to be an IT professional to be aware of the state of information security these days. The popular press seems to have an almost steady stream of stories about security risks, data breaches, and hacking attempts.

It is not just the American press that is publishing information security stories; this is a global phenomenon:

- The Hong Kong Stock Exchange suspended trading on seven stocks after the exchange's Web site was attacked and sensitive results were released, according to TG Daily (Source: Hong Kong Stock Exchange Hacked, Aug. 10, 2011).
- Private information on 35 million customers of Epson Korea was stolen after the company Web site was hacked. Information disclosed included names, user IDs, passwords and resident registration numbers, according to the Yonhap News Agency (Source: Epson Korea says 35 Million Customers' Data Hacked, Aug. 20, 2011).
Stories about financially motivated attacks are complemented by what might be called human-interest cybercrime cases:

- The Guardian reports on a case demonstrating that attacks are not always financially motivated, describing a 33-year-old attacker's actions: "He accessed highly personal data and photographs in a sophisticated email scam from his mother's front room, taking control of some victims' webcams remotely to see inside their homes, at one point boasting to a friend that he made a teenage girl cry by doing so." (Source: Computer Expert Jailed after Hacking Victims' Webcams, Nov. 23, 2010).
- Following the phone hacking scandal at the British newspaper News of the World that became public in the summer of 2011, Scotland Yard began an investigation into computer hacking by the organization, according to The Guardian. This was spurred in part by allegations that a former army intelligence officer received an email with a Trojan program that copied emails from the victim and sent them to the attacker (Source: Scotland Yard to Set up New Computer Hacking Task Force, July 29, 2011).
Governments and political organizations have also been targeted for organized attacks. Examples include:

- Deutsche Welle reported in 2010 that new national identity cards provided to German citizens, which were supposed to improve security for online transactions, were easily hacked by members of the Chaos Computer Club (Source: New German ID card easily hacked by ordinary computer nerds, Sep. 23, 2010).
- A Taiwanese presidential campaign was attacked and the attack targeted planning information. Police were investigating allegations that the attackers were backed by the Chinese state, according to the Times of India (Source: Taiwan Police Probe China Hacking Claim, Aug. 11, 2011).
Well-Publicized Cybercriminal and Hacking Organizations
Decades ago, only insiders would recognize the name of hacking groups like the Chaos Club, but today, groups like Anonymous and LulzSec are making headlines along with more threatening organizations, such as the Russian Business Network (RBN) and state-sponsored groups.

LulzSec has claimed responsibility for stealing information from law enforcement agencies, most notably the Arizona Department of Public Safety, as well as businesses such as News Corporation. When compared with organized crime syndicates which commit cybercrimes, groups like LulzSec are more akin to vandals than serious felons. Anonymous has made news with public releases of stolen documents from Bank of America and attacks on Sony, both in response to what the group considered objectionable corporate behavior.
Other organized groups are far more threatening. The RBN is reported to be a group based in Russia that has a history of developing malware, conducting Denial of Service (DoS) attacks, and providing spam services. They have also been implicated in the theft of tens of millions of dollars from Citibank in 2009 (Source: ComputerWorld, Report: Russian Gang Linked to Big Citibank Hack, Dec. 22, 2009).

More recently, news stories highlighted Operation Shady RAT, the widespread APT attack on more than 70 organizations, and Night Dragon, the targeted attack on gas, oil, and petrochemical companies. These attacks have implicated state actors.

Stories about organizations ranging from cyber vandals to state-sponsored cybercriminals will likely add to the popular concern about information security generated by a near-continuous stream of stories from around the globe about data breaches and cyberattacks. This is not just a law enforcement problem or a public policy issue. How we as consumers and customers respond to these threats can directly impact the effectiveness of online services.
Potential Impact to Building Trust Online with Customers
Customers are justified if they are concerned about the security of their personal and financial information online. It is not unreasonable to think that customers will make choices based on how well they think a company will protect their information, in much the same way they now consider price, product quality, and customer service.
Businesses should consider how new evaluation criteria that include security considerations will affect them. One can begin by understanding the security concerns customers may have, such as:
• Concern for identity theft
• Concern for credit card fraud
• Loss of privacy
Organizations such as banks and hospitals that require more personal and financial information than many businesses are likely to be especially aware of concerns about identity theft. Businesses that provide services to banks, hospitals, governments, and similar organizations that may house substantial amounts of confidential information must ensure it stays protected. For example, the inadvertent release of patient data in California occurred at a firm providing services to medical providers; it was not a medical provider itself.
The need to protect credit card information is more widespread. Many of us use credit cards and debit cards routinely during the day. The payment card industry has established data security standards that card processors must comply with. These are designed to protect both customers and banks from fraud and abuse. The payment card industry is built on a web of trust. Customers and vendors trust the bank to pay the vendor, banks trust customers to pay their bills, banks trust vendors to charge accurately, and they all trust each other to maintain the integrity of the system.
How Businesses Can Respond to Information Loss
It is clear that it is in the best interest of businesses, governments, and other organizations to mitigate the risk of information loss. The question is: How? Answering that question is the subject of many books, articles, conference presentations, and other resources, which is an indication of just how difficult the task is.
Although we cannot give a detailed answer to that question, we can outline some of the characteristics of the answer. First and foremost, there is no single solution, no silver bullet. Protecting information in today's online ecosystem requires a wide array of security controls and measures, such as:
• Reliable and trustworthy authentication of persons and devices
• Strong encryption for data at rest and data in transit
• Access controls appropriate to the need to perform business functions
• Separation of duties
• Malware protection
• Properly configured and patched operating systems (OSs) and applications
• Constant monitoring and analysis
• Vulnerability scanning and automatic remediation to correct known vulnerabilities
• Intrusion detection to detect potentially malicious activities
Summary
Businesses face a double threat from cybercriminals: the loss of information and the loss of customer trust. You do not have to be an IT professional to have an understanding of the risk of data losses and the subsequent fraud and identity theft that can follow. The security landscape is becoming increasingly complex and threatening. Cybercrime is highly professional, to the point where underground markets function much as legitimate business markets do. Organized crime and state actors are realizing the benefits of information theft. The potential payoffs are substantial and, as a result, organized entities are willing to spend considerable time and money to launch APTs. Meanwhile, the public catches glimmers of what is happening through a fairly steady stream of news stories from around the globe about data breaches and hack attacks. In addition to security measures, businesses can help mitigate the impact of cybercrime by taking steps to build and preserve customer trust.
How SSL Certificates Work
When we receive an SSL certificate from a provider, we receive a file. That may seem like a bit of a letdown at first. After all, this is something that will be used to encrypt communications and provide evidence for identity claims of servers. These are fairly important tasks, and they are all enabled because of one small file? Well, yes and no.
Components of an SSL Certificate
Figure 2.1 shows the components of an SSL certificate. SSL certificates use the X.509 certificate structure, which includes information about the subject, such as a domain, and the encryption algorithm used to create encrypted data that can uniquely identify an entity (these are known as signatures):
Figure 2.1: The data structure for representing an SSL certificate is based on the X.509 certificate standard.
• The version number indicates which version of the X.509 specification is used. Newer versions support additional extensions and a unique identifier.
• The serial number is a unique number assigned by the certifying authority that issued the certificate. Certifying authorities are responsible for tracking these numbers so that the combination of issuer and serial number is unique across all X.509 certificates.
• The algorithm ID (referred to as a signature in the X.509 specification) is the identifier of the algorithm used by the certifying authority to generate the certificate.
• The issuer is the name of the certifying authority that issued the certificate. In addition to the name of the issuer, this field can contain the location of the issuer and the organizational unit within the issuing company that was responsible for creating the certificate.
• The validity section includes two dates, one marking the start period for which the certificate is valid and one indicating the end date that it is valid.
• The subject field is the name of the entity requesting the certificate. This name is in the form of a distinguished name that is unique to that entity within the certifying authority. Like the issuer field, this attribute can contain information about the subject's location and the organizational unit within the entity that requested the certificate.
• The subject public key field contains a public key, which is a string of characters, and the name of an algorithm with which the key is used. Why do we need this string of characters known as a public key? This key is part of the technology known as public key cryptography. We do not need to delve into too many details, but it is important to understand the basics. Here is how it works: When someone wants to send you an encrypted message that only you can read, that person would get your public key from your digital certificate. (Actually, she would use a program such as PGP to do this.) With that key and the name of the encryption algorithm, the person can then encrypt the message. The public key is not like a key used to open and lock doors. The public key is a one-way key. It's only good for locking (that is, encrypting), but it cannot be used to unlock (that is, decrypt) the message. For that, we need a private key.
The private key is created at the same time as the public key. You can share your public key with anyone who might want to send you an encrypted message and you do not have to worry about them reading an encrypted message someone else sent to you. The only way to decrypt a message encrypted with a public key is to use the corresponding private key. As long as no one else has your private key, they cannot read your encrypted messages.
With Enough Time and Resources
It is not theoretically impossible to read someone else's message without the private key. If you have enough cryptographic knowledge and access to large-scale computing resources (think large secret government agency-level resources), you could eventually decrypt a message without the private key. Unless you are passing around state secrets, the value of the decrypted message probably would not justify the time and expense necessary to try to crack the message. By one estimate, if you could check a billion billion (1,000,000,000,000,000,000) AES keys per second it would take 3,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years to try all possible keys (Source: Wikipedia, "Brute Force Attack").
• The issuer and subject unique identifiers are used to store identifiers that would uniquely identify an issuer or subject in cases where the name of either entity is reused.
• Extensions were added in version 3 of the X.509 standard and support the use of additional attributes that can be used to store several common extensions as well as private information used within a community of users.
X.509 Certificate Specification
For a more detailed and formal description of the X.509 certificate, see the Internet Engineering Task Force RFC at http://www.ietf.org/rfc/rfc2459.txt.
An SSL certificate contains three broad types of data:
• Information about the subject that owns the certificate and is identified by it
• Information about the certifying authority that issued the certificate
• Cryptographic information such as the subject key and algorithm
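To make the field list concrete, here is an added example (not code from the guide) that builds a constructed, unsigned TBSCertificate body in DER with the fields in the order listed above and reads them back with a minimal DER walker; it also computes days to expiry from the validity field, the maintenance check a certificate owner most often needs. The issuer and subject names, the serial number and the placeholder key bits are constructed sample values, and only the commonName attribute and the two RSA-related OIDs are recognized by name.

```python
import datetime as dt

# ---- tiny DER encoder, used only to construct the sample certificate body ----
def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV; length in short form below 128 bytes, long form above."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def der_name(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (a single CN here)."""
    atv = der(0x30, der_oid("2.5.4.3") + der(0x0C, common_name.encode()))
    return der(0x30, der(0x31, atv))

def utc_time(t: dt.datetime) -> bytes:
    """UTCTime, e.g. b'240101000000Z' for 2024-01-01 00:00:00 UTC."""
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

SHA256_RSA, RSA, CN = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1", "2.5.4.3"
OID_NAMES = {SHA256_RSA: "sha256WithRSAEncryption", RSA: "rsaEncryption", CN: "commonName"}

def sample_tbs_certificate() -> bytes:
    """Constructed sample (not a real certificate): TBSCertificate fields in order."""
    validity = der(0x30, utc_time(dt.datetime(2024, 1, 1)) + utc_time(dt.datetime(2025, 1, 1)))
    spki = der(0x30, der(0x30, der_oid(RSA) + der(0x05, b""))     # AlgorithmIdentifier
                     + der(0x03, b"\x00" + b"\x01" * 8))           # BIT STRING, dummy key bits
    return der(0x30,
               der(0xA0, der(0x02, b"\x02"))                       # [0] version: 2 means v3
               + der(0x02, bytes([42]))                            # serialNumber
               + der(0x30, der_oid(SHA256_RSA) + der(0x05, b""))  # signature algorithm ID
               + der_name("Example CA")                            # issuer
               + validity                                          # notBefore / notAfter
               + der_name("www.example.com")                       # subject
               + spki)                                             # subjectPublicKeyInfo

# ---- tiny DER decoder ----
def tlv(data: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(value: bytes):
    """Split the contents of a SEQUENCE/SET into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def oid_str(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents back to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def name_str(value: bytes) -> str:
    """Flatten a Name into 'attribute=value' pairs."""
    parts = []
    for _, rdn in children(value):                     # each SET (one RDN)
        for _, atv in children(rdn):                   # each AttributeTypeAndValue
            (_, oid), (_, val) = children(atv)
            parts.append(f"{OID_NAMES.get(oid_str(oid), oid_str(oid))}={val.decode()}")
    return ",".join(parts)

def parse_tbs(der_bytes: bytes) -> dict:
    """Map the TBSCertificate SEQUENCE onto the fields described in the text."""
    _, body, _ = tlv(der_bytes)
    items = children(body)
    version = 1                                        # version is OPTIONAL, default v1
    if items[0][0] == 0xA0:
        version = int.from_bytes(children(items[0][1])[0][1], "big") + 1
        items = items[1:]
    serial, sig_alg, issuer, validity, subject, spki = items[:6]
    not_before, not_after = (dt.datetime.strptime(v.decode(), "%y%m%d%H%M%SZ")
                             for _, v in children(validity[1]))
    key_alg_oid = children(children(spki[1])[0][1])[0][1]
    return {"version": version, "serial": int.from_bytes(serial[1], "big"),
            "algorithm": OID_NAMES.get(oid_str(children(sig_alg[1])[0][1])),
            "issuer": name_str(issuer[1]), "subject": name_str(subject[1]),
            "not_before": not_before, "not_after": not_after,
            "key_algorithm": OID_NAMES.get(oid_str(key_alg_oid))}

def days_until_expiry(fields: dict, now: dt.datetime) -> int:
    """Days left in the validity period; negative once the certificate has expired."""
    return (fields["not_after"] - now).days
```

Real certificates wrap this body in an outer SEQUENCE with the signature algorithm and signature value, and carry extensions such as subjectAltName; the walker above stops at the seven fields the text lists.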
You can examine certificates on your Windows devices using the Microsoft Management Console (MMC) and the Certificates Management snap-in (see Figure 2.2). Even if you haven't installed any certificates yourself, you can still view certificates that are installed with the Windows operating system (OS). These are typically for trusted entities like certifying authorities. Your organization may also have installed additional certificates.
Resource
If you are not familiar with the MMC, see "Microsoft Management Console 3.0" at Microsoft TechNet.
Now that we've covered what is in an SSL certificate, let's take a look at how this information is used.
Figure 2.2: The MMC Certificates snap-in tool provides a viewer for reviewing the contents of SSL certificates.
Overview of How SSL Certificates Secure Communications
SSL certificates play a key role in establishing secure communications. They actually provide two services: identifying a party in the communication and providing a public key that can be used to encrypt messages sent back to the server. As we will see, the public key is used to set up a secure communication channel, which is then used to further exchange information and establish an efficient and secure channel for exchanging data.
SSL and TLS: A Rose by Any Other Name?
The Secure Sockets Layer (SSL) protocol is the predecessor of the Transport Layer Security (TLS) protocol. They both are used for securely communicating over the Internet. Although they are different protocols, the general descriptions here address concepts common to both. "SSL certificates" is a common term used to describe digital certificates used for encryption and authentication, so this guide will use the term SSL as synonymous with TLS, as is typically done.
When you navigate to a server using a secure protocol, such as Hypertext Transfer Protocol over SSL (HTTPS), your computer, which we'll refer to as the client, will perform a handshaking protocol to set up a secure communication channel. The steps are as follows:
The client requests a secure connection to a server and presents a list of security mechanisms it supports. These are known as encryption cipher suites that have functions that the client can work with. From the list, the server chooses the most secure option that it is able to support and sends its choice to the client. The server sends its SSL certificate, which includes the server's name, public key, and the identity of the certifying authority.
Next, the client might send a message to the certifying authority to verify that the certificate is still valid. This option is available because it is possible for a certificate to be revoked during its valid period. Revoked SSL certificates can be checked using either the Online Certificate Status Protocol (OCSP) or certificate revocation lists (CRLs).
At this point, the client has authenticated the server and agreed on a cipher suite. The server may optionally request a client's certificate for mutual authentication. This is more likely in cases where the client should be known, such as when using a virtual private network (VPN); mutual authentication is less likely in cases where the client is contacting a public Web site set up for general commerce (see Figure 2.3).
Figure 2.3: Steps to establish a secure connection using SSL certificates.
After completing these steps, the client and server are ready to securely exchange data.
Overview of How SSL Certificates Support Authentication
Peter Steiner's iconic 1993 New Yorker cartoon of a couple of dogs in front of a computer with the caption "On the Internet, nobody knows you're a dog" captures a fundamental problem with the Internet: How do we know who we are interacting with? Let's skip the philosophical issues about how we can know something and settle for trusting that someone (or something like a server) is who or what it purports to be.
We have a bit of a circular problem here. We want to know how we can trust someone online when we don't trust them in the first place when they assert to be someone or something. Any of us can set up a server and put up a Web page proclaiming to be a bank. We might even produce an authentic-looking site by copying pages from a real bank. How will customers know the difference? They will know because we will not be able to get an SSL certificate from a trusted certifying authority that vouches for our identity. The major browsers change the display of the navigation bar when displaying content from a site that uses SSL for identification and encryption (see Figure 2.4). Locks are used to indicate encrypted communication. The green bar indicates the use of a special type of SSL certificate known as an Extended Validation (EV) SSL certificate, which we'll talk about a bit later in this chapter.
Figure 2.5: An example warning message presented by a browser when an SSL certificate is used by a certifying authority that is not trusted by the browser.
Web Applications Without and With SSL Certificate Protection
Let's consider two scenarios: Web applications without SSL certificate protection and Web applications with their security benefits. We'll start with the unsecured examples.
Scenario 1: Web Applications Without SSL Certificate Protection
Consider an executive working with a Web collaboration application. The application supports common functions needed for group work including the ability to upload files, search collections of documents, and add notes and other metadata about the documents. The collaboration application does not use SSL certificates and instead relies on other security measures, such as access controls and network security, to protect its users.
The executive in our scenario is working on a proposal for a new client. The value of the potential contract is substantial, and there are multiple competitors vying for the work. Today, the executive decides to get away from the office to work on the proposal. She heads to the coffee shop down the street and sets to work. After a couple of hours, the executive is ready to upload the proposal to the collaboration server. She connects to the coffee shop's Wi-Fi, starts the collaboration application, and uploads the proposal. Unknown to her, someone else in the coffee shop was monitoring network traffic in search of some useful competitive intelligence. Figure 2.6 illustrates this scenario.
Figure 2.6: Unsecured communications can be detected and captured by others.
The communication was not encrypted by the application server or on the Wi-Fi network, so the document was sent as clear text. This allowed a third party to pick up the network traffic and discover the contents of the document. Whatever competitive advantage the executive's firm had could have been undermined by this data leak.
Note
Although this example is fictitious, this kind of attack is not. See, for example, cyber attacks on energy companies for proposal data.
Unauthorized monitoring of communication is only one problem with not using SSL certificates. Another problem is the potential for someone creating a server that appears to be legitimate but is actually only masquerading as a legitimate server. This is known as spoofing.
Consider another scenario. One of your regular customers decides to come to your company site to place an order. She has done this dozens of times and doesn't think much about it. She types in your site's domain name and sees the usual order page. She tries to start a new order but receives an error message. It seems, according to the Web page displayed, that your company has lost some customer data, including hers. She is prompted to enter her name and bank account information. The problem is, this is not your business site and your customer has no way to tell.
Unknown to the customer, the service that translates domain names into Internet addresses (domain name system, DNS) for her has been compromised. It seems her company has been the victim of a DNS cache poisoning attack. DNS servers translate domain names, such as www.example.com, into a numeric address, such as 192.169.0.1. When a DNS cache is poisoned, someone changes the legitimate numeric address to one assigned to an attacker-controlled server. Your customer's traffic is routed to the attacker's server with no obvious indication something is wrong, as Figure 2.7 shows.
Figure 2.7: Without authentication provided by SSL certificates, users can be lured to use spoofed servers and applications that appear to be legitimate servers and applications.
In case you might be tempted to think that eavesdropping on your communications or server spoofing is only a theoretical problem that is not likely to affect you, consider these additional points:
• Sidejacking attacks involve using unencrypted data to allow an attacker to steal your session information and interact with a Web site as if the attacker were you. See the Firesheep tool for a demonstration of how this can be done.
• Attackers can find wireless networks with tools like NetStumbler, and even if the networks are not broadcasting identification data, tools like Kismet can be used to get that data.
• Auditing and testing tools, such as DSniff, can be used to scan network traffic: great for testing weaknesses in your network, but these tools are just as useful to attackers with malicious intent.
Scenario 2: With SSL Certificate Protection
In the case of the executive working in the coffee shop, had the collaboration server used SSL certificates, the executive could send secure communications to the server. In the event that an attacker intercepted the traffic, it would appear to be a random stream of data, not a valuable and confidential business proposal (see Figure 2.8).
Figure 2.8: With SSL certificate-based encryption, data transmitted over wireless networks will appear to be more like random data than what it actually represents.
The case of the customer who was maliciously redirected from her intended target to an attacker-controlled Web site would turn out differently as well if SSL certificates were used. One of the problems for the customer was that there was no indication that she was at a malicious site. With SSL certificate authentication, she would have received a warning from her browser that something was not consistent with the malicious site.
If the malicious site was using an SSL certificate, it would have inconsistent information because either the certificate subject entity would be something the attacker could get a certificate for, which would not match the spoofed domain name, or the attacker acquired an SSL certificate from an untrusted provider. In either case, the user would be alerted to the fact that something was not as it usually is.
Authentication and Trust
Trust cannot be reduced to digital certificates or encrypted messages. Trust is established over time and requires one party to be confident that another party will function as expected. We can't have trust with businesses or individuals we never met or have not heard of. We can, however, establish a trust relationship with an unknown party when we trust a third party and that third party assures us that the unknown party is trustworthy. This role of trusted third party is played by certifying authorities. These are companies that have built a business and a reputation around the business of verifying identities.
How Certifying Authorities Authenticate
The Internet community has different levels of need when it comes to verifying identities. For example, we might be ready to put information about our calendar into a site established to schedule company softball games with minimal verification, but we are much more careful about our online banking practices. Certifying authorities have created different procedures for verification, depending on the level of trust that is needed:
• Domain-level verifications are used when the certifying authority needs to establish that the requestor of a certificate is the owner of a domain name. Checking the domain registry may be sufficient for this. (See whois.net or any one of many other services that provide details about domain owners.)
• Business verification is used when a certificate is to be provided to a business and more evidence than domain ownership is required to establish identity.
• Extended validation (EV) certificates require the most comprehensive verification, including legal documentation and checks on the physical location of the business.
Developing Trust
Businesses have long used marks to indicate a product or service is trustworthy. Marks ranging from the Underwriters Laboratories UL symbol to the Better Business Bureau logo have been used to indicate the safety of products and the trustworthiness of businesses. With the emergence of online business activity, it would help to have trust marks suitable for the Internet. We have trust indicators with SSL certificates, which use a lock in the browser address bar to indicate a secure communications channel. Green bar indicators are used with EV SSL certificates. Businesses can help promote knowledge about these trust marks by educating customers about their use and by using them on business sites as well as promoting other safe online practices. Trust can be further reinforced with trust marks such as a trusted seal from a certifying authority or an established organization such as the Better Business Bureau.
Businesses should also use the appropriate type of SSL certificate for their needs. When low trust is required by users, a simple domain certificate can be used. Sites that do not collect confidential or private information, do not require financial information or credit card data, and do not deal with other highly valued data may be well served by conventional domain or business-level certificates. When additional verification is required to help assure users that the site is legitimate, EV certificates should be considered because they provide highly visible trust indicators such as the green bar and the display of the organization name.
Summary
SSL certificates enable encryption and authentication. These are essential for securing Web applications and protecting customers from eavesdropping, data leaks, and spoofing attacks. SSL certificates enable key functionality required to build a trust relationship between business partners that might not have a pre-existing relationship. The best-designed application can have all the features and capabilities that users want, but if users do not trust the application, those features may not be used.
Planning for the Use of SSL Certificates
The planning stage of deploying SSL certificates consists of two main tasks: identifying applications and servers that will benefit from having an SSL certificate and determining which type of SSL certificate is appropriate for each use case.
Process and Asset Inventory
This may sound strange, but for the next several paragraphs forget about SSL certificates. SSL certificates are tools; they are a means to an end. For the rest of this section, we are not interested in how SSL certificates can protect our Web applications. Instead, our sole focus is on what needs to be protected and why it needs to be protected.
To understand our needs, we will start with a few basic questions. First, what applications and servers are accessed by customers? These might include:
• Company Web site
• Online catalog
• Customer support services portal
• Customer feedback application
• A shipment tracking application
• Product documentation
This is a wide variety of application types and each has a different pattern of customer interaction. Consider how you would work with each of these if you were a customer.
The object of this exercise is to understand your risk tolerance with regards to using SSL certificates. In some cases, an organization may want to use SSL certificates on every server and workstation. This would be reasonable in cases where an unusually high level of security is required. A middle-ground approach is to install SSL certificates on all Web-accessible servers. An organization with a high tolerance for risk may pick and choose which of their Web-facing servers warrant an SSL certificate. In the following sections, we will consider factors that may influence such a decision.
Company Web Site
The company Web site is the online public face of the company. It probably contains the usual information like a description of the company, news and events, product descriptions, and if you have physical locations, services such as store finders. It will likely include links to online catalogs, customer support, and other applications, but those are not considered part of the company Web site for our purposes. Those are substantial applications that have their own design, deployment, and maintenance life cycles independent of the company Web site. For this exercise, the company Web site provides the relatively static information about a company as well as links to other Web applications, such as an online catalog.
Figure 3.1: SSL certificate protection is not required when primarily public information is exchanged, but there is a need to authenticate the server when collecting customer data, such as names and addresses.
Online Catalog
The online catalog allows customers to browse and search for products, collect sets of items to buy, pay for them, and then have them shipped. There is probably some type of database application behind this Web site as well as links to supporting services such as credit card processing services. The user's interactions with an online catalog are substantially different from those with a company Web site. For example, a customer is likely to:
• Browse a particular type of product or search for a specific product
• Review multiple products
• Read descriptions, reviews, and other material about products
• Select items for purchase
• Provide personal information including names, addresses, and credit card numbers
The interactions in this case include both getting information from the application, similar to what we saw with the company Web site, and providing information to the application.
The fact that the customer is providing information to the business is a fundamental difference among applications. When it comes to personal information, such as names, addresses, and payment account information, it is probably a good bet to assume that the customer wants to keep that private. As your customer, I may have no problem sharing my credit card number with you, but I don't want anyone else to have access to it.
Depending on the size of the transaction (and the credit limit on the payment card), customers may be particularly cautious about providing payment card information to an unfamiliar company. If the customer is shopping at the online store for a national retail chain, she may feel confident that the site and the business behind it are legitimate. If this is the first time the customer has visited this site or it is not a well-known, major brand, there may be some hesitation about trusting this site.
This application collects confidential information, so the Web and application servers supporting it should be authenticated with SSL certificates (see Figure 3.2). They would also be used to enable encrypted communication between the application and the customer. The business should consider an Extended Validation (EV) SSL certificate to demonstrate compliance with stricter identity verification standards.
Figure 3.2: Confidential information is exchanged, so there is a need to authenticate the server and provide encrypted communications. An SSL certificate is required in this scenario even for highly risk-tolerant organizations.
Customer Service Support Portal
The customer service support portal is a Web application designed to allow customers to manage their accounts, review past purchases and invoices, and set preferences, such as shipping and billing methods. Customers will want to keep their information private, so access controls are in place and customers will have access only to their account information. These access controls will keep customer data private when it is stored in the application database but do not help when data is transmitted from the application to the customer, so encryption is required for all transmitted data.
This application collects confidential information, so the Web and application servers supporting it should be authenticated with SSL certificates. They would also be used to enable encrypted communication between the application and the customer.
Customer Feedback Application
The customer feedback application collects comments and emails them to a special email account created to track such messages. These comments should be considered private and confidential because the business would want to collect frank and clear comments, which a customer might not want to disclose to others. This application should be protected with SSL certificates to ensure data is encrypted during transmission. The authentication service enabled by the SSL certificate will help assure the customer that she is working with a legitimate application. Here again, risk-averse organizations will use SSL certificates to authenticate their company's applications.
Track Shipment Application
In some cases, a track shipment application is a relatively simple application that acts as a front end to services provided by the major shippers used by the company. Customers enter an order number and the application looks up the shipping company for that order, contacts that company's tracking Web service, and displays the results. In more complex tracking systems, customers may provide feedback, which should be considered confidential, so SSL-based encryption should be used.
SSL certificates are not required for simple track shipment applications in highly risk-tolerant organizations, but for moderate risk tolerance profiles or in cases where confidential information is exchanged, SSL certificates should be used. In addition, the shipping companies should use SSL certificates for their servers so that companies such as the one described here can authenticate the server they are communicating with.
Product Documentation
A product documentation application allows customers and employees to search a database of content of user manuals, technical documents, and other material to help customers and employees use products sold by the company. Product documentation is often considered proprietary information and should be protected as such.
In this scenario, the company is concerned about maintaining the confidentiality and integrity of the documentation. They have established strict access controls to mitigate the risk of incorrect documentation being placed in the database. There is some concern that if a malicious prankster spoofed the site and lured customers to a fake version of the site, the company's reputation could be damaged.
Multi-Tier Applications
Having completed the application-based assessment of our SSL certificate requirements, we next have to delve into server-level requirements. In cases of simple applications that run on a single server, one would only need a certificate for that server. Many business applications, however, require multiple servers such as Web servers, application servers, and database servers.
Figure 3.4: Multi-tier applications depend on multiple servers. If the application requires SSL certificates, then usually all servers will require SSL certificates.
Figure 3.4 shows a multi-tiered application. In this scenario, confidential data, such as payment data or customer account data, moves through several servers. The trust that a customer has in the application has to build on trust in the servers that implement the application. In such cases, the most secure option is to use SSL certificates on all servers in the multi-tier architecture. It is conceivable that there may be a server providing some basic function that never receives or processes confidential information. In such a case, one could argue against authenticating that server via an SSL certificate; however, given that requirements might change and that consistency often eases management burdens, it might be worthwhile using SSL certificates on all servers in the architecture.
Determining the Type of SSL Certificate Required
Although all SSL certificates are fundamentally the same in terms of form and function, there are differences. There are certificates for single servers, for multiple servers within a domain, and there are even some that work especially well with email servers. Let's look at criteria for choosing between these.
A single-server certificate is appropriate for a server that is managed and deployed relatively independently of other servers. A domain wildcard certificate allows multiple servers to use the same certificate. These servers use a subject such as *.example.com, which matches any server in the example domain. This is useful when a number of servers in a domain require certificates. Use these carefully, though. This certificate can be copied and used on any server in the domain, which could result in either unauthorized use and/or difficult-to-manage certificates if they are not properly tracked.
EV SSL certificates are appropriate for customer-facing Web sites and applications that will process high-value private and confidential information, such as bank account information or personal healthcare information. Businesses and organizations that may be targets for cybercriminals should consider the value of having an EV SSL certificate and the corresponding visual cues presented to customers. This is one way to help customers distinguish between a legitimate site and a fraudulent one.
At the other end of the trust spectrum from EV SSL certificates are self-signed certificates. These certificates do not involve a trusted third party as a certifying authority; instead someone within a company creates an SSL certificate himself. There is not much point in having an SSL certificate that asserts "Trust me because I say so" on a public-facing Web site. External-facing applications need an SSL certificate that asserts "Trust me because a trusted third party has vouched for my identity." Self-signed certificates are used for internal purposes such as development and testing.
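The scope of a wildcard name is exactly where copied wildcard certificates go wrong, so here is an added example (not code from the guide) of the hostname-matching rules a client applies to a certificate's names, plus an inventory check that lists servers a wildcard certificate was copied to but does not actually cover. The rules are a simplified reading of RFC 6125 section 6.4.3 (an assumption; the code does not consult the public suffix list), and the host names and name lists are constructed.

```python
import re
from typing import List

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

def _labels(name: str) -> List[str]:
    """Lower-case, drop a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")

def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if `pattern` (a subject CN or SAN dNSName) covers `hostname`.

    Rules (assumption: a simplified reading of RFC 6125 section 6.4.3):
      - comparison is case-insensitive and ignores a trailing dot;
      - without a wildcard, the names must match label for label;
      - '*' is honoured only when it is the entire left-most label;
      - '*' matches exactly one label, so *.example.com covers
        www.example.com but not example.com or a.b.example.com;
      - at least two literal labels must follow the wildcard (no *.com).
    """
    p, h = _labels(pattern), _labels(hostname)
    if not all(LABEL.match(label) for label in h):
        return False                                   # malformed hostname never matches
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False                                   # partial or misplaced wildcard
    return len(h) == len(p) and h[1:] == p[1:]

def certificate_covers(hostname: str, names: List[str]) -> bool:
    """Does any name the certificate carries (CN plus SAN dNSNames) cover hostname?"""
    return any(hostname_matches(n, hostname) for n in names)

def servers_outside_scope(pattern: str, deployed_on: List[str]) -> List[str]:
    """Tracking check: hosts on which a copied wildcard certificate was installed
    although the wildcard name does not cover them (constructed inventory input)."""
    return [host for host in deployed_on if not hostname_matches(pattern, host)]
```

Browsers additionally refuse a certificate whose only matching name is in the subject CN when a SAN extension is present, so in practice every covered host name should appear as a SAN dNSName.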
Key Points About Choosing and Deploying SSL Certificates
As you are planning, deploying, and managing SSL certificates, keep in mind several key points about choosing and deploying them. SSL certificates are used for two security operations: securing communications and authenticating systems.

Secure communications are required whenever confidential or private information is exchanged. This is certainly the case when data such as credit card numbers are exchanged, but this is not the only scenario. Sometimes attackers can piece together information incrementally over time. There may be no case where a single transaction had all the details the attacker needed to steal information or compromise a system, but if the attacker has access to multiple transactions or data exchanges, it is possible to cull useful information to further the attacker's objectives; account details, session identifiers and internal host names that cross an unprotected connection are typical examples.

Authentication with SSL certificates allows client devices to verify that the server they are working with holds the private key for a certificate that a trusted third party issued for that server's name (or for a set of servers, in the case of wildcard or SAN certificates). Confidence that you are working with a legitimate server is a building block to something more important: building trust between a customer and a business.

We use SSL certificates to mitigate the risk that users will be lured into using illegitimate or otherwise malicious devices. Customers have visual cues, such as locks and green bar indicators, that reinforce the idea that particular security measures are in place to protect them. Ideally, customers will understand that the lack of such cues on sites that usually have them is an indicator of a potential problem.

SSL certificates are like any IT asset: they require maintenance. Fortunately, this is minimal. The key things to keep in mind once we have selected the appropriate type of certificate are to monitor the validity dates, renewing well before the certificate's notAfter date, and to track the use of wildcard certificates so that they are not used on servers for which they are not intended. Also consider whether you have special requirements that might necessitate a SAN SSL certificate.
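An added example, not from the guide, of the two maintenance tasks just described: checking validity dates and tracking where a wildcard certificate has been deployed. It works on the dictionary form that Python's ssl module returns from getpeercert(), so the same check can be run against live servers. The inventory, the approved-host list and the 30-day warning threshold are constructed sample data and assumptions; whether each host name is actually covered by its certificate's names is a separate check not performed here.

```python
"""Added example, not code from the guide: an upkeep check over an inventory
of deployed certificates in the dict shape ssl.SSLSocket.getpeercert()
returns. The inventory, approved-host list and 30-day threshold are
constructed sample data / assumptions.
"""
import calendar
import ssl
import time

# Constructed sample inventory: host -> the certificate it presents.
INVENTORY = {
    "www.example.com": {
        "subject": ((("commonName", "www.example.com"),),),
        "subjectAltName": (("DNS", "www.example.com"),),
        "notAfter": "Jun  1 12:00:00 2031 GMT",
    },
    "app1.example.com": {
        "subject": ((("commonName", "*.example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"),),
        "notAfter": "Jan 15 00:00:00 2026 GMT",
    },
    "db.example.com": {   # the same wildcard key copied to a server it was not meant for
        "subject": ((("commonName", "*.example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"),),
        "notAfter": "Jan 15 00:00:00 2026 GMT",
    },
}

# Constructed: which hosts are approved to hold each wildcard certificate.
WILDCARD_APPROVED = {"*.example.com": {"app1.example.com", "app2.example.com"}}


def utc_timestamp(year: int, month: int, day: int) -> float:
    """Epoch seconds for midnight UTC on the given date, so the audit can be
    run against a fixed 'now' rather than the wall clock."""
    return float(calendar.timegm((year, month, day, 0, 0, 0)))


def cert_names(cert: dict) -> list:
    """DNS names the certificate is valid for. Modern clients look only at
    subjectAltName; the commonName fallback is kept for inventory purposes."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def audit(inventory: dict, approved: dict, now_ts: float, warn_days: int = 30) -> list:
    """Return (host, finding) pairs for the two upkeep items the text names:
    watch the validity dates, and watch where wildcard certificates are used."""
    findings = []
    for host, cert in inventory.items():
        # cert_time_to_seconds parses the GMT date string getpeercert() uses.
        days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) / 86400
        if days_left < 0:
            findings.append((host, "certificate expired"))
        elif days_left < warn_days:
            findings.append((host, f"certificate expires in {int(days_left)} days"))
        for name in cert_names(cert):
            if name.startswith("*.") and host not in approved.get(name, set()):
                findings.append((host, f"wildcard {name} not approved for this host"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY, WILDCARD_APPROVED, time.time()):
        print(f"{host}: {finding}")
```

Against live systems, replace INVENTORY with the result of connecting to each host with a verifying SSLContext and calling getpeercert(); a host that fails verification is itself a finding, since the certificate it presents is not one a client would accept.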
Summary
Web applications often require the use of SSL certificates in order to enable server authentication and encryption services. Planning how best to deploy SSL certificates begins with assessing the kinds of operations performed by applications. Do they exchange private or confidential data, such as credit card information? If so, then SSL certificates should be used to enable encryption and preserve confidentiality. Is there a risk of customers being lured to malicious sites that appear to be one of your business' sites? If so, then SSL certificates are needed for authentication.

Deploying SSL certificates is not difficult, but the process is often specific to your OS or application. Some applications, such as Microsoft IIS, have specialized tools for managing SSL certificates. Fortunately, once SSL certificates are deployed, they have relatively low maintenance requirements.