Abstract
"On average over 70% of IT Security
budget is spent on Infrastructure, yet over 75% of attacks happen at the
Application level." - Rob Labbe (Microsoft SDLC for IT)
POODLE, Heartbleed and Shellshock: if there is one thing to be learned from
these vulnerabilities, it is that they came from the application side of things
rather than the network. As the quote above states, organizations spend the
bulk of their budget on securing the infrastructure, yet the majority of attacks
happen at the application level. Top organizations follow best practices and
comply with standards such as ISO 27*, NIST and many other frameworks, yet
recent news has shown that despite all that, organizations keep falling victim
to hackers. Are we doing enough to protect our systems? What have we done to
ensure that the applications residing in our systems are not full of holes
waiting to be exploited? How well do we ensure that installed applications,
whether in-house or third party software, are soundly checked before
deployment? Do organizations have a proper process for the installation of
third party software? This paper looks at two large organizations and at how
their policies and processes govern the entry of third party applications into
corporate systems, and at what the missing link might be that could stop a
secure corporate system from turning into a gateway to hackers' heaven.
Background
"As a house is only as strong as its foundation, it's no wonder
cyber attacks are on the rise with reports showing 71 percent of software
contains components with critical vulnerabilities," – Rep Royce (
http://royce.house.gov/)
In my experience as a security consultant and an ethical hacker, my primary
role was to perform vulnerability assessment and penetration testing for
clients, covering servers, web applications, networks and even workstations.
Some organizations were repeat customers, and that allowed me to observe the
changes and remediation made in response to the vulnerabilities found in
previous assessment reports. Most of the vulnerabilities I found came from
assessments done on workstations. It was quite surprising, and at the same time
shocking, to see the kinds of vulnerabilities found on these workstations. Many
of these vulnerabilities came from third party applications such as torrent
clients, FTP clients and servers, databases and many more. These observations
made me wonder how these users were allowed to install such applications, and
whether or not proper processes exist to monitor, verify and validate these
applications before they are permitted to be installed on corporate systems.
The Interview
To find out how third party applications are installed on end user machines,
two people from two different organizations were interviewed. One is from a
global bank and the other from a government agency. Two basic questions were
asked: 1) Are end users allowed to install 3rd party applications? 2) What is
the process involved? Below are the case studies.
Case Study 1 – A Bank’s Security Manager
Me: “So I understand that 3rd party applications can be installed
on end users' machines. Is that true?”
BSM: “Depending on the type of users. Usually they are not allowed to
install, however, some users, if they need to install will have to request for
it.”
Me: “Walk me through this process.”
BSM: “Well, we have a form that user needs to fill in and it will be
submitted to the relevant department for clearance and approval. Once approved,
a member of the IT team will install it for the user.”
Me: “Are the users allowed to install themselves?”
BSM: “No. Because they have limited privileges and only an IT personnel have
the proper rights to install it for them.”
Me: “So who will provide the binary for the installation? The user or the
IT team?”
BSM: “The user.”
Me: “Are there any security checks involved before the installation?”
BSM: “At most, we will scan it against the AV scanner and ensure it's not
infected.”
The Process in Graphic
Case Study 2 – A Government CIO
Me: “So I understand that 3rd party applications can be installed
on end users' machines. Is that true?”
GCIO: “Depending on the type of users. Usually they are not allowed to
install; however, some users, if they need to install, will have to request
it.”
Me: “Walk me through this process.”
GCIO: “The user will have to log a ticket with the helpdesk using a Remedy
system. The user will have to write down the reason for this request and why it
is necessary to be installed on the machine. This will then be approved by
their department's manager to confirm that such a request is necessary. Once
approved, the request will then be submitted to another level of management.
The application will be downloaded by the relevant IT team, and installation
and proper packaging is involved before installation. Once it's packaged, it
will then be committed into SCCM and pushed to the users who requested it. The
installation will commence without the need for the user to have system
privileges.”
Me: “Are there any security checks involved before the packaging?”
GCIO: “Yes. Our packaging team in the development lab is equipped with
endpoint protection systems and it is a standard to have new application be
scanned by the AV/AS before packaging.”
The Process in Graphic
Findings
As we can see from the two case studies above, proper privileges are enforced
in both situations, and users can have third party applications installed if
approved. In terms of security, both organizations rely only on scanning the
applications for infections or malware. There is no process or effort to check
the applications for vulnerabilities at all.
Potential Issues and Impact
Based on the two case studies, we can see that there are no proper checks to
ensure that applications are not vulnerable before they are deployed or
installed onto users' machines. Since anti-virus and anti-malware products do
not detect vulnerable libraries used inside these applications, the installed
applications can become a gateway to hackers' heaven. If we look at previous
hacking incidents, the compromise often did not start at the servers: it
started from end users' machines, then pivoted to other hosts and eventually
compromised the entire network.
Challenges in Vulnerability Scanners
Most, if not all, policies and standards contain a section on the need for
organizations to perform vulnerability assessments, which include vulnerability
scanning of a network or a system. According to Qualys (
https://community.qualys.com/docs/DOC-1068)
a typical vulnerability scan proceeds in the following manner:
1) Check whether the remote host is alive
2) Detect whether the host is behind a firewall
3) Scan TCP/UDP ports
4) Scan for and detect the operating system
5) Discover services on the open TCP/UDP ports
6) Check the version of each service and match it against known vulnerabilities
While vulnerability scanning does detect vulnerabilities and is practiced in
most organizations, we need to understand that these scanners detect known
vulnerabilities based on the version of the services they discover. They do
not, however, detect vulnerable libraries or components inside an application
or binary.
Binary Analysis via Codenomicon’s Appcheck
AppCheck brings total visibility to the digital assets that organizations of
all sizes regularly use to build and expand their digital infrastructure.
Leaving no stone unturned and no component unchecked, AppCheck performs a
patent-pending, non-destructive static binary analysis on your digital assets
to provide a comprehensive and up-to-date bill of materials (BOM). With
AppCheck, you gain unprecedented situational awareness and visibility into the
risk posture of an organization.
The following images show an example of a popular firewall management
application from a vendor whose firmware was publicly available and was
downloaded for this paper. Upon uploading the binary to AppCheck, we can see
the number of 3rd party components used in this application and how many of
those components are vulnerable.
AppCheck's dashboard showing the components, vulnerabilities and component
licenses.
AppCheck listing the 3rd party components and the number of vulnerabilities
associated with each component.
AppCheck listing the libraries that use the vulnerable component, as well as
the CVE number and CVSS score for the vulnerabilities associated with the
vulnerable component.
Compromise despite Compliance
Past reports have clearly shown that even Fortune 500 companies, despite their
maturity and their compliance with standards and best practices, have been
compromised, affecting their customers, their brand, their reputation and their
costs. Many analyses exist of how these hacks were done, from the exploitation
of vulnerable applications and holes in the network to cyber espionage driven
by disgruntled employees or political causes. If there is one thing we can
learn, it is that more needs to be done when it comes to cyber security.
Solution
As shown, performing vulnerability scanning alone as part of assessment or
management is insufficient. Organizations need to revisit their policies and
processes to ensure that proper security checks are done, both by checking for
malware and by checking for vulnerabilities through binary extraction and
analysis. Since organizations do not have the source code for these 3rd party
applications, analysis from that angle is almost impossible. It has been shown,
however, that analysis in binary form is possible: extracting the package and
reviewing the libraries it uses gives organizations the ability to identify the
vulnerabilities in those libraries, and so to understand the risks involved
before installing the application on their systems.
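As an added illustration of the binary composition check the Solution section calls for, and of the gap in service-version scanning described under Challenges in Vulnerability Scanners, the following Python script (example code, not the paper's own and not AppCheck's method) searches a binary for embedded library version strings and compares them against an advisory table. The sample binary bytes, the version patterns and the advisory entries are all constructed placeholders; real composition analysis also matches code signatures, not just strings.

```python
import re

# Constructed advisory table (illustrative placeholders, not real advisories):
# library -> (first version that is no longer affected, advisory id).
ADVISORIES = {
    "OpenSSL": ("1.0.1g", "EXAMPLE-ADV-1"),
    "zlib": ("1.2.9", "EXAMPLE-ADV-2"),
}

# Version strings that common libraries embed in their compiled binaries.
# These patterns are simplified assumptions, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_PATTERNS = {
    "OpenSSL": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "zlib": re.compile(rb"zlib[ /-]?(\d+\.\d+\.\d+)"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
}

def parse_version(v: str) -> tuple:
    """Turn '1.0.1e' into a comparable tuple (1, 0, 1, 'e')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v)
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def find_components(blob: bytes) -> dict:
    """Return {library: version} for every embedded version string found."""
    found = {}
    for lib, pat in VERSION_PATTERNS.items():
        m = pat.search(blob)
        if m:
            found[lib] = m[1].decode()
    return found

def assess(blob: bytes) -> list:
    """Compare each detected component against the advisory table.
    Returns (library, version, vulnerable?, advisory-or-None) per component."""
    report = []
    for lib, ver in find_components(blob).items():
        fixed, adv = ADVISORIES.get(lib, (None, None))
        vulnerable = fixed is not None and parse_version(ver) < parse_version(fixed)
        report.append((lib, ver, vulnerable, adv if vulnerable else None))
    return sorted(report)

# Constructed sample "binary": padding bytes around embedded version strings.
SAMPLE_BINARY = (b"\x7fELF\x00" * 4 + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
                 + b"\x90" * 8 + b"zlib 1.2.9\x00" + b"libpng version 1.6.3\x00")

if __name__ == "__main__":
    for lib, ver, vuln, adv in assess(SAMPLE_BINARY):
        print(f"{lib} {ver}: {'VULNERABLE ' + adv if vuln else 'ok'}")
```

A network scanner following the six Qualys steps would only ever see the version banner of the service the binary exposes, never the OpenSSL build compiled into it.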
Enhancing Desktop Application Software Policy
Current policies only look for malware by scanning against existing anti-virus
products before an application is installed on corporate machines. Security
managers must understand that this is not enough, since many of the
applications being exploited are not compromised through malware but through
vulnerable components inside the application that are not malicious at all.
AppCheck allows organizations to see inside the binary, view its components and
understand the risks involved before deploying or installing it on corporate
machines.
The Process in Graphic
Conclusion
With thousands of applications being developed and uploaded online every day,
it is time for organizations to revisit their current vulnerability management
policies and processes. Just as in the history of weaponry, every advance in
defense is matched by an advance in attack. Traditional security that defends
only the perimeter is no longer enough. If there is one thing we can learn from
the Trojan Horse of Troy, it is that the perimeter defense will eventually be
breached, and if there is no proper strategy to handle and manage what is
inside the walls, then we, unfortunately, will lose the war.