
Security audit from REG.RU - what is it and why is it needed?



Introduction
The modern world is characterized by extremely rapid growth of information and by the globalization and computerization of every sector of society. Information technology is firmly rooted in daily life: most of the world's population uses the Internet almost constantly for work, education, games and entertainment. This naturally leads to the monetization of every possible service, and so the volume of payment-card transactions keeps growing: cashless payment for goods, online banking, currency exchange and other payments to service providers. The "web space" that holds cardholder data and other authentication data grows accordingly.

The increase in the number and variety of services available to the end user over the Internet widens the field for fraud in the same measure. In the context of the problem under consideration, the main types of malicious attack fall into two groups: attacks on the end user and attacks on the service provider.

When the attack targets the end user, the fight against cybercriminals consists mainly of installing client software that meets security requirements and informing the user about possible threats. When the attack targets the provider, comprehensive protective measures are needed, and a special part of them is intrusion prevention. Its importance is explained by the fact that even a partial leak of confidential data and its use by attackers leads to significant financial losses for both the service provider and the end user. Therefore, to reduce the risk of the service being compromised, of outages and data leaks, and to preserve the reputation of the resource, it is recommended to conduct an information security audit.

What is an information security audit?


The concept of an "information security audit" appeared relatively recently. Nevertheless, it is now one of the most relevant and fastest-developing areas of strategic and operational management in information systems security, and it attracts constant interest from specialists. Its main task is to objectively assess the current state of a company's information security (IS) and how well it matches the goals and objectives of the business, so that the efficiency and profitability of the business improve. An information security audit of a corporate system is therefore usually understood as a systematic process of obtaining objective qualitative and quantitative assessments of the company's current state against defined criteria and security indicators. The results of a qualified audit are considered to allow the company to build a corporate protection system that is optimal in terms of efficiency and cost and adequate to the current goals and objectives of the business.

Thus, a brief definition of an information security (IS) audit can be given:
An information security audit is a test of a resource's ability to successfully withstand information security threats.

Who needs an information security audit?
All companies aiming for success. A successful business is not built on sites that get hacked: user confidence falls instantly and traffic to the resource drops; as a result, sales and the number of customers fall and financial losses follow. Given that today absolutely every Internet resource is of interest to intruders (fraudsters are equally interested in compromising resources that hold payment-card details, passport data, passwords and accounts, and in compromising sites that can later be used for dubious purposes: sending spam, black-hat SEO, building a botnet, and so on), an IS audit is not a waste of money but an investment in stability.

Why is it not popular?
In most cases, because of a banal failure to understand the real need for the service. Most companies are not ready to pay a lot of money "just" to check whether the system can be compromised, because their owners are not informed about the number and scale of hacker threats. Following the principle "Not every cloud brings thunder; if it thunders, it may not strike; if it strikes, it may not strike us; and if it strikes us, it may not kill us!", companies start thinking about security only after the system has already been compromised and seriously damaged. It is better to learn from the mistakes of others, so below are a few real-life examples where an information security audit could have saved nerves and money.

Website of a ministry in a certain country
This story happened 3 years ago during a penetration test of a government site. At the first inspection of the site, a "PHP injection" (file inclusion) vulnerability was discovered: all links were implemented by including other PHP pages whose name was passed in a GET parameter. The server settings were not secure either: magic_quotes_gpc = Off and allow_url_fopen = On, which was enough to read sensitive files and then gain full access to the server.
A request like the following made it easy to read the web server log through the serving process's own file descriptor (the %00 terminates the path before the ".php" suffix is appended):
www.xxx.gov/main.php?query=../../../proc/self/fd/2%00
As it turned out later, the culprit was this plain PHP code:

```php
<?php
// ...
$query = $_GET['query'];
if (isset($query) && !empty($query)) {
    // Vulnerable: the page name is taken straight from the request,
    // so "../" traversal (and, on old PHP builds, a %00 terminator) lets
    // the attacker choose any file on the server.
    require($query . ".php");
}
?>
```

To eliminate the vulnerability, the recommendations were: check that the requested file actually exists; use the strpbrk function to detect special characters ("/", ".", "\", "?") in the parameter; forbid the web server from reading /proc/self/; and set magic_quotes_gpc = On and allow_url_fopen = Off in php.ini.
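The following is an added example, not code from the original article or from REG.RU; it re-implements the logic of the vulnerable include and of the recommended checks in Python so that it can be run offline. It takes the exact request quoted above, shows which file the vulnerable require() would have opened on a PHP build that still truncated paths at a NUL byte (PHP 5.3.4 and later reject NUL bytes in include paths, and magic_quotes_gpc was removed in PHP 5.4, so neither should be relied on as a defense), and then applies the hardened check: reject special characters, accept only an allowlist of page names, and confirm the resolved path stays inside the include directory. ALLOWED_PAGES and BASE_DIR are hypothetical values for the example.

```python
import os
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical site layout: the only pages main.php is allowed to include.
ALLOWED_PAGES = frozenset({"index", "news", "contacts"})
BASE_DIR = "/srv/app/pages"  # hypothetical include root

# The request quoted in the article, used here as constructed test input.
ATTACK_URL = "www.xxx.gov/main.php?query=../../../proc/self/fd/2%00"


def query_from_url(url: str) -> str:
    """Return the decoded 'query' parameter as PHP's $_GET would see it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("query", [""])[0]


def effective_include_path(query: str, suffix: str = ".php") -> str:
    """Emulate what require($query . '.php') opened on PHP builds older than
    5.3.4, where the path went to a C API that stops at the first NUL byte.
    (Modern PHP rejects NUL bytes in include paths; the '../' traversal still works.)"""
    return (query + suffix).split("\x00", 1)[0]


def safe_page_path(query: str) -> Optional[str]:
    """Hardened resolution: reject the special characters the audit's strpbrk advice
    targets (plus NUL), then require an allowlisted page name, then confirm the
    final path stays under BASE_DIR. Returns the path to include, or None if rejected."""
    if not query or any(c in query for c in "/.\\?\x00"):
        return None
    if query not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(BASE_DIR)
    path = os.path.realpath(os.path.join(base, query + ".php"))
    if os.path.commonpath([base, path]) != base:
        return None
    return path


if __name__ == "__main__":
    q = query_from_url(ATTACK_URL)
    print("vulnerable code would include:", effective_include_path(q))
    print("hardened code resolves attack to:", safe_page_path(q))
    print("hardened code resolves 'news' to:", safe_page_path("news"))
```

The allowlist is the part that matters: character filtering alone is brittle (the audit's own "/.\?" list, for instance, says nothing about encoded or Unicode variants), whereas a fixed set of page names cannot be steered anywhere else.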

It would seem that protection should be one of the first priorities, because it is not hard to imagine what hacking a government site entails: penetration into the local network, access to computers that store, for example, information about licensed testing of specialists (answer keys for the CRIC, external independent assessment, and so on). Then, perhaps, the authenticity of the certificates that all higher educational institutions require, and hence the competence of future doctors, will be called into question.

E-commerce
More and more entertainment resources use their own in-game currency that can be converted into real money. During a penetration test of one such site, an error-based SQL injection was discovered.

The site's premise was that you own a car, race it, upgrade it, and so on; some of these operations required topping up the account balance. During the test, the entire database structure was extracted through the SQL injection, and a directory scanner found old and test copies of the site with the Joomla content management system installed. To simulate an intruder's actions, the same vulnerability was used to obtain the Joomla password hashes, which were quickly cracked by brute force; access to the server was then obtained by uploading a PHP shell through the Joomla administration panel. As a result, the database credentials were obtained as well, which made it possible to change account balances without actually transferring any funds. The balance was stored very simply:



In addition, passwords were stored in clear text.

The recommendations for fixing the vulnerabilities were:
• Process input parameters with the mysql_real_escape_string function;
• Disable error output to the client;
• Do not leave "useful" directories accessible from the web (old versions, dumps, test scripts and the like);
• Do not use passwords that may appear in dictionaries, even on test copies of the site;
• Store passwords with a one-way (irreversible) hashing algorithm.
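The following is an added example, not code from the original article or from the audited site. It shows, in Python against an in-memory sqlite3 database (the real site used MySQL; sqlite3 is used only so the example runs offline), three of the points above: the concatenated query the audit found beside a parameterized one (binding parameters is the stronger fix; escaping with mysql_real_escape_string is the weaker alternative the recommendation names), what "error output enabled" hands to an attacker, and one-way salted password storage in place of the clear-text column. The users table and its rows are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample rows standing in for the game's users table.
SAMPLE_USERS = [("alice", "alice123", 100), ("bob", "qwerty", 5000)]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO users (login, password, balance) VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def balance_vulnerable(conn: sqlite3.Connection, login: str):
    """The pattern the audit found: user input concatenated into the SQL text."""
    sql = "SELECT login, balance FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def balance_safe(conn: sqlite3.Connection, login: str):
    """Bound parameter: the value travels separately from the query text and can
    never change the query's structure, whatever characters it contains."""
    return conn.execute("SELECT login, balance FROM users WHERE login = ?", (login,)).fetchall()


def leaked_error(conn: sqlite3.Connection, login: str) -> Optional[str]:
    """What error output enabled gives an attacker: the database's own message,
    the foothold for error-based extraction. Returns None when the query ran."""
    try:
        balance_vulnerable(conn, login)
        return None
    except sqlite3.Error as exc:
        return str(exc)


# One-way password storage in place of the clear-text column the audit found.
PBKDF2_ROUNDS = 200_000  # demo value; raise it as far as your login latency budget allows


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    conn = build_db()
    payload = "x' OR 1=1 --"
    print("vulnerable:", balance_vulnerable(conn, payload))  # every account
    print("safe:      ", balance_safe(conn, payload))        # nothing
    print("error leak:", leaked_error(conn, "'"))
    stored = hash_password("alice123")
    print(verify_password("alice123", stored), verify_password("qwerty", stored))
```

Note that the parameterized query also removes the need to reason about which characters the escaping function covers for a given connection charset, and that the stored hash carries its own salt and round count, so the cost can be raised later without invalidating existing records.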

Invisible threat
While analyzing one of the hacked servers, an iframe injected into the sites' pages with no identifiable source was noticed. The files on the server kept their integrity and their contents had not changed, yet the malicious code was being delivered to the sites' visitors. A characteristic feature was that the malicious code appeared intermittently on absolutely all sites hosted on the server:



The cause was the malicious Apache module DarkLeech, which distributed malware by "transparently" appending a couple of lines of code to the pages returned by the web server. The module files were named mod_spm_headers.so, mod_spm_mem.so, mod_log.so and mod_security.so (the last one borrows the name of a legitimate module).
httpd.conf contained the line:
LoadModule spm_headers_module modules/mod_spm_headers.so

Using the access logs, the vulnerable scripts through which the break-in occurred were found, the malicious modules were disabled, and the operating system kernel was updated because of a suspicion that the intruders had used local root exploits.
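The following is an added example, not code from the original article or from REG.RU, showing the two checks that catch this class of compromise: comparing every module that httpd.conf loads against the package manager's inventory (by ownership and by hash, since a name check alone is defeated by a rogue file called mod_security.so), and diffing the page a visitor actually receives against the file on disk, which is what exposes a module that rewrites output while leaving the files intact. The httpd.conf excerpt, module file contents and package manifest are constructed stand-ins; on a real host the same data comes from apachectl -M, rpm -V httpd or dpkg -V apache2, and a curl of the page next to the file on disk.

```python
import hashlib
import re

# Constructed httpd.conf excerpt: two legitimate modules plus the DarkLeech line
# quoted in the article.
HTTPD_CONF = """
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule security2_module modules/mod_security.so
LoadModule spm_headers_module modules/mod_spm_headers.so
"""

# Constructed stand-ins for the module files found on disk (path -> bytes).
MODULE_FILES = {
    "modules/mod_rewrite.so": b"ELF...genuine mod_rewrite",
    "modules/mod_security.so": b"ELF...trojaned build under a legitimate name",
    "modules/mod_spm_headers.so": b"ELF...dropped by the attacker",
}

# Constructed package-manager manifest (path -> sha256 of the file the package
# shipped), the data rpm -V / dpkg -V verify against.
PACKAGE_MANIFEST = {
    "modules/mod_rewrite.so": hashlib.sha256(b"ELF...genuine mod_rewrite").hexdigest(),
    "modules/mod_security.so": hashlib.sha256(b"ELF...genuine mod_security").hexdigest(),
}

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_load_modules(conf_text: str):
    """Return [(module_identifier, path), ...] for every LoadModule directive."""
    return LOADMODULE_RE.findall(conf_text)


def audit_modules(loaded, module_files, manifest):
    """Flag loaded modules that no package owns or whose on-disk hash differs
    from the package manifest."""
    findings = []
    for ident, path in loaded:
        data = module_files.get(path)
        if data is None:
            findings.append((ident, path, "file missing"))
            continue
        expected = manifest.get(path)
        if expected is None:
            findings.append((ident, path, "not owned by any package"))
        elif hashlib.sha256(data).hexdigest() != expected:
            findings.append((ident, path, "hash differs from package manifest"))
    return findings


TAG_RE = re.compile(r"<(?:iframe|script)\b[^>]*>", re.IGNORECASE)


def injected_tags(served_html: str, disk_html: str):
    """Tags present in the response a visitor receives but absent from the file
    on disk: the signature of a module rewriting output."""
    on_disk = set(TAG_RE.findall(disk_html))
    return [t for t in TAG_RE.findall(served_html) if t not in on_disk]


if __name__ == "__main__":
    for finding in audit_modules(parse_load_modules(HTTPD_CONF), MODULE_FILES, PACKAGE_MANIFEST):
        print("SUSPICIOUS:", *finding)
    disk = "<html><body><h1>Site</h1></body></html>"
    served = ('<html><body><h1>Site</h1>'
              '<iframe src="http://example.invalid/x" width="1" height="1"></iframe>'
              '</body></html>')
    print("injected:", injected_tags(served, disk))
```

Because DarkLeech served the injection intermittently, the served-versus-disk comparison should be repeated from several source addresses and over time before a clean result is trusted; the module inventory check, by contrast, is deterministic and belongs in the host's regular integrity monitoring.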

This once again confirms the importance of comprehensive protection of a web resource, not just protection of the source code, which is what a full IS audit provides.

How much does it cost?
The cost of an IS audit usually cannot be determined right away; it depends on the nature of the work (which vulnerabilities are looked for, from programming errors to social engineering). In addition, some companies price the service by the number of problems found, the number of lines of code analyzed, and the form in which results are delivered (report, video report, remediation recommendations, additional consultations). On average, prices start at $100. Such a price is typical either of companies that have just entered the market and work without certified specialists or audit standards, or of amateur teams consisting mainly of former black hats or non-professional information security specialists. One cannot claim that such companies will necessarily do the work badly, but when confidential information and security are at stake, it is better to trust professionals.

In that case prices differ considerably: from $300-500 to $5,000 depending on the tariff. For example, REG.RU's prices for these services are 25,000 rubles for the "Budget" tariff and 150,000 rubles for the "Corporate" tariff (https://www.reg.ru/web-sites/security-audit/#prices). The price is explained by a multi-stage analysis of every part of the system to identify critical points and introduce comprehensive protection measures, and by the high qualifications of the specialists, who hold Offensive Security Certified Professional (OSCP) and Certified Professional Penetration Tester (eCPPT) certificates.

Conclusions
What does ordering the "Site security audit" service from REG.RU give you?

Most owners of hacked sites did not suspect that their resource had been broken into. Some system administrators, even after identifying the intrusion, took no action because the site showed no visible damage, owing to a lack of knowledge on the subject. A security audit provides objective information about the site's security, which allows the resource owner not to jeopardize their business and business reputation. After all, users and partners who entrust their personal data to an organization are confident that it will be able to keep that data confidential.

Source: https://habr.com/ru/post/201138/