Information Security Risks for Web Applications

The use of information systems and technologies is associated with a specific set of risks. Risk assessment is necessary to monitor the effectiveness of information security activities, to take appropriate protective measures and to build effective, economically sound protection systems.

The basis of the risk is formed by possible vulnerabilities and threats to the organization; therefore, the identification of potential or actual risks of breaching the confidentiality and integrity of information, spreading malicious software and financial fraud, classifying information security threats is one of the primary tasks in protecting a web application.
')
Risks must be monitored constantly, periodically reassessing them. It should be noted that the first assessment carried out in good faith and carefully documented can significantly simplify the follow-up. Risk management, like any other information security activity, needs to be integrated into the information system life cycle. Then the effect is the greatest, and the cost is minimal. We can distinguish the main stages of the life cycle of an information system:

• initiation, according to the company's business processes;
• installation;
• exploitation;
• decommissioning.

Information system and its components

The first step in the risk assessment process is to determine the object of assessment, that is, the boundaries of the analyzed information system, as well as the resources and information that form the IS. About the system you need to collect the following information:

• IP architecture;
• used hardware;
• software used;
• system interfaces (internal and external connectivity);
• network topology;
• data and information present in the system;
• support staff and users;
• the mission of the system (i.e., the processes performed by the IP);
• system and data criticality;
• sensitivity (i.e. required level of security) of the system and data.

Actions: assessment of the technical specification of the system functional and its actual components.

Management of risks

Risk management includes two activities that alternate cyclically:

• regulatory risk assessment;
• selection of effective and cost-effective protective equipment (risk neutralization).

In relation to the identified risks the following actions are possible:

• risk elimination (for example, by eliminating vulnerabilities);
• risk reduction (for example, through the use of additional protective equipment or actions);
• taking risk (and developing an action plan in appropriate conditions).

Risk management can be divided into the following steps:

• inventory of the analyzed objects;
• choice of risk assessment methodology;
• identification of assets;
• analysis of threats and their consequences;
• defining security vulnerabilities;
• risk assessment;
• selection of protective measures;
• implementation and verification of selected measures;
• residual risk assessment.

To identify the main risks, you can follow the following chain: source of threat> factor (vulnerability)> threat (action)> consequences (attack) .

• The source of threat is potential anthropogenic, man-made or natural disasters of a security threat.
• A threat (action) is a possible danger (potential or real) of the commission of an action (action or inaction) directed against the object of protection (information resources) that causes damage to the owner, owner or user, who is at risk of distortion and loss of information.
• Factor (vulnerability) is the inherent in the object of informatization reasons that lead to the violation of the security of information on a particular object and due to the shortcomings of the process of functioning of the object of informatization, properties of the automated system architecture, exchange protocols and interfaces used by software and hardware platform, operating conditions.
• Consequences (attack) - these are the possible consequences of the threat realization (possible actions) in the interaction of the source of the threat through the existing factors (vulnerabilities).

Actions: Implement a company's information security policy.

Source of threat

Anthropogenic sources of information security threats are subjects whose actions can be qualified as intentional or accidental crimes. Methods of counteraction directly depend on the organizers of information security.

As an anthropogenic source of threats, one can consider a subject having access (authorized or unauthorized) to work with the standard means of the protected object. Or, in simple terms - this is either a hacker-attacker or their group, or company personnel, motivated by one or other factors on illegal or unlawful acts. The subjects (sources), whose actions may lead to the violation of the security of information can be both external and internal.

External sources may be accidental or deliberate and have different levels of skill. These include:

• criminal structures;
• potential criminals and hackers;
• unscrupulous partners;
• telematics service technicians;
• representatives of supervisory organizations and emergency services;
• representatives of power structures.

Internal actors (sources), as a rule, are highly qualified specialists in the field of developing and operating software and hardware, are familiar with the specifics of the tasks, structure and main functions and principles of operation of software and hardware information protection tools, have the ability to use standard equipment and network hardware. These include:

• core staff (users, programmers, developers);
• representatives of the information security service.

Actions: drawing up a probabilistic scale of sources of threats.

Threat Analysis

The main source of information security threats to web applications are external intruders.

An external intruder is a person who is motivated, as a rule, by a commercial interest, who has access to the company's website, does not have knowledge of the information system under investigation, is highly skilled in matters of network security and has extensive experience in implementing network attacks on various types of information systems.

Based on this, we need to take measures to identify the maximum possible number of vulnerabilities to reduce the potential attack surface area. To do this, it is necessary to carry out procedures for identifying technical vulnerabilities. They can be both one-time and regulatory, and affect various infrastructure facilities.

In the context of a web application, they can be divided into the following steps:

• Search for server component vulnerabilities;
• Search for vulnerabilities in the web server environment;
• Checks resource for the possibility of open receipt of confidential and secret information;
• Selection of passwords.

Actions: drawing up regulations for the identification of vulnerabilities, patch management.

Identifying technical vulnerabilities

Technical vulnerabilities are identified for the external and internal perimeter of the corporate network. The outer perimeter is a collection of all network entry points. The inner perimeter includes hosts and applications that are accessible from within.

Traditionally, there are two main methods of testing:

• black box testing;
• white box testing.

Testing using the black box method implies that the testing party does not have any knowledge about the configuration and internal structure of the test object. At the same time, all known types of attacks are implemented against the test object and the stability of the defense system against these attacks is checked. The testing methods used emit the actions of potential intruders trying to crack the security system.

The "white box" method involves the preparation of a testing program based on knowledge of the structure and configuration of the test object. During testing, the availability and operability of the security mechanisms, the compliance of the composition and configuration of the protection system with the safety requirements are checked. Findings on the presence of vulnerabilities are made on the basis of the analysis of the configuration of the used protection and system software, and then checked in practice.

Also, there is a testing method called “gray box”, which combines the above methods when partial information about the test object is known.

A separate point of the study is the ability of the infrastructure to operate at peak loads and resist the large volume of “junk traffic” generated by hackers or malicious programs.

To study the response time of the system at high or peak loads, “stress testing” is performed, at which the load generated on the system exceeds the normal usage scenarios. The main purpose of load testing is to create a certain expected load in the system (for example, through virtual users) to monitor the system performance indicators.

Actions: information security audit, including routine (for example, according to the requirements of PCI DSS).

Risk treatment

When combining asset values ​​with threats and vulnerabilities, consideration should be given to creating a combination of threats / vulnerabilities to the confidentiality, integrity and / or availability of these assets. Depending on the results of these considerations, suitable values ​​of the assets should be chosen, i.e. values ​​that express the consequences of a breach of confidentiality, or integrity, or availability.

Using this method may result in one, two or three risks for a single asset, depending on the particular threat / vulnerability in question.

When determining the actual threats, the expert-analytical method determines the objects of protection exposed to a particular threat, the characteristic sources of these threats and the vulnerabilities that contribute to the realization of the threats.

Based on the analysis, a matrix of the relationship of the sources of threats and vulnerabilities is compiled, from which the possible consequences of the realization of threats (attacks) are determined and the hazard ratio of these attacks is calculated as the product of the hazard coefficients of the corresponding threats and the sources of threats identified earlier. It is assumed that attacks with a hazard ratio of less than 0.1 (experts' assumption) may not be considered in the future because of the low probability of their occurrence at the object under consideration.

Actions: compliance management, consolidation and control of compliance with the requirements of IT and IS policies.

Neutralization and countermeasures

Neutralization of risks includes the identification of priorities, the assessment and implementation of countermeasures that reduce risks and recommended by the results of risk assessment.

Since the complete elimination of risks is impossible, the organization’s management should follow the principle of minimum sufficiency, implementing only the necessary, most appropriate safety controls to reduce risks to an acceptable level with minimal negative impact on the budget, resources and mission of the organization.

An essential element of risk management is an assessment of economic efficiency, the purpose of which is to demonstrate that the costs of implementing additional countermeasures are paid off by reducing risks. When calculating the cost of implementing safety regulators should be considered:

• the cost of acquiring hardware and software;
• decrease in the operational efficiency of the IP, if the performance or functionality of the system falls as a result of increased security measures;
• the cost of developing and implementing additional policies and procedures;
• additional staff costs involved in the implementation of the proposed safety regulators;
• staff training costs;
• maintenance costs.

As security measures, the following solutions can be implemented (both individually and in aggregate), prepared by in-house specialists and / or with the help of information security outsourcing:

• Systems of protection against attacks at the application level (WAF);
• Information Security Incident and Event Management Systems (SIEM);
• Compliance Management;
• Identity and Access Management Systems (IAM);
• Systems of one-time and multi-factor authentication in corporate networks;
• Security systems against confidential information leakage (DLP);
• Information Access Control Systems (IRM);
• Public Key Infrastructure (PKI);
• Network security solutions;
• Anti-virus protection systems;
• Email protection systems against spam, viruses and other threats;
• Content filtering systems for web traffic;
• Access control systems for peripheral devices and applications;
• Software Integrity Monitoring Systems;
• Cryptographic protection systems for storing information.

Actions: implementation of technical measures to ensure information security; introduction of administrative measures; increase staff awareness.