When we think about computer forensics and incident response, it’s often in the context of workstations and servers -- items at the operating system level. Rightly so, as that’s where many Web security breaches take place. From malware infections to password cracking to lost or stolen laptops, there’s often plenty of information right inside the operating system to help create a forensic timeline. But there’s an area of Web forensics and incident response that we don’t hear about as much: websites and applications.
Why is this? There are several reasons:
1. The assumption that a firewall and Secure Sockets Layer for Web encryption are all that’s needed.
2. The assumption that your managed security services provider is taking care of things.
3. The assumption that your last Web security scan didn’t turn up anything, so all’s well.
4. The assumption that your business doesn’t have anything the bad guys would want.
In many cases, Web-based systems have remained out of the spotlight. Perhaps it’s because of the complexity of Web systems and all the components involved? When you experience a Web security breach, there are numerous systems that may need to be analyzed. These include routers, network firewalls, Web application firewalls, Web servers and database servers. This shouldn’t keep Web systems off your incident response radar, however. Given vulnerabilities as prevalent as cross-site scripting, Web-based malware and weak passwords, you’ve got to ensure that your Web environment is not taken for granted. After all, you can’t respond to what you don’t acknowledge.
Let me expand on this. When I say Web environment, I’m not just talking about your main website and your public-facing Web applications. Instead, I’m referring to every critical Web system you have, both externally facing and on your internal network. In my security assessments, I often find the greatest risks are to internal Web systems such as financial applications, intranet portals and system management interfaces. Some common Web-centric vulnerabilities I find are in core processing systems and ATMs in banks, firewall and storage management systems, physical security closed-circuit television monitoring systems and Microsoft SharePoint systems.
The one thing that’s easy to forget is that it’s often easier to abuse these critical internal systems because, after all, everyone’s “trusted” if they’re on the internal network. There’s nothing to worry about, right? Nope. You do have stuff to worry about -- especially when it comes to the governance and compliance of critical business systems.
The reality is, Web-based vulnerabilities -- both public-facing and internal -- are, more often than not, simple to exploit because no one’s watching. There’s little to no logging, limited system monitoring and no real accountability. If something happens in such a scenario, who’s to blame? How are you even going to perform a forensics analysis when you don’t have any visibility into the environment or controls in place generating data to analyze?
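To make the logging point concrete, here is an added example (not from the original column or its author) of the kind of visibility a plain Web server access log gives an incident responder: it parses Apache/nginx "combined" format lines into a forensic timeline and flags two of the vulnerability classes named above, a burst of failed logins that later succeeds (weak-password guessing) and a cross-site scripting probe in a query string. The log lines, the `/intranet/login` path, the marker strings and the thresholds are all constructed assumptions for illustration; without a log like this there is nothing for such a script to analyze.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines in the Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:13:55:01 +0000] "GET /intranet/login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:13:55:03 +0000] "POST /intranet/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:13:55:04 +0000] "POST /intranet/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:13:55:05 +0000] "POST /intranet/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:13:55:06 +0000] "POST /intranet/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:13:55:07 +0000] "POST /intranet/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:14:02:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2210 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:14:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# One "combined" log line: client, identity, user, [timestamp], "request", status, size, "referer", "agent".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed application-specific values: which paths are login forms, which strings hint at XSS.
LOGIN_PATHS = ("/intranet/login", "/login")
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def parse_log(text):
    """Turn raw log text into time-ordered event dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_password_guessing(events, threshold=4, window_seconds=60):
    """Flag a client whose failed login POSTs (401) cluster within the window, noting any later success."""
    findings = []
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"].split("?")[0] in LOGIN_PATHS:
            by_ip[e["ip"]].append(e)
    for ip, posts in by_ip.items():
        failures = [e for e in posts if e["status"] == 401]
        if len(failures) < threshold:
            continue
        # Simple window check: all failures must fall within window_seconds of the first one.
        if (failures[-1]["ts"] - failures[0]["ts"]).total_seconds() > window_seconds:
            continue
        # A login POST after the last failure that is not a 401 suggests the guessing worked.
        succeeded = any(e["status"] != 401 and e["ts"] > failures[-1]["ts"] for e in posts)
        findings.append({"kind": "password_guessing", "ip": ip, "failures": len(failures),
                         "first": failures[0]["ts"], "last": failures[-1]["ts"],
                         "succeeded": succeeded})
    return findings


def find_xss_probes(events):
    """Flag requests whose URL-decoded path carries a script-injection marker."""
    findings = []
    for e in events:
        decoded = unquote(e["path"]).lower()
        hit = next((marker for marker in XSS_MARKERS if marker in decoded), None)
        if hit:
            findings.append({"kind": "xss_probe", "ip": e["ip"], "ts": e["ts"],
                             "path": e["path"], "marker": hit})
    return findings


def build_timeline(events, findings):
    """Merge raw requests and findings into one chronological list of strings for the case file."""
    items = [(e["ts"], f'{e["ip"]} {e["method"]} {e["path"]} -> {e["status"]}') for e in events]
    for f in findings:
        ts = f.get("ts") or f["last"]
        items.append((ts, f'FINDING {f["kind"]} from {f["ip"]}'))
    items.sort(key=lambda item: item[0])
    return [f"{ts.isoformat()} {msg}" for ts, msg in items]


def analyze(log_text):
    events = parse_log(log_text)
    findings = find_password_guessing(events) + find_xss_probes(events)
    return events, findings, build_timeline(events, findings)


if __name__ == "__main__":
    _, findings, timeline = analyze(SAMPLE_LOG)
    print("\n".join(timeline))
```

Run against the sample, the timeline shows four 401s from 203.0.113.7 followed by a 302 on the login form, which the script reports as password guessing that succeeded, plus an XSS probe from 198.51.100.22. The detection rules are deliberately simple; the point is that every one of them depends on the Web tier actually writing and retaining a log.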
Cast a broader net and expand your scope for incident response and Web forensics. Otherwise, your Web-based systems are sitting ducks and your hands are going to be tied when the unimaginable becomes reality.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audiobooks and blog.