Managing Both Acute and Chronic Web Application Security Issues

With WikiLeaks’ March 7 posting of what was purported to be some of the CIA’s cyber surveillance exploits, agencies are looking at the possibility of attackers turning intelligence gathering tools against government systems, devices, and websites.

Even more recently, a new, high-severity vulnerability emerged in the Apache Struts 2 open-source framework used to build Java web applications. The flaw allows hackers to inject commands into remote web servers. Within hours, organizations around the world reported attacks exploiting CVE-2017-5638 while Struts 2 users scrambled to apply a patch from the Apache Foundation.

What are the practical effects of these events, and what should government InfoSec leaders and practitioners do now?

The Struts 2 discovery requires immediate action, and the Vault 7 release should put security teams on an even more heightened alert. Each event, however, requires action by government IT teams as well as those in the private sector.

While most of the reports on the Vault 7 leak have focused on the tools that turn Internet-of-Things devices into surveillance units and the privacy risk that represents, the real danger for agencies is the potential for a tidal wave of zero-day attacks aimed at government web applications.

Agency security teams and software vendors will be working for weeks, months, or years to address the new exploits headed their way. Vault 7 and Struts 2 are not the first cyber events to point out a flaw in InfoSec planning and execution, nor will they be the last. While network security often gets the most resources in public and private sector organizations, web applications are the number one target for malicious attacks, according to the Department of Homeland Security, Verizon, and IBM, among other researchers. That’s because applications can contain known and unknown software flaws. Flaws in a major library like Struts 2 put an entire application at risk.

How to Be Prepared When (Not If) This Happens Again

With the known, immediate threat from Struts 2 and the potential for zero-day attacks from Vault 7 exploits, there are immediate actions and long-term considerations that agency security teams should take.

These are the tasks that should be addressed immediately:

• Determine the agency’s reliance on Struts 2 and its vulnerability to CVE-2017-5638, then apply the available patch.

• Ensure other critical patches on servers and end-points have been applied.  Ninety-nine percent of all successful breaches are related to unpatched software flaws known for at least one year, according to Gartner.

• Reinforce cybersecurity requirements among system users. Malicious hackers are a crafty lot and use every tool available to infiltrate an end-point, often with the unwitting help of users’ poor cyber hygiene.

• Tune up agency network and web application firewalls and intrusion detection systems.

• It is also important for IT teams to consider long-term action items to help ensure they will be protected from future vulnerabilities.

• Evaluate virtual patching technologies that allow for immediate protection from known vulnerabilities. A virtual patch can be applied immediately while the application continues to run — with no code changes and without restarting.

• Evaluate every part of the software stack  — not just the code written in house. Agency teams should be looking for and protecting against vulnerabilities in all software, including the platform itself. Finding the flaws is not the issue — protecting against them as fast as possible without service disruption is.

• Turn off unnecessary elements. Virtually every web application includes unused and unneeded application programming interfaces and other software code. By turning off the software elements that aren’t required, agencies can reduce the attack surface and improve defenses against any zero-day attack arising from Vault 7.

• Separate privileges and run agency software using the least privileges. In most cases, attackers damage compromised systems because after initial access they’ve been able to escalate their privileges and access restricted information/functionality. To avoid such scenarios the system must be compartmentalized, its trust boundaries and data flows identified, and separate privileges defined for each trust boundary. This usually requires an in-depth architectural analysis of the software system, but software tools can help automate this task.

Because of the highly sensitive information government agencies maintain, IT departments will always face cybersecurity challenges. However, putting the right protections in place will help significantly reduce these vulnerabilities and help secure vital systems before data gets into the wrong hands.