Many organizations perform penetration tests on their computer networks (also called ethical hacking). These tests are attempts to breach network defenses from the Internet in order to identify security weaknesses and implement remediation measures. Ethical hacking usually covers the corporate Web site and other systems that are visible from the public Internet. Web applications, which are widely used in the financial services industry, are often overlooked and should always be included when external testing is scheduled.
The first step for an organization is usually to assess the
external network defenses and systems to ensure that they are
adequately protected against attacks. The corporate website, for
example, is a prime target for attackers. An attacker who is able
to break into the system that hosts the corporate website will then
attempt to leverage that access to gain further access to the
internal network and systems. Email, remote access nodes and
any server that is publicly accessible should be included in
these tests.
Once the network has been tested as described above, organizations
should turn their attention to Web applications. Web applications
can be defined as applications that are usually accessed via a Web
browser such as Internet Explorer or Mozilla Firefox. They give
clients access to their portfolios, personal information and allow
them to perform a variety of operations ranging from trading stock,
changing contact information, paying various fees to purchasing
merchandise. Even though they normally require a username and a
password, Web applications can constitute a privileged gateway for
digital intruders because they are often linked to corporate
networks, databases and confidential data.
A hacker's strategy: Get legitimate access
A danger looms for organizations that grant online access to
customers: the rogue client! A rogue client is an individual who
legitimately accesses a Web application and, once logged in,
examines, probes and tests the application's limits and
safeguards. Consider an example: a rogue client logs in to
the web application. They are able to view their personal data, the
status of their investments and perform transactions.
So far, nothing is abnormal. The rogue client will then
most likely attempt to gain full access to the client database,
view data that belongs to other clients, gain administrative access
or perform unauthorized transactions. Possible motivations are
corporate espionage, retaliation or simply bragging rights
within the hacker community. In our experience, these types of
breaches often go undetected. When a rogue client accesses
information they are not supposed to have access to, the
confidentiality and data integrity implications are enormous.
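The rogue-client scenario above is, in code, a missing object-level authorization check: the application looks records up by identifier and never asks whether the logged-in client owns them. The following is an added illustration, not code from the original article or from KPMG; the account table, usernames and log lines are constructed, and the function names are hypothetical. It shows the lookup as a rogue client would find it, the hardened lookup beside it, and a review of ordinary access logs that surfaces cross-account reads even when the application itself never refused a request (the "often go undetected" point).

```python
"""Broken object-level authorization: a vulnerable account lookup, the
hardened version, and a log review that flags a logged-in client reading
other clients' records.  Added example; all names and data are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str        # username of the legitimate client
    balance: float


# Constructed sample "client database" (hypothetical data).
ACCOUNTS = {
    1001: Account(1001, "alice", 2500.00),
    1002: Account(1002, "bob", 18000.00),
    1003: Account(1003, "carol", 730.50),
}


def get_account_vulnerable(session_user: str, account_id: int):
    """Looks a record up by id only.  The session user is never consulted,
    so any logged-in client can read any account: the rogue-client case."""
    return ACCOUNTS.get(account_id)


def get_account_secure(session_user: str, account_id: int) -> Account:
    """Object-level authorization: the record is returned only if the caller
    owns it.  Unknown and foreign ids get the same refusal, so the endpoint
    does not reveal which account numbers exist."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        raise PermissionError(f"{session_user} may not read account {account_id}")
    return acct


# Constructed access-log lines: "<user> <account id requested> <HTTP status>".
# Line 3 and 4 are alice reading bob's and carol's accounts with success.
SAMPLE_LOG = """\
alice 1001 200
bob 1002 200
alice 1002 200
alice 1003 200
carol 1003 200
"""


def find_cross_account_reads(log_text: str, accounts=ACCOUNTS) -> dict:
    """Returns {user: [account ids]} for successful reads of accounts the
    user does not own.  Needs only the application's access log and the
    ownership table, so it catches reads the vulnerable lookup allowed."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, acct_str, status = line.split()
        if status != "200":
            continue          # only completed reads are disclosures
        acct = accounts.get(int(acct_str))
        if acct is not None and acct.owner != user:
            hits[user].append(acct.account_id)
    return dict(hits)


if __name__ == "__main__":
    # The vulnerable lookup hands alice bob's record; the hardened one refuses.
    print(get_account_vulnerable("alice", 1002))
    try:
        get_account_secure("alice", 1002)
    except PermissionError as exc:
        print("denied:", exc)
    print(find_cross_account_reads(SAMPLE_LOG))   # {'alice': [1002, 1003]}
```

The hardened lookup makes the ownership decision inside the data access path rather than in the page that renders it, so every route that reaches an account passes through the same check; the log review is the retrospective control that a security team would run over real access logs to find out whether the weakness was exploited before it was fixed.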
Test before launch
Always test the security of a Web application prior to it being
made available to clients. If weaknesses are identified, changes
can be made before the application is formally launched. When a web
application is being developed, the programmers should always test
for security weaknesses as part of their overall development
process. However, once testing by the developers is completed, the
web application should be formally tested for security by an
independent third party such as a quality assurance team or an
outside organization.
When the application undergoes changes or when a new version is
produced, security testing should be performed once again to ensure
that no new vulnerabilities were accidentally introduced with the
addition of new code and functionalities. Finally, web applications
should be retested on an annual basis, since previously unknown
weaknesses may be discovered by security researchers and expose the
web application to a breach.
Where to find help?
Unless an organization has a quality assurance team with
adequate skills that is independent from the web application
development team, a third party organization should usually be
hired to assist with this critical task. When hiring a third party,
organizations should meet with firms to clearly detail their needs
and objectives. It is important to enquire about what methodology
will be used and how much reliance is placed on automated testing
tools. One of the most widely used web application testing
methodologies is published by OWASP, the Open Web Application
Security Project, and is widely recognized in the information
security community.
A tried and true methodology will ensure that the tests cover an
adequate scope to identify the weaknesses that may be present.
Furthermore, although automated tools are frequently used, web
application security testing requires a significant amount of
manual testing, which must be matched with strong technical
knowledge on the part of those executing the tests. Manual testing
by highly skilled web application testers will detect weaknesses
that automated tools may miss and that could ultimately lead to a
security breach.
The bottom line for businesses is that web applications offer
practical and timely online solutions to clients, but they also
offer intruders a gateway into your network and confidential data.
To mitigate these risks, organizations should thoroughly test these
applications prior to their launch, whenever changes are implemented
and on an annual basis. With appropriate testing, organizations can
gain confidence that they are offering their clients a secure way
to perform online operations, so that both parties benefit from the
full potential of web applications.
Author information:
Micho holds a Masters degree in Information Systems as well as the titles of Certified Information Systems Auditor and Certified Information System Security Professional. Micho has ten years of experience in Information Systems security and was previously with KPMG in Montreal, Canada for seven years prior to joining the Cayman Islands practice in 2007.
For further information about IT Security please contact Micho Schumann on +1 345 949 4800.
© 2011 KPMG, a Cayman Islands partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.
KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative ("KPMG International"), a Swiss entity.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.