Web security vulnerability and penetration testing often focus on large enterprise applications, e-commerce sites, electronic health record systems and the occasional marketing website. After all, that's where the money -- or at least the low-hanging fruit -- is located. Interesting and easily accessible web resources and vulnerable web systems make for easy targets, so why not look there?
In my security work, I take the Pareto principle approach and focus on the 20% of security issues that are creating 80% of the security problems.
In the context of web security, it's easy to assume that big websites and applications represent the 20% of things that need to be addressed. That's not true. Some of the vulnerabilities that represent your greatest business risks are in other areas of your network -- areas that may not have received proper security scrutiny, and systems you may not have thought about at all, such as vulnerable web systems.
Vulnerable web systems and interfaces
It seems that every piece of technology has a web interface on it today. These web interfaces are creating conduits into systems that attackers -- and curious insiders -- may not have had access to in the past. They also provide access to other systems and network segments that, in a perfect world, should not be accessible.
There's a good chance that you have many more web-based systems on your network than you ever thought possible. Also, odds are near certain that these systems are filled with security flaws that could be used against you. These vulnerable web systems include:
- default installs of Windows Server;
- development, test, and staging sites and applications;
- internet of things devices, including things as seemingly benign as meeting room booking systems and random building sensors;
- network infrastructure systems, including switches, firewalls and wireless apps;
- physical security access controls;
- web proxies;
- web service endpoints;
- lesser-known microsites that serve up niche web resources; and
- storage systems.
These are legitimate business systems installed by IT, as well as legitimate and questionable systems installed by other departments and users, such as those in marketing or corporate security. They're physical and virtual and accessible both inside and outside of your network.
Most importantly, they're creating risks that you might not be prepared to take on. After all, you cannot secure or respond to the things you don't know about, such as those that fall outside the scope of your security oversight.
Addressing overlooked systems and applications
Whether or not you think these web resources are of any value, and whether or not you believe they are secure, they need to be validated. It could be that everything is fine, or it could be that you have vulnerable web systems that are facilitating SQL injection or spreading malware.
If this is the case, and you find these flaws, then at least you'll know that something needs to be done, such as fixing the vulnerabilities or setting up compensating controls via access control lists, an intrusion prevention system or a web application firewall.
Take an inventory of your web environment. All it takes to get started is a few simple scans to see what is alive. Look for standard web ports like TCP 80, 443 and 8080 for starters. Then you can decide which systems to scan with vulnerability scanners or perform additional manual analysis. Beyond that, you can look for more obscure web systems that are not listening on default ports.
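The inventory step above is where most of the "we didn't know that was there" findings come from. The following script is an added example (not part of the original article or any product it mentions) of how to turn a scan into a list of web listeners and then compare it against what IT has actually documented. It assumes nmap grepable output (`-oG`), whose port records are `port/state/protocol/owner/service/rpc/version/` and which writes tunnelled services as `ssl|http`; the scan output and the documented-asset list embedded below are constructed sample data, not results from a real network.

```python
"""Inventory web listeners from nmap grepable (-oG) output and flag the ones
that are not in the documented asset list.

Added example; the scan text and asset list below are constructed samples.
"""
import re
from dataclasses import dataclass

# Standard web ports the article suggests as a starting point.
DEFAULT_WEB_PORTS = {80, 443, 8080}

# nmap service names for HTTP-style listeners. In -oG output a tunnelled
# service is written "ssl|http" (the '/' is replaced with '|' so the
# slash-delimited port record stays unambiguous); we normalise it back.
WEB_SERVICE_RE = re.compile(r"^(ssl/)?(http|https|http-proxy|http-alt|https-alt)$")

# Constructed sample: what `nmap -sV -p- -oG -` might print for a small range.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample output)
Host: 10.0.0.5 (fileserver.example.internal)\tStatus: Up
Host: 10.0.0.5 (fileserver.example.internal)\tPorts: 445/open/tcp//microsoft-ds///, 8443/open/tcp//ssl|http//embedded-httpd/\tIgnored State: closed (65533)
Host: 10.0.0.12 ()\tStatus: Up
Host: 10.0.0.12 ()\tPorts: 80/open/tcp//http//lighttpd/, 22/open/tcp//ssh//Dropbear/\tIgnored State: closed (65533)
Host: 10.0.0.20 (staging-web.example.internal)\tStatus: Up
Host: 10.0.0.20 (staging-web.example.internal)\tPorts: 443/open/tcp//ssl|http//nginx/, 8080/open/tcp//http-proxy//Apache Tomcat/\tIgnored State: closed (65533)
Host: 10.0.0.33 (printer-3f.example.internal)\tStatus: Up
Host: 10.0.0.33 (printer-3f.example.internal)\tPorts: 9100/open/tcp//jetdirect///, 631/open/tcp//ipp//CUPS/\tIgnored State: closed (65533)
"""

# Constructed sample: hosts (by address or name) that IT already tracks as web systems.
DOCUMENTED_WEB_HOSTS = {"staging-web.example.internal"}


@dataclass(frozen=True)
class WebListener:
    host: str
    hostname: str
    port: int
    service: str
    version: str

    @property
    def non_default_port(self) -> bool:
        """True for the 'more obscure' listeners the article says to look for next."""
        return self.port not in DEFAULT_WEB_PORTS


def _is_web(port: int, service: str) -> bool:
    # Treat it as a web listener if nmap identified an HTTP-style service
    # or if it sits on one of the standard web ports.
    return bool(WEB_SERVICE_RE.match(service)) or port in DEFAULT_WEB_PORTS


def parse_grepable(text: str) -> list[WebListener]:
    """Extract open TCP web listeners from nmap -oG output."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        m = re.match(r"Host: (\S+) \(([^)]*)\)", line)
        if not m:
            continue
        host, hostname = m.group(1), m.group(2)
        ports_field = next(f for f in line.split("\t") if f.startswith("Ports: "))
        for entry in ports_field[len("Ports: "):].split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed record; skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            service = service.replace("|", "/")
            if state != "open" or proto != "tcp":
                continue
            if _is_web(int(port), service):
                found.append(WebListener(host, hostname, int(port), service, version))
    return found


def find_undocumented(listeners: list[WebListener], documented: set[str]) -> list[WebListener]:
    """Listeners whose address and hostname are both absent from the asset list."""
    return [l for l in listeners if l.host not in documented and l.hostname not in documented]


def report(listeners: list[WebListener], documented: set[str]) -> list[str]:
    """Human-readable lines, marking undocumented hosts and non-default ports."""
    lines = []
    undocumented = set(find_undocumented(listeners, documented))
    for l in sorted(listeners, key=lambda x: (x.host, x.port)):
        tags = []
        if l in undocumented:
            tags.append("UNDOCUMENTED")
        if l.non_default_port:
            tags.append("non-default port")
        label = f" [{', '.join(tags)}]" if tags else ""
        lines.append(f"{l.host}:{l.port} ({l.hostname or '-'}) {l.service} {l.version}{label}")
    return lines


if __name__ == "__main__":
    for line in report(parse_grepable(SAMPLE_SCAN), DOCUMENTED_WEB_HOSTS):
        print(line)
```

The point of the `UNDOCUMENTED` tag is the one the article makes: a listener that is in neither your asset list nor anyone's memory is the one that has never been scanned or patched. Feed the tagged hosts into the next step (vulnerability scanning or manual review) and keep the report, since it is also your evidence of due care.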
The important thing is to show that you are making the effort. In the event of an incident, breach, subsequent lawsuit or investigation, if the other side can show a lack of due care, then you're probably not going to have much of a defense. It could be that management decides it simply cannot support the resources to test your entire web footprint for web-specific security flaws. As Stein's law says, if something cannot go on forever, it will stop.
Uninformed decisions are a recipe for bad things, so document your efforts. Do what you can to find and fix -- or do something with -- these vulnerable web systems. They're out there.