
Cognizant 20-20 Insights | June 2016

Application Security: Safeguarding Data, Protecting Reputations

Assessing IT system and network vulnerabilities in today's interconnected digital world is a daunting endeavor. By embracing penetration testing best practices and procedures, organizations can proactively and affordably address security loopholes before hackers undermine customer confidence, brand reputation and financial well-being.

Executive Summary

In today's connected digital ecosystem, applications are center stage, influencing all the ways in which we interact and communicate. These applications contain sensitive data and deliver business-critical information services, and as a result even the smallest security loophole is exploited by cybercriminals looking to wreak havoc. While numerous incidents have occurred over the years that damaged customer confidence and brand reputation, solving the underlying application security challenges remains a work in progress for many organizations.

The hacking challenge is so steep that born-digital companies Yahoo and Google recently partnered to create an encrypted e-mail system that allegedly cannot be decrypted even by the companies themselves.1 Clearly, our lives are increasingly reliant on digital devices, many of which are prone to security hacks. As a result, there is a grave concern about security, reinforced by recent events:

• In January 2016, a large Belgian bank was attacked by cybercriminals in an incident that cost the bank 70 million euros, although no customers were affected by the breach. This type of attack, in which staff are tricked into authorizing payments, is called a whaling attack or spear-phishing (business e-mail compromise).2
• In August 2015, the U.S. Internal Revenue Service reported that about 300,000 taxpayers' personal information was compromised when hackers cracked the agency's multi-step process and were able to make fraudulent claims for tax refunds using stolen identities.3
• In November 2015, a Switzerland-based encrypted e-mail provider's Internet connection was held for ransom by hackers in what could be described as a distributed denial of service (DDoS) attack.4
• In October 2015, a UK phone and broadband provider's website was hacked by cybercriminals who may have pilfered confidential banking details and personal information. The attack was described at the time as a "sequential attack," i.e., SQL injection.5
• In February 2015, a large U.S. health insurer's database was breached, and sensitive information in about 80 million customer records was stolen. This was described as a sophisticated advanced persistent threat (APT), where a malicious user gains and keeps access to internal networks primarily to steal data.6

While most organizations implement firewalls, SSL and security policies, every now and then they still become victims of cyberattacks. The aforementioned incidents are proof that cyberattacks are not specific to any industry and can cause business disruption or, worse, undermine brand confidence or unleash financial damage that could challenge the very existence of any company. Attacks involving the loss of customer data and/or theft of important company information typically come to light only with the realization that the enterprise has been penetrated, followed by concern over what the breach has actually damaged. By then, it is often too late for the company to protect itself and its customers.

Incorporating security testing early in the software development lifecycle can help organizations identify application and infrastructure vulnerabilities before cybercriminals strike. Periodic penetration testing reveals the organization's current security posture.

This white paper discusses the importance of penetration testing in the digital arena and the process involved in preventing breaches. It also covers the types of penetration testing, testing strategy and the costs involved in cybersecurity.

Debunking Security Myths, Working Proactively to Plug Vulnerabilities

Information plays a crucial role in every aspect of today's modern digital world. Companies have launched more efficient ways to swiftly and safely deliver information and application services to end users inside and outside their firewalls. Safeguarding such high volumes of data from cyberattacks is a cumbersome task for most organizations. Let's start by debunking some myths that surround the concept of security testing (see Figure 1 below).

• Myth 1: We have firewalls in place, which can protect our digital assets from threats.
  Fact: Firewalls can protect the system at the network level to a certain extent, but an attack could permeate through the application layer, which cannot be tackled by firewalls.
• Myth 2: Our applications are internal and thus are not exposed to the Internet.
  Fact: Many organizations prioritize protecting the corporate information jewels from external attacks, but insider attacks are, sadly, more prevalent. Insiders have authorized system access and are familiar with the network architecture and policies.
• Myth 3: Secure sockets layer (SSL) technology protects a website from intruders.
  Fact: Implementing SSL is not enough to protect a website from hackers. A "man-in-the-middle" attacker positioned between the browser and the server can force a downgrade to weak protocol versions or low-strength cipher suites that the server still accepts, and then decrypt the traffic. SSL only protects the transport; it does nothing about vulnerabilities in the application behind it.

Figure 1

Defining Penetration Testing

In simple terms, penetration testing is an in-depth security assessment that identifies the security loopholes in a system, from applications through infrastructure, which hackers use to exploit the system. It is an attempt to examine and evaluate, by safely exploiting them, the vulnerabilities that may exist in operating systems, services and applications due to improper configuration management, insecure coding, weak design elements and incorrect implementation of security policies and procedures.

Once vulnerabilities have been successfully exploited on a particular system, the compromised system can be used to launch attacks on the interconnected infrastructure to achieve higher privileges and take down the remaining portions of the network and related systems. Moreover, preventive measures taken by organizations to safeguard assets against such occurrences are a hallmark of effective penetration testing.

Penetration testing helps customers protect company assets from cyberattacks. It helps define the vulnerabilities as identified by the Open Web Application Security Project (OWASP), SysAdmin, Audit, Network, and Security (SANS) and Open Source Security Testing Methodology Manual (OSSTMM) standards. In addition, it allows business leaders to understand the impact of those vulnerabilities in the real world.

Where Penetration Testing Fits

Today's technology-intensive world pivots around applications that are complex to build, and that must scale internally and externally to fit most business needs. Though Web applications are now the predominant means for delivering information services to customers and internal users, there are many layers between the users and the database that houses critical data. Hackers who can compromise the security of Web applications would gain access not only to sensitive data but also to the keys of the enterprise information architecture kingdom.

To prevent this from occurring, penetration testing can be applied to:
• Identify security breaches that could result in business loss.
• Comply with industry standards and regulations by ensuring that applications meet standards such as ISO 27001, PCI DSS, NIST, FISMA, HIPAA and Sarbanes-Oxley.
• Enable an organization to avoid penalties for noncompliance by demonstrating a commitment to security due diligence and compliance.

The Penetration Testing Process

Our security assessment methodology covers the following security assessment guidelines:
• OWASP top 10 vulnerabilities.
• OWASP Application Security Verification Standard (ASVS).
• SANS top 25.
• OSSTMM.
• Web Application Security Consortium (WASC) guidelines.

These standards define the process of penetration testing using the following steps:
• Manual inspections and reviews.
• Threat modeling:
>> Breaking the application down into its components.
>> Classifying the assets protected/contained by that application.
>> Exploring vulnerabilities, threats and other issues.
>> Creating mitigating strategies.
• Source code review (static application security testing):
>> Manual and automated scans for trojan horses, time bombs, backdoors, etc.
>> Procedures for deployment that may expose vulnerabilities.
• Penetration testing:
>> Web application penetration testing (dynamic application security testing).
>> Infrastructure penetration testing.
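As an added example for the source code review step above (this is not tooling from Cognizant or from the paper), the following Python script is a minimal static application security test: it parses source with the standard `ast` module and reports `execute()` and `executemany()` calls whose SQL text is built by string formatting or concatenation, directly or through a simple assignment, while leaving parameterized queries alone. The scanned `SAMPLE_SOURCE`, the `Finding` type and the function names are constructed for this demonstration.

```python
"""Toy static application security testing (SAST) pass.

Added example, not Cognizant's tooling: it parses Python source with the
standard `ast` module and flags execute()/executemany() calls whose SQL
text is assembled with string formatting or concatenation instead of bound
parameters. SAMPLE_SOURCE below is constructed for the demonstration.
"""
import ast
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the scanned source
    reason: str    # why the query construction was flagged


def _dynamic_string_reason(node: ast.AST) -> Optional[str]:
    """Return how `node` builds a string at runtime, or None if it does not."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "% formatting"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        # "a" + "b" of two literals is harmless but is still reported, so a
        # reviewer has to dismiss it: a deliberate false positive.
        return "string concatenation"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    return None


def scan_source(source: str) -> List[Finding]:
    """Flag execute()/executemany() calls whose first argument is a
    dynamically built string, directly or via a simple assignment.
    A literal query with a separate parameter tuple is not reported."""
    tree = ast.parse(source)

    # Pass 1: remember variables assigned from dynamically built strings.
    # Simplification: names are tracked module-wide, not per scope.
    tainted: Dict[str, str] = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            reason = _dynamic_string_reason(node.value)
            if reason:
                tainted[node.targets[0].id] = reason

    # Pass 2: inspect the SQL argument of each execute call.
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        sql_arg = node.args[0]
        reason = _dynamic_string_reason(sql_arg)
        if reason:
            findings.append(Finding(node.lineno, f"SQL built with {reason}"))
        elif isinstance(sql_arg, ast.Name) and sql_arg.id in tainted:
            findings.append(Finding(
                node.lineno,
                f"SQL built with {tainted[sql_arg.id]} (via variable '{sql_arg.id}')"))
    return sorted(findings, key=lambda f: f.line)


# Constructed input: two injectable patterns and one parameterized query.
SAMPLE_SOURCE = '''\
def find_user(cursor, username):
    cursor.execute("SELECT id FROM users WHERE name = '" + username + "'")

def find_user_fmt(cursor, username):
    query = "SELECT id FROM users WHERE name = '%s'" % username
    cursor.execute(query)

def find_user_safe(cursor, username):
    cursor.execute("SELECT id FROM users WHERE name = ?", (username,))
'''


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding.line}: {finding.reason}")
```

Run as a script it reports lines 2 and 6 of the sample and stays silent on the parameterized query. The concatenation rule also fires on two joined literals; triaging and rejecting such false positives is exactly the effort the paper later counts among the pricing factors for SAST tooling.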

Formulating an Effective Strategy

A comprehensive security testing approach can help uncover system and network vulnerabilities.

• Understand the security architecture and test the architecture rather than focusing only on vulnerabilities as listed in OWASP or SANS.
• Verify whether the system has followed essential security principles such as:
>> Fail securely.
>> Defense in depth.
>> Separation of privilege.
>> Least privilege.
• In the case of a multitier architecture, the approach should cover testing all tiers and all layers such as network, OS, server container frameworks and the server container that houses the application. Required sample tests include:
>> Firewalking: Sending crafted network packets through the firewall to infer its rule set.
>> Web application penetration tests.
>> Web service tests.
>> Database penetration tests.
>> Network penetration tests.
>> OS hardening tests.
• In an ideal scenario, it is good practice to test all the tiers and components involved, but in reality there is hardly enough time and budget to perform all of these tests. In such situations, risk-based testing can be conducted to:
>> Analyze the level of changes made to each system.
>> Analyze the risks from previous security scans on the same components.
>> Assess a threat advisory issued on specific components.
• A risk-based comprehensive approach provides the desired level of security validation in a cost-effective way.

The Cost of Security

The cost of security incidents depends on the type of incidents experienced and the number of incidents that have occurred. Generally, security incidents increase year on year.7 According to security software vendor Kaspersky,8 the most expensive types of incidents involve:
• Worms and other malicious programs.
• Vulnerabilities in existing software.
• Accidental or otherwise sharing of data by staff.
• Loss or theft of staff mobile devices.
• Network intrusion or hacking.

The cost of a security breach will always be prohibitive when compared with the cost of protection. Moreover, a constantly evolving threat landscape adversely impacts the cost of security to be borne today and in the immediate future.

Kaspersky also reported, "Roughly 90% of the companies with which we work or have spoken with confirm that they consistently confront security incidents that vary from horizontal attacks, to DDOS, to targeted intrusion attacks." Given the variety, it is worthwhile to understand how common security attacks differ.

• Phishing: This type of attack entails tricking or luring a user into revealing sensitive information, for malicious purposes, through electronic communication. The simplest example in this category is the "Nigerian e-mail" scam (where the sender asks for access to banking information).
• Malware: Malicious software attacks occur with the insertion of small bits of code, or self-standing installable code, that runs according to a predetermined trigger or event, causing anything from a mild annoyance to sophisticated data/processing breaches. One of the most famous of these is the "Dyre or Dridex Trojan" family of banking malware, delivered through a Microsoft Office attachment containing a poisoned macro, which then redirects the user to a spurious site rather than the real one (for example, during a banking operation).
• DDoS: This is one of the most common attacks to hit major sites. The modus operandi here is simply to overwhelm a site by hitting external-facing IP addresses with a flood of service requests, to the point where the website infrastructure is unable to keep up, resulting in a site outage. Banks and financial institutions face multiple such attacks on a weekly basis.
• Premeditated hacking: These advanced persistent threats combine attempts to maliciously target a website or application and steal or deface intellectual property. The attacker uses a combination of measures including phishing, malware and DDoS attacks. Such attacks are usually successful if the attacker has insight into network traffic flows, has access to entry and exit points via IP addresses and can exploit inherent vulnerabilities to gain access to confidential data that is not encrypted.
• Network "worms": Network-travelling worms are self-replicating malicious code that propagates over the network without user action, typically by exploiting vulnerable services on reachable hosts, either launching remote copies of the same code or injecting it into the memory of a running process.

Beyond these most common types of attacks, a wide variety of application-based attacks are used which are equally effective, including attack mechanisms such as SQL injection,9 password and hash cracking10 and cross-site scripting.11 Figure 2 depicts a sample of the items that a vulnerability assessment should cover when looking at applications.

Figure 2: Assessment of Potential Threats (summary of the original graphic)
• Threat sources: internal, external, humanly motivated, ethical hacks, serious hacks, APT, accidental.
• Assessment scope: architecture, design, code, application front end, database, middle-tier Web services and infrastructure, social media, cloud hosting and mobile.
• Tiers: front tier, middle tier, back tier.
• Technologies: Web applications, mobile apps, cloud-hosted solutions, social media, network and infrastructure, Internet of Things, endpoint security.
• White-box techniques (automated and manual): threat modeling, code review.
• Black-box techniques (manual and automated): application scan, database scan, infrastructure scan.
• Components: database server, Web/app server, integration server, REST API, firewall, MQTT, CoAP, custom integration.
• Vulnerability classes: lack of encryption of sensitive data, XML external entity (XXE) attack, insufficient authentication, security misconfiguration, SQL injection, parameter manipulation, exception handling, insufficient transport layer security, session hijacking and cookie replay attacks, lack of encryption or hashing of sensitive data, insufficient authentication and authorization of identities, cross-site scripting, flaws in DTD entity or reference handling, unvalidated inputs.

Keeping Security Testing Effective and Affordable

Much of the cost for fighting cybercrime should be contained within the overall quality assurance budget. Genuine penetration testing, however, depends on the complex scenarios identified by the organization with respect to its infrastructure and the amount of human or manual effort required to deliver and complete a successful test strategy. One such mode is IP-based testing.

For example, more complex models of penetration testing require a detailed understanding of the workload or traffic flowing through specific IP addresses that pose a security threat. Once the traffic workload has been calculated, based on services that are connected to the external network, a price per testable service can be determined. Penetration testing can then be tailor-made to the requirements of an enterprise and its budget.

SAST and DAST Decoded

Over and above penetration testing, code and application level security testing, specifically static application security testing (SAST, which is code-level security scanning) and dynamic application security testing (DAST, which exercises the running application from the outside), are usually included in budgets for application development and deployment projects. As many testing efforts in SAST and DAST are tool-based, tool license and pricing forms a large part of the expenditure. Factors often looked at in pricing include but are not limited to: lines of code to be scanned or number of scans to be performed; types of scenarios to be scanned; checking and rejection of "false positives"; and the data and support available.
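As an added example, not code from the paper or its authors, the following Python script shows the SQL injection listed among the application-based attacks above end to end, in the form a dynamic test (DAST) exercises it: a login check that splices user input into its query, beside the parameterized version, both run against an in-memory SQLite table. The `users` table, its two accounts, the payload and the function names are assumptions made for this demonstration.

```python
"""SQL injection, shown end to end against an in-memory SQLite database.

Added example, not the paper's code: the `users` table, its two rows and
the login functions are constructed for the demonstration. Passwords are
stored in clear text only to keep the injection visible; a real system
stores salted password hashes.
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Create the sample database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "correct horse battery"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[str]:
    """Deliberately injectable: user input is spliced into the SQL text,
    so a quote in the input ends the literal and the rest becomes SQL."""
    query = ("SELECT name FROM users WHERE name = '" + username
             + "' AND password = '" + password + "' ORDER BY id")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str,
                        password: str) -> Optional[str]:
    """Hardened form: the SQL text is fixed and the driver binds the values,
    so the same payload is compared as an ordinary, non-matching string."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY id",
        (username, password)).fetchone()
    return row[0] if row else None


# Classic tautology payload: closes the password literal and appends
# OR '1'='1, which makes the WHERE clause true for every row.
TAUTOLOGY = "' OR '1'='1"


def demo() -> dict:
    """Run both implementations with a valid login and with the payload."""
    conn = make_db()
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct horse battery"),
        "vulnerable_payload": login_vulnerable(conn, "alice", TAUTOLOGY),
        "parameterized_valid": login_parameterized(conn, "alice", "correct horse battery"),
        "parameterized_payload": login_parameterized(conn, "alice", TAUTOLOGY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The vulnerable function logs the attacker in as "alice" without the password, because the query it executes ends in `password = '' OR '1'='1'`; the parameterized one returns no row for the identical input. A comment-style payload such as `' OR 1=1 --` in the username field behaves the same way, and the same two checks are what a dynamic scanner automates across every input field of an application.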

Looking Forward: Security Questions Every Organization Must Answer

• Did your organization undergo a recent merger or acquisition? Chances are some of the applications acquired through mergers could have vulnerabilities that are not protected by the existing perimeter defense's rules.
• Are your business-critical applications risk-rated, and do they have enough protection against known threats? Have you evaluated them against your organization's risk appetite? Evaluate your applications' security posture through a vulnerability assessment exercise and ensure your business-critical applications stay within your organization's risk appetite.
• Even if an application has not undergone any change, has your organization considered how vulnerable it is to new or emerging threats and attack vectors? Perform periodic security assessments, with a frequency defined by a risk score based on the criticality of the application.
• Does your organization use custom applications often developed under tight timelines? Chances are your development team might have been forced to cut corners and develop vulnerable applications. Identify such applications and conduct a thorough vulnerability assessment of them to avoid misadventures in the future.
• Is your development team's choice of technology, framework and software development guided by documented and approved security standards? Establish a standards-based development methodology and confirm security assurance through vulnerability assessment.

Footnotes

1 Collins, Katie, "Yahoo and Google to collaborate on encrypted email," August 8, 2014, www.wired.co.uk.

2 Zorz, Zeljka, "Belgian bank Crelan loses €70 million to BEC scammers," January 26, 2016, www.helpnetsecurity.com.

3 Ashford, Warwick, "More than 300,000 US taxpayers affected by data breach," August 18, 2015, www.computerweekly.com.

4 Thielman, Sam, "ProtonMail: encrypted email provider held ransom by hackers," November 5, 2015, www.theguardian.com.

5 BBC UK, "TalkTalk cyber-attack: Website hit by 'significant' breach," October 23, 2015, www.bbc.co.uk.

6 Riley, Charles, "Insurance giant Anthem hit by massive data breach," February 6, 2015, www.cnn.com.

7 Batt, Tony, Kaspersky Lab, "Kaspersky Global IT Risks Survey Report," October 31, 2013, www.media.kaspersky.com.

8 Batt, Tony, Kaspersky Lab, "Kaspersky Global IT Risks Survey Report," page 15, October 31, 2013, www.media.kaspersky.com.

9 SQL injection is the insertion of attacker-supplied SQL fragments into a query that an application builds from untrusted input, so that they execute against the database, primarily to read, alter or destroy stored data.

10 Hash cracking is the recovery of passwords or other secrets from their stored hashes, typically by hashing large numbers of candidate values and comparing the results; unsalted, fast hash functions make this far cheaper for the attacker.

11 Cross-site scripting is the injection of client-side scripts, often malicious, into web pages viewed by other users, so that the script runs in the victim's browser with the privileges of the trusted site.

About the Authors

Nagaraju Padavala is Associate Director of Projects within Cognizant's Quality Engineering and Assurance business unit. He has more than 14 years of rich non-functional testing experience. Nagaraju has played various roles ranging from performance test consultant to performance delivery head for major accounts across a wide variety of clients in all geographies. He currently leads the Security Testing Practice and other digital NFT solutions such as SMAC performance, IoT NFT and OAT within the company's Non-Functional Testing Center of Excellence. Nagaraju holds a master's degree in engineering (power systems), has earned Project Management Professional (PMP) certification and is an HP LoadRunner Certified Product Consultant (CPC). He can be reached at [email protected].

Madhu Jatheendran is an Associate Director, Projects within Cognizant's Quality Engineering and Assurance business unit. He has 19 years of experience in IT in a variety of roles from programmer to program manager, with experience running teams of 250-plus personnel for a variety of clients. Currently, Madhu leads non-functional quality assurance from a vendor perspective for a major retail banking client in the UK. He is also responsible for non-functional testing services in the UK/CE region, including security and accessibility testing. Madhu has a bachelor's degree in electronics engineering from Bangalore University, an MBA from the University of Oxford and MSP certification in program management. He can be reached at [email protected].

Kavitha Jayaraman is a Senior Manager of Projects within Cognizant's Quality Engineering and Assurance business unit. She has 12 years of experience in the IT industry, including 10 years of rich experience in information security. Kavitha has played various roles from security analyst/consultant to building security centers of excellence for organizations such as Hewlett-Packard and Symantec before joining Cognizant. She has authored and presented application security white papers at conferences such as Swiss Testing Day and ISQT, among others. Kavitha holds a degree in electronics and communication engineering from Bharathiar University. She can be reached at [email protected].

About Cognizant Security Testing

A key component of Cognizant's Quality Engineering and Assurance business unit, our Security Testing practice provides end-to-end security testing services and ensures our clients' IT applications are protected from security threats and their customers' data and privacy are protected. The group is comprised of over 300 certified security testers who have successfully delivered security testing engagements to 100-plus customers. Our application security assessments focus on a benchmarked review of vulnerabilities against various standards including the OWASP (Open Web Application Security Project) top ten list, complemented by support for remediation and compliance management services. Our security testing solutions preempt security vulnerabilities of the modern digital ecosystem and improve organizational resilience. To learn more, please visit https://latestthinking.cognizant.com/quality-engineering-and-assurance.

About Cognizant

Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process services, dedicated to helping the world's leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 100 development and delivery centers worldwide and approximately 233,000 employees as of March 31, 2016, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

World Headquarters: 500 Frank W. Burr Blvd., Teaneck, NJ 07666 USA. Phone: +1 201 801 0233. Fax: +1 201 801 0243. Toll Free: +1 888 937 3277. Email: [email protected].

European Headquarters: 1 Kingdom Street, Paddington Central, London W2 6BD. Phone: +44 (0) 20 7297 7600. Fax: +44 (0) 20 7121 0102. Email: [email protected].

India Operations Headquarters: #5/535, Old Mahabalipuram Road, Okkiyam Pettai, Thoraipakkam, Chennai, 600 096 India. Phone: +91 (0) 44 4209 6000. Fax: +91 (0) 44 4209 6060. Email: [email protected].

© Copyright 2016, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners. Codex 1869