Thinking Like a Hacker to Secure Enterprise Applications

By Lina Sorg

Society's growing interconnectivity via the internet brings spikes in malicious online activity with it. Keeping one's organization or institution protected from ever-present cyber threats is more important now than ever, especially as people continue to work remotely. During a minisymposium presentation at the 2021 SIAM Conference on Computational Science and Engineering, which is taking place virtually this week, cybersecurity expert Rachel Velasco adopted a hacker's mindset to help companies defend their enterprise environments from internal and external penetration. She reviewed testing methodologies, explained common areas of vulnerability, and presented strategies for risk mitigation.

Velasco, who has worked in application security for the last several years, has experience with both the static (source code review) and dynamic (running-application) sides of application testing for financial institutions. She began by referencing the Open Source Security Testing Methodology Manual (OSSTMM), which provides detailed procedures for security analysis and testing. Then she focused on the five phases of testing that she attributed to the Open Web Application Security Project (OWASP):

  1. Reconnaissance
  2. Post-discovery
  3. Exploitation phase
  4. Post-exploitation phase
  5. Analysis phase

The reconnaissance phase involves information gathering. During this stage, hackers learn everything they can about their target. "Google is your best friend," Velasco said. "You can find pretty much anything about the company or the target from Google." Another search engine, Shodan, indexes internet-connected devices rather than web pages and offers a variety of filters for finding specific types of them. It therefore reveals the kinds of services, operating systems (OS), and devices that a target exposes to the internet. Unsurprisingly, social media posts often provide hackers with valuable information as well. "Employees of specific targets often go into too much detail about what they do on social media," Velasco said. For example, employees sometimes post in online forums with questions about their work. Another user might request more information to better understand the question, then use that information to hack into the organization. Employees should consequently refrain from divulging too much information about their jobs on the internet.

Figure 1. Open Web Application Security Project’s ranking of the top 10 vulnerabilities.

The post-discovery phase is fairly straightforward and employs scanning processes that ascertain the targeted devices' services and OS. Velasco shared OWASP's ranking of the top 10 vulnerabilities, the 2017 edition of the OWASP Top 10 (see Figure 1). In an injection attack, untrusted input such as a search field is pasted into a query that runs against the SQL database, so the input becomes part of the query itself rather than mere data. Broken authentication lets hackers compromise passwords, keys, and session tokens, including credentials that are already publicly available and floating around on the internet; broken access control lets an authenticated user reach data or functions that should have been restricted. Sensitive data exposure often occurs when error messages reveal too much information about the application and its commands, which lets hackers easily glean financial or healthcare-related data. XML external entities (XXE) represent another vulnerability, as older or misconfigured XML processors that resolve external entity references can unknowingly disclose internal files. Security misconfiguration is much more common than people might think, namely because users often fail to realize that security software requires its own configuration to fit individual needs. Cross-site scripting (XSS) occurs when hackers inject their own malicious scripts into otherwise trusted websites. Browsers accept this corrupted content and let it run, introducing the potential for hijacked user sessions. Insecure deserialization can result in remote code execution. "Even if the code execution doesn't work, it can usually lead to exploiting other vulnerabilities, such as injection," Velasco said.

Some companies also use components with known vulnerabilities, which is especially common for older components that have legacy or compatibility ties to other systems. Many of these outstanding vulnerabilities are well documented on the internet, so attackers do not need to discover them. Finally, insufficient logging and monitoring procedures make it easier for hackers to gain and keep access to company systems unnoticed. Velasco noted that in several recent cases, organizations only detected the issues roughly 200 days after the initial data breach.
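The injection entry in the ranking above turns on one detail: whether the search term is spliced into the query text or passed to the database as a bound value. The following is an added example, not code from the talk or from OWASP; it uses an in-memory SQLite database with constructed sample rows (the tables, names, and the fake password hash are all made up for illustration) to show a search field written both ways and a single hostile search term that dumps a table the feature was never meant to expose.

```python
"""Added example: a search field built by string concatenation beside the
parameterized version that closes the hole.  All data is constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a public products catalogue and a users table
    # that the search feature should never be able to read.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
        INSERT INTO products VALUES (1, 'laptop', 1), (2, 'unreleased phone', 0);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin@example.com', 'fakehash-not-a-real-credential');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The untrusted term is dropped straight into the SQL text, so it becomes
    # part of the query program: a quote in the input ends the string literal
    # and whatever follows is parsed as SQL.
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    # The SQL text is fixed and the term travels separately as a bound value,
    # so quotes, UNION or comment markers inside it are matched literally.
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# A hostile "search term": closes the LIKE string, appends a UNION that pulls
# rows from the users table, and comments out the trailing %' with "--",
# which SQLite treats as a line comment.
INJECTION = "' UNION SELECT email || ':' || password_hash FROM users --"


def demo() -> dict:
    # Same input through both implementations; the parameterized query simply
    # finds no product whose name contains the hostile string.
    conn = make_db()
    return {
        "normal_vulnerable": search_vulnerable(conn, "lap"),
        "normal_parameterized": search_parameterized(conn, "lap"),
        "attack_vulnerable": sorted(search_vulnerable(conn, INJECTION)),
        "attack_parameterized": search_parameterized(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the concatenated query, the hostile term yields the fake admin credential alongside the public product; the bound-parameter version returns an empty list for the same input. Binding parameters does not make `%` or `_` in the term literal, since those remain LIKE wildcards, but that is a matching question rather than an injection one.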

After identifying vulnerabilities during post-discovery, hackers exploit them to gain access in the exploitation phase. They maintain this access throughout the post-exploitation phase, wherein they determine the types of data that their targets handle and the severity of what the exploits could reach. The subsequent analysis phase is focused on the hackers' findings, the severity of the damage, and ways in which the target can rectify the situation.

Figure 2. Risk mitigation strategies.

Velasco concluded her talk with a brief discussion of risk, defined as likelihood times impact: the likelihood that an exposure is exploited, weighted by the seriousness of the resulting breach. She then offered six general risk mitigation strategies (see Figure 2). "Secure coding should be built into the systems development life cycle process," Velasco said. "It should not be an afterthought." Multi-factor authentication can lessen attacks on an institution's applications, and the same is true of encryption. In short, all data, especially protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA), should be encrypted to ensure better confidentiality. Companies should also patch frequently and enable a web application firewall.

Ultimately, Velasco reminded the audience to be aware of internal and external penetration testing methodologies. Thinking like a hacker, examining the information gathering stages that precede attacks, and considering common application flaws will help organizations mitigate the risk and potential damage of persistent cyber threats.

Lina Sorg is the managing editor of SIAM News.