Beware: vulnerabilities that remain unpatched for years are exactly what most attackers target. “Attackers are utilizing well known, well documented vulnerabilities in externally facing applications,” says Swearingen. You must patch eventually, or expect to become a statistic.
The best place to secure web applications is at the start, in development. When developers follow coding standards that address the riskiest vulnerabilities that an application can have, they greatly mitigate the potential for successful attacks. “In any custom application, ensure that your developers are referencing the OWASP Top Ten,” says Swearingen.
The OWASP Top Ten application security risks include injection flaws, poorly implemented authentication, cross-site scripting flaws, direct object references, insecure configurations, sensitive data and PII exposure, missing function-level access controls, cross-site request forgeries, known-vulnerable components, and unvalidated redirects. In each case, the security hole lets an attacker insert or access data or components, leading to a broader compromise.
By checking and closing each vulnerability as they create an app, developers can deal the greatest blow to attacks before the app even sees the light of day.
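Two of the risks on that list are easy to show in code. The example below is added here and is not from the article or from Swearingen: a constructed SQLite-backed user lookup written first with the injection flaw and then with a parameterized query, plus a redirect validator that only honours relative paths or an assumed allow-list of hosts (the `app.example.test` host and the sample users are invented for the example).

```python
import sqlite3
from urllib.parse import urlparse

# Constructed sample data standing in for an application database.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Return an in-memory SQLite database populated with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, name):
    """Injection flaw: the input is spliced into the SQL text, so crafted input
    can change what the query means. Kept only to contrast with the fix below."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_user_hardened(conn, name):
    """Parameterized query: the driver sends `name` as a bound value, never as SQL,
    so the same input is matched literally and returns no rows."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Assumed allow-list for this example; a real application would load its own hosts.
ALLOWED_REDIRECT_HOSTS = {"app.example.test"}


def safe_redirect_target(url, default="/"):
    """Unvalidated-redirect fix: accept only same-site relative paths or HTTPS URLs
    to allow-listed hosts. Everything else falls back to `default`."""
    parsed = urlparse(url)
    is_relative_path = (
        parsed.scheme == ""
        and parsed.netloc == ""
        and url.startswith("/")
        and not url.startswith("//")  # protocol-relative URLs point off-site
    )
    if is_relative_path:
        return url
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return url
    return default


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(db, probe))  # every row leaks
    print("hardened:  ", lookup_user_hardened(db, probe))    # nothing matches
    for target in ["/account", "//evil.test/x", "https://app.example.test/home",
                   "https://evil.test/", "javascript:alert(1)"]:
        print(f"{target!r:35} -> {safe_redirect_target(target)!r}")
```

The vulnerable and hardened lookups differ by one line, which is the point: the coding standard the article recommends is mostly about which of the two a developer reaches for by habit, and a code review or static scanner can flag the formatted-string form mechanically.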
As with the OS, there are vulnerability scanners tailored to CMS and web applications. “If you’re running a WordPress site, there is an application called WPScan that can test it,” says Swearingen. HackerTarget makes multiple web and CMS scanners available. OWASP has a WordPress scanner. There are also scanners that can check the source code.
Of course, once you find a vulnerability you will have to either patch it or find some other solution such as a WAF to secure around it.
“You’ll want to implement security best practices including a backup strategy that you can test and confirm works to restore the system in the event that an attacker does encrypt it and hold it for ransom,” says Swearingen. If someone else has provided the server and the enterprise is in charge of the application layer, you should back up the application and perhaps the database, depending on your circumstances, he explains.
For backups to genuinely counter a Linux ransomware attack, keep them on a different system at a different location with different credentials, so that a compromise of the server is not automatically a compromise of the backups as well. “Whether you are using server snapshots for backups, make sure the backup system is not mounted from the original server that is subject to compromise,” says Swearingen.
Security best practices will lead the enterprise to segment web servers from any externally exposed server and from other networks, and to use highly restrictive access controls, says Swearingen. You should always use all applicable layers of defense that are available to you.