Managing both acute and chronic web application security issues

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By James E. Lee
 

Connecting state and local government leaders

By James E. Lee

|

Immediate actions will help agencies protect the health of their systems, but they must also address their long-term vulnerabilities.

With WikiLeaks’ March 7 posting of what was purported to be some of the CIA’s cyber surveillance exploits, agencies are looking at the possibility of attackers turning intelligence gathering tools against government systems, devices and websites. 

Even more recently, a new, high-severity vulnerability emerged in the Apache Struts 2 open-source framework used to build Java web applications. The flaw allows hackers to inject commands into remote web servers. Within hours, organizations around the world reported attacks exploiting CVE-2017-5638 while Struts 2 users scrambled to apply a patch from the Apache Foundation.

What are the practical effects of these events, and what should government InfoSec leaders and practitioners do now? 

The Struts 2 discovery requires immediate action, and the Vault 7 release should put security teams on even heightened alert. Each event, however, requires action by government IT teams as well as those in the private sector.

While most of the reports on the Vault 7 leak have focused on the tools that turn internet-of-things devices into surveillance units and the privacy risk that represents, the real danger for agencies is the potential for a tidal wave of zero-day attacks aimed at government web applications.  

Agency security teams and software vendors will be working for months, weeks or years to address the new exploits headed their way.  Vault 7 and Struts 2 are not the first cyber events to point out a flaw in InfoSec planning and execution, nor will they be the last.  While network security often gets the most resources in public and private sector organizations, web applications are the number one target for malicious attacks, according to the Department of Homeland Security, Verizon and IBM among other researchers. That’s because applications can contain known and unknown software flaws.  Flaws in a major library like Struts 2 put an entire application at risk.

How to be prepared when (not if) this happens again

With the known, immediate threat from Struts 2 and the potential for zero-day attacks from Vault 7 exploits, there are immediate actions and long term considerations that agency security teams should take.

These are the tasks that should be addressed immediately:

Determine the agency’s reliance on Struts 2 and its vulnerability to CVE-2017-5638, then apply the available patch.  

Ensure other critical patches on servers and end-points have been applied.  Ninety-nine percent of all successful breaches are related to unpatched software flaws known for at least one year, according to Gartner.

Reinforce cybersecurity requirements among system users.  Malicious hackers are a crafty lot and use every tool available to infiltrate an end point, often with the unwitting help of users’ poor cyber hygiene.  

Tune up  agency network and web application firewalls and intrusion detection systems.

It is also important for IT teams to consider long-term action items to help ensure they will be protected from future vulnerabilities.

Evaluate virtual patching technologies that allow for immediate protection from known vulnerabilities. A virtual patch can be applied immediately while the application continues to run -- with no code changes and without restarting.

Evaluate every part of the software stack  -- not just the code written in house.  Agency teams should be looking for and protecting against vulnerabilities in all software, including the platform itself. Finding the flaws is not the issue -- protecting against them as fast as possible without service disruption is.

Turn off unnecessary elements. Virtually every web application includes unused and unneeded application programming interfaces and other software code. By turning off the software elements that aren’t required, agencies can reduce the attack surface and improve defenses against any zero-day attack arising from Vault 7.

Separate privileges and run agency software using the least privileges. In most cases, attackers damage compromised systems because after initial access they’ve been able to escalate their privileges and access restricted information/functionality. To avoid such scenarios the system must be compartmentalized, its trust boundaries and data flows identified and separate privileges defined for each trust boundary. This usually requires an in-depth architectural analysis of the software system, but software tools can help automate this task.

Because of the highly sensitive information government agencies maintain, IT departments will always face cybersecurity challenges. However, putting the right protections in place will help significantly reduce these vulnerabilities and help secure vital systems before data gets into the wrong hands.  

NEXT STORY: Social media screening pilots lack metrics, DHS IG says

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.