What C-Level Executives Need to Know about Application SecurityInterview with Security Expert Jeremiah Grossman on Online Banking Services and Their Inherent Vulnerabilities
The recent release of a University of Michigan study on the security flaws of online banking websites brings attention to the often overlooked area of web application security.
In this exclusive interview, Jeremiah Grossman of WhiteHat Security shares his insights on the importance of web application security for financial institutions -- analysts estimate that 75% of attacks against web servers enter at the application, not the network level. Grossman is a security industry veteran, and prior to founding WhiteHat Security was an information security officer at Yahoo.
Q: Why do C-Level banking executives need to be concerned with web application security. Isn't it just a technical problem that can be easily solved?
Jeremiah Grossman: Web application security is a brand new subject for many financial institutions' executives, but despite it being new it only takes one criminal to break into a bank's website and liquidate accounts and take money. The firewalls aren't going to block it, SSL isn't going to stop it, and scanners aren't going to catch it. It's a brand new space. They first hear those words, "web application security," and they are confused, but it's not just a technical problem that can be easily solved.
Q: In the language of C-level executives, how would you want to describe the next generation of online banking services?
Grossman: Web 2.0 gets all the attention and the hype because it's so responsive to the user, but all the problems with Web 2.0 were there with Web 1.0 -- they just got exacerbated a bit. Where firewalls allow traffic through to a website, they don't block it, so by extension the bad guys (hackers) can get into a website just like anybody else, with or without the firewalls being there. With Web 2.0 technology, new web application code is being pushed out there constantly. Any single line of code can reduce security. and unless you're looking at every single line of code on the site, the bad guys will find those flaws. We're seeing more and more web hacks all the time.
It is becoming harder to attack individual users directly via spam or phishing emails and instant messaging. Websites are easy targets. Hackers are turning to attack the websites and then infect the users as they come to the site. It is much easier for a hacker to break into a website and plant malware onto a trusted website than to try and infect just one user. The problem is a great many websites are vulnerable to this kind of attack.
Q: With the emphasis on moving customers to online banking, what are some of the vulnerabilities that might hold banks and credit unions back from moving their customers to the hip, new way to access their account information and services online?
Grossman: I don't think there is a bank that isn't online right now. I can't think of one. It sounds weird coming from a security guy, but I don't think that security (or the lack thereof) will stop users from using their bank's online services, despite the fact that the majority of them (eight or nine out of every 10 banking websites) have major vulnerabilities on their sites. Where Web 2.0 plays in is that when a customer goes to the average bank website, all the services they're using from wire transfers to online bill pay, those all don't belong to the bank. Sometimes they are sourced in by partnerships. For example, a wire transfer provider is paid to do the wire transfers on behalf of the bank, but the security and all the technology behind those transactions don't exist at the bank, so the bank has to trust the security of their partners to protect their customers' data. That is actually a big deal because the bulk of banking websites aren't being developed internally, they're sourced in from outsiders. The bank's website is interdependent on all of its business partners, so a bank's security is only as good as its weakest vendor.
Look at it this way: A lot of big banks tend to host their own website infrastructure, but the smaller banks and credit unions will use a hosting provider to host their website and develop its software. The hacker gets into one application service provider (ASP), and instead of just getting into one banking website they're now able to get into hundreds of other bank websites that are hosted by that ASP. This means while a bank thinks it is outsourcing its online website's security and technology requirements, it is actually increasing the risk at the same time.
There is kind of a push and pull game going on between the bank and the ASP. When the bank asks the ASP to increase its security around customer logins, for example, the ASP asks "Why do I have to, the bank has already paid me." They're not actually wanting to increase the security of their infrastructure after the fact.
Q: Where is the industry headed with this need to improve web security? Is it going to be a moot question 10 years from now, or will it getting worse?
Grossman: The security and compliance initiatives are usually several years behind what the cutting-edge bad guys are doing. We've got standards out there now that are dictating strong SSL and strong two-factor authentication such as the site key tokens and anti-brute force mechanisms. While they all address a certain problem, they don't address what is actually going on out there on the web. I think the problem is going to get worse before it gets better. The bad guys are going to show us the way they're breaking into systems, and then the industry is going to have to fix it. The industry must realize that the standardized best-practices approach isn't going to get it done.
Q: Give C-Level executives a picture of what could happen to their online websites that have existing vulnerabilities. What would be the worst thing that could happen to their online banking website?
Grossman: The worst case would be the loss of trust that customers feel when they bank online. Should attacks get worse and worse and people lose more money, the banks will become less willing to compensate people for their losses. When banks start down that path because they can't afford to pay the losses, then those customers will either stop banking online or move to another bank that offers them full compensation for their online losses. I have friends and colleagues that this has already happened to, and that is a very real consequence of these types of attacks. When I analyze a bank's website, this is exactly what I am working to prevent.
Q: What percentages of online banking websites are vulnerable to criminal hacks?
Grossman: Nearly all of them are vulnerable to criminal hacks. A lot of times, we'll look at a website and we do "speed hack" challenges on the website to see how fast someone can break into the website or find a vulnerability on the site. It rarely takes us more than 20 minutes to find one.
The aspects of a web hack are different than a network attack. In a web hack, the hacker doesn't have to use many tools, because they only have to find a single vulnerability. Conversely, the good guy who is charged with protecting the website, they're more compelled to use tools because they have to find all of the vulnerabilities, all the time. For financial institutions it is very difficult to find, hire, train and keep skilled security experts such as these, so that's why they turn to outside companies for help.
Q: In terms of best practices, what are some you'd recommend all institutions take when it comes to securing their websites?
Grossman: Institutions need to do asset tracking for their websites. They need to find them on their website and rank their importance. If an institution has more than five websites, they have a difficult time doing this task. And because they don't know what they own, it's difficult to secure it.
Perform continuous vulnerability assessments, as often as every week. Remember, just because the website didn't change, it doesn't mean the industry didn't. This has to be done with both technology and humans -- you need both sides to complete the work. Lastly, once you have identified where your weaknesses are, then build a proper game plan to fix those issues. This also must be done to your service providers websites as well.
Q: If you were a C-Level executive at a financial institution, where would you rank web application security as a risk management priority?
Grossman: It would have to be top three in terms of a risk management priority, just behind network security and host-based security. What gets a lot of play these days are SSL and two-factor authentication, and what needs to be realized is that these solutions do not protect the website. Of all the different types of hacks I've seen, I've rarely seen a hack through an authentication application. It's much easier to go another route offering less resistance.