Caught in the web

Enterprises still lack an understanding of the various security mechanisms that need to be in place in order to ensure that their online presence does not cost them their business.
By Sathya Mithra Ashok
Mon 02 Mar 2009 04:00 AM

While internet usage rates are still fairly low in the region, industry experts believe it is set for rapid growth. However, enterprises still lack an understanding of the various security mechanisms that need to be in place in order to ensure that their online presence does not cost them their business.

Over the last year, internet penetration in the various countries of the Middle East grew by leaps and bounds. Currently, there are more people connected to the web and interfacing with it than ever before in the region.

In spite of this massive spread of broadband, and more potential customers coming online everyday, not many regional enterprises have willingly taken to e-commerce.


"In reality our experience is that they are not doing it as fast as other regions. There might be a number of areas where organisations in the region are using web services, but these are mostly the case when it is being dictated by global structures and IT functions as a remote entity. While the actual take-up is not as much as say Western Europe, the awareness levels remain high," says Mike Smart, senior product marketing for EMEA at McAfee.

In a region where shopping is considered a recreational activity, it is not surprising to note that not many customers are eager to turn to internet purchasing, and not many companies have ventured into the field.

Most of the work in web services in the region has been done by governments which have enabled online services, and banks and financial institutions which encourage the customers to use the web as a convenient way to manage their finances.

Apart from this, online applications in enterprises have remained in the realm of a few internal processes, and only when it is absolutely necessary, though many in the industry believe this is soon set to change.

"Yes, the whole internet adoption for commerce in the region is a bit behind the curve compared to Europe and the US, but the market is growing very quickly indeed and actually faster than anywhere else in the world," assures Ian Cochrane, marketing manager, southern emerging markets at Trend Micro.

While enterprises that adopt web services may remain in the minority, the question is whether they are putting in the right security measures to guard their online applications, and this question is likely to take on priority as more organisations adopt e-commerce applications.

"I believe this is the sad part of the story. The majority of organisations in this region are not taking care of the security aspect of their web applications. We hear lots of stories every day about organisations that got hacked or went out of service for some time.

Obviously, with the trend of running a business over the internet, this makes it a prime target for internet criminals and sophisticated hackers," points out Ala Al'Khalil, F5 team leader at network distributor SecureWay.

Getting ideal

"While security measures vary according to organisations it's important to remember that web services open up a potentially big hole to the outside world by their very nature.

So people are very much closer to sensitive data than they were when they used to have to actually visit a physical office. This has meant a re-evaluation of how sensitive data is treated and what discipline needs to be applied to it," states Nigel Ashworth, technical director, Middle East and Africa at F5 Networks.

"The rapid introduction of web services has led to a sporadic security response. We have seen organisations design well thought out security strategies around web services, however the level of implementation has been varied.

As web services provide relatively transparent interoperability between business functions, the skills required to validate web services specific security measures becomes more specialised," adds Mark Hammond, lead principal consultant at Symantec.

Whether an enterprise decides to build, maintain and monitor online applications internally or it chooses to outsource these activities to a service provider, it needs to ensure that the security environment is maintained as close to an ideal state as possible.

"If you are having your stuff hosted by someone else then you will need to conduct regular reviews of your provider's security and make sure that they meet your security criteria rather than their own security criteria.

When offering online apps internally, the number one duty is to make sure that you keep any of your internet facing systems patched and up to date. Many companies have been compromised due to weaknesses in their patching regimes," says Rik Ferguson, senior security advisor at Trend Micro.

"Number two is that you have to keep your stuff regularly tested and that means vulnerability scanning and penetration testing, from the internal perspective obviously, but it is also very important that you scan the service from the outside, from the internet, as well. This is probably more important than internal scanning. You also need some kind of strong authentication, like two-factor, token based systems, to validate your customers," he adds.

McAfee's Smart emphasises the need to rely less on traditional, physical, appliance-level security, since it is incapable of catching the modern-day threats.

"The way we see this taking off in a secure way is to focus much more on the user, what the users are doing, where they are going, what types of apps they are using, and looking at doing risk assessment around those apps. Any system that is able to understand that it is not just web traffic here, but a specific app within web traffic, is really where we are able to provide more control over the users and protect them," he says.

Premchand Kurup, CEO of Paramount Computer Systems, encourages organisations to consider the implementation of web application gateways, a web application vulnerability assessment, an application process security review as well as multi-factor authentication.

Judhi Prasetyo, Middle East consulting manager at Fortinet, recommends periodic testing of apps by an independent team supported by the deployment of tools that can detect malicious activities. Apart from these considerations, security while transferring data needs to be kept in mind.

"All sensitive information needs to be transmitted securely via technology such as Secure Socket Layer (SSL) encryption. Digital signature technology needs to be used to assure customers are interacting with the legitimate servers, and finally all network traffic needs to be monitored by devices such as IPS/IDS (Intrusion Prevention/Detection Systems)," points out Ahmad Kamali, director of network and information security development at ISP Etisalat.

Ferguson adds, "Encrypt all messages that go out and encrypt critical data on disk. This means that even if a hacker gets into your systems he will find only protected information.

Use coding best practices for your website and make sure you use the right techniques to avoid SQL injections, which account for a majority of attacks on sites. Also, put in place simple database security measures like providing access only on a need-to-know basis with least privileges. So if a user accesses a system for only reading a document, he cannot change it."

"A dedicated web application firewall (WAF) has to be adopted as a core part of these measures, as it is a proven technology that protects against new types of threats, which any web application will face almost daily.

Recent studies show that cross-site scripting, SQL injection and information leakage constitute more than 82% of these new threats, so critical action has to be taken to prevent these threats. Organisations have to do regular reviews of their security policies to ensure they are up to date and tuned to get optimum results," says Al'Khalil.

Coding principles

Experts emphasise that security of any online application should not be an afterthought, but an element that is considered from the very inception of the project. This is all the more crucial during the development phase of the particular application.

"Most of the successful attacks on web sites and servers are successful because the applications are not written securely. Unfortunately, there are organisations that believe that by having a firewall, they have taken care of all security issues. This perception needs to change," points out Etisalat's Kamali.


Smart adds, "App developers are not necessarily security experts and the reason we are in a mess globally is because of the sheer number of vulnerabilities found in websites today. It is because these apps and websites are developed primarily to generate revenue and to increase productivity. That is the key goal and very rarely does security actually make it into the planning or even the development phase."

Hammond says, "Securing the software development lifecycle (SDL) is key to improving the overall security posture of any web services architecture. This starts with ensuring that the processes and tools are in place, engineers are appropriately trained and a rigorous security testing cycle is implemented and executed by credible application security professionals. This includes a security code review, design review and also web service specific application penetration testing."

Experts point out that ensuring apps are built to be more secure not only improves the strength of any website, but can also prove to be much more cost effective in the long run for the organisation in question.

"Building security in the initial stages of an app's development can save huge amounts because this is essentially a much smaller percentage of cost than having to secure the same app retrospectively," says Smart.

Ferguson agrees, "It is actually far cheaper to build in security during the design phase rather than later, when you get a lot of time wasted and extra cost. Enough time should be given to the development of the app and the security elements, and it should not be a rushed process. When it is rushed to a deadline, the app comes online insecure."

Regional status

General apathy to better application coding principles remains a global problem, though many believe that it is changing. However, the region suffers from its own set of problems when it comes to enforcing an ideal security environment for web services.

"People in the Middle East still tend to trust physical level or physical premises type of security, which includes equipment. If they can see it, if it is there, they feel better; it is a very visible level of security. And if it is there, they feel they are protecting their users and apps," says Smart.

This remains one of the key reasons why security appliances sell more in the region than many other places in the world. Vendors however, believe that this attitude needs to change.

"At Trend Micro we have actually taken a step and started to migrate away from hardware-based appliances to virtual appliances, which are cheaper and easier to manage and give better performance in terms of facing new threats. Whether virtualisation, cloud computing, hosted services or security-as-a-service, enterprises need to really think about what they are moving out to the cloud.

While I can understand their concern in moving what they might consider as their crown jewels outside their environment, the best place to stop a threat is outside a particular network environment. There is no reason why you would let an intruder into your house if you can stop him before he gets in," explains Ferguson.

Smart also emphasises the need for regional organisations to consider security elements that analyse web traffic more minutely and detect application-based characteristics in the traffic, rather than remain satisfied with the current outdated traditional security mechanisms.

"One of the other real dangers to securing web apps remains complacency. People are finally beginning to understand how web threats work, organised crime is big business. However, organisations have to constantly keep on top of their game and promote awareness internally and among the customers that use their web services. Education put in place today is the strongest and best weapon that can be put in place against future attacks," states Ferguson.

The final say

Today's technologies enable organisations to develop stronger applications, build intelligent security layers on top of them and keep an eye on users and apps at all points of the network at all times.

However, as more enterprises catch onto the advantages of having an online presence and interacting with customers through the web, we are likely to see wider adoption of security methodologies and better formulation of policies to protect data and networks, a trend that will likely take off in 2010, provided the recession eases.

Points to consider with web services

1. Get apps regularly scanned - Subscribe to a service that will regularly scan and give you reports and make sure that people who are doing the scanning are also capable of understanding the constantly evolving threat landscape.

2. Encrypt data - If you store any customer data in any form make sure that it is encrypted on disk. So if you do get compromised then the only data that the attacker will find is encrypted data.

3. SQL aware - One of the most common compromise techniques that is used is SQL injection attacks. So review your SQL and website code and make sure it passes through a very thorough security review cycle and testing before it gets released. Make sure you peer review the code internally and test it for security flaws in terms of SQL coding before it goes live.

4. Encrypt communication - If you are communicating sensitive info with customers as an automated response out of your online system or as a human action based on transaction from the online system, then again make sure that that communication is encrypted.

5. Authentication - If you are handling people's personal, private or financial information one of the most important things that you can do as a company is prove that you can be trusted and generate a feeling of security around your business. And if you can offer your customers the comfort of two-factor or strong authentication then you should be doing that.

6. Build securely - If you choose to build apps internally then use coding best practices and give developers enough time in order to ensure that security is built into the app and that it is completely secure by the time it goes online.
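The SQL injection and least-privilege advice in Ferguson's quote earlier in the article and in point 3 above, shown as an added example that is not from the article or from any vendor it names. It uses Python's sqlite3 with a constructed customer table and a constructed probe string, and SQLite's query_only pragma stands in for the read-only database role a server RDBMS would grant.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny customer table.
SAMPLE_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
# Constructed probe string a reviewer feeds to both lookups during testing.
PROBE = "x' OR '1'='1"

def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def lookup_unsafe(conn, name):
    """Concatenates input into the SQL text, the flaw the article warns of:
    the probe string rewrites the WHERE clause and returns every customer."""
    sql = "SELECT email FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    """Bound parameter: the driver passes input as a value, never as SQL,
    so the same probe string simply matches no customer."""
    sql = "SELECT email FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def restrict_to_read_only(conn):
    """Least privilege for a read-only consumer via SQLite's query_only pragma
    (assumption: a server RDBMS would use a role granted SELECT only)."""
    conn.execute("PRAGMA query_only = 1")
    return conn

def try_update(conn):
    """True if a write went through, False if the connection refused it."""
    try:
        conn.execute("UPDATE customers SET email = 'x' WHERE name = 'alice'")
        return True
    except sqlite3.OperationalError:
        return False

def demo():
    """Run both lookups on the probe and both connections on a write."""
    return {
        "unsafe_probe": lookup_unsafe(make_db(), PROBE),
        "safe_probe": lookup_safe(make_db(), PROBE),
        "write_default": try_update(make_db()),
        "write_read_only": try_update(restrict_to_read_only(make_db())),
    }
```

The peer review the article asks for is the habit of rejecting any query shaped like lookup_unsafe and of handing read-only consumers a connection shaped like restrict_to_read_only.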
