Scanning a Content Management System
Samuel Warren
IS468 – Tools and Techniques
Matthew Pennington
March 10, 2012
Executive Summary
The need to scan systems is undeniable. As the Internet blossomed and grew, the vulnerabilities associated with Internet technologies increased exponentially. While there are a number of applications that need to be scanned, the Content Management System (CMS) is a newer application that has grown by leaps and bounds. This explosion has brought with it a host of problems. Protecting the CMS is a task that can be done internally, using tools like Nessus and SQLMap, or externally by using a service such as WhiteHat Security. Ensuring that the developers of the website comply with the standards and processes set up by the organization, as well as maintaining Sarbanes-Oxley and PCI (if applicable) compliance, should be at the forefront of all compliance-related efforts.
Introduction
In every great Dark Ages legend, there is a story about a knight. Usually that knight wears a suit of armor, typically made of steel and chainmail. There were positives and negatives to wearing a suit of armor. The positives included protection from arrows, swords, and other lightweight weapons of war; when the soldier fought, he had a higher likelihood of coming home in one piece. The biggest negative was the lack of mobility. In open combat, the weight of all the armor slowed the knight to the point that he became easily overtaken. However, the sheer number of attackers needed to defeat a knight, combined with his training and the agility he developed while wearing armor, made the knight one of the most feared tools in any commander’s war chest. In the war on cyber-crime, the organization has a new knight. Corporate security, both physical and virtual, creates the new armor to protect the corporate entity. Unlike past suits of armor, the protection it provides is not only about blocking attacks, but also about managing potential weaknesses in the armor.
The major issue with the suit of armor is clearly explained in the 1991 film “Robin Hood: Prince of Thieves.” When pressed, Kevin Costner’s character, Robin of Locksley, says, “They’ve got armor Bull? Even this boy can be taught to find the jinx in every suit of armor” (Reynolds). The organization’s armor has “jinxes” in it, too. The jinxes come in all shapes and sizes, from Cross-Site Scripting attacks to Man-in-the-Middle attacks, to pure and simple espionage. While there is no fool-proof way to completely secure an organization’s information and remain effective as a business, there is a need to find a way to mitigate the holes.
The Need to Scan and Protect Content Management Systems (CMS)
When the Internet was first developed, its capability was very limited. Simple text was the name of the game. As capabilities changed and bandwidth increased, developing what is now called a “web page” was complicated. A special language was specifically designed in order to code a web page, and adding a page was especially time consuming and complex to get right. As that changed, the Internet began to grow and transform at a tremendously rapid rate.
The Internet continues to evolve, enabling people across the globe to communicate and send huge files in real time. The lack of a central authority controlling it helps the Internet to flourish rapidly, aided in great part by technological advancements. (Fuller, 2011)
Unfortunately, the same thing that helped the Internet grow also became the primary enabling factor for would-be criminal hackers. Hacking is nothing new; the first hackers were those who wanted to improve their device or system to make it work more efficiently or give them more control. Nevertheless, criminal hacking has proliferated in the late 20th and early 21st centuries due primarily to the lack of centralized control and authority. As the technologies expanded, so, too, did the methods of the criminal hackers. All the new systems that were created to make publishing to the Internet easier also created additional loopholes. A good example is the Cross-Site Request Forgery (CSRF) attack; it uses the victim’s own system to exploit the trust between the browser and websites the victim recently visited.
One of the more recent technologies is the Web Content Management System (CMS or WCMS). Starting to grow in the mid-1990s (Laminack, 2008), they grew very quickly to adapt to the challenges and much-needed flexibility of the Internet at the time.
This allowed people to upload photos, write stories, and made web pages much more interesting. In those days, everyone wrote their own. This was the dawn of the custom CMS. Then some people started commercializing their CMSs and building businesses that sold and supported CMSs. (Laminack, 2008)
Today, the number of CMSs on the market is in the thousands. They range from proprietary systems developed by large organizations, such as Microsoft, to open-source, community-driven CMSs like “Drupal” or “Joomla.” Each of these CMSs has benefits and drawbacks. None of them is completely secure. Their vulnerabilities are as different as their coding languages. However, the need to secure them is very real. As CMS platforms become more robust, allowing for form creation, forums, or live chats, the vulnerabilities of this middle-layer application, and ultimately of the databases it feeds into, need to be scanned for and protected against with increasing earnestness. As mentioned previously, there is no 100% foolproof way to protect any system while remaining vigorous and flexible, although one can limit the possible holes (vectors). By protecting completely what can be protected, the security professionals are then able to focus only on those areas that are known vulnerabilities. Therefore, a two-front counter-assault should be launched to find and eliminate as much vulnerability as possible. One front should be tool-oriented; the second should be focused on changing the processes and standards used to publish and extend CMS platforms beyond their base (vanilla) install.
Front One: Recommended tools
There are several recommended tools that can be used to protect a system, as well as trusted partner companies that will scan the system on the organization’s behalf and report back the results.
Nessus Scanner by Tenable
Nessus is a network and application-scanning tool that enables the system administrator to scan the network for vulnerabilities in three separate classifications, as well as see the number of open network ports.
Nessus 5.0 features high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization. (Tenable Network Security)
This tool is full-featured and easy to use. After a network scan, it gives a comprehensive report on what the vulnerabilities were, how they were classified (high, medium, or low), and how to mitigate them, where a fix is available. Another very handy feature: Nessus provides a list of open ports. Open ports are as dangerous as having no security whatsoever; they give direct access into the network and provide attackers with a staging point for any other application attacks. Using Nessus in a CMS environment is simple. Just scan the host IP of the CMS platform and it will list all the vulnerabilities of the applications associated with that host IP.
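As an added example (not part of the paper and not Tenable’s code), the script below triages a Nessus export the way the paragraph describes reading the report: severity counts, the open-port list, and a worst-first fix list for the CMS host. The export is a constructed `.nessus` v2 fragment; the host address, the 9000xx plugin IDs and their names are made up for the example, while 11219 is the real “Nessus SYN scanner” plugin that reports open ports.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed .nessus v2 export for one CMS host (TEST-NET address). The
# 9000xx plugin IDs, names and solutions are made up for this example;
# plugin 11219 is the real SYN scanner that records open ports.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="cms-scan">
<ReportHost name="192.0.2.10">
<ReportItem port="80" protocol="tcp" severity="0" pluginID="11219" pluginName="Nessus SYN scanner"/>
<ReportItem port="443" protocol="tcp" severity="0" pluginID="11219" pluginName="Nessus SYN scanner"/>
<ReportItem port="22" protocol="tcp" severity="0" pluginID="11219" pluginName="Nessus SYN scanner"/>
<ReportItem port="80" protocol="tcp" severity="3" pluginID="900001" pluginName="CMS core out of date (constructed)">
<solution>Upgrade the CMS core to the vendor's current release.</solution></ReportItem>
<ReportItem port="443" protocol="tcp" severity="2" pluginID="900002" pluginName="Weak TLS cipher suites (constructed)">
<solution>Disable weak cipher suites in the web server configuration.</solution></ReportItem>
<ReportItem port="0" protocol="tcp" severity="1" pluginID="900003" pluginName="ICMP timestamp disclosure (constructed)"/>
</ReportHost></Report></NessusClientData_v2>"""

SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

def triage(nessus_xml, host):
    """Summarise one ReportHost: severity counts, open ports, and a
    worst-first list of (severity, port, plugin name, solution)."""
    root = ET.fromstring(nessus_xml)
    counts, ports, findings = Counter(), set(), []
    for rh in root.iter("ReportHost"):
        if rh.get("name") != host:
            continue
        for item in rh.iter("ReportItem"):
            sev, port = int(item.get("severity", "0")), int(item.get("port", "0"))
            if port:  # port 0 marks a host-level finding, not a listener
                ports.add((port, item.get("protocol")))
            if sev == 0:
                continue  # informational items only feed the port list
            counts[SEVERITY[sev]] += 1
            solution = item.findtext("solution", default="(no fix published)")
            findings.append((sev, port, item.get("pluginName"), solution))
    findings.sort(key=lambda f: -f[0])  # highest severity first
    return counts, sorted(ports), [(SEVERITY[s], p, n, x) for s, p, n, x in findings]

if __name__ == "__main__":
    counts, ports, findings = triage(SAMPLE_NESSUS, "192.0.2.10")
    print("severity counts:", dict(counts))
    print("open ports:", ports)
    for sev, port, name, fix in findings:
        print(f"[{sev}] port {port} {name}: {fix}")
```

Findings with no published solution are kept in the list and flagged, since those are the ones that need a process fix rather than a patch.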
SQLMap
SQLMap is an open-source tool used to find SQL injection points. It enables the system administrator to run a few simple commands and completely exploit an SQL injection point. According to SQLMap’s site,
It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections. (SourceForge)
SQLMap provides a platform for ad hoc scanning and, depending on the vulnerability, will give varied levels of injection into the database and varied levels of access to information. This tool is especially helpful if the database(s) behind the CMS platform are using SQL.
Scanning as a Service
Another option is to use a third party to scan the CMS platform for vulnerabilities. One such service provider is WhiteHat Security.
Founded in 2001 by Jeremiah Grossman–a former Yahoo! information security officer–WhiteHat combines a revolutionary, cloud-based technology platform with a team of leading security experts to help customers in the toughest, most regulated industries, including e-commerce, financial services, information technology, healthcare and more. (WhiteHat Security, 2012)
WhiteHat sets up a schedule for when to run the scan, then gathers the results and provides a comprehensive report of vulnerabilities that need to be corrected within a specific timeline. The best part of this service is that it also provides the scanning needed to maintain PCI compliance, so if the organization has the finances to spend on WhiteHat’s services, it has a powerful ally to help fix the “jinxes” in its armor.
Front Two: Processes and standards
Scanning the CMS for vulnerabilities is just the beginning of correcting the problem. If the processes and standards used in the organization cause a relapse of the vulnerabilities, then the tools are wasted resources. From the managers down to the Internet developer, there is a real need to follow standards that remove as many of the vulnerabilities as possible. By following such standards and taking the time to practice smart coding, an organization can greatly limit the vulnerabilities that it produces. With respect to the aforementioned Content Management System, this involves creating new templates, modules, or plug-ins that follow the standards set forth. A good place to start is the World Wide Web Consortium’s (W3C) standards for web development.
Most W3C work revolves around the standardization of Web technologies. To accomplish this work, W3C follows processes that promote the development of high-quality standards based on the consensus of the community. W3C processes promote fairness, responsiveness, and progress, all facets of the W3C mission. (World Wide Web Consortium)
By building standards that make sense to the organization, the web developers have the leverage to push back on other groups who are asking for Internet-related things that do not meet the standards. There should also be an appeal process in place to allow current standards to be revised as technology changes.
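An added example (not from the paper or from any CMS project) tying the SQLMap section above to the coding standard this section calls for: a CMS plug-in search function written with string concatenation, the defect a tool like SQLMap reports, beside the parameterized form a coding standard should require. The `articles` table and its rows are constructed for the example, using Python’s built-in sqlite3 as a stand-in for the CMS database.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for a CMS articles table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Welcome", "published"),
        (2, "Q3 financials", "published"),
        (3, "Draft: merger memo", "draft"),   # must never be visible to the public
    ])
    return db

def search_vulnerable(db, term):
    """The defect: the request parameter is pasted into the SQL text, so a
    quote in 'term' ends the string and the rest is executed as SQL."""
    sql = ("SELECT id FROM articles WHERE status = 'published' "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql).fetchall()]

def search_parameterized(db, term):
    """The standard: 'term' travels as a bound value; the driver never
    treats it as SQL, whatever characters it contains."""
    sql = "SELECT id FROM articles WHERE status = 'published' AND title LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",)).fetchall()]

def compare(term):
    """Run one search term through both versions; return the ids each yields."""
    db = make_db()
    return search_vulnerable(db, term), search_parameterized(db, term)

if __name__ == "__main__":
    # A normal search behaves identically in both versions.
    print("Welcome ->", compare("Welcome"))
    # A scanner's tautology probe: the concatenated version drops the
    # status filter and leaks the draft; the parameterized one returns nothing.
    print("probe   ->", compare("' OR 1=1 --"))
```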
The Continuing Impact of Sarbanes-Oxley
For a publicly traded organization, one major element to consider is the impact of the Sarbanes-Oxley Act (SOX). Specifically, sections 302 and 404 deal directly with web development.
These sections require that the CEO and CFO of an organization certify and assert to stakeholders that the financial statements of the company and all supplemental disclosures are truthful and reliable, and that management has taken appropriate steps and implemented controls to consistently produce reliable financial information to its stakeholders (Section 302). The company’s external auditor must report on the reliability of management's assessment of internal control (Section 404). (Imperva, 2009)
Where this comes in, especially for web-based organizations, is ensuring the financials are clearly shown on the website and easily accessible. Add to that the requirements of section 404, which requires external audits to also appear on the web. Following the aforementioned standards will make any audit less painful. Creating processes and policies around a set of standards, as well as regularly evaluating any changes to SOX, will secure organizational compliance. As the Internet continues to evolve and grow, the laws governing certain types of transactions will change. It is, therefore, critical that the organization keep pace with those changes in order to secure its place on the Internet.
References
Fuller, M. (2011, June 09). The Evolution of the Internet and its Meteoric Rise. Retrieved from Techwrench.com: http://www.techwench.com/the-evolution-of-the-internet-and-its-meteoric-rise/
Imperva. (2009). Implementing Sarbanes-Oxley Audit Requirements. Retrieved from Imperva.com: http://www.imperva.com/docs/WP_SOX_compliance.pdf
Laminack, B. (2008, November 14). A Brief History of Content Management Systems. Retrieved from Brent Laminack’s Personal Site: http://laminack.com/2008/11/14/a-brief-history-of-content-management-systems/
Reynolds, K. (Director). (1991). Robin Hood: Prince of Thieves [Motion Picture].
SourceForge. (n.d.). sqlmap: automatic SQL injection and database takeover tool. Retrieved from sourceforge.net: http://sqlmap.sourceforge.net/
Tenable Network Security. (n.d.). Nessus 5.0 is here. Retrieved from tenable.com: http://www.tenable.com/products/nessus?_kk=nessus%20scanner&_kt=9b03f8a7-8e0a-4eb4-bcaf-fc0d14045e85&gclid=CLH3g5uM3a4CFQcFRQodTBjqWw
WhiteHat Security. (2012). About WhiteHat Security. Retrieved from Whitehatsec.com: https://www.whitehatsec.com/abt/abt.html
World Wide Web Consortium. (n.d.). About W3C Standards. Retrieved from W3C.org: http://www.w3.org/standards/about.html