The Report on Cyber Security and Web Application Security, Baburam Bohora. The open nature of the Internet exposes Nepalese web properties to attack from different locations and at different levels of scale and complexity.
Executive Summary
In this report, cybersecurity issues and web application security are discussed. The major cybersecurity issues, breaches, and their impact on individuals and institutions show that the rapid development of Information Technology brings both advancement and new vulnerabilities. At a time when data has become the most valuable asset the world over, the level of cybersecurity threats to enterprises and individuals in Nepal has risen.
Cyber threats develop at rapid speed. It is essential that all businesses and people in Nepal are aware of how to secure themselves from attacks and threats. The last couple of years have seen increasing incidents of cyber-attacks in Nepal orchestrated by foreign hackers, mainly in the banking and financial sectors, to steal money from ATMs and digital payment gateways.
The Nepal government is aware of these security issues and challenges. Currently, the new IT Bill 2075 introduces new draft rules for the ICT sector to regulate and manage emerging cyber threats, theft, social media crises, and other incidents. To reduce the consequences of security vulnerabilities, the ICT policy focuses mainly on the appropriate implementation of ICT policy to minimize criminal abuse.
The government is committed to securing all government websites and the IT infrastructure of the different government bodies, and to guiding web application security for private organizations. Web application security must be assessed by every company, which should use its resources to minimize business risk. Each governmental institution and business in Nepal that uses ICT is encouraged to undertake an individual risk assessment and to develop and implement a cybersecurity strategy that addresses the main risks for management and creates a secure environment.
Chapter I
Introduction to Cyber Security
1.1 Background
The exponential growth of internet interconnections in Nepal and all over the world has led to a significant increase in cyber-attack incidents, risks, and vulnerabilities, with disastrous, grievous, and hard-to-measure consequences. Malware is the primary weapon used to carry out malicious intents and attacks that steal data and information and gain unauthorized access in cyberspace, either by exploiting existing vulnerabilities or by abusing the unique characteristics of emerging technologies. Cyber threats develop at very high speed, which creates new challenges for the cybersecurity community in keeping valuable data, information, and resources away from unauthorized parties. It is essential to ensure that people and businesses in Nepal have access to regularly updated news about threats as well as best practices in defending against them. New patterns of attack and malware have emerged from technologies such as Artificial Intelligence (AI), cloud computing, social media, mobile phone technology, and critical infrastructure. The development of innovative and effective malware defense mechanisms is regarded as an urgent requirement by the cybersecurity community in Nepal and all over the world. Many of Nepal's governance issues require robust countermeasures to protect against attacks. To support this goal, we first need careful observation and research into the vulnerabilities of software, hardware, and the network layers.
1.2 Introduction
Nepal is in the process of digital transformation and the digitalization of all government services and infrastructure. Our society, economy, and critical infrastructure now depend primarily on computer networks and information technology solutions. Today, cyber-attacks are mostly transnational, and offenders act with a high degree of sophistication. Cyber-attacks become more attractive and potentially more disastrous as our dependence on information technology increases.
Cybercrime flourishes because it is cheaper, more convenient, and less risky than direct physical attacks. Attackers and cybercriminals need little beyond a computer and an internet connection. Cyber-attacks keep growing, and it has become more attractive to gain unauthorized access to the valuable data and information, both personal and organizational, that holds the vital records of operations integrated with computers and the internet. Each year many companies spend large amounts of money to protect themselves from cyber-attacks; if the time lost by companies recovering from cyber-attacks were included, the total cost would reach a staggering level.
Malware is the crucial weapon of most cyber attackers for carrying out malicious intents and breaching cybersecurity efforts in cyberspace. Malware may propagate through any device or equipment that contains embedded systems and computational logic, from end-user systems to servers and network devices. The emergence of new malware creates further threats to social media sites, cloud computing, healthcare systems, information systems, email (such as Gmail), and computer infrastructure.
1.3 Cyber Security
Cybersecurity is the set of safety measures taken to protect a computer or computer system on the internet against unauthorized access or attacks. As innovative and emerging technologies, their use, and our dependency on them increase, the possibilities for cyber threats and attacks by criminals increase equally. With the rise in cybercrime, people and organizations are now more concerned about cybersecurity.
Cybersecurity is concerned with understanding the issues surrounding diverse cyber-attacks and devising defense strategies that preserve the Confidentiality, Integrity, and Availability (CIA) of digital and information technologies. CIA is a guideline for the information security of individuals and organizations.
Confidentiality:
It ensures the privacy of data and information by restricting access through authentication and encryption.
Integrity:
It assures that the information is accurate, consistent, and trustworthy throughout the life cycle of the data.
Availability:
It ensures that the information is available to authorized parties when it is required.
1.4 Cyber Security situation in Nepal
The government of Nepal defined key priorities for the development of ICT in the 2015 National Information and Communication Technology policy. The ICT policy highlights the importance of building confidence and security.
In Nepal, the digital platform has developed rapidly with emerging technologies and innovative computer software and hardware. Nepal's government is providing all its services through computers and internet connections using modern technology. The emerging development of Information Technology in all private and government institutions creates vulnerabilities and calls for advances in risk assessment to stay safe from attacks.
In developing countries like Nepal, three areas have been identified as related to cybersecurity threats: (a) poor digital access, (b) institutional instability, and (c) regime instability. However, the cybersecurity policies formulated in Nepal still cannot address the cybersecurity threats and issues in the country. There is a lack of proper cyberlaw, and no effective implementation of the formulated rules and regulations to regulate the cybercrimes committed.
Nepal faces a general lack of skilled workforce, IT knowledge, policy, security awareness, and up-to-date, legal software, which has led to frequent spamming, phishing, and password piracy issues. It was found that the cost of risk minimization and security monitoring would be very expensive, which is the primary reason Nepalese institutions have not invested in security. Companies, government institutions, banks, and corporate houses are unwilling to invest fully in cybersecurity and in the use of genuine software unless they can realize immediate benefits. Because of the lack of security awareness among end users, parents, and adults, the risk of cybercrime keeps increasing. Many parents are unaware of their children's activities in cyberspace, which often include misusing social networks such as Facebook, Twitter, Instagram, Viber, TikTok, WhatsApp, etc. and sharing passwords, porn content, activities, and statuses without understanding the consequences.
1.5 Cyber Security issues in Nepal
Cybersecurity has many problems, which are not limited to the system or hardware. The essential cybersecurity topics in Nepal include various actions and practices arising from the lack of proper policy and awareness, where people fall victim to online and offline activity in cyberspace related to fraud, scandals, theft, etc.
The widespread use of the internet, globally and in Nepal, cannot be ignored. In terms of the total number of internet users, Nepal ranks 73rd in the world, following the development and advancement of the internet and technology. An enormous amount of data and information is shared on the internet daily, and this creates threats to every internet user. Cybercrimes are committed against individuals and institutions to cause physical, mental, or financial harm using telecommunication networks such as the internet.
The significant issues of cybersecurity faced in Nepal are:
- Banking frauds
- Hacking
- Cyberbullying
- Copyrights issues
- Denial of service attacks
- Identity theft
- Online violence against women
- Spam email marketing
- Phishing
- Revenge porn
- Online threats, intimidation and social media crises
- Child online protection
- Lack of standardization and proper policy
- Lack of awareness
Most of these issues have arisen due to users' lack of adequate knowledge and of the internet's core values.
1.6 The need for cybersecurity
Cybersecurity is not only concerned with systems, computers, and applications; it is also concerned with mitigating cybercrime and raising awareness of it.
Your data
Any information about you can be considered your data. This data can be the pictures and messages that you exchange with your family and friends online. Other information, such as your name, social security number, date and place of birth, and mother's or father's name, is known by you and used to identify you.
Your data and information can also be:
- Medical records
- Financial records
- Educational records
- Employment information
Individuals, as well as each organization and institution, have their own data and information, which can be:
- Traditional and historical data
- Internet of things and big data
1.7 Security breach in Nepal
Nepal faced around 800 cybercrimes in 2017, and since last year the rate of such crimes has been rising. Nepal is very new to terms like cyber-attacks and cybercrimes, and for many Nepalese the threat to cybersecurity has become one of the significant issues. Almost all governmental and non-governmental organizations rely on digital media to fulfil their regular tasks, but they are unaware of cyber-attacks and of the measures needed to secure themselves against them. Some of the significant cyber-attacks in Nepal are:
- Hacking of NIC Asia Bank
The NIC Asia Bank hacking case, which occurred on 18th October 2017 (1st Kartik 2074), has been revealed to be the result of carelessness by staff and management. The cybersecurity of the bank was too weak and handled carelessly. Cracked operating systems used on the bank's computers created more hacking possibilities and threats.
- Pokhara University computer hacked
The computer of the Pokhara University exam department was hacked. The hacker obtained thousands of students' data. This incident occurred on Tuesday, August 21, at 7 pm.
- Teenager who hacked 200 websites
The Kathmandu Metropolitan Police Crime Division arrested a teenager, Bikash Paudel (18) of Bandipur, on the charge of hacking over 200 official websites of governmental and non-governmental organizations.
Paudel had hacked the websites of the National Tuberculosis Centre, Nepal Telecom, the Dairy Development Corporation, and other institutions.
- Hackers' threats to government websites
After trouble and issues with government websites, hackers threatened attacks in 2017. The websites of the Home Ministry, the Public Service Commission, and other critical governmental bodies faced these issues.
Consequences of a security breach
The monetary cost of a breach is much higher than just replacing any lost or stolen devices, investing in existing security, and strengthening the building's physical safety. The company or institution may be responsible for contacting all the affected customers about the breach and may have to be prepared for litigation. Breaches also cause employees to leave the company, and the company needs to repair its reputation.
1.8 Finding security and vulnerabilities
Software and hardware vulnerabilities can be discovered by an attacker and exploited in attacks. The goal of an attack is to gain access to a system, to the data it hosts, or to a specific resource.
Software Vulnerabilities
Software vulnerabilities are usually introduced by errors in operating system or application code. Microsoft, Apple, and other operating system producers release patches and updates almost every day. Organizations often update applications such as web browsers, mobile apps, web servers, and operating systems. The goal of a software update is to stay current and avoid the exploitation of vulnerabilities.
Google's Project Zero is an excellent example of this practice of discovering vulnerabilities in software used by end users.
Hardware Vulnerabilities
Hardware design flaws can introduce hardware vulnerabilities. For example, it was discovered that, because of their physical proximity, repeated changes applied to one set of memory capacitors could influence neighbouring capacitors. Hardware exploits are more common in highly targeted attacks; traditional malware protection and physical security are sufficient protection for the everyday user.
Most software vulnerabilities fall into categories such as:
- Buffer overflow
- Non-validated input
- Race conditions
- Weakness in security practices
- Access-control problems
All access controls and security practices can be overcome if the attacker has physical access to the target equipment.
1.9 Types of Malware
Malware is short for malicious software: any code that can be used to steal data, bypass access controls, or cause harm to a system. It can be:
- Spyware
- Adware
- Bot
- Ransomware
- Scareware
- Rootkit
- Virus
- Trojan horse
- Worms
- Man-In-The-Middle(MitM)
- Man-In-The-Mobile(MitMo)
Malware infections produce different types of symptoms in a system, such as:
- Increase in CPU usage
- The decrease in computer Speed
- Computer freezes or Crashes often
- A reduction in web browsing speed
- Files are modified and deleted
- Presence of unknown files, programs or desktop icons
- Problems in network connections
Attackers discover and exploit vulnerabilities with the help of tools such as:
- Whois tool
- Nmap tool (port Scanner)
Besides malware, advanced persistent threats and denial-of-service attacks are used to infiltrate or disrupt systems, such as:
DoS Attack
A DoS attack results in an interruption of network service to users, devices, or applications. It takes two main forms:
- An overwhelming quantity of traffic
- Maliciously formatted packets
DDoS Attack
A Distributed DoS (DDoS) attack comes from multiple coordinated sources. An attacker builds a network of infected hosts, called a botnet. The infected hosts are called zombies. The zombie computers constantly scan for and infect more hosts, creating more zombies.
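As an added example (not code from the report), the following Python token-bucket limiter shows one mitigation for the "overwhelming quantity of traffic" form of DoS: every source address gets a sustained request rate plus a small burst allowance, and requests beyond that are dropped while other clients are unaffected. The source addresses, the rates, and the manual clock are constructed for the demonstration.

```python
import time


class FakeClock:
    """Constructed manual clock so the demonstration is deterministic and runs offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TokenBucketLimiter:
    """Per-source token bucket: `rate` requests per second sustained, bursts up to `capacity`."""
    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock
        self.buckets = {}  # source address -> (tokens, time of last refill)

    def allow(self, src):
        now = self.clock()
        tokens, last = self.buckets.get(src, (self.capacity, now))
        # Refill in proportion to elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)  # request dropped
        return False


def count_allowed(limiter, src, n):
    """Send n back-to-back requests from src and return how many got through."""
    return sum(1 for _ in range(n) if limiter.allow(src))


def demo():
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate=2.0, capacity=5, clock=clock)
    flood = count_allowed(limiter, "203.0.113.5", 100)    # burst: only the 5 stored tokens pass
    normal = count_allowed(limiter, "198.51.100.7", 1)    # an unrelated client is unaffected
    clock.advance(1.0)                                     # one second later, 2 tokens have refilled
    after_wait = count_allowed(limiter, "203.0.113.5", 100)
    return flood, normal, after_wait


if __name__ == "__main__":
    print(demo())  # (5, 1, 2)
```

Per-source limiting handles a single flooding client. A botnet of many zombies that each stay under the limit defeats it, which is why DDoS also needs upstream mitigation such as the DDoS mitigation services listed later in this report.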
Chapter II
Web Application Security
2.1 Web application Security
Web application security is essential to any business. It is the central component of any web-based company or institution worldwide, whose systems are accessed by a large number of users to reach information and data. Attacks from different locations create threats. Web application security deals with security surrounding websites, web applications, and APIs.
Some of the common web app security vulnerabilities are:
- Cross-site scripting (XSS)
- SQL injection (SQLi)
- DoS and DDoS
- Cross-site request forgery (CSRF)
- Data breach
Web applications are protected from exploitation by using up-to-date encryption, requiring proper authentication, continuously patching discovered vulnerabilities, and having a good software development process. Some of the techniques for protecting against attacks are:
- Web application firewall
- DDoS mitigation
- DNS security resolver
2.2 Web Application Security framework
Every individual and institution that owns a web application uses a web application security framework to scan for vulnerabilities and protect against attackers. Many open-source and commercial web vulnerability scanners are used to perform security checks on web applications. Some of the powerful web scanners are:
- Arachni
- XssPY
- W3af
- Nikto
- Wfuzz
- OWASP ZAP
- Wapiti
- Vega
- SQLmap
- Grabber
- Golismero
- OWASP Xenotix XSS
Arachni
Arachni is a feature-full, modular, high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of modern web applications. It is multiplatform, supporting all major operating systems such as Windows, Mac OS, and Linux, and is distributed via portable packages that allow immediate deployment. Some of the vulnerabilities that can be detected by Arachni are:
- NoSQL/Blind/SQL/code
- Path traversal
- Cross-site request forgery
- Response splitting
- Unvalidated DOM redirects
- Source code disclosure
W3af
W3af is a web application attack and audit framework. Its main goal is to provide a framework that helps you secure your web applications by finding and exploiting all web application vulnerabilities. It is capable of detecting more than 200 vulnerabilities, including the OWASP Top 10.
2.3 OWASP
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.
Insecure software is undermining our financial, healthcare, defense, electricity, and critical infrastructure. As complexity increases, security risk increases with it, making it more challenging to avoid risks effectively.
The roadmap for future activities as:
- Don’t stop at top 10
- Constant change
- Think positive
- Use tools wisely
- Push left right and everywhere
2.4 OWASP Top 10
With the development of innovative technologies over the last few years, the underlying technology and architecture of applications have changed significantly. As this change has accelerated, the OWASP Top 10 has been refactored to work with new processes and communities to secure against risks.
Attackers can potentially use many paths through your application to exploit vulnerabilities and risks that harm the business or organization. Each path can be associated with a threat agent, an attack vector, and a security weakness.
Figure: The application risks paths.
The OWASP Top 10 focuses on identifying the most severe web application security risks for a broad array of organizations.
- Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. A vulnerable scenario looks like:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
- Broken Authentication
The authentication and session management functions of an application are often implemented incorrectly, which helps attackers to exploit passwords, keys, and session tokens in order to assume a user's identity.
The attack scenario:
Using a list of known passwords is a conventional attack. If an application does not implement automated threat or credential stuffing protections, the app can be used as a password oracle to determine whether a set of credentials is valid.
- Sensitive Data Exposure
Many web applications and APIs do not adequately protect sensitive data, such as financial, healthcare, and PII data. Where there is no encryption and no precautions, attackers can compromise this data to commit credit card fraud, identity theft, or other crimes.
An attack scenario:
An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to recover credit card numbers in clear text.
- XML External Entities (XXE)
In XXE, external entities can be used to disclose internal files using the file URI handler, reach internal file shares, perform internal port scanning, achieve remote code execution, and mount DoS attacks.
A scenario in which an attacker attempts to extract data from the server:
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///abc/password">]>
<foo>&xxe;</foo>
- Broken Access Control
Attackers can exploit these flaws to access unauthorized functionality and data, such as other users' accounts, sensitive files, or the ability to change access rights.
An attack scenario is an application that uses unverified data in a SQL call which accesses account information:
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
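To make the Injection and Broken Access Control items concrete, here is an added Python example (not code from the report) using the standard library's sqlite3 module over a constructed accounts table. It shows the injection that the Injection item's String query allows (string concatenation), the parameterized form that fixes it, and why, for the Broken Access Control item, binding the acct parameter alone is not enough: the query must also check that the authenticated user owns the account. The table, column names, users, and the tampered input are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory accounts table (sample data, not from the report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 75)],
    )
    return conn


def lookup_vulnerable(conn, acct):
    """Injection: the request parameter is spliced into the SQL text, as in the report's String query."""
    query = "SELECT acct, owner, balance FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, acct):
    """Hardened against injection: a bound parameter is always treated as data, never as SQL."""
    return conn.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct=?", (acct,)
    ).fetchall()


def lookup_authorized(conn, current_user, acct):
    """Hardened against broken access control too: the query also checks ownership, so a
    logged-in user cannot read someone else's account just by changing the acct parameter."""
    return conn.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct=? AND owner=?",
        (acct, current_user),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"  # constructed hostile value for the id parameter
    print(lookup_vulnerable(db, tampered))         # all three rows leak
    print(lookup_parameterized(db, tampered))      # []
    print(lookup_authorized(db, "alice", "1002"))  # [] : account 1002 is bob's, not alice's
```

The ownership check belongs in the query (or in the data layer) rather than in the page that renders the result, so that every code path that reaches the table enforces it.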
- Security Misconfiguration
It is commonly the result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. A scenario:
A cloud service provider has default sharing permissions open to the internet and to other CSP users, allowing sensitive data stored within cloud storage to be accessed.
- Cross-site Scripting (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.
- Insecure deserialization
It often leads to remote code execution; deserialization flaws can also be used to perform attacks including replay attacks, injection attacks, and privilege escalation attacks.
Applications and APIs are vulnerable when they deserialize hostile or tampered objects supplied by an attacker.
- Using components with known vulnerabilities
Such software components run with the same privileges as the application, so if a vulnerable component is exploited, the attack can cause serious data loss or a server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
An application is vulnerable if it does not secure the components' configuration.
- Insufficient logging and monitoring:
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to attack systems further, maintain persistence, and extract or destroy data.
A vulnerable scenario:
An attacker scans through the list of users with a single common password, then takes over every account that uses it.
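The Broken Authentication item (password lists and credential stuffing) and the Insufficient Logging item (one common password tried against many users) are two sides of the same problem: the application must both limit the attempts and notice the pattern in its logs. The following added Python example (not code from the report) parses a constructed login log, flags a source that fails against many distinct accounts and lists which of those accounts it subsequently logged into, and separately computes a per-account lockout from consecutive failures. The log format, addresses, and usernames are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the report). Addresses come from
# documentation ranges; the format is a simplified web/SSH login log.
SAMPLE_LOG = """\
2024-01-10T09:00:01 login FAILED user=alice src=203.0.113.5
2024-01-10T09:00:02 login FAILED user=bob src=203.0.113.5
2024-01-10T09:00:03 login FAILED user=carol src=203.0.113.5
2024-01-10T09:00:04 login FAILED user=dave src=203.0.113.5
2024-01-10T09:00:05 login FAILED user=erin src=203.0.113.5
2024-01-10T09:00:06 login OK user=erin src=203.0.113.5
2024-01-10T09:01:00 login FAILED user=alice src=198.51.100.7
2024-01-10T09:01:30 login FAILED user=alice src=198.51.100.7
2024-01-10T09:02:00 login OK user=alice src=198.51.100.7
2024-01-10T09:05:00 login OK user=bob src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_spraying(events, min_distinct_users=4):
    """Flag sources whose failures span many distinct accounts (one password, many users).

    Returns {src: {"distinct_users": n, "compromised": [users that later logged in OK]}}.
    """
    failed_users = defaultdict(set)
    success_after_failure = defaultdict(set)
    for ev in events:
        src, user = ev["src"], ev["user"]
        if ev["result"] == "FAILED":
            failed_users[src].add(user)
        elif user in failed_users.get(src, ()):
            success_after_failure[src].add(user)
    return {
        src: {
            "distinct_users": len(users),
            "compromised": sorted(success_after_failure.get(src, ())),
        }
        for src, users in failed_users.items()
        if len(users) >= min_distinct_users
    }


def accounts_to_lock(events, max_failures=3):
    """Per-account lockout: consecutive failures reset on success; return accounts that hit the limit."""
    run = defaultdict(int)
    locked = set()
    for ev in events:
        user = ev["user"]
        if ev["result"] == "FAILED":
            run[user] += 1
            if run[user] >= max_failures:
                locked.add(user)
        else:
            run[user] = 0
    return sorted(locked)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(detect_spraying(evs))   # {'203.0.113.5': {'distinct_users': 5, 'compromised': ['erin']}}
    print(accounts_to_lock(evs))  # ['alice']
```

Note that the spraying source stays under any per-account threshold (one failure per user), which is why the per-source view is needed as well. A per-account lockout, on the other hand, can itself be abused to lock real users out, so production systems usually combine it with per-source throttling and an alert rather than relying on lockout alone.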
2.5 Damn Vulnerable Web Application (DVWA)
DVWA is coded in PHP/MySQL. It is deliberately vulnerable, and in this app security professionals and ethical hackers test their skills and run their tools in a legal environment. It helps web developers better understand the process of securing web applications in a safe environment, and lets them practice the most common web vulnerabilities at different difficulty levels. Benefits of DVWA:
- For ethical hacking, it is the best platform for advanced users to sharpen their skills.
- Simple to install
- It runs in your local environment, and it's legal
DVWA has many web vulnerabilities and four different levels of security that gives a challenge to the attacker. These security levels as:
- Impossible
- High
- Medium
- Low
In DVWA we can test various kinds of vulnerabilities
- Brute force
- Command injection
- File upload
- Insecure captcha
- SQL injection blind
- Weak session
2.6 KALI Linux
Kali Linux is a Debian-based Linux distribution for advanced penetration testing and security auditing. It is the successor of BackTrack Linux and is designed for digital forensics and penetration testing.
Kali Linux is an open source project. It has over 600 preinstalled tools used for hacking, so we don't need to install them ourselves.
Some of the favorite tools in KALI Linux are:
NMAP
Network Mapper is a security scanner. It helps in building a complete map of the network.
ARMITAGE
It is free and open source. It is a Metasploit project contributing to red team collaboration by allowing shared session data.
WIRESHARK
It is a packet analyzer, available with a graphical interface and as a CLI version. It uses pcap to capture packets.
JOHN THE RIPPER
It is a password cracking tool; it is also available for many flavors of UNIX, Windows, DOS, and OpenVMS.
BURP SUITE
It is an interception proxy tool; while browsing the target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server.
Now we know that Kali Linux is loaded with some great tools in its arsenal, which can be used in penetration testing as well as in hacking. So, Kali Linux has developed its framework with great responsibility.
2.7 Email and web browser privacy
Our daily messages, emails, and communications pass through different servers along their route. Anyone with physical access to your computer devices or router can view your websites and online activities from the browser history, cache, and log files. This can be minimized by using a private browsing mode, such as an incognito window, which discards cookies and temporary internet files.
2.8 Firewall
A firewall is designed to control, or filter, which communications are allowed into a device or network and which are allowed out of it.
Over the years, new types of firewall have been developed which serve different purposes in protecting the network:
- Network layer firewall
- Transport layer firewall
- Application layer firewall
- Context-aware firewall
- Proxy firewall
- Reverse proxy firewall
- Network address translation firewall
- Host-based firewall
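To show what the network-layer and transport-layer firewalls in this list actually do, here is an added Python example (not code from the report): a small first-match packet filter that evaluates a rule list against a packet's direction, protocol, source/destination network, and destination port, and falls back to a default-deny policy when nothing matches. The office network, the web server address, and the probe packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" or "out"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it constrains agrees with the packet."""
    return (
        rule.direction == pkt.direction
        and rule.proto in ("any", pkt.proto)
        and ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and rule.dport in (None, pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation: the first matching rule decides; otherwise the default applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed policy for a hypothetical office LAN 10.0.0.0/24 with a web server at 10.0.0.10.
POLICY = [
    Rule("allow", "in", "tcp", "0.0.0.0/0", "10.0.0.10/32", 443),   # public HTTPS to the web server
    Rule("deny", "in", "tcp", "0.0.0.0/0", "10.0.0.0/24", 23),      # telnet is never accepted
    Rule("allow", "in", "tcp", "10.0.0.0/24", "10.0.0.0/24", 22),   # SSH only from inside the LAN
    Rule("allow", "out", "any", "10.0.0.0/24", "0.0.0.0/0", None),  # LAN hosts may initiate outbound
]


def check_policy(rules=POLICY):
    """Evaluate a handful of constructed packets and return their verdicts by name."""
    probes = {
        "https_from_internet": Packet("in", "tcp", "203.0.113.5", "10.0.0.10", 443),
        "ssh_from_internet": Packet("in", "tcp", "203.0.113.5", "10.0.0.10", 22),
        "ssh_from_lan": Packet("in", "tcp", "10.0.0.20", "10.0.0.10", 22),
        "telnet_from_lan": Packet("in", "tcp", "10.0.0.20", "10.0.0.10", 23),
        "dns_outbound": Packet("out", "udp", "10.0.0.20", "192.0.2.53", 53),
    }
    return {name: evaluate(rules, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:22s} {verdict}")
```

Rule order matters in a first-match filter: the explicit telnet deny sits before the LAN-to-LAN allow so that it cannot be shadowed, and the closing default of deny is what makes an unlisted service (SSH from the internet here) fail closed rather than open. A stateful or application-layer firewall adds connection tracking and payload inspection on top of this same matching step.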
2.9 Security appliances
Security appliances can be stand-alone devices like a router or firewall, a card installed into a network device, or a module with its own processor and cache memory. Some security appliances are:
Routers: Cisco integrated services router (ISR) includes IPS, VPN, and encryption
IPS: Cisco next-generation IPS devices
VPN: secure encryption tunneling
Malware/Antivirus: Cisco advanced malware protection (AMP)
2.10 NIST
The National Institute of Standards and Technology has developed a cybersecurity framework. The NIST Framework focuses on using business drivers to guide cybersecurity activities and on considering cybersecurity risks as part of the organization's risk management processes. The NIST Framework provides a common organizing structure for multiple approaches to cybersecurity by assembling standards, guidelines, and practices that work effectively in the current environment.
References
https://www.owsap.com
https://www.netcad.com
https://www.kali.org
Prepared By:
Baburam Bohora
Prime College, BIM 8th Semester