Internet and Web Application Attacks - an Overview of Protection Measures

Due to our reliance on online services for day-to-day activities, greater emphasis is placed on the network, server, and application security layers that protect against attacks which may impact an application's availability to users. From a high-level perspective, we will list and review security strategies that increase the likelihood of protection should an application attack be launched against a company. Technologies are constantly evolving, and new and improved techniques are always available to add to your strategy; however, attackers tend to stay a step ahead. This article covers general rules of thumb, assuming that patching and routine maintenance are practiced and that stale, aged, or unsupported operating systems, applications, and services are not allowed to participate in production-grade networks and datacenters.

Physical Security

As usual, all core IT equipment should be contained in a dedicated service room, which most call a "data closet" or "data room," whereas larger circuits and compute resources live in a "datacenter." Social engineering may lead to an attack attempt, or to a way to fool security guards or front desk receptionists into allowing unauthorized personnel to access equipment. Such data or network closets/rooms should be protected with lock and key, with access limited to authorized personnel. Network equipment is also housed in its own racks/cabinets, and access to wiring is controlled by wiring or "patch panels" that extend circuits to other devices. Physical access to equipment can compromise security.
  1. Keep equipment locked in their cabinets, allowing authorized personnel only!
  2. Isolate cables such as electrical and circuits in wiring management troughs, eliminating the ease of tracing lines to/from devices.
  3. Keep Power Distribution Units (PDUs) and all electrical connections and circuit breakers locked to eliminate the potential for accidental or malicious disconnection of network equipment from its electrical sockets; if PDUs are managed, strong security practices should also be implemented for them.
  4. Secure both electrical and network circuits connected to equipment to eliminate an "easy tug" of cables to unplug or disconnect cables from network equipment.
  5. Leverage surveillance cameras, alarms, and alerts when activity is detected in the data room.
  6. Leverage an "out of band" management server to allow yourself access to a console management port.

Internet Service Provider (ISP) 

Border router security is often the first layer of connectivity between a private organization and the public Internet, and the border router often participates in some form of routing redundancy and circuit availability.
  1. Protect the network border from traffic that should not exist on the Internet. Network engineers usually call this a "bogon" (bogus) Access Control List (ACL). Its purpose is to filter fake or private source IP addresses and allow only publicly routable traffic to and from the Internet.
  2. Filter routes so that only existing routes are announced to the service providers; non-existent paths should never leak or accidentally become reachable through your organization's circuits and routers.
  3. Enable reverse path forwarding (RPF) checks, where traffic is evaluated for the existence of a return path to its source before it is allowed entry, so that spoofed sources are dropped.
  4. Protect routing protocol peering with encrypted/hashed passphrases so that routing cannot be hijacked, altered, or misrouted by rogue devices and actors.
  5. Filter abnormal packets in either direction. Inspect traffic to ensure IP packets are within the range their specifications allow. Some IP packets, known as "fragments," may arrive smaller than their specified range and should be denied entry.
  6. Protect the control and data planes of routers and switches by disabling IP redirects, restricting Internet Control Message Protocol (ICMP) "ping" reachability messages used for ICMP probing, and limiting or restricting IP options (record-route, timestamp, source-route, etc.). Disable proxy Address Resolution Protocol (ARP) and IP redirects (which advertise that a better route may exist for a target host) and limit Time to Live (TTL) values within your internal network. Unless necessary, IP-directed broadcasts should also be disabled to deter traffic-amplification attacks that use broadcast messages on a target network.
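To make items 1 and 3 concrete, here is an added example (not code from the original article or any router vendor) that applies a bogon source filter and a strict reverse-path check to a few constructed packets. The bogon list, the routing table, and the interface names "inside" and "uplink" are assumptions made for the example; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for real public allocations.

```python
"""Border-router ingress checks: bogon source filtering (item 1) and a strict
reverse-path-forwarding check (item 3). Illustrative Python, not router code."""
import ipaddress

# Address space that has no business appearing as a source on the public
# Internet. Constructed from RFC 1918 / RFC 6890 special-purpose ranges;
# a production bogon list comes from a maintained feed. Two documentation
# ranges (203.0.113.0/24 and 198.51.100.0/24) are deliberately left out
# because they stand in for real public allocations below.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# Hypothetical routing table of the border router: prefix -> egress interface.
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "inside",  # the organization's own block
    ipaddress.ip_network("0.0.0.0/0"): "uplink",       # default route to the ISP
}


def route_interface(addr):
    """Longest-prefix lookup: the interface the router would use to reach addr."""
    best = None
    for prefix, iface in ROUTES.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def ingress_check(src, ingress_iface):
    """Return (verdict, reason) for a packet with source src seen on ingress_iface."""
    addr = ipaddress.ip_address(src)
    if any(addr in p for p in BOGON_PREFIXES):
        return "drop", "bogon source"
    expected = route_interface(addr)
    if expected is None:
        return "drop", "no route back to source"
    if expected != ingress_iface:
        # Strict uRPF: the return path must leave via the interface the packet came in on.
        return "drop", f"rpf failure (route to source points at {expected})"
    return "permit", "ok"


# Constructed sample packets: (source address, interface they arrived on).
SAMPLE_PACKETS = [
    ("198.51.100.7", "uplink"),   # ordinary Internet host
    ("10.1.2.3", "uplink"),       # private source leaking in from the Internet
    ("203.0.113.5", "uplink"),    # our own address arriving from outside: spoofed
    ("203.0.113.5", "inside"),    # same address on the inside: legitimate
]


def filter_packets(packets=SAMPLE_PACKETS):
    """Apply ingress_check to each packet and return the verdict rows."""
    return [(src, iface, *ingress_check(src, iface)) for src, iface in packets]


if __name__ == "__main__":
    for src, iface, verdict, reason in filter_packets():
        print(f"{src:>14} on {iface:<6} -> {verdict:<6} {reason}")
```

The strict check is appropriate on a single-homed border; on multi-homed edges with asymmetric routing, the loose variant (any route to the source exists) avoids dropping legitimate traffic.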

Firewall Security

The most commonly deployed firewalls today are Next Generation Firewalls (NGFW). This platform adds further layers of security by identifying the "type of traffic" within a particular application, or a subset of a specific traffic type, for visibility and policy control. For example, there are many types of web traffic, and an NGFW can assign an Application ID (AppID) to certain kinds of web traffic, such as file storage sites, webmail, and chat, to list a few. Let's review a few firewall best practices.
  1. Associate each firewall interface with "zones," then apply specific network interfaces and networks behind the zone so that you may prevent spoofing or access through a firewall from a new or spontaneous unauthorized network. It's also a good idea to avoid "free-flow" traffic from different interfaces that are assigned to the same firewall zone so that you may control such traffic with explicit rules.
  2. Leverage specific Network Address Translations (NAT), inbound or outbound, as necessary. Don't automatically create "two-way" NATs unless driven by a business case.
  3. Use explicit ports for all inbound or outbound traffic rules for either TCP or/and UDP segments. Avoid unnecessary ports and IP ranges, eliminate guesswork. Examine the firewall logs during validation, determine necessary, and apply as needed.
  4. Leverage AppID in your rules for an additional layer of security. Specifically, add the type of application IDs to specify a specific sub-type of applications, allowing that extra layer of precision for traffic types under your ports.
  5. Prevent Internet access from servers or peripherals, network devices, or appliances that do not need Internet access. If necessary, allow such devices access to the Internet with specific rules that leverage URL whitelists, destination IP addresses, specific ports, and application ID. Always apply a Data Leakage Prevention (DLP) policy so that you may prevent unauthorized data from leaving the organization.
  6. Always apply threat profiles that include anti-virus, malware, Uniform Resource Locator (URL) filtering, and intrusion detection to all the rules you create. Some organizations may relax threat rules for internal types of traffic, applying the most rigor to Internet-based and Demilitarized Zone (DMZ) traffic.
  7. Subscribe to threat definitions, such as anti-virus, malware, intrusion detection, URL filtering, and other offered services, so that you may obtain the latest version of updated threats available to apply to rules. In today's fast-paced networks and new methods for breaching, "zero-day" exploits reported to your vendor's security repository become available to subscribers to install within minutes, giving you an instant protection profile against such vulnerabilities.
  8. Encrypted traffic is not inspectable as it arrives: we don't know what's in the payload, so decrypting traffic allows us to review threat contents and evaluate other compliance parameters. Decrypt all traffic for inspection, and create exceptions only where you must. An exception typically applies to an application that is sensitive to decryption and re-encryption, in which case you should work with the application vendor to find a way to use decryption/re-encryption. Other exceptions may apply to compliance and privacy, as defined by your organization. Once inspected and allowed, traffic is re-encrypted and forwarded to the intended target host; otherwise, it is blackholed.
  9. Apply DDoS protection to both inbound and outbound rules. Should your organization become a target for an attack, inbound flood traffic may be rate-limited or, in the best case, separated from legitimate traffic and dropped. Suppose users launch an attack from a compromised computer on the internal network. In that case, you may also stop such a traffic flood toward other networks, even preventing an attack from being established outbound to new targets, which would otherwise expose the organization's public IP space as a source of attacks on other entities.
  10. Apply URL filtering to all types of traffic. Internal, DMZ, Internet, all zones should be subject to URL filtering so that either category is used or allow lists are created. Along with URL filtering, develop a good policy that identifies what needs to be blocked and allowed. This type of policy may vary from department to department, so work with business leaders to see what best fits their requirements.

Load Balancer

Application scaling and security considerations often meet in the load balancer. Organizations invest in Load Balancers (LB) to increase their hosted applications' availability, safety, and customer experience. Not all LBs are equal; however, an enterprise-grade load balancer may address most of the attacks we face. Let's review a few best practices we may take advantage of to stop an attack.
  1. Use HTTP Host headers for your web application. Doing so ensures you have explicit hostnames for your apps, increases the number of apps you can host per service, and reduces the possibility of rogue/false domain names resolving to your websites.
  2. Implement HTTP to HTTPS redirects. Web apps over port 80 are frowned upon in today's computing world. It's always a good idea to redirect web app sessions to an encrypted web session.
  3. Eliminate weak ciphers and the old, deprecated Secure Sockets Layer (SSL) protocol. Use Transport Layer Security (TLS) for your encrypted sessions instead; the world is moving toward TLS versions 1.2 and 1.3.
  4. Enable rate limiting and traffic throttling on high volumes of new requests, indicating an attack. Alerts and notifications may engage the appropriate team members to take additional steps to mitigate such activities further.
  5. Enable "bot" protection so that you may mitigate a wide array of threats such as scripts, toolkits, scans, scraping, password attacks, and misuse of your API gateways.
  6. Use content switching technologies to apply some logic to identify all app traffic patterns, sending them to the web farm. In contrast, unidentified source traffic requests may be redirected/forwarded to a different web farm, acting as a sinkhole or a deterrent for a potential attacker.
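The following added example (not code from the original article or from any load balancer product) shows items 1, 2, and 4 as one edge decision function: requests for an unknown Host header are refused rather than served by a default site, plain HTTP is redirected to HTTPS, and a per-client sliding-window limiter rejects a flood and raises an alert once a client accumulates enough rejections. The virtual host names, the limits, and the client addresses are constructed for the example.

```python
"""Load-balancer edge policy: Host-header validation (item 1), HTTP->HTTPS
redirect (item 2) and per-client rate limiting with alerting (item 4).
Illustrative Python, not any vendor's load-balancer code."""
from collections import Counter, defaultdict, deque

KNOWN_HOSTS = {"shop.example.com", "api.example.com"}  # hypothetical virtual hosts
WINDOW_MS = 1000        # sliding window length in milliseconds
MAX_PER_WINDOW = 10     # requests per client accepted inside the window
ALERT_AFTER = 20        # consecutive rejections before the on-call team is alerted


class EdgePolicy:
    def __init__(self):
        self.history = defaultdict(deque)   # client -> timestamps (ms) of accepted requests
        self.rejected = defaultdict(int)    # client -> rejections since the last acceptance
        self.alerts = []                    # clients an alert was raised for

    def _rate_limited(self, client, now_ms):
        """Sliding-log limiter: reject once MAX_PER_WINDOW requests were accepted in the window."""
        log = self.history[client]
        while log and now_ms - log[0] >= WINDOW_MS:
            log.popleft()                   # forget acceptances that left the window
        if len(log) >= MAX_PER_WINDOW:
            self.rejected[client] += 1
            if self.rejected[client] == ALERT_AFTER:
                self.alerts.append(client)
            return True
        log.append(now_ms)
        self.rejected[client] = 0
        return False

    def decide(self, req):
        """Return the action the edge takes for one request (a dict of request fields)."""
        host = req.get("host", "").lower().split(":")[0]
        if host not in KNOWN_HOSTS:
            # Unknown Host header: never fall through to a default site.
            return {"action": "reject", "status": 421}
        if req["scheme"] == "http":
            return {"action": "redirect", "status": 301,
                    "location": f"https://{host}{req['path']}"}
        if self._rate_limited(req["client"], req["time_ms"]):
            return {"action": "reject", "status": 429}
        return {"action": "forward", "status": 200, "pool": "web-farm"}


# Constructed traffic: one plain-HTTP visitor, one request with a bogus Host
# header, then 40 HTTPS requests from a single client within 400 ms.
SAMPLE_REQUESTS = [
    {"client": "198.51.100.20", "host": "Shop.example.com", "scheme": "http",
     "path": "/cart", "time_ms": 1000},
    {"client": "198.51.100.21", "host": "unknown.example", "scheme": "https",
     "path": "/", "time_ms": 1001},
] + [
    {"client": "198.51.100.9", "host": "shop.example.com", "scheme": "https",
     "path": "/login", "time_ms": 2000 + 10 * i}
    for i in range(40)
]


def evaluate_sample():
    """Run the constructed traffic through a fresh policy; returns (policy, decisions)."""
    policy = EdgePolicy()
    return policy, [policy.decide(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    policy, decisions = evaluate_sample()
    print(Counter(d["status"] for d in decisions))
    print("alerts raised for:", policy.alerts)
```

Keying the limiter on the client address is the simplest choice; behind a CDN or carrier NAT a real deployment would key on the forwarded client identity instead, or many users would share one bucket.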

Application Layer Firewall or Web App Firewall (WAF)

Web application firewalls are a relatively new technology that permits organizations to add an extra layer of security in front of applications. Applications may present vulnerabilities arising from complex logic or simply from human error/oversight. We may be able to prevent some attacks with a WAF by examining traffic for the following inconsistencies:
  1. Start URL enforcement, cookie consistency, and cookie hijacking,
  2. Buffer overflows,
  3. File upload types,
  4. Form field consistency, field formats, and tagging,
  5. HTML cross-site scripting, cross-site request forgery, SQL injection, and command injection,
  6. An array of XML, JSON, URL-encoded, and multipart form content-type inspections to drop attacks and vulnerability exploitation.
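As an added illustration of the positive-model checks in items 1 to 4 (this is example code, not part of the article or any WAF product), the block below enforces start URLs, detects a tampered session cookie with an HMAC tag, rejects oversized or malformed form fields before they reach the application, and allows only known upload extension/content-type pairs. The key, the field schema, the start URLs, and the sample requests are all constructed for the example.

```python
"""Positive-model WAF checks: start URLs, cookie integrity (tampering and
hijacking), form field format and length, and upload content types.
Illustrative Python, not any WAF product's inspection engine."""
import hashlib
import hmac
import re

# Hypothetical site policy. The key would live in a secret store in practice.
COOKIE_KEY = b"constructed-example-key"
START_URLS = {"/", "/login", "/upload"}    # pages a new session may begin on
FIELD_RULES = {                            # field -> (allowed pattern, max length)
    "username": (re.compile(r"[a-z0-9_.-]{1,32}"), 32),
    "password": (re.compile(r"[\x20-\x7e]{8,128}"), 128),
}
ALLOWED_UPLOADS = {"pdf": "application/pdf", "png": "image/png"}  # extension -> MIME type


def sign_cookie(value):
    """Attach an HMAC-SHA256 tag so the WAF can detect a modified cookie."""
    tag = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie):
    """Return the cookie's value if its tag checks out, else None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


def inspect(request):
    """Return the list of policy violations; an empty list means the request passes."""
    violations = []
    # A request without any session cookie must begin on an allowed start URL.
    if request.get("path") not in START_URLS and not request.get("cookies"):
        violations.append("start URL: first request to a non-entry page")
    session = request.get("cookies", {}).get("session")
    if session is not None and verify_cookie(session) is None:
        violations.append("cookie integrity: session cookie tag mismatch")
    for name, value in request.get("form", {}).items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            violations.append(f"form field: unexpected field {name!r}")
            continue
        pattern, max_len = rule
        if len(value) > max_len:          # oversized input never reaches the application
            violations.append(f"form field: {name} exceeds {max_len} characters")
        elif not pattern.fullmatch(value):
            violations.append(f"form field: {name} has an invalid format")
    for upload in request.get("uploads", []):
        ext = upload["filename"].rsplit(".", 1)[-1].lower()
        if ALLOWED_UPLOADS.get(ext) != upload["content_type"]:
            violations.append(f"upload: {upload['filename']} as {upload['content_type']} not allowed")
    return violations


# Constructed requests: one clean login, one with a tampered session cookie,
# one with an oversized field, and one upload whose type is not allowed.
SAMPLE_REQUESTS = {
    "clean": {"path": "/login", "cookies": {"session": sign_cookie("uid=42")},
              "form": {"username": "alice", "password": "correct horse battery"}},
    "tampered": {"path": "/",
                 "cookies": {"session": sign_cookie("uid=42").replace("uid=42", "uid=1")}},
    "oversized": {"path": "/login",
                  "form": {"username": "a" * 5000, "password": "longenough1"}},
    "upload": {"path": "/upload", "cookies": {"session": sign_cookie("uid=42")},
               "uploads": [{"filename": "invoice.exe", "content_type": "application/pdf"}]},
}


def inspect_samples():
    """Inspect each constructed request; returns name -> violations."""
    return {name: inspect(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, result in inspect_samples().items():
        print(f"{name:<10} {'pass' if not result else result}")
```

The length check runs before the format check on purpose: a regular expression applied to a multi-kilobyte field is itself a cheap way to burn CPU, so the cheapest test goes first.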

Domain Name Service (DNS) security

A simple yet effective layer of defense may add a security layer to your organization. Because computers communicate from IP address to IP address, names exist to help humans remember the various resources on the Internet.
  1. For Internet DNS, subscribe to a "scrubbed" or "cleaned" DNS service, such as the one offered by OpenDNS, where known-malicious hostnames are denied resolution with a high level of confidence, stopping attacks immediately when unaware clients attempt to access such links.
  2. Host your applications' names in a DNS service that supports DNS Security Extensions (DNSSEC). This ensures that valid name lookups arrive from authoritative, authentic domain servers.
  3. Because attacks are predominantly initiated through email phishing, leverage Sender Policy Framework (SPF) records to tighten down the allowed email servers for your domain, preventing email server hijacking, relaying, blacklisting, etc.
  4. Use DomainKeys Identified Mail (DKIM) signing to authenticate services, further assuring a certified, verified service between vendors and organizations.
  5. Where possible, structure your name records correctly, with address records mapping names to IP addresses and correct Canonical Name (CNAME) records pointing to hosts, for redundancy and proper IP address resolution.
  6. Control forwarders, cache-only servers, advertisers, and resolvers, and protect against cache pollution and unauthorized zone transfers.
  7. Additional due diligence and a proper DNS architecture may add an extra layer of protection against DNS DDoS.
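To show what the SPF record in item 3 actually does at a receiving mail server, here is an added example (not code from the original article, and not a production SPF library) that evaluates the ip4, ip6, include, and all mechanisms of RFC 7208 against a sending address. The TXT records are constructed and held in memory so the example runs offline; the domains and addresses are placeholders.

```python
"""SPF (RFC 7208) evaluation for the ip4, ip6, include and all mechanisms,
run against constructed in-memory TXT records so it works offline.
Illustrative Python, not a production SPF library."""
import ipaddress

# Constructed TXT records standing in for live DNS answers.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "noreply.example.org": "v=spf1 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result for sender_ip claiming to send mail as domain."""
    if depth > 10:                      # RFC 7208 caps the number of DNS-querying terms
        return "permerror"
    record = TXT_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == network.version and ip in network
        elif mechanism == "include":
            inner = check_spf(argument, sender_ip, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"      # an include that does not resolve is a record error
            matched = inner == "pass"
        else:
            # a, mx, ptr and exists need live DNS lookups; out of scope here.
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and the record has no "all"


if __name__ == "__main__":
    for domain, ip in [("example.com", "203.0.113.25"), ("example.com", "2001:db8::1"),
                       ("example.com", "192.0.2.1"), ("noreply.example.org", "192.0.2.1")]:
        print(f"{domain:<20} {ip:<16} {check_spf(domain, ip)}")
```

The "-all" terminator is what gives the record its teeth: with "~all" a forged sender only softfails, and many receivers still deliver such mail, so publish "-all" once every legitimate sending host is listed.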

Web or URL filtering 

Uniform Resource Locator (URL) or "web filtering" is available to both enterprise and home networks. URL filtering implementations deliver a comprehensive strategy to quickly stop access from your computers to rogue, uncategorized, or malicious sites that may deliver harmful content to your protected assets. Web categorization may reflect a global consensus; however, web filtering service providers may modify/re-classify websites to further refine accuracy, adding clarity. Consider filtering/denying the following categories for your organization:
  1. Compromised – sites that may have been compromised.
  2. Criminal Skills/Hacking – sites describing criminal "how-to" behavior. Download and peer-to-peer networking (file sharing) sites may distribute malicious files and programs that are altered, illegal, and may damage your company's systems and reputation.
  3. Gambling – as much as these sites may hinder productivity, gambling sites are usually hosted outside the US. Due to loose regulations, such sites may spread malicious content that deploys spyware and malware.
  4. Adult/Pornography/Sex – aside from harassment, such sites may also distribute spyware and malware.
  5. Spam – sites associated with collecting user data and targeting users with pop-ups and irrelevant content.
  6. Spyware and Malicious – software deployed from such sites may harm your computer's operation and compromise your data.
  7. Web-based email – such sites leak organizational protected files and introduce malware and spyware.
Apply a "whitelist" or "allowlist" when you have a group of servers or computer users who should be denied access to everything except an explicit list of web applications. It is very useful to have absolute control of what's accessed, and also when, if time-based access control lists are implemented.
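The decision logic behind a category filter and the allowlist described above, as an added example that is not part of the original article or any filtering product: a subdomain inherits its parent's category through longest-suffix matching, uncategorized sites are denied by default, and a server group may reach only allowlisted hosts, and only inside a time window. The category database, the group names, the patch window, and the proxy log lines are all constructed for the example.

```python
"""Web-filter decision logic: category block list with longest-suffix domain
matching, block-by-default for uncategorized sites, and a strict, time-bound
allowlist for a server group. Illustrative Python, not a vendor's filter."""
from datetime import datetime, time

# Constructed category database; real deployments use a vendor feed.
CATEGORIES = {
    "example.com": "business",
    "mail.example.net": "web-based-email",
    "casino.example.org": "gambling",
    "share.example.org": "peer-to-peer",
}
BLOCKED_CATEGORIES = {"compromised", "criminal-skills", "gambling", "adult",
                      "spam", "malicious", "web-based-email", "peer-to-peer"}

# Hypothetical: the server group reaches only these hosts, and only during
# the nightly patch window.
SERVER_ALLOWLIST = {"updates.example.com"}
PATCH_WINDOW = (time(2, 0), time(4, 0))


def categorize(host):
    """Longest-suffix lookup so a subdomain inherits its parent's category."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def decide(host, group, when):
    """Return 'allow' or 'deny' for a request to host by a group at datetime when."""
    host = host.lower().rstrip(".")
    if group == "servers":
        listed = any(host == a or host.endswith("." + a) for a in SERVER_ALLOWLIST)
        in_window = PATCH_WINDOW[0] <= when.time() < PATCH_WINDOW[1]
        return "allow" if listed and in_window else "deny"
    category = categorize(host)
    if category == "uncategorized" or category in BLOCKED_CATEGORIES:
        return "deny"                   # unknown sites are denied until classified
    return "allow"


# Constructed proxy log lines: timestamp, group, host.
SAMPLE_LOG = """\
2024-03-01T12:00:00 users www.example.com
2024-03-01T12:00:05 users vip.casino.example.org
2024-03-01T12:00:09 users totally-new-site.test
2024-03-01T03:00:00 servers updates.example.com
2024-03-01T12:00:00 servers updates.example.com
"""


def filter_log(log=SAMPLE_LOG):
    """Apply the policy to each log line; returns [(host, group, verdict)]."""
    rows = []
    for line in log.splitlines():
        stamp, group, host = line.split()
        rows.append((host, group, decide(host, group, datetime.fromisoformat(stamp))))
    return rows


if __name__ == "__main__":
    for host, group, verdict in filter_log():
        print(f"{verdict:<5} {group:<8} {host}")
```

Denying uncategorized sites is the strict choice; organizations that find it too disruptive usually allow them for users while logging the hits, and keep the strict rule for servers.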

Service Provider DDoS

Distributed Denial of Service (DDoS) attack protection is available from various Internet Service Providers (ISPs). This extra add-on for your Internet circuits offers a professional level of advanced traffic inspection and scrubbing that prevents malicious traffic from reaching your applications. Keep in mind that an attack on your applications during peak, critical, or seasonal business periods may cause losses that will never be recovered, including the reputation and credibility of your brand, which may continue to cause loss of revenue. Credibility is often tough to rebuild, in some cases resulting in a cessation of business operations.

Endpoint Computer Protection

User and server compute protection relies on software agents that perform classic security measures against unauthorized files, programs, and user behavior.
  1. Anti-virus/malware protection on each computer node.
  2. Process “whitelisting,” allowing only approved software to execute in the computer environment. Should unauthorized software spawn and attempt to run in memory space, it would automatically be disabled and quarantined.
  3. Data leak prevention, a service tailored to information loss and to the use of such information for ransom, threats, and other criminal behavior against an organization.
  4. Servers should be "hardened" and "tuned" to serve their intended purpose only. Work with application developers to identify the application verbs (HTTP methods) in use and further configure your web servers to explicitly allow only what's necessary.

Security Operational Activities

Create a committee or working group to address security policies, governance, and oversight of an organization's security framework and activity. Maintain a set of recurring work meetings, review action items, and delegate various security roadmap projects and activities to IT team members. By testing and validating potential attack scenarios, running simulations or "what-if" scenarios will empower your organization’s confidence in your action plans.
  1. Routinely scan your network and applications for vulnerabilities. Such scans can be performed by professional services as an anonymous user, even an authenticated user, gaining a deeper security insight into the application's operating system.
  2. Periodically emulate an attack by utilizing a professional security service vulnerability scanner, and work through your action plan. Escalate, notify, engage the proper team members, run through your drill, and validate that the correct individuals will be available to "react" and "work" the defense plan, preparing further should an actual attack occur.
  3. Hire a professional "Red Team" ethical hacking company, who will be tasked with launching an external attack or even breaching your organization. The attack can also be internal, so be sure to focus a "Red Team" professional on your internal infrastructure as well. Should they successfully breach your systems and gain access to data, these vulnerabilities will be discussed confidentially and remediated with the urgency they deserve.
  4. Review security metrics at least once a month, report on attack attempts, abnormal traffic patterns, availability, application performance, incidents, and review the root cause of such problems. Engage organization's departments to discuss abnormalities and irregularities in their IT responsibility domains.
  5. Conduct periodic security training using videos, speeches, interactive training and make it mandatory. Security is everyone’s job, and the weakest link may open a path to your organization’s applications and data; therefore, focus on training!
  6. Maintain a running list of security-related vulnerabilities, incidents, and exceptions you must oversee for your organization’s IT infrastructure. Routinely reviewing these ticket items will assure you have delegated responsibilities for remediation to completion and carefully track exceptions that remain an area of oversight and work to be done.
We emphasized several protection mechanisms, and while it’s essential to know your organization’s security team is responsible for security structure and leadership, employees, vendors, contractors, and senior management members also play their part. We all need to use common sense, good judgment, and if we notice suspicious behavior with information security, always report it to your IT hotline. A good security program with participating members who are trained, educated, and diligent forms the extra layer of the security barrier that may prevent the most unsuspecting attack.
