Application-Centric Security
This section describes an overview of assets in Domain 5 on application-centric security. It includes an overview of assets and threats that span the full spectrum of applications. Major sources of information for this study are OWASP[1] and SANS[2] reports. It is important to note that this section does not consider applications providing functionalities for infrastructure/system/network management.
Threats
In this section, we discuss the threats that can be mapped to the application asset taxonomy. Our review was driven by the OWASP and SANS generic risk assessment. In general terms, threats, such as injection and application malfunctioning, may strongly affect IT in general. In fact, current IT systems are heavily based on applications/services composed at run time and therefore exposed to attacks and breaches. Also, attacks to hosting platforms (deliberate and intentional), failures/malfunctions (e.g. malfunction of the ICT supporting platform) can be important sources of risk. We introduce the major characteristics of the threat taxonomy, with a special focus on cyber-security threats; that is, threats applying to information and communication technology assets. We also consider threats not related to ICT and caused by humans during their activities.
A threat to application assets can be considered as “any circumstance or event that affects, often simultaneously, services and applications distributed over the Web”. The threat taxonomy is a consolidation of threats previously considered in other documents/reports [3][4] and is composed of the following category.
- TG5.1 – Unintentional damage: This group includes all threats causing application malfunctioning or loss of confidentiality/integrity/availability due to human errors.
- TG5.2 – Interception and unauthorized acquisition: This group includes threats introduced by alteration/manipulation of the communications between two parties. This TG, depending on the circumstances of the incident, could, also, be linked to TG5.4.
- TG5.3 – Nefarious activity/abuse: This group includes threats coming from nefarious activities. It requires active attacks targeting the platform of the victim, as well as public interfaces of the hosting platform and applications.
- TG5.4 – Legal: This group provides for threats resulting from violations of laws and/or regulations, such as the inappropriate use of Intellectual Property Rights, the misuse of personal data, the necessity to comply with judiciary decisions dictated with the rule of law.
- TG5.5 – Organizational threats: This group includes threats to the organizational sphere.
Threat Group TG5.1: Unintentional damage
Threat T5.1.1: Security Misconfiguration
Security misconfiguration is one of the most exploited threats. Cyber attackers often try to exploit unpatched software, use default accounts, or unused pages to gain unauthorized access to systems. The problem can target systems at any layers and become then critical giving to the attacker the possibility of compromising the system and bypassing access control checks. This threat is related to threats in other domains: Threat T4.1.1 and Threat T4.1.2 in Data-Centric Security Threat T3.1.1 in System-centric Security, Threat T1.1.1 in Device/IoT-Centric Security.
Assets: “Interfaces”, “Security Techniques”.
Threat Group TG5.2: Interception and unauthorized acquisition
Threat T5.2.1: Interception of information
The interception of information is another important threat that plague the application domain. This threat is horizontal and targets all domains involving weaknesses in network communications, system components and devices, data exchange, and users’ activities. In this domain, the interception of information is mainly due to weaknesses and flaws in the protocols for communication encryption (e.g., SSL). This threat is related to threats in other domains: Threat T4.1.1, Threat T4.2.1, and Threat T4.2.2 in Data-Centric Security, threat T3.2.1 in System-Centric Security, Threat T1.2.1 in Device/IoT-Centric Security.
Assets: “Data”, “Interfaces”, “Security Techniques”.
Threat T5.2.2: Sensitive data exposure
Sensitive data exposure is a major plague for applications and is often the result of misconfigurations or weak security protection. Many web applications and APIs do not properly protect sensitive data.[3] Rather than trying to decrypt an encrypted communication, cyber attackers try to intercept it, steal keys, access the cleartext.[3] The most common weaknesses concern, not surprisingly, the store/exchange of sensitive data in plain text, as well as how crypto is employed (e.g., weak key generation and management, weak algorithm). This threat results in common sensitive data leakage and breaches both for data in transit and at rest. This threat is related to threats in other domains: Threats T4.1.1, T4.2.1, T4.2.2, T4.4.4 in Data-Centric Security, as well as T5.1.1 and T5.1.2 in this section.
Assets: “Data”, “Security Techniques”, “Roles”.
Threat Group TG5.3: Nefarious activity/abuse
Threat T5.3.1: Broken authentication and access control
Broken authentication and access control allow an attacker to compromise an application and often the entire system hosting it. As a consequence, a bug in the application functions implementing authentication and session management, as well as access control, result in catastrophic consequences, allowing attackers to compromise passwords, keys, or session tokens, assume other users’ identities.[3] Restrictions on authorizations are also not properly enforced. Access control weaknesses are similar and permit unauthorized operations affecting the confidentiality and integrity of data and applications.
Assets: “Data”, “Security Techniques”, “Roles”.
Threat T5.3.2: Denial of service
Denial of service has been extensively discussed in both device/IoT-, network-, system-, and data-centric security. One of the main targets of denial of service is applications for a variety of reasons, economic, political, ideological, and the like. This threat is related to threats in other domains:
Assets: “Data”, “Interfaces”, “Security Techniques”, “Roles”.
Threat T5.3.3: Code execution and injection (unsecure APIs)
Code execution and injection are common threats to applications. Unsecure APIs are supporting criminals in their malicious activities since the advent of the Internet and are increasing in importance since the advent of distributed services. This threat is related to threats in other domains: Threat T4.4.2 in Data-Centric Security, Threat T3.4.3 in System-Centric Security, and Threat T1.4.3 in Device/IoT-Centric Security.
Assets: “Data”, “Interfaces”, “Security Techniques”.
Threat T5.3.4: Insufficient logging and monitoring
This threat supports criminals in going undetected. It reduces the performance of intrusion detection and attack identification, decreasing the response and remediation effectiveness.[3]
Assets: “Data”, “Interfaces”, “Security Techniques”.
Threat T5.3.5: Untrusted composition
This threat subsumes many other threats in this deliverable focusing specifically on composite services. Composite services, in fact, orchestrate atomic services to provide advanced functionalities. This composition, however, introduces new risks that go beyond the risks of atomic service[5][6]. First of all, composite services could result in a compromise due to the combined information they have access to. Then, the composition of strong atomic services does not result in a strong composite service. Afterward, the strength of a composite service is the strength of the weakest atomic service. Finally, multiple communications and storages need to be protected at the time.
Assets: “Interfaces”.
Threat Group TG5.4: Legal
Threat T5.4.1: Violation of laws or regulations
Taking, also, into account the discussion above on violation of applicable laws, it can be argued the most relevant laws, in this case, are the GDPR and the Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS). National laws of Member States can certainly apply, but those are, essentially, left outside the scope of this deliverable.
Assets: All assets.
Threat Group TG5.5: Organizational threats
Threat T5.5.1: Malicious insider
The insider threats are among the most critical security threats to be faced and can be distinguished in unintentional or malicious insiders[7] It is quite shared the view that insider attacks may inflict larger damages than outside attackers[7][8][9][2]. Their impact is also increasing due to the fact that, on one side, no effective security solutions exist for this threat and, on the other side, the value of data is increasing exponentially. Insiders are in fact authorized users with legitimate access to sensitive/confidential documents, possibly knowing existing vulnerabilities[7]. Malicious insiders have therefore multiple incentives to carry out an attack that ranges from revenge to revenue when sensitive data are at their disposal.
Assets: “Roles”, “Data”, and assets “Platform Security”, “Application Security”.
Emerging Threats in COVID-19 Era
The advent of COVID-19 generated the following new Application-centric threats:
Threat T5.1.2: Inadequate design – COVID-19
Design is a fundamental step in every application development process, having a great impact on the final outcome. Design should take into account all the functional aspects of the application, as well as non-functional aspects such as scalability, user experience. Furthermore, design must take into account security aspects from the beginning, by thoroughly evaluating all the threats the application will be subjected to, and subsequently implement the proper mitigation. Compliance with existing regulations must be considered from the beginning, since they often require specific activities and guarantees to be offered. If the design phase does not consider all these factors properly, the resulting application will be weak, opening for many of the threats listed below, including possible law violations. This threat is related to Threat T4.1.2 in Data-Centric Security.
Threat T5.3.6: Supply-Chain Security – COVID-19
Supply-Chain Security refers to the security of all the components (e.g., hardware, third party software) involved in the realization of a software application or, more generically, of an ICT product.[10][11] In fact, should one of such components be insecure, or even infected by a malware, the final outcome will be compromised as well. This aspect is exacerbated by the complexity of existing systems.[12] In fact, supply-chain security is connected with the concept of trust, since at a certain point there is no alternative than trusting a certain subject whose products are being bought. This threat encompasses several aspects, in particularhardware security and application installation and update. Hardware security refers to hardware defects, which are extremely difficult to fix in software, and can even be intentional. Application installation and update refer to all the activities involved in installing and updating an application. Threats can come from, among the others, i) fake applications miming the real applications users want to install, ii) vulnerabilities in the installation/update process (e.g., bypassing code signing or servers compromise), iii) vulnerabilities in third parties software the application being installed/updated depends on. This threat can result in application tampering, malware installation, or in backdoors on users’ devices. Furthermore, supply-chain attacks do not target only the final consumer, but can impact on critical infrastructures, such as power grids.[13]
Threat T5.3.7: Virtualization – COVID-19
Virtualization is used to consolidate physical machines, allowing many applications, or even operating systems, to coexist in an isolated way on the same host. Since virtualization is often used for multitenancy, it opens to new threats specifically aimed to exploit this aspect, gaining, for instance, access to other tenant’s data. At the same time, a threat affecting the underlying virtualization technology can have a great impact on the overall system security. Within this context, hardware vulnerabilities such as Meltdown and Spectre [14] have gained high visibility. Finally, the situation can be further exacerbated by new lightweight virtualization technologies based on a less strict isolation.
Threat T5.5.2: Skill shortage – COVID-19
Systems are becoming increasingly distributed and complex, and threats are constantly evolving. As such, they demand new expertise, both for developing and managing these systems, and for keeping them secure and safe from novel and sophisticated threats. Skills and education are required also for other people engaging with systems, e.g., employees. This threat is related to Threat T4.6.1 in Data-Centric Security and is also related to most of the threats highlighted in this Section.
[1] OWASP™ Foundation – the free and open
software security community, https://www.owasp.org/index.php/Main_Page
[2] SANS Institute, https://www.sans.org/
[3] Cybersecurity – the Human Factor: Prioritizing People Solutions to improve the cyber resiliency of the Federal workforce. FISSEA. 2017. https://csrc.nist.gov/CSRC/media/Events/FISSEA-30th-Annual-Conference/documents/FISSEA2017_Witkowski_Benczik_Jarrin_Walker_Materials_Final.pdf
[4] ENISA, Cyber Security Culture in organizations. February 2018. https://www.enisa.europa.eu/publications/cyber-security-culture-in-organisations
[5] Sametinger e J. W. Rozenblit, «Security Challenges for Medical Devices,» Communications of the ACM, vol. 58, n. 4, pp. 75-82, 2015.
[6] T. Moore, «The Economics of Cyber Security: Principles and Policy Options,» International Journal of Critical Infrastructure Protection (IJCNIP), vol. 3, pp. 103-117, 2010.
[7] IPACSO Project, «Innovation Framework for ICT Security,» Available: https://ipacso.eu/.
[8] M. Brzoska, R. Bossong e E. van Um, «Security Economics in the European Context: Implications of the EUSECON Project,» Economics of Security Working Paper Series, vol. 58, 2011.
[9] App economy to grow to $6.3 trillion in 2021, user base to nearly double to 6.3 billion https://techcrunch.com/2017/06/27/app-economy-to-grow-to-6-3-trillion-in-2021-user-base-to-nearly-double-to-6-3-billion/
[10] ATTACK LANDSCAPE H1 2019 https://s3-eu-central-1.amazonaws.com/evermade-fsecure-assets/wp-content/uploads/2019/09/12093807/2019_attack_landscape_report.pdf
[11] F-Secure IoT threat landscape – Old hacks, new devices, https://s3-eu-central-1.amazonaws.com/evermade-fsecure-assets/wp-content/uploads/2019/04/01094545/IoT-Threat-Landscape.pdf
[12] BitSight, “FBI alerts companies of Cyber Attacks Aimed at Supply Chains”. https://www.bitsight.com/blog/fbi-alerts-companies-of-cyber-attacks-supply-chains
[13] Trey Herr, June Lee, William Loomis, and Stewart Scott, ”Breaking Trust: Shades of Crisis Across an Insecure Software Supply Chain”, 2020, https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf
[14] ENISA Threat Landscape and Good Practice Guide for Smart Home and Converged Media https://www.enisa.europa.eu/publications/threat-landscape-for-smart-home-and-media-convergence
Università degli Studi di Milano
Via Celoria 18, 20133 Milano MI - Italy
+39 02 503 16333 - sesarlab@unimi.it