Over the last decade, a significant increase has been observed in the use of web-based Information systems that process sensitive information, e.g., personal, financial, medical. With this increased use, the security of such systems became a crucial aspect to ensure safety, integrity and authenticity of the data. To achieve the objectives of data safety, security testing is performed. However, with growth and diversity of information systems, it is challenging to apply security testing for each and every system. Therefore, it is important to classify the assets based on their required level of security using an appropriate technique. In this paper, we propose an asset security classification technique to classify the System Under Test (SUT) based on various factors such as system exposure, data criticality and security requirements. We perform an extensive evaluation of our technique on a sample of 451 information systems. Further, we use security testing on a sample extracted from the resulting prioritized systems to investigate the presence of vulnerabilities. Our technique achieved promising results of successfully assigning security levels to various assets in the tested environments and also found several vulnerabilities in them.
Complex web-based systems either contain or utilize private and critical information which must remain secure from unauthorized access and tampering. Similarly, basic web applications may also process sensitive information and, are constantly at risk of being attacked. New and complex systems used in cloud computing for data crunching and information gathering may also be vulnerable to various attacks and threats. To ensure the security of these systems and applications, security testing is required. There are various types of security testing techniques that are used to find vulnerabilities. The most common form of testing is Penetration Testing also known as “Pen Testing”. Penetration testing is carried out by simulating real attacks on systems to identify exploitable vulnerabilities and the damage they would incur [ Confidentiality: is the assurance that information is not disclosed to unauthorized individuals, processes, or devices. Integrity: is provided when data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed. Availability: guarantees timely, reliable access to data and information services for authorized users. These security principles make the CIA triad which is the most commonly used and oldest security standard around the globe. Over the years with the increase in the complexity and wide variety of systems and applications, more security features have been added such as: Authentication: is a security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information. Authorization: provides access privileges granted to a user, program, or process. Non-repudiation: is the assurance that none of the partners taking part in a transaction can later deny of its participation.
The focus of providing security should be applied on the web application layer to protect it from unauthorized users by building security across the software development lifecycle security mechanism [
Security testing is often performed for a single System Under Test (SUT), however, there are usually more systems or components that needs to be tested in a complex web-based infrastructure. In such cases, it becomes a difficult decision for the tester/organization that which system/component should be tested first among the vast majority of systems [
Our proposed technique verifies the quality of data that the system stores, analyses, processes and transfers, as well as the criticality of the system determined via a checklist that focuses on such aspect of the system. The technique utilizes information as collected and described during the planning and design stage of the Security Testing and the Software Development Life Cycle (SDLC). This information is further used to consider the exposure to various types of users of the system. All the collected information about various aspects of a SUT is then analyzed to calculate the criticality value of the asset and an appropriate category (High, Medium, Low) is assigned to it. For evaluating the effectiveness of our proposed approach, we performed testing on 400 web based information systems of the province of Khyber Pakhtunkhwa, Pakistan. Finally, we analyzed a sample of the categorized systems for the investigation of OWASP Top 10 vulnerabilities.
The rest of the paper is organized as following. Section 2 provides a succinct summary of the related work. Section 3 provides a background on the OWASP Top 10 vulnerabilities. Sections 4 presents our proposed approach for asset security classification in detail. Section 5 describes the details of our study design including the subjects’ selection and methods of analysis. The results are discussed in Section 6. Finally, the conclusion and future work is presented in Section 7.
Attacks on web-based systems have increased significantly over the last few years. The number of attacks grew from 17 million to 50 million between years 2015 and 2016 [
A web based platform is a complex system consisting several components, tools, devices, technologies e.g., HTTP/S protocols, application development technologies like PHP, ASP and web clients (browser etc.). Further, almost all types of these systems are continuously being targeted by attackers and therefore organizations use intrusion detection/prevention systems (IDS/IPS) and firewalls to protect and monitors such networks [
A framework for assessing the risk of vulnerabilities in e-government sites, has been discussed by Anastacio et al. [
Almadhoob et al. [
In addition to the asset classification, we also aim at security testing for vulnerabilities, especially for the web vulnerabilities that may exist in web-based information systems. Therefore, in this section, we provide an overview of the widely known vulnerabilities as listed by the Open Web Application Security Project [
OWASP is a platform developed by and for the IT community. This platform is used to share knowledge and tools for professionals and beginners alike in the pursuance of defending against attacks on web-based systems. OWASP provides open source tools as well as documents focusing on finding security related attacks and vulnerabilities, guard against attacks and further strengthening the security activities protecting the systems. OWASP ZAP [
Similar to using tools, OWASP also provide documentation for developers to learn about the various vulnerabilities and how to harden the systems against such vulnerabilities [
Following are the OWASP vulnerabilities in the order of their severity.
An injection attack allows an attacker to insert malicious data into a program via input sources, e.g., input fields. These attacks are commonly found in SQL, LDAP, XPath etc. In case of SQL attack, the attacker can read, modify, delete the database or execute other queries. In these types of attacks, the coding query handling methods affect the security of the program [
Often many web applications require users to login with their credentials. Typical cases require a username and password, that are used to generate a random session id that authenticates all actions as a legitimate user. Disclosure of these credentials occur due to reasons like transmission through insecure channels and security misconfiguration. Upon obtaining such credentials, attackers can impersonate a legitimate user. Therefore, authentication and session management must be managed properly to protect the users’ data from unauthorized disclosure or modification [
Data exposure occurs when a web application or program does not adequately protect its data and information. This data if accessed by the attackers can result in financial or business loss. An example could be, exposed data by an error message, weak crypto and lack of headers preventing browser caching.
XML is used to describe data. Two systems that are running on different technologies can communicate with each other using XML. XML External Entity attack takes place when a reference to an external entity is processed by weakly configured parser that may result in information disclosure, Denial of Service (DoS) attacks, port scanning [
In access control mechanism, also known as authorization, users are allotted access to resources according to their roles, e.g., admin, employee or guests etc. Broken access control is one of the most common and highly exploitable vulnerability. Access controls are exploited by changing parameter values, giving direct access to unauthorized system object. Most common impact is privilege escalation—A practice of providing users more rights or access than required, hence weakening the system security [
Security misconfiguration vulnerabilities appear into systems due to the use of weak passwords, encryption, using default configured setting, incomplete or improper configuration of settings, outdated software’s or unpatched flaws etc.
Cross-site Scripting attacks are a type of injection attacks. The attacker generally injects the malicious code through a browser site script. Nowadays, JavaScript is enabled in most web applications to provide rich functionalities to users. This also provides the attacker an opportunity to exploit and execute their attack. One of the main difficulties in stopping XSS vulnerabilities is proper character encoding where the web applications are unable to filter the character encodings for example there is a possibility that the web application might filter out <script> but won’t filter %3script%3e which is another encoding of tags [
Deserialization is the transformation of incoming serialized data from file, stream or network socket into an object. It is very common and regular process for any web application to serialize and deserialize data. Reserialization of untrusted data by an application can lead to an attacker launching DOS, authentication bypass, etc.
This vulnerability occurs when the system is not updated and patched on regular basis. In most cases, once a web application is developed and handed over to the customer, no proper maintenance is carried out afterwards.
This vulnerability may exist when there is inadequate/insufficient logging and monitoring facilities in the SUT. This may also occur due to a human fault that lead to vulnerability in the system, improper management of logs.
Our proposed approach consists of the following two phases: Asset Security Classification Framework Testing for OWASP Vulnerabilities in critical assets
We developed a framework for asset security classification that assigns an appropriate security level to assets based on various types of information, e.g., interfaces, dependencies, user access, exposure level. The framework consists of the following components.
For calculating the prioritization of assets, we collect various types of information. Our framework gathers information and categorizes it as shown in
This category consists of information being stored, processed or transmitted by the system. The type of information can be specified as personal information, financial information and system configuration information. Classification is made on the basis of the security level of the information. The information can be classified as either secret, confidential, internal or public information. This category also describes that in case of the information being secret or confidential, whether there exists a possibility for the information to be transferred to a removable device or communicated outside the system through electronic communication media such as email.
This category describes finding the access to the system that users may be depending upon for their authorization level in the system. This can include users such as the general public, subscribed customers, employees, third party and licensed system operators.
In this category, we consider the hardware and software specifications of the systems. This can include the portable devices, IT and network equipment, operating systems, other software and development tools that are used in the system.
Information such as the hosting location of the system, environments such as any testing and training environments are present etc., is gathered in this section. Also, any information about specific hardware necessary to access or run the system is collected here as well.
In this category, the information about any interfaces in the system for different Software Development Kit (SDK) and Application Programming Interface (API) libraries integration is gathered. Proper identification of interfaces is necessary as they expose the system to vulnerabilities when proper protection steps are not taken.
Information about the systems dependency on other systems, networks and services is gathered in this category. Often dependencies can have a major impact on the security/protection of the system.
In this category the information about how much an attacker would be attracted to the system is discussed. Gathering information about attractiveness of the system to attackers helps in the identification of weak points and possible defenses that can be put in place. Here questions, such as use of system capabilities to exploit other systems, are also discussed.
The CIA triad consists of confidentiality, integrity and availability of information. Confidentiality: As defined in Section 1, measuring confidentiality of the system information and data allows for creating safeguards against leakage of the data. Impact or loss of confidentiality and the likelihood of the loss is measured using this category. Loss of confidentiality can have an adverse effect on the reputation of the system and massive impact on system’s reliability. Integrity: Like confidentiality, here the effects of loss of integrity of the data is measured. Loss of data integrity can affect systems’ reputation and expose it to financial and legal repercussions. Availability: As described in the introduction section and like the above-mentioned confidentiality and integrity related problems, a breach of system availability will have a massive impact on it’s overall reputation and create a disastrous situation for the organization.
As previously described, the proposed technique utilizes basic information collected regarding each of the Systems Under Test to measure, in quantitative terms, the security requirements and sort the systems based on these values. For this purpose, we calculate the following three main variables.
This variable measure, in quantitative terms, the access of the system to the world. This refers to the interaction of users in its current security state. If the systems exposure level is high, its risk of becoming an attractive target for a threat agent increases as well as the potential of having more vectors for gaining possible entries into the system. If the threat agents gain entry into the system, the least they can do is to deface the system resulting in a long-lasting stain on the reputation of the organization to which the system or site belongs.
Mathematically, we can express the Exposure Factor as
Security triad is a globally accepted standard for measuring the security requirements of any digital system. The standard helps in identifying and measuring the criticality of the system to the organization. This also helps in assessing the amount of possible damage to inflict on the organization if any of the three security standards are breached.
We represent CCIA mathematically as:
The Asset Value Level (
By identifying and measuring these terms in quantitative values, we believe will increase the probability of correctly identifying the critical factors of the system for prioritizing them from the pool of systems that need to be assessed further.
To make the results easier to understand, a generalized approach is used to cluster the assets into 3 types based on their security requirements. For this purpose, we have defined custom ranges for each of the three parameters, i.e., Exposure Factor (
For evaluation of our proposed asset security framework, we used the questionnaire developed by KP CERC [
We evaluated the proposed framework for asset security classification on a case study consisting of 451 web-based systems related to various organizations of the province of Khyber Pakhtunkhwa, Pakistan. However, for confidentiality reasons, we anonymize the names of these systems in this paper.
Initially we collected the web related information about each system in a total of 451 links including some dual links that were still open after the system development period expired. Each of these websites were then individually examined and information was gathered by use of the questionnaire for all the links collected except duplicates. However, some of the information could only be provided by the administrator of the application. As we were not able to get access to the administrators, we assumed thresholds for such information under advisory of cyber security experts.
In this section, we describe our results in the following two parts:
We attempted to manually access all of the 451 links initially, however 38 systems (8%) were not accessible via the internet, and therefore our further investigation was performed on the remaining 413 (92%) of the systems. There are various reasons for the non-accessibility of these systems, e.g., power outage, no or limited public interface of the systems.
We tried to collect detailed information of the remaining 413 websites. However, there were some highly sensitive systems for which we did not have permissions and therefore they could not be classified into any category using the proposed technique. These “Not Classified” systems accounted for 30% (171) of the total 413 systems. The remaining 242 systems were analyzed in detail by collecting all information related to the categories defined in the proposed framework.
All the required data was collected, and those parameters were calculated for the 242 systems for their security classification. As shown in
As stated previously, our approach also includes security testing of web-based information systems. We picked a sample of 20 systems for vulnerability testing belonging to different organizations and categories as listed in
S. No | Category | URL | HTTP/HTTPS | #pages | Certificates | Certificate authority |
---|---|---|---|---|---|---|
1 | Health | Site 1 | HTTP | 8 | No | N/A |
2 | Management | Site 2 | HTTPS | 25 | Yes, Valid till… | cPanel, Inc. |
3 | Education | Site 3 | HTTP | 35 | No | N/A |
4 | Government | Site 4 | HTTPS | 46 | Yes, Valid till… | cPanel, Inc. |
5 | Welfare & Security | Site 5 | HTTPS | 40 | Yes, Valid till… | cPanel, Inc. |
6 | Finance | Site 6 | HTTP | 42 | No | N/A |
7 | Management | Site 7 | HTTPS | 43 | Yes, Valid till… | COMODO CA limited |
8 | Development | Site 8 | HTTP | 34 | No | N/A |
9 | Government | Site 9 | HTTP | 43 | No | N/A |
10 | Health | Site 10 | N/A | – | ||
11 | Education | Site 11 | HTTP | 21 | No | N/A |
12 | Education | Site 12 | HTTP | 27 | No | N/A |
13 | Finance | Site 13 | HTTP | 58 | No | N/A |
14 | Management | Site 14 | HTTP | 76 | No | N/A |
15 | Welfare & security | Site 15 | HTTP | – | No | N/A |
16 | Management | Site 16 | HTTP | 17 | No | N/A |
17 | Development | Site 17 | HTTPS | 43 | No | N/A |
18 | Development | Site 18 | HTTP | 14 | No | N/A |
19 | Development | Site 19 | HTTP | – | No | N/A |
20 | Education | Site 20 | HTTP | 45 | No | N/A |
It is important to mention here that the vulnerability testing was performed manually and we did not use any automated penetration testing tools to ensure that no damages/disruptions are caused to these systems.
Site | Injection | Broken authentication | Sensitive data exposure | XML external entity | Broken access control | Security misconfiguration | Cross-site scripting | Insecure deserialization | Using components with known vulnerabilities | Insufficient logging & monitoring |
---|---|---|---|---|---|---|---|---|---|---|
Site 1 | No | No | Yes | – | Yes | Yes | No | – | Yes | – |
Site 2 | No | No | Yes | – | Yes | Yes | No | – | Yes | – |
Site 3 | No | No | Yes | – | Yes | Yes | No | – | Yes | – |
Site 4 | No | No | Yes | – | Yes | No | No | – | No | – |
Site 5 | Yes | No | Yes | – | Yes | Yes | Yes | – | Yes | – |
Site 11 | No | No | Yes | – | Yes | No | No | – | No | – |
Site 12 | Yes | No | Yes | – | Yes | Yes | Yes | – | Yes | – |
Site 13 | No | Yes | No | – | Yes | Yes | Yes | – | Yes | – |
Site 14 | No | No | Yes | – | Yes | No | No | – | Yes | – |
Site 15 | No | No | Yes | – | Yes | No | No | – | Yes | – |
Site 16 | No | No | No | – | Yes | No | No | – | No | – |
Site 17 | No | No | Yes | – | Yes | Yes | No | – | No | – |
Site 18 | No | No | Yes | – | Yes | No | No | – | Yes | – |
Site 19 | No | No | Yes | – | Yes | Yes | No | – | Yes | – |
Site 20 | No | No | No | – | Yes | No | No | – | No | – |
In this paper, a framework is proposed for Asset Security Classification of information systems. The framework is based on the collection and analysis of a huge data about the System Under Test (SUT) and assigned a security level (High, Medium, Low) to the SUT to prioritize it for security testing. The framework calculates the confidentiality, integrity, availability, and exposure level of the SUT using the formulated mathematical equations before automatically assigning a security level to the SUT. The framework is evaluated on a collection of 451 web-based information systems. A total of 242 systems were assigned appropriate Security Level (High, Medium, Low) as the remaining systems were either not accessible or not allowed to be tested for security reasons. We further performed security testing on a sample extracted from the prioritized systems to investigate the presence of OWASP (Open Web Application Security) Top 10 vulnerabilities. Our results revealed the presence of several vulnerabilities in these systems.
The proposed approach is beneficial as it provides organization a detailed overview about the security requirements for their assets and to prioritize their assets for security testing.
Although, our focus in this work is to prioritize and test the web-based systems, the proposed technique is generic and can be applicable to other types of systems with little modification. In addition, automation of the proposed framework can also be performed in future to collect all the data automatically from the web based systems, analyze it and assign an appropriate security level.
We are very thankful to the team of KP CERC (Khyber Pakhtunkhwa Cyber Emergency & Response Center), an initiative of the KPITB, for providing the questionnaire and other resources to collect data about the web-based systems for asset classification. We are also thankful to our M.Sc. students Bilal Shahzad for data collection for assets classification and Syeda Warda Asher for vulnerabilities testing.