In discussions around web application security, SMEs and enterprises have always hogged the limelight. The private sector’s appetite for cybersecurity is ravenous, as enterprises battle to keep their profits out of the hands of grubby cybercriminals.
However, as private corporations battle malware on the cutting edge of cybercrime, it’s easy to overlook the lagging – often pitiful – defenses of the public sector. Despite the enormous amount that we depend on the police, fire department, education and healthcare bodies, the defenses these organizations have against cyber attacks is shockingly bad.
Parts of this problem stem from funding; others from a lack of awareness and adaptability.
A Persistent Socio-Software Problem
In the UK, the government recognized an extreme deficit in public cybersecurity in 2019.
As one small cog in the response, CyberAlarm was launched in mid-2020. In order to provide smaller council bodies and non-profits better protection, the free app installs data collectors around a network’s perimeter. These detect suspicious user activity and report it back to the local police body.
Paul Moore, a cybersecurity professional, heard about his local police force’s adoption of CyberAlarm in November 2021, and decided to take a closer look. At first, CyberAlarm provided him with an outdated file – test code that had been abandoned 2 years ago. This immediately set off alarm bells, and – once he was provided with current, live software – his suspicions appeared correct.
He discovered “20-something issues… to do with the live version”, chief amongst them a serious oversight that disabled TLS verification.
The governing body’s response was lukewarm – to say the least. Eventually, when he continued to insist that he was correct in his independent analysis – he was sent a cease and desist letter. Flexibility and proactivity are almost non-existent in the public sector’s cybersecurity. This is reflected in the US, too: exponential increases in malware attacks are symptoms of this outdated attitude.
Unfortunately, in a world where apps are kept in agile cycles of repeated bug-fixing and development, the habit of complacency is altogether too common – and incredibly dangerous.
What is a web app vulnerability and why is it important?
40% of malware attacks on public organizations stem from web-based application vulnerabilities. These are defined as an unintended weakness in an application, exploited to gain access to protected information.
OWASP is an open-source project that keeps an eye on the frequency and types of web application security faults over the years. Noticeably, since 2017, there has been very little change in the top 10 highest-occuring app vulnerabilities.
2021’s highest-occurring attacks stem from software vulnerabilities; broken access controls; and misconfiguration. The overall stagnation of the top 10 points to a chronic failure to adapt.
Though the throes of the pandemic are now fading, the impact it had on cybersecurity in both private and public sectors continues to be felt.
As the world scrambled to WFH, major oversites and misconfigurations were made; chief of which stemmed from a choice to facilitate remote working through VPNs. While VPNs can be valid forms of basic defense, VPN apps have opened wide vulnerabilities in the public sector.
March 2020 saw a major cybersecurity attack on the World Health Organization, originating from hacking group Dark Halo. The same group more recently launched a complex, multi-faceted attack on Chinese embassies through their VPN apps. The VPN app in question – SangFor – was the group’s attack vector of choice. When a SangFor client connects to the server, the client obtains an update – a configuration file.
However, the client-side VPN app had no checks or control for what file was downloaded in this process. Because of this, criminals were able to hijack the VPN session, and replace the updated executable with their own malicious code.
The code in question then moved to set up communication with a remote third-party (C2) server. It also downloaded shellcode for execution. This shellcode had a few functions: the first was to fingerprint the infected machine. It collects the IP/MAC address, system version, processes and other software information, before sending it in a neat package to the C2. Next, it installs a selection of malicious download libraries; these in turn load the core backdoor component, thinmon.dll. This backdoor component then cascades to a thread-starting or injecting process.
This one VPN insecurity therefore lends full device control to the malicious actor. When the attacker has access, the network continues to trust the compromised device, allowing for even greater damage.
82% of public sector applications contain security flaws.
Everyone has some degree of responsibility in the security and safety of their public organizations. Whether that’s internally – actively choosing higher levels of protection – or whether that’s forcing change from the outside as a vocal, knowledgeable voter.
Internally, change is brought about in small degrees. One example of a small but mighty software solution is a Web Application Firewall.
Web Application Firewalls (or WAFs) monitor the HTTP traffic flowing between an app and your server. These can be tightly configured to your organization’s needs; including whether you want a negative or positive security approach.
These entail black- or white-listing all traffic, and can prevent malicious actors preaching a perimeter.
A greater, more cohesive evolution of a WAF is a Runtime Application Self-Protection solution (RASP). This is a dual-software and hardware response to threats, incorporating an intrusion detection system for any app on your network – cloud-based or otherwise. However, the greatest barrier to the public sector’s cybersecurity is not the wealth of security options available for the private sector.
The true issue is budget, and this is where we are able to make a change.
The atrocious data visibility plaguing the public sector is a direct result of budget cuts.
The UK and US are finally shifting their approaches towards a more cohesive, data-sharing solution; the UK’s 2021 spending review details that an additional £37.8m has been allocated to improve security systems. This is a step in the right direction, but ultimately a drop in the ocean of the $132.94 billion private cybersecurity market.
Re-juggling your local government’s priorities is possible only through engaging with local elections. All of our data is at stake, and everyone must play a part in its defense.