Sadeeq Jan, Omer Bin Tauqeer, Fazal Qudus Khan, George Tsaramirsis, Awais Ahmad, Iftikhar Ahmad, Imran Maqsood and Niamat Ullah
1 National Center for Cyber Security, Department of CS&IT, University of Engineering & Technology, Peshawar, Pakistan
2 Department of Information Technology, FCIT, King Abdulaziz University, Jeddah, Saudi Arabia
3 Dipartimento di Informatica (DI), Università Degli Studi di Milano Statale, Via Celoria 18, Milano, Italy
4 Department of Computer Science & IT, University of Engineering & Technology, Peshawar, Pakistan
5 Department of Software Engineering, University of Engineering & Technology, Mardan, Pakistan
6 University of Buner, Buner, Pakistan
Abstract: Over the last decade, a significant increase has been observed in the use of web-based information systems that process sensitive information, e.g., personal, financial and medical data. With this increased use, the security of such systems has become a crucial aspect in ensuring the safety, integrity and authenticity of the data. To achieve the objectives of data safety, security testing is performed. However, with the growth and diversity of information systems, it is challenging to apply security testing to each and every system. Therefore, it is important to classify the assets based on their required level of security using an appropriate technique. In this paper, we propose an asset security classification technique to classify the System Under Test (SUT) based on various factors such as system exposure, data criticality and security requirements. We perform an extensive evaluation of our technique on a sample of 451 information systems. Further, we use security testing on a sample extracted from the resulting prioritized systems to investigate the presence of vulnerabilities. Our technique achieved promising results, successfully assigning security levels to the assets in the tested environments, and the follow-up testing also found several vulnerabilities in them.
Keywords: Security; security testing; privacy; asset classification
Complex web-based systems either contain or utilize private and critical information which must remain secure from unauthorized access and tampering. Similarly, basic web applications may also process sensitive information and are constantly at risk of being attacked. New and complex systems used in cloud computing for data crunching and information gathering may also be vulnerable to various attacks and threats. To ensure the security of these systems and applications, security testing is required. There are various types of security testing techniques that are used to find vulnerabilities. The most common form of testing is Penetration Testing, also known as “Pen Testing”. Penetration testing is carried out by simulating real attacks on systems to identify exploitable vulnerabilities and the damage they would incur [1,2]. The Open Web Application Security Project (OWASP) is a well-known online community that provides various techniques and tools for securing web-based systems [3]. The most common of these is the document titled OWASP Top 10 Web Application Vulnerabilities, published every 3 to 5 years [4]. The document discusses the most common vulnerabilities that potentially exist in many web applications. It also describes how the vulnerabilities can be exploited by attackers, along with identifying the key techniques that can be employed as safeguards against such attacks. The three fundamental features of security that are checked during any security testing process are [5,6]:
Confidentiality: the assurance that information is not disclosed to unauthorized individuals, processes, or devices.
Integrity: provided when data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed.
Availability: the guarantee of timely, reliable access to data and information services for authorized users.
These security principles make up the CIA triad, which is the most commonly used and oldest security standard around the globe. Over the years, with the increase in the complexity and wide variety of systems and applications, more security features have been added, such as:
Authentication: a security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information.
Authorization: the access privileges granted to a user, program, or process.
Non-repudiation: the assurance that none of the partners taking part in a transaction can later deny their participation.
The focus of providing security should be applied at the web application layer to protect it from unauthorized users, by building security into the software development lifecycle [7]. The effectiveness of the testing process significantly depends on the tools used to support the process. Testing tools usually automate some of the tasks required by the process, such as test case generation, test case execution and evaluation of the test case results. Several testing tools support the production of useful testing documentation and provide configuration and management of these tools [8]. The existing approaches for mitigating threats to Web applications can be divided into client-side and server-side solutions. On the server side, we can consider an application-level firewall offering protection in case of suspected cross-site scripting (XSS) attacks that attempt to steal a user’s credentials [9]. Server-side solutions have the advantage of being able to discover a larger range of vulnerabilities, and the benefit of a security flaw fixed by the service provider is instantly propagated to all its clients. These server-side techniques can be further classified into dynamic and static approaches [10]. Dynamic tools and Perl’s taint mode try to detect attacks while executing the audited program, whereas static analyzers scan the Web application’s source code for vulnerabilities [11]. Assessment or testing of security risks, both from outside and within the organization, can include someone’s access to classified information and transferring it to a USB drive [12].
Security testing is often performed for a single System Under Test (SUT); however, there are usually more systems or components that need to be tested in a complex web-based infrastructure. In such cases, it becomes a difficult decision for the tester/organization which system/component should be tested first among the vast number of systems [13–18]. For such scenarios, a technique is needed to classify the assets of an organization. In this paper we propose an asset classification system for web-based information systems that assigns a priority level to each system based on its security needs.
Our proposed technique verifies the quality of data that the system stores, analyses, processes and transfers, as well as the criticality of the system, determined via a checklist that focuses on these aspects of the system. The technique utilizes information collected and described during the planning and design stage of the security testing and the Software Development Life Cycle (SDLC). This information is further used to consider the exposure of the system to various types of users. All the collected information about the various aspects of an SUT is then analyzed to calculate the criticality value of the asset, and an appropriate category (High, Medium, Low) is assigned to it. For evaluating the effectiveness of our proposed approach, we performed testing on 400 web-based information systems of the province of Khyber Pakhtunkhwa, Pakistan. Finally, we analyzed a sample of the categorized systems for the investigation of OWASP Top 10 vulnerabilities.
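As an added illustration (not the authors' implementation; the paper does not publish its weights or thresholds, so the factor scales, weights and band cut-offs below are assumptions), the following Python sketch shows how the three inputs described above, exposure, data criticality and security requirements, can be combined into a criticality value, mapped to High, Medium or Low, and used to order a constructed inventory of four hypothetical systems:

```python
"""Illustrative asset-criticality scoring. Added example; the weights, scales
and thresholds are assumptions, not the paper's published formula."""
from dataclasses import dataclass

# Assumed factor scales: each factor is rated 1 (low) to 3 (high).
EXPOSURE = {"internal": 1, "partner": 2, "public": 3}
DATA_CRITICALITY = {"public": 1, "internal": 2, "sensitive": 3}  # e.g. personal, financial, medical
SECURITY_REQUIREMENTS = {"basic": 1, "standard": 2, "strict": 3}  # CIA only .. CIA + authn/authz/non-repudiation

# Assumed weights; they sum to 1 so the score stays in the 1.0 .. 3.0 range.
WEIGHTS = {"exposure": 0.4, "data": 0.4, "requirements": 0.2}


@dataclass
class Asset:
    name: str
    exposure: str
    data: str
    requirements: str


def criticality_score(asset: Asset) -> float:
    """Weighted sum of the three factor ratings, rounded to two decimals."""
    raw = (WEIGHTS["exposure"] * EXPOSURE[asset.exposure]
           + WEIGHTS["data"] * DATA_CRITICALITY[asset.data]
           + WEIGHTS["requirements"] * SECURITY_REQUIREMENTS[asset.requirements])
    return round(raw, 2)


def category(score: float) -> str:
    """Assumed band cut-offs splitting the 1..3 range into three classes."""
    if score >= 2.5:
        return "High"
    if score >= 1.75:
        return "Medium"
    return "Low"


def prioritise(assets):
    """Return (name, score, category) tuples, most critical first."""
    scored = [(a.name, criticality_score(a), category(criticality_score(a))) for a in assets]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample inventory (hypothetical systems, not from the paper's data set).
SAMPLE = [
    Asset("citizen-portal", "public", "sensitive", "strict"),
    Asset("intranet-wiki", "internal", "internal", "basic"),
    Asset("vendor-invoicing", "partner", "sensitive", "standard"),
    Asset("press-site", "public", "public", "basic"),
]

if __name__ == "__main__":
    for name, score, band in prioritise(SAMPLE):
        print(f"{name:18s} {score:.2f} {band}")
```

The ordering is what a test team would consume: the public system holding sensitive data with strict requirements is tested first, while an internal wiki with basic requirements can wait.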
The rest of the paper is organized as follows. Section 2 provides a succinct summary of the related work. Section 3 provides a background on the OWASP Top 10 vulnerabilities. Section 4 presents our proposed approach for asset security classification in detail. Section 5 describes the details of our study design, including the subjects’ selection and methods of analysis. The results are discussed in Section 6. Finally, the conclusion and future work are presented in Section 7.
Attacks on web-based systems have increased significantly over the last few years. The number of attacks grew from 17 million to 50 million between the years 2015 and 2016 [19]. Similarly, the number of new vulnerabilities found in web applications saw an increase of 212% in 2017 as compared to 2016 [1]. In 2018, Google sent over 45 million notifications to various web administrators alerting them about possible problems with their websites that could affect their appearance in a search. Therefore, there is a dire need to take appropriate security measures to counter these attacks.
A web-based platform is a complex system consisting of several components, tools, devices and technologies, e.g., HTTP/S protocols, application development technologies like PHP and ASP, and web clients (browsers etc.). Further, almost all types of these systems are continuously being targeted by attackers, and therefore organizations use intrusion detection/prevention systems (IDS/IPS) and firewalls to protect and monitor such networks [8]. Although a number of preventive measures are used to secure the deployed web applications, security testing has become a critical activity at the development phase. The purpose of security testing is to ensure confidentiality and authenticity of the data, as well as ensuring the availability of the services to the end user. Such security testing is used to verify whether the web application fulfills its security requirements in the case of malicious user inputs [20]. There are various challenges when carrying out security testing of systems and applications, and newly discovered vulnerabilities are making the task more complicated. Developers/testers need to understand the importance of all such issues/challenges when conducting security testing.
A framework for assessing the risk of vulnerabilities in e-government sites has been discussed by Anastacio et al. [21]. The authors discussed the benefits and risks of e-government systems. In the authors’ view, the value or importance of an e-government system depends on its difference from other systems and the interactions of the users with the system. Rjaibi et al. [22] provided an analysis technique for the security assessment of e-learning systems. Security requirements such as privacy, non-repudiation and authentication have been identified along with the types of possible attacks, such as buffer overflow, cross-site scripting, insecure direct object referencing and information leakage. The authors considered availability the most important security requirement. Patel et al. [23] proposed a risk assessment modeling technique for modeling the possible attacks and their impact on industrial systems. The technique allowed them to determine the financial losses that can occur due to cyber-attacks on these types of systems. The authors applied their technique to find the financial loss caused by an attack on a SCADA-based system and, based on their methodology, found an estimated possible yearly loss of $454,094.
Almadhoob et al. [24] performed a study to analyze cybercrimes and their effects in Bahrain. For this purpose, a survey was carried out by the authors among the different businesses and organizations working in Bahrain. Based on the survey, an audit plan was created that, if utilized, would protect the businesses in Bahrain from cyber-attacks on their systems. The authors found that of 34 total participants, 31 had been affected by phishing attacks. It was also found that most of the participants had not added important security controls to protect their systems. Of the total participants, only 13 were found to have controls in place to track changes made to the data hosted on their systems. Saripalli et al. [25] propose a quantitative framework for the calculation of risk and impact on the security of different cloud computing environments. The framework measures security events and categorizes them into one of six pre-defined categories. The framework utilizes the wide-band Delphi method for calculating the measures in quantitative form. According to the authors, the framework would provide the different user types interacting with the cloud environment, as well as regulating agencies, with statistically usable data. The authors point out that utilization of this framework would require a large amount of input in the form of risk knowledge and objectives.
In addition to the asset classification, we also aim at security testing for vulnerabilities, especially the web vulnerabilities that may exist in web-based information systems. Therefore, in this section, we provide an overview of the widely known vulnerabilities as listed by the Open Web Application Security Project [3], commonly known as OWASP.
OWASP is a platform developed by and for the IT community. This platform is used to share knowledge and tools among professionals and beginners alike in the pursuit of defending against attacks on web-based systems. OWASP provides open source tools as well as documents focusing on finding security-related attacks and vulnerabilities, guarding against attacks and further strengthening the security activities protecting the systems. OWASP ZAP [26] is one of the most widely used tools to discover vulnerabilities and attacks that can be used to affect a system. Similarly, OWASP Juice Shop [27] is an application that has been developed with the most common security flaws that affect web applications in mind. It is used as a tool for teaching beginners and newcomers to the field of security how various security vulnerabilities can be used by attackers due to the flaws that remain unfixed in the system during the development phase.
In addition to tools, OWASP also provides documentation for developers to learn about the various vulnerabilities and how to harden systems against them [28]. The OWASP Testing Guide [29] is a useful resource for this purpose and provides detailed best practices for system hardening and security testing. Another documentation project by OWASP is the OWASP Top 10 Vulnerabilities [4], which lists the vulnerabilities found in most web applications and demonstrates how a slight coding habit can grow into a security threat. The most recent OWASP Top 10 list was released in 2017 and lists SQL injection as the most common and dangerous security vulnerability.
The OWASP vulnerabilities are listed below in the order of their severity.
An injection attack allows an attacker to insert malicious data into a program via input sources, e.g., input fields. These attacks are commonly found in SQL, LDAP, XPath etc. In the case of a SQL injection attack, the attacker can read, modify or delete the database, or execute other queries. In these types of attacks, the way the code constructs and handles queries determines the security of the program [30].
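The following added example (not from the paper) shows the defect behind a SQL injection and its fix in Python with the standard sqlite3 module, on a constructed in-memory users table: the vulnerable function splices the input into the query text, so a single quote in the input changes the structure of the query, while the hardened function binds the value as a parameter so the database engine never parses it as SQL.

```python
"""SQL injection: string-built query versus parameterized query.
Added example with a constructed in-memory database."""
import sqlite3


def make_db():
    """Constructed sample data: three users with roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # Vulnerable: the caller's input becomes part of the SQL text, so a quote
    # in the input terminates the literal and the rest is executed as SQL.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    # Hardened: the value travels as a bound parameter; the query structure is
    # fixed at compile time and the input can only ever be compared as data.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Constructed probe input: an always-true clause appended via a closing quote.
PROBE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, PROBE))  # every row leaks
    print("safe:      ", find_user_safe(db, PROBE))        # no row matches
```

With the parameterized form the probe is simply a literal name that matches nothing; the same input against the concatenated form returns the whole table, which is the "read the database" outcome the paragraph describes.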
Many web applications require users to log in with their credentials. Typical cases require a username and password, which are used to generate a random session id that authenticates all subsequent actions as those of the legitimate user. Disclosure of these credentials occurs for reasons such as transmission through insecure channels and security misconfiguration. Upon obtaining such credentials, attackers can impersonate a legitimate user. Therefore, authentication and session management must be handled properly to protect the users’ data from unauthorized disclosure or modification [31].
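As an added example (not part of the paper), this Python class shows the session-handling practices the paragraph calls for: session identifiers drawn from the OS CSPRNG via the secrets module, a server-side expiry (the 30-minute TTL is an assumed policy value), identifier rotation after login to defeat session fixation, and a cookie header carrying the HttpOnly, Secure and SameSite attributes so the identifier is neither readable by page scripts nor sent over an insecure channel. The injectable clock exists only so expiry can be exercised deterministically.

```python
"""Server-side session store with unguessable ids, expiry and rotation.
Added example; SESSION_TTL is an assumed policy value."""
import secrets
import time

SESSION_TTL = 30 * 60  # seconds; assumed policy


class SessionStore:
    """Session table keyed by an unguessable identifier."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable for deterministic expiry tests

    def create(self, user):
        # 32 random bytes (256 bits) from the OS CSPRNG, URL-safe encoded.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": self._clock() + SESSION_TTL}
        return sid

    def user_for(self, sid):
        """Return the user bound to sid, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() > entry["expires"]:
            del self._sessions[sid]  # expired: drop it so it cannot be replayed
            return None
        return entry["user"]

    def rotate(self, old_sid):
        """Issue a fresh identifier after a privilege change (e.g. successful login)."""
        user = self.user_for(old_sid)
        if user is None:
            return None
        del self._sessions[old_sid]  # the pre-login id must stop working
        return self.create(user)

    def destroy(self, sid):
        """Logout: forget the session server-side, not just in the browser."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie value that keeps the id away from scripts and plain HTTP."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create("anonymous")
    logged_in = store.rotate(anonymous)  # after password check succeeds
    print(session_cookie_header(logged_in))
    print("old id still valid:", store.user_for(anonymous) is not None)  # False
```

Keeping the session state on the server means a leaked identifier can be revoked immediately with destroy(), which is not possible when the session is only a signed token held by the client.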
Sensitive data exposure occurs when a web application or program does not adequately protect its data and information. If this data is accessed by attackers, it can result in financial or business loss. Examples include data exposed by an error message, weak cryptography, and the lack of headers preventing browser caching.
XML is used to describe data. Two systems running on different technologies can communicate with each other using XML. An XML External Entity attack takes place when a reference to an external entity is processed by a weakly configured parser, which may result in information disclosure, Denial of Service (DoS) attacks or port scanning [32].
In an access control mechanism, also known as authorization, users are allotted access to resources according to their roles, e.g., admin, employee or guest. Broken access control is one of the most common and highly exploitable vulnerabilities. Access controls are exploited by changing parameter values, giving direct access to an unauthorized system object. The most common impact is privilege escalation, the practice of providing users more rights or access than required, hence weakening the system security [29].
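To make the broken access control pattern concrete, here is an added Python example (not the paper's code) over a constructed record store: the vulnerable accessor trusts whatever record identifier the client supplies, so changing the parameter value returns another user's record, while the hardened accessor enforces ownership or an admin role and records each denial, which is the signal a detection team would want to alert on when one account probes many identifiers.

```python
"""Direct object reference without and with an authorization check.
Added example over constructed sample records."""
from dataclasses import dataclass


@dataclass
class Record:
    id: int
    owner: str
    body: str


# Constructed sample data: two employees' records and a role table.
RECORDS = {
    1: Record(1, "alice", "alice's payslip"),
    2: Record(2, "bob", "bob's payslip"),
}
ROLES = {"alice": "employee", "bob": "employee", "root": "admin"}

DENIALS = []  # audit trail of refused requests as (user, record_id)


class Forbidden(Exception):
    pass


def get_record_vulnerable(user, record_id):
    # Only the identifier is used; the caller's role and ownership are never
    # checked, so any authenticated user can read any record by changing the id.
    return RECORDS[record_id].body


def get_record_safe(user, record_id):
    record = RECORDS.get(record_id)
    if record is None:
        raise KeyError(record_id)
    # Allow the owner, or an admin; everything else is denied and logged.
    if ROLES.get(user) == "admin" or record.owner == user:
        return record.body
    DENIALS.append((user, record_id))
    raise Forbidden(f"{user} is not allowed to read record {record_id}")


def can_read(user, record_id):
    """Boolean wrapper around the hardened accessor."""
    try:
        get_record_safe(user, record_id)
        return True
    except Forbidden:
        return False


def denial_count(user):
    """Repeated denials from one user across many ids suggest enumeration."""
    return sum(1 for denied_user, _ in DENIALS if denied_user == user)


if __name__ == "__main__":
    print("vulnerable, bob reads id 1:", get_record_vulnerable("bob", 1))
    print("safe, bob reads id 1:", can_read("bob", 1))   # False
    print("denials for bob:", denial_count("bob"))       # 1
```

The check is deliberately placed next to the data access rather than in the URL routing layer, so every code path that reaches a record passes through it.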
Security misconfiguration vulnerabilities appear in systems due to the use of weak passwords or encryption, the use of default settings, incomplete or improper configuration of settings, outdated software, unpatched flaws etc.
Cross-site Scripting attacks are a type of injection attack. The attacker generally injects the malicious code through a browser-side script. Nowadays, JavaScript is enabled in most web applications to provide rich functionality to users. This also provides the attacker an opportunity to exploit and execute their attack. One of the main difficulties in stopping XSS vulnerabilities is proper character encoding, where the web applications are unable to filter the character encodings; for example, there is a possibility that the web application might filter out
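As an added example (not from the paper), the Python functions below contrast a template that concatenates user-supplied text into HTML with one that encodes it for the context it lands in, using the standard html module; the comment string is constructed. Context-aware output encoding is the defence the paragraph alludes to: rather than trying to filter particular characters or tags, every untrusted value is encoded so the browser can never interpret it as markup, and a Content-Security-Policy header limits what an injected script could do if encoding were ever missed.

```python
"""Reflected user content: raw concatenation versus context-aware encoding.
Added example with a constructed comment string."""
import html


def render_comment_vulnerable(comment):
    # Raw concatenation: any '<' or '"' in the comment becomes live markup.
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    # Element-content context: html.escape encodes &, <, > and, with
    # quote=True, also " and ', so the text is displayed, never parsed.
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def render_link_safe(label, url):
    # Attribute context: encode the value and allow only http(s) targets,
    # because encoding alone does not neutralise a script-scheme URL in href.
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


def security_headers():
    """Defence in depth for pages that render user content."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_markup(rendered, user_text):
    """True if the user's text survived into the output as raw tags."""
    return "<" in user_text and user_text in rendered


# Constructed input: a comment that is itself a script element.
SAMPLE_COMMENT = '<script>alert("xss")</script>'

if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_COMMENT))  # script element reaches the browser
    print(render_comment_safe(SAMPLE_COMMENT))        # shown as literal text
    print(render_link_safe("home", "https://example.org/?a=1&b=2"))
```

Encoding is applied at output time, per context, rather than at input time: the same stored comment may later be rendered into an attribute, a URL or a JSON payload, each of which needs a different encoding.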