However, I had a great conversation with the guys over at Securus Global the other day, and whilst discussing a PCI-DSS interpretation/good practice query they mentioned a threat vector I hadn't thought of.
Back in the day, when I started in infosec more than 10 years ago, threat modelling was almost a waste of time. It was all web server compromise, pivot to own other boxes in the DMZ, compromise the database listener, exfiltrate the database, and so on. Most websites were static HTML content; there was no dynamic content and therefore no opportunity for SQL injection, and the easy way in was compromising the web server software. It was more valuable to spend your time scrambling to patch web server software, set database listener passwords, tweak firewall configurations and drop in an Intrusion Detection System.
Now, with the focus on client-side attacks and Web 2.0, it may be worth your while dusting off your threat models and "attack trees" to make sure you have covered all of your bases. That way the bad guys won't be all en.wikipedia.org/wiki/All_your_base_are_belong_to_us
Here are some examples of threat vectors for a stock standard website performing password-protected transactions and storing some sensitive information. The ones in bold you may not have thought of:
- Core web server software or a web server software extension is compromised; a link to malware is hosted on your website or, even worse, you are used to host malware!
- A SQL injection attack is undertaken, extracting the contents of the database via responses from the web server, or the attack drops out to the operating system of the database server and uploads the whole database to the attacker's server.
- SQL injection or a persistent Cross Site Scripting attack is undertaken, linking your visitors to a site hosting malware, presenting a web page that looks like a Windows lock screen to steal their password, or simply stealing their session tokens.
- You have a flaw in the implementation of your session management mechanism, or encryption of session tokens is not performed consistently, allowing an attacker to hijack sessions (probably requiring some reconnaissance beforehand using their own or a stolen account).
- You have an insecure direct object reference vulnerability, allowing an attacker to cycle through information stored by users of the system.
- Your advertisement service provider is compromised, resulting in malware being served through the advertisements on your website.
- You don't have split DNS set up, and DNS poisoning redirects your intranet web page to a copy hosted externally (with some nasty malware hosted on it).
- Your system administrator is emailed a PDF (of interest to them) containing custom malware that downloads and installs a remote access trojan, enabling the attacker to capture administrative credentials that work on an internet-accessible administration interface.
- Your system administrator is socially engineered into visiting a website (hosting malware) by a phone call, voicemail message, letter or flyer.
- Your system administrator is sent malware on a USB key vendor freebie, in a package addressed to them with vendor sales collateral.
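The insecure direct object reference item above is the one most easily shown in code. What follows is an added example, not code from the original post: a record lookup that trusts the client-supplied id, beside one that binds the authorization check to the session's user and returns the same error for missing and foreign records. The in-memory record store, the user and record ids, and the function names are all constructed for this illustration.

```python
"""Insecure direct object reference (IDOR): a vulnerable lookup beside a hardened one.

Added example, not from the original post. The in-memory "database", the
record ids and the owner ids below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int
    body: str


# Constructed sample data: records belonging to two different users.
RECORDS = {
    101: Record(101, owner_id=1, body="user 1 statement"),
    102: Record(102, owner_id=2, body="user 2 statement"),
    103: Record(103, owner_id=2, body="user 2 address"),
}


class Forbidden(Exception):
    """Raised when the session's user may not see the requested record."""


def get_record_vulnerable(record_id: int, session_user_id: int) -> Optional[Record]:
    """Vulnerable: looks the record up by the id the client sent and never
    compares it with the session's user, so any authenticated user can read
    any record simply by changing the id in the request."""
    return RECORDS.get(record_id)


def get_record_hardened(record_id: int, session_user_id: int) -> Record:
    """Hardened: the ownership check uses the user id taken from the
    server-side session, not anything the client supplied. A record that
    does not exist and a record owned by someone else produce the same
    error, so the response does not reveal which ids are in use."""
    record = RECORDS.get(record_id)
    if record is None or record.owner_id != session_user_id:
        raise Forbidden(f"record {record_id} not accessible")
    return record


def readable_record_ids(
    lookup: Callable[[int, int], Optional[Record]],
    session_user_id: int,
    id_range: Iterable[int],
) -> List[int]:
    """Audit helper: which record ids can one session reach through the given
    lookup? Walks a contiguous id range the way a tester would when checking
    for IDOR and returns the ids that came back with data."""
    reachable = []
    for rid in id_range:
        try:
            record = lookup(rid, session_user_id)
        except Forbidden:
            continue
        if record is not None:
            reachable.append(record.record_id)
    return reachable


if __name__ == "__main__":
    # User 1 should only ever see record 101.
    print("vulnerable:", readable_record_ids(get_record_vulnerable, 1, range(100, 105)))
    print("hardened:  ", readable_record_ids(get_record_hardened, 1, range(100, 105)))
```

The point of `readable_record_ids` is that it is the same check a security tester performs: run it as user 1 against both lookups and the vulnerable one hands back every user's records, while the hardened one hands back only record 101. Note that the hardened version never trusts a user id carried in the request, a hidden form field or a cookie the client can edit; it uses the one the server associated with the session.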
Controls you may want to consider to combat the above include:
- Security awareness training
- Secure development standards
- Automated Source Code Analysis by an application security professional
- Testing your application security against defined criteria
- Web and Email Content Management (maybe combined with PDF sanitisation if you are a high-risk organisation)
- Restricting outbound internet access from workstations to proxy servers only
- Monitoring web proxy logs for unusual activity
- Restricting server-initiated outbound internet access for web servers, application servers and database servers (remember the proper use of stateful inspection firewalls)
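The last three controls (proxy-only egress from workstations, proxy log monitoring, and restricted server-initiated outbound access) are only useful if somebody checks the logs against the policy. The following is an added example, not from the original post or any product: a small Python script that runs three detection rules over constructed connection log lines. The log format, the subnets, the proxy address, the server allow-list and the upload threshold are all assumptions made for the example.

```python
"""Egress policy checks over constructed connection log lines.

Added example, not from the original post. Everything below (log format,
network layout, allow-list, threshold) is an assumption for illustration.
Each log line: <timestamp> <src_ip> <dst_host> <dst_port> <bytes_out>
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed network layout (constructed).
SERVER_NETS = [ipaddress.ip_network("10.10.0.0/24")]        # web, app, db servers
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # staff workstations
PROXY_IPS = {ipaddress.ip_address("10.10.0.50")}            # the only permitted egress path for workstations
# Assumed policy: servers may initiate outbound connections only to these hosts
# (for example a patch mirror); everything else is a policy violation.
SERVER_ALLOWED_DST = {"updates.example.com"}
# Bytes sent by one source within the log window above which we want a look.
UPLOAD_BYTES_THRESHOLD = 5_000_000

# Constructed sample log: two workstations, two servers, one of each misbehaving.
SAMPLE_LOG = """\
2010-06-01T09:00:01 10.20.3.14 10.10.0.50 3128 1200
2010-06-01T09:00:05 10.20.3.14 203.0.113.9 443 540
2010-06-01T09:01:10 10.10.0.12 updates.example.com 443 800
2010-06-01T09:02:30 10.10.0.21 198.51.100.77 443 6200000
2010-06-01T09:03:00 10.20.7.2 10.10.0.50 3128 900
"""

Alert = Tuple[str, str, str]  # (rule, source, detail)


def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into its fields; raises ValueError on a malformed line."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def in_nets(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in net for net in nets)


def is_proxy(dst: str) -> bool:
    """True when the destination is one of our proxies (hostnames never are)."""
    try:
        return ipaddress.ip_address(dst) in PROXY_IPS
    except ValueError:
        return False


def analyse(log_text: str) -> List[Alert]:
    """Apply the three egress rules and return the alerts in the order found:
    1. server-outbound: a server initiated a connection to a host outside its allow-list.
    2. workstation-bypass-proxy: a workstation went somewhere other than the proxy.
    3. large-upload: one source sent more than UPLOAD_BYTES_THRESHOLD in the window."""
    alerts: List[Alert] = []
    bytes_by_src: Dict[str, int] = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        src, dst = entry["src"], entry["dst"]
        # The proxy itself lives in the server net; in a real deployment it would
        # need its own allow rule, which this constructed sample does not exercise.
        if in_nets(src, SERVER_NETS) and dst not in SERVER_ALLOWED_DST:
            alerts.append(("server-outbound", str(src), dst))
        elif in_nets(src, WORKSTATION_NETS) and not is_proxy(dst):
            alerts.append(("workstation-bypass-proxy", str(src), dst))
        bytes_by_src[str(src)] += entry["bytes"]
    for src, total in bytes_by_src.items():
        if total > UPLOAD_BYTES_THRESHOLD:
            alerts.append(("large-upload", src, str(total)))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in analyse(SAMPLE_LOG):
        print(f"{rule:26} {src:14} {detail}")
```

Run against the sample, the script flags the workstation that reached 203.0.113.9 directly instead of via the proxy, the database-side server 10.10.0.21 that opened a connection to an address not on its allow-list, and the same server again for pushing over 6 MB outbound in the window, which is exactly the "drops out to the operating system and uploads the whole database" vector from the list above. The rules are deliberately simple; the value is in running something like them every day rather than in their sophistication.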