Web Application Security Assessment: Trend Analysis Report 2009 - Measures are required from the upper process, 66% of problems are created by the end of the design phase -
1. Preface
If you search the Internet with the key words "information leakage" in Japanese, you get "Results of about 4,100,000". It is no longer unusual to hear about information leakage incidents. The number of such incidents continues to be high each year, and a certain source reports*1 that the number of attacks targeting websites has increased significantly in 2008.
The range of business and services using websites has rapidly expanded and it has become the norm for a website to handle sensitive information such as private details, bank account, and credit card information.
On the other hand, attacks targeting such websites are increasing and becoming more diverse: unauthorized access incidents are emerging which exploit previously overlooked vulnerabilities, or which deploy new methods developed from existing ones. For example, there has been a trend where attacks are designed to evade measures already in place, such as detection and defense using security devices.
Continuing business on the Internet seems to be an endless battle against ever-emerging new attack methods. In such a situation, organizations who run a website must apply measures preemptively and cost-effectively to maintain a high level of security in their own websites.
This report explains issues with websites and security measures for organizations as well as the trend analysis of website security measures based on results of a security assessment service conducted by NRI SecureTechnologies, Ltd. (hereinafter NRI Secure) in the fiscal year 2008 and the results of the same services in the past.
- *1 (Source) NPO Japan Network Security Association "Fiscal 2008 Information Security Incident Survey Report Ver.1.1"
2. Research Outline
NRI Secure conducted a website security assessment service (web application security assessment) on 217 websites in the fiscal year 2008 (April 1, 2008 - March 31, 2009).
These 217 websites are operated by 64 organizations (corporations, government and municipal offices) of the business types indicated in figure 1. The business type is that of the client organization, even where the website's development and operation are outsourced. Also, the business type counts are per website; in other words, when the security assessment was conducted on multiple websites in one organization, each of those websites is counted under that organization's business type.

Figure 1: Breakdown of the business types of the assessed websites' owner organizations
3. Website Security Situation from the Results of the Security Assessment
3.1 Websites with critical flaws slightly decreased to 34%
By summarizing the results of the security assessment in the year 2008, our assessment team has confirmed that unauthorized access to sensitive information such as other users' private information was possible in 34% of websites. Also, while unauthorized access to sensitive information could not be confirmed, flaws which could lead to information leakage were found in 42% of websites. Figure 2 shows the annual change of the assessment results. The ratio of websites with critical flaws has decreased by 7% since the previous fiscal year, to below 40% for the first time since NRI Secure started analyzing the results of the security assessment. On the other hand, the ratio of websites with a possibility of information leakage has increased while the ratio of safe websites has decreased.
- *"Sensitive information" in this report indicates information whose access should be restricted to specific legitimate users with consideration to the website's features. For example, passwords and private information, the account balances for financial websites, and the credit card number and order history for shopping sites.

Figure 2: Website security assessment results by fiscal year
The decrease in the number of websites with critical flaws indicates that more organizations are taking security measures on their websites. The reason behind it is that the number of information leakage incidents continues to be high in recent years and the scale of such incidents is becoming larger every year. It is also considered that a sense of crisis is increasing in organizations as mass media report the devastating impact on organizations which have suffered security incidents. Such a situation may also have pushed organizations with relatively little interest in security measures into investing more in security.
On the other hand, the ratio of websites with a "possibility of information leakage" has increased. This may be the result of organizations being in a difficult situation where reduced overall IT investment could only cover measures for critical flaws but could not pay for measures for all other issues.
This may explain the result of the fiscal 2008 security assessment, in which a higher ratio of websites had applied incomplete measures while critical flaws were dealt with.
NRI Secure presented a proposal of specific measures with the assessment results to organizations whose websites contained security flaws, and strongly recommended that they apply the measures immediately. As a result, we assume that most of these websites have applied the appropriate measures and are now secure.
3.2 Three major security flaws directly leading to information leakage are decreasing
The proportions of the identified issues are unchanged from past results. Three types of flaws were comparatively often present where sensitive information could be illegally accessed; "spoofing by abusing insufficient checks (hereinafter spoofing)", "accessing administrative interfaces by privilege escalation (hereinafter privilege escalation)", and "database manipulation by SQL injection (hereinafter SQL injection)".

Figure 3: Detection ratio by security flaw
These flaws which allow unauthorized access to sensitive information have been decreasing each year. The frequency of detecting fatal vulnerabilities such as "spoofing", "privilege escalation", and "SQL injection" all came below 20%. This indicates that organizations are taking security measures against information leakage with a sense of crisis, and these measures against such critical flaws are showing good results.
However, "cross-site scripting" is still detected in more than 50% of websites, which is only a slight decrease from the previous fiscal year. As in the previous year, many cases of this flaw were detected in only a few pages of a website, as a result of those pages being missed while measures were applied. The difficulty of correcting every single occurrence may be one of the reasons for failing to achieve complete elimination of the flaw. On the other hand, results of measures against "SQL injection" are steadily improving, though this flaw is also often a result of an oversight. Though "cross-site scripting" is extremely well known, it is rare to see reports claiming this vulnerability as the cause of a critical information leakage. This may be why the effort for its elimination is not as thorough-going as for "SQL injection", which is more likely to cause major damage.
It is unlikely that "cross-site scripting" issues detected in a security assessment would be left uncorrected; however, costs are incurred for the correction, and a check on the validity of the correction will also be necessary.
The reactive approach of correcting only the flaws detected in a security assessment will not always eliminate all flaws, because flaws in other parts which were not subject to the assessment may be overlooked, and similar flaws are likely to be created in additional implementation. It may also be cost-ineffective due to the cost of additional correction.
While it is important to apply measures for the three major and highly dangerous vulnerabilities, measures to prevent flaws from being created in the first place are vital.
- Spoofing by abusing insufficient checks
This is a security flaw where a user, who has successfully logged in, is able to access other users' sensitive information by some means. For example, consider the case where a shopping site has a function to show the order history, and the internal "order ID" is transmitted from the web browser to the website when the user is displaying details of his/her order history. In such cases, it is common to see spoofing by manipulating the internal "order ID" and impersonating others to access unauthorized sensitive information (another person's order history, etc.).
- Accessing administrative interfaces by privilege escalation
This is a security flaw where privileged operations such as administrator functions become available by illegal operations, regardless of whether the intruder is logged in as a general user or not even logged in. Administrator functions often include access to confidential information such as to display a list of registered users' private information; therefore, such unauthorized access is highly likely to result in serious damage.
- Database manipulation by SQL injection
This is a highly dangerous security flaw where unauthorized acquisition of information in databases and execution of any commands on servers become possible by making a web application execute unexpected SQL statements. Attacks exploiting this vulnerability have caused numerous incidents since about 2005, and a public organization issued a warning in spring 2008 that many websites in Japan as well as overseas had been tampered with.
- Execution of malicious scripts using cross-site scripting
This is a security flaw where displaying false pages and acquiring Cookies become possible by executing malicious scripts on the user's web browser using a method called cross-site scripting. However, in order to abuse this security flaw, a few prerequisites must be satisfied such as tricking a user into accessing a forged URL. Therefore, websites where this security flaw was found are categorized into "Possibility of information leakage" rather than "Unauthorized access to sensitive information possible" in this report.
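The first two flaws above, "spoofing" and "privilege escalation", are both missing server-side access checks. The following is an added example (not code from the report or from any assessed site) showing a vulnerable order-history handler and an administrator function next to their hardened forms; the users, orders and roles are constructed in memory, and the `Session` type stands for whatever server-side session the application keeps.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Server-side session: identity and role come from the login step,
    never from request parameters the browser can edit."""
    user_id: str
    role: str  # constructed sample roles: "user" or "admin"


# Constructed sample data: order ID -> (owner user ID, item)
ORDERS = {
    "1001": ("alice", "laptop"),
    "1002": ("bob", "headphones"),
}
# Constructed sample registered-user list (administrator-only data)
USERS = {"alice": "alice@example.invalid", "bob": "bob@example.invalid"}


class Forbidden(Exception):
    """Raised when an access check fails."""


def order_detail_vulnerable(session: Session, order_id: str) -> str:
    """Spoofing flaw: the order ID sent by the browser is trusted as-is, so
    any logged-in user who changes the ID is shown someone else's order."""
    owner, item = ORDERS[order_id]
    return f"{owner}: {item}"


def order_detail_fixed(session: Session, order_id: str) -> str:
    """Hardened: the record must belong to the logged-in user; a manipulated
    ID that belongs to someone else is rejected instead of served."""
    record = ORDERS.get(order_id)
    if record is None or record[0] != session.user_id:
        raise Forbidden("order does not belong to this user")
    return f"{record[0]}: {record[1]}"


def list_users_vulnerable(session: Optional[Session]) -> dict:
    """Privilege escalation flaw: an administrator function reachable by a
    general user, or with no session at all, because the role is never
    checked where the data is actually returned."""
    return dict(USERS)


def list_users_fixed(session: Optional[Session]) -> dict:
    """Hardened: require an authenticated session whose server-side role is
    'admin' at every privileged entry point, not only on the menu page."""
    if session is None or session.role != "admin":
        raise Forbidden("administrator privilege required")
    return dict(USERS)


if __name__ == "__main__":
    bob = Session("bob", "user")
    print(order_detail_vulnerable(bob, "1001"))  # bob is shown alice's order
    try:
        order_detail_fixed(bob, "1001")
    except Forbidden as exc:
        print("blocked:", exc)
```

In a real application the ownership check belongs in the data-access query itself (select by owner and order ID), so that no code path can fetch a record and forget to compare the owner afterwards.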
3.3 Privilege escalation detected in many business systems
This section divides the assessed websites into "member's site", "inquiry site" and "business system" based on the assumed users and presence of the authentication process, and compares detection ratios of major security flaws.

Figure 4: Security assessment results by provided services
The detection ratio of serious flaws is higher in business systems than in member's sites and inquiry sites. Unlike websites for general consumers, many business systems are accessed only by a limited set of users, either by restricting the user's network or by not being on the Internet. Sufficient security measures are probably not considered necessary, on the assumption that unauthorized access is unlikely since access is often restricted to employees and concerned parties.
However, business systems handle highly confidential information in many cases; therefore, serious damage to the business can be caused if the system is accessed illegally. The following lists a few examples of sensitive information in business systems where unauthorized access was possible in security assessment.
- Confidential documents including contracts
- Access privileges to internal main business systems
- Functions which can directly manipulate databases

Figure 5: Flaw detection ratio by provided services
Many business systems are implemented with privilege management for each user, since accessible information and functions must be controlled depending on the user's position and department. As the privileges become greater, the importance and range of the accessible information become higher and wider; for example, department managers have greater privileges than general users, and administrators have even more.
Considering the above mentioned characteristics of business systems, if a user with low privileges attempts to illegally access a business system using "privilege escalation", confidential information which should only be accessible by administrators may leak and the resulting impact on the business will be grave. Therefore, privilege management in business systems must be implemented with thorough and careful consideration.
- Member's site
These websites assume access from general consumers and are implemented with a user authentication function using passwords. These include Internet banking (banks) sites, shopping sites, etc. They are relatively large in size.
- Inquiry site
These websites assume access from general consumers and in most cases without user authentication. These include questionnaire sites, inquiry sites, etc. They have a simple structure and are relatively small in size.
- Business system
These websites assume access from the parties concerned such as trading counterparties and their own employees rather than general consumers. In most cases they are implemented with a user authentication function using passwords. These include call center systems, order management systems, systems on an Intranet, etc.
3.4 Issues in websites where credit card information is handled
We have extracted websites where credit card information is handled to analyze their trends. These websites are mainly shopping sites.

Figure 6: Assessment results of websites where credit card information is handled
As a result, we have confirmed that unauthorized access to sensitive information was possible in 37% of the websites handling credit card information. 52% of these websites had a possibility of information leakage and only 11% were confirmed secure. Compared against the 2008 assessment results for all websites, the ratio of critical flaws detected is almost the same. This shows that security measures in websites where credit card information is handled are no better than in others.
Websites where credit card information is handled are targeted by unauthorized access due to the value of the information held, and information leakage will highly likely lead to financial damage. Therefore the required security level is higher than the rest of the websites, and their improvement is desirable.
Also, our research revealed that 52% of the websites with credit card information handling are storing credit card numbers without encryption.
The credit card information handling status was investigated through interviewing the person in charge of the given website. Cases where we were unable to obtain an answer were counted as "No answer".

Figure 7: Credit card number handling status
Financial damage may occur if credit card numbers are stored without encryption, since card numbers may leak through insiders with database access privileges, or by external parties attempting unauthorized access using "SQL injection". Security assessment in 2008 confirmed websites where credit card numbers could be illegally viewed using "SQL injection".
According to the research conducted by VISA*2, 82% of people "frequently pay by credit card" in Internet shops where credit cards are accepted. On the other hand, 6.6% of them "feel very uneasy" about credit card settlement for Internet shopping, and 33.8% of them "feel uneasy"; this shows many users are paying by credit card with a sense of uneasiness.
It is desirable that credit card information is managed securely including credit card number encryption in order to clear such uneasiness of users and make Internet shopping secure and enjoyable.
Protection of payment card information (including credit card information) is regulated in Requirement 3 of the "PCI DSS", security standards for payment card information management developed jointly by international credit card brand companies such as VISA and JCB. The security level of websites where credit card information is handled is expected to improve as PCI DSS becomes widespread.
- *2 (Reference) Visa Worldwide Japan (May 2009)
"Research in online settlement - Questioned 500 men and women who shopped on the Internet within the previous 6 months - " (Japanese only)
PCI DSS is a set of security standards for credit card information protection managed by the PCI SSC (Payment Card Industry Security Standards Council), founded by 5 international payment card brand companies. The standards lay down 12 requirements for payment card information protection, including rendering the PAN (Primary Account Number) unreadable. They also define a wide range of security measures such as restricting the scope of credit card information handling, web application security, regular vulnerability scans by approved vendors (ASV: Approved Scanning Vendor), patch management, access management, and log monitoring. PCI DSS describes the required level for each item clearly and the specific measures to be applied. Some international payment card brand companies have set a global PCI DSS compliance deadline for some merchants. PCI DSS will become a noteworthy security standard for credit card information handling in the future.
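As an added example (not from the report and not PCI SSC material), the following shows what "rendering the PAN unreadable" looks like in code, using two of the methods PCI DSS Requirement 3 lists, truncation and a keyed one-way hash, next to the unencrypted storage the report found in 52% of the sites, plus a scanner for full card numbers in a database dump or log file. The HMAC key and the 4111... number are constructed placeholders (the latter is a widely used test number).

```python
import hashlib
import hmac
import re

# Constructed placeholder key; in practice it lives in a key store separate
# from the database that holds the card records.
TOKEN_KEY = b"placeholder-hmac-key-not-a-real-secret"

# Loose pattern: 13 to 19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check used by all major card brands; it cuts false positives when
    scanning text for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip separators and reject strings that cannot be a card number."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the first 6 and last 4 digits, which is enough
    for customer support and display but useless for a fraudulent charge."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str) -> str:
    """Keyed one-way hash (HMAC-SHA256) usable as a lookup/de-duplication
    token. The key matters: an unkeyed hash of a card number can be brute
    forced because the space of Luhn-valid PANs is small."""
    digest = hmac.new(TOKEN_KEY, normalize_pan(pan).encode(), hashlib.sha256)
    return digest.hexdigest()


def store_card_vulnerable(pan: str, holder: str) -> dict:
    """The case the report describes: the full PAN written to the database."""
    return {"holder": holder, "pan": normalize_pan(pan)}


def store_card_fixed(pan: str, holder: str) -> dict:
    """PAN rendered unreadable: only the truncated form and the token are kept."""
    return {"holder": holder, "pan_masked": truncate_pan(pan),
            "pan_token": pan_token(pan)}


def find_full_pans(text: str) -> list:
    """Defensive check for a dump or log file: return every substring that
    looks like a full, Luhn-valid card number."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found
```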
4. Security Measures with High Return on Investment
Results of 2008 security assessment confirmed that the percentage of websites with critical flaws has decreased and measures against specific flaws which directly lead to information leakage such as "spoofing" and "SQL injection" are steadily being implemented. However, the ratio of websites with a possibility of information leakage has increased and implementation of measures against "cross-site scripting" and similar attacks is slow-progressing.
One of the reasons may be that it is difficult to envisage the scale of damage and to measure the return on investment until damage is actually caused. However, there is no point taking measures after your own website has fallen victim.
Organizations which actively promote security measures generally include a security assessment of their website into the management cycle (PDCA cycle) of controlling security risks.
However, large correction costs may be incurred if many flaws are detected by the assessment.

Figure 8: Management cycle of website security measures
What would be the effective approach to achieve measures with high return on investment while curbing the total costs?
We have analyzed flaws detected in 2008 security assessment to find out the phase in development processes where the flaw should have been corrected. The result indicated that more than 60% of flaws should have been corrected by the end of the design phase.

Figure 9: Detected vulnerabilities in development processes
This indicates that the majority of flaws can be eliminated before the implementation phase by applying planned security measures at each phase of the website development cycle.
In the development cycle, it becomes more expensive to roll back as the system development progresses to lower processes. Therefore, it is more effective to apply security measures in upper processes.
For example, including a source code analyzer in the implementation phase enables immediate correction of security flaws within that phase, which incurs less rollback cost than detecting flaws during an acceptance test.
Also, multi-layered checks in each phase will reduce the issues left for the lower processes: for example, establishing and referencing security design and development guidelines to define exhaustive security requirements in the requirement definition phase in the upper process, and including a security design review in the design phase.
By taking an approach where potential flaws are filtered out and removed as development progresses to the lower processes, secure website implementation can be achieved at lower total cost, since only issues overlooked in the previous phases will need solving immediately before the release.
In order to implement security measures with high return on investment, it is effective to develop and enforce security measures in each process rather than undergoing a security assessment just before the public release of the website.
5. Postscript
At the time of writing in July 2009, rapid recovery from economic stagnation originating from financial uncertainty proved difficult and many organizations are still struggling to get out from worsening business conditions. Not many organizations can spare a large budget for security in such an economic climate.
On the other hand, declining market conditions may foster Internet crimes for money and the threat of website attacks may further increase.
In such a harsh economic climate, information leakage involving major damage is highly likely to be fatal to an organization, and security investment should not be neglected.
Therefore, organizations must implement effective security measures within a limited budget. The first step towards effective security measures is to undergo a security assessment and precisely understand in which phase of the development cycle the existing flaws were created.
Ref. "Web Application Security Assessment Trend Analysis Report 2008"
[For inquiries, please contact below.]
Technical Consulting Services Department
NRI SecureTechnologies,Ltd.
E-mail: tcsd@nri-secure.co.jp
Copyright(c) 2009 NRI SecureTechnologies,Ltd. All rights reserved.
No reproduction or republication without written permission.