Cristina DINU-CHIFA^

Protection against the dangers of cyber-attacks has become the key to success for any business. At least this is one of the conclusions highlighted by Safetech, a consulting company specialized in information security solutions at the Cyber Security Romania Congress, an event recently held in Sibiu, Romania.

The definition says that information security is a set of procedures and internal regulations of a company, designed to protect electronic information and real environment. Based on this definition, the success of a cyber-attack shows up from lack of political and security procedures, the existence of weak prevention schemes and the penetration of IT systems, as well as the installation of low detection-prevention in the companies.

“Currently, we are facing more and more challenges to protect the information within economic entities”, said Ionut Georgescu, Information Security Consultant at Safetech. “These challenges include the alarming increase in the number of vulnerabilities discovered, lack of adequate education in terms of information security in organizations, and the lack of people trained in the security of this information.”

The security tests, conducted by Safetech specialists during 2015, led to the identification of more than 700 vulnerabilities within the 57 in web applications tested. More than 50% of the applications tested have at least one critical vulnerability level which means that, through their exploitation, it can cause damage with destructive effects in the company (total system compromise and unlimited access to data managed by the application). “No matter the application is 99% sure”, says Ionut Georgescu, “the 1% difference can completely compromise the web application.”

“Every medium size company is attacked by hackers (not to mention the large companies)” says the official from Safetech. “The question is whether and how quickly someone from that company finds out about the attack. It may take years until the company victim realizes that someone steals money from his accounts or intellectual property within his company. Databases are stolen and resold daily without anyone in the company to ever know”.

Where the attacker finds conditions that favor his attack? In any vulnerability that technology has. Any system that includes technology is more or less vulnerable. Technology is built up for people to provide comfort, to enhance mobility and profitability, to process and store data, not necessarily to make life safer. Like everything made by human, technology is not perfect, but always perfectible.

Over 90% of web applications tested by Safetech have at least one high-level vulnerability, which by exploitation could result in financial loss, loss or destruction of databases, to restrict all or part of the information system. The most common vulnerabilities are “Cross-Site Scripting” (identification by ID attacker to the victim’s web session). Over 60% of the applications tested were identified with this vulnerability. By it’s exploitation the attacker could have access to the victims’ accounts without requiring prior authentication. Also, the attacker can use the vulnerabilities to inject worms and other malware, which will spread across the local network, thus creating the conditions for launching attacks more targeted and more effective.

Another critical vulnerability is SQLi (SQL Injection), one of the most common vulnerabilities exploited in the Internet. Almost 20% of web applications tested by Safetech experts are vulnerable to SQLi. Technical knowledge to exploit this vulnerability has increased dramatically; there are thousands of tutorials that describe in detail how to exploit a SQL Injection vulnerability. Also, there are known dozens of special programs that can run automatically SQLi attacks. By exploiting a SQL injection vulnerability, the attacker can have complete access to databases or remote access on vulnerable systems.

“There are countermeasures that every company should take to prevent unwanted situations caused by exploitation of such vulnerabilities,” said Ionut Georgescu. “One of these countermeasures is using the so-called dedicated frameworks (programming environments) – as they are already tested for a long time, and restricting the use custom development environments created by internal programs. Another measure is to implement a policy of patching, so that any critical vulnerability, newly discovered, to be resolved within a month of its inception. Unfortunately, in Romanian companies are working in a disorganized way and always on the run. There are few policies in place that can provide procedures to follow, with calm, at the emergence of such vulnerabilities. Finally, I insist on encrypting data within applications and databases used within the organization. In this case, is essential to use encryption widespread algorithms, not some custom made by internal programs, because there had been testing for many years and some of them end up becoming standards in the industry”.