It is a well known fact that 80% of all attacks come from the inside. But in the world of Web2.0 and online applications, the back-end of the system is usually forgotten.
Let's analyze a common web application design
- The web application is designed to be used by a very large number of users, the users are kept inside the database. The actual web application communicates with the back-end database using a fixed database identity with very high privileges, simply to accommodate every possible function of every user role of the web application.
- The front end is an advanced web site which can be target to a significant variety of attacks. Since it is a web app, most companies do an adequate job of closing obvious and less obvious holes on the front end.
- And yet, once you look behind the isolation layer of the front end, security becomes lax. The same database identity is used for all transactions, and in most cases it's password traverses the internal network unencrypted. Also, access to the back end may be relatively easy from within the corporation.
The risk can be described as "Nobody looks at the cab driver". Actually, nobody (or very few companies) think about the corporate users which work behind the isolation layer of the front end.
Any person with corporate role can know or gain access to the back-end identity. This can be achieved by different methods, ranging from simply reading the config file, network sniffing to social engineering to coerce someone into revealing the identity.
Once the identity is gained, the internal attacker can authenticate as the back end identity and effectively impersonate any front end identity by simulating the proper queries into the database.
In an inside attack, there will always be two attackers:
- The technical person - one that knows how to write the proper queries
- The technology person - one that knows how to manipulate the business information within the database as if using the front end interface.
While the single back end identity will probably remain as the solution of choice for all web applications, all providers of such services need to pay special attention to the security of their back end. This security should include:
- encryption of internal communication channels, especially between the front end and the back end
- physical and network controls that prevent access to the back end even if the back end identity is stolen
- independent audit systems which are not controlled by the administrators that control the front end or the back end
Talkback and comments are most welcome
3 Controls to Secure Corporate Offline Computers
Control Delegated Responsibility
8 Tips for Securing from the Security experts
4 Controls to Avoid Risks of Fully Trusting a System