Hello again. Not long ago, Defencely.com described in a series of posts how enterprise security risks are evaluated and how they are identified so that they can be closed proactively and responsibly. This post sets out the key points surrounding enterprise business security threats and is intended to spread business-centric security awareness across industries. For an enterprise to operate according to its workflow, the business functional model should never overlap the data model. If the two do overlap, a business logic threat could be present. This threat access model presents three distinct risk factors, which are:
- Confidentiality
- Integrity
- Availability
Together these are known as the C.I.A. triad. A risk to confidentiality arises if an access control feature integrated into the business functional model is bypassed by some technique, giving an intruder confidential data that should never have been exposed. A risk to integrity means that data was modified during processing or somewhere within its life cycle; this, again, is a threat to the business. A risk to availability is when business-critical public data is withheld from access, financially depriving the company or corporation of its resources: the intruder forces the business model to consume more resources, ties those resources up, and makes them unavailable.
Authenticity in the business risk model is yet another concern: through it, intruders could gain unauthorized access to critical business resources and compromise the company in various ways. This in itself could be a tragic scenario for a company, taking its toll and leading to losses. Consider the following intrusions, for instance:
- Uber Cab compromised with Github Security Key
- Staples compromised – the retail hack hijacking cards
- Home Depot email compromises – 53 email addresses exposed
- CNET – compromised by Russian Attackers
These were some of the haunting and awareness-inspiring cases from major names in the business community and the industry. In the past, Microsoft, Oracle, Sony and others have also been attacked and successfully compromised through business security and logical deduction of security. In these cases the business security was compromised in different ways, but each was only possible with a compromise of data in mind. The data compromised was all related to business assets, not obtained through a procedure that kept business logic security in perspective. Certain types of application threat evaluation require this business data to be relatively measured first with proper processing. The evaluation process then takes certain test cases which the application should either pass or fail. These test cases are described as follows:
- Identify threats to business protocols, if these could be violated in any way.
- Identify threats to business timing, if resources could be violated against timed access.
- Identify threats related to compromise of data assets – if data is not segregated from non-essential workflow.
- Identify threats related to the financial assets of the company – if financial records could be compromised.
- Identify threats related to processing – if certain steps in the process could be bypassed.
Some of the common Business Logic Threats are:
- Authentication Failure and Escalation of Privileges.
- Unauthorized Access to Resources via Parameter Manipulation.
- Business Process Logic Bypass via Cookies or Tampering Cookies.
- Bypass of Client Side Business Assets leading to Process Bypasses.
- E-Shop Lifting via Business Logic Manipulation leading to losses.
- Functional Bypass of Business Flaw leading to access of 3rd party limited resources.
- Service Availability based Denial of Service Attacks via Business Logic Threats.
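To make the test cases listed earlier (can processing steps be bypassed, can timed access be violated) and two of the threat classes above (parameter manipulation and e-shop lifting) concrete from a defender's side, here is an added example that is not Defencely's code and not from the original post. It models a constructed four-step checkout workflow with a constructed catalog; the weak handler trusts the price the client sends and ignores workflow state, while the hardened handler recomputes totals from the server's own data, checks ownership and quantity limits, and refuses to run unless every earlier step was completed in order. All SKUs, prices, session and request values are constructed for illustration.

```python
"""Server-side enforcement against parameter manipulation and process-step
bypass (added example; catalog, workflow and requests are constructed)."""
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed catalog: the server's price list is the only source of truth.
CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("5.00")}

# Constructed checkout workflow; each step may only follow the previous one.
WORKFLOW = ("cart", "address", "payment", "confirm")
MAX_QTY = 100


class BusinessLogicError(Exception):
    """Raised when a request violates the workflow or the data model."""


@dataclass
class Session:
    user_id: str
    completed: list = field(default_factory=list)


def record_step(session: Session, step: str) -> None:
    """Accept a step only if it is the next one in WORKFLOW (sequence check)."""
    done = len(session.completed)
    expected = WORKFLOW[done] if done < len(WORKFLOW) else None
    if step != expected:
        raise BusinessLogicError(f"step {step!r} out of order; expected {expected!r}")
    session.completed.append(step)


def vulnerable_total(request: dict) -> Decimal:
    """Weak form: trusts the client-supplied price and ignores workflow state."""
    return sum(Decimal(str(i["price"])) * i["qty"] for i in request["items"])


def hardened_total(session: Session, request: dict) -> Decimal:
    """Hardened form: recompute the total from the server catalog, validate
    quantities and ownership, and require all prior workflow steps."""
    if request.get("user_id") != session.user_id:
        raise BusinessLogicError("cart does not belong to this session")
    if tuple(session.completed) != WORKFLOW[:-1]:
        raise BusinessLogicError("checkout reached without completing prior steps")
    total = Decimal("0")
    for item in request["items"]:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            raise BusinessLogicError(f"unknown sku {sku!r}")
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:
            raise BusinessLogicError(f"invalid quantity {qty!r} for {sku}")
        # Any client-supplied "price" field is deliberately ignored here.
        total += CATALOG[sku] * qty
    return total


def rejects(session: Session, request: dict) -> bool:
    """True if the hardened handler refuses the request (used for checks below)."""
    try:
        hardened_total(session, request)
    except BusinessLogicError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request: the client tampered the price field to 0.01.
    tampered = {"user_id": "alice",
                "items": [{"sku": "sku-100", "qty": 2, "price": "0.01"}]}
    sess = Session("alice")
    for step in ("cart", "address", "payment"):
        record_step(sess, step)
    print("weak handler charges:    ", vulnerable_total(tampered))   # 0.02
    print("hardened handler charges:", hardened_total(sess, tampered))  # 99.98
    print("skipped-steps request rejected:", rejects(Session("bob"),
          {"user_id": "bob", "items": [{"sku": "sku-200", "qty": 1}]}))  # True
```

The design point is that the business functional model (the step sequence) and the data model (prices, ownership) are enforced separately and only from server-held state; nothing the client sends about price or progress is trusted. Logging each `BusinessLogicError` with the session id and the offending field gives a detection signal for the manipulation attempts the test cases describe.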
There are numerous other ways to access critical data and exfiltrate it through business logic security flaws. The recommendation is to test the application against these new techniques and to build proper segregation channels for them, in order to prevent intruders from harming the company's business operations. Enterprise developers should follow a prevention chart during the development phases of the entire SDLC. This would deploy applications securely and restrict unauthorized use of data that could otherwise be compromised through application-level vulnerabilities or residual business logic vulnerabilities. Either can be fatal and could lead to losses, ranging from reputational to financial.
Defencely provides services against these threats along with cutting-edge reporting deliverables for its clients. The services enable its clients to assess potential threats and remediate them. Defencely provides an in-depth scope and individual deliverables for its clients, which include:
- Application Security Executive and Technical Reports
- Business Logic Threat Executive and Technical Reports
- Mobile Security Executive and Technical Reports
- Individual Mitigation Trackers for both Application and Business Reports
- A Monthly Mitigation Overall Record for all the Identified Vulnerabilities
Aside from these, Defencely.com also provides custom-tailored services for Network Security and Code Audit. These deliverables focus on network security for server hardening and enable clients to follow strict security policy rules and compliance requirements. Contact Defencely for its amazingly fast, reliable services at firstname.lastname@example.org and make your web applications, servers, mobile apps, and code audits glitter with a real sense of security.
About the Author
Shritam Bhowmick is an application penetration tester equipped with both traditional and professional application penetration test experience, adding value to the Defencely Inc. Red Team, and currently holds technical expertise in application threat reporting and coordination for Defencely Inc.'s global clients. Among his accomplishments, he has experience identifying critical application vulnerabilities and adds value to Defencely Inc. with his research work. The application security R&D sector at Defencely is growing and is taken care of by him. Professionally, he has had experience with several other companies working on critical application penetration test engagements, leading the Red Team, and also has experience training curious students in his leisure time. The application security guy!
Out of his professional expertise in Application Security, Shritam Bhowmick uses his knowledge for constructive Red Team penetration test engagements for top Indian clients and has a proven record of excellence in the field of IT security. A Google search of his name will suffice. Shritam Bhowmick has delivered numerous research papers, mostly application security centric, and loves to go deep into the details. This approach has led him to innovate rather than reinvent the wheel for others to harness old security concepts. In his spare time, of which there is barely any, he blogs, brainstorms on web security concepts and prefers to stay away from the normal living. Apart from his professional life, he finds bliss in reading books, playing chess, philanthropy, and basketball for the sweat. He wildly loves watching horror movies for the thrill.