Image used from www.shopcatalog.com, all credit goes to its author.
On September 28th, Facebook announced it suffered an attack that affected almost 50 million users. The hack required the chaining of multiple vulnerabilities, being one of them in the “View As” feature, that help users control their privacy by previewing how other users see their profile.
These vulnerabilities provided the attackers with Access Tokens that could be used to access other accounts. You can think of these Access Tokens as something your device/app automatically sends to Facebook instead of your credentials. This prevents you from having to type your login and password everytime you open the Facebook app or other applications that use Facebook for authentication (e.g. Instagram).
What exact information was breached is yet to be determined, as well as the real number of affected users: as a precaution, Facebook reset Access Tokens for over 90 million users (almost twice the number of affected users).
Now imagine this happening to your company: you would have to tell the world you failed at protecting your users and be subject to fines under the GDPR, just to name a few consequences.
So, how do you protect your company from being hacked just like Facebook was?
There are strategic steps you can take to greatly improve the security of your company, especially if your company develops web applications, either for internal use or as a product.
I’m not saying that Facebook did not take appropriate measures to protect their users: I know that they have a good application security team, that they implement a lot of security controls and do a lot of testing. But some vulnerabilities are really hard to find, especially those that can only be exploited when combined with other vulnerabilities.
Automate application security testing as much as possible
Test your web applications constantly, every day. Your developers will change the application code frequently, as they keep improving it with new features or just fixing small functional problems. Even if most of the changes are invisible to whoever is using the application, a single character might introduce a vulnerability.
In the rare case where your applications don’t change frequently, you still have to deal with new attack techniques being reported every day by security researchers.
The only way to keep up with this fast pace is to provide your developers with tools to test the security of the application as they change it. These tests need to be performed on a daily basis and integrated into a Continuous Integration (CI) pipeline. The idea is to have all changes subject to testing and to find issues as soon as possible (at least before they can be abused by hackers).
Complement automation with manual security testing
Automated testing has limitations (but it is tireless!) that can only be overcome by the human brain. Security professionals tend to be very creative at finding highly complex vulnerabilities and broken business logic. A security professional will have a better understanding of the semantics of the data on the application and will be able to look for situations that cannot be tested automatically, for instance by calling a call-center to try to get hold of customer data.
You should hire a manual test at least once a year. These are very costly both in price and time so it is hard to do them frequently.
To learn more about penetration testing, bug bounties, and automated security scanning, check out our blog that discusses the different approaches.
Do not ignore small, low risk, vulnerabilities
The Facebook hack took advantage of 3 vulnerabilities chained together. If you look at some of them isolated, you might consider them low-risk and harmless. But hackers have the skills to combine them into a successful attack.
It might require a trained eye to properly evaluate how a single vulnerability, apparently innocuous, might be combined with other, yet to be discovered vulnerability.
So, do not focus only on high-risk vulnerabilities and avoid accumulating a pile of low-risk ones. Add them to your roadmap and fix them.
Build an application security team
Depending on the size of your company and on how much your business is dependent on web applications, you might consider creating an application security team. By application security team, I mean having people whose function is solely to handle web security.
Facebook has a good application security team, and that is why in its 14 years of existence, this was the first time that they were compromised. And it is also why they handled the breach so quickly.
The main responsibilities of a typical application security team are to deliver security awareness and secure coding best practices training, to be active in the software development life-cycle of projects, to answer questions from developers on how to design features in a secure fashion, and to teach them how to fix and avoid vulnerabilities. And of course, to provide them with tools to automate security testing.
These are the main pieces for an application security program. If your revenue depends on your website, shouldn’t you have someone focused on its security?
Manage communication and be transparent
If your company is hacked, the likelihood that it becomes public is high. Some regulations already make it mandatory to disclose customer data breaches.
Facebook managed communication and PR very well so far. They are being transparent both with regards to what happened and to what measures they are taking to handle the hack. This avoids speculation, false information and minimizes bad press, basically putting Facebook in control of what is being said about them.
It is a tough call to publish that you were hacked, but if you show the world you are actively taking measures to fix the problem, it is much easier to earn the trust of your users again.
It is also important to be transparent and cooperate with law enforcement or any legal or supervisory body that you must report to. For instance, one of the 10 criteria used to determine a fine for GDPR infringement is cooperation. This could affect you, even without being under GDPR law. Uber was fined for lack of cooperation after a recent data breach.
Implementing all of these steps at once might look like a lot of work and seems overwhelming, but you have to start somewhere. My recommendation is to start with the first step and then improve your security strategy through the other steps.