Cryptography is often thought of as secret messages used by bad guys to hide their nefarious plans from good guys. Imagine the scenes from Sneakers (1992), Skyfall (2012), or The Imitation Game (2014) where the heroes need to crack the code and save the day. In real life, cryptography, by way of encryption, is used by businesses and organizations every day to protect sensitive and personal information. Because of this, cryptographic failures are one of the most common ways for businesses to be hacked.
Cryptographic Failures moves up to #2 on the OWASP Top 10 List
In the cybersecurity world, whether you’re a small business or large enterprise, web application vulnerabilities are always a hot topic of discussion. Whenever the topic arises it’s usually not long until the OWASP Top 10 is discussed as well. OWASP, officially known as the Open Web Application Security Project, has been cranking out their Top 10 list since 2003. This list contains the 10 most critical types of vulnerabilities affecting web applications at the time of writing.
With web application security making its way to the forefront of the cybersecurity world recently, it was good timing that OWASP released an updated Top 10 list in September 2021. The list organizes and succinctly presents the most relevant and prevalent web application threats we face today.
The OWASP Top 10 for 2021 has undergone some changes since the previous list, released in 2017. The 2021 list adds three new categories, renames or rescopes four categories, and consolidates others in order to focus on root causes over symptoms. Cryptographic Failures, formerly known as “Sensitive Data Exposure”, is one such case.
What is a cryptographic failure?
Cryptographic failures detail the risk of exposure of sensitive data such as personally identifiable information (PII), passwords, financial information, health records, and more.
Common configuration deficiencies fall under the category of cryptographic failures. For example:
- The application or service is configured to use deprecated algorithms for data integrity or authentication processes.
- Use of services that transmit data in clear text, or insufficient use of TLS/SSL encryption. Commonly seen examples include HTTP, FTP, and TFTP.
Proper use of cryptographic functions such as encryption is required by privacy laws and security standards like the Payment Card Industry Data Security Standard (PCI DSS). Where these protections are missing, an attacker can exploit the gaps to compromise the confidentiality of an organization's data.
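As an added illustration (not code from the original article or from Foresite), the following Python checker audits a web-server TLS configuration for the two deficiencies just listed: deprecated protocol versions or cipher suites, and encryption that is offered but not enforced. The two configuration snippets are constructed in nginx syntax for the example, and the deprecated-protocol set and weak-cipher markers are an illustrative policy rather than an exhaustive one.

```python
"""Audit a web-server TLS configuration for deprecated protocols, weak ciphers
and missing encryption enforcement.

Added example: not code from the original article. The two configuration
snippets are constructed in nginx syntax for illustration, and the protocol
and cipher deny-lists are an illustrative policy, not an exhaustive one.
"""
import re
from typing import List, Optional

# Protocol versions that should no longer be offered (illustrative policy)
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher-suite names that indicate weak primitives
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")

# Constructed "before" configuration: old protocols, RC4/3DES suites, no HSTS
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4-SHA:DES-CBC3-SHA:AES128-SHA;
}
"""

# Constructed "after" configuration: TLS 1.2+, AEAD suites, HSTS enforced
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
"""


def _directive(config: str, name: str) -> Optional[str]:
    """Return the value of the first `name ...;` directive, or None if absent."""
    match = re.search(rf"^\s*{name}\s+([^;]+);", config, re.MULTILINE)
    return match.group(1).strip() if match else None


def audit_tls_config(config: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []

    protocols = _directive(config, "ssl_protocols")
    if protocols:
        offered = set(protocols.split())
        bad = sorted(offered & DEPRECATED_PROTOCOLS)
        if bad:
            findings.append("deprecated protocol(s) offered: " + ", ".join(bad))

    ciphers = _directive(config, "ssl_ciphers")
    if ciphers:
        for suite in ciphers.split(":"):
            if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                findings.append("weak cipher suite: " + suite)

    # Without HSTS a returning browser can still be steered to plain HTTP,
    # so encryption is offered but not enforced.
    if "Strict-Transport-Security" not in config:
        findings.append("Strict-Transport-Security header missing: encryption not enforced")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_tls_config(cfg) or ['no findings']}")
```

Run against the weak snippet the audit reports the three deprecated protocol versions, the RC4 and 3DES suites, and the missing HSTS header; the hardened snippet produces no findings. The same directive parser can be pointed at a real configuration file, with the deny-lists adjusted to the organization's own policy.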
Scenarios that can lead to cryptographic failure
There are many types of data that require extra protection while in transit or at rest. Any information that could be used by attackers to gain access, steal identities, or perform another form of cybercrime should be stored and transmitted using encryption. Common examples include passwords, credit card numbers, health records, and business secrets.
When looking to prevent cryptographic failures, data protection professionals should consider the following:
- Is any data transmitted in plain text? External internet traffic is hazardous and all internal traffic should be verified.
Protocols & Validation
- Are there old or weak cryptographic protocols in place? This could be by default or used in older code.
- Is encryption enforced? Are there any browser security directives or headers missing?
- Are received server certificates and trust chains properly validated?
- Are default crypto keys in use? Are weak crypto keys generated or re-used?
- Is proper key management or rotation missing?
- Are keys checked into source code repositories?
- Are passwords being used directly as cryptographic keys instead of deriving keys through a password-based key derivation function?
- Is the randomness used for cryptographic purposes generated by a source designed to meet cryptographic requirements?
- Are initialization vectors ignored, reused, or are those generated not sufficiently secure for the mode of operation?
- Is encryption being used when authenticated encryption would be more appropriate?
- Are deprecated hash functions such as MD5 or SHA1 in use?
- Are non-cryptographic hash functions used when cryptographic ones are needed?
- Are outdated cryptographic padding methods such as PKCS #1 v1.5 in use?
- Are error messages or side-channel information exploitable?
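Several of the checklist items above (passwords used directly as keys, randomness for cryptographic use, reused initialization vectors, deprecated hash functions, and side-channel-prone comparisons) come together in how an application stores passwords and derives keys. The following Python module is an added example, not code from the original article or from Foresite: it shows the deprecated pattern beside the corrected one using only the standard library. The iteration count, salt length and the `algorithm$iterations$salt$hash` storage format are illustrative assumptions for this example.

```python
"""Password storage and key derivation: the deprecated pattern beside the
corrected one, using only the Python standard library.

Added example: not code from the original article. The iteration count, salt
length and the 'algorithm$iterations$salt$hash' storage format are illustrative
assumptions for this example.
"""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # illustrative; size to your hardware budget
SALT_BYTES = 16


# ---- Deprecated pattern (kept only for contrast) --------------------------
def weak_password_hash(password: str) -> str:
    """Unsalted MD5: deprecated hash, and equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def weak_key_from_password(password: str) -> bytes:
    """Raw password bytes padded to 32 bytes and used directly as a key."""
    return password.encode().ljust(32, b"\0")[:32]


# ---- Hardened pattern ------------------------------------------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # CSPRNG, fresh per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the stored derivation and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False          # legacy/unknown record: force a reset, do not guess
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids the early-exit timing side channel of '=='
    return hmac.compare_digest(digest.hex(), hash_hex)


def derive_encryption_key(password: str, salt: bytes, length: int = 32) -> bytes:
    """Derive a fixed-length key with PBKDF2 instead of using password bytes as the key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=length)


def fresh_iv(size: int = 12) -> bytes:
    """Per-message IV/nonce from the OS CSPRNG; never reuse one under the same key."""
    return secrets.token_bytes(size)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
```

The salt is stored alongside the derived hash so the record is self-describing; two users with the same password get different records, and a record whose algorithm label is not the current one is rejected rather than silently accepted. The same derivation, with a distinct salt, turns a password into a fixed-length encryption key instead of using the password bytes as the key.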
How attackers can leverage cryptographic failures
An example of this could be an attacker connecting to an open wireless network. Once connected, the wireless network traffic can be analyzed for services not using proper encryption. These services may then reveal sensitive information in clear text, such as passwords or even session cookies. Using those passwords or session cookies can allow an attacker to further exploit an organization. If the data held within the affected application is important, your organization may suffer significant harm or damages if it is exfiltrated. Because of this, it is extremely important to regularly test for and remediate cryptographic failures.
This is where Foresite can help. To test for these types of vulnerabilities, Foresite takes the approach of emulating the attacker and attempting to exploit many of the vulnerabilities above to gain a better understanding of the actual security posture of the application. This process begins with information gathering and enumeration to determine which parameters are vulnerable. From here, the consultant exploits the vulnerabilities found, with the goal of demonstrating access to confidential information, control of an application or network, and other security gaps. The consultant then produces a detailed report of their findings, including any vulnerabilities found along with exploitation notes.