Sec571 Security Concerns Regarding

Submitted By wrayford
Security Concerns Regarding
Quality Web Design

Submitted to:
SE571 Principles of Information Security and Privacy
Keller Graduate School of Management
Submitted: April 20, 2014

Table of Contents

Executive Summary
Company Overview
Security Vulnerabilities
    Threats Through Using VPN Tunnels
    SQL Injections
Recommended Solutions
    Threats Through Using VPN Tunnels
    SQL Injections
Impact on Business Processes
Budget
Summary
References

Company Overview

Quality Web Design (QWD) is a web development organization that creates client-side web applications that distribute web content to users in order to improve an existing web site. It is a basic Microsoft shop that uses Visual Studio Team Foundation Service to host the image repository and Visual Studio to design, QA and develop its site. It also uses Microsoft SQL Server and Microsoft Exchange.

Security Vulnerabilities

The two security vulnerabilities that I am going to document are potential security breaches through VPN tunnels and SQL injection attacks. These are the two areas that I believe the organization has not looked at as potential risks.

The first threat that I want to elaborate on is a hardware vulnerability that is inherent in the use of VPN Tunnels. The main threat mostly lies with users not utilizing the same security precautions that are used in the office. Often users are unaware that they have a direct link straight into their company’s network through these tunnels and will leave them unsecured.

Some of the possible threats are that of exposing data as well as company resources to those that should not have access to these details. This may cause system down time, corruption of data as well as data integrity problems.

Most of the threat is within the user’s control by implementing virus scan software as well as firewall settings. The other side of the equation is bringing awareness to the fact that terminals, phones and other mobile devices that are left logged in and unsupervised are the number one way that people gain access to resources. A newsletter put out by Dell states, “VPNs will likely continue to be the weakest link in an organization's security infrastructure for some time to come.” (Drew, 2004)

The second threat lies in the potential for SQL injections into their web application. With any type of site that is hosted and connected to a database, there is a threat of extra text being dropped into text boxes and debilitating the entire database.

SQL injections work by a user of the software putting a terminating string inside a text box, then running their own query after that. This can be done to gain usernames and passwords as well as to drop tables altogether.

Recommended Solutions

The recommended solution for securing a VPN tunnel is to allow only company-granted equipment to access the VPN. The current model lets employees log in from their own workstations and phones, leaving them vulnerable. By limiting the type of machine as well as the software on the machine itself, we can eliminate the possibility of an attack from a virus or malware.

The second solution is to add in the policy the limitation where users are not allowed to access the network from public Wi-Fi access points. This will eliminate some of the risk of leaving the connection open as well as other people browsing into company resources.

When it comes to blocking SQL injections, we are going to have to add two parameters into the software to prevent this. The first involves adding some check parameters in the code before a query is run. This is done at the variable level to check for key signatures of SQL.

As for the impact of these changes on the business model, it would be minimal. We could see blowback from users who want to use their own PCs but, as with any change, it would just take time to get used to it. The software changes that need to be made only have to be done once and then the software is secured.

Budget

With regard to actual monetary budget considerations, the changes require no extra money. The software work should be done by the developers already being paid, and the machine changes could be done as needed throughout machine upgrades.

Summary

By securing their software and the way others access their network, QWD stands the chance of bettering their foothold in the software world. SQL injections are easy to prevent with minor code tweaks, and VPN breaches are controlled by disallowing unauthorized machines. These simple changes can be made quickly and inexpensively.

Solutions – SQL Injections

In this section I will explore the solutions involved with preventing a SQL injection attack. We need to identify exactly what someone would look for before carrying out such an attack before we can prevent the inevitable attack.

One method that a security threat would use to find a target is known as “Dorking”. This is a search run through Google that goes out and returns a list of potential targets. What they are looking for in a target is usually PHP related, dynamic content driven sites. These sites usually have open ended SQL and are vulnerable to attack. It is good to know that any database is vulnerable and not just PHP, but PHP is the easiest.

So after we get a list of sites, we will add a character to the end of the URL and launch the page. For example, let’s say that in Google, they ran a search for “inurl:play_old.php?id=” and this pulled up a site using this query. If you add, let’s say a hyphen to the end of the URL and press enter, you should not receive any errors or anything. If you do, then this site is corruptible.

So, what does all this mean? With this data, we can essentially build our own SQL query to generate whatever information we want. At this point, we can use an “ORDER BY” statement at the end and essentially begin finding out exactly what columns are accepting queries. Adding an amended query at the end of this URL stating “UNION SELECT 1,2,3…” all the way through to the number of columns then gains access to the table.

Another way to exploit a database is by simply entering criteria that are true into one of the text boxes. In this sample we look at a username and password form which, as we all know, should only produce results when in fact logging into the system. Suppose we modify the criteria by entering “something OR 1=1” into the password field. This produces a result because 1 = 1, and the rest of the query is ignored.

So how do we prevent all of these scenarios from happening? It comes down to the source code that is used to design and implement query calls from within the site. We need to prevent certain procedures from being called.

One solution is to blacklist certain words from being used. This is not recommended for two reasons. First, it does not address the actual issue at hand, only masks it. Second, what if there is a need to actually use some of these key words in the data that is being transmitted? This could create a larger problem than it fixes.

Another solution is to use a profile on the database server that doesn’t have the abilities to delete or modify tables if there is no need to. We shouldn’t be using admin profiles to start with, but limiting the user’s abilities is a good way to start. This will prevent anything bad from happening to the database at least at a user level.

What I do personally is to build the query in pieces, then put the string together inside the PHP code. How this works is I might store the username and the password separately, then create a string of the SQL query before I run it. This groups all of the fields together so that if there were any extra data tagged to the end, then it will strip it all out. This option also would utilize a prepare statement that pre-runs the query.
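The contrast between the true-criteria input, the keyword blacklist and a bound-parameter query, as an added example that is not the essay author's code. It uses Python's sqlite3 as a stand-in for the site's database layer; the table, the numeric `pin` field, the `BLACKLIST` set and all sample values are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; a numeric PIN stands in for the password field.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pin INTEGER, note TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", 4821, ""), ("bob", 1377, "")])
    return db

def login_concatenated(db, username, pin):
    # Vulnerable "before": form input becomes part of the SQL text.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND pin = " + pin)
    return sorted(row[0] for row in db.execute(sql))

def login_parameterized(db, username, pin):
    # Hardened: the SQL text is fixed and the inputs are bound as values.
    sql = "SELECT username FROM users WHERE username = ? AND pin = ?"
    return sorted(row[0] for row in db.execute(sql, (username, pin)))

BLACKLIST = {"select", "union", "drop", "or"}  # hypothetical keyword filter

def blacklist_rejects(value):
    # Keyword blacklist from the essay: it matches words, not query structure.
    return any(word in BLACKLIST for word in value.lower().split())

def save_note(db, username, note):
    # Bound parameters store keyword-laden text verbatim, so no filter is needed.
    db.execute("UPDATE users SET note = ? WHERE username = ?", (note, username))
    row = db.execute("SELECT note FROM users WHERE username = ?", (username,))
    return row.fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    tautology = "0 OR 1=1"  # constructed input in the form the essay describes
    print(login_concatenated(db, "alice", "4821"))
    print(login_concatenated(db, "alice", tautology))
    print(login_parameterized(db, "alice", tautology))
    note = "drop shipment at union station"  # legitimate data with keywords
    print(blacklist_rejects(note), save_note(db, "bob", note))
```

The concatenated query returns every user for the true-criteria input, while the bound-parameter query returns none; the blacklist also rejects the legitimate note that the parameterized update stores unchanged.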

Solutions – VPN Tunnel Issues

With regard to the VPN tunnel problems, this would require a twofold solution that is fairly simple. First, deny access from any systems other than those designated by the office as safe, and second, implement security procedures that outline reprimands for any unsafe or unsecured equipment.

The first threat looks into unsecured machines using our tunnel to access our systems. This change is done at the level of issuing out laptops that are pre-setup to allow for the VPN. These settings are done securely and without having the user enter in credentials preventing unauthorized use.

As with most VPNs, the connection is made locally to the server through an application. If the user attempts to connect, let’s say, from their home PC which has a virus, then that virus could potentially be transferred to the server. By providing the users a machine that has company-approved software, company policies as well as limited use, the risk of malicious attack can be mitigated.

The other aspect of security regarding VPNs is the potential for someone to take the machine to a public place and leave it unsecured. This policy would just be to have penalties as well as a procedure for lost or stolen property, be it phones or laptops.

References

Drew, Steven. "VPNs (Virtual Private Nightmares)." Information Security Services, Managed Security Services. Dell, May 2004. Web. 04 Apr. 2014.

"How Can I Prevent SQL Injection in PHP?" Mysql. Stack Overflow, n.d. Web. 22 Apr. 2014.

"SQL Injection." SQL Injection. N.p., n.d. Web. 24 Apr. 2014.

"PHP: SQL Injection - Manual." PHP: SQL Injection - Manual. N.p., n.d. Web. 22 Apr. 2014.
