Protect Your SaaS from Cyber Crimes
Date: Tuesday, December 02, 2008
Cyber Crime refers to any criminal activity where "Software hosted as an Internet Service" (SaaS) is the source, tool, target, or the place of crime.
Criminals from any part of the world can use a free email service hosted as an Internet service to exchange their plans for an intended attack, and simply close the free account once the attack has been carried out. In such a case, the SaaS vendor has to provide whatever information the Cyber Crime Police require for the investigation.
Similarly, criminals can set up a fake website that exactly resembles a genuine one and send fake emails to victims to harvest personal information such as credit card numbers, card verification value (CVV) numbers, and bank account passwords, and then use that information at the original website to get access to the victims' bank accounts.
This article focuses on the roles and responsibilities of SaaS vendors to prevent Cyber Crimes and also retain necessary information for the post-attack investigation purposes.
Website Identity and Phishing
SaaS-based services are accessed by simply typing the service's website URL into the browser. This URL is the unique address and identity of the SaaS to the external world. For example, http://www.zohomail.com is the unique identity of the Zoho Mail service. To provide safe and secure access to customers, the SaaS has to be hosted as an https service and its certificate has to be issued by a reputable certificate authority, so that the website's identity is verified by the browser itself.
To prevent users from landing on fake websites (through phishing or typo-squatting), the SaaS vendor has to register all plausible misspellings of its address. For example, register http://www.zohomial.com as an alias of the correct address http://www.zohomail.com, so that even a user who types the wrong address is automatically directed to the right website.
Also, during the authentication process, care must be taken to show user-specific content (images and phrases chosen by the user) by accepting the username first and only then asking for sensitive inputs such as the password or credit card number. This assures users that they have landed on the correct website.
User Identity and Theft
The IP address of the user's machine should be used to identify and trace the user. If the user is accessing the service from a browsing center, the browsing center owner will have the address details of the user, and the information gathered from the owner can then be used to trace the user. An email address, screen name, or username cannot be used for this, as tracing the real user is not possible with such names.
Go for "Two Factor Authentication" based on the sensitivity of the information the SaaS deals with. Verify identity by asking for something the user knows or has created himself (a password) and something the user has (a mobile phone): send an SMS with a random secret code and ask the user to enter it in addition to the password he knows.
Public and private content should be hosted separately. This can be achieved by using different website URLs, and it helps prevent common Web vulnerabilities such as XSS and CSRF.
An authorization check should be done on every access to private information. Authentication, which verifies the identity of the user, is not enough to allow the user to access private information: an authenticated user should not get access to other users' data.
Auditing is used to trace the criminal user. The user access details, known as the "AccessLog", should record Who, What, and When. "Who" is the IP address from which the user is accessing the website; the X-Forwarded-For (XFF) HTTP header should also be logged to identify the exact user machine behind a corporate gateway IP address. "What" is the particular resource (the HTTP URL path along with the query string) accessed by the user. "When" is the time at which the request was processed, usually in GMT.
In addition, the "AccessLog" should record the "data size" (the number of bytes received as input and the number of bytes in the response), the browser and operating system details, the session identifier used to track subsequent requests from the user, and the time taken to process the request.
Privacy and Data Retention Policies
The personal information of the user, such as email address, credit card number, and phone numbers, and the operational data stored in the SaaS database should be accessible only to that specific user. Even the employees of the SaaS vendor should not have access to such information. This is necessary to prevent email address and phone number harvesting by criminals through vulnerable employees.
Customers may not want you to retain their data, but government policy makes it obligatory to retain such data for a certain period of time. In Europe, there is a policy of retaining data for a minimum period of 6 months to a maximum of 2 years. The software service provider has to retain all the data created, modified, and deleted by the customer along with the "AccessLog" information.
Reporting a Suspicious Incident
The SaaS vendor should report incidents such as phishing attacks, spamming attacks, or any other hacking attempts targeted at its website to the customers as soon as they become known. The incident should be published on the website itself; publishing the information as a dedicated blog post is better. A complaint should be registered with the Crime Cell, besides informing the customers individually via email, phone, and the like.
Awareness and Education
The SaaS vendor should make customers aware of the various types of hacking and other vulnerabilities, especially those that criminals are likely to use to attack the website. Customers should also be periodically educated with safety tips on using the website.
SPAM Control and Moderation
When hosting public content, an "Abuse Report" option should be provided. Otherwise, each entry posted by users to the public content should be moderated before publishing.
Having a Human Interactive Proof (CAPTCHA) mechanism in place could help prevent spam content posted by automated software programs.
Any outgoing traffic from the website on behalf of a user should be monitored and controlled. For example, in the case of an email service, it should not be possible for a user to misuse the service to send unsolicited bulk mail to other Internet users. Possible misuse can be identified from the AccessLog details, and service can then be denied to the blacklisted IP addresses.
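The following is an added example, not code from the article: it parses a constructed AccessLog (peer IP, XFF header, GMT timestamp, request, status, bytes in/out, session id) into the Who/What/When fields described above, and then uses those records to flag clients that hit a hypothetical /mail/send endpoint too often within a short window. The log format, the endpoint and the trusted proxy range are assumptions; note that XFF is supplied by the client and is only honoured when the request arrives from our own gateway.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed AccessLog layout (assumption): peer IP, XFF value or "-", GMT time,
# request line, status, bytes received, bytes sent, session id.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) xff="(?P<xff>[^"]*)" \[(?P<when>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes_in>\d+) (?P<bytes_out>\d+) sid=(?P<sid>\S+)$'
)
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]  # assumption: our own gateway / load balancer range

def client_ip(peer, xff):
    """The 'Who' field: XFF is client-controlled, so only trust it when the peer is our proxy."""
    if xff != "-" and any(ip_address(peer) in net for net in TRUSTED_PROXIES):
        return xff.split(",")[0].strip()  # leftmost XFF entry is the original client
    return peer

def parse(line):
    """Return one AccessLog record (Who/What/When plus the extra fields) or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["who"] = client_ip(rec["peer"], rec["xff"])
    rec["when"] = datetime.strptime(rec["when"], "%d/%b/%Y:%H:%M:%S")
    return rec

def flag_bulk_senders(lines, send_path="/mail/send", limit=3, window=timedelta(minutes=10)):
    """Return client IPs with more than `limit` successful sends inside any `window`."""
    sends = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(send_path) and rec["status"] == "200":
            sends[rec["who"]].append(rec["when"])
    flagged = set()
    for who, times in sends.items():
        times.sort()
        # limit+1 sends fall inside the window when times[i] - times[i-limit] <= window
        if any(times[i] - times[i - limit] <= window for i in range(limit, len(times))):
            flagged.add(who)
    return flagged

# Constructed sample log: four sends from 203.0.113.7 via the trusted gateway in four
# minutes, then a direct request carrying a spoofed XFF that must not be attributed to it.
SAMPLE_LOG = [
    '10.0.0.5 xff="203.0.113.7" [02/Dec/2008:10:00:01] "POST /mail/send" 200 2048 512 sid=abc',
    '10.0.0.5 xff="203.0.113.7" [02/Dec/2008:10:01:10] "POST /mail/send" 200 2100 512 sid=abc',
    '10.0.0.5 xff="203.0.113.7" [02/Dec/2008:10:02:30] "POST /mail/send" 200 1990 512 sid=abc',
    '10.0.0.5 xff="203.0.113.7" [02/Dec/2008:10:03:45] "POST /mail/send" 200 2050 512 sid=abc',
    '198.51.100.9 xff="203.0.113.7" [02/Dec/2008:10:04:00] "POST /mail/send" 200 1800 512 sid=def',
    '198.51.100.9 xff="-" [02/Dec/2008:10:05:00] "GET /inbox" 200 0 9000 sid=def',
]
```

Running flag_bulk_senders(SAMPLE_LOG) yields only 203.0.113.7; the spoofed XFF on the fifth line is attributed to the untrusted peer 198.51.100.9 instead.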
Other Best Practices
Any third-party or open source packages used should be kept patched up to date. Further, security advisories from those package vendors should be closely monitored and acted on immediately to avoid zero-hour attacks.
A 24x7 monitoring and incident response team is a must, to monitor each and every node (firewall, switches, load balancer, web servers, app servers, databases, and so on) in the website's IDC (Internet Data Center).
Well-defined processes should be in place to manage incidents of different severity levels. For example, if an incident causes a loss of confidentiality, the website should be shut down immediately.
All nodes in the IDC should be properly configured, and changes to this configuration should be tracked.
The top management should be involved in any post-attack investigation, as they are responsible for any damage to the customers and the society.
And very importantly, the website should be compliant with the policy enforced by the government. To learn about the policy enforced in India, the following websites can be referred to:
1. Cyber Crime in India: http://www.indianchild.com/cyber_crime_in_india.htm
2. Official website of Cyber Crime Cell of Mumbai: http://www.cybercellmumbai.com/
Disclaimer: The content in this Article is in no way related to my Employer.