Sri Lankan Website Security in 2019 — The Good, The Bad and The Ugly

The year 2020 dawns with new hopes and the start of a new decade. This is a small look back at Sri Lankan websites from an information security perspective, covering the issues seen in the year 2019. Good, Bad and Ugly is an American idiom based on a movie released in 1966 (IMDB rating 8.8)¹. The respective phrases refer to the upsides, the downsides, and the parts that could or should have been done better but were not.

Tip of the Iceberg — Numbers

Cybersecurity is a hot topic for news channels. However, it is not always the priority when there is a heavy build-up of political news around elections. On 18th May 2019, which was the Wesak Poya day, news outlets reported an ongoing cyber attack on Sri Lankan websites in connection with Victory Day. This event was the main cybersecurity event reported in 2019 and was described as the largest attack. But let’s take statistics from publicly available sources such as zone-h² and compile the total picture. Filtering for “.lk”, we can extract the data and plot it as follows.

Figure: Reported Attacks on .LK Websites in Year 2019 (GOV.LK are government websites, AC.LK & EDU.LK are academic websites, and the rest of .LK are considered business websites)

Since I only take ‘.lk’ domains, and many Sri Lankan websites use ‘.com’, ‘.net’ and other domains, these figures are a floor on the actual attack count. Still, the data set gives a good representation of website attacks. Although only the month of May made it to the media, March and December dominate the totals but did not make the news. Compared with the following graph for the year 2018, it is very clear that websites are being targeted and attacked regardless of whether they are government, business or academic websites.

Figure: Reported Attacks on .LK Websites in Year 2018

Therefore, an early conclusion can be drawn about the number of website attacks.

Figure: What is under the tip of the iceberg

The Ugly

Analysing the technology of the attacked websites and the timelines, the following three causes can be outlined as motives.

  1. Attacks carried out by politically motivated groups (e.g. the May 2019 attack)
  2. Public release of exploit code for popular website components (e.g. the April 2018 Drupal mass attack)
  3. Cascading compromises due to insecure hosting

In all three cases, it is possible to take proactive security measures.

For Type 1, it is true that we cannot stop the attack, but we can prepare. Security hardening and periodic vulnerability assessments, with rectification of the issues found, will reduce the threat level considerably.

For Type 2, regular patch updates and the use of a free or commercial web application firewall will save you.

For Type 3, secure, segregated hosting is required so that when one site on a shared server is compromised, the other hosted websites are not. cPanel is the simple software for this. Open source solutions like Apache mpm-itk³, and IIS application pools⁴, also belong here.

All of the above options require time and budget. In most cases the root of the problem is not unavailability of these, but not caring or not knowing. This problem existed in the year 2018, and the trend continued.
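As an added illustration of the Type 3 measure (not part of the original post, and not a configuration from any specific host), the Apache fragment below runs two virtual hosts under two separate unprivileged accounts with mpm-itk. The host names, account names and paths are assumptions; the `AssignUserID` directive is the real mpm-itk directive referenced in ³.

```apache
# Added example: per-vhost UID/GID segregation with Apache mpm-itk.
# Host names, accounts and paths are assumed for illustration.
<VirtualHost *:80>
    ServerName site-a.example.lk
    DocumentRoot /var/www/site-a/public

    <IfModule mpm_itk_module>
        # Every request for this vhost is handled as the unprivileged 'site-a' account,
        # so a web shell dropped here runs with that account's rights only.
        AssignUserID site-a site-a
    </IfModule>

    <Directory /var/www/site-a/public>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName site-b.example.lk
    DocumentRoot /var/www/site-b/public

    <IfModule mpm_itk_module>
        # A different account for the second site: site-a cannot read or write these files.
        AssignUserID site-b site-b
    </IfModule>

    <Directory /var/www/site-b/public>
        Require all granted
    </Directory>
</VirtualHost>
```

The directive only helps if the filesystem agrees with it: each document root (and its uploads and configuration directories) should be owned by its own account and group with no access for other accounts (for example mode 0750), so that the process serving one site has nothing to read or modify in the neighbouring site. It is also worth confirming with a quick check that no site's files are owned by the main Apache user or are world-writable, since either would undo the segregation.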

The Bad

Many Sri Lankan website developers build websites without proper End of Life planning. In practice, it is not possible to properly maintain a website or web app beyond about 5 years after the initial release, because the required platforms and frameworks often end support after roughly 5 years. If this is not conveyed in the early stages, so-called approval and procurement procedures will keep obsolete content online forever. This was one of the major problems in the year 2019, just as it was in the year 2018.

There is also a set of web developers who deliver websites without proper maintenance after release. The customers may not be aware of the risk they are taking.

The Good

There is a good trend in website security: comparatively fewer SQL injection vulnerabilities are being found. The likely reason is the use of built-in framework functions that carry out database queries securely.

Authentication schemes also seemed good this year. Most likely developers are aware of authentication, and development frameworks provide good support for it.

However, authorization in mobile and web apps is a total catastrophe. Total security meltdowns were seen because of it. A separate story needs to be told about authorization.

As an end note, I wish you all a Happy New Year 2020. I hope all your endeavors in 2020 are successful and secure.
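The gap between "authenticated" and "authorized" is the usual root of the meltdowns mentioned above: the user is logged in, but nothing checks that the record they ask for is theirs. The added example below (not code from the original post) shows a record lookup with and without an object-level ownership check, plus a denied-access log a defender can alert on. The session type, the invoice records and the role names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample records (assumption): invoice id -> owner user id and amount.
INVOICES = {
    101: {"owner_id": 1, "amount": 2500},
    102: {"owner_id": 2, "amount": 900},
}

# Denied attempts are recorded here; in a real app this would go to the audit log,
# where a burst of denials from one session is a strong signal of id enumeration.
DENIED = []


@dataclass(frozen=True)
class Session:
    """Result of a successful login (assumed shape): who the user is and their role."""
    user_id: int
    role: str


class Forbidden(Exception):
    pass


def get_invoice_unchecked(session, invoice_id):
    """Authenticated but not authorised: any logged-in user can read any invoice by id."""
    return INVOICES[invoice_id]


def get_invoice(session, invoice_id):
    """Object-level authorisation: the record is released only to its owner or an admin.
    Missing and forbidden records are refused the same way, so the response does not
    confirm which ids exist."""
    inv = INVOICES.get(invoice_id)
    allowed = inv is not None and (
        session.role == "admin" or inv["owner_id"] == session.user_id
    )
    if not allowed:
        DENIED.append((session.user_id, invoice_id))
        raise Forbidden(f"user {session.user_id} may not read invoice {invoice_id}")
    return inv


def can_read(session, invoice_id):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        get_invoice(session, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    bob = Session(user_id=2, role="viewer")
    admin = Session(user_id=9, role="admin")
    print(get_invoice_unchecked(bob, 101))   # bob reads alice's invoice: the bug
    print(can_read(bob, 101))                # False: ownership check refuses it
    print(can_read(bob, 102))                # True: his own invoice
    print(can_read(admin, 101))              # True: admin role
    print(DENIED)                            # [(2, 101)]
```

The check is deliberately placed in the data-access function rather than in the route handler, so that every caller (web, mobile API, background job) goes through it; authorization bugs usually come from one forgotten handler, not from a missing policy.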

References

  1. The Good, the Bad and the Ugly (1966) — https://www.imdb.com/title/tt0060196/
  2. Zone-H.org — Unrestricted information — http://www.zone-h.org/
  3. Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-itk On Debian Etch — https://www.howtoforge.com/running-vhosts-under-separate-uids-gids-with-apache2-mpm-itk-on-debian-etch
  4. Application Pool Identities — https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities
