Do you have a dedicated Chief Information Security Officer? If not, the cost of implementing security may be up to 62% higher according to the Veracode infographic that discusses securing web applications. A CISO can help focus on the top 10 application security risks that are detailed in the infographic.
Audit season is finally over (over 65% of all our assessments and audits happen in Q4), so we have a chance to grab a cup of coffee and look back at a couple of trends in 2011 that we think separate the best security teams from the worst.
First, we need to discuss how we measure the quality of a security team. At Savid, it is pretty simple. Since we perform ethical hacking to assess security programs at organizations, if we got access to something we shouldn’t have, it counts as an intrusion in our books.
Most reviews of security controls look at what went wrong because it’s harder to learn from the successes. So let’s get the major failures of 2011 out of the way and then let’s talk about what our best clients did to prevent us from breaking in. Overall, most of the security programs we assessed had application security issues. However, 2011 was the worst we have ever seen in terms of the depth and breadth of application security issues – even though the majority of the security programs we tested were in compliance with regulations such as HIPAA, PCI, and GLBA.
Ok, so with that out of the way, what did the best security teams do to prevent our ethical hackers from breaking in? One Thing: Defense In Depth. 2011 was the first year where we saw significant advancements in defense in depth deployments among our clients. For example, we saw a noticeable increase in proper system hardening (using standards such as CIS and NIST) and reduction of excessive permissions that stopped our attacks cold.
Properly deploying defense in depth can be the distinction between a data breach requiring notification or a simple documented incident. The difference between the two for some organizations could be millions of dollars. Oh, and it also has a side effect of making most malware non-functional by preventing the malware from creating temporary files, accessing DLLs, etc. Remember, an attacker can’t exfiltrate data if the exfiltration tools won’t run!
So, how did the defense in depth stop our hacking? Most of the time we were able to get entry into a server or application, but because of defense in depth we weren’t able to leverage that entry for any gain (such as privilege escalation, intellectual property, or personally identifiable information). For example, if we got access to an application via SQL injection, we weren’t able to execute any commands on the server because the SQL server was hardened to prevent usage of xp_cmd and the SQL service account had no local permissions on the box to do anything other than access the database files and folders. Another example is when we got access to a Linux system running a custom PHP login system via an upload vulnerability and a PHP shell script. The hardening of Apache and the file system prevented our low privileged web server service account from reading local files, creating files, etc. Essentially, the account we got control of was useless and the attack vector wasted our time and effort.
Wasting an attacker’s time and effort is exactly what you as the defender want to do. Every minute an attacker is stalled or delayed is more time for your detective controls such as IDS/IPS, logging, or even Tripwire-like defenses to detect an attack. We recommend that every security program have a simple theme: If You Cannot Prevent It, Detect It. Leveraging defense in depth provides additional detection points along the attack path. Every time a low privileged user attempts to access the Accounting share – detect it. Every time a server in your DMZ attempts to connect to a server in the internal network (which should be blocked by the firewall), detect it and respond to it. These are all indicators that the server is doing something it shouldn’t.
Our number one recommendation when deploying defense in depth with proper detection controls is the use of fake records – commonly called “honeytokens”. For example, if you have a public web application that has access to an internal database server through a firewall, place a fake record in the database using a randomly generated 30-64 character value. This record has no value and should never be accessed via normal web application use. If your firewall, web filter, or DLP system ever sees this traffic move across the network – something went wrong and you need to find out why.
Every year Verizon releases their Data Breach Investigations Report, and year after year they mention the same problem: the time between a breach occurring and detection of the breach is too long; sometimes it takes years! So this year, add some more defense in depth controls to your security program and watch how quickly it helps reduce the impact of a vulnerability.
A new video from Tony Czarnik, our Security Practice Manager!
This two part video series will discuss what application security is, how to identify application security flaws and how to build an application security program specific to your organization while reducing operational costs and staff requirements.
You don’t need a sixth sense to detect when a fellow IT security pro is engaged in a hot project, like implementing a defense in depth strategy, a DLP tool or a PenTest project, when for 10 hours a day they can role play as a nefarious, ethical hacker. They spring out of bed without an alarm, their iPod rocks as they think of their project on the way to work, and they usually work while others sleep. And as they sense the success of their project is in reach, there is a gleam in their eye like Melvin Purvis knowing Dillinger will be at the Biograph theatre that night. Yes, that’s you. The details are different, but you act with the same focused purpose when you are engaged with a hot project.
Unfortunately, “productive you” has been dulled by the recession. You look at the clock. It’s 9:03- Your hot project lost budget. 9:07- You start to feel like you’re just hanging out at the office, daydreaming about the receptionist or what you’re going to do this weekend. 9:13- “Will I be the next budget cut?” Or maybe you’re forced into endless, mindless, maintenance and you begin to feel like the same worthless, infinite loop that “victim you” is attempting to debug. Maybe you’ve become a cash cow and you’ve lost touch with the leading edge you once steered like a snowboard. If you resent, but resemble this description, STOP. It’s time to wake up the “pro-active you”.
Learn and Grow. It even sounds healthy and positive, like water and sunlight to a plant. I’m not going to try and talk you out of investing in night school, but you don’t need money, homework and someone else’s schedule to learn. There’s a lot of negativity about our current economy. Want a silver lining? There has never been a time when you and I could take advantage of the plethora of free information for educational purposes as we can today. Think about it. “How would you like your free industry knowledge, miss? For here (seminar)? To go (white paper)? or delivered into cyberspace (webinar)?”
Complimentary subject matter expertise and contributing back to the community are key foundational components of the Savid Technologies business model. In my Security Practice Manager role, I am deep into developing an immense library of IT security and compliance literature. It’s already pretty solid. Savid’s Marketing team, in conjunction with our Web Development team, has created an easy and efficient self service system for your convenience. Just check it out at www.savidtech.com. Look for new, relevant and insightful information every month on technology, methodology and industry metrics. On our website, you can also view the upcoming complimentary, educational events, or download our informative whitepapers. If what you are looking for is not there yet, just contact Kelly or Angela in Marketing (877-307-0444). They’ll hook you up with free industry knowledge, for here, to go, or delivered into cyberspace. I will also make time to discuss IT security with you. If I don’t know it, I will connect you with the right resources.
One last note. Consider attending our monthly Chicago IT Security Meetup. Next meeting’s topic and registration can be found at: http://www.meetup.com/The-IT-Security-Group-of-Chicago/. I gotta go now and finish my week’s work; I’ve got a long list of research topics for Saturday morning.
I attended the RSA conference this year, as I always do, and spent most of the time talking with attendees and clients about what they were learning and trends they were seeing. Here is a summary of what we discussed.
Although mobile security concerns seem to be a theme, I tried to dig deeper, and it seems that more than a few people are concerned about the upcoming changes to Facebook’s currency model. Facebook plans to force all users to use “Facebook Credits”. The worry is that since Facebook is on virtually every smartphone in the world, the digital wallet may come to the consumer faster than expected via Facebook. The Facebook Credits system is similar to PayPal or Google Checkout; however, since mobile phones don’t normally contain identity information, they haven’t really been targeted. Once a Facebook account can store credits, like a bank account, having a mobile virus or Trojan that steals your Facebook login/password will be akin to stealing your bank account username and password. I think we have heard this story before…
The cloud is always a hot topic, but it seems as if nothing has changed. It is all about cost savings, whatever the cost to security. As Dave, CSO at eBay, put it: Vivek Kundra, White House CIO, plans to save over 20 billion by moving to the cloud, and when you are saving 20 billion, who lets security get in the way?
Other people were more realistic and have conceded that the cloud will happen and they need to have data classification and risk management processes in place to ensure the *right* data moves to the cloud. A couple of cloud vendors mentioned that they will need to educate their customers on how to do risk management and data management so that their customers can securely move to the cloud. This is a departure from the “We don’t talk or tell you about our security processes” stance the cloud vendors had last year.
Also, Symantec is making a big splash with their .cloud initiative, which is a marketing rebranding of all their cloud offerings including cloud based endpoint protection, cloud email encryption and filtering, and cloud based web filtering. While the moniker may be funny and many have laughed at it, it is simple and effective. AV.cloud sounds much better than “cloud based anti-virus”. Marketing changes aside, not much has changed in terms of the technology behind the solution, but Symantec is committed to heavily investing in .cloud and becoming the premier cloud security services provider in the world.
As I met with attendees and vendors, I asked whether CIOs were adding cloud security services into their ROI analysis when moving their data to the cloud; almost everyone said no. Is this an indicator that cloud services don’t apply to the enterprise, or perhaps that the security CIOs want is “real security controls” on the platforms, operating systems, and databases in the cloud rather than just moving their security tools from on-premise to the cloud? It seems to me the only people looking at cloud security services are SMBs.
According to the Wall Street Journal:
A 24-year-old living with his mother in France was arrested for ‘hacking’ into Obama’s Twitter accounts in April 2009. Apparently he guessed the answer to a question related to password recovery in order to break into the accounts of famous people; he has no computer science training or financial motive. He posted screenshots to a few online forums, and Twitter found out within a few hours, either from a tip or from noticing when someone from France logs onto Twitter as the President of the United States. (He did not actually tweet as POTUS, but just wanted to show he could break into the account.)
Now, this is news in and of itself, but the interesting part is that the following academic paper, released about three weeks ago, showed how easy this hack really is to carry out. In this paper, Joseph Bonneau of the University of Cambridge and two colleagues from the University of Edinburgh show how hackers stand a 1 in 80 chance of guessing common security questions such as someone’s mother’s maiden name or their first school within three attempts.
According to the blog post announcing the paper’s release, Joseph Bonneau states:
There’s finally been a surge of academic research into the area in the last five years. It’s been shown, for example, that these questions are easy to look up online, often found in public records, and easy for friends and acquaintances to guess.
This is probably what happened to President Obama’s account. It would be interesting to know what the answer to Obama’s secret question was, but it is very difficult to find the screenshots referenced in the WSJ article. The academic paper continues:
It turns out the majority of personal knowledge questions ask for proper names of people, pets, and places, and the rest are trivially insecure (eg “What is my favourite day of the week?”).
Which is why your system should never ask for things like that. Companies are starting to try and solve this problem. At RSA there was a new company, RavenWhite, which seemed to have a unique new approach which you can learn about at http://www.ravenwhite.com/iforgotmypassword.html
People really need to rethink the way they implement security for the end user. There is no way any automated technology could have prevented Obama’s account from being attacked, simply because the attacker was using the system in the perfectly intended way. It is what the user did afterward that differentiated the attacker from an actual Twitter user.
Christian Moldes of Verizon Business has a great post about plane crashes and security breaches and how they are very similar. He hits it right on the head! During our engagement wrap-up meetings, where we explain the various potential scenarios an attacker can use to break into a client’s network, we are always asked to put a specific ranking on a specific risk. I argue that this almost doesn’t matter, because normally the big breaches are not from a single vulnerability but from many chained together.
Christian quotes Malcolm Gladwell, and says:
The typical [plane] accident involves seven consecutive human errors.
When we work with clients we normally see that breaches are caused by a chaining of at least three errors: exploitation of a vulnerability, then a misconfiguration is used to find a privileged account user name and password, and then data is found on the network somewhere it wasn’t supposed to be that the privileged account has access to.
Even with many controls in place you cannot always prevent a security breach. This is the exact reason why we recommend that incident response policies and processes (Which should be tested like you test your Disaster Recovery processes!) should be the FIRST THING you implement when building a security program at an organization followed by detective controls such as logging to detect a breach as soon as possible.
Just when I thought we were finally realizing that we need to protect our web applications from common SQL injections, an enormous bust proves that we still have a long way to go.
Albert Gonzalez aka “soupnazi” has been indicted by a federal grand jury for allegedly hacking into retail and financial company computers and stealing more than 130 million credit and debit card numbers. According to the U.S. Department of Justice, this represents the largest data breach indictment ever brought in the United States.
How did “soupnazi” pull off the largest data breach indictment ever in the US? With a standard SQL injection attack, of course.
The indictment explains the simple, step-by-step process that Gonzalez and his coconspirators used to hack the platforms, test and install malware, and finally erase their tracks. Breaking in was easy, but Gonzalez used sophisticated techniques to avoid detection. They connected to corporate computers through proxy servers, and tested their malware against 20 different antivirus programs. After doing the dirty work, the malware attempted to erase signs of its presence. Despite all this, “soupnazi” and his Russian coconspirators were caught.
“This investigation marks the continued success of law enforcement in tracking down cutting edge hacking schemes committed by hackers working together across the globe,” said Acting U.S. Attorney Ralph J. Marra, Jr. in a statement.
Of course, it also marks the continued failure of corporations to protect their web applications.
It’s an extremely common form of attack. Attackers craft strings they can inject into an SQL database because user input is not properly filtered. You can actually look up SQL injection on Wikipedia to learn some of the common injection lines that will succeed against over half of all web applications, as well as how to configure your applications to only accept properly structured and expected input.
There’s really no excuse to be lazy here. It takes very little effort to make a web application resilient to these kinds of attacks. Of course, with prevention, we tend to only make the effort after we’ve suffered a breach.
Sometimes IT security budgets defy logic. Most companies blow their IT security budget on network security, even though most vulnerabilities actually come from web applications. I’m not sure what is behind the misconception, but this is another example of how awareness is often our best defense against attacks.
Cenzic just released a report about web applications with alarming statistics. At least 80 percent of all applications suffer from severe vulnerabilities. This would explain why at least 75 percent of hacker attacks occur through websites. It is unacceptable to ignore these numbers. Web applications are among the top assets holding your customer information that need to be protected.
Cenzic tested hundreds of applications with thousands of pages. The vulnerabilities found in 80 to 90 percent of these applications include Information Leaks and Exposures, Cross-Site Scripting, and Session Management. This data is derived from the published vulnerabilities of both commercial off the shelf software as well as open source software.
According to the report, web technology vulnerabilities consist of about 80 percent of all vulnerabilities published in the latter half of 2008. This is an alarming trend, since the percentage is up from 70 in the first quarter, and only 73 percent in the second quarter. This is the highest percentage we have seen yet and Cenzic expects the percentage to continue growing into 2009 as more organizations get exposed to web application security.
Of the different types of web technology vulnerabilities, 79 percent are web applications while 12 percent are Active X & Plugins, 7 percent are web browsers, and 2 percent are web servers.
The problem seems to be that security requirements are just not considered in the system design of web applications. This makes it hard for vulnerabilities to be detected and eliminated while attackers find these vulnerabilities first. Security should always be considered in the software development lifecycle, and this should be obvious for webfacing applications.
This is old news to some but worth repeating, because I think it needs to be banged into some security professionals’ and developers’ heads. Last year HackersBlog had an interesting blog post. This time they have angered multinational mobile phone operator and internet service provider Orange by publicizing a security vulnerability on their blog. With a simple SQL injection attack, “Unu” was able to dig up the names, email addresses, and passwords of over 245,000 members. Of course, now Orange has prepared legal action against HackersBlog.
It seems like every time I hear about a hack, it is always done with an SQL injection. SQL injections breached Kaspersky, Trend, Computer Associates, and even U.S. Department of Defense servers. I was not surprised to find out that over 60% of websites are actually vulnerable to SQL injection by some estimates.
SQL injection or insertion vulnerabilities usually come from poorly-designed web applications that allow for hackers to interact with a database because input is incorrectly filtered for string literal escape characters and then passed into an SQL statement. This gives control of your server to an attacker by giving them the ability to read, write and manipulate all data stored in your backend systems.
SQL injection attacks are incredibly easy to both execute and prevent. It’s astonishing that they still remain a frequent problem for webmasters. A simple search engine query will give you dozens of pages with detailed instructions on how to prevent or execute basic SQL injections – it’s even on wikipedia. There are expensive product packages out there that protect against SQL injection, but they are really only necessary to prevent against the most “advanced” attacks.
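The flaw described in this post and in the Gonzalez post above (input passed into an SQL statement without escaping) beside its fix, as an added example in Python with SQLite. This is not code from the original posts; the user table and rows are constructed sample data, and the crafted input is the textbook tautology from the Wikipedia article both posts point to. The point is the contrast: the same input against a concatenated query and against a bound parameter.

```python
import sqlite3


def new_user_db():
    """In-memory user table with constructed sample rows (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("o'brien", "hash-c")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The defect the posts describe: user input is spliced into the SQL text, so a
    quote in the input ends the string literal and the remainder is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, username):
    """Parameter binding: the value travels separately from the statement text and
    can only ever be compared as data, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_expected_username(username):
    """Allow-list check for 'properly structured and expected input'. It complements
    binding rather than replacing it: binding is what stops injection, this stops
    junk from reaching the query at all."""
    return 1 <= len(username) <= 32 and username.replace("_", "").isalnum()


if __name__ == "__main__":
    db = new_user_db()
    crafted = "x' OR '1'='1"   # classic tautology input from the Wikipedia article
    print("concatenated query:", find_user_vulnerable(db, crafted))     # every user
    print("bound parameter:   ", find_user_parameterized(db, crafted))  # nothing
    print("allow-list:        ", is_expected_username(crafted))         # False
```

The concatenated version also fails on a perfectly legitimate name containing an apostrophe (the constructed "o'brien" row), because the quote breaks the statement; the bound version returns that row correctly. That is why binding is the primary control: it fixes both the security bug and the correctness bug, and the allow-list is a second layer for fields whose shape you genuinely know in advance.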
These kinds of attacks seem to be on the rise with the ubiquity of web applications. Cenzic was wise to remind us that 80% of web applications contain security vulnerabilities, most likely SQL injections vulnerabilities.
It’s all pretty inexcusable. Even someone with little or no background in IT security could check and correct the common vulnerabilities found in web applications that employ SQL. And if this were done, we would knock out a huge chunk of all overall security breaches on the web. The issue seems to not be a lack of education but a lack of prioritization by project managers and management to allow developers time to actually solve application security vulnerabilities instead of pushing them to get a release out.