In 2007, world-renown security professional Bruce Schneier said in an interview that the convergence of security, where it’s built in vs. bolted on, could make our industry a fad. Has the adoption of the cloud and consumerization started to make this a reality in 2012? We think so, and while we don’t recommend you hang up your security hat to become a Starbucks barista just yet, infosec pros must adapt or risk extinction.
“The primary reason the IT security industry exists is because IT products and services aren’t naturally secure,” wrote Schneier in his blog. “If computers were already secure against viruses, there wouldn’t be any need for antivirus products. If bad network traffic couldn’t be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn’t have to spend billions every year making them secure.”
While Schneier may have been ahead of his time in 2007, the security industry has definitely changed in the past five years. In 2011, we saw executives starting to get involved, and security has become a topic on the tongues of consumers and enterprises alike thanks to hacker groups making headlines on the evening news. In the future Schneier envisions, product manufacturers “fold security into the underlying products, and the companies marketing those products will have an incentive to invest in security upfront, to avoid having to spend more cash obviating the problems later.”
Just look at the acquisitions: Intel bought McAfee, HP bought ArcSight, VMware bought PacketMotion. 2011 saw vendors begin to bake security into consumer and general IT products. The requirement for security in the cloud will accelerate this process. Here’s what you need to do to avoid extinction:
The built-in vs. bolt-on debate will continue to rage. But the fact is, more vendors will be promising built-in security, and while this will make the business decision to use certain products and services easier for management, it doesn’t mean you can let your guard down. Never assume that these products are more secure or won’t introduce risk into the organization. Rather, the risk will simply move from technical vulnerabilities to process and management—which, unfortunately, are some of the weakest areas in risk programs.
We all do it—open our email accounts and quickly fly through and delete the spam before settling in to sift through messages that have some value to us. But before you start clicking links or downloading files, are you certain that none of those seemingly valued emails is actually from a cybercriminal posing as someone else in a bid to install malicious software on your computer and steal your data and personal information?
There are some red flags that can help determine if an email is legitimate. Pass these tips on to others, so they can defend their information against cybercriminals, too.
Spelling and bad grammar: Legitimate companies employ copy editors to review content before circulation, so there should be no spelling or grammatical errors. Cybercriminals, on the other hand, tend not to worry about such niceties. Beware when you see misspellings or other grammatical inaccuracies.
Links in emails: Look before you click. Whenever an email contains a link that you want to access, before you click to open it, hover your cursor over the link to see if the addresses match. If not, refrain from clicking the link.
Threats: One sign that may indicate a phishing scheme is receiving a threat, such as, “Your account will be closed if you don’t respond by clicking the link below.” Another red flag is alerts that your security has been compromised.
Spoofing companies and websites: These are e-wolves in sheep’s clothing. Often, cybercriminals will place logos and other imagery belonging to the companies they’re impersonating into the message body, then link those images to their malicious scam sites. If you do click on an image and are brought to the supposed site, look closely at the URL. Some scammers will use an address that closely resembles the URL of the company they’re looking to imitate; an example would be http://www.applle.com. You can also use the hovering maneuver with images.
So now that you know what to be aware of, the next hurdle is determining what to do if you have been subjected to a scam. First, report it. If you’re a Microsoft Office Outlook user, attach a copy of the email to a new email and send it to reportphishing@antiphishing.org. Most importantly if you have been a victim, change all PIN numbers and passwords on any accounts that may have been compromised. Contact your bank or online merchant if threats were issued saying your account has been compromised. Call your financial institution and have a fraud alert placed on your credit reports. If your accounts have in fact been accessed, cancel those accounts and open new ones. Continue to closely monitor your account statements for unexplained transactions.
Passwords are a pain. The helpdesk hates resetting them. Security hates managing them. And users just plain hate them. The very term “password” reveals the fundamental flaw—we should be using pass phrases. Most modern operating systems, including Windows, OS X and Unix, support phrases with over 200 characters.
Uncle Sam has a better idea, which we’ll discuss. For now, let’s admit that security awareness trainers’ attempts to promote better passwords and our fancy policies to ensure complexity have failed. Part of the problem is that, to most organizations, a password of “Winter12” qualifies as complex. An analysis of the breached Sony accounts showed that while 93% of passwords were between six and 10 characters in length, only 1% contained an alphanumeric, and less than 1% were longer than 14 characters. The Top 3 passwords used: “seinfeld,” “password” and “winner.” Further analysis showed that 82% of passwords were found within rainbow tables.
So users make bad password decisions. We know this. But that isn’t the only reason they need to go. A problem just as significant as strength is that passwords and, for that matter, pass phrases provide authentication only once, when typed in or provided. There’s no mechanism for continuous re-authentication without interrupting user workflow. Think about the way attacks happen in the real world: ATM skimmers record PINs and reuse them later. The ATM has no way to know it was a fraudster who typed in the PIN. If a user walks away from a mobile device or PC, an attacker can jump on and take control of the session. Even metasploit, the open source exploit framework, has the ability to take control of RDP and VNC sessions from legitimate users.
This leads us to the requirement for continuous authentication in future system designs. Fortunately for enterprises, the U.S. government is putting our tax dollars behind R&D for just such a cause. The Defense Advanced Research Projects Agency (DARPA) has released a grant to promote development of “active authentication.” DARPA states: “The current standard method for validating a user’s identity for authentication on an information system requires humans to do something that is inherently difficult: create, remember and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus, unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console.”
DARPA’s recommendation solution is to develop a “cognitive fingerprint,” which is government speak for biometric tests that will include keystroke-latency analysis, eye scans, how a user searches for information, eye tracking and the speed with which a person reads content. The key is to develop a profile of an individual so that once an authorized user is authenticated, each move can reauthenticate the person, at a frequency as great as every second. With this technique, even if someone’s password is “seinfield” and an attacker takes over a session, the cognitive fingerprint won’t match and the session can be shut down. If an action requires administrative privileges, the cognitive fingerprint can provide the authentication system with additional statistical confidence that the user is actually who he’s supposed to be.
While passwords may not be gone completely in our lifetimes, the way we use them will change dramatically as additional metrics are brought online to authenticate and then continually reauthenticate users as they access a system. As technology like that behind Microsoft’s Kinect makes it into laptops, desktops and even smartphones, be prepared for new behavioral biometric authentication frameworks to make a strong introduction.
As audit season is finally over, (over 65% of all our assessments and audits happen in Q4) we finally have a chance to grab a cup of coffee and look back at a couple trends in 2011 that we think separate the best security teams from the worst.
First, we need to discuss how we measure the quality of a security team. At Savid, it is pretty simple. Since we perform ethical hacking to assess security programs at organizations, if we got access to something we shouldn’t have, it counts as an intrusion in our books.
Most reviews of security controls look at what went wrong because it’s harder to learn from the successes. So let’s get the major failures of 2011 out of the way and then let’s talk about what our best clients did to prevent us from breaking in. Overall, most of the security programs we assessed had application security issues. However, 2011 was the worst we have ever seen in terms of the depth and breadth of application security issues – even though the majority of the security programs we tested were in compliance with regulations such as HIPAA, PCI, and GLBA.
Ok, so with that out of the way, what did the best security teams do to prevent our ethical hackers from breaking in? One Thing: Defense In Depth. 2011 was the first year where we saw significant advancements in defense in depth deployments among our clients. For example, we saw a noticeable increase in proper system hardening (using standards such as CIS and NIST) and reduction of excessive permissions that stopped our attacks cold.
Properly deploying defense in depth can be the distinction between a data breach requiring notification or a simple documented incident. The difference between the two for some organizations could be millions of dollars. Oh, and it also has a side effect of making most malware non-functional by preventing the malware from creating temporary files, accessing DLLs, etc. Remember, an attacker can’t exfiltrate data if the exfiltration tools won’t run!
So, how did the defense in depth stop our hacking? Most of the time we were able to get entry into a server or application but because of defense in depth we weren’t able to leverage that entry for any gain (such as privilege escalation, intellectual property, or personally identifiable information). For example, if we got access to an application via SQL injection, we weren’t able to execute any commands on the server because the SQL server was hardened to prevent usage of xp_cmd and the SQL service account had no local permissions on the box to do anything other than access the database files and folders. Another example is when we got access to a Linux system running a custom PHP login system via an upload vulnerable and a PHP Shell script. The hardening of Apache and the file system prevented our low privileged web server service account from reading local files, creating files, etc. Essentially, the account we got control of was useless and the attack vector wasted our time and effort.
Wasting an attacker’s time and effort is exactly what you as the defender want to do. Every minute an attacker is stalled or delayed is more time for your detective controls such as IDS/IPS, Logging, or even Tripwire like defenses to detect an attack. We recommend that every security program have a simple theme: If You Cannot Prevent It, Detect It. Leveraging defense in depth provides additional detection points along the attack path. Every time a low privileged user attempts to access the Accounting Share – detect it. Every time a server in your DMZ attempts to connect to a server in the internal network (which should be blocked by the firewall) detect it and respond to it. These are all indicators that the server is doing something it shouldn’t.
Our number one recommendation when deploying defense in depth with proper detection controls is the use of fake records – commonly called “honeytokens”. For example, if you have a public web application that has access to an internal database server through a firewall, place a fake record in the database using a randomly generated 30-64 character value. This record has no value and should never be accessed via normal web application use. If your firewall, web filter, or DLP system ever sees this traffic move across the network – something went wrong and you need to find out why.
Every year Verizon releases their Data Breach investigations Report and year after year they mention the same problem: The time between a breach occurring and detection of the breach is too long, sometimes it takes years! So this year, add some more defense in depth controls to your security program and watch how quickly it helps reduce the impact of a vulnerability.
As we all know, online shopping is nothing new but as its popularity continues to grow so does the malicious threats that can occur during your shopping experience. That is why we want to provide you with some reminders and tips on how to make you’re online shopping a safer experience. We also encourage you to share these tips with your family who may make online purchases too.
There are a few simple precautions you can take to further secure yourself before you make your online purchases. First make sure you have a web filter in place that will warn you of suspicious websites. Keep your web browsers up to date too. Often times the site you are shopping on is legitimate but if your computer is infected with keyloggers and other malicious viruses you can run the risk of your credit card data being stolen.
It is always best to shop at familiar websites but if you are looking at products or services from an unfamiliar sight do a little research before you begin; find out what other consumers have to say about the store or seller. Epinions.com and BizRate.com give customer evaluations that may help you determine the legitimacy of the company. It is also a good idea to review the website for the BBB and or TRUSTe approval icons. Be sure to click those icons to ensure that they take you to those accredited sites and that you can find the companies name within their listings. Often times harmful sights will display the graphic with no link so be aware.
Remember, before entering your personal data and credit card information check the connection of the website out to make sure it is encrypted. The URL will start with (http“s”) and also look for the padlock icon in the address bar or right corner of the window. Be aware of any warnings that your computer gives you regarding the security certificate of the site, when in doubt find somewhere else to shop.
Keep in mind when choosing a payment method it is always best to use PayPal if it is an option, that way your credit card and bank account information will not be shared with the merchants and sellers. PayPal will also protect you against fraudulent charges and if there are problems with your purchases. Once your purchases are made it’s always a good idea to check your bank accounts and credit card statements to ensure the proper amount was charged; if the charges are wrong contact the website where your purchases were made immediately along with calling your Credit Card Company to inquire about a “charge back”.
We hope that by keeping these tips in mind that you will continue to enjoy shopping online and are more secure in doing so.
