It is the end of the year and, like all other pundits, here is another idea on what 2013 will bring in the way of security issues. After reading a lot of the other predictions out there, I tend to agree with those from Verizon Business Services’ Data Breach Investigation Report researchers. While everyone else is predicting cyber-Armageddon as the biggest threat, the researchers at Verizon Business Services see a lot more of the same for 2013.
The biggest threat Verizon identifies is more attacks on authentication systems. This is most likely because your vendor or your developers talked you into storing authentication information in your database that is Internet facing. We see this all of the time with eCommerce and Internet banking solutions. The external user credentials end up being stored in the database along with order entry, inventory and pricing data. This is typically done because using a directory system for such purposes is difficult and, at times, not as functional as when authentication data is stored in and used from a database. Given the prevalence of SQL attacks, all of that information results in being available for the taking through a SQL injection attack. As a result, the attackers compromise the authentication system, gain access to everyone’s credentials, including administrators, and it is likely ‘game over’ regarding the rest of your security measures.
I want to touch next on social engineering because it is typically directly related to compromising authentication systems even though the second place attack method most concerning Verizon researchers is application attacks. Social engineering is all about tricking your end users into giving up key information so that an attacker can compromise your environment. The most common piece of information an attacker tries to obtain is an end user’s credentials for logging onto the network. Hence the reason why I wanted to discuss this after the authentication system attacks. Social engineering is the most insidious of attack methods because it does not involve any of an organization’s security technology. And worst of all, if social engineering is successful, all or most of your organization’s security technology is effectively neutralized as a result. That is because most organizations have little or no security once someone is on the inside.
Now let us look at the second most concerning attack to Verizon which is application attacks. Verizon is saying that application attacks are more of a threat to governments and large applications. Regardless of the target, any organization with an application presence on the Internet is a potential target such as with eCommerce or Internet banking. A lot of these applications are based on on-line frameworks such as IBM’s Websphere or Oracle’s Application Framework. It is not that these frameworks are insecure, it is that they still require development effort and it is those custom development efforts that do not guarantee a secure application. The problem comes from the fact that a lot of people believe that using a framework means that little to no security testing even though the amount of custom development done in these frameworks can be more extensive than starting from scratch. As a result, we see a lot of organizations tossing Internet applications into production with little or no security testing and then ending up with breaches as a result.
In addition, there are third party applications served up by application service providers (ASP). A lot of small and mid-sized businesses (SMB) use these sorts of applications to have an online presence. As a result, a lot of SMBs believe that these solutions do not require any security testing because the vendor and the ASP do that for them. However, we are encountering more and more attacks on SMBs, particularly those that have wealthy clientele such as country clubs and exclusive financial institutions because their applications are notorious for not being secure. SMBs are constantly amazed that; (1) they were targeted and, (2) the application was not bettered secured. Yet attackers know that while the take out of SMBs could be significantly less than a large organization, an SMB is usually easier to compromise because they do not have the security and monitoring resources of a large organization. As a result, SMBs are becoming a larger and larger target for attackers.
Finally, something that concerns me as the previously discussed threats is mobile devices and devices not under the organization’s control, also known as ‘bring your own device’ or BYOD. I think these devices will surpass the other three threats over the next few years because most organizations have difficulty maintaining security on their servers, desktops and notebooks, let alone something like an iPhone or an Android tablet. The worst thing about mobile devices is that they are so easily lost and it fascinates me how many people lose their mobile devices. The bottom line about mobile devices and BYOD is that you must be very, very careful as to what you allow these devices to access and how you grant that access. And you must make sure that these devices are not allowed to download information, even if encrypted, as that information is highly likely to be lost.
So what should you be doing regarding these threats? Here are my top things organizations should be doing to minimize the risks presented by these threats.
- Trust no one. This is particularly true of mobile devices or BYODs, but it also applies to your own internal systems. Forrester has promoted this in their ‘Zero Trust Model’ as well as me in the ‘Fort Knox Approach’. This is not as easy as one might think, but the approach makes sense in these days of attacks on authentication systems and social engineering approaches.
- Classify your data. This is usually a difficult project, but they pay dividends at the end because everyone understands why certain information cannot be allowed out of the control of the organization. It also allows people to justify to others why data cannot be allowed to be accessed by people that do not need access as well as via mobile or BYOD.
- Require encryption on mobile devices and BYOD. Even if you do not allow data to end up on these devices, you do not even want the memory or other information that might be inadvertently stored on these devices out of your control. As a result, if you encrypt these devices, there is a high likelihood that, if they are lost, the person finding them will just wipe them and start over.
- When possible, use a directory system for authentication. This is always painful for systems that operate outside of the traditional control environment of internal users. Directory systems are usually designed to be more secure than any sort of database authentication system because they are assumed to be at risk from the start. However, just because they are designed to be secure does not mean they cannot be implemented in an insecure manner. Windows Active Directory takes a lot of heat for being insecure; however a lot of that heat is due to silly implementations to support insecure authentication methods for compatibility.
- Conduct security awareness training. The only thing that minimizes social engineering is consistent and regular security awareness training. However, do not kid yourself or management. Everyone has their ‘moments’ and does something they should not. That said there are always those that just never seem to get it which is why you need other controls and monitoring to ensure you maintain your security. However, to just throw up your hands and say it is pointless is also not a position to take.
- Secure your applications. This means conducting application code reviews and testing applications before they are put into production not after the fact. Unlike networks where you need to put them into production before testing them, applications can be tested before going into production. It amazes me how many organizations put their applications into production and, by the time they finally get around to testing them, they have already been compromised. And while automated application code testing solutions are all of the rage, we still find that the best results come from the more traditional human code review not automated tools.
- Monitor your network and applications. This is a double edge sword. You know what to look for, however, you have so many ports open that it is near to impossible to recognize bad traffic from good traffic. And it is not necessarily the fault of your IT department as most packaged applications require an inordinate amount of ports open to function properly. However, the key thing to monitor, more than anything, is any traffic going outside of your network to an unknown location. When you see traffic going to Eastern Europe, China or any unexpected IP address, your monitoring system should generate an alert as that is typically a key indicator that you have been compromised.
Have a happy holiday season and I will “see” you all next year.