The IBM X-Force report this quarter opens with a discussion of ransomware. The media tends to cover data breaches more often than ransomware incidents, but ransomware presents a growing threat.
According to the Federal Government, the demand for cyber security skills will grow by more than 20% – that’s 9,100 jobs – over the next five years. The problem is, there’s already a shortage. Veteran security professionals are in high demand, and recent university graduates do not have the practical experience required to reduce risk in a complex and growing IT environment.
Wired, Kim Zetter: For a site that touted itself as the premier cheating site for married people seeking partners for infidelity, Ashley Madison was relatively unknown until hackers broke into its servers and released more than 30 gigabytes of customer and company data this week, propelling it into the spotlight.
In the wake of reports today that the incidence of cybercrime attacks in Australia increased 20 per cent to 1131 last year, the Insurance Council of Australia (ICA) said business could no longer ignore the threat, which is estimated to cost the nation $1 billion a year.
White House officials are under fire over a new hack attack that exposed the sensitive personal information, including financial details, of more than 20 million current and former federal employees whose records were held by the Office of Personnel Management (OPM).
The world’s largest home improvement retailer has been hit by a massive data breach affecting debit and credit cards, with over 56 million cards impacted by the incident.
This latest data security incident at Home Depot comes hard on the heels of the Target data breach earlier this year, which saw the details of 40 million credit cards stolen and put up for sale on the black market.
While there is no evidence that debit card PINs were compromised in the Home Depot data breach, the investigation is still ongoing.
Home Depot has stated that the breach is worse than the Target breach, making it the largest retail card breach reported to that point.
The security firms hired by Home Depot to investigate initially found a variant of the same malware used against Target; however, Home Depot has since stated that the attackers "used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot’s security partners."
The cost so far is $64 million and is likely to increase as the investigation continues.
Photo Credit: Folkert Gorter
Have you given much thought to how you choose a security consulting firm?
You no doubt have lots of options available to you, but beyond the hype and marketing, how do you identify the right organisation to team up with? I have some thoughts to share on the right questions to ask, which can help you make a good choice and ensure a successful engagement.
Whether you need a penetration test, a security audit, a web application security assessment or the development of a complete security strategy, the questions you need to consider apply across the board.
By its very nature, finding the right security consulting firm is challenging, because you need to place a great deal of trust in the capabilities and integrity of the organisation. It is therefore critical to know who will actually be doing the work, which helps you understand their capabilities; to know what the deliverables will be, so you can assess the value they bring; and, finally, to be confident that you can trust them with your sensitive security information.
Here are some critical questions to ask when considering who will become your preferred firm -
1. Who are the individuals who will be completing the work?
All proposals, whether it is a straightforward penetration test or the development of a complete security strategy, should include a list of the individuals who will be working on your project. You need to know what sort of experience they bring to the table and how they add value to the engagement. We have always found that clients see value when we explicitly list who will be responsible for our engagements and their previous experience with similar projects.
2. What are the deliverables you will receive at the end of the engagement?
Before you make your decision, know what you are going to get at the end of the engagement. And what I mean by know is actually SEE a sample report. If you are getting a penetration test done, ask to see what the final output looks like – will it be suitable for the various stakeholders eyes? In particular -
What sort of language is used? Will it be suitable for your technical team, or is it better suited to auditors or regulators? What about board members? Each of these audiences has differing needs; some overlap, others not so much. So make sure you know your audience and that the final report reflects this.
Are the recommendations realistic, and do they take into account your risk appetite? Reports written with unrealistic, dramatic recommendations are hardly going to help improve your security posture.
On the flip side, technical audiences need a deeper dive into the specifics to allow them to remediate appropriately. So there is a fine balance, and it will be determined by the reason for engaging the service in the first place. From our experience, we are explicit in asking clients how they plan to use the deliverables so that the format is suitable for their purpose. We will always provide a sample report, so don’t be shy in asking for one next time you are evaluating a proposal!
3. What are their security practices like?
This question has become particularly poignant with the recent arrest in Australia of the self-proclaimed leader of LulzSec, who was actually working for a local security consulting firm on various government and enterprise accounts. This sent shivers down the collective spines of all the leading security firms, hopefully prompting them to take a closer look at their staff and their backgrounds. Be sure to check who is privy to your sensitive security information. We have made a point of ensuring our principal security consultants hold security clearances to the Highly Protected level under the Australian Government Attorney-General’s Department security classifications.
4. Understand the final price
You were wondering when I was going to get to this, weren’t you? My thoughts on this revolve around value, that is, what are you getting for your money? Are you comparing apples with apples when assessing the various proposals? Let’s take the example of a basic penetration test on a new web application. We all know that a good penetration test involves both manual and automated testing, and given that different security firms use different tools and techniques, how can you compare on price alone? A good place to start is the experience of the person doing the test, which tells you the level of expertise they will bring to the manual side. This goes back to the first point about the individuals working on your project: are they bringing expertise that is reflected in the price? Next, look at the automated tools they are using; some are free whilst others are significantly more expensive per engagement, and that will be reflected in the thoroughness of the final deliverables. From there you can judge what delivers greater value to you. However you measure value, ask for a clear, itemised list of the charges that make up the proposal.
In summary, security firms all differ in their capabilities, and finding the right one for you will depend on matching your expectations and the nature of the engagement with a firm that has the capabilities to deliver, and the integrity to give you peace of mind.
Thanks for stopping by.
Another day, another data breach.
It is an all too familiar scenario but have you ever stopped to think about how it happened and what could have been done to prevent it?
In 2012, a spokesperson for the professional social networking website LinkedIn wrote in a blog post: “We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.” As it turned out, through further media releases, hackers had downloaded files containing the password hashes of 6.5 million LinkedIn users. What’s worse, LinkedIn’s initial investigation reportedly did not uncover any security breach in its systems that corresponded to or explained the reported theft of these credentials. This was contrary to the experience of various individuals who found their own LinkedIn passwords published and freely available online. The position of not knowing whether LinkedIn had been breached was confirmed by an official tweet which stated: “our team continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred”.
You may be wondering, “so what?” Well, there are both financial and non-financial costs to an organisation when such a breach occurs. The most obvious financial loss was seen on the day the news broke, with LinkedIn’s shares falling despite the tech market rallying. Next, the LinkedIn CFO, Steve Sordello, told the market that the forensic work on the breach cost the organisation roughly $1 million. In addition, the security upgrades needed to fix the weaknesses that led to this breach were quoted at between $2 million and $3 million (considerably more than if security had been designed into the system when it was originally built). The non-monetary costs are harder to ascertain but are nevertheless just as real. Most organisations today understand the value of their reputation with their various stakeholders: customers, investors, suppliers and employees. There are countless studies linking trust and customer loyalty, so I don’t need to rehash them here, but an organisation operating a social network such as LinkedIn has a business model that relies on its users trusting it with information; after all, they are all about sharing information!
So what actually happened? LinkedIn has not been particularly forthcoming about when and how the compromise of its users’ passwords occurred, and it may be that LinkedIn does not know all the details itself. What did transpire is that LinkedIn had indeed suffered a security breach: almost 6.5 million hashed passwords were found in text files hosted on a server in Russia. The file consisted of 6,458,021 strings of 40 hexadecimal characters, consistent with passwords that had been put through the SHA-1 hashing algorithm with no salt. In other words, 6.46 million unsalted SHA-1 password hashes. For those of you not familiar with the terms “hashing” and “salt”: a cryptographic hash function takes an input such as a password and produces a fixed-length digest (40 hex characters for SHA-1) from which the input cannot be directly recovered; the stored digest acts as a fingerprint of the password that the site can compare against at login without ever storing the password itself. A salt is a random value, unique to each user, that is combined with the password before it is hashed. Without a salt, two users with the same password end up with the same hash, and an attacker can compute the hashes of common passwords once and look them up against every account in the dump.
We now know that there are some issues with SHA-1, but they are not the ones that matter here. SHA-1 has documented weaknesses in its collision resistance, which are largely academic for password storage; the practical problem is that SHA-1 is very fast to compute and LinkedIn used it without a salt. That means someone can use a massive precomputed lookup table, or “rainbow table”, to crack the password hashes: these tables map the hash of each candidate password back to the password, so a leaked hash is turned into its plaintext with a simple lookup. Building such tables takes real engineering and computation, but using one does not, and for unsalted SHA-1 they are freely available; a modern GPU can also simply test billions of candidate passwords per second against a dump of this kind. Personally identifiable data captured this way is bound for an underground market where it is sold to the highest bidder for further illicit gain.
In the case of the LinkedIn breach, of the 6.46 million stolen hashes posted on the Russian hacker forum, 3.7 million had already been cracked by the time they were discovered, using dictionary and brute-force techniques; the cracked passwords were more than likely the simpler and predictable ones that appear in the wordlists used by password-cracking software.
What could have been done differently?
What LinkedIn did not do was take it one step further and salt its users’ passwords. Simply put, SHA-1 hashing turns a phrase (such as a password) into a fixed-length string of characters using a set formula, and it is a good starting point. Salting means generating a random value (the salt) for each user, storing it alongside the hash, and hashing the password together with the salt rather than on its own; the order matters, because the salt has to go into the hash function, not be applied to its output. With a per-user salt, identical passwords produce different hashes and a precomputed table is useless, since the attacker would need a separate table for every salt value. Using SHA-256 instead of SHA-1 would have been a modest improvement, but a fast general-purpose hash, salted or not, still lets an attacker test enormous numbers of guesses per second. What actually makes cracking expensive is a deliberately slow, salted password hashing function such as bcrypt, scrypt or PBKDF2, which can be tuned so that each guess costs the attacker a meaningful amount of computation. A sound, slow hashing algorithm combined with a per-user salt would have made users’ passwords much more difficult for unauthorised users (the bad guys) to recover. This is considered good security practice because it defeats the common password-cracking shortcuts, such as rainbow tables, and slows down the remaining brute-force and dictionary attacks.
We also know that weak passwords chosen by users are asking for trouble. Password hygiene is critical in protecting against these dictionary and brute-force attacks. Examples of weak passwords include the following -
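The difference between what LinkedIn did and what it should have done, as an added example in Python (not code from the original post or from LinkedIn). The sample accounts and the attacker’s wordlist are constructed for the demonstration. It shows that bare SHA-1 hashes are recovered by a single table lookup and even reveal which users share a password, while a per-user salt with a slow key derivation function (PBKDF2-HMAC-SHA256 here, chosen as a standard-library stand-in for bcrypt or scrypt) defeats the lookup and makes each guess expensive.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample accounts for the demonstration. These are made-up users and
# passwords, not data from the LinkedIn dump.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "linkedin",
    "bob": "password1",
    "carol": "Tr0ub4dor&3",   # not in the attacker's wordlist
    "dave": "linkedin",       # same password as alice
}

# A tiny stand-in for the wordlists and precomputed tables attackers actually use.
ATTACKER_WORDLIST: List[str] = [
    "123456", "password", "password1", "linkedin", "link", "work", "jesus", "qwerty",
]


def sha1_unsalted(password: str) -> str:
    """How the leaked hashes were produced: bare SHA-1, giving a 40-hex-character digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: List[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext once; the same table works against every unsalted SHA-1 dump."""
    return {sha1_unsalted(p): p for p in wordlist}


def shared_password_groups(leaked: Dict[str, str]) -> List[List[str]]:
    """Unsalted hashes leak which accounts share a password: identical hash means identical password."""
    groups = defaultdict(list)
    for user, digest in leaked.items():
        groups[digest].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def crack_unsalted(leaked: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Recover the plaintext for every account whose hash appears in the lookup table."""
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def hash_salted(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Store a password with a random per-user salt and a slow KDF.

    600,000 iterations of PBKDF2-HMAC-SHA256 is the OWASP Password Storage Cheat Sheet baseline;
    bcrypt, scrypt or Argon2 are equally good choices. The salt is stored in the clear beside
    the digest, which is fine: its job is uniqueness, not secrecy.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare avoids timing leaks."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unexpected hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def leak_and_crack() -> Dict[str, str]:
    """Simulate the LinkedIn scenario: an unsalted SHA-1 dump met with a precomputed table."""
    dump = {user: sha1_unsalted(pw) for user, pw in SAMPLE_USERS.items()}
    return crack_unsalted(dump, build_lookup_table(ATTACKER_WORDLIST))


if __name__ == "__main__":
    dump = {user: sha1_unsalted(pw) for user, pw in SAMPLE_USERS.items()}
    print("accounts sharing a password:", shared_password_groups(dump))
    print("cracked by table lookup:", leak_and_crack())
    salted = {user: hash_salted(pw) for user, pw in SAMPLE_USERS.items()}
    print("salted hashes differ for alice/dave:", salted["alice"] != salted["dave"])
    print("login check for alice:", verify_salted("linkedin", salted["alice"]))
```

Running it, three of the four sample accounts fall to the table in one pass and alice and dave are exposed as sharing a password, while the salted store gives them different hashes and forces the attacker to spend 600,000 HMAC computations per guess per account.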
Foul language – passphrases that contain foul language are weak and are near the top of any brute force dictionary used in these attacks
Bad relationship – users who make up passwords related to a website. So in the case of LinkedIn, the use of “link”, “work”, “job”, “connect” are up there in obvious choices
Religious terms – terms such as “jesus”, “god”, “angel” are also considered obvious and very weak on their own or in a phrase
The word “Password” is an incredibly common password and is considered an obvious and weak password
Number trails – the use of “12345”, “654321” and any variation of these are all in the top 30 phrases
Knowing this, companies like LinkedIn need to be more proactive in how they manage and secure user passwords, by instituting a password policy that mandates what can and cannot be used as a password on their site, and by rejecting, at registration and at password change, anything that appears in a list of known weak or previously breached passwords. If you are curious about what you should consider when selecting a password: make your passwords a minimum of 11 characters, include upper- and lower-case letters, numbers and symbols, and avoid anything that is part of a pattern or relates to the site you are logging into.
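A server-side policy check of the kind described above, as an added example rather than code from the original post: it enforces the 11-character minimum and character-class mix, rejects the weak categories listed (the word “password”, religious terms, site-related words, number trails) and flags repeated characters. The word lists are small constructed stand-ins; a real deployment would use a large breached-password list.

```python
import re
from typing import Iterable, List

MIN_LENGTH = 11

# Site-related words an attacker would add to a wordlist for this particular site
# (the LinkedIn examples from the post); a real deployment would tailor this list.
SITE_TERMS = ("linkedin", "link", "work", "job", "connect")

# A tiny sample of words found at the top of every cracking dictionary. In production this
# should be a large list of breached passwords, not a handful of strings.
COMMON_WEAK = ("password", "jesus", "god", "angel", "qwerty", "letmein", "welcome")


def has_number_trail(password: str, min_run: int = 3) -> bool:
    """True if the password contains a run of consecutive digits like 12345 or 654321."""
    for run in re.findall(r"\d+", password):
        if len(run) < min_run:
            continue
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str,
                   site_terms: Iterable[str] = SITE_TERMS,
                   common: Iterable[str] = COMMON_WEAK) -> List[str]:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures: List[str] = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        failures.append(f"too_short:{len(password)}<{MIN_LENGTH}")
    if not re.search(r"[a-z]", password):
        failures.append("missing_lowercase")
    if not re.search(r"[A-Z]", password):
        failures.append("missing_uppercase")
    if not re.search(r"\d", password):
        failures.append("missing_digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("missing_symbol")

    # Dictionary checks use substring matching on the lower-cased password, so "Password123!"
    # still fails even though it satisfies every character-class rule.
    for word in common:
        if word in lowered:
            failures.append(f"common_word:{word}")
    for term in site_terms:
        if term in lowered:
            failures.append(f"site_term:{term}")

    if has_number_trail(password):
        failures.append("number_trail")
    if re.search(r"(.)\1{2,}", password):  # aaa, 111, !!! and similar
        failures.append("repeated_characters")
    return failures


if __name__ == "__main__":
    for candidate in ("linkedin2013", "Password123!", "Abc!654321", "Correct-Horse-Battery-9"):
        result = check_password(candidate)
        print(f"{candidate!r:28} -> {'OK' if not result else ', '.join(result)}")
```

Returning every failure rather than the first one lets the registration page tell the user exactly what to change; the check runs server-side, so a client that skips it gains nothing.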
How about on the database side of security? The first thing to do is configure the database in line with your security requirements: authentication, network exposure, logging and the privileges granted to each account. Once the database has been configured that way, system administrators should take a snapshot of the configuration and run auditing tools that compare the running configuration against that baseline and alert immediately whenever an unauthorised change is made. Provided administrators actually review those alerts and their logs regularly, this could have helped LinkedIn recognise that a breach had occurred instead of not knowing what had happened until much later. A change management process is the other half of this: if every legitimate change is recorded and approved, any difference between the baseline and the running system that does not correspond to an approved change is, by definition, something to investigate, whether it turns out to be a mistake or a compromise. Controlling access to data on a “least privilege” basis is essential to accountability, integrity and confidentiality, and system administrators should periodically review user entitlement reports as part of a formal audit process. Encryption of the database, or of the operating system at the disk level, renders data unreadable to anyone who does not hold the key, so unauthorised users who obtain the raw files cannot read data they have no legitimate access to. Note that disk-level encryption protects data at rest; it does not stop an attacker who has compromised a running application or database account, because the data is transparently decrypted for them. Disk-level encryption can also help businesses satisfy PCI DSS requirement 3.4 (rendering stored cardholder data unreadable), provided the encryption keys and logical access are managed independently of native operating system authentication, as requirement 3.4.1 demands.
Finally, my favourite security topic: securing web applications. Identifying and remediating web application vulnerabilities must be one of the top priorities for any security-savvy online business. Today most organisations, LinkedIn included, depend on web-based software and systems to run their business processes, transact with suppliers and deliver sophisticated services to customers. Those systems can compromise the overall security of an organisation by introducing vulnerabilities that unauthorised users can exploit to gain access to business data or to users’ personal information. The idea that a business can address its web application vulnerabilities through a “secure by design” approach and by testing for security defects is not new, but keeping up to date with the latest attacker techniques is a challenge security professionals are all too aware of. Testing the security of a login page, or of the back-end process that serves the business logic, is crucial to achieving a good security posture.
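The snapshot-and-compare audit described above, as an added example (not code from the original post): it records a SHA-256 digest of each security-relevant configuration file, diffs a later snapshot against that baseline, and raises an alert for any change not covered by an approved change record. The file paths and contents are constructed in memory so the example runs offline; real tooling would read them from disk and run on a schedule.

```python
import hashlib
from typing import Dict, List, Set

# Constructed, in-memory stand-ins for a database host's security-relevant configuration.
# Real tooling would read these paths from disk; the content here is made up for the example.
BASELINE_FILES: Dict[str, str] = {
    "/etc/postgresql/pg_hba.conf": "local all all peer\nhost all all 10.0.0.0/8 scram-sha-256\n",
    "/etc/postgresql/postgresql.conf": "ssl = on\nlog_connections = on\nlog_statement = 'ddl'\n",
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
}


def snapshot(files: Dict[str, str]) -> Dict[str, str]:
    """Record a SHA-256 digest per file; digests are cheap to store and compare."""
    return {path: hashlib.sha256(content.encode("utf-8")).hexdigest()
            for path, content in files.items()}


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or changed between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def unauthorised_changes(diff: Dict[str, List[str]], approved: Set[str]) -> List[str]:
    """Anything not covered by an approved change record is an alert, not a line in a log."""
    touched = diff["added"] + diff["removed"] + diff["changed"]
    return sorted(p for p in touched if p not in approved)


def audit(baseline_files: Dict[str, str], current_files: Dict[str, str], approved: Set[str]) -> List[str]:
    """Full cycle: snapshot both states, diff them, and report the unapproved differences."""
    return unauthorised_changes(diff_snapshots(snapshot(baseline_files), snapshot(current_files)), approved)


if __name__ == "__main__":
    current = dict(BASELINE_FILES)
    # Approved change (a constructed ticket): log all statements rather than only DDL.
    current["/etc/postgresql/postgresql.conf"] = "ssl = on\nlog_connections = on\nlog_statement = 'all'\n"
    # Unapproved change: someone opened pg_hba.conf to the world with trust authentication.
    current["/etc/postgresql/pg_hba.conf"] += "host all all 0.0.0.0/0 trust\n"
    approved = {"/etc/postgresql/postgresql.conf"}
    print("diff:", diff_snapshots(snapshot(BASELINE_FILES), snapshot(current)))
    print("ALERT unauthorised changes:", audit(BASELINE_FILES, current, approved))
```

The baseline snapshot must be stored somewhere the database host cannot modify, otherwise an attacker with root on the host simply re-baselines after making their change.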
Take home message
Companies like LinkedIn need to be more proactive in how they manage and secure their systems. It is always worth keeping in mind that it is not enough to take whatever is the latest security solution on the market and tack it onto systems without looking at the whole technology ecosystem with security in mind. As we have seen time and time again, internet security is something that companies and users need to be proactive about.
Whilst it is easy to blame companies for not securing user information, particularly if the company was negligent in how it took care of that information, remember that security is also a collaborative effort. As a user, assume a defensive stance: presume that your information is valuable and potentially vulnerable, and do everything in your power to protect it.
Thanks for stopping by.
Today IBM has released its X-Force® 2013 Mid-Year Trend and Risk Report.
This X-Force® report provides insights into some of the most significant challenges facing security professionals today.
- Social media has become a top target this year and black markets have cropped up to trade on compromised and fabricated accounts on social media sites
- The number of SQL injection (SQLi) security incidents in 2013 continues to rise.
- The Watering Hole attack category has been used by attackers to successfully breach several high tech companies and government groups by exploiting trust
- More than half of all web application vulnerabilities reported publicly were cross-site scripting (XSS) vulnerabilities. However, the web application category represented only 31 percent of overall vulnerabilities, an improvement on previous years.
- Content Management Systems (CMS) vendors are doing a better job of keeping their products patched as 78 percent of all vulnerabilities in CMS software have been patched in the first half of 2013.
Many of the breaches reported in the last year were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice. Attackers seem to be capitalizing on this "lack of security basics" by using a model of operational sophistication that allows them to increase their return on exploit.
Watering hole attacks, which have continued, are a good example of how operational sophistication is being used to reach targets that were not previously susceptible: rather than attacking the target directly, the attacker compromises a legitimate site the target is known to visit and serves the exploit from there. Several high tech companies, as well as government agencies, have been successfully breached this way in recent months.
Attackers have also demonstrated enhanced technical sophistication in distributed denial-of-service (DDoS) attacks. The DDoS methods themselves are not advanced, but the techniques used to increase the bandwidth available to the attacker are a new and powerful way to halt business by interrupting online services.
Mobile devices are still a lucrative target for malware authors. Although mobile vulnerabilities continue to grow at a rapid pace, IBM X-Force researchers still see them as a small percentage of overall vulnerabilities reported in the year.
For more findings on web trends, spam and to understand the challenges so many enterprises face when it comes to vulnerability management download your copy of the IBM X-Force® 2013 Mid-Year Trend and Risk Report here
Thanks for stopping by.
Have you ever wondered what a company does when they do a penetration test for you?
How about effectively preparing to get the most out of your engagement? Well, read on, you may find a few tips to get you thinking about how you approach your next test as well as get a basic understanding of penetration testing.
This is the first in a series of discussions on the topic.
What is a penetration test?
Let’s start by looking at what a penetration test is: an unbiased security assessment of your product. The key word is unbiased, so it needs to be performed by someone outside the team who developed it. This can mean engaging an external vendor or, if you work in a large organisation, using security experts from other teams. A penetration test is a type of security assessment that simulates a real-world attack against one or more of your targeted assets. These assets can be networks, web applications, devices, infrastructure or anything else you think is important enough. With web applications now the target of more than 75% of attacks, we are seeing more and more penetration tests being done on web applications.
All good penetration tests, at a minimum, will cover the OWASP (Open Web Application Security Project) Top 10, a list of the most critical web application security risks currently seen in the security community. For those of you who are curious about what these are, the 2013 OWASP Top 10 can be found here. No matter what sort of penetration test you engage in, or any security service for that matter, choosing your provider will be key to how effective your engagement is. Some of the things to consider are who will actually be doing the test for you (do they have strong security knowledge?), what techniques they will be using and what tools they will be using. They need deep technical knowledge of testing environments and an innate curiosity for breaking software security. If you are interested in more information on effectively choosing a security provider, you may be interested in reading my article on Choosing a Security Firm, which you can find here.
Back to penetration testing….
There are three broad types of penetration tests -
Black box testing – the penetration testers have no knowledge of how the application works and have been given no insight into its structure
White box testing – the penetration tester has full knowledge of the source code and is able to test the application at that level. Knowing the source code allows testers to design test cases based on this knowledge
Grey box testing – the penetration testers have partial knowledge of the internal structure of the application.
What type of penetration test your application needs will depend on the scope of the project. In our experience, by far the most popular form of testing is white box testing as this allows you to specify what area of the application you would like to have the penetration testers focus on. There is also the reality of not being comfortable with having complete exposure of your applications to third parties and effectively giving penetration testers the green light to go their hardest. When considering what type of penetration test you need, think about why you are doing one in the first place and make it clear what your objectives are when scoping the project with your chosen security firm who should be able to provide you with recommendations to best achieve your objectives.
Why are penetration tests conducted?
So that brings us to the next question: why do organisations ask for penetration tests to be completed on their applications? In our experience, the most common reasons organisations come to us for penetration tests are:
Meeting regulatory requirements (PCI being the main one in Australia)
Meeting their customers’ requirements (given the lack of enforced information security regulation in Australia, in our experience this is the main reason penetration tests are requested)
Validating a risk or vulnerability management program’s effectiveness
Building a case for the importance of security by demonstrating the consequences of unaddressed vulnerabilities.
In Australia there are currently very few regulatory requirements calling for increased information security through vulnerability assessment or penetration testing; however, this may be set to change. At the time of writing, the Australian Federal Government has introduced a mandatory data breach notification bill into parliament, which could see the policy in force by March next year. You can read more about this development here. This could prompt organisations to tighten their own policies around penetration testing and security more generally. Time will tell.
Another point considered by organisations when thinking about penetration tests as part of their overall security strategy is where they are in the supply chain. This helps them work out how much of a target they actually are. Whilst technically any web application is open to attack, considering this point assists in working out how attractive of a target they are. Obviously the closer you are to cash, the closer you’ll be to getting attacked. The importance lies not in what you are doing but in qualifying the risks you face.
Another point to consider is whether your customers will be performing penetration tests on your products as part of maintaining and improving their security posture. What are the implications to your business if your customer finds a vulnerability in your product through their testing? We have had several cases where this has occurred on our engagements and it was never a good look for the upstream provider.
Of course, beyond what has been touched on here, there are many additional reasons for performing a penetration test, but whatever the driver, the test should fundamentally answer the question of whether the security of the system can be breached.
Stay tuned for my next installment where I will go through the practical side of what you need to have in place prior to starting your engagement and what to consider throughout the engagement to ensure you get the most out of each penetration test you complete.
Thanks for stopping by.
Photo Credit: Folkert Gorter
Top 3 Application Security Principles
Tim Vernum takes us through his top 3 application security principles – a must for development teams.
- Code Reviews
- Threat Modelling
- Vulnerability Assessments
When I’m doing security consulting to development teams one of the things we stress is that it’s important to start taking the first steps towards improving your security posture. Moving your development team so that it’s performing at the highest levels of maturity can take a lot of work (although I still recommend it), but the first step is … well … to take the first step.
Read more on Tim’s Secure by Design blog.