Rory Alsop, Vice-President of ISACA Scotland and chairman of the Scottish branch of the IISP chaired a session titled "Key Security Risks and Practical Remediation." Audit Scotland hosted the session, and we had a good turnout representing the financial and government sectors as well as law firms and retail.
A quick introduction from round the table did confirm that the problems faced were common - low resource or budget, escalating security and risk requirements, ever increasing threats, targets spreading - not just large financial organisations any more, so the opportunity to outline some simple, effective activities which any organisation could carry out was highly appropriate.
For our regular readers, some or all of the following should be old news, however we still see so few organisations carrying out basic remediation activities that we would recommend reading and looking to see where you can improve the security in your environment through these simple steps. The risk areas were taken from OWASP, Verizon and WHID work to identify the most common issues.
We would stress that nothing here is a magic bullet to cure all ills, but if you can take some of the actions listed you will be improving your security baseline without incurring too high a cost:
Input ValidationVery old news, but:
- The top two web application security risks (OWASP top 10 list) are Injection and Cross Site Scripting, both of which can be successfully mitigated by strong input validation
- The 2010 Data Breach Report by Verizon lists the top two causes of breaches as use of Stolen Credentials and SQL Injection
- Examples include Worldpay from 2008 (over $9.4Million stolen) and the Royal Navy this week - this is still an issue
This is a relatively easy area to improve on:
- Popular frameworks have input validation modules – why not use them
- With modern applications, a call to an input validation module is often straightforward
- Never trust the client – validate all input at server side
- White listing or black listing - both are acceptable and have their own pros and cons
Also think about output encoding – providing strongly validated output will also help prevent SQL Injection and Cross Site Scripting attacks, although it typically requires more effort to accomplish.
Brute Force and Dictionary attacksMore old news, but:
- The 2010 WHID Report by the Web Application Security Consortium lists Brute Force attacks in the top 5
- Tools to carry out brute force or dictionary attacks are simple to use, prevalent and free
- Humans are still pretty bad at choosing strong passwords
Remediation should be in a number of areas:
- Brute forcing shows up in logs – typically it generates a high network load and can usually be spotted by simple statistical analysis tools
- Utilise exponential delays - eg 5 seconds after 1 failed attempt, 10 after the second, 30 after the third etc. This rapidly makes brute forcing unusable, without requiring account lockouts (which often require helpdesk resource)
- Awareness training works – for a few months at a time. Combined with regular password strength audits this can have lasting effect
Prevalence of 0-day exploitsFor organisations with significant assets that are targeted by organised crime (FS, Government, Pharmaceuticals etc.) there's an increasing likelihood that 0-days will be part of the attack. This throws an interesting light on defensive controls other than patching and configuration, as you can only patch for weaknesses you know about.
Use of IDS/Log monitoring becomes more important - you won’t necessarily catch the initial attack (no signature available) but you may be able to catch the attacker doing things afterwards. At the very least detective controls can help the incident response and clean up.
Defence in depth – another old mantra, but it helps. While a 0-day can get an attacker through a security device, or an application control, multiple layers require more work, or a longer time frame – during which time the issues may be patched.
Client-side AttacksKrebs reported on the increasing wave of attacks targeting Java (not javascript) on client PCs. It's a common mistake for client patching not to touch Java (especially as some applications require specific older versions).
Microsoft and Qualys have both confirmed the scale of the issue with over 40% of all PC’s being vulnerable, and over 90% of all successful exploits in the Blackhole toolkit and over 50% of those in the SEO Sploit Pack being through Java. The Crimepack and Eleonore exploit packs also show Java flaws to be the leading exploit vectors.
The simple answer is to remove Java from machines. Most do not need it!
For those that do need it, keep it up to date. Very few developers update their code with the latest revisions, which can hinder user uptake of the latest Java update, so ensure your developers are kept up to date.
As part of audit look at the budget assigned for product maintenance or ongoing development
The CloudMoving to ‘The Cloud’ is popular – it can save money on hardware costs, it is flexible, it can save power and is generally considered a good thing™ for business.
- Unfortunately it tends to break security structures, as layers which used to be in different environments, such as DMZs, may now be on the same physical platform, and may no longer have firewalls or other access control devices present
- The volatile and dynamic nature of virtual environments can mean asset registers and licensing are difficult to manage
- The tasks which used to be separated out to network, system, database and platform administrators may now be carried out by one team
Good practice includes the following steps:
- Model the new architecture on existing good practice
- Be aware of the requirements of a highly volatile asset register, and licensing requirements for dynamic assets
- Understand segregation of duties needs between administrators
Widespread DDoSWHID and Verizon indicate a dramatic increase in Distributed Denial of Service attacks:
- Blackmail, especially of internet gambling sites is on the increase
- Punishment DDoS (for example ACS Law) removing web sites from the internet in response to an action
- Bot net slots available for hire at cheap rates
(update - the DDoS against Burma last week shows the traffic levels which can be generated: at 10-15 Gbps this was significantly larger than the 2007 Georgia attack at 814 Mbps)
It is very difficult to resist a Distributed Denial of Service attack – even a small bot net can overwhelm a company’s Internet connection
Concentrate instead on resilience – do you have a fully tested business continuity plan or IT disaster recovery plan which can cope?
Does your ISP have mechanisms to mitigate such an attack?
IPv4 Address Space ExhaustionLittle bit more off the wall –
Whilst some of the stories around at the moment are probably more scare mongering than anything else, it seems likely that 2011 is going to see a greater restriction in IPv4 address and subsequently a big push to IPv6.
The interesting part is that a lot of security controls are dependent on IPv4 ways of thinking and there's also a big risk that new IPv6 implementations will require different ways of implementing network security and will be buggy early on.
- Review your networks to understand the security structures in the infrastructure and protocol stacks
- Work with your telecommunications and network service providers to ensure you are prepared
More GenerallyI would remind auditors that they need to not only ensure that each security management process is in place but that it works works.
A modicum of technical assurance work (vulnerability analysis by an experienced person) will go a long way.
Work in partnership with IS specialists to:
- Add value to audits and gain a more holistic picture of the current state of security
- Understand new threats and risks
- Always take a holistic look – what are the threats to the business, not just to IT
- Improve your security testing process – we have demonstrated over 30% savings through managing security testing and assessment efficiently
Threats will continue to develop – aim for resilience!
ReferencesOWASP Top Ten
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_ProjectVerizon Data Breach Report
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdfKrebs Java Security Report
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/WHID Security Report
https://files.pbworks.com/download/loBVUfSYDp/webappsec/29750234/WHIDWhitePaper_WASC.pdfPotaroo IPv4 Address Report
http://www.potaroo.net/tools/ipv4/index.html