The popular social news site Reddit was breached with an XSS exploit. Of course, the article does not indicate what, if any, protection methods Reddit was using to prevent this most popular of web site exploits. I wonder how they would do if an auditor showed up tomorrow using CSIS's Twenty Critical Cyber Security Controls (I previously posted) as a reference.
Every consultant and vendor has a theory about the top cyber security risks. But what's really going on? SANS has the answer. Last week they released their analysis of threat and vulnerability data collected from 6,000 organizations and 9 million systems during the period from March 2009 to August 2009.
SANS says that two threat types dominate the analysis, both of which are tied to Web 2.0:
- Threats associated with people using Web 2.0 applications, i.e. their workstations' vulnerabilities that are not patched and are exploited when they visit web sites.
My take: While the hype around NAC has definitely waned, the importance of comprehensive and continuous end point discovery, vulnerability analysis, configuration compliance checking, and patching at the application level as well as the operating system level is increasing.
- Organizations' Internet-facing web sites remain vulnerable to threats like SQL Injection and Cross-Site Scripting.
My take: It's clear that using a rigorous Software Development Life Cycle process is just not getting the job done. Web application firewalls are a must have.
Marketing and Sales teams can benefit from using Web 2.0 social networks like Facebook to reach new customers and get customer feedback. It's about conversations rather broadcasting. So simply denying the use of Facebook due to security risks and time wasting applications is not a good option, much as in the 90's denying access to the Internet due to security risks was not feasible.
IT Security 2.0 requires finer grained monitoring and control of social networks like Facebook as follows:
- Restrict access to Facebook to only those people in sales and marketing who legitimately need access.
- Facebook is not a single monolithic application. It's actually a platform or an environment with many functions and many applications, some of which are pure entertainment and thus might be considered business time wasters. Create policies that restrict usage of Facebook to only those functions that are relevant to business value.
- Monitor the Facebook stream to detect and block incoming malware and outgoing confidential information.
Palo Alto Networks, which provides an "Application/User/Content aware" firewall (is that a mouthful?), appears to be able to provide such capabilities. Perhaps we might call it a Web 2.0 network firewall.
Is anyone aware of another firewall that can provide similar functionality?
McKinsey's just released report on its third annual survey of the usage and benefits of Web 2.0 technology was enlightening as far as it went. However, it completely ignores the IT security risks Web 2.0 creates. Furthermore, traditional IT security products do not mitigate these risks. If we are going to deploy Web 2.0 technology, then we need to upgrade our security to, dare I say, "IT Security 2.0."
Even if Web 2.0 products had no vulnerabilities for cybercriminals to exploit, which is not possible, there is still the need for a control function, i.e. which applications should be allowed and who should be able to use them. Unfortunately traditional security vendors have had limited success with both. Fortunately, there are security vendors who have recognized this as an opportunity
and have built solutions which mitigate these new risks.
In the past, I had never subscribed to the concept of security enabling innovation, but I do in this case. There is no doubt that improved communication, learning, and collaboration within the organization and with customers and suppliers enhances the organization's competitive position. Ignoring Web 2.0 or letting it happen by itself is not an option. Therefore when planning Web 2.0 projects, we must also include plans for mitigating the new risks Web 2.0 applications create.
The Web 2.0 good news – The survey results are very positive:
"69 percent of respondents report that their companies have gained
measurable business benefits, including more innovative products and
services, more effective marketing, better access to knowledge, lower
cost of doing business, and higher revenues.Companies that made
greater use of the technologies, the results show, report even greater
benefits. We also looked closely at the factors driving these
improvements—for example, the types of technologies companies are
using, management practices that produce benefits, and any
organizational and cultural characteristics that may contribute to the
gains. We found that successful companies not only tightly integrate
Web 2.0 technologies with the work flows of their employees but also
create a “networked company,” linking themselves with customers and
suppliers through the use of Web 2.0 tools. Despite the current
recession, respondents overwhelmingly say that they will continue to
invest in Web 2.0."
The Web 2.0 bad news – Web 2.0 technologies introduce IT security risks that cannot be ignored. The main risk comes from the fact that these applications are purposely built to bypass traditional IT security controls in order to simplify deployment and increase usage. They use techniques such as port hopping, encrypted tunneling, and browser based applications. If we cannot identify these applications and the people using them, we cannot monitor or control them. Any exploitation of vulnerabilities in these applications can go undetected until it's too late.
A second risk is bandwidth consumption. For example, unauthorized and uncontrolled consumer-oriented video and audio file sharing applications consume large chunks of bandwidth. How much? Hard to know if we cannot see them.
In case we need some examples of the bad news, just in the last few days see here, here, here, and here.
The IT Security 2.0 good news – There are new IT Security 2.0 vendors who are addressing these issues in different ways as follows:
Database Activity Monitoring – Since we cannot depend on traditional perimeter defenses, we must protect the database itself. Database encryption, another technology, is also useful. But if someone has stolen authorized credentials (very common with trojan keyloggers), encryption is of no value. I discussed Database Activity Monitoring in more detail here. It's also useful for compliance reporting when integrated with application users.
User Activity Monitoring – Network appliances designed to
monitor internal user activity and block actions that are out of
policy. Also useful for compliance reporting.
Web Application Firewalls – Web server host-based software or appliances specifically designed to analyze anomalies in browser-based applications. WAFs are not meant to be primary firewalls but rather to be used to monitor the Layer 7 fields of browser-based forms into which users enter information. Cybercriminals enter malicious code which, if not detected and blocked, can trigger a wide range of exploits. It's also useful for PCI compliance.
"Web 2.0" Firewalls – Next generation network firewalls that can detect and control Web 2.0 applications in addition to traditional firewall functions. They also identify users and can analyze content. They can also perform URL filtering, intrusion prevention, proxying, and data leak prevention. This multi-function capability can be used to generate significant cost reductions by (1) consolidating network appliances and (2) unifying policy management and compliance reporting.
I have heard this type of firewall referred to as an Application Firewall. But it seems confusing to me because it's too close to Web Application Firewall, which I described above and performs completely different functions. Therefore, I prefer the term, Web 2.0 Firewall.
In conclusion, Web 2.0 is real and IT Security 2.0 must be part of Web 2.0 strategy. Put another way, IT Security 2.0 enables Web 2.0.
CSO Online Magazine has an article about IBM ISS Security Strategist Joshua Corman's concerns with the security industry. While I agree with much of what he says, I disagree with his core premise, expressed in Dirty Secret 1. Here are my comments on each of Josh's eight dirty secrets.
"Dirty Secret 1: Vendors don't need to be ahead of the threat, just the buyer – This is the problem that leads to the seven "dirty secrets" that
follow. In essence, Corman said, the goal of the security market is to
make money, not to ensure the customer's security."
I find it surprising that a representative of one the largest and most profitable enterprises in the world attacks other vendors for wanting to make money, as if making money is bad. Is he serious about attacking capitalism? Is security some special market where profits are bad? From my perspective, making money is the result of solving client problems and helping them meet their objectives.
"Dirty Secret 2: AV certification omissions – While AV tools detect replicating malware like worms, they fail to identify such as [sic] non-replicating malware as Trojans."
Aside from the grammar issue, I agree that some vendors are having difficulty keeping up with the constantly evolving threat landscape. However, this creates opportunities for new vendors. Joseph Schumpeter called this "creative destruction."
"Dirty Secret 3: There is no perimeter – Corman said those who truly believe there's still a network "Perimeter" may as well believe in Santa Claus."
There has never been a perimeter in the sense that if you just protect the edge of your network, you are safe. I do agree that it can be difficult to know where that edge is. However, there is still an important role to be played by a perimeter firewall that understands applications, users, and content. Beyond that, good security has always been about "defense-in-depth."
"Dirty Secret 4: Risk management threatens vendors – Risk
management really helps an organization understand its business and its
highest level of risk, Corman said. But a company's priorities don't
always map to what the vendors are selling."
Again, this allusion to disreputable vendors. At any point in time, there surely are disreputable vendors. But they don't last long. Of course any IT Security control being deployed should be in the context of how risk is being reduced.
"Dirty Secret 5: There is more to risk than weak software – Corman
said the lion's share of the security market is focused on software
vulnerabilities. But software represents only one of the three ways to
be compromised, the other two being weak configurations and people."
No argument here, but not really new. The issues around security awareness training, for example, are much deeper than lack of money being spent on it. Regarding configuration management, has the issue been lack of attention or lack of good products to deal with the issues? It's a hard problem.
"Dirty Secret 6: Compliance threatens security – Compliance with such laws and industry standards as Sarbanes-Oxley and PCI DSS
drives companies to spend far more on security than they might
otherwise. Security vendors have obviously seized upon this fact,
offering products that do everything from offer PCI compliance out of
the box to ultimate cure-alls for healthcare entities coping with the
demands of HIPAA. Of course, this too leads to companies buying security tools that fail to properly address the particular risks they face."
I surely agree that compliance threatens security and there surely are cases where vendors have been successful by focusing on compliance rather than on reducing risk. When an organization "only" focuses on compliance requirements it falls short of what it can and should be doing to protect its assets. In fact, compliance represents a floor or bare minimum level of security.
Put another way, if you only focus on compliance, you will surely not be maximizing the value of your security investment. At the very least, there is no way that regulatory bureaucracies can keep up with the changing threat landscape.
"Dirty Secret 7: Vendor blind spots allowed for Storm – The Storm botnet, as an archetype, is being copied and improved. The Storm era of botnets is alive and well, nearly two years from when it first appeared, Corman said."
As I said in my comment on Dirty Secret 2, some vendors may not be responding to the changing threat landscape, but there are others who are. If you feel your vendors are not responding, look for new ones. There is a lot of innovation in the IT Security industry.
"Dirty Secret 8: Security has grown well past "do it yourself" – Technology
without strategy is chaos, Corman said. The sheer volume of security
products and the rate of change has super-saturated most organizations
and exceeded their ability to keep up."
Any actions or tactics that are not part of a strategy is obviously chaos. First Corman says that vendors are not keeping up and now he is saying that enterprises cannot keep up (without his help). With all due respect, let's remember that Corman is part of IBM's consulting organization. On the other hand, there is no harm in repeating that technology by itself is not the answer. It's people, process, and technology, as it has always been.
The recent Goldman Sachs breach of proprietary trading software highlights the risk of insider fraud and abuse. RGE, Nouriel Roubini's website, has the best analysis I've read on the implications of such an incident.
Here is the money quote, "What is troubling about the Goldman leak is how unprepared our infrastructure is against active measures. We already have good security practices, defamation laws and laws against market manipulation. What we don't have is a mechanism for dealing with threats that appear to be minor, but where the resulting disinformation is catastrophic."
I cannot imagine any better proof of the need for better user, application, content, and transaction monitoring and control tools.
Read the whole article.
Last week, I highlighted the Methods of Attack data from the Verizon Business 2009 Data Breach Investigations Report. Today, I would like to discuss an equally important finding they reported about Attack Vectors (page 18).
The surprise is that only 10% of the breaches were traced to network devices. And network devices represented only 11% of the actual records breached. The top vector was Remote Access and Management at 39%. Web Applications came in second at 37%. Even more interesting is that 79% of all records breached were the result of the Web Application vector!
Clearly there has been a major shift in attack vectors. While this may not be a total surprise, we now have empirical evidence. We must focus our security efforts on applications, users, and content.