From POODLE, Heartbleed, and Shellshock in 2014 to the Hacking Team breach, OpenSSL’s FREAK and a variety of zero-day vulnerabilities in 2015, we have seen a consistent ramp-up in security threats and successful data breaches, leading to a dramatic increase in media coverage. While this coverage has escalated the level of FUD (fear, uncertainty and doubt), overall, increasing awareness of the threat is a good thing, because every company is vulnerable, every company is a target, and any compromise of your data will be expensive and bad for business.
Most large organizations understand this, but too many smaller companies think they are safe and won’t be targets. They’re wrong. And the increasing ubiquity of the Internet of Things (IoT) will likely make things much worse before they get better. It’s time for every small and medium business to take their collective managerial and accounting heads out of the sand and build security into every level of their products and processes.
Cost of Compromise
According to the annual Ponemon Institute 2015 Cost of Cyber Crime Study, sponsored by Hewlett-Packard, the average annualized cost of cybercrime in the U.S. is now $15 million, up 19 percent over the 2014 report. And according to the Ponemon Institute 2015 Cost of Data Breach Study, sponsored by IBM, the cost of data breaches due to malicious or criminal attacks has increased over the last year from an average of $159 to $174 per record. Considering that breaches can run to hundreds of thousands or even millions of records, a serious breach has the potential to destroy a small or medium business.
Understanding Your Attack Surface
The first step in protecting your information is identifying the potential attack points in your applications, systems, network and organization. Here are some of the more common vulnerabilities – this list is certainly not meant to be comprehensive.
Most web applications run on some form of engine or interpreter. For example, Java applications may run on Tomcat, while PHP may run through mod_php, FPM, fcgid, etc. These engines and interpreters can have vulnerabilities, such as PHP’s hash collision flaw (CVE-2011-4885), which could be used to trigger remote denial-of-service attacks. As a result, database managers must keep up to date with patches not only for the OS, but also for these engines and interpreters. Oracle’s Critical Patch Updates also carry vulnerability fixes, and a recent one included an update for MySQL. It’s also essential to subscribe to updates for your web development framework, such as Drupal, WordPress, Joomla, etc. Joomla’s recent vulnerability disclosure concerned weak cryptography in the framework, which may itself have ramifications for PCI compliance. There are also proofs of concept, such as the WordPress XML-RPC brute force amplification attack. The real takeaway is that you must not only keep updated, but also subscribe to advisories for each of your application components so that you deploy the most up-to-date patches and mitigations.
Many administrators think that if a database isn’t web facing, then security isn’t an issue – they’ll even use weak passwords without any real concern. But as a proof of concept (POC), I’ve used “grant all” on a web development framework to compromise a web application and then pivot and escalate the attack to a database server that wasn’t accessible from the Internet. I was able to deploy a utility that made it possible to run shell commands on the MySQL server and have the results returned as part of a SELECT query, which could then be used and abused.
Another common vulnerability is created when organizations put their web applications on the same system as their MySQL server. This is bad not only for scalability, but also for security. When sysadmins and DBAs log into the system, they will often log into the database as root automatically and neglect to ever set a password. If they do set a password, it is often stored in ~/.my.cnf, which logs the user in automatically anyway. And even when this is not the case, there is complete access to the history files, in which passwords can often be found.
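As an added example (not code from the original post), a small Python audit for the two mistakes just described: a password stored in ~/.my.cnf that other users on the shared host can read, and passwords recorded in shell or MySQL history files. The home directory, its file contents, and the regex patterns are constructed for this example.

```python
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Patterns for passwords leaked into history files (constructed for this example).
INLINE_PASSWORD = re.compile(r"\bmysql(?:dump|admin)?\b.*?(?:\s-p\S+|--password=\S+)")
SQL_PASSWORD = re.compile(r"\b(?:IDENTIFIED BY|SET PASSWORD)\b", re.IGNORECASE)
HISTORY_FILES = ((".bash_history", INLINE_PASSWORD), (".mysql_history", SQL_PASSWORD))


def audit_home(home: Path) -> list[str]:
    """Return findings for one home directory: a stored .my.cnf password,
    loose permissions on it, and passwords recorded in history files."""
    findings = []
    my_cnf = home / ".my.cnf"
    if my_cnf.is_file():
        lines = my_cnf.read_text(errors="replace").splitlines()
        if any(re.match(r"\s*password\s*=", line) for line in lines):
            findings.append(".my.cnf stores a password (client logs in without a prompt)")
            mode = stat.S_IMODE(my_cnf.stat().st_mode)
            if mode & 0o077:  # group or world can read the password
                findings.append(f".my.cnf is readable by others (mode {mode:04o})")
    for name, pattern in HISTORY_FILES:
        path = home / name
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if pattern.search(line):
                findings.append(f"{name}:{lineno} records a password")
    return findings


def demo() -> list[str]:
    """Audit a constructed home directory that shows every mistake above."""
    home = Path(tempfile.mkdtemp())
    try:
        (home / ".my.cnf").write_text("[client]\nuser=root\npassword=Constructed123\n")
        os.chmod(home / ".my.cnf", 0o644)  # constructed: world-readable
        (home / ".bash_history").write_text(
            "ls -la\nmysql -uroot -pConstructed123 shop\n"
            "mysqldump --password=Constructed123 shop > shop.sql\nmysql -uroot -p shop\n")
        (home / ".mysql_history").write_text(
            "select 1;\nCREATE USER 'app'@'%' IDENTIFIED BY 'Constructed456';\n")
        return audit_home(home)
    finally:
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    print("\n".join(demo()))
```

The fourth history line (`mysql -uroot -p shop`, which prompts for the password) is deliberately not flagged; only passwords placed on the command line are.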
Far too many companies make their databases accessible over the Internet for the convenience of their DBAs and rely on overly open access control lists (ACLs). These companies may also have little, if any, isolation, putting all their data at risk. It’s absolutely essential to determine what you can isolate and what you can remove from the Internet.
It’s also important to put security monitoring in place, preferably in the form of packet inspection using an intrusion detection system (IDS) sitting on a port that mirrors your firewall’s traffic. That way, if nothing else, you can do a post-mortem analysis of threat activity. Also, if you have already purchased an intrusion prevention system, run it in IPS mode. It’s pointless having such a system if it’s not actually going to block traffic.
Your network may also be at risk of hardware-embedded OS vulnerabilities, such as Cisco’s IOS vulnerability through OpenSSL components. Cisco is continually providing updates, so once again, install patches immediately to keep your network current. You must consider all aspects of your network: firewalls, switches, IPMI / iLO devices, etc. Neglecting any one area could spell disaster.
Hardware threats abound when organizations and individuals don’t put sufficient security around their systems. For example, researchers at Berlin-based Security Research Labs (SRLabs) showed how a USB thumb drive connected to a computer can automatically switch its profile to a keyboard so it sends keystrokes to download and install malware, or even emulate the profile of a network controller or other device. Another example is USB plug-in LAN adapters designed for netbooks and laptops. A new product called the USB LAN Turtle looks like a USB plug-in LAN adapter but has another embedded micro-controller, a little processor that actually establishes a VPN connection back to an attacker's network. So an attacker who can substitute a LAN Turtle for a legitimate LAN adapter instantly has a persistent presence in the network to run man-in-the-middle and other attacks.
Biometrics and keypads, two strategies intended to increase security, have their own vulnerabilities. For example, MythBusters foiled a top-of-the-line biometric fingerprint lock by licking a photocopy of the fingerprint and sticking it to somebody else's finger. And some keypads have plastic keys covered in a metallic paint, so when they are punched regularly, they develop a visible wear pattern, exposing to an attacker which keys are actually being punched.
Further, the explosion of devices being connected to the Internet, a.k.a. the Internet of Things (IoT) – and the inconsistent security applied to these devices – is creating major security risks. Consider the recent hacking of a 2014 model Jeep Cherokee and some Chrysler models.
Finally, but perhaps most importantly, hardware vulnerabilities are regularly created by the failure to keep up with vendor updates, which leaves devices vulnerable to even well-understood risks.
In the age of free and inexpensive mobile downloads, software vulnerabilities are often created by modified binaries. Last year a hacker posted a proposed hack using a Flappy Bird clone that would upload photos to the hacker’s server while the game was being played.
The list of other software vulnerabilities is impressive: TrueCrypt, OpenSSL, poor isolation, the use of only Discretionary Access Controls (DACs) without Mandatory Access Controls (MACs), process injection, buffer overflows, etc. As with hardware, unpatched software and legacy software are two of the biggest attack vectors in corporate environments.
The internal threats that get the most publicity these days are: 1) Employees who fall prey to phishing or spear phishing attacks – clicking on links in spam email and increasingly on social media sites, often resulting in malware infection – and 2) Social engineering attacks – being tricked into providing private information to attackers.
There are several other ways employees are attacked or create vulnerabilities. Developers who are under time pressure might accidentally introduce flaws, such as SQL injection (SQLi), cross-site scripting (XSS), or cross-site request forgery (CSRF/XSRF). And system administrators who are under pressure to get a site back online may also make mistakes. To err is human, after all.
The surprisingly common practice of workstation sharing can enable a malicious attack: “Hey, sorry, I just need to reply to an e-mail. Can I use your workstation for a second?” asks a seemingly innocent visitor to the office. “Sure, cool, I’ll go have a cup of coffee.” But while the employee gets the cup of coffee, the attacker delivers a payload, such as using a malicious USB device, and then walks right out of the office, their presence on the network established.
Demonstrating that employees are vulnerable to implied trust, an attacker dressed in a uniform or “flashing” a badge is often assumed to be a member of law enforcement and is allowed into an office or onto a workstation without being contested.
Security Best Practices
As noted above, this list of vulnerabilities is by no means exhaustive. Still, I hope it will generate sufficient fear – maybe even panic – to spur you to take seriously the following security best practices that will help you build security into every level of your products and processes.
- Keep all hardware (firmware) and software, including development tools, up-to-date, installing updates and patches as soon as possible.
- Keep security top of mind across the organization and educate all employees on the security risks relevant to them – whether they are a database administrator, developer, or salesperson who just uses email and social media.
- Use prevention and detection strategies. An intrusion prevention system (IPS) is designed to prevent attacks by examining network traffic, detecting threats, and preventing them from launching. An intrusion detection system (IDS) detects and logs threats. The IDS monitors the network and systems to spot malicious activities as well as policy violations that could be an attack or create vulnerabilities to attack.
- Understand your organization’s real needs. Many vendors now sell IPS and IDS systems, but don’t assume that investing a lot of money on expensive appliances will automatically make you safe. Make sure you do your own due diligence when examining products. Overpaying for a rebranded Nessus scanner, for instance, is never good. Nessus is a great product, but there are a lot of companies that re-brand it, put a new face on it, and charge a 200 percent mark-up for the exact same product. You also want to make sure you will get ongoing support from your vendors, along with rule updates. And make sure, at the end of the day, that the security product you put inside your network is itself secure and being continually updated and patched.
- Maintain access logs and generate alerts. You and your staff know your organization and applications’ behavior better than any third party. Train on creating and maintaining your IPS / IDS rulesets. Your logs include what’s being blocked, so if you analyze them, you can best determine what is out of context. If you see a 10X increase in additions to the shopping cart for invalid items, someone may be attempting an SQL injection. If there’s a 10X increase in requests, someone may be launching a denial of service attack. Such conditions should generate alerts. Of course, there’s the human factor, and it’s important to talk to your marketing department to make sure they haven’t launched a campaign that would account for the alarms. It’s also essential to reduce noise. Your staff will become desensitized if there are constant false alarms, so you must filter the log data and alerts down to relevant, actionable information.
- Keep up! The threats are constantly evolving and so are the solutions. Interesting developments include:
  - Suricata, driven by the Open Information Security Foundation (OISF), is an open source, high-performance IPS, IDS and network security monitoring engine.
  - The FIDO Alliance is pulling together a number of large organizations to create a universal standard that describes what two-factor authentication should be and to deploy a Universal Authentication Framework.
  - Keybase.io is a directory of people keyed by public keys tied to their social identities, designed to ensure that in a digital world people are who they say they are.
  - Elastic’s Logstash and Kibana allow users to stream logs to a centralized store, easily index and visualize the data, and then drill down into it.
  - Docker is an open “container” platform for building, shipping and running distributed applications, and the security around Docker has been constantly improving.
  - Haka, an emerging technology, is an open source programming language that allows developers to describe protocols and apply security policies on live traffic.
  - Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing.
  - The USB armory from Inverse Path is an open source hardware design for implementing a flash drive-sized computer with advanced security features.
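The alerting rule from the access-logs bullet above (a 10X jump in requests, or in cart additions for invalid items, compared with normal behaviour) worked through as an added Python example that is not part of the original article. The log format, the per-minute windows, the median baseline, the thresholds, and every sample line are constructed assumptions for this example.

```python
import re
from collections import Counter
from statistics import median

# Apache-style access log line (simplified); all sample lines below are constructed.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def count_windows(lines):
    """Per-minute totals of all requests and of failed cart additions (invalid items)."""
    total, bad_cart = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        minute = m["ts"][:17]  # "10/Oct/2015:13:50:00 +0000" -> "10/Oct/2015:13:50"
        total[minute] += 1
        if m["path"].startswith("/cart/add") and m["status"] in ("400", "404"):
            bad_cart[minute] += 1
    return total, bad_cart

def alerts(counter, label, factor=10, min_history=3):
    """Flag a minute whose count exceeds factor x the median of the minutes before it
    (keys sort correctly within one day, which is all this sample needs)."""
    out, minutes = [], sorted(counter)
    for i, minute in enumerate(minutes):
        history = [counter[m] for m in minutes[:i]]
        if len(history) < min_history:
            continue  # not enough baseline yet
        baseline = median(history)
        if counter[minute] > factor * baseline:
            out.append(f"{minute} {label}: {counter[minute]} (baseline {baseline:g})")
    return out

def build_sample_log():
    """Constructed log: four quiet minutes, then one minute with a burst of bad cart adds."""
    def entry(minute, ip, path, status):
        return f'{ip} - - [10/Oct/2015:13:{minute}:00 +0000] "POST {path} HTTP/1.1" {status} 512'
    lines = []
    for minute in range(50, 54):
        lines += [entry(minute, f"10.0.0.{n}", "/index.html", 200) for n in range(6)]
        lines.append(entry(minute, "10.0.0.9", "/cart/add?item=12", 200))
        lines.append(entry(minute, "10.0.0.9", "/cart/add?item=99", 404))  # the odd typo
    lines += [entry(54, "203.0.113.7", f"/cart/add?item=-{n}", 400) for n in range(100)]
    return lines

def demo():
    """Run both signals from the article over the constructed log."""
    total, bad_cart = count_windows(build_sample_log())
    return alerts(total, "requests") + alerts(bad_cart, "failed cart additions")
```

Raising `factor` or `min_history` is the knob for the noise reduction the bullet calls for: a single busy minute then stays below the line until it really stands out against the baseline.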