application security | Blog

Solutionary Blog and Bloggers

 Solutionary is an information security company. What does that mean? Simply put, we help businesses protect their assets, remain fully secure and safe online, and maintain and adhere to compliance regulations and standards. Solutionary's blog will be a place to learn about and discuss a wide variety of security and compliance topics. More information about Solutionary can be found here. To read the Solutionary blog comment policy and disclaimer, click here.

Solutionary Bloggers:

Brad Curtis, Compliance Manager
Jon Heimerl, Director of Strategic Security
Mike Hrabik, President and CTO
Don Gray, Chief Security Strategist
Court Little, Director of Strategic Security
Joseph Blankenship, Senior Director of Product Marketing and Strategy
Doug Picotte, Regional Technical Manager
Rob Kraus, Senior Security Consultant
Scott Simpson, Director, Security Consulting Services
Brian Reed, Regional Technical Manager


Solutionary Minds - Your Information Security Blog Source


404 Error: Training Not Found

Posted by Rob Kraus on Mon, Aug 30, 2010 @ 08:12 AM

One of the greatest issues I see affecting organizations today is the lack of corporate support for developer and administrator security education. So, I would like to provide you with some useful information about security training and events to help supercharge your learning and keep your teams up to date with news about new threats and attack methodologies.

Unfortunately, training budgets are often the first area considered when attempting to reduce spending. This is nothing new in business, and is not simply due to the effects of “poor economic conditions”; it’s just a fact of life. I include below a few training considerations and several cost-effective options (some are even FREE – we like free). But before we get there, why are many organizations not familiar with secure coding practices and common vulnerabilities, and why is proper training important?

Higher education, whether at traditional or online universities, is often not adequately prepared to teach software vulnerabilities as a regular part of network administration or programming-related degrees. It often focuses on “educating” future software developers but lacks concentration on building security into applications and the System Development Life Cycle (SDLC). Many of the software engineering degrees offered at major universities do not focus on secure programming principles, focusing instead on functionality and core programming principles. Ultimately, the goal at school is to “make it work,” and too often the “don’t let it break” part is practically ignored. The lack of focus on building security into the SDLC causes many organizations to implement security as an afterthought instead of as a comprehensive approach to deploying applications as services securely. Training and educating administrators and developers are key to understanding the risks and financial impacts that can be experienced. Failure to keep your staff up to date with current trends in security can expose organizations to avoidable risks.

Some of the top security conferences listed below will allow you and your organization to learn about current trends, attacks, mitigation techniques, newly discovered vulnerabilities and their possible impact on your organization’s security.

DefCon – www.defcon.org

BlackHat – www.blackhat.com

Computer Security Institute (CSI) – www.gocsi.com

RSA - www.rsaconference.com

CanSecWest – www.cansecwest.com

Toorcon – www.toorcon.org

These are some of the most popular conferences to attend; however, many other national, international, and local conferences occur every year. All of the listed conferences can help augment the knowledge and skill sets your team needs to address today’s security concerns. Conferences are also great for a “snapshot in time” view of the latest and greatest developments in the security field; however, they are not a replacement for learning the principles of secure programming and how to avoid common mistakes.

Can’t make it to a conference? Here is a little tip: Google.

Many of the conferences occur on a regular basis, and over the years it has become easier than ever to view quality recordings of many conference presentations for FREE.

At www.securitytube.com you can often view full length quality video of presentations given at these conferences at no cost. As I am writing this blog post there is a surge of new videos being released from this year’s BlackHat and Defcon conferences.

Defcon makes many presentations from years past available as podcasts. Other conferences, such as Shmoocon, also make content available for free after the conference.

Another great resource allowing you to get your weekly dose of security training is PaulDotCom’s weekly podcast. The team over at Hak5 also allows you to subscribe to podcasts or watch content on their web site (www.hak5.org).

Lastly, initiatives such as US-CERT Secure Coding (http://www.cert.org/secure-coding/) and the learning tools provided by the Open Web Application Security Project (OWASP, at www.owasp.org) can also prove valuable for spotting and preventing the most common application development and deployment mistakes.

So, do we always need to pay conference or entrance fees to stay up to speed on security? No!

However, I for one enjoy going to the conferences because of the networking, the insightful presentations, and, of course, supporting the information security community.

In October, Paul Petefish (Solutionary Security Consultant) and I will be presenting “My Vulnerability Scanner Didn’t Find Anything: Now What?” at CSI 2010 on October 29 in National Harbor, MD; stop by and say “hi” if you see us!


Paranoia is good? App Security

Posted by Jon Heimerl on Fri, Aug 06, 2010 @ 09:24 AM

I read an article last week that talked about how apps on your smartphone are grabbing and sharing personal information from your smartphone or other personal device without you really knowing. And realistically, paranoid security geek that I am, the only reason I really say "you" instead of "our" is because I don't use a smartphone.

According to the article, a security company testing these apps found that "nearly a quarter of the iPhone apps and almost half the Android apps contained software" that included unintended or unknown functions. This was, apparently, despite control exercised over the apps, and in some cases even without the knowledge of the actual application developer, since the functions were provided in third-party code. We are not just talking about software that grabs browsing habits; we are talking about this software taking much more detailed information from your phones, like full details about people in your contact list, your pictures, text messages and search histories.

I don't know about you, but this kind of scares me a little, as well as ticks me off. First of all, these third parties thought it was okay to grab this type of information from the devices. However, having access to that information does not mean it is okay. Just because there is no guard by the door at the airport that says "authorized users only" it does not mean it is okay to go through it. In the end, this was a conscious decision by the developer of the third-party software to violate the personal privacy of the device owner, because there is absolutely no way they did not know this was a violation of your privacy.

Second, the app developers were including third-party code without knowing exactly what that code does. Okay, the code was supposed to let the developer push out ads in a free sample version. Yet, it says something that it does not appear that many, if any, of these developers actually checked to see if what they were buying was a zebra or a painted donkey. At least this does not appear to be as malicious as the first problem, though it is, at best, lazy and sloppy.

Third, users would just install these applications without knowing what they were getting into. Admittedly, in some cases there was probably no reasonable way to know. Nonetheless, in some cases there is a little "terms and conditions" notice that you accept when you install the app, and some of them include language about gathering information from your device (now, we don't necessarily think that they are going to be grabbing information as private as they were, but that point is covered above).

And of the three, I do not know which really scares me the most. I was paranoid before I was bent over the hood of a car at the barrel of a machine gun (ah, story for another day) but I don't really find the first two points that surprising. But by now, we, as users really should know better. This is the biggest current and future trend that worries me - that people are becoming consumers without thinking of, or even knowing (or without even really caring, since they want the app), the security consequences. Social media and mobile devices magnify the problem because more and more people have access to more and more information without the experience to deal with “issues”. We cannot be complacent sheep led to the slaughter by our desire for mass consumption of media, powered by the coolest new app. We simply have to be better. 

In the end, I guess this does include me, since my kids have various smart devices, and I actually wrote this on my iPad. But then, I've had the thing for a couple months and still have very few apps. My kids tell me I am paranoid. I tell them that they are naive, and that a proper dose of paranoia is a good thing.


SmartPhone, Dumb OS?

Posted by Court Little on Fri, Jun 25, 2010 @ 09:37 AM

Smartphones. Phones. Cloud-based services. Mobile security. Enterprise security. All these topics are converging at an extremely fast pace, so fast that the first four are outstripping the ability of the last in the list to keep up. Depending on which analyst report you look at, smartphones account for roughly 20% of the current cell phone market, with estimates saying that by 2012 that number will hit 50%. If the trends and numbers hold true, enterprise security concerns and issues are likely to become bigger even faster.

So what's the concern? All the OSs (iOS, RIM, MS, Android, Symbian, WebOS, etc.) offer similar degrees of what they call support for "Enterprise Security". This includes features like Remote Wipe, Security Policies, Data Encryption and so on. These devices are secure if your IT department deems them so. Not so fast! There is not a lot of information about platform security, and companies don't have time to evaluate every OS to see if its platform architecture is secure enough for their data. Even if they wanted to, there is very limited data on this subject anyway. Look at Android, for example. Just this week two reports illustrated the dilemma of companies trying to support end users buying the latest and greatest tech, while making sure that their own company information, which might be integrated with that device, is still secure.

The first is a report from security firm SMobile Systems, which shows that a large percentage of apps in the Android Market have the ability to perform actions with permissions that most would deem sensitive. They estimate 20% of all apps analyzed request access to private or sensitive information. That's kind of scary. Even scarier is the statement that 383 current apps have the ability to "read or use credentials from another service or application". Read that again. Now ask yourself, if your company is putting your data into a Smartphone, and random Apps can "potentially" access that data, does this sound like a good thing? If the C in the CIA triad (Confidentiality, Integrity and Availability) is jeopardized based on any app an end user decides to download, how do companies push data to these devices in a secure fashion?

Google has already responded, saying that: a) all Apps must get users' permission before the app can access sensitive information; b) Google performs billing background checks to confirm developer identities; and c) any App that is deemed malicious can be remotely wiped from all phones en masse to prevent widespread damage.

That's all well and good, but: a) Do users really understand what permissions they are granting an app when they run it, or what that App is going to do with the information it gets? b) Nice thought to check their "billing background", whatever that is. Yet it doesn't deter a developer from submitting a malicious app, or having a developer fake credentials like we've seen with several malvertising campaigns in the past, or just from something sloppy getting in and c) By the time they find out an app is malicious and remote wipe the app the damage is done.

Take for example Google recently wiping two apps that were created by security researchers that misrepresented their purpose. If they had been malicious in nature they might have been able to do serious damage. It seems that Google vets the devs, but not the app. Next time it could be a malicious developer writing a cute game that steals information off your phone.

I really don't mean to pick on Google; maybe iOS, MS, or WebOS sandbox their apps and permissions differently and are inherently more or less secure. Maybe iOS, with its restricted multitasking API, is more secure because it restricts apps to only certain functions. Maybe iOS apps are more secure because Apple has a more stringent App review process, as opposed to Google's Open Source system. Nonetheless, we are in a day and age where phone and cloud services are increasing at breakneck pace, and new OS versions are constantly being released (hello iOS4 and Froyo). You have to wonder: when will touted "Enterprise Security" features stop being sufficient criteria for companies deciding which platforms to support? When will the base security in the Smartphone OS become understood well enough that companies will only allow certain certified platforms on their network?


Web Application Firewalls – Cause and Effect

Posted by Doug Picotte on Wed, Apr 14, 2010 @ 08:18 AM

Recent studies have indicated that up to 75% of all attacks conducted by hackers occur at the web application layer via ports 80 and 443. The days when a traditional firewall in front of mission-critical web servers was enough have long since passed. We've also seen organizations that are lulled into a false sense of security by enabling SSL encryption as a method for protecting their web applications. Today's hackers are sophisticated enough to connect to vulnerable web services via ports 80 and 443 just like any other web user, though with much different intentions.

Vulnerabilities exist in web applications

We all know web applications are released into production with vulnerabilities. Requirements and designs are incomplete, people make errors, and prototypes get fielded. With production budgets and deadlines being what they are, this is all but inevitable. Hackers fully understand, and appreciate, this reality, and take full advantage. Our clients understand this cat-and-mouse game.

WAF used as a "Band Aid"

Organizations deploy web application firewalls (WAF) for a number of reasons, including PCI 6.6 compliance. We've seen a variety of WAFs deployed simply to protect the application against known vulnerabilities, until such time that the vulnerability can be remediated.

Where to allocate Resources? WAF management vs. fixing the web app vulnerabilities

So the issue becomes where to allocate resources to address the issue of web application vulnerabilities. Do you allocate resources to tune the WAF to protect the application, or do you identify the specific web application vulnerabilities, and then fix the vulnerability at the code level? Both methods are resource intensive, not to mention quite expensive. And, unfortunately, for reasons identified before, we don't always have resources, or time.

The truth of the matter is you need to discover all of the vulnerabilities in your web applications (before the hacker does), protect those vulnerabilities with a WAF, and implement a vulnerability lifecycle management program to remediate all discovered vulnerabilities.

Here are some things to consider as your organization addresses this issue:

• Do you know what vulnerabilities currently exist in your web applications?
• Have you considered deploying a WAF to protect against the exploitation of these vulnerabilities?
• Do you have the resources available internally to support the monitoring and management of the WAF?
• Do you have a vulnerability lifecycle management program in place to address the known vulnerabilities?
• Do you have tools in place to manage and track workflow in your vulnerability lifecycle management program?

All things considered, a WAF is not the "be all, end all" answer - but it should be one of the tools you use, since it can provide a very valuable service.


APT from the MSSP Perspective

Posted by Don Gray on Tue, Mar 30, 2010 @ 09:21 AM
I read this article the other day, and wanted to throw in my perspective about APT (Advanced Persistent Threats).

APT was coined by Mandiant. Kudos to them for putting a name to something, but it's not REALLY new. What is, perhaps, new is that non-federal government agencies are seeing APT threats start to be directed at them. Having said that, APT is USUALLY directed at organizations for political, economic (think stealing IP), and technical (source code, process details, etc) motives.

Here are a few basic "motive" questions that your organization should ask. Doing business in or with China? Looking to? Do you have carefully guarded trade secrets or a disruptive new technology or process that needs protection? Are you involved in large financial transactions, M&A, etc?

APT is not about smashing and grabbing, it's about methodically reaching your objectives, establishing a beach-head within the organization, and exploiting as much of the organization as possible for as long as possible without being detected.

APT is:

· Advanced: Assumes everything from mundane attack attempts to sophisticated custom crafting of exploits.

· Persistent: Focused on an objective, so this is not just a "drive by" or "smash-and-grab." The threat will not go away, out of legal reach. "Persistent" means trying to maximize exploitation of information over a period of time, sometimes a long period of time.

· Threat: Targeting your organization for a specific REASON. This takes advantage of human ability and creativity, and is not a bot or worm, although those may be tools employed.

APT embodies and enhances what we were all thinking about 10 years ago when we talked about the "wily hacker." Hard core security knowledge, funded, motivated, and determined to not go away until he got what he wanted. The ONLY dimension that APT has added to that picture is really about the kind and level of motivation and sponsorship behind the hacker.

The "wily hacker" was a rare occurrence then, and APTs are thankfully somewhat rare among corporations today. The vast majority of threats that organizations face are of the mundane script kiddy, smash-and-grab variety that we continue to see inflict harm without the need for the accoutrements of APT.

So should you be concerned about APT? If you meet any of the mentioned criteria, yes, you should take a serious look at what a catastrophic breach of your organization's inner-most secrets could mean to your business and factor that into your cyber security and risk management programs.

I see Solutionary and our ActiveGuard platform as the ideal ally in this situation because identifying and evaluating threats is all we do - 24x7. We see new threats as they arise, we know about all the various ways that attacks can be perpetrated, we have the ability to see low-and-slow attacks, we have the digital forensics knowledge to dissect complex / advanced attack scenarios, and most importantly we see attacks across a large base of customers. We can quickly identify emerging trends, patterns, and anomalies because we see such a large volume of information from a variety of organizations around the world.

Also, we take log feeds from just about any source, including applications, databases, servers and endpoints. Attacks that slip by anti-virus or IDS still leave a fingerprint in the firewall logs and system logs. Add to that the malicious host identification and detection capabilities that we bring to the MSSP cloud, and we can detect threats based on who and where an attack is coming from.

It's difficult for most non-security organizations to match that.
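As an added illustration of the two detection ideas described above, a known-malicious destination showing up in firewall logs and a low-and-slow attacker whose connections are few but suspiciously regular, the script below runs over a handful of constructed firewall log lines. This is example code written for this page, not Solutionary's ActiveGuard code; the log format, the threat-feed host list and the thresholds are all assumptions.

```python
"""Flag known-bad destinations and low-and-slow beaconing in firewall logs (example code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic).
# Assumed field order: timestamp, action, source IP, destination IP, destination port.
FIREWALL_LOG = """\
2010-03-29T01:00:03 ALLOW 10.1.2.15 203.0.113.7 443
2010-03-29T01:05:11 ALLOW 10.1.2.15 198.51.100.20 80
2010-03-29T02:00:05 ALLOW 10.1.2.15 203.0.113.7 443
2010-03-29T02:41:50 ALLOW 10.1.2.40 198.51.100.20 80
2010-03-29T03:00:01 ALLOW 10.1.2.15 203.0.113.7 443
2010-03-29T03:12:44 ALLOW 10.1.2.40 198.51.100.21 80
2010-03-29T04:00:06 ALLOW 10.1.2.15 203.0.113.7 443
2010-03-29T04:30:00 DENY 10.1.2.40 192.0.2.9 22
"""

# Constructed stand-in for the malicious-host list an MSSP threat feed would supply.
KNOWN_BAD_HOSTS = {"192.0.2.9"}


def parse_log(text):
    """Parse one record per line; malformed lines are skipped rather than aborting the run."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, action, src, dst, dport = parts
        try:
            records.append({"ts": datetime.fromisoformat(ts), "action": action,
                            "src": src, "dst": dst, "dport": int(dport)})
        except ValueError:
            continue
    return records


def find_beacons(records, min_hits=4, max_cv=0.2):
    """Return (src, dst, mean_gap_seconds) for pairs whose allowed connections are evenly spaced.

    A low-and-slow beacon makes too few connections per hour to trip volume alerts, but the
    gaps between them are regular. Regularity is measured as the coefficient of variation
    (stdev / mean) of the gaps; pairs at or below max_cv with at least min_hits are flagged.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["action"] == "ALLOW":
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((src, dst, round(avg)))
    return beacons


def find_known_bad(records, bad_hosts=KNOWN_BAD_HOSTS):
    """Return (src, dst, action) for every contact with a known-bad host, denied or not.

    A DENY still matters: the host that tried to reach a known-bad address may be compromised.
    """
    return [(r["src"], r["dst"], r["action"]) for r in records if r["dst"] in bad_hosts]


if __name__ == "__main__":
    recs = parse_log(FIREWALL_LOG)
    print("beacons:", find_beacons(recs))
    print("known-bad contacts:", find_known_bad(recs))
```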

The Wired article acknowledges this, saying, "‘By the time the government is telling you, you've already lost the stuff you didn't want to lose usually,' Mandia says, noting that it's generally not possible to ascertain everything that an attacker took."

Having multiple security layers, sufficient monitoring coverage and the requisite knowledge to identify complex attacks ensures that an APT can be identified as quickly as possible and that the best possible evidence of the attack's depth is available during incident response.