
Top Information Security Threats - Redspin



Knowing your enemy is just as important in security as it is in traditional warfare. Understanding the specific incidents and process breakdowns from the past and being prepared for the future is helpful in moving your security program forward. Our hope is that you find this report equally valuable in coming to terms with planning and implementing your security program.

Published in: Technology


1. Top Information Security Issues and Threats

Knowing your enemy is just as important in security as it is in traditional warfare.

6450 Via Real, Suite 3, Carpinteria, CA 93013
WHITE PAPER
800-721-9177 / 805-684-6858
2. TABLE OF CONTENTS

1 Executive Summary
2 Lack of Security Visibility with Virtualization Infrastructure
3 Ineffective Policy
4 “Drive-By-Downloads”; Web Malware
5 Web Application Threats
6 Botnets, Keyloggers and Other Malware
7 Poor Choice of Identity and Access Management Systems
8 Lack of Attention to Protecting High Business Impact Data
9 Poor Procedures for Patching and Configuring Infrastructure
10 Social Engineering Threats
11 Lack of Encryption and Centralized Key Management
12 Change Management Procedures for Applications
13 Partner Information Access

Page | 2009 | White Paper
3. Executive Summary

Knowing your enemy is just as important in security as it is in traditional warfare. Understanding the specific incidents and process breakdowns from the past and being prepared for the future is helpful in moving your security program forward. Our hope is that you find this report equally valuable in coming to terms with planning and implementing your security program.

In our review of security threats and issues over the past year, we have broadened our outlook to consider threats that break down the information security fabric that protects your information. Our unique view of emerging issues and threats gives us the basis for these 2010 projections. We believe these security issues are the result of the following important trends:
• The increasing velocity of application deployment (primarily due to virtualization).
• The rate of growth in corporate data, to the point where it is not clear that all data can be protected or even identified.
• Increasing network, application and system complexity, which has resulted in policy, process and procedure breakdown.

On the threat front, direct attacks against applications in various forms lead the way. Our belief is that this is because the aim of the attacker is monetary gain, and the web application presents the largest attack surface while being the easiest to exploit. Botnets remain widespread but have become a more significant threat because of their ability to tunnel over common transport protocols; thus outdated firewalls offer no protection, nor do IPS or IDS systems.

Let’s now examine some of the threats and security issues we have identified:
• Lack of Security Visibility with Virtualization Infrastructure
• Ineffective Policy
• “Drive-By-Downloads”; Web Malware
• Web Application Threats
• Botnets, Keyloggers and Other Malware
• Poor Choice of Identity and Access Management Systems
• Lack of Attention to Protecting High Business Impact Data
• Poor Procedures for Patching and Configuring Infrastructure
• Social Engineering Threats
• Lack of Encryption and Centralized Key Management
• Change Management Procedures for Applications
• Partner Information Access

This research was conducted by the Redspin security team during hundreds of security assessments nationwide in 2008/2009. For questions and comments please email Redspin at
4. Lack of Security Visibility with Virtualization Infrastructure

Customers have rushed to take advantage of the economic benefits of server consolidation. An initial decrease in capital equipment expenditure and ongoing increases in management efficiency lead to significant operating cost benefits. Often lost is that the network has been absorbed into the infrastructure. There is a much higher ratio of virtual NICs and switches than of their physical counterparts. No longer can security teams simply plug a sniffer or IDS into an appropriate SPAN port to troubleshoot an issue. Perhaps more importantly, the firewall now resides between a cluster of virtualized machines and an external switch, making configuration much more difficult and fraught with hazard. There are alternatives such as VM firewalls and tools aimed directly at virtual infrastructures. The first step is often an infrastructure assessment to get a clear view of the best known methods for tackling these issues.

Ineffective Policy

Perhaps the most significant issue a security organization can face is lack of policy or the breakdown of existing policy. Often this happens when security policy becomes stale, so that what is happening with the infrastructure is no longer a reflection of the policy. In other circumstances the security team is faced with policy “creep”, where the reality of infrastructure security drifts away from the intended policy. In both cases, businesses have lost an effective method of managing complexity and managing security issues. The team at Redspin has found this situation time and time again in our assessments over the years. For corrective action, we recommend a policy review as well as a process change to assess policy effectiveness on a quarterly basis. Equally important is to create a mechanism for automatically connecting what is happening with your infrastructure to the requirements of your policy. Often event logs or the correlated output of Security Event and Information Management (SEIM) systems can be an effective approach. Nevertheless, customers must also make the security-conscious decision to review and take action on a regular basis.

“Drive-By-Downloads”; Web Malware

A drive-by download occurs when a user visits a web page and malicious code is automatically and silently downloaded and installed on the user’s computer with no interaction from the user. Once the malware is on the user’s computer, the hackers have remote access to it and can steal sensitive information such as banking passwords, send out spam or install further malicious executables over time. A typical way for hackers to compromise a web site is to use widely known web flaws such as Cross-Site Scripting (XSS) or SQL injection.

Malicious ads (also known as “malvertising”) are another way for a website to end up serving malware. Rather than infecting a website directly, hackers infect an ad network (perhaps even by simply creating an ad that looks legitimate but actually serves malware to the user). Once their malicious ad is in the ad network, it can be presented to users on various websites as the ad network rotates through its inventory of ads. This is often a difficult attack to detect on a website because the malicious code may show up only intermittently, on some user requests and not others. Unless you happen to observe the malicious ad being served, you will not be able to detect the malicious code on the website.
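Because a rotated-in malicious ad is only served on some requests, a single scan of a page can miss it; the defensive check is to sample the page repeatedly and compare where active content is loaded from. The following Python script is an added example (not code from the Redspin paper): it parses several snapshots of the same page, collects the host of every script and iframe source, and reports any host outside an allowlist together with how many of the samples it appeared in. The HTML snapshots and the allowlisted hosts are constructed for the example.

```python
"""Spot third-party script/iframe origins that appear on only some fetches of
a page, the signature a rotating malicious ad produces. Added example, not from
the Redspin paper; the page snapshots and allowlist below are constructed."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Origins the site operator knowingly loads active content from (hypothetical).
ALLOWED_ORIGINS = {"cdn.example-shop.test", "ads.known-network.test"}


class SourceCollector(HTMLParser):
    """Collect the host part of every src= attribute on <script> and <iframe>."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        for name, value in attrs:
            if name == "src" and value:
                host = urlsplit(value).netloc.lower()
                if host:  # a relative path has no host: same-origin, ignored here
                    self.hosts.add(host)


def external_hosts(html):
    """Return the set of hosts a page pulls active content from."""
    parser = SourceCollector()
    parser.feed(html)
    return parser.hosts


def audit_samples(samples, allowed=ALLOWED_ORIGINS):
    """Map each non-allowlisted host to the number of samples it appeared in.
    A host present in only a fraction of the samples is the intermittent-ad case."""
    hits = Counter()
    for html in samples:
        for host in external_hosts(html) - allowed:
            hits[host] += 1
    return dict(hits)


# Four constructed fetches of the same page; only the third carries the
# rotated-in creative that points at an unknown host.
_PAGE = (
    '<html><head><script src="//cdn.example-shop.test/app.js"></script></head>'
    '<body><script src="/js/local.js"></script>'
    '<iframe src="https://ads.known-network.test/slot?id=7"></iframe>{extra}'
    '</body></html>'
)
SAMPLES = [
    _PAGE.format(extra=""),
    _PAGE.format(extra=""),
    _PAGE.format(extra='<iframe src="http://rotating-creative.bad.test/x.html" '
                       'width="1" height="1"></iframe>'),
    _PAGE.format(extra=""),
]

if __name__ == "__main__":
    for host, count in audit_samples(SAMPLES).items():
        print(f"unexpected origin {host}: seen in {count} of {len(SAMPLES)} samples")
```

Run against live pages, the sampling should come from several client vantage points and user-agent strings, since ad networks target creatives by geography and browser; a host that appears in one sample out of dozens is exactly the case the paragraph above says a one-off inspection will miss.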
5. A further implication with profound consequences results from website “blacklisting.” When a website gets infected with web-based malware, it is at risk of being blacklisted by browsers, search engines and desktop anti-virus companies, and Internet users are then prevented from accessing it. For example, Google’s crawlers encountered a website while indexing the web and detected that it was infected with web-based malware; Google subsequently applied the warning “This site may harm your computer.” to the site in its search results. Firefox users were blocked from accessing the site completely. As a result, traffic to the site plummeted. Microsoft’s Internet Explorer and Live Search, Symantec Norton, McAfee Site Advisor, and many other browsers, search engines and desktop anti-virus companies also blacklist websites.

Once a site is blacklisted, it can take days or even weeks for the site to clear its name from the blacklist. During this time the website is experiencing significant business losses:
• Customer Loss (visitors are blocked from accessing the site; the site is “off the air”)
• Brand Damage (the blacklisting hits the blogosphere and Twitter; the site loses the confidence and trust of existing and new users)
• Support Costs (the site has to engage in emergency technical fixes while fielding concerned calls and emails from its customers)

Certainly, this is a strong illustration of the need for web-facing businesses to take advantage of web application security assessments.

Web Application Threats

Web application threats have continued to increase and we expect this trend to continue in 2010. This has been the conclusion of both our own customer observations and several other security organizations. A number of underlying issues that drive this trend are as follows:
• Business units are placing a great degree of pressure on their IT and security groups to support commercial social networking systems. Not only do these systems have web application flaws that are beyond the customers’ control, but they present a much larger attack surface. Further, they provide excellent reconnaissance vehicles for directed attacks.
• Composite or mash-up applications provide another class of web applications where it is difficult to determine who is really in charge from a development and security point of view. Has each component of the application gone through a secure Software Development Life Cycle (SDLC)? Has any security testing taken place? The business believes it has benefited from rapidly developed, feature-rich applications. Has it accomplished this by overlooking the security threats and the risks to its brand?

The rate at which applications are being updated has increased sharply since 2007. It is clear that customer investment in application security and change management processes has not kept pace. Redspin finds that when we have tested a customer’s application, the customer acknowledges our findings, makes the necessary changes and enters production with a secure application. However, when we return several months later, the application is on its fifth iteration and is far from secure. In these cases we recommend that customers look at both their application security and change management procedures with greater scrutiny.
6. Botnets, Keyloggers and Other Malware

When reviewing these classes of threats we find our customers are in what is called asymmetric warfare. An attacker need only find one flaw in the information security system, whereas the customer must defend all layers of their infrastructure at all times. Compounding the problem, attackers are highly skilled, well compensated and constantly evolving the nature of their attacks.

Keyloggers are a good demonstration of the damage that can be done. The attack in question arrives unnoticed and begins logging keystrokes until it has discovered valuable data such as credit card numbers or complete account information. The malware stores this information until it is signaled by the controlling botnet to stream it back, encrypted, over a port that is sure to be open (such as port 443).

Customers must also be mindful of the security of the partners with which they do business. In the past year we have seen several instances of our financial service provider customers running a highly secure program, yet using third-party partners for wire transfers. These partner web applications are insecure and provide an attacker with the ability to break into the system and send unauthorized wire transfers or steal customer information.

Poor Choice of Identity and Access Management Systems

Additional areas where ongoing challenges are experienced among our customers are in identity and access systems. This has been the case across most of the industry segments we serve, but has been most dramatic in the healthcare sector. We believe this is due to the diverse set of constituents and the vastly different set of requirements across them. For example, the IT and security teams at several healthcare organizations must make appropriate identity and access management choices across user groups such as physicians, insurers, healthcare administrators and patients. Clearly, this is not a one-size-fits-all choice in terms of identity and access management. Our continuing approach is to consider a range of factors such as the most typical use case, the security strength required, client-side requirements, portability, multiple uses, system requirements, and cost and distribution requirements. In the case of our customers, we recommended software-based One-Time Pad Encryption (OTP) on mobile devices for physicians, that payers use hardware tokens, that healthcare administrators also use hardware tokens, and that patients use risk-based authentication.

Lack of Attention to Protecting High Business Impact Data

The imposition of legal and regulatory obligations, such as the need for adequate information security controls to protect personal data and enforced breach disclosures, has clearly been an important threat in the past year within the customer bases with which we work. Interestingly, customers are not feeling the most sting from fines, but from the cost and brand damage associated with organizing a notification campaign to their customer base.
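The keylogger pattern described in the botnet section above (collect quietly, then check in with the controller over port 443 so that the firewall lets it through) leaves one trace that port-based controls do not see: the check-ins happen on a schedule. The following Python is an added example, not code from the Redspin paper, of a detection that runs over exported flow records, groups connections by source, destination and port, and flags pairs whose inter-connection gaps are nearly constant. The flow-log lines and their field layout are constructed for the example; 10.1.2.3 is the constructed beaconing host.

```python
"""Flag hosts that connect to one destination on a fixed schedule over a port
that is normally open (443 here), the check-in pattern of malware waiting for
its botnet controller. Added example, not from the Redspin paper; the flow
records below are constructed and their one-line layout is hypothetical."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical one-line-per-flow export: timestamp, source, destination, port.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed log: 10.1.2.3 checks in every ~5 minutes; 10.1.2.4 browses normally;
# 10.1.2.5 makes three evenly spaced connections, too few to judge.
FLOW_LOG = """\
2009-11-03T10:00:00 src=10.1.2.3 dst=203.0.113.9 dport=443 bytes=1180
2009-11-03T10:00:10 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=9020
2009-11-03T10:00:25 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=44010
2009-11-03T10:01:00 src=10.1.2.5 dst=203.0.113.9 dport=443 bytes=700
2009-11-03T10:02:00 src=10.1.2.5 dst=203.0.113.9 dport=443 bytes=700
2009-11-03T10:03:00 src=10.1.2.5 dst=203.0.113.9 dport=443 bytes=700
2009-11-03T10:03:40 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=1210
2009-11-03T10:05:02 src=10.1.2.3 dst=203.0.113.9 dport=443 bytes=1176
2009-11-03T10:09:58 src=10.1.2.3 dst=203.0.113.9 dport=443 bytes=1190
2009-11-03T10:12:05 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=3300
2009-11-03T10:12:06 src=10.1.2.4 dst=10.0.0.53 dport=53 bytes=90
2009-11-03T10:12:06 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=510
2009-11-03T10:15:01 src=10.1.2.3 dst=203.0.113.9 dport=443 bytes=1184
2009-11-03T10:20:00 src=10.1.2.3 dst=203.0.113.9 dport=443 bytes=1179
2009-11-03T10:24:59 src=10.1.2.3 dst=203.0.113.9 dport=443 bytes=1181
2009-11-03T10:30:03 src=10.1.2.3 dst=203.0.113.9 dport=443 bytes=1188
2009-11-03T10:35:00 src=10.1.2.3 dst=203.0.113.9 dport=443 bytes=1177
2009-11-03T10:40:00 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=2048
"""


def parse_flows(text):
    """Group connection timestamps by (src, dst, dport); unparseable lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows[(m["src"], m["dst"], int(m["dport"]))].append(datetime.fromisoformat(m["ts"]))
    return flows


def find_beacons(text, port=443, min_connections=6, max_jitter=0.15):
    """Return (src, dst) pairs on `port` whose inter-connection gaps are almost constant.
    max_jitter bounds the coefficient of variation (std/mean) of the gaps."""
    hits = []
    for (src, dst, dport), stamps in parse_flows(text).items():
        if dport != port or len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "connections": len(stamps),
                         "period_s": round(avg), "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(FLOW_LOG):
        print(f"{hit['src']} -> {hit['dst']}:443 every ~{hit['period_s']}s "
              f"({hit['connections']} connections, jitter {hit['jitter']})")
```

Legitimate software also checks in on a schedule (update agents, monitoring), so in practice this logic is paired with a destination allowlist or reputation lookup and used to prioritise review rather than to block; the value over a port-based firewall rule is that it does not care which port the traffic uses.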
7. The customer has a number of risk mitigation options, ranging from broad-scale data loss prevention systems to encryption of data at rest and data in transit. Similar to the previous problem of managing identity and access systems properly, we recommend solutions that solve the needs of a particular group of constituents well, rather than a one-size-fits-all choice of technology and supporting processes. A good starting point, most often, is a data classification exercise in which the customer seeks to identify High Business Impact data (HBI), Medium Business Impact data (MBI) and Low Business Impact data (LBI). In this manner, the customer can focus security efforts where they have the most value and reduce risk to the greatest degree.

Poor Procedures for Patching and Configuring Infrastructure

During the last year many of our customers transitioned to virtual infrastructures. As we noted before, this transition has demonstrated financial benefits but often brings security issues along, particularly in the case of inventory management and patching and configuring infrastructure. In our view (which largely consists of working in VMware environments) there are many ways to administer a Virtual Machine (VM), namely through SSH, web access and a VMware vCenter server. This leads to flexibility on the part of the customer but presents major challenges for the security team and auditors.

Another benefit of virtualized environments is the ease of duplicating an image or taking a “snapshot”. While useful, this tends to lead to a great many unmanaged VMs in the data center (known as server sprawl). Because IT has lost sight of these systems, they tend to be highly dangerous in that they are not patched and can become likely targets.

Lastly, configuration within virtual environments is remarkably easy, but not so with VM mobility. Machines move from one trust domain to another, and often a security breakdown is close at hand. We recommend strong policy review for virtualized environments, automation of inventory management and highly frequent process checks that policy matches reality.

Social Engineering Threats

The scope, depth and motivations behind social engineering threats have continued to grow through 2009. We believe this has much to do with the more directed efforts of organized crime. Malicious organizations that are economically motivated can afford to hire the staff to mount these offensives en masse.

Customers have some options, however. For the most part, organized attacks are after passwords and other account information. Customers can eliminate passwords as authentication methods through the use of hardware or software tokens. Customers must also invest in security awareness training; our own experience shows that this dramatically reduces attack effectiveness. Customers need to ensure that effective policies are in place and that everyone in the organization carries them out.
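Two sections of this paper ask for the same automation: the Ineffective Policy section calls for a mechanism that connects what is actually happening in the infrastructure to the requirements of policy, and the patching section above asks for automated inventory management and frequent checks that policy matches reality. The Python below is an added example, not code from Redspin or VMware, of the reconciliation step behind both: it takes the list of VMs the hypervisor actually reports, the list the CMDB believes exists, and a patch-age policy, and returns every departure (VMs nobody owns, VMs with no patch record, VMs patched too long ago, and powered-off VMs that will come back stale). The inventory, CMDB entries and policy values are constructed; in a real environment the first two would come from the vCenter inventory API and the CMDB export.

```python
"""Reconcile what the hypervisor reports against what the CMDB and patch policy
say should exist. Added example, not from the Redspin paper; the inventory,
CMDB and policy values below are constructed."""
from collections import Counter
from datetime import date

# Constructed hypervisor export: every VM the platform actually knows about.
HYPERVISOR_VMS = [
    {"name": "web-01", "powered_on": True, "last_patched": date(2009, 10, 20)},
    {"name": "web-02", "powered_on": True, "last_patched": date(2009, 7, 1)},
    {"name": "db-01", "powered_on": True, "last_patched": date(2009, 10, 25)},
    {"name": "web-01-snapshot-test", "powered_on": True, "last_patched": None},
    {"name": "old-reporting", "powered_on": False, "last_patched": date(2009, 1, 15)},
]
# Constructed CMDB: the systems IT believes it owns, with their owners.
CMDB = {"web-01": "web team", "web-02": "web team", "db-01": "dba team"}
# Constructed policy: what "patched" means, and the date of this review.
POLICY = {"max_patch_age_days": 30, "review_date": date(2009, 11, 1)}


def check_vm_inventory(vms, cmdb, policy):
    """Return (vm name, finding kind, detail) triples where reality departs from policy."""
    findings = []
    limit = policy["max_patch_age_days"]
    for vm in vms:
        name = vm["name"]
        if name not in cmdb:
            # Present on the hypervisor, unknown to the CMDB: the server-sprawl case.
            findings.append((name, "unmanaged", "present on hypervisor but absent from CMDB; no owner"))
        patched = vm["last_patched"]
        if patched is None:
            findings.append((name, "unpatched", "no patch record at all"))
            continue
        age = (policy["review_date"] - patched).days
        if age > limit:
            # A powered-off VM is still a finding: it comes back online as stale as it left.
            kind = "stale-patch" if vm["powered_on"] else "dormant-stale"
            findings.append((name, kind, f"last patched {patched.isoformat()}, {age} days ago"))
    return findings


def summarize(findings):
    """Count findings by kind, the figure a quarterly policy review would track."""
    return dict(Counter(kind for _, kind, _ in findings))


if __name__ == "__main__":
    results = check_vm_inventory(HYPERVISOR_VMS, CMDB, POLICY)
    for name, kind, detail in results:
        print(f"{name:24} {kind:14} {detail}")
    print(summarize(results))
```

The direction of the comparison matters: starting from the hypervisor's list rather than the CMDB's is what surfaces the snapshot clones and forgotten VMs the paper describes, because a check driven from the CMDB can only ever examine machines IT already knows about.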
8. Lack of Encryption and Centralized Key Management

Encryption is the most powerful method known to protect sensitive data. It can be done by each application and applied to data stored in databases or in file systems. Encryption can also be applied in the storage area network while data is in transit (generally in the switch). In end-user scenarios such as nomadic workers carrying laptops, whole-disk encryption can be used to render the data stored on lost laptops useless to a thief.

Encryption has another benefit with respect to regulatory requirements. For example, for healthcare organizations the regulations state that disclosed data that has been compromised, yet is protected by encryption, is not subject to notification requirements, thus saving the customer significant costs and brand damage.

In theory, customers have found the benefits of using encryption attractive, but have backed down when trying to organize a key management approach. We recommend that key management be centralized rather than the domain of a business unit or outside IT organization. Policies should be well documented and describe the management of the operations and procedures, such as key rotation, auditing and backup procedures.

Change Management Procedures for Applications

In discussions with our customers, the rate of application change (both for feature and scalability reasons) has increased at a rapid pace throughout 2009. Yet often development and quality assurance organizations struggle with complex build and test systems. In this case, the virtualized environments that have created security issues can work in your favor to safeguard your environment. For many of our customers, the server consolidation ratios that they have been able to achieve have led them to create VMs for many different reasons.
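The centralized key management recommended in the encryption section above (one owner for keys, with documented rotation, auditing and backup) is easier to commit to once the mechanics are visible. The following Python is an added example and not code from Redspin: a minimal central key service that keeps versioned master keys, gives every stored record its own data key wrapped under the current master, rotates by re-wrapping those data keys without touching the stored ciphertext, retires master versions nothing references any more, and logs every operation. The seal/open primitive is a labelled HMAC-SHA256 keystream stand-in so the file runs on the standard library alone; a deployment would use AES key wrap or an AEAD such as AES-GCM there. The record id, actor name and plaintext are constructed.

```python
"""Central key service with versioned master keys, per-record data keys,
rotation by re-wrapping and an append-only audit trail. Added example, not
from the Redspin paper. The wrap/seal primitive is an HMAC-SHA256 keystream
stand-in so this runs without third-party libraries; a real deployment would
use AES key wrap or an AEAD such as AES-GCM in its place."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def _keystream_xor(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream: illustrative stand-in only.
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def _seal(key, data):
    """Encrypt-then-MAC under `key`; returns (nonce, ciphertext, tag)."""
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(key, nonce, data)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def _open(key, nonce, ciphertext, tag):
    """Verify the tag before touching the ciphertext; raise on any tampering."""
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ciphertext)


class KeyManager:
    """One place that owns master keys; applications only ever name records."""

    def __init__(self):
        self.master_keys = {}      # version -> master key bytes
        self.current_version = 0
        self.records = {}          # record id -> version, wrapped data key, ciphertext
        self.audit = []            # append-only trail of every key operation
        self.rotate_master("initial key")

    def _log(self, event, **details):
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "event": event, **details})

    def rotate_master(self, reason):
        """Create a new master version and re-wrap every data key under it.
        Stored ciphertext is untouched: rotation costs one small re-wrap per record."""
        self.current_version += 1
        new_key = self.master_keys[self.current_version] = secrets.token_bytes(32)
        self._log("rotate-master", version=self.current_version, reason=reason)
        for record_id, rec in self.records.items():
            data_key = _open(self.master_keys[rec["version"]], *rec["wrapped_key"])
            rec["wrapped_key"] = _seal(new_key, data_key)
            rec["version"] = self.current_version
            self._log("rewrap", record=record_id, version=self.current_version)

    def encrypt(self, record_id, plaintext, actor):
        data_key = secrets.token_bytes(32)           # fresh key per record
        master = self.master_keys[self.current_version]
        self.records[record_id] = {"version": self.current_version,
                                   "wrapped_key": _seal(master, data_key),
                                   "ciphertext": _seal(data_key, plaintext)}
        self._log("encrypt", record=record_id, actor=actor, version=self.current_version)

    def decrypt(self, record_id, actor):
        rec = self.records[record_id]
        data_key = _open(self.master_keys[rec["version"]], *rec["wrapped_key"])
        plaintext = _open(data_key, *rec["ciphertext"])
        self._log("decrypt", record=record_id, actor=actor)
        return plaintext

    def key_versions_in_use(self):
        return sorted({rec["version"] for rec in self.records.values()})

    def retire_unreferenced(self):
        """Delete master versions no record depends on any more; returns them."""
        in_use = set(self.key_versions_in_use()) | {self.current_version}
        retired = sorted(v for v in self.master_keys if v not in in_use)
        for version in retired:
            del self.master_keys[version]
            self._log("retire-master", version=version)
        return retired
```

Two properties carry the paper's recommendation: rotation is cheap because only the small wrapped data keys are rewritten, so a quarterly rotation schedule is realistic for large data sets, and every encrypt, decrypt, rotate and retire lands in one audit log owned by the key service rather than in each business unit's application.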
We would advocate that the security and IT teams insist that a sufficient portion of VMs are allocated to the staging environment so that robust functional and security testing may be performed. This includes checking for proper behavior in the disaster recovery process and that the applications are fully integrated, as they will be in production, with system and performance management tools.

Partner Information Access

Organizations should be vigilant of the security implications likely present from the partner networks they connect to and, more importantly, those from whom they allow inbound connections. This risk began to emerge with more frequency in 2009 and it is of particular concern because most people do not even realize that it is an issue of which to be cognizant. A server room or data center would have multiple and completely independent layers of security in order to gain physical server access. Why are these same practices not applied in reference to partner networks? Best practices state that instead of terminating the connection directly into the core of your internal network, it is best to route these connections into a restricted security domain.

Accepting partner network connections implicitly grants trust to everything on the other side of that connection. To what extent has your partner addressed the issues raised in this paper? Do they have disgruntled employees? How is their virus protection process and policy? What are their processes and procedures for remote access? In effect, by connecting your organization to a third party, you expose yourself to a far greater range of risk. Despite your organization’s efforts to decrease your security footprint, utilizing
9. a third party is working in the opposite direction.

One particular dimension of partner information access is the dangerous assumption on the part of a well-intentioned and security-conscious organization that the partner network from whom they allow connections must be secure simply because it is a widely recognized, global entity. This is the intuitive and natural way to think about security, but our research indicates the opposite: the bigger, more prominent and more complex a network, the more it is targeted and at risk.

Regardless of whether a connection from a partner network or service provider is accepted from a globally recognized vendor or a local business, best security practices state that you should never trust “by default” whatever is on the other side of that connection. The minimum controls that should be deployed are a firewall between you and the partner network, as well as adequate segmentation to ensure that connections terminate in a specific area of the network where little damage could occur given a worst-case scenario. Most crucial is awareness in the first place that these connections are transpiring and that they could very well represent the weakest link in your network.

The above cited research was conducted by the Redspin security team during the course of hundreds of security assessments nationwide in 2008/2009. For questions and comments email Redspin at
Or call 805-684-6858.

About Redspin

Redspin delivers the highest quality Information Security Assessments through technical expertise, business acumen and objectivity. Redspin customers include leading companies in areas such as healthcare, financial services and hotels, casinos and resorts, as well as retailers and technology providers. Some of the largest communications providers and commercial banks rely upon Redspin to provide an effective technical solution tailored to their business context, allowing them to reduce risk, maintain compliance and increase the value of their business unit and IT portfolios.

Penetration Testing
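The minimum controls the Partner Information Access section sets out (a firewall between you and the partner, and segmentation so partner connections terminate in a restricted zone rather than the core) can be checked mechanically against a rule base. The Python below is an added example, not code from Redspin or any firewall vendor: it audits a list of rules and reports every partner-sourced allow rule whose destination lies outside the restricted partner zone, every partner allow rule that does not name a service port, and any partner range that lacks an explicit deny-all. The partner ranges, zone addresses and rule set are constructed; the rule format is hypothetical and would be replaced by the export format of the firewall in use.

```python
"""Check that every firewall rule admitting partner traffic terminates in the
restricted partner zone, names a specific service port, and is backed by an
explicit default deny. Added example, not from the Redspin paper; the zones,
partner ranges and rule set below are constructed."""
import ipaddress

PARTNER_NETS = [ipaddress.ip_network("198.51.100.0/24"),   # constructed partner A
                ipaddress.ip_network("203.0.113.0/24")]    # constructed partner B
PARTNER_DMZ = ipaddress.ip_network("192.168.250.0/24")     # restricted landing zone
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed rule base, in evaluation order. Rule 20 lands a partner in the
# core (10.20.5.0/24); rule 30 opens every port; rule 40 is the default deny.
RULES = [
    {"id": 10, "src": "198.51.100.0/24", "dst": "192.168.250.10/32", "port": "443", "action": "allow"},
    {"id": 20, "src": "203.0.113.0/24", "dst": "10.20.5.0/24", "port": "1433", "action": "allow"},
    {"id": 30, "src": "203.0.113.7/32", "dst": "192.168.250.20/32", "port": "any", "action": "allow"},
    {"id": 40, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any", "action": "deny"},
]


def _from_partner(net, partner_nets):
    """True when `net` lies entirely inside one of the partner ranges."""
    return any(net.subnet_of(p) for p in partner_nets)


def audit_partner_rules(rules, partner_nets=PARTNER_NETS, dmz=PARTNER_DMZ):
    """Return (rule id, finding kind, detail) triples; id is None for rule-base-wide gaps."""
    findings = []
    covered = set()  # partner ranges that are caught by an explicit deny-all
    for rule in rules:
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if rule["action"] == "deny" and dst == ANY:
            covered.update(p for p in partner_nets if p.subnet_of(src))
            continue
        if rule["action"] != "allow" or not _from_partner(src, partner_nets):
            continue
        if not dst.subnet_of(dmz):
            findings.append((rule["id"], "terminates-outside-dmz", f"{dst} is not inside {dmz}"))
        if rule["port"] == "any":
            findings.append((rule["id"], "unrestricted-port", "partner allow rule must name a service port"))
    for p in partner_nets:
        if p not in covered:
            findings.append((None, "no-default-deny", f"no explicit deny-all covers partner range {p}"))
    return findings


if __name__ == "__main__":
    for rule_id, kind, detail in audit_partner_rules(RULES):
        print(f"rule {rule_id}: {kind}: {detail}")
```

The check deliberately evaluates each rule on its own and does not model rule ordering, so a deny placed above an allow will not be reported as shadowing it; that is a separate analysis. What it does give the security team is the "awareness in the first place" the section asks for: a list of exactly which partner ranges can reach exactly which internal addresses.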