Identifying and Defeating Cybersecurity and Compliance Vulnerabilities
Part of the cybersecurity community has considered the most recent of these incidents, the OPM breach, the equivalent of a cyber-9/11. In it, millions of data points belonging to US Government personnel were compromised, and there is a concrete threat that the stolen data could be used by threat actors in further cyber-attacks against additional Government agencies and individuals.
The Office of Personnel Management (OPM) hack must serve as a wake-up call for reorganizing the cybersecurity posture of the country. To do this it is essential to profile the threat actors, understand their motivation, learn the way they operate and adopt the necessary countermeasures to stop them. A very simple strategy to theorize, but very difficult to achieve.
But first, we must try to understand the possible motivations of a potential attacker or malicious insider. Hackers act to steal sensitive data (i.e. corporate secrets, personal information, and intellectual property) for profit or for sabotage. Recent events demonstrate why cyberespionage is still considered the most dangerous threat to Governments; APT groups and nation-state intelligence agencies worldwide constantly search for vulnerabilities to exploit on a large scale in order to gather sensitive data and to cause mischief and mayhem.
We cannot underestimate the actions of cyberterrorists and cybercriminals. Financial firms, retailers, and companies in the health care industry are constantly under attack both from within and without. The financial damage to the world economy from cybercrime alone exceeds $575 billion, a figure that is especially disconcerting when we consider that it is greater than the GDP of many countries.
Another danger posed by groups of hackers on a global scale is the possibility of cyber-attacks against critical infrastructure, such as gas pipelines, water facilities, and power grids. The majority of processes in modern infrastructure are controlled by SCADA systems that have been exposed on the Internet for maintenance purposes without the necessary attention to cybersecurity, and that have missed security updates and upgrades. The problem is not just the maintenance of SCADA components, but the lack of security by design in these systems, which exposes the entire infrastructure to the risk of cyber-attack.
Cybersecurity / Compliance Vulnerabilities
Insiders are passing on information to the bad guys, frequently in the form of proprietary and otherwise sensitive data. We can consider mobile devices as the modern day equivalent of Brink’s trucks – out and about all over the map, and operated by users whose practices lead to exposure. The alarm system is now a cybersecurity program which too often depends upon an inadequate hodgepodge of firewalls and patches, transforming the IT network into a susceptible “vault” ripe for the modern version of the inside job: More than one-half of organizations overall have experienced an insider cybercrime incident, according to the 2013 U.S. State of Cybercrime Survey from the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute. That’s up significantly from 41% in 2004.
As with prior generations, the insiders are still disgruntled, yet they’ve armed themselves with intimate knowledge of an enterprise’s business practices, systems and applications. Assuming they’re in good standing, they’re considered “trusted” members of “the team.” Which means they’re capable of causing far, far greater damage than their counterparts of yesteryear, over an indefinite stretch of time. They don’t require a liaison from the underworld to initiate action either; many of the lowest of staffers are technologically proficient enough to steal funds and/or proprietary data on their own. They can create more losses than external threats because they have full access to systems with minimal – if any – restrictions to overcome.
Nearly one-quarter of security professionals say that abuse on the part of internal employees or contractors presents the biggest source of security concerns within their organization (ranking it #1 among all risks), and a mere 16% feel “very” prepared to fend off intrusions. Malicious insiders perpetrate the most cases of fraud, and the second most cases of IT sabotage and theft of intellectual property, according to CERT. In addition, there are the users who introduce risks inadvertently, through ill-conceived behaviors which external parties readily exploit. These users can be “tricked” into clicking on a malware-containing URL and infecting the network. Or they’ll lapse into sloppy habits, such as sending corporate materials to their home computers on vulnerable, private email accounts. In fact, the majority of professionals admit to emailing business documents from their workplace to their personal email, and most of them never delete the data after transferring it, further inviting risk.
Injection vulnerabilities occur every time an application sends untrusted data to an interpreter. Injection flaws are very common and affect a wide range of data-handling components, the most frequently affected being SQL, LDAP, XPath, XML parsers and program arguments. As explained in the OWASP “Top 10” guide, injection flaws are quite easy to discover by analyzing the code, but frequently hard to find during testing sessions once systems are already deployed in production environments.
The possible consequences of a cyber-attack that exploits an injection flaw are data loss and the consequent exposure of sensitive data, lack of accountability, and/or denial of access. An attacker could run an injection attack to completely compromise the target system and gain control of it. The business impact of an injection attack could be dramatic, especially when the hacker compromises legacy systems and gains access to sensitive internal data.
Even though SQL injection vulnerabilities are among the most exploited flaws, and despite the high level of awareness of the techniques used to exploit them, this category of bugs remains extremely prevalent and the impact of such attacks remains very serious.
A study released by the Ponemon Institute in October 2014 titled “The SQL Injection Threat Study” investigated the response of organizations to the SQL injection threat. The study revealed that despite almost one-third believing that their organization has the necessary technology to detect and mitigate the cyber-threat, the success rate of SQL injection attacks remained very high.
Injection vulnerabilities affect a variety of software, and their impact depends on how widely the vulnerable application is deployed.
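An added example (not from the original article) of the SQL case using Python's standard-library sqlite3 and a constructed in-memory user table: the vulnerable function hands user input to the SQL interpreter as part of the statement text, while the hardened one passes it as a bound parameter that the interpreter never parses as SQL.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory database stands in for the
    application's user store so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "auditor")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is spliced into the statement text, so the SQL
    interpreter parses whatever the caller supplied as part of the query."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The statement text is a constant; the input travels separately as a
    bound parameter and is only ever compared as a string value."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run the same two inputs through both versions and return the rows."""
    conn = build_db()
    # A benign lookup behaves identically in both versions.
    normal = "bob"
    # The textbook tautology used in testing: in the vulnerable version the
    # quote closes the string literal and the remainder becomes SQL, so the
    # WHERE clause is true for every row.
    probe = "' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, normal),
        "normal_safe": lookup_safe(conn, normal),
        "probe_vulnerable": lookup_vulnerable(conn, probe),
        "probe_safe": lookup_safe(conn, probe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```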
A classic example of an injection flaw is the critical vulnerability dubbed Bash Bug, affecting Bash, the command-line shell used on Linux and UNIX systems. The flaw, tracked as CVE-2014-6271, is remotely exploitable and potentially exposes websites, servers, PCs, OS X Macs, various home routers, and many other devices to the risk of remote cyber-attack.
The vulnerability has existed for several decades and is related to the way bash handles specially formatted environment variables, namely exported shell functions. To run arbitrary code on an affected system it is enough to place a function definition in an environment variable: when bash imports the function, any code trailing the function definition is executed as well.
The critical Bash Bug vulnerability, also dubbed Shellshock, affects GNU Bash versions 1.14 through 4.3. A threat actor could exploit it to execute shell commands remotely on a targeted machine using specially crafted variables.
Such vulnerabilities could have a dramatic effect on a large scale. Think, for example, of the dangers to Internet-of-things devices like smart meters, routers, web cameras and any other device that runs software affected by this category of flaws.
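An added check (not from the original article) that shows the mechanism described above from the defender's side: an exported variable whose value begins with `() {` is imported by bash as a function, and a vulnerable bash also runs the code trailing the definition. The trailing code here only echoes a marker; the version check uses the 1.14 to 4.3 range stated above and is indicative only, since distributions shipped patched 4.3 builds.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Affected range stated in the text: GNU Bash 1.14 through 4.3.
AFFECTED_MIN = (1, 14)
AFFECTED_MAX = (4, 3)
MARKER = "TRAILING_CODE_RAN"


def parse_bash_version(banner: str) -> Optional[Tuple[int, int]]:
    """Pull (major, minor) out of 'GNU bash, version 4.3.11(1)-release ...'."""
    m = re.search(r"version (\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def version_in_affected_range(banner: str) -> Optional[bool]:
    """Indicative only: the fix was back-ported, so a 4.3 build may already be
    patched. Returns None when the banner cannot be parsed."""
    ver = parse_bash_version(banner)
    return None if ver is None else AFFECTED_MIN <= ver <= AFFECTED_MAX


def probe_function_import(bash: str = "bash") -> str:
    """Behavioural check for CVE-2014-6271 against the local bash binary.

    The variable 'x' receives a value shaped like an exported function
    definition followed by trailing code. On startup an unpatched bash
    imports the function and, because it evaluates the whole value, also
    runs the trailing 'echo' before it reaches the -c command. A patched
    bash stops at the end of the function body, or (in current builds)
    ignores the variable because function exports now use a reserved name
    prefix. Returns 'vulnerable', 'patched' or 'no-bash'.
    """
    path = shutil.which(bash)
    if path is None:
        return "no-bash"
    env = {"PATH": "/usr/bin:/bin", "x": f"() {{ :;}}; echo {MARKER}"}
    proc = subprocess.run([path, "-c", "echo probe"], env=env,
                          capture_output=True, text=True, timeout=10)
    return "vulnerable" if MARKER in proc.stdout else "patched"


def report(bash: str = "bash") -> dict:
    """Combine the decisive behavioural probe with the indicative version check."""
    result = {"behaviour": probe_function_import(bash)}
    path = shutil.which(bash)
    if path is not None:
        banner = subprocess.run([path, "--version"], capture_output=True,
                                text=True, timeout=10).stdout
        result["version"] = parse_bash_version(banner)
        result["in_affected_range"] = version_in_affected_range(banner)
    return result


if __name__ == "__main__":
    print(report())
```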
A buffer overflow condition exists when an application attempts to put more data in a buffer than it can hold. Writing outside the space assigned to the buffer allows an attacker to overwrite the content of adjacent memory, causing data corruption, crashing the program, or leading to arbitrary code execution.
Buffer overflow flaws are also quite common and very hard to discover, but unlike injection flaws they are more difficult to exploit: the attacker needs to know the memory management of the targeted application, the buffers it uses, and how to alter their content in order to run the attack.
In a classic attack scenario, the attacker sends data to an application that stores it in an undersized stack buffer, overwriting information on the call stack, including the function’s return pointer. In this way, the attacker’s own code runs once the legitimate function completes and control is transferred to the exploit code contained in the attacker’s data.
There are several types of buffer overflow; the most frequently cited are the heap buffer overflow and the format string attack. Buffer overflow attacks are particularly dangerous as they can target desktop applications, web servers, and web applications, and they can corrupt the execution stack of a web application by sending specially crafted data.
Buffer overflows affecting widely used server products represent a significant risk to users of these applications. In recent years, many buffer overflow vulnerabilities were discovered in a number of SCADA components. Considering that the number of cyberattacks against SCADA is increasing, it is even more likely that these buffer overflow vulnerabilities will be exploited with increasing frequency. A specially targeted crimeware kit could be sold in the underground ecosystem to attack this particular category of targets, causing catastrophic damage.
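An added, self-contained illustration (not from the original article) of the adjacent-memory effect described above, using Python's ctypes to lay out a C-style record with a fixed 8-byte name field followed by a privilege flag: the unchecked copy mirrors an unbounded C `strcpy` into an undersized buffer and spills into the neighbouring field, while the bounded copy rejects oversize input. The record layout and field names are constructed for the example.

```python
import ctypes
import sys

NAME_SIZE = 8


class Record(ctypes.Structure):
    """Constructed C-style layout: an 8-byte name buffer followed directly
    by a 32-bit privilege flag, which therefore lives at byte offset 8."""
    _fields_ = [("name", ctypes.c_char * NAME_SIZE),
                ("is_admin", ctypes.c_uint32)]


def _name_addr(rec: Record) -> int:
    return ctypes.addressof(rec) + Record.name.offset


def set_name_unchecked(rec: Record, data: bytes) -> None:
    """The vulnerable pattern: copy as many bytes as the caller supplied with
    no comparison against the buffer size, as an unbounded strcpy would.
    Bytes past NAME_SIZE land in whatever follows the buffer, here is_admin.
    The count is clamped to this record's own allocation so the demonstration
    corrupts only the adjacent field and never memory outside the struct."""
    count = min(len(data), ctypes.sizeof(rec) - Record.name.offset)
    ctypes.memmove(_name_addr(rec), data, count)


def set_name_checked(rec: Record, data: bytes) -> None:
    """The hardened form: reject input that does not fit with room for the
    terminating NUL, then zero the buffer and copy exactly len(data) bytes."""
    if len(data) >= NAME_SIZE:
        raise ValueError(f"name is {len(data)} bytes; buffer holds {NAME_SIZE - 1}")
    ctypes.memset(_name_addr(rec), 0, NAME_SIZE)
    ctypes.memmove(_name_addr(rec), data, len(data))


def demo() -> dict:
    # Constructed input: 8 filler bytes exactly fill the name buffer and the
    # next 4 spell the integer 1 in this machine's byte order, so an unchecked
    # copy rewrites is_admin from 0 to 1.
    overflow = b"A" * NAME_SIZE + (1).to_bytes(4, sys.byteorder)

    rec = Record(name=b"guest", is_admin=0)
    set_name_unchecked(rec, overflow)

    hardened = Record(name=b"guest", is_admin=0)
    try:
        set_name_checked(hardened, overflow)
        rejected = False
    except ValueError:
        rejected = True
    set_name_checked(hardened, b"alice")     # a name that fits is accepted

    return {"flag_offset": Record.is_admin.offset,
            "unchecked_is_admin": rec.is_admin,
            "unchecked_name": bytes(rec.name),
            "checked_rejected": rejected,
            "checked_is_admin": hardened.is_admin,
            "checked_name": bytes(hardened.name)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```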
Sensitive Data Exposure
Sensitive data exposure refers to the unauthorized access of data at rest, in transit, or included in backups, as well as user browsing data. It occurs every time a threat actor gains access to sensitive data, whether stored (at rest) in a system or transmitted between two entities (i.e. servers, web browsers). In every case exposure occurs when the data lacks sufficient protection, typically because it is unencrypted. The attacker has several options, for example: compromising data storage with a malware-based attack, intercepting data between a server and the browser with a Man-In-The-Middle attack, or tricking a web application into doing things like changing the content of a cart in an e-commerce application or elevating privileges.
The principal sensitive data exposure flaw is the lack of encryption for sensitive data. However, even if encryption mechanisms are implemented, other events can occur which lead to the exposure of information. The adoption of weak key generation and management, and weak algorithm usage is very common in many industries and applications, not to mention the use of old and compromised encryption schemes.
A number of recent incidents have demonstrated the criticality of this category of flaw, highlighting the incorrect implementation of encryption algorithms and the lack of encryption for mobile and cloud solutions. In September 2014, the CERT Coordination Center at Carnegie Mellon University (CERT/CC) published the results of tests conducted by its experts on popular Android applications that fail to properly validate SSL certificates. The failure of the certificate pinning procedure exposes users to the risk of MitM attacks and the consequent theft of sensitive information.
The CERT confirmed that the problem is widespread, as did another study conducted by security experts at FireEye that evaluated the level of security offered by 1,000 of the most popular free apps on Google Play. FireEye’s results were shocking: 68% of the apps don’t check server certificates and 77% ignore SSL errors. According to the CERT, the applications are using vulnerable libraries, such as the Flurry and Chartboost ad libraries. For this reason, Android users are exposed to the risk of attacks. Despite the fact that FireEye notified the developers about the flaws, the CERT pointed out that only a few companies took steps to secure their products.
As highlighted by the numerous studies of the topic, attackers typically don’t break crypto directly; they opt instead to exploit a sensitive data exposure flaw. This means that threat actors operate to steal encryption keys, run man-in-the-middle attacks, steal clear text data off the server while in transit, or from the user’s web browser. In short, they use the path of least resistance.
The exploitation of the sensitive data exposure flaw could be dramatic for every organization in every industry. The monetary losses for these data breaches are directly related to the business value of the compromised data, and the overall impact to the reputation of the victim organization.
Flaw exploitation attacks could be run by any category of attacker, including insiders, cybercriminals, state-sponsored hackers, and hacktivists. In the majority of cases this kind of attack is part of a first-stage offensive that also involves other hacking techniques, with the goal of opening the network to unauthorized access and control.
Since every organization manages sensitive data in one form or another, ALL industries are threatened: healthcare, financial, manufacturing, and infrastructure are all potentially exposed to attacks that could involve the theft of a large number of users’ personally identifying data. Millions of users have already had their PID stolen… and millions more are still open to the threat.
Broken Authentication and Session Management
The exploitation of a broken Authentication and Session Management flaw occurs when an attacker uses leaks or flaws in the authentication or session management procedures (e.g. exposed accounts, passwords, session IDs) to impersonate other users.
This kind of attack is very common; many groups of hackers have exploited these flaws to access victims’ accounts for cyberespionage or to steal information that could benefit their criminal activities.
As explained by OWASP, one of the main problems is the custom implementation of authentication and session management schemes. In the majority of cases these schemes are in fact flawed and hackers are able to compromise them. This category of flaws affects web applications, most often in functionality such as logout, password management, ‘remember me’, timeouts, secret questions, and account update.
The bad news is that once this kind of flaw is successfully exploited, the attacker can impersonate the victim, doing anything they could do with the privileges granted to their account.
Unfortunately, the exploitation of a broken Authentication and Session Management scheme is hard to mitigate due to the large number of schemes implemented by each victim. Not all authentication and session management systems are equal, complicating the adoption of best practices on a large scale.
There are several ways to bypass authentication mechanisms, including “brute-forcing” the targeted account, using an SQL Injection attack, retrieving a session identifier from a URL, relying on the session timeout, reusing an already used session token, or compromising a user’s browser.
The most popular attack scenario relies on the session authentication mechanisms which are usually based on tokens associated with each session on the server side. An attacker that is able to retrieve the session identifier could impersonate victims without providing login credentials again.
The possible business impact of broken authentication and session management attacks is severe because an attacker could take over a user’s account and impersonate them to conduct various malicious activities.
Such practice is very common in both the cybercriminal ecosystem and state-sponsored hacking.
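An added sketch (not from the original article; class and method names are hypothetical) of the server-side token scheme described above, arranged so the bypasses listed in the text have less to work with: identifiers come from the OS CSPRNG rather than a guessable counter, sessions expire on an idle timeout, the identifier is rotated at login so an already-held token cannot be reused afterwards, and logout invalidates it server-side. The clock is injectable so expiry can be exercised offline.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    """In-memory, server-side session store (hypothetical, for the example)."""

    def __init__(self, idle_timeout: float = 900.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable so expiry can be tested offline
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, presented_token: Optional[str] = None) -> str:
        """Issue a fresh identifier at authentication. Any token the client
        already held is invalidated, so an identifier planted or captured
        before login cannot be reused afterwards."""
        if presented_token is not None:
            self._sessions.pop(presented_token, None)
        # 32 bytes from the OS CSPRNG: not derivable from time, user id or an
        # earlier token, unlike sequential ids that are cheap to guess.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self.clock())
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user bound to a token, or None if it is unknown or has
        been idle past the timeout. Expired entries are dropped so a stale
        identifier cannot be resurrected later."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess.last_seen > self.idle_timeout:
            del self._sessions[token]
            return None
        sess.last_seen = now
        return sess.user

    def logout(self, token: str) -> None:
        """Invalidate server-side; clearing the browser cookie alone leaves
        the identifier usable by anyone who copied it."""
        self._sessions.pop(token, None)


def demo() -> dict:
    """Walk through the scenarios from the text with a fake clock."""
    now = [1_000_000.0]
    store = SessionStore(idle_timeout=900.0, clock=lambda: now[0])
    stale = store.login("alice")                 # token held before re-authenticating
    token = store.login("alice", presented_token=stale)
    out = {"rotated": token != stale,
           "stale_rejected": store.resolve(stale) is None,
           "fresh_accepted": store.resolve(token) == "alice"}
    now[0] += 600.0                              # active within the idle window
    out["valid_within_timeout"] = store.resolve(token) == "alice"
    now[0] += 901.0                              # idle longer than the window
    out["expired_after_idle"] = store.resolve(token) is None
    token2 = store.login("alice")
    store.logout(token2)
    out["logout_invalidates"] = store.resolve(token2) is None
    return out
```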
Security Misconfiguration
This category of vulnerability is considered the most common and thus the most dangerous. It is quite easy to discover web servers and applications that have been misconfigured, resulting in openings for cyber-attacks. Below are some typical examples:
- Running outdated software
- Applications and products running in production in debug mode or that still include debugging modules
- Running unnecessary services on the system
- Misconfigured access controls on server resources and services, which can disclose sensitive information or allow an attacker to compromise the system
- Not changing factory settings (i.e. default keys and passwords)
- Incorrect exception management that could disclose system information to the attackers, including stack traces
- Use of default accounts, passwords, and usernames
The exploitation of one of the above scenarios could allow an attacker to compromise a system. Security misconfiguration can occur at every level of an application stack.
In many cases, it is quite easy for an attacker to search for this kind of vulnerability. The availability of automated scanners on the market allows the detection of systems that are not correctly configured or not correctly patched.
Security misconfiguration vulnerabilities could have a dramatic impact when the systems targeted by hackers are widely adopted. For example, routers with hardcoded credentials or network appliances using default SSH keys allow an attacker to establish remote, unauthorized connections to the device, giving attackers free rein over the network and bypassing all but the most meticulous layered defense.
This kind of vulnerability could have a severe impact on the new paradigm of the Internet of Things. Poorly configured IoT devices could be exploited by hackers to compromise the software they run and recruit them into large “thingbots.”
Recovery could be very expensive and the impact on the organizations using flawed devices could be severe. Security misconfiguration is very insidious for any organization and causes incidents that are difficult to mitigate and can have a catastrophic impact.
As for an answer, there is an “easy button” to press, and many companies are doing just that, by going out and buying some prevention/detection product from some vendor. Plug it in, play and forget about it, right? Unfortunately, they soon discover that the easy button no longer suffices in today’s environment.
That’s because an exclusively tech-driven approach will always fall short. Certainly, IT solutions matter, as does the tech department’s valued input. But both must align with business-side executives and users to address all entry opportunities for the insider threat while not disrupting productivity and/or diminishing brand reputation/strength.
Indeed, a successful insider threat program thrives upon a step-by-step, multi-layered execution strategy. The strategy should be so embedded within daily activities, that it’s perceived as part of the corporate culture as opposed to a “necessary evil” forced upon users from IT. When the program reaches this level of internal acceptance, it fosters a universal awareness about not only what needs to get done, but why it needs to get done. Such awareness is in short supply today: A staggering 38% of the SANS survey participants don’t know how much of their IT budget is spent on security. Keep in mind that these participants were CIOs, IT security managers, security analysts and other key tech-side professionals. One can expect the percentage to be far lower outside the IT department.
Without augmented awareness, enterprise and financial institutions increase their exposure. To avoid this, they have to go beyond the traditional standards of assigning privileges, controlling authorization and targeting outside threat vectors. They have to engage in more than solely post-event audit controls. Leadership has to enact policies and processes that demonstrate a realistic understanding of people’s behavior. Without the human factor, the solutions will remain woefully lacking. While technology introduces new threat vectors, the technology itself doesn’t initiate the problems. Human behaviors do.
A fully integrated, enterprise security environment reigns supreme here, and support must come from the very top leadership levels. The CEO announces the program launch, and C-suite members give top-down direction for immediate and long-term goals. A business case will determine any expected metrics-based ROI outcomes. All stakeholders – board members, the legal department, HR and, of course, IT – will be brought on board in the very beginning stages.
Conclusion: Greater Confidence, Greater Trust
Ultimately, a comprehensive program builds confidence throughout an organization. Users will go about the business of serving customers by opening checking accounts, offering low-interest credit cards, managing retirement portfolios, etc., entirely certain that the program team is proactively safeguarding the company from all internal rogue activity. They know that – should a colleague unwittingly download malware which could disrupt operations – the team will swiftly spot the compromise and stop it in its tracks. This cultivates a welcome sense of trust enterprise-wide, with managers and employees comforted that any data for which they’re responsible – including everything generated by proprietary documents, fiscal reports and customer products – is protected. And they realize that none of the added measures will interfere with their ability to do their jobs.