Posted: May 17th, 2013 | Filed under: IIS & HTTP
The volatility of the current environment requires organizations to react very quickly to a changing business landscape, and to do so not only with speed but also under severe cost pressure. More and more IT teams are adopting third party packaged solutions as their answer to the challenge of delivering quick solutions to the business, since building proprietary solutions often satisfies neither the time nor the budget requirements.
This trend is growing fast across organizations. Businesses are signing strategic IT sourcing deals in which they hand over their entire IT support to an external vendor, making the vendor responsible for both infrastructure and personnel. Or they are moving to an outsourcing model in which they buy and customize solutions from a third party vendor for their automation needs.
To cash in on this trend, some IT consulting companies have built products that they customize according to the client's requirements and implement onsite. In this process, the one piece that gets neglected the most is security.
Most organizations don't have processes or checks in place to ensure that third party code is implemented securely. In our experience testing applications supplied by third party vendors, we have seen vulnerabilities that attackers could easily have exploited to access highly confidential personal and financial data.
The story is no different in other verticals. In December 2012, an Egyptian hacker breached Yahoo!'s security and acquired full access to a Yahoo! database server. The SQL injection attack was carried out against a Yahoo! web application that had been supplied by a third party.
So how can organizations protect themselves? We have proposed regular security assessments to some firms that run many such products. But given the extensive customization these products undergo at implementation time, the best practice is a periodic code review of the code actually deployed at the client end, since the vendor's own tested baseline says little about what is running in a particular customer's environment.
The usual objection is that clients feel helpless because they will not be given access to the code. Recently, though, there have been cases where clients have persuaded vendors to grant code access for a security code review. But no matter what, when deploying or integrating a third party application, ensure that you perform proper security checks and don't just deploy the quickest and cheapest solution. Remember, you're only as secure as your weakest link.
Posted: May 9th, 2013 | Filed under: IIS & HTTP
As discussed in a previous post on incident response, there really isn't any authority one can call in the event of a hack attack. So, if we live in a world where we are left to fend for ourselves against cybercrime, what are we to do?
One potential course of action, in the absence of authorities or first responders, is to hack back while under attack. However, even here the law offers little help to people and organizations trying to defend themselves. If anything, there are laws that could land those who hack back in trouble.
For example, cybercrime laws in the US have extensive provisions defining what constitutes cybercrime. None of them, however, defines an exception for self-defense. If an organization or individual tried to stop an attack by attacking the machine(s) from which it originated, they may not be able to plead "self-defense." In fact, their efforts may themselves be categorized as an attack, and they may face legal repercussions.
The issue of hacking back isn’t just one that has beleaguered technical people, it’s even become a debate for lawyers. To hear the legal side of things, the Federalist Society has a recorded discussion on the legality of hacking back between a group of lawyers.
Problems with Hack Back
Legality aside, there are other problems with hacking back. For one, attackers often don't attack from their own machines but from botnets or zombie machines, that is, machines belonging to unsuspecting individuals and organizations that the attacker has compromised. In such a case, hacking back really means attacking, shutting down or damaging machines belonging to people who otherwise have nothing to do with the attack. It also assumes the observed source is the real origin; for many network-level attacks the source addresses are spoofed, so the "attacker" you identify may not even be sending the traffic. Hacking back would only make life miserable for the person or organization caught in the middle, and turn the would-be defender into something of a bad guy.
But it’s Kind of Like the Real World…
Criminal laws in most countries have express clauses defining what constitutes self-defense and upholding the right of an individual to use force in order to defend his or her body and property. So let's take an example.
Suppose some thieves arrive on a stolen bike to rob someone traveling in a car, and in defending him or herself the person in the car ends up damaging the bike. The owner of the bike cannot file a complaint against the person in the car. Isn't this similar to what happens online when attackers hijack machines and use them to attack others? In the absence of any specific protection in the cybercrime laws, shouldn't the self-defense provisions of the criminal law come to the aid of beleaguered organizations that, when under attack, attack back to contain the damage?
It is strange that while the law does not protect individuals and organizations in this way, nations have already started using "hack back" as a strategy. Recently, stories emerged about the United States attempting to hack back at China after numerous state-sponsored hacks originating from Chinese actors. This could be interpreted in two ways: there is indeed a shadow cyberwar occurring, or it was a defensive technique.
So what can organizations do? Given the confusion in the law and an ever more globally connected business world, organizations need to focus on strengthening their own assets against attack. A red team exercise is a good way to evaluate preparedness to respond to any type of attack: a team of seasoned infosec analysts attacks the corporate IT assets in order to gauge both how well those assets withstand the attack and how effective the incident response process is. Preparedness and knowledge are the traits that will best equip you to deal with hack attacks in lieu of a dedicated cyber-authority.
Posted: April 25th, 2013 | Filed under: IIS & HTTP
Earlier this week, the Associated Press's Twitter account sent out a tweet announcing a terrifying attack on the White House. The tweet quickly spread throughout Twitter and sent the stock market spiraling.
However, as we now know, the tweet was fake, the result of the @AP account being hacked. As web security professionals, what we are most concerned about is: a) how did the account get hacked, and b) how do we prevent it from happening again?
Posted: April 23rd, 2013 | Filed under: Web and Application Security
If there’s somethin’ strange in your neighborhood, Who ya gonna call? If it’s somethin’ weird and it don’t look good, Who ya gonna call? Ghostbusters?
You could ask the same question about the web today: who are you going to call when you get hacked? The local police? Well, that's not as easy as reporting a crime in the physical world. A recent piece by Eileen Sullivan of the Associated Press details how local police struggle to respond to cybercrime.
There are numerous reasons local authorities cannot deal with hackers. For one, police have to act within their jurisdiction. Even if the police had the technical capability to track down and stop a perpetrator, if that perpetrator were acting from thousands of miles away there would be little they could do because of jurisdiction.
Posted: April 4th, 2013 | Filed under: IIS & HTTP
Ask any CISO what his or her top concern is right now and seven out of ten will tell you it's bring your own device (BYOD). More than 70% of IT executives believe that companies without BYOD will be at a competitive disadvantage.
The importance of this topic can be gauged by the fact that in the last week alone we have received calls from five client CISOs asking for our opinion on the subject. During the same period we conducted a security review of two organizations on behalf of a client, and both of these organizations had a BYOD policy.
BYOD surely has its advantages. Employees are happy because it gives them the freedom to use their own device, which increases flexibility, convenience and productivity. Companies are happy because it cuts the cost of deploying and managing what can be hundreds of devices. It is not surprising, therefore, that BYOD has become a natural favorite of both employees and employers. In fact, our President Hiren Shah was a visionary in this regard: he implemented BYOD back in 2006, when he introduced a policy allowing select models of mobile phone access to corporate e-mail.