Security done wrong and blowing the budget...how not to secure your business

By -


The State of Cyber Security:

We don't want a 15 year old breaching our systems, stealing data and taking 13% off our share price as a result.....hmm I think not. If I wanna be hacked the hacker has got to be elite and like an uber hacker right!!

 It is strikingly obvious that security is still weak for both the large enterprise and smaller organisations alike. Take TalkTalk hacked by 15yr old for example...

 We live in a world where multi-million euro businesses can be drastically hit by ANYONE with the will, determination and curiosity, I sh*t you not!!.

Poor practices we accept in the industry


 Yearly security testing on sites & systems that change frequently

 We perform annual testing of our systems, in a time limited manner. Our systems are in a constant state of flux (for the below reasons) but we still only do the annual security test. 

 See anything wrong here? 3 words  for you...Window Of Exposure
  • Changes in code

Happen more frequently, we are more "Agile" than ever. We push code frequently and spread the risk of dev failure as opposed to hoping everything works at the end of the project. The more we change the less valuable our previous security report is. Within days of a security test the value of the report is degraded due to the system having changed since the report was written. With this in mind, as change occurs and no security verification is done our window of exposure grows.

  • Changes in supporting environment. 

We patch systems where we can as per our patch management policy but this is never as easy as it sounds. Patching live systems can result in negative effects to the hosted systems. Patches can break stuff!!  So we don't patch as often...On a day to day basis we are secure one day the next we have a vulnerability because it has just been discovered and made public knowledge. Annual testing does not scale to the dynamic nature of the systems we manage and own.

Automate everything

  • Highly automated is weak there are many aspects of web data flow which breaks automation and reduces coverage.
  • Highly automated solutions can result in impacting/harming live systems such as submission of 1000's of emails/tickets, impacting performance, exhaustion of system resources.
  • Highly automated solutions can submit sensitive webforms and corrupt data or system state.
  • Many vulnerability scanners can submit invasive attacks which appear idempotent but in the context of the system they are very destructive.
  • Un-tuned automation can result in DoS (Denial of Service) issues. Many scanners use excessive aggressiveness when scanning. 


 Risk is not linear

  • Automation does not understand risk.
  • Risk is a human concept and needs to be assessed by humans
  • Not all vulnerabilities are equal and depends on logical context and where a given type of vulnerability is situated.

Secure the WebApp
  • Developer Code Only

Is a web application only Developer Code? It appears from various studies that circa 90% of an average web application is framework/component code and not written by the developer at all. - focusing on developer written code alone is not application security!!
  • Component Security

As an industry we don't talk much about the 90% of code running our web applications which we did not develop...funny that. - without component security you are not doing application security

 Like do we maintain components/frameworks as we patch OS's??  - No hope. 
Do we have a component security policy the same way we have a patch management policy?  - Nope

  • OS Security

65% of vulnerabilities are due to poor patching, misconfiguration or deprecated services. Yep 65% of vulnerabilities - edgescan vulnerability stats report 2015. "Hackers don't give a Sh1t" so if you have focused on web app security only they shall come in via the OS! Make sense?
  • We use SSL - (yes I've said it) - People still say this - No idea why given SSL V2 and V3 is broken!!


  • We use a WAF - (again more bullsh*t). Logical vulnerabilities, Behavioural wekanesses thats where the money is anyways!! Your WAF don't mean diddly on its own as it only detects technical attacks, not logical weaknesses.

edgescan is a cloud-based continuous vulnerability management service. It is a highly accurate SaaS (Security-as-a-Service) solution which helps clients to discover and manage application and network vulnerabilities (full-stack information security) on an ongoing basis. All vulnerabilities are verified by our security analysts which results in accurate, false-positive free vulnerability management. edgescan has been recognised by Gartner as a “Notable Vendor” in the Magic Quadrant for Managed Security Services 2015.

Comments

Post a Comment

Popular posts from this blog

Edgescan, why we do what we do.....

By -
Image
  The cyber security industry is full of solutions to make you more secure. Some are unproven and other approaches work if deployed properly. Our industry is very fragmented. for example a recent "Cyber Defense" award I noticed has 195 categories!  I suppose we need to ask ourselves as companies from time to time why we do what we do?  So, the following post is, I guess, the reason we developed Edgescan and why we believe its a decent solution to help organizations improve and be more resilient in relation to cyber security and system protection.... Vulnerability scanning alone did not work. The idea of software testing software for vulnerabilities is a good one but both sides of the equation may have bugs. Bugs in one side (The target) may result in vulnerabilities, whilst bugs on the other side (Scanner) may result in false negatives and false positives.  Accuracy : To that end we built edgescan as a combination of automation to discover vulnerabilities at scale but  when c
Read more

20 years of Vulnerability Managment - Why we've failed and continue to do so.

By -
Image
Cyber Security: Keeping Pace with Change. Getting breached can really ruin your day. Actually it normally happens on a friday evening as you are about chill for the weekend. The cause of must breaches is not rocket science, its more to do with the poor approach we have accepted because we underestimate the threat actor.  - An attacker does not scan your website/network once a quarter with a commercial or open source scanner or perform an annual penetration test against your systems to see if there is any low hanging fruit, so how do we expect to defend against such an advisory using that approach? Systems change now more frequently than ever due to the ease of cloud deployments and the speed of software deployments due to iterative development techniques. The rate of change increase results in exposures quickly manifesting and the organisation not even being aware of the exposure in the first place. Many organisations dont know what they have exposed on the public Internet. We need t
Read more
By -
Image
The HSE Data Breach and the State of Irish Cyber Security Many years ago, shortly after I founded the Irish chapter of OWASP ( http://www.owasp.org ) (in 2007??) we were delivering free application and software development classes to anyone who wanted them. It was a local low key affair but every class we delivered was "sold out". We have 60-80 folks mostly developers willing to spend 4-5 hours on learning the fundamentals of secure application development and testing. I suppose we felt cyber security was an important issue because that's what we did. At the time many folks in business felt cyber security was an overhead or a "tax" and did not give it much time. A few years later (late 2010) when the the foundation of the NCSC (National Cyber Security Centre) was announced, a few of us (local OWASP Ireland leaders) wrote a number of emails to the Irish government offering free cyber security training. As we were working for a non profit (501.3c) charity (OWA
Read more