BT Ethical Hacking Center of Excellence Issue 1
The BT Assure Ethical Hacking Center of Excellence is pleased to introduce the first in a series of quarterly newsletters. In this first issue of the newsletter, you'll be able to read about the following:
• Best practices for making the most of audit data and protecting private information in unexpected places
• Ethical Hacking consultant Stephen Jensen discussing the rapid evolution of the threat in a world full of powerful mobile devices, motivated adversaries, and explosive growth in malware
• The most common vulnerabilities found in real world environments and some simple policies which can help combat them
• A review of top security news topics in the first quarter of 2012, including some of the most incredible malware ever discovered
Who are we?
Part of the BT Assure suite of managed security services, the Ethical Hacking Center of Excellence is a specialist team of Ethical Hacking professionals who provide comprehensive network analysis, application testing, code analysis, ISO 27002, HIPAA, PCI, and HITECH compliance audits, wireless, mobile device, and web penetration testing and advisory services to leading global companies including members of the Fortune 500. The quarterly newsletter was created to provide decision makers with a quick and concise source for the latest trends and news direct from the practitioners 'in the trenches' of vulnerability discovery and management. We hope that you find the newsletter enjoyable and informative.
SECURITY BEST PRACTICES
Managing Audit Data
Getting a firm grip on audit trails is an enormous challenge. With so many systems generating so much information, it can seem impossible to manage. Once generated, using that trove of information to detect and react to security issues can be equally challenging. Here are some guidelines to help make the most of audit data resources:
• Consider what information is valuable to log, and set policies for what is logged. Audit systems can log only the minimum or absolutely everything. Find the middle ground that ensures important events are captured. Suggested events include logons/logoffs, file activities (renames, overwrites, copies, deletions), privileged command use, application faults, and any other events deemed important based on a system's role.
• Implement a log collection capability that enables administrators to gather audit data from all systems to one or more points of aggregation. Collecting information in a centralized way makes it much easier to ensure proper backups and reviews are performed.
• Back up log data often, and keep it secure. Some attacks can go unnoticed for years, and it's important for both detecting and repairing intrusions to be able to review the attacker's footprints. It can also help prevent future attacks and provide valuable evidence for legal proceedings. Backups of audit data should be made separately from general backups and stored for at least a year, preferably at an offsite location.
• Establish a policy for review of audit data and provide the resources to enforce it. Professional intrusion analysts, armed with the right tools for sifting through audit data, are critical to situational awareness and adaptive network defense. Today's sophisticated attacks may bypass detection by automated means like Intrusion Prevention Systems and antivirus; a trained analyst's review of audit data may be the only way to detect these attacks.
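As an added example (not BT's code) of the collection and review steps above: a small Python script that normalises constructed audit lines from two hosts into one event schema and applies one analyst rule, flagging a privileged command that follows repeated failed logons by the same user on the same host. The line format, field names and thresholds are assumptions, not any vendor's format.

```python
# Added example, not from the newsletter: centralised audit-log review.
import re
from collections import defaultdict

# Constructed sample lines, hypothetical format: "<host> <epoch> <user> <event> [<detail>]"
SAMPLE_LOGS = """\
web01 1000 alice logon_failure ssh
web01 1010 alice logon_failure ssh
web01 1020 alice logon_failure ssh
web01 1030 alice logon_success ssh
web01 1040 alice privileged_command sudo /bin/bash
db01 2000 bob logon_success console
db01 2100 bob file_delete /var/lib/db/backup.sql
db01 2200 appsvc application_fault segfault
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)(?: (.*))?$")

def parse_events(text):
    """Normalise raw lines gathered from all hosts into dicts with a common schema."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped here; in practice count them too
        host, ts, user, event, detail = m.groups()
        events.append({"host": host, "ts": int(ts), "user": user,
                       "event": event, "detail": detail or ""})
    return events

def privileged_after_failures(events, max_failures=3, window=120):
    """Flag a privileged command by a user on a host within `window` seconds
    of at least `max_failures` failed logons by that same user on that host."""
    findings = []
    failures = defaultdict(list)  # (host, user) -> timestamps of failed logons
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"])
        if ev["event"] == "logon_failure":
            failures[key].append(ev["ts"])
        elif ev["event"] == "privileged_command":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= max_failures:
                findings.append((ev["host"], ev["user"], ev["ts"], ev["detail"]))
    return findings
```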
Source Code Information Leaks
Application developers often use comment lines in source code to jot down notes for other programmers (or themselves) to ensure that the code is re-usable. These notes, and even the code itself, may contain sensitive information including names, private server addresses, or account numbers. Without proper policy, source code can be a source of information leaks which can benefit hackers or disclose private data. To protect private information in source code:
• Control access to source code using repositories which have access control capabilities. Ensure that only users with legitimate access to source code can check out data from the repository.
• Ensure access control lists are up to date. Source code access lists should be re-evaluated every three months or whenever anyone with access has a change of employment status.
• Set policy for the kinds of information which may not be included in source code or comments. This list may be similar to the list of prohibited content in a content publishing guide or other existing policy, but should always include account numbers or private operations information.
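An added example (not BT's or the newsletter's code) of enforcing the content policy in the last item: a scan over a constructed source file for the prohibited content named above (private server addresses, account numbers) plus hard-coded secrets. The regular expressions are assumptions that a team would tune to its own policy.

```python
# Added example, not from the newsletter: policy check for prohibited content
# in source code and comments, suitable for a pre-commit or repository hook.
import re

# Constructed sample source containing the kinds of leaks the policy prohibits
SAMPLE_SOURCE = """\
# TODO(jsmith): staging DB lives on 10.20.30.40, ask ops for the password
DB_HOST = "db.internal"
def charge(account):
    # test account 4111222233334444 always succeeds in sandbox
    return post(account)
api_key = "AKIA-EXAMPLE-PLACEHOLDER"  # constructed placeholder, not a real key
"""

# Private (RFC 1918) address ranges: internal server addresses do not belong in code
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b")
# Long digit runs (12 to 19 digits) are treated as possible account or card numbers
ACCOUNT_NUMBER = re.compile(r"\b\d{12,19}\b")
# Assignment of a secret-looking name to a string literal
HARDCODED_SECRET = re.compile(
    r"\b(?:password|passwd|secret|api_key|token)\s*=\s*['\"][^'\"]+['\"]", re.I)

RULES = [("private-ip", PRIVATE_IP), ("account-number", ACCOUNT_NUMBER),
         ("hardcoded-secret", HARDCODED_SECRET)]

def scan_source(text, filename="<sample>"):
    """Return (filename, line_no, rule, matched_text) for every policy hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append((filename, line_no, rule, m.group(0)))
    return findings
```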
WHITE HAT SPOTLIGHT
“I saw first-hand the 'worst case scenario' of a hacking attack. How simple programming mistakes could leave a company vulnerable, its clients' reputations publicly damaged, and its employees left without jobs. It showed me how devastating these attacks could be and how many real people's lives are directly affected by them.”
Stephen Jensen, Principal Consultant

Stephen is a principal consultant at BT and has specialized in cyber security for over ten years. Stephen got started in the security field after witnessing a catastrophic hack at a software company. In the aftermath of the hacking incident, that firm was ultimately driven out of business by its own customers. Stephen went on to study security principles and hacker culture, eventually becoming a senior application tester with BT, leading test events to help identify application risks so that their owners can prioritize and remediate them before they are found by hackers. We spoke with Stephen about some of the critical issues facing those application owners and the technology industry.

1. What is the most interesting thing, in your opinion, that the 'bad guys' are doing tactically in the last year, and how has it changed the threat?

Mobile malware has increased exponentially in the past year. Malware targeting the Android platform alone has increased 3,325 percent. The bad guys are constantly changing up their tactics and looking at new vulnerabilities in these platforms and the applications that run on them. Anyone with a smartphone is now a potential target for attack.

2. What do you think is the most serious or common misconception about Information Security today?
I think one of the biggest misconceptions is that you're not a target. We tend to think that only the big companies get attacked. Truth is, everyone is a target, whether you're a bank, an insurance company or a social media site. If you store data that suits the agenda of the attacker, you're a target.

3. What is the biggest security misstep (or steps) that you notice when analyzing an organization?

The false sense of security that comes with never having been a victim of an attack. Security is like insurance. You spend money on it, but don't truly appreciate its value until something bad happens. Companies aren't always willing to spend the money on security related expenditures, because the ROI isn't always clear. Until you become a target, you never really appreciate the time and money invested into securing your assets.

4. What technology or process do you think is being most overlooked right now as a security threat?

I think there are several areas that could be looked at, including mobile application development, Near Field Communication (such as MasterCard Pay Pass and RFID hacking), and cloud computing. Anything that is computer-based or engages in remote communication with another entity, ranging from cars to phones, is a potential target for an attacker. We live in an automated and computerized world; no technology is out of bounds for an attack.
Ethical hacking tests conducted across a wide variety of leaders in the financial industry yielded interesting statistics regarding the frequency and type of vulnerabilities commonly faced. For instance, in this quarter across the industry the most common vulnerability by far was improperly marked session ID cookies. These marks ensure that client browsers are restricted from using cookie information for unauthorized purposes, as is commonly done in client side attacks. Cross Site Scripting, or XSS, was the runaway leader in high risks detected. Another story told in the commonly found risks across the industry is the prevalence of (potential) non-technical sources of information leakage, in documentation or in choices of content published. Information privacy is a uniquely heavy burden for the financial sector: customer private data such as account numbers and balances must be both highly confidential and available, and the means of storing and processing that information securely, including technical details, must also be kept private. Across the industry there were several unexpected issues which have the potential for information loss. Among them:
• Showing user account names on the screen
• Showing too much information in error messages
• Giving away too much information in cookie files
• Leaving private data in programmer code files
Good policies for information content publishing and retention in proprietary or public documentation can help ensure this information remains confidential.

[Chart: Average Risk Levels (High, Medium, Low)]

Risks Per Application
On average, applications tested across the industry this quarter were found to have just over one high risk, two or three medium, and four low risks. When considering an application portfolio, it may help to consider these averages when assigning resources or setting urgency for remediation of systems which greatly exceed the median of peer systems.
[Chart: Risks Per Application, bar chart of High, Medium and Low counts on a 0 to 5 scale]
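As an added example (not from the newsletter or BT) of the session cookie marking finding above: Python that reads constructed Set-Cookie headers and reports session cookies that lack the protective attributes. It assumes the marks in question are the Secure and HttpOnly attributes (Secure restricts the cookie to TLS connections, HttpOnly keeps it out of reach of client-side script), and the session-cookie name heuristic is an assumption to tune per application.

```python
# Added example, not from the newsletter: audit Set-Cookie headers for missing marks.
import re

# Constructed sample response headers (not from any tested site)
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=1A2B3C; Path=/",                     # neither flag
    "Set-Cookie: sessionid=ZZ99; Path=/; HttpOnly",              # missing Secure
    "Set-Cookie: auth_token=abc.def; Path=/; Secure; HttpOnly",  # correctly marked
    "Set-Cookie: lang=en; Path=/; Max-Age=31536000",             # not a session cookie
    "Content-Type: text/html",
]

# Names that usually carry a session identifier; extend with your application's own
SESSION_NAME_RE = re.compile(r"(sess|sid|auth|token|login)", re.I)

def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=value' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), attrs

def audit_session_cookies(headers):
    """Return (cookie_name, [missing attributes]) for each session cookie
    that lacks Secure or HttpOnly; correctly marked cookies are not reported."""
    findings = []
    for h in headers:
        field, _, value = h.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not SESSION_NAME_RE.search(name):
            continue
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        if missing:
            findings.append((name, missing))
    return findings
```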
SECURITY NEWS AND NOTABLE ATTACKS
“Flame” Cyber Espionage Tool Strikes Middle East
The Iranian National Computer Emergency Response Team has publicly confirmed the existence of highly sophisticated malware designed for espionage which is being called “Flame”. Flame has been discovered in computer systems in Egypt, Israel, Saudi Arabia, Iran, and other Middle Eastern nations, and has much in common with the Stuxnet virus that famously targeted Iranian industrial control systems last year. Researchers have found evidence that Flame has existed in stealth and has actively infected systems since early 2010 or possibly as early as 2007, but to date Flame is still undetectable by any commercial anti-malware product. Flame spreads via networks or removable devices, affecting all recent versions of Microsoft Windows including Windows 7. Unlike Stuxnet, Flame does not appear to target specific equipment but rather captures intelligence of all kinds including emails, passwords, audio recordings, screen captures, and documents.
FBI Investigating Expansion of Wiretap Powers
As communication moves away from traditional phone lines, with their robust wiretapping laws and procedures, to web sites, messaging, and social networking, it has become increasingly difficult for law enforcement to perform investigative functions. Companies which provide these services, unlike the established telephone industry, have no common framework for servicing a court ordered information request for surveillance. Accordingly, the FBI is investigating proposals to Congress for legislation which would require major companies with an internet presence to build in government surveillance capabilities. Appearing on Capitol Hill for questioning, Director Robert Mueller assured a Senate panel that law enforcement needs these powers to cover the expansion of communication technology. He also addressed privacy concerns by stating that the requirement for court orders in place today would remain unchanged regardless of the medium.
“.secure” Top Level Domain Preparing to Launch
Set to join the 21 global domains such as '.com', '.org', and '.net', the new internet top level domain '.secure' is nearing readiness and ICANN approval. The new secure domain, coined a “safe neighbourhood” by its creators, intends to give clients a sense of baked-in security for sites within the domain, as each site or application which applies will be required to maintain certain advanced security features. Security requirements will include: DNS Security (DNSSEC) signing for all zones, TLS encryption for all web and email sessions, and recurring verification and authentication from the domain registrar. Domain members which violate security rules will be held accountable and could be removed altogether. CTO Alex Stamos says that, “We're not trying to tell people to throw away your .com. You can create a namespace where you can do more secure things, so if you are a bank that runs hundreds of websites and have some website for users who do billion-dollar transactions, that site could go to the .secure domain.” The application to ICANN is still pending but has picked up key support from backers including PayPal. Critics claim that a secure domain would confuse end users or give them a false sense of security when no site can be 100% secured, as well as being a costly burden to small sites which could not afford the registration and compliance costs.
The telecommunications services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract. Nothing in this publication forms any part of any contract. © British Telecommunications plc 2012 Registered office: 81 Newgate Street, London EC1A 7AJ Registered in England No: 1800000 bt.com/globalservices
Dollars for Denial of Service
New research suggests that being effectively hit with a Distributed Denial of Service attack costs firms between $240K and $2M per day due to lost transaction revenue and, more importantly, negative impact to customer experience and the brand. Other impacts can be seen in helpdesk and customer support services, which can be overwhelmed when primary services are disrupted. Retail and financial services companies are most frequently targeted by DDoS, but criminal denial of service teams also threaten telecommunications, travel, and IT companies.
Corporate Malware Spreading on Android
Mobile malware growth accelerated at a shocking pace in 2012, and a new Trojan affecting the Android platform has been found which specifically targets corporate network assets. The virus, named “NotCompatible”, is the first known malware for Android devices to spread via compromised web pages; most Android malware is hidden in seemingly normal apps downloaded from the official market. NotCompatible installs itself by tricking users into authorizing a phony security update. As corporate security departments adapt to demand for “bring your own device” policies, user training and awareness are paramount for combating the growing mobile malware threat.