AppSec Don’t Trust the Network

Long gone are the days when networks could be relied upon to provide security for your organization, old theories about applications and databases, and servers being behind the firewall and therefore safe is the ideology of those who refuse to act, or an aged theory that no longer applies. Data is valuable people make insecure decisions and applications are the gateway to the data would be adversaries so deeply covet. Application security is the final frontier and the last line of defense that organizations have to keeping their data ergo their clients, reputations and assets safe.

Pivot to Data

Causing an organization a massive DDOS internet outage or defacing an organizations website, disrupting the operations of an organization or government that you despise used to be prizes of serious cyber criminals. However as the Internet matured and more organizations started conducting business online and storing their information online, a mentality started to shift that rather than disrupting operations going after the real value was going after an organizations' data. This trend started a long time ago with agents of adversary governments going after data & designs. Nortel was one of the earliest victims of this new approach.

The Nortel case was significant because it was the start of a trend, a trend whereby serious cyber attacks weren’t just occurring government on government but rather going after businesses to gain a competitive advantage. The progression was a natural one, from adversary vs a major organization to gain a business advantage through the theft of data, the next logical step would be the cyber criminal going after an organization for the organization’s user information for theft and sale. We’ve seen numerous examples of these types of attacks happening time and time again.

1. 53 Million Home Depot Email Addresses lost
2. 56 Million Credit Cards
3. Target Breach
4. Bank Card Breach
5. Sony Breach
6. Bank / Credit Card PF Chang
7. Staples Credit Breach
8. FBI Reports 215M stolen in 14 Months

I could continue however clearly data is the prize of cyber criminals. Whether the intent of the data theft is to harm the business directly or to harm the businesses customers, the intent is there is an incredible amount of data that has a massive inherent value. All of this value is taken by an application, whether the application is the pinpad processing terminal at a POS system or the POS system back end that is processing that data and storing it in databases for reconciliation with the bank. Or if the data is engaging in an E-business transaction through a web platform the data this is being compromised in these breaches is created, stored and enters an organization through an application (Desktop, firmware, web, cloud, etc.). Applications are undoubtedly the gate keepers to the data, and like any gate, it can break down if not maintained, designed and operated correctly.

Don’t Trust The Network

There’s an adage that I still encounter today, and it blows me away, when I am talking to a technical person and they play down the risk of a security issue in an application because the application and its database are behind the firewall. “The application that has the risk is only accessible to employees internal to the network or it's protected by a VPN” I hear it all the time from young, old, managers, directors, VPs. If you consider yourself a strong technical person, you need to stop thinking like this – right now. Every adversary out there that would seek to do your organization harm, steal your data or bring your network down has heard the same thing time and time again and the sad reality is that they’ve developed many strategies to overcome network security policies. While the network has worked hard to keep up, network protection available has reached critical mass and cannot squeeze any more protection out of various strategies, it therefore behooves application architects, team leads, designers and developers to start taking application security far more seriously and to be honest, we suck at it right now.

Assume Network Breach

Liora R. Herman whom I respect writes an interesting piece that I completely agree with, in her article Assume you’ve been breached Liora summarizes the following reasons for assuming a network breach.

I would also add.

1. Given the massive amounts of information that organizations now collect on customers, employees, suppliers and more, there’s much more data for cyber criminals to try and steal.
2. The amount of complex technology and systems used today means that cyber criminals can choose from multiple attack vectors – including many that enterprises don’t know about or aren’t adequately defending.
3. Script kiddies of the past intent on wrecking systems and making noise have given way to highly sophisticated and well-funded hacking groups – some of which are nation states aiming for industrial secrets, military equipment blueprints, and so on.
4. BYOD – given the proliferation of BYOD in the tech sector, each BYOD device adds another end point and therefore another opportunity for a sophisticated phishing scam to provide a tunneled connection into your network
5. Sophisicated Social engineering scams – USB Breach
6. Similar to point 1. However vendor software can create exposures and organizations can be at the decision of the vendor when to patch these exposures.

This list will only grow as new technologies take hold. The scary part is, with each new vulnerability there seems to come a metasploit exploit module for it which allows individuals with very little technical knowledge to be king of the castle with your applications and your data & therefore your value.

When you’re network is infiltrated, is it game over? Do your applications just surrender and spit out their data allowing a potential attacker to run absolutely wild? I’ve heard folks say once on the network or the boxes the game is over. It’s a good thing that I am a security guy and not their manager I’d be tempted to fire them. The answer to how this problem is handled is evident in other high security environments outside of IT/software. Let's consider the bank.

The Bank

The interior of a bank is equivalent to the interior of your organizations network. Protecting the interior of the bank you have the network firewall (The doors), you might also have a proxy or a WAF (The security guard). Does the bank assume that once a patron is inside the bank they are completely legitimate because they’ve passed the firewall and the WAF/Proxy? Absolutely not, everything within the bank (even on the interior) operates under the principal of least trust/privilege. Once inside the bank, you’ll encounter a number security controls in place, firstly the bank will have video surveillance and possibly audio, which is the equivalent of appropriate audit logging. Once you get to the teller (an application) there are only certain things that teller can do for you, and there are controls on the limit of cash the teller can distribute. Sometimes the teller needs to go to a manager (elevate) their privilege to enable an action. Even still the money is contained in a vault, and other sensitive information is contained in a security deposit boxes.

If I was a nefarious individual, there are a number of security controls, I must defeat to totally own the bank, even once I am on the inside. Oh it if were only so for application security and organizations.

Your Attitude Needs to Change

So far cyber criminals are winning much in the same way that criminals won in the early days of the banks. Did the banks give up and say oh there is nothing we can do? No, they invented security controls to protect their cash even on the inside of the network. Data is your cash, you need to protect it. Attitudes like “I will not invest $10 million to avoid a possible $1 million loss” – Jason Spaltro, executive director of information security at Sony. Need to change! The only way these attitudes are going to change, is if the culture of the people surrounding them changes, you need to stop being afraid, see the risks and stand up for what is right! Protect your cash, protect your customers, even when the network is unreliable.

The post AppSec Don’t Trust the Network appeared first on Security Synergy.