Accelerated lulzsec
lulzsec  Date: 2021-03-27
Security Trends 2012

Hacking is inherently innovative. This means security teams, like Mr. Gretzky, need to keep their eye on where things are going, not just on where they have been. As 2012 approaches, security has evolved dramatically from just one year ago. The word "hacktivism," for example, is almost a household term. Likewise, the group Anonymous is anything but. Indeed, cyber security remains one of the most dynamic and fluid disciplines worldwide.

Imperva's Application Defense Center (ADC), led by Imperva CTO Amichai Shulman, is exclusively focused on advancing the practice of data security to help companies shield themselves from the threat of hackers and insiders. For 2012, the ADC has assembled a comprehensive set of predictions designed to help security professionals prepare for new threats and attacks in cyberspace.
Hacker Intelligence Initiative, Monthly Trend Report #6, December 2011

Trend #9: SSL Gets Hit in the Crossfire
Trend #8: HTML5 Goes Live
Trend #7: DDoS Moves Up the Stack
Trend #6: Internal Collaboration Meets Its Evil Twin
Trend #5: NoSQL = No Security
Trend #4: The Kimono Comes Off of Consumerized IT
Trend #3: Anti-Social Media
Trend #2: The Rise of the Middle Man
Trend #1: Security (Finally) Trumps Compliance

"A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be." (Wayne Gretzky)

Trend #9: SSL Gets Hit in the Crossfire

While a growing number of web applications are delivered over the HTTPS protocol (HTTP over SSL), attackers are increasingly focusing their attacks against the various components of SSL. We are seeing a rise in attacks which target the worldwide infrastructure that supports SSL. We expect these attacks to reach a tipping point in 2012 which, in turn, will invoke a serious discussion about real alternatives for secure web communications. Ironically enough, while attackers are keeping busy attacking SSL, they are also abusing its privacy features in order to conceal their own mischievous deeds. We therefore expect to see more general purpose web attacks being launched over SSL connections.
First, a little background. The Secure Sockets Layer (SSL) [1] cryptographic protocol is the de facto standard for providing data integrity and confidentiality for web transactions over the Internet (sometimes SSL is used interchangeably with the term HTTPS, which is the application of the SSL protocol to HTTP traffic). SSL encrypts pieces of application layer data over TCP connections, providing confidentiality. It can also be used to verify the identity of the server, the client, or both. SSL uses an efficient symmetric cryptographic algorithm for encrypting data and a computationally intensive protocol for authentication and key exchange (the exchanged key is what the encryption algorithm then uses). The key exchange protocol employs asymmetric cryptography, a methodology that in practice relies on a worldwide Public Key Infrastructure (PKI). PKI defines a procedure for binding digital certificates to their respective websites by means of a chain of Certificate Authorities (CAs). The binding is established through a registration and issuance process that is meant to ensure non-repudiation.
In the last couple of years, we have seen growing awareness of attacks against confidentiality (e.g., Firesheep) and authenticity (Man-in-the-Middle attacks, phishing). As a result, web application owners are constantly extending the use of SSL to more applications, and to more parts of their applications. A good example is the evolution of the Google interface. At first, only the login page was encrypted. In the next stage, the whole Gmail service supported encryption, by default. Google has now even added the search functionality to be accessed via HTTPS.
With the growing usage of SSL, attackers are increasingly targeting the SSL layer. Unfortunately, most of the research community is focused on pointing out inherent protocol vulnerabilities, or common implementation mistakes that could potentially be attacked, while the attacker community is focused on other, more practical types of attacks:

Attacks against PKI. Over the past year, attackers have repeatedly compromised various CA organizations. These include DigiNotar, GlobalSign, StartSSL, Comodo and Digicert Malaysia. These attacks were a direct consequence of the commoditization of certificates, where smaller, less competent organizations have started to obtain a bigger share of the Certificate Authority market. As it stands now, any CA can issue a digital certificate for any application, without any required consent from the application owner. A hacker who gains control of any CA can then use it to issue fraudulent certificates and impersonate any website. Additionally, there are concerns that some root CAs (whose trust is hard-coded into browser software) are inherently dubious (e.g., controlled by unfriendly governments). Some efforts are being made to amend PKI issues, but they are far from broad acceptance [2].
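The consent problem just described (any CA can issue for any site) is one a client can partly defend against on its own by pinning the server's public key rather than trusting whichever CA signed the certificate, the idea later standardized as HTTP Public Key Pinning (RFC 7469). The following is an added example, not Imperva's code and not part of the original report: a stdlib-only Python script that builds three constructed certificate skeletons (made-up key material, no real signatures), extracts the DER SubjectPublicKeyInfo with a minimal DER parser, and accepts a certificate only when the SHA-256 of that SPKI matches a recorded pin. A certificate for the same key from a different CA passes; a certificate for the same name with a different key, which is what a compromised CA would issue, is rejected. Host names, key values and the pin store are assumptions for illustration.

```python
# Added example (not Imperva's code): key pinning as a client-side check against
# mis-issued certificates. Stdlib only. The certificates below are constructed
# DER skeletons with made-up key material, not real signed certificates.
import base64
import hashlib

# ---- minimal DER encoder (just enough X.509 structure) ----------------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def integer(n: int) -> bytes:
    # one extra bit of room keeps the sign bit clear for positive values
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def bitstring(body: bytes) -> bytes:
    return tlv(0x03, b"\x00" + body)  # zero unused bits

OID_CN = b"\x06\x03\x55\x04\x03"                              # 2.5.4.3 commonName
OID_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"     # rsaEncryption
OID_SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
NULL = b"\x05\x00"

def name(cn: str) -> bytes:  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return seq(tlv(0x31, seq(OID_CN, tlv(0x0C, cn.encode()))))

def rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    return seq(seq(OID_RSA, NULL), bitstring(seq(integer(modulus), integer(exponent))))

def build_cert(subject: str, issuer: str, spki: bytes, serial: int) -> bytes:
    """Unsigned X.509 v3 skeleton with a dummy signature field."""
    validity = seq(tlv(0x17, b"111201000000Z"), tlv(0x17, b"121201000000Z"))
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), seq(OID_SHA256_RSA, NULL),
              name(issuer), validity, name(subject), spki)
    return seq(tbs, seq(OID_SHA256_RSA, NULL), bitstring(b"\x00" * 32))

# ---- minimal DER decoder -----------------------------------------------------
def parse_tlv(buf: bytes, pos: int = 0):
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def children(buf: bytes):
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = parse_tlv(buf, pos)
        out.append((tag, val))
    return out

def spki_of(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of a certificate."""
    _, cert_body, _ = parse_tlv(cert_der)
    _, tbs, _ = parse_tlv(cert_body)
    fields = children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0   # skip the optional [0] version
    tag, val = fields[i + 5]                # serial, sigAlg, issuer, validity, subject, SPKI
    assert tag == 0x30
    return tlv(tag, val)

def spki_pin(cert_der: bytes) -> str:
    """RFC 7469 style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_of(cert_der)).digest()).decode()

def pin_ok(cert_der: bytes, pins: set) -> bool:
    """Accept only if the presented key matches a pin, whoever issued the cert."""
    return spki_pin(cert_der) in pins

# Constructed demo keys: random-looking numbers, NOT real RSA moduli.
SITE_KEY = rsa_spki(0xC0FFEE0123456789ABCDEF0123456789ABCDEF01)
ROGUE_KEY = rsa_spki(0xBADC0DE9876543210FEDCBA9876543210FEDCBA9)

GOOD_CERT = build_cert("www.example.com", "Example Root CA", SITE_KEY, 1)
REKEYED_CA_CERT = build_cert("www.example.com", "Other Trusted CA", SITE_KEY, 2)
ROGUE_CERT = build_cert("www.example.com", "Compromised CA", ROGUE_KEY, 3)

PINS = {spki_pin(GOOD_CERT)}   # recorded out of band (first contact, config, ...)

if __name__ == "__main__":
    for label, cert in [("legitimate", GOOD_CERT),
                        ("same key, other CA", REKEYED_CA_CERT),
                        ("rogue CA, other key", ROGUE_CERT)]:
        print(f"{label:22s} pin match: {pin_ok(cert, PINS)}")
```

In a real client this check sits after, not instead of, ordinary chain validation, and a pin set needs a backup key and a rotation plan, otherwise a routine re-key locks users out of the site.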
The theft of issued certificates. We believe this attack will prevail over the next year as application certificates are no longer limited to being stored by the application. This is the consequence of the monolithic nature of SSL. While SSL prevents access to traffic by attackers, it has no built-in mechanism that restricts access to it by collaborating third parties. For example, proxies, load balancers and content delivery networks (CDNs) need access to the certificate's private key in order to access application data. DLP and WAF solutions also require similar key access. In these cases, it would be preferable if the intermediate proxies were able to look at message headers only, or to read traffic without changing it. However, this granularity is not supported by SSL. As a result, the certificate's private key is now stored in many locations, some residing outside of the site's physical environment and out of the application owner's control. These open up additional attack points, which provide higher success rates for attackers.
Denial of Service attacks. The heavy computational burden incurred by the SSL handshake process leaves SSL-protected resources prime candidates for effective Denial of Service (DoS) attacks. Together with an increased consumption of server resources per session, a multitude of simple attacks can be devised very efficiently.

In addition to the attacks against SSL and its infrastructure, hackers will leverage SSL to carry out their attacks with increased confidentiality. For example, intermediate proxies cannot add headers to indicate the original sender's IP address, leading to the loss of traceability. Another problem is the loss of Referer information when following a link from an SSL page to a non-SSL page. An attacker can exploit this behaviour in order to cover the tracks of various web attacks. Furthermore, many security devices which require inspection of the web traffic lose this sort of visibility due to the encryption of the traffic.

[1] SSL per se is now obsolete and replaced by the Transport Layer Security (TLS) protocol. However, SSL is still the commonly used term.
[2] Another worthy example is the Convergence project: http://convergence.io/
Trend #8: HTML5 Goes Live

Over the last few years, vulnerabilities in browser add-ons (third party components such as Adobe's Flash Player or Oracle's Java) were the main cause of "zero-day" exploits. These are un-patched application vulnerabilities that are exploited in order to install malware on web users' machines. We predict that in 2012 hackers will shift their focus to exploiting vulnerabilities in the browsers themselves in order to install malware. The reason is recently added browser functionality, mainly driven by the adoption of the HTML5 standard.

The HTML5 standard was created to enable browsers to support a richer end user experience in a standardized way. Most notably, HTML5 adds support for audio, video, 2D graphics (SVG) and 3D graphics (WebGL) that previously required the end user to install a dedicated add-on (e.g., Adobe Flash Player to watch online video). While the new features are attractive to web developers, they are also very beneficial for hackers. We see security repercussions for the following reasons:

1. New code is generally more vulnerable. When you write code you are doomed to create bugs and security vulnerabilities along with it. When you add a lot of new code, you are doomed to create a lot of new vulnerabilities.

2. Compressed media types are more vulnerable. Modern media types (such as video) are usually highly compressed and optimized to ensure the efficiency of their transmission and display. Decompressing involves a lot of buffer manipulation, which is notoriously vulnerable.

3. Hardware access. Many browsers use the assistance of hardware components [3], mainly for JavaScript and graphics acceleration, in order to achieve higher efficiency and create a smoother user experience. Since hardware is driven by code running at high permission levels, which usually cannot be protected by the operating system, exploits targeting the hardware components are very attractive to attackers. This type of privileged access provides the attackers with a method to exploit buggy hardware drivers straight from a web page.

4. End user control. Currently, most browsers contain a mechanism which turns off a vulnerable browser add-on. In the case of HTML5, the implementation is embedded within the browser, so that a vulnerable component might not necessarily be turned off. At the very least, it changes the security model from "opt in" (actively download an add-on) to "opt out" (disable an existing component).

5. JavaScript control. New HTML5 features can be controlled and manipulated via JavaScript. This gives rise to new vectors of JavaScript-related attacks (mainly, but not limited to, XSS). These new attack vectors will use the new elements, and the interactions between them, in order to break the already fragile Same Origin Policy (SOP).

6. Ubiquity. It is much more cost-effective to create a cross-browser exploit than to create an exploit aimed at a specific one. The ubiquity of HTML5 provides attackers with just that.
[3] Microsoft Announces Hardware-Accelerated HTML5: http://www.microsoft.com/presspass/press/2010/mar10/03-16mix10day2pr.mspx

Trend #7: DDoS Moves Up the Stack

Distributed Denial of Service (DDoS) attacks are gaining popularity and were part of high profile hacking campaigns in 2011, such as the Anonymous attacks [4].
We predict that in 2012 attackers will increase the sophistication and effectiveness of DDoS attacks by shifting from network level attacks to application level attacks, and even business logic level attacks.

A Denial of Service (DoS) is a relatively old attack aimed at data availability by exhausting the server's computing and network resources. Consequently, legitimate users are denied service. A Distributed Denial of Service (DDoS) is an amplified variation of the DoS attack, where the attacker initiates the assault from multiple machines to mount a more powerful and coordinated attack. Today, volumetric DoS attacks require the attacker to invest in a massively distributed network which can create enough traffic to eventually overwhelm the victim's resources. At the other end of the DoS spectrum, there is the SQL shutdown command. An attacker exploiting an application vulnerability can use this particular command to shut down the service using just a single request, initiated from a single source, which, from the attacker's perspective, proves cheaper and is just as effective.

Historically, we have seen DoS attacks gradually climb up the protocol stack: from the most basic Network layer (layer 3) attacks, such as the UDP flood, through the Transport layer (layer 4) with SYN flood attacks. In recent years, we also saw the HTTP layer (layer 7) being targeted with such attacks as Slowloris [5] (in 2009) and RUDY [6] (2010). We predict that in 2012 we will see hackers advance one more rung. This means creating DDoS attacks by exploiting web application vulnerabilities, or even through web application business logic attacks [7]. Indications for this trend are already emerging. For example, the #RefRef tool [8], introduced in September 2011, exploits SQL injection vulnerabilities in order to perform DoS attacks.

There are several reasons attackers are moving up the stack:

1. Decreasing costs. In the past, attackers have taken the "brawn over brains" attitude. This meant that they simply inundated the application with garbage-like requests. However, these types of attacks require a large investment on the attacker's side, which includes distributing the attack between multiple sources. In time, hackers have discovered that they can add "brains" to their attack techniques, significantly lowering the heavy costs associated with the "brawn" requirements.

2. The DoS security gap. Traditionally, the defense against (D)DoS was based on dedicated devices operating at lower layers (TCP/IP). These devices are incapable of detecting higher layer attacks due to their inherent shortcomings: they do not decrypt SSL, they do not understand the HTTP protocol, and generally they are not aware of the web application. Consequently, the attacker can evade detection by these devices by moving up the protocol stack.

3. The ubiquitous DDoS attack tool. Working over the HTTP layer allows the attacker to write code independent of the operating system, for example by using JavaScript. The attacker then gains the advantage of having every web enabled device participate in the attack, regardless of its operating system, be it Windows, Mac or Linux. More so, it allows mobile devices running iOS, Android, or any other mobile operating system to participate in such attacks.

The good news is that enterprises can prepare themselves against these application-targeted DoS attacks. How? By adding application-aware security devices, such as Web Application Firewalls (WAFs). These devices can decrypt SSL, understand HTTP and also understand the application business logic. They can then analyze the traffic and sift out the DoS traffic so that eventually, the business receives, and serves, only legitimate traffic.
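To make the "sift out the DoS traffic" step concrete, here is an added example (not Imperva's code and not any WAF product's logic) of the check an application-aware filter can apply that a TCP/IP-layer device cannot: server time spent per client, alongside a plain request count. It assumes an Apache combined log with the request service time in microseconds appended (the %D format directive) and uses constructed log lines for three clients: a low-rate client repeatedly issuing a wildcard search that takes about 2.4 seconds each, a normal browsing user, and a crawler fetching a static file 120 times. Thresholds, addresses and paths are illustrative.

```python
# Added example (not Imperva's code): cost-weighted per-client check of the kind
# an application-aware filter can run. Log format assumed: Apache combined log
# with %D (microseconds spent serving the request) appended. Lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<usec>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line: str):
    """Return a record dict for a well-formed line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"].split("?", 1)[0], "status": int(m["status"]),
            "secs": int(m["usec"]) / 1_000_000}

def flag_offenders(lines, window_start, window_secs=60, max_requests=100, budget_secs=5.0):
    """Two checks per client inside one window: a raw request ceiling (what a
    network-layer device also sees) and a server-time budget (what only an
    application-aware device can measure). Returns {ip: reason}."""
    end = window_start + timedelta(seconds=window_secs)
    count, spent = defaultdict(int), defaultdict(float)
    for rec in filter(None, map(parse_line, lines)):
        if window_start <= rec["ts"] < end:
            count[rec["ip"]] += 1
            spent[rec["ip"]] += rec["secs"]
    flagged = {}
    for ip in count:
        if count[ip] > max_requests:
            flagged[ip] = f"volumetric: {count[ip]} requests in {window_secs}s"
        elif spent[ip] > budget_secs:
            flagged[ip] = (f"expensive-operation abuse: only {count[ip]} requests "
                           f"but {spent[ip]:.1f}s of server time")
    return flagged

def _line(ip, sec, path, usec):
    return f'{ip} - - [13/Dec/2011:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 {usec}'

# Constructed log: eight slow wildcard searches from one source (~2.4 s each),
# a browsing user with three cheap pages, and a crawler hitting a static file 120 times.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "/search?q=%25&sort=price", 2_400_000) for s in range(0, 40, 5)]
    + [_line("198.51.100.4", 1, "/", 12_000),
       _line("198.51.100.4", 4, "/products/42", 30_000),
       _line("198.51.100.4", 9, "/search?q=shoes", 180_000)]
    + [_line("192.0.2.9", s % 60, "/static/logo.png", 2_000) for s in range(120)]
)
WINDOW_START = datetime(2011, 12, 13, 10, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ip, why in flag_offenders(SAMPLE_LOG, WINDOW_START).items():
        print(ip, "->", why)
```

The search client sends eight requests in a minute, far below any request-rate ceiling, yet consumes over 19 seconds of server time; that is the pattern footnote 7 describes, profiling an expensive operation and repeating it, and only a per-request cost measure available at the application layer exposes it.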
[4] http://thelede.blogs.nytimes.com/2010/12/08/operation-payback-attacks-visa/partner=rss&emc=rss
[5] http://ha.ckers.org/slowloris/
[6] http://www.slideshare.net/AlesJohn/owasp-universalhttpdo-s-9207289
[7] A web application logic attack can be performed by profiling the victim web application for resource consuming operations (such as searching a large database) and then constantly applying that operation to deplete the victim server's resources.
[8] http://www.refref.org/

Trend #6: Internal Collaboration Meets Its Evil Twin

We expect to see a growing number of data breaches from internal collaboration platforms used externally.
Why? Internal collaboration suites are being deployed in "evil twin" mode, i.e., these suites get used externally. As a result, organizations will look for tools to protect and control access to such platforms. We estimate that in 2012 the number of Internet sites based on such platforms will increase dramatically. As a consequence, the number of security incidents due to inadvertent public exposure of confidential data will grow.

The past couple of years brought an extensive increase in the use of collaboration suites within organizations. Platforms such as Microsoft SharePoint and Jive are now used by many organizations to share information and manage content. While most enterprises use these applications within the organization, some have also extended the use to partners and even to the public through an internet facing website. In fact, based on Forrester research, SharePoint is listed as the number one portal product (source: http://www.topsharepoint.com/about) and with the latest release of SharePoint 2010, it also offers a great platform for building collaboration sites with external partners or robust externally-facing sites.

Extending an internal platform to external use always comes with a price tag to be paid in security. An example of such a security breach took place when the Mississippi National Guard accidentally exposed personal information of nearly 3,000 soldiers on their external Microsoft SharePoint website (source: http://www.itbusinessedge.com/cm/community/news/sec/blog/national-guard-data-exposed-in-accidental-security-breach/cs=43893).

There are two major factors that impact the risk of extending an internal platform to external use:

1. Data segregation. Data segregation has two manifestations with respect to externalizing internal systems. Ensuring that the stored sensitive data does not become accessible through the less restricted interfaces of the platform is not an easy task. For the entire lifetime of the systems, controls should be put in place to allow collaboration and sharing of sensitive information within the organization while keeping it out of the reach of the general public.

2. Threat profile. The threat profile is related to the difference between internal and external threats. The size of the potential attacker population increases instantaneously, as do its technical and hacking skills. At the same time, the impact of a disclosure or a breach increases dramatically over that of an internal breach. To make things even worse, search engines like Google constantly crawl and update their indexing policies, so that the public interface of the application, as well as any breaches or mis-configured entry points, are quickly apparent to the whole world. For example, an updated Google policy to index FTP servers resulted in a breach affecting 43,000 Yale-affiliated individuals. Google hacking tools, such as SharePoint Google Diggity and SharePoint URL Brute, can easily be used to identify insecure configurations.

Organizations aiming to reduce the risk of massive exposures should start budgeting and planning for the next generation of collaboration suite monitoring and governance tools. Some of the characteristics to look for are:

- Policies to monitor and protect internet and intranet facing sites.
- Flexible deployment that does not impact the use of the application or the network architecture.
- The ability to identify excessive user rights to content.
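One way to check the last of those characteristics, excessive user rights to content, is to resolve effective permissions over the site's content tree, because an item that inherits its ACL from an externally readable parent is exposed even though the item itself lists no permissions. The following is an added example, not Imperva's or Microsoft's code: it runs over a constructed export of a SharePoint-style site where each node records its parent, whether it breaks permission inheritance, its own role assignments and a sensitivity flag (the export format and the principal names are assumptions), and reports sensitive items that a broad principal can read, together with the node whose ACL grants that access.

```python
# Added example (not Imperva's or Microsoft's code): effective-permission audit
# over a constructed content tree. Inheritance rule assumed: a node that does
# not have unique permissions uses the ACL of its nearest ancestor that does.
BROAD_PRINCIPALS = {"Anonymous", "Everyone", "All Authenticated Users"}
READ_CAPABLE = {"Read", "Contribute", "Full Control"}

SITE = {  # constructed export: path -> node
    "/": {"parent": None, "unique": True, "sensitive": False,
          "acl": {"Anonymous": "Read", "Site Owners": "Full Control"}},
    "/news": {"parent": "/", "unique": False, "sensitive": False, "acl": {}},
    "/hr": {"parent": "/", "unique": True, "sensitive": True,
            "acl": {"HR Team": "Contribute", "Site Owners": "Full Control"}},
    "/hr/roster.xlsx": {"parent": "/hr", "unique": False, "sensitive": True, "acl": {}},
    "/hr/payroll": {"parent": "/hr", "unique": True, "sensitive": True,
                    "acl": {"Everyone": "Read", "HR Team": "Contribute"}},
    "/partners": {"parent": "/", "unique": True, "sensitive": False,
                  "acl": {"All Authenticated Users": "Read", "Site Owners": "Full Control"}},
    "/partners/contract-drafts": {"parent": "/partners", "unique": False,
                                  "sensitive": True, "acl": {}},
}

def acl_source(site, path):
    """The node whose ACL actually governs `path`: itself or the nearest unique ancestor."""
    node = path
    while not site[node]["unique"]:
        node = site[node]["parent"]
        if node is None:
            raise ValueError(f"{path}: inheritance chain ends without an ACL")
    return node

def broad_readers(acl):
    """Principals in an ACL that stand for the public or the whole company and can read."""
    return sorted(p for p, role in acl.items()
                  if p in BROAD_PRINCIPALS and role in READ_CAPABLE)

def audit(site):
    """Sensitive items readable by a broad principal, as (item, granting node, principals)."""
    findings = []
    for path, node in site.items():
        if not node["sensitive"]:
            continue
        src = acl_source(site, path)
        readers = broad_readers(site[src]["acl"])
        if readers:
            findings.append((path, src, readers))
    return sorted(findings)

if __name__ == "__main__":
    for item, granted_at, who in audit(SITE):
        print(f"{item}: readable by {', '.join(who)} (granted at {granted_at})")
```

The roster under /hr is safe only because /hr breaks inheritance; the contract drafts are exposed by an ACL two levels up that nobody set on the drafts themselves, which is exactly what a per-item review misses.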
Trend #5: NoSQL = No Security

The IT world is quickly embracing Big Data. Huge data stores are the next big step in analyzing the massive amounts of data that are being collected in order to identify trends. For example, new startups use these systems to analyze trillions of DNA strips to gain an understanding of our genealogy, and well-established companies are adopting the technology to map and time transportation systems across the world to make our traveling easier and cheaper. While Big Data is becoming a buzzword in information systems, there has not been much investigation into the security implications. Many predict that in 2012 we will see a growing interest in Big Data and its underlying technology, NoSQL. We predict that the inadequate security mechanisms of these systems will inhibit enterprises from fully integrating these systems as third party components within the corporation.

NoSQL is a common term to describe data stores that store all types of data, from structured to unstructured. Due to this diversity, these data stores are not accessed through the standard SQL language. Up until recently, we categorized our conception of data stores in two groups: relational databases (RDBMS) and file servers. The new kid in town, NoSQL, opened our minds to a database that, unlike the conventional relational concepts, does not follow a fixed structural form. The advantage? Scalability and availability. With a technology where each data store is mirrored across different locations in order to guarantee constant up-time and no loss of data, these systems are commonly used to analyze trends. These systems are not suitable for financial transactions requiring a real-time update, but could be employed at a financial institution to analyze the most efficient or busiest branch.

However, as applications using NoSQL are being rolled out, little time has been taken to think or re-think security. Ironically, security in databases and file servers has seen its share of problems over the years. And these are systems that have gained mileage over the years, which allowed this type of security inspection. We cannot say the same about NoSQL. Many may claim that the developers of different NoSQL systems have purposefully pushed out security aspects from their systems. For instance, Cassandra has only basic built-in authentication procedures. This lack of security is considered a feature, built with the idea that database administrators do not need to trouble themselves with security aspects. Security, then, should be an offloaded process to be dealt with by a dedicated team.
We believe the NoSQL systems will suffer from a number of issues:

Lack of expertise. Currently, there are hardly enough experts who understand the security aspects of NoSQL technologies. When building a NoSQL system, there is no obvious security model that fits. The lack of such a model makes the implementation of security a non-trivial process and requires extensive design. As a result, security features that need to be considered get pushed out over and over again.

Buggy applications. Until third party solutions roll out to provide the necessary security solutions, it is the NoSQL applications that will carry the security load. Issues include:

Adding authentication and authorization processes to the application. This requires more security considerations, which make the application much more complex. For example, the application would need to define users and roles. Based on this type of data, the application can decide whether to grant the user access to the system.

Input validation. Once again we are seeing issues that have haunted RDBMS applications come back and haunt NoSQL databases. For example, at Black Hat 2011, researchers showed how a hacker can use a "NoSQL injection" to access restricted information. Likewise, "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws" contains a new separate chapter focused solely on the security of programming frameworks used for NoSQL.
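The NoSQL injection referred to above is, in its simplest form, operator injection: a JSON-speaking front end passes user-supplied objects straight into a query, so an attacker sends a comparison operator where the application expected a string. This added example (not from the report, the Black Hat talk or the handbook) shows the vulnerable login handler beside a hardened one, and a blind password extraction through the vulnerable one. The document matcher is a constructed stand-in that implements a few MongoDB-style operators ($ne, $gt, $regex) so the code runs offline; the user records and field names are illustrative.

```python
# Added example (not Imperva's code): operator injection against a JSON login
# handler. The "collection" and matcher below are a constructed stand-in for a
# document store, implementing only $ne, $gt and $regex in MongoDB style.
import json
import re

USERS = [  # constructed records; a real store would hold password hashes
    {"user": "alice", "password": "correct horse", "role": "admin"},
    {"user": "bob", "password": "hunter2", "role": "user"},
]

def _match_field(value, cond):
    """Compare a stored value against a literal or an operator object."""
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():
        if op == "$ne":
            ok = value != arg
        elif op == "$gt":
            ok = value > arg
        elif op == "$regex":
            ok = re.search(arg, str(value)) is not None
        else:
            raise ValueError(f"unsupported operator {op}")
        if not ok:
            return False
    return True

def find_one(collection, query):
    for doc in collection:
        if all(k in doc and _match_field(doc[k], v) for k, v in query.items()):
            return doc
    return None

def login_vulnerable(body: str):
    """The bug: whatever JSON the client sent becomes part of the query."""
    data = json.loads(body)
    return find_one(USERS, {"user": data["user"], "password": data["password"]})

def login_fixed(body: str):
    """Type enforcement at the boundary: operator objects never reach the query."""
    data = json.loads(body)
    user, pw = data.get("user"), data.get("password")
    if not (isinstance(user, str) and isinstance(pw, str)):
        return None  # reject (HTTP 400 in a real handler)
    return find_one(USERS, {"user": user, "password": pw})

def extract_password(username, alphabet=" abcdefghijklmnopqrstuvwxyz", max_len=20):
    """Blind extraction through the vulnerable handler: the login result is a
    yes/no oracle for 'does the password start with this prefix'."""
    prefix = ""
    for _ in range(max_len):
        for ch in alphabet:
            probe = json.dumps({"user": username,
                                "password": {"$regex": "^" + re.escape(prefix + ch)}})
            if login_vulnerable(probe):
                prefix += ch
                break
        else:
            return prefix  # no character extends the prefix: password complete
    return prefix

ATTACK = json.dumps({"user": {"$ne": ""}, "password": {"$gt": ""}})
LEGIT = json.dumps({"user": "bob", "password": "hunter2"})

if __name__ == "__main__":
    print("vulnerable, attack payload :", login_vulnerable(ATTACK))
    print("fixed, attack payload      :", login_fixed(ATTACK))
    print("fixed, real credentials    :", login_fixed(LEGIT))
    print("extracted alice's password :", extract_password("alice"))
```

The fix is type enforcement at the boundary (a password must be a string and nothing else), which is the NoSQL analogue of parameterized SQL queries; escaping does not help, because the payload is valid JSON rather than a string that breaks out of quotes.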
Application awareness. In the case where each application needs to manage the security, it will have to be aware of every other application. This is required in order to disable access to any non-application data. When new data types are added to the data store, the data store administrator would have to figure out and ensure which applications cannot access that specific data.

Vulnerability-prone code. There are a certain number of NoSQL products, but an order of magnitude more applications and application server products. The more applications, the more code in general that is prone to bugs.
Data duplicity. In NoSQL systems, data is not strictly saved in particular tables. Instead, the data is duplicated to many tables in order to optimize query processing. As a result, it is not possible to classify credit cards according to a particular sensitive table. On the contrary, this type of data can be found in different places: transaction logs, personal details, specific tables which represent all credit cards, and other locations which may not even have been considered.
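Because the same card number may sit in a transaction log, a customer profile and a free-text note, classification has to be done by scanning content rather than by labelling one collection. The following is an added example (not Imperva's code) that walks a constructed store of nested documents, finds 13 to 19 digit candidates with optional separators at any string or integer leaf, and keeps only those passing the Luhn check so that an order number or a phone number is not reported. Findings come back with a JSON-style path and a masked number. Collection names and documents are constructed.

```python
# Added example (not Imperva's code): content-based discovery of card numbers
# across denormalized documents. The store below is constructed test data.
import re

# 13 to 19 digits, each optionally followed by a space or dash, not inside a longer digit run
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def find_pans(text: str):
    """Digit strings in `text` that look like card numbers and pass Luhn."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def walk(doc, path="$"):
    """Yield (path, text) for every string or integer leaf of a nested document."""
    if isinstance(doc, dict):
        for k, v in doc.items():
            yield from walk(v, f"{path}.{k}")
    elif isinstance(doc, list):
        for i, v in enumerate(doc):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(doc, str):
        yield path, doc
    elif isinstance(doc, int) and not isinstance(doc, bool):
        yield path, str(doc)  # numbers stored as integers count too

def mask(pan: str) -> str:
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_store(store):
    """store: {collection: [documents]} -> [(collection, path, masked_pan), ...]"""
    findings = []
    for coll, docs in store.items():
        for i, doc in enumerate(docs):
            for path, text in walk(doc, f"{coll}[{i}]"):
                for pan in find_pans(text):
                    findings.append((coll, path, mask(pan)))
    return findings

STORE = {  # constructed documents; card numbers are the standard test numbers
    "customers": [{"name": "Ann Example", "phone": "+1 202 555 0173",
                   "cards": [{"brand": "visa", "number": "4111 1111 1111 1111"}]}],
    "orders": [{"order_id": 9876543210988, "total": 42.5,
                "note": "paid with 5500-0000-0000-0004, ship fast"}],
    "logs": [{"msg": "charge ok pan=4012888888881881 amt=10.00"},
             {"msg": "retry for customer 4111 1111 1111 1112"}],
}

if __name__ == "__main__":
    for coll, path, masked in scan_store(STORE):
        print(f"{coll:10s} {path:35s} {masked}")
```

The 13-digit order id and the retry line with a mistyped card number are both rejected by the checksum, while the number hidden in a free-text note is reported: the scan finds data by what it is, not by where it was expected to be.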
Privacy. Although our focus is on security, privacy concerns cannot be ignored. Take for example a healthcare platform where providers get together and share patient data. A patient might access the system for genetic information, and later access it with respect to drug information. An application which analyzes this data can correlate the information to find purchasing trends relating to genetics and health. The problem is that this type of correlation was not considered when the data was initially inserted. As a result, the data was never anonymized, allowing anyone to identify specific individuals from the bigger picture.

NoSQL is still in its infancy. It will take a while until we see these systems fully deployed at the majority of enterprises. For this precise reason it is so important to invest in the security of these systems now.
Trend #4: The Kimono Comes Off of Consumerized IT

After being caught off-guard by the process of consumerization of IT, professionals are trying to regain control of corporate data. The problem is that they are doing it the wrong way. Instead of trying to control data at the source, IT organizations try to regulate the usage of end-user devices and de-cloud data access. We expect organizations to spend a lot of time, money and effort on these techniques and technologies next year, with very poor results.

The consumerization of IT refers to the process in which corporate data is increasingly being processed by end-user devices and applications chosen and provided by the end-users themselves. Smartphones, tablets and custom personal laptops are leading this trend with their increasing processing power and storage capabilities, combined with their growing diversity of available applications. These are augmented by the increase of a remote workforce and individuals who use home computers and home networks on a regular basis to access corporate resources. This process by itself poses many challenges to an organization that are related to the compromise of information on the device (either physically through loss and theft of the device, or digitally through malware), as well as the compromise of enterprise networks through a compromised device. Coupled with the move of corporate data into the cloud, where corporate data is stored outside of the organization, an even more difficult problem emerges. With these issues in mind, the organization completely loses control over the entire interaction between end-users and corporate data.

There is a growing trend among IT professionals to try and regain control of end-user devices. Through different means, organizations are trying to enforce "proper" usage and settings of non-corporate devices. IT departments are attempting to enforce policies such as password strength, device lock-up and even remote wiping in the case of device loss. For example, access through the ActiveSync protocol to Microsoft e-mail servers can be restricted to devices that implement a specific security policy. Some enterprises also go as far as to try and restrict the devices that are allowed to access enterprise data to those models which possess certain security capabilities. We anticipate that the next step will be to require that certain security solutions be installed on those devices that are allowed to connect to the network (e.g., Lookout or any other mobile AV). In order to reduce the risk of device compromise, enterprises are also trying to force any web access from the device to be relayed through the enterprise network, where it can be monitored and controlled (which, of course, has severe implications in the case of SSL protected web resources, as explained in a different trend). Further, this approach hopes to bridge the gap that exists between user devices and cloud applications that hold enterprise data.

The approach described above is bound to fail for quite a few reasons.
Most of them stem from overlooking past experience and human nature:

1. Past is prologue. The past couple of years have shown that enterprises are failing to prevent the compromise of enterprise computing equipment. Extending the scope of the problem to a larger variety of devices only magnifies the problem.

2. Maintaining availability. Organizations that delegate information availability and network accessibility issues to the cloud and then take the approach of tunneling all user device traffic are going to face major networking issues. Consequently, they will find themselves spending time and money on creating and maintaining the high level of worldwide availability which they wanted to avoid in the first place.

3. User privacy. There are unsolved issues regarding the impact on users' privacy and the liability of the enterprise for personal information stored on these devices. For instance, remote wipe-out tools cannot differentiate between corporate and personal information.

This upcoming year, organizations are going to spend quite a lot of money and effort before realizing how little improvement this approach brings to enterprise data security. When they do realize the failure of these measures, they are going to look for a different set of solutions that are going to be more tightly coupled to the data itself. Such solutions include monitoring requirements for access to the data stores and strict control of that access.
Trend #3: Anti-Social Media

As many more organizations are making their way into the social media space, we expect to see a growing impact on the integrity and confidentiality of the enterprise's information. Moreover, hackers will continue to automate social media attacks, further exacerbating the situation. The heart of the problem resides in three separate issues inherent to social networks:

1. Sharing. The most important thing to understand about social networks and the tools built on top of them is that they are designed for sharing information, not for restricting access to it. Enterprises that try to use social media as collaboration suites for internal, sensitive business data, which requires different levels of access privileges, are bound to encounter massive data breaches. The reason is not flawed access controls and privacy mechanisms. Rather, the restriction of information through these channels is in complete contrast to the concept of such environments, which is, in fact, all about sharing. Consequently, organizations should keep an operational copy of all their data in a business system that can provide decent access controls. Data that can be made public can be exported out of this system and posted to the social network. This way, restricted information is kept inside business systems (regardless of whether they are on premise or in the cloud), while public information can be retrieved for publication on the social platform.

2. Control. Organizations need to understand that there is nearly an absolute lack of control over interactions with members of the social platform. In the real world we attempt to control the types of social interactions we experience by carefully choosing our social circles as well as the places we hang out. This is not possible in the cyber world. Comment spam, defamation, false claims and bad language are the norm. Keeping your social cyber environment clean of these is a difficult task. Further, cyber cleansing claims resources in a manner proportional to the popularity of the enterprise. Measures range from sifting and sanitizing comments to engaging closely with the social networks in case of defamation. Enterprises who fail to invest these resources will quickly find that true followers are fleeing the scene. In the meanwhile, the brand name erodes, defeating the purpose of entering the social network scene.

3. Lack of trust and proper identification. There is no real way for enterprises to avoid copy-cats. In today's social platforms, there is no solid way to tell apart the real owner of a brand from impostors and copy-cats who are trying to take advantage of the popularity of a specific brand, to abuse it or to erode it. The identity of message posters cannot be verified in any way, and there are no real tools to evaluate the trustworthiness of messages and their content.
The consequences could be general brand erosion or attack campaigns targeted towards the enterprise's social circle.

Mix these three concepts with the growing use of automation and you get social network mayhem. In the past couple of years we have witnessed the impact of the power of automation when applied to social networks:

- In February 2011, the Lovely-Faces.com website showcased hundreds of thousands of scraped Facebook user profiles.
- In September 2011, another group demonstrated an application that automates the process of "friending". Based on this process, the application creates a collection of all personal information, including photos, from those who accepted the friendship request.
- Recently, a group of researchers demonstrated the power of "social botnets". These are fake profiles; however, these accounts can automatically grow a network of friends among real accounts. The research proved that the flawed "friend of a friend" trust model enabled this type of botnet proliferation. Further, their research found that individuals were three times more receptive to accepting a friendship request if the requester already shared a mutual friend with them.
- Software automating account generation, and various data mining research projects, exist.
- This Fall, DHS started setting up policies to monitor Facebook and Twitter. Automating this process will be at the heart of this project in order to sift through the incredibly high volume of traffic.

Unfortunately, we do not see any market solutions ready to handle the above issues. Facebook, as well as other social media platform providers, are currently keeping full control and are attempting to fight some of the issues (mainly automation and fake accounts) from within. One such initiative is Facebook's Immune System project. This has proven to be mostly futile so far (for instance, there is a clear conflict of interest between Facebook's attempt to remove fake accounts and its attempt to show constant, unbelievable growth). Rather, the solutions must be incorporated into existing platforms by enterprises themselves. These solutions will have to rely on third parties that offer trust and data control services over the social media platform. Currently, we are not aware of any such existing solutions, leaving a void ripe for research.
Trend #2: The Rise of the Middle Man

In 2010, we predicted the industrialization of hacking. What is the impact of industrialization on hackers' business models? In 2012, with the increased supply of and demand for compromised machines, as well as for sensitive corporate information, we predict the rise of a new cybercrime job role: the broker. This individual is responsible for matching the buyers of stolen data, or of compromised machines (aka "bots"), with the sellers of the data (or bot renters). In the same way stocks and investors gave rise to stock markets, hackers need a middleman. The success of bot herding opened up a large market where lots of hackers have many corporate machines under their control, each potentially holding a vast amount of data. However, waiting for individuals to approach and buy this type of data from them is simply too slow and ineffective an approach, causing the hackers to be victims of their own success. Instead, we are seeing that this situation actually opens up a wholesale opportunity for a middleman to bridge this gap.
Trend #1: Security (Finally) Trumps Compliance

In 2012 we expect to see security decisions driven not by compliance but for the simple reason of... security. It sounds simple enough, but in previous years we have seen the influx of laws and regulations which drove the budget and security solutions. PCI, SOX and world-wide Data Privacy Acts were all used as the reasons to feed the security budget. But this approach often backfired. Anecdotally, when one CIO was asked about the key lesson from a major breach his firm experienced, he answered, "Security is not about surviving the audit." Smart companies used these regulations as springboards to enforce the case for security. In fact, both a 2011 Ponemon survey and the 2010 Verizon Data Breach Report showed that PCI did improve organizations' security stance. However, regulatory compliance is not equivalent to, and does not confer, security. It is enough to turn to Heartland Payment Systems for such an example. The company passed its PCI evaluation, and yet it suffered one of the biggest breaches in history.
This past year we have seen a shift in the corporate attitude for several reasons:

1. Breaches are costly.
Security breaches such as those suffered by Epsilon, RSA and Sony dominated front page news. The high profile breaches highlighted the impact of security. Brand damage, loss of brand value, legal costs, notification costs, service outages and loss in shareholder value all became news of the day. In fact, the day after Sony's breach announcement, the stock price dropped steeply. DigiNotar, a CA company that was breached in September (see the SSL trend), went belly up later that month. While actual assessments of the cost of this past year's breaches have not yet been made public, we can return to the Heartland Payment Systems breach for a lesson. For nearly two years financial analysts watched as large legal payments for damages were settled before the market could feel comfortable about Heartland's ability to stabilize revenues.
2. Companies with an online presence, regardless of size, are targeted.
Not only were large corporations affected by breaches in the past year. Hackers have become very adept at automating attacks. According to the 2011 Verizon Data Breach Investigations Report, hackers have "created economies of scale by refining standardized, automated, and highly repeatable attacks directed at smaller, vulnerable, and largely homogenous targets". In other words, in a world of automated attacks, everyone is – or will be – a target. This point was exemplified in August 2011 when USA Today published that 8 million websites were infected by malware. Our own research highlights how applications are likely to be probed once every two minutes and attacked seven times a second.
3. Hacktivism brings (in)security to the front lines.
Hacking groups such as Anonymous and Lulzsec have received headlines when they repeatedly hacked into different corporations, large and small. Visa, Paypal, Sony Pictures, Fox.com and PBS.org, as well as countries such as Tunisia and government agencies such as Infragard, all felt the wrath of hacktivists, whose attacks targeted applications and infrastructure.
4. APT becomes an actual threat.
Advanced Persistent Threat (APT) attacks are sophisticated attacks which relentlessly target corporations and governments for espionage and destruction. However, with good branding from worldwide marketing and PR teams, this term has become the alternative description for a compromise following a corporate phishing attack. The fear of such an attack is boosting the security budget. A recent survey by ESG indicated that due to APT concerns, 32% of respondents are increasing security spending by 6-10%.
5. Intellectual property requires protection.
Organizations are beginning to understand the risk and consequences of a compromise of their bread and butter. The biggest risk of exposure of intellectual property is actually caused unintentionally: for example, through an employee leaving the company with corporate information obtained rightfully over time, or through a misconfigured server holding confidential documents (see the trends on the externalization of collaboration platforms). Organizations also face the risk of deliberate theft of data by vengeful or malicious employees. For instance, this past year a former Goldman Sachs employee received an eight year sentence for stealing proprietary software code. Compromise of intellectual property may even be performed at the hands of external hackers. In the past we saw how hackers were solely focused on credit card numbers, login credentials and other such generic commodities. Although this type of data is still on the attacker's radar, we are starting to see hackers focusing also on intellectual property. As a case in point, consider the RSA attack, which involved the data relating to the SecurID tokens.
Hacker Intelligence Initiative, Monthly Trend Report
Imperva, 3400 Bridge Parkway, Suite 200, Redwood City, CA 94065. Tel: +1-650-345-9000. Fax: +1-650-345-9004. www.imperva.com
Copyright 2011, Imperva. All rights reserved. Imperva, SecureSphere, and "Protecting the Data That Drives Business" are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #HII-DECEMBER-2011-1211rev1

6. Shareholders are now involved.
The SEC has recognized the impact of a security breach on a company. As a result, recently updated SEC regulations require reporting information security breaches to shareholders. If in the past breaches could have been swept under the carpet, this regulation will make it harder to do so.
For these reasons, we will increasingly see companies make sound security decisions based on actual security reasoning. Furthermore, the abundance of regulations – which ultimately try to set a minimal bar of security – will make it too costly for organizations to handle on a regulation-by-regulation basis. Instead, enterprises will implement security and then assess whether they have done enough in the context of each regulation.
Conclusion

How did we come up with these trends? There were several factors:

Hackers – As a part of Imperva's hacker intelligence initiative, we monitor hackers to understand many of the technical and business aspects of hacking. The insights provided from our investigations help us see what hackers are doing or, in this case, plan to do. In some cases, hackers make small tweaks to existing attacks or come up with altogether new ones.

The good guys – Many of our customers are smart, really smart. We meet with them regularly to understand their challenges and concerns and to identify emerging trends.

Weather balloons – We monitor traffic in cyberspace. This helps us understand statistically how hackers may be shifting focus regarding attacks.

Intuition – Many in the ADC have been in security for many years in the private sector, the military and academia. We've seen a lot in those years.

Our hope is to give security teams a comprehensive, substantive set of predictions to help you prioritize your security activities for the coming year. Be safe!
Hacker Intelligence Initiative Overview

The Imperva Hacker Intelligence Initiative goes inside the cyber-underground and provides analysis of the trending hacking techniques and interesting attack campaigns from the past month. A part of Imperva's Application Defense Center research arm, the Hacker Intelligence Initiative (HII) is focused on tracking the latest trends in attacks, Web application security and cyber-crime business models with the goal of improving security controls and risk management processes.