Silencing the Security Cynics

Security isn’t Binary. The Trick is to Find the Breakeven Between Expenditure of Resources and the Point of Diminishing Returns…

The war on drugs, the war on terror, and now the war on hackers. The pundits, which is to say the mouthpieces who get the prime air time, declare that we’re losing all three, their faces pinched to exude the utmost gravitas. The point has been made many times: neither the war on drugs, nor the war on terror are wars; you can’t bomb either out of existence.

I envision the words “terror” and “drug” fading to white in my dictionary when Osama bin Laden and Pablo Escobar were assassinated. But that’s fantasy: we’ll never eradicate drugs, nor terrorism, and there’ll always be someone who wants to compromise your systems.

If I have to sit through another presentation on information security that opens with the canned two or three slides peddling fear, uncertainty, and doubt, I’m going to launch myself across the table and unleash my own brand of FUD on the speaker. It’s not the bad guys who are winning, it’s the alarmists.

Despite the claims, we continue to make progress with information security. Overall I’d rate us a B+, with the note, “With a little improvement, Junior is on track for an ‘A’ next semester.”

The evidence is that we’ve forced the adversary to adopt new, more complex techniques to breach our systems. For the most part they’re compelled to take their attacks out of the realm of computers and networks, and hack the human before they can compromise our systems. Social engineering is now a component of all but the most pedestrian attacks.

If you’ll indulge me in using the model of Infrastructure, Applications, Data, and People, as the facets of our attack surface, we’ve pretty much covered the first. Firewalls, IPS/IDSes, and endpoint protection are all doing a decent job of keeping the outside-in compromises to a minimum, at least in enterprises (small and medium business, as well as home users, are all over the map on security.) Scan-and-attack compromises are rare, with the exception of SQL injection, web applications like content management systems (CMSes), and exposed systems with poor security controls, like industrial control systems, web cameras, etc.

The bulk of attacks are now launched against client systems, usually exploiting vulnerabilities in applications installed on workstations. Adobe Acrobat had long been a vector of choice, largely because it’s ubiquitous and reading documents is still considered benign by many non-technical end users. Adobe has stepped up the security of Acrobat by introducing sandboxing into the product, making it much more difficult to compromise—though not impossible, as the purported 0day claims.

Then there’s Microsoft Office malware, a heavier weight variant of attacks against PDFs, affecting even Macs. A series of flaws in the Java runtime is promoting it to the new favorite tasty target, in part because it’s a cross-platform hole. In fact, the exploit that stirred up the Apple community by infecting an estimated 600,000 Macs, the Flashback malware, worms its way in through Java. And let’s not forget the ever popular fake anti-virus, as well as cross-site scripting (XSS) and its cousin, cross-site request forgery (CSRF).


Ultimately, the data itself is the target, and the infrastructure, applications, and people are a means to get to it. While criminals, competitors, and spies seek to steal, destroy, or hold your data for ransom, exploits like DDoS attacks attempt to deny access to it. Spear phishing with attached or linked malware, poisoning watering holes, and sprinkling USB drives in a parking lot all attack the human vector. There’s no question that people are hardest to control: infrastructure and applications behave predictably for the most part, software bugs and vulnerabilities excepted, whereas people behave in unpredictable ways, sometimes in conflict with their own best interests. Security awareness training is only marginally helpful, and there’s a whole debate on the subject, so let’s not tackle that one for the moment.

Instead, let’s agree that we’ve taken the infrastructure hill. It’s been secured. That’s not to say it won’t be exposed again; attackers evolve their tactics, the same way the enemy will try to recapture ground in kinetic warfare. Let’s plant our flag and move on to the next combat zone: applications.

Report after report finds that SQL injection is still the primary compromise vector after many years. We know how to stop it; why aren’t we getting the job done? There are a couple of well-known lists of steps to take to protect yourself against the biggest threats, the SANS Top 20 Critical Security Controls and Australian Department of Defence Signals Directorate (DSD) Top 35 Mitigation Strategies. They’re intended to be short lists, but also try to cover a lot of ground. In my view they end up more like a rollup of many regulations and compliance guides. That is to say they’re both good roadmaps for security, but sometimes you just need to assemble a task force and clear out a few tactical controls that cover a wide swath of ground. To that end, here’s my hot list of application security controls:

● Find all your publicly facing applications. Scan your external networks. Talk with finance and find out who they pay for hosting services on a recurring basis, including SaaS. Talk with the folks who manage your DNS and use external IP addresses to discover assets you might not know you had. Use Shodan.

● Test those applications. Use automated vulnerability assessment tools; consider using more than one. Penetration test the systems, not just high value ones. Often vulnerabilities in low value targets are used to gain a foothold, perform reconnaissance, and eventually penetrate high value systems. Monitor those systems for suspicious activity.

● Prevent SQL injection. The OWASP project is a great place to learn about parameterized queries, stored procedures, and escaping user supplied input.

● Fix vulnerabilities in CMSes. Lack of input validation is one of the most prevalent coding errors.

● For vendor supplied software, exercise your right to audit the vendor and/or to require proof of source code auditing by an expert third party. For a large enterprise, this right is probably already written into the contract with the vendor, unless it’s a giant company providing commodity software, like Windows.

● Decide whether you need the application after all. I’ve seen too many carefully designed DMZs evolve into a New England farmhouse, with applications that don’t fulfill their promise and fall into ruin, their only function to provide a hole for evil to crawl through.

● Enforce configuration management. Create a secure baseline, use it in mandatory system build procedures, and monitor systems in production with an automated configuration management tool.

● Patch. Set up alerts from vendors and threat advisory services. Use a news aggregator to keep up with threats. Respond by patching or disabling vulnerable services.
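The SQL injection control above, shown as an added example that is not part of the original column: a user lookup written the vulnerable way beside the parameterized form, plus an allow-list input check of the kind the CMS item calls for. The table, names, and crafted input are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory table standing in for an application's user store.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn

def lookup_user_vulnerable(conn, username):
    # Vulnerable: the input is spliced into the SQL text, so a quote in the
    # input changes the structure of the query rather than just a value.
    sql = ("SELECT username, role FROM users WHERE username = '"
           + username + "' ORDER BY username")
    return conn.execute(sql).fetchall()

def lookup_user_parameterized(conn, username):
    # Hardened: the value travels separately from the SQL text, so the
    # driver never parses it as SQL, whatever characters it contains.
    sql = "SELECT username, role FROM users WHERE username = ? ORDER BY username"
    return conn.execute(sql, (username,)).fetchall()

# Defense in depth: an allow-list on the input itself, which is the kind of
# validation the CMS item above is about. Constructed policy for the demo.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None

def demo():
    conn = build_db()
    benign = "alice"
    # Constructed input that closes the string literal and appends a tautology.
    crafted = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_user_vulnerable(conn, benign),
        "vuln_crafted": lookup_user_vulnerable(conn, crafted),   # every row leaks
        "param_benign": lookup_user_parameterized(conn, benign),
        "param_crafted": lookup_user_parameterized(conn, crafted),  # no match
        "crafted_passes_allowlist": is_valid_username(crafted),
    }
```

Running demo() shows the concatenated query returning every user for the crafted input while the parameterized query returns nothing, which is the whole difference the scanner reports are about.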

With just that level of effort we can fend off 80% of infrastructure and application attacks. Remember, security isn’t binary. We’re not “secure” or “exposed”; we’re always at a point along that continuum. The trick is to find the breakeven between expenditure of resources and the point of diminishing returns. When you cross that line onto the long tail, move on.

But not forever. As I mentioned, it’s not a war; instead, it’s more like law enforcement. Once you capture territory and reintroduce the general population, the war is over and you enter an era of defense and peacekeeping. A productive society will change the landscape, building new districts for commerce, razing residential areas and erecting new ones. Our information infrastructure has now expanded to include cloud and mobile. We have to take one step back and figure out how to introduce these new elements and still defend the data. There’s sure to be another battle as a result.

Eventually we have to tackle the data and people problem, and we’ll deal with that another day. For today let’s declare our wins and expose the despicable defeatists for what they are: hysterical fear mongers.
