Krak des Chevaliers was one of the most dominant castles in medieval Syria. In 1271, it was breached when attackers found its weakness: a timber palisade. The attackers overran this simple timber palisade to capture a castle outwork. From there, they undermined and collapsed a castle wall. More than 100 years of wall building destroyed in an instant.
The recent data breaches at U.S. retail chains Neiman Marcus, Target, and Michaels strike an odd parallel to the story of Krak des Chevaliers. It seems there’s more to learn from medieval times than even our history teachers could have guessed.
Pivot Points and Outworks
The retail hacks have led to a lot of talk and debate over the use of chips versus magnetic stripes on credit cards. While I’d argue that the chip-and-PIN system is better and more secure than the magnetic stripe, it isn’t what caused these breaches, nor what will prevent future malware attacks.
Details on the primary ingress points for each of these data breaches remain murky, but current speculation, unsurprisingly, is centering on compromised Web applications. A report from KrebsonSecurity on the Target attack indicates that “according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hovered [sic] by all of the infected point-of-sale devices.”
When a Web application is compromised, the server is “owned” by the attacker and turns into a pivot point into other, unrelated applications in the data center: a backdoor into the network. In its latest report, Mandiant identifies this as a key trend in advanced persistent threats (APTs), with more examples of the same attack vector. Millions of dollars spent on isolating a PCI zone can be defeated in minutes, just as the walls at Krak des Chevaliers were undermined by digging from the captured outwork.
This highlights our modern timber palisade: Web application security. If you had an attacker on your website right now, would you know? If your answer is “no” or “I’d check the log files” (a rear-view mirror at best), you’re far from alone.
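As an added example (not code from the original article), here is a small Python script that puts the “would you know?” question to a handful of constructed Web server access log lines: it parses the combined log format, URL-decodes each request, and flags requests carrying textbook injection indicators or a script file being served from an upload directory, then groups the hits by client address so a probe-then-foothold sequence stands out. The log lines, addresses, paths and signature patterns are all constructed for illustration and are far thinner than a real WAF ruleset.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote_plus

# Apache/nginx "combined" log layout; the regex assumes that format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Textbook indicators, applied after URL-decoding. Constructed for this
# example; a production ruleset is far richer.
INDICATORS = {
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s*'?\d|--\s|;\s*drop\b"),
    "xss": re.compile(r"(?i)<script\b|javascript:|on(error|load)\s*="),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd"),
    # Executable content sitting where user uploads are stored.
    "script_in_upload_dir": re.compile(r"(?i)/(uploads?|images|media)/[^?]*\.(php|jsp|aspx?)\b"),
}


@dataclass
class Finding:
    ip: str
    category: str
    path: str
    served: bool  # True when the server answered 2xx, i.e. nothing rejected the request


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields; None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(rec: dict) -> List[Finding]:
    """Match every indicator against the decoded path and query."""
    decoded = unquote_plus(rec["path"])  # payloads usually arrive percent-encoded
    return [
        Finding(rec["ip"], cat, decoded, rec["status"].startswith("2"))
        for cat, pattern in INDICATORS.items()
        if pattern.search(decoded)
    ]


def scan(lines: Iterable[str]) -> List[Finding]:
    """Stream log lines (a file, or a tail) and collect findings in order."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            findings.extend(inspect_request(rec))
    return findings


def by_source(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Group indicator categories by client IP, preserving event order."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.ip, []).append(f.category)
    return out


# Constructed sample log: one benign visit, a probe, a reflected-XSS attempt,
# and a script answering from the uploads directory (documentation IPs only).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2014:03:22:11 +0000] "GET /products.php?id=42 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2014:03:22:14 +0000] "GET /products.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98304
198.51.100.3 - - [10/Jan/2014:03:25:40 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048
203.0.113.7 - - [10/Jan/2014:03:31:02 +0000] "GET /uploads/avatar_17.php?cmd=id HTTP/1.1" 200 61
192.0.2.55 - - [10/Jan/2014:03:40:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ip:15} {f.category:22} served={f.served} {f.path}")
    print(by_source(found))
```

Run against a live log with `scan(open("access.log"))` or a tailed stream; the `served` flag matters because a 2xx answer to a suspicious request means nothing in front of the application rejected it, which is the gap the article is pointing at.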
Protecting Web applications is hard, and there’s no silver bullet. Secure development practices for Web applications are important, including following secure software coding practices, using penetration testing as part of the QA process, and other techniques. Web application firewalls (WAFs) play an important role, too, in shielding vulnerable applications from known attacks, including flavors of SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and buffer overflow attacks. Unfortunately, most organizations struggle to deploy them. In fact, a 2013 Ponemon Institute study of 5,000 global IT professionals showed that only about one in six have a WAF deployed in block mode, due largely to complexity and false positives.
New techniques like intrusion deception promise to play a role in detecting, tracking, and preventing hackers in real time, providing both visibility and a new layer of defense.
As a frequent Target shopper and recipient of the email from this retailer’s CEO that suggested I check my debit and credit card accounts for possible fraudulent activity and offered a year of free credit monitoring, I am definitely concerned, but also in a dilemma.
See, I’m relieved that:
a) Citigroup, the credit card company I often use for retail purchases, is on my side and has placed a notice on its website home page stating that, as a customer, I won’t be liable for any fraudulent charges to my account as a result of the Target data breach.
b) My credit card accounts look clean so far.
However, I won’t necessarily stop buying from this retailer or others who’ve similarly been affected, since I still value their products and services. Certainly though, I’d like to see them using better network controls so that this doesn’t happen again.
It’s in these modern times that we must really think to upgrade from timber to titanium.