Application Security

Unto the Breach – from Medieval Castles to Today’s Online Retail Market

Krak des Chevaliers was one of the most dominant castles in medieval Syria. In 1271, it was breached when attackers found its weakness: a timber palisade. The attackers overran this simple timber palisade to capture a castle outwork. From there, they undermined and collapsed a castle wall. More than 100 years of wall building destroyed in an instant.

Striking an odd parallel to the story of Krak des Chevaliers is that of the recent data breaches at U.S. retail chains Neiman Marcus, Target, and Michaels. It seems there’s more to learn from medieval times than even our history teachers could have guessed.

Pivot Points and Outworks

The retail hacks have led to a lot of talk and debate over the use of chips versus magnetic stripes on credit cards. While I’d argue that chip and PIN is more secure than the mag stripe, the card technology is not what caused these breaches, and it is not what will prevent future malware attacks.

Details on the primary ingress points for each of these data breaches remain murky, but current speculation, unsurprisingly, is centering on compromised Web applications. A report from KrebsonSecurity on the Target attack indicates that “according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hovered [sic] by all of the infected point-of-sale devices.”

When a Web application is compromised, the server becomes “owned” by the attacker and becomes a pivot point into other unrelated applications in the data center, a backdoor into the network. In its latest report, Mandiant identifies this as a key trend in advanced persistent threats (APTs), with more examples of the same attack vector. Millions of dollars spent on isolating a PCI zone can be defeated in minutes, just as the walls at Krak des Chevaliers were undermined by digging from the captured outwork.

Timber!

This highlights our modern timber palisade: Web application security. If you had an attacker on your website right now, would you know? If your answer is “no” or “I’d check the log files” (a rear-view mirror at best), you’re far from alone.

Silver Bullet

Protecting Web applications is hard, and there’s no silver bullet. Secure development practices for Web applications are important, including following secure coding practices, making penetration testing part of the QA process, and other techniques. Web application firewalls (WAFs) play an important role, too, in shielding vulnerable applications from known attacks, including flavors of SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and buffer overflow attacks. Unfortunately, most organizations struggle to deploy them. In fact, a 2013 Ponemon Institute study (PDF) of 5,000 global IT professionals showed that only about one in six have a WAF deployed in block mode, due largely to complexity and false positives.
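As an added example (not from the article or any vendor), the toy rule engine below runs a couple of the signature classes named above over constructed access-log lines, first in monitor mode to tally hits and surface false positives, then in block mode with an allowlist for the paths that tuning identified; the signatures, log lines and allowlist are assumptions and far smaller than any real WAF ruleset.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Illustrative signatures only (assumption: a real WAF ruleset is far larger).
RULES = {
    "sqli": re.compile(r"(?i)(\bunion\b[\s\S]+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon[a-z]+\s*=)"),
}

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(path):
    """Return the first rule the URL-decoded request path triggers, or None."""
    decoded = unquote_plus(path)  # payloads arrive encoded; inspect the decoded form
    for name, rx in RULES.items():
        if rx.search(decoded):
            return name
    return None

def evaluate(lines, mode="monitor", allow_paths=()):
    """Run the rules over log lines; returns (ip, path, rule, action) per request.

    mode="monitor" records matches without blocking (the tuning phase);
    mode="block" marks matching requests as blocked. allow_paths holds
    path prefixes that tuning showed to be false positives; they are skipped.
    """
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; ignore it
        ip, _method, path, _status = m.groups()
        if path.startswith(tuple(allow_paths)):
            decisions.append((ip, path, None, "allow"))
            continue
        rule = classify(path)
        action = "allow" if rule is None else ("block" if mode == "block" else "log")
        decisions.append((ip, path, rule, action))
    return decisions

def hit_counts(decisions):
    """Per-rule tally: what you review in monitor mode before enabling block mode."""
    return Counter(d[2] for d in decisions if d[2])

# Constructed sample log lines (not real traffic); the last one is a benign path
# that happens to trip the XSS rule, i.e. a false positive to allowlist.
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2014:10:00:01 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2014:10:00:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 120',
    '198.51.100.4 - - [10/Jan/2014:10:00:03 +0000] "GET /products?id=42 HTTP/1.1" 200 4096',
    '198.51.100.9 - - [10/Jan/2014:10:00:04 +0000] "GET /docs/onload=examples HTTP/1.1" 200 900',
]
```

Running `evaluate(SAMPLE)` first and reviewing `hit_counts` is the step most organizations in the Ponemon study never get past; `evaluate(SAMPLE, mode="block", allow_paths=("/docs/",))` is the tuned block-mode configuration.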

New techniques like intrusion deception promise to play a role in detecting, tracking, and preventing hackers in real time, providing both visibility and a new layer of defense.

What’s Next?

As a frequent Target shopper and recipient of the email from this retailer’s CEO that suggested I check my debit and credit card accounts for possible fraudulent activity and offered a year of free credit monitoring, I am definitely concerned, but also in a dilemma.

See, I’m relieved that:

a) Citigroup, the credit card company I often use for retail purchases, is on my side and has placed a notice on its website home page stating that, as a customer, I won’t be liable for any fraudulent charges to my account as a result of the Target data breach.

b) My credit card accounts look clean so far.

However, I won’t necessarily stop buying from this retailer or others who’ve similarly been affected, since I still value their products and services. Certainly though, I’d like to see them using better network controls so that this doesn’t happen again.

It’s in these modern times that we must really think to upgrade from timber to titanium.
