
Top Information Security Issues and Threats

WHITE PAPER

Knowing your enemy is just as important in security as it is in traditional warfare.

Redspin
6450 Via Real, Suite 3
Carpinteria, CA 93013
800-721-9177
805-684-6858
TABLE OF CONTENTS
1 Executive Summary
2 Lack of Security Visibility with Virtualization Infrastructure
3 Ineffective Policy
4 “Drive-By-Downloads”; Web Malware
5 Web Application Threats
6 Botnets, Keyloggers and Other Malware
7 Poor Choice of Identity and Access Management Systems
8 Lack of Attention to Protecting High Business Impact Data
9 Poor Procedures for Patching and Configuring Infrastructure
10 Social Engineering Threats
11 Lack of Encryption and Centralized Key Management
12 Change Management Procedures for Applications
13 Partner Information Access

Page  | www.redspin.com 2009 | White Paper


Executive Summary
Knowing your enemy is just as important in security as it is in traditional warfare.
Understanding the specific incidents and process breakdowns from the past and
being prepared for the future is helpful in moving your security program forward. Our
hope is that you find this report equally valuable in coming to terms with planning and
implementing your security program.

In our review of security threats and issues over the past year, we have broadened our
outlook to consider threats that break down the information security fabric that protects
your information. Our unique view of emerging issues and threats gives us the basis for
these 2010 projections.

We believe these security issues are the result of the following important trends:

• The increasing velocity of application deployment (primarily due to
virtualization).
• The rate of growth in corporate data to a point where it is not clear that all
data can be protected nor even identified.
• Increasing network, application and system complexity has resulted in policy,
process and procedure breakdown.

On the threat front, direct attacks against applications in various forms lead the way.
Our belief is that this is because the aim of the attacker is monetary gain and the web
application presents the largest attack surface while being easiest to exploit. Botnets
remain widespread but have become a more significant threat because of their ability
to tunnel over common transport protocols such as HTTP and HTTPS. A firewall that
filters only on port therefore offers no protection, and neither does an IDS or IPS that
cannot see inside the tunnelled traffic.

Let’s now examine some of the threats and security issues we have identified:

Lack of Security Visibility with Virtualization Infrastructure
Ineffective Policy
“Drive-By-Downloads”; Web Malware
Web Application Threats
Botnets, Keyloggers and Other Malware
Poor Choice of Identity and Access Management Systems
Lack of Attention to Protecting High Business Impact Data
Poor Procedures for Patching and Configuring Infrastructure
Social Engineering Threats
Lack of Encryption and Centralized Key Management
Change Management Procedures for Applications
Partner Information Access

This research was conducted by the Redspin security team, during hundreds of security
assessments nationwide in 2008/2009. For questions and comments please email
Redspin at info@redspin.com.



Lack of Security Visibility with
Virtualization Infrastructure
Customers have rushed to take advantage of the economic benefits of server
consolidation. An initial decrease in capital equipment expenditure and ongoing
increases in management efficiency lead to significant operating cost benefits. Often
lost is that the network has been absorbed into the infrastructure: there are far more
virtual NICs and virtual switches than physical ones, and traffic between VMs on the
same host never leaves that host. No longer can security teams simply plug a sniffer or
IDS into an appropriate SPAN port to troubleshoot an issue. Perhaps more importantly, the
physical firewall now sits between a cluster of virtual machines and an external switch,
so it never sees VM-to-VM traffic, and its configuration becomes much more difficult and
fraught with hazard. There are alternatives such as virtual firewalls and monitoring tools
aimed directly at virtual infrastructures. The first step is often an infrastructure
assessment to get a clear view of the best known methods for tackling these issues.

Ineffective Policy

Perhaps the most significant issue a security organization can face is lack of policy or the
breakdown of existing policy. Often this happens when security policy becomes stale,
so that what is happening in the infrastructure is no longer a reflection of the policy. In
other circumstances the security team is faced with policy “creep”, where the reality of
infrastructure security drifts away from the intended policy. In both cases, the business has
lost an effective method of managing complexity and managing security issues.

The team at Redspin has found this situation time and time again in our assessments over
the years. For corrective action, we recommend a policy review as well as a process
change to assess policy effectiveness on a quarterly basis. Equally important is to create
a mechanism that automatically ties what is happening in your infrastructure to the
requirements of your policy. Event logs, or the correlated output of a Security Information
and Event Management (SIEM) system, can be an effective approach. Nevertheless,
customers must also make the security-conscious decision to review the results and take
action on a regular basis.

“Drive-By-Downloads”; Web Malware


A drive-by download occurs when a user visits a web page and malicious code is
automatically and silently downloaded and installed on the user’s computer with no
interaction from the user. Once the malware is on the user’s computer, the attackers have
remote access to it and can steal sensitive information such as banking passwords,
send out spam or install further malicious executables over time. A typical way for
attackers to compromise a web site in the first place is to exploit widely known web
application flaws such as Cross-Site Scripting (XSS) or SQL injection, and use them to
inject the hostile script or iframe into the pages the site serves.

Malicious advertisements (also known as “malvertising”) are another route by which a
website ends up serving malware. Rather than infecting the website directly, attackers
infect an ad network (perhaps simply by submitting an ad that looks legitimate but
actually serves malware to the user). Once the malicious ad is in the ad network’s
inventory, it is presented to users on many websites as the network rotates through its
ads. This is often a difficult attack to detect on a website because the malicious code
shows up only intermittently, on some user requests and not on others. Unless you happen
to observe the malicious ad being served, you will not see the malicious code on the
website at all.
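Because the injected code appears on only some responses, a single look at the page proves nothing. As an added example that is not part of Redspin’s paper, the following Go program shows the check a site owner can run: it examines several copies of the same page fetched at different times and flags hidden iframes, frames or scripts loaded from hosts outside an operator-supplied allow list, and the run-time decoding idioms that injected loaders use. The page contents, host names and the address in the hidden frame are constructed for the example, and the allow list is an assumption the operator would supply.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one suspicious element seen in one fetched copy of the page.
type Finding struct {
	Sample int    // index of the fetched copy in which it appeared
	Kind   string // hidden-iframe, foreign-iframe, foreign-script or obfuscated-script
	Detail string
}

var (
	iframeRe = regexp.MustCompile(`(?i)<iframe\b[^>]*>`)
	scriptRe = regexp.MustCompile(`(?is)<script\b([^>]*)>(.*?)</script>`)
	srcRe    = regexp.MustCompile(`(?i)\bsrc\s*=\s*["']?([^"'\s>]+)`)
	// Attributes that keep a frame invisible to the user while the browser still loads it.
	hiddenRe = regexp.MustCompile(`(?i)(width\s*=\s*["']?[01]\b|height\s*=\s*["']?[01]\b|display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px)`)
	// Loader idioms that decode hidden markup at run time instead of serving it in the clear.
	obfRe = regexp.MustCompile(`(?i)(document\.write\s*\(\s*unescape|eval\s*\(\s*unescape|String\.fromCharCode\s*\(|(%[0-9a-f]{2}){8,})`)
)

// hostOf returns the lower-cased host of a source URL. Relative sources yield ""
// (same origin); an unparsable one yields a marker so that it is reported, not ignored.
func hostOf(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "unparsable:" + raw
	}
	return strings.ToLower(u.Hostname())
}

// scanSample inspects one fetched copy of a page; allowed lists the hosts the site
// owner expects frames and scripts to come from (an assumption the operator supplies).
func scanSample(idx int, html string, allowed map[string]bool) []Finding {
	var out []Finding
	foreign := func(src string) bool {
		h := hostOf(src)
		return h != "" && !allowed[h]
	}
	for _, tag := range iframeRe.FindAllString(html, -1) {
		if hiddenRe.MatchString(tag) {
			out = append(out, Finding{idx, "hidden-iframe", tag})
		}
		if m := srcRe.FindStringSubmatch(tag); m != nil && foreign(m[1]) {
			out = append(out, Finding{idx, "foreign-iframe", m[1]})
		}
	}
	for _, m := range scriptRe.FindAllStringSubmatch(html, -1) {
		if s := srcRe.FindStringSubmatch(m[1]); s != nil && foreign(s[1]) {
			out = append(out, Finding{idx, "foreign-script", s[1]})
		}
		if obfRe.MatchString(m[2]) {
			out = append(out, Finding{idx, "obfuscated-script", strings.TrimSpace(m[2])})
		}
	}
	return out
}

// scanSamples runs scanSample over several copies of the same page fetched at different
// times; a malicious creative rotated in by an ad network shows up in only some of them.
func scanSamples(samples []string, allowed map[string]bool) []Finding {
	var all []Finding
	for i, s := range samples {
		all = append(all, scanSample(i, s, allowed)...)
	}
	return all
}

// Constructed samples, not captured pages: copy 0 is the page as normally served, copy 1 the same page while the ad slot serves a malicious creative.
var samples = []string{
	`<html><body><h1>Shop</h1>
<script src="https://cdn.example.com/app.js"></script>
<div id="ad"><iframe src="https://ads.example.net/slot1" width="300" height="250"></iframe></div>
</body></html>`,
	`<html><body><h1>Shop</h1>
<script src="https://cdn.example.com/app.js"></script>
<div id="ad"><iframe src="https://ads.example.net/slot1" width="300" height="250"></iframe></div>
<iframe src="http://198.51.100.7/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D'));</script>
</body></html>`,
}

// allowedHosts is the (assumed) list of hosts the site owner expects content from.
var allowedHosts = map[string]bool{"cdn.example.com": true, "ads.example.net": true}

func main() {
	for _, f := range scanSamples(samples, allowedHosts) {
		fmt.Printf("copy %d: %-17s %s\n", f.Sample, f.Kind, f.Detail)
	}
}
```

Run against live fetches, the same loop would request the page repeatedly (and from more than one network, since ad networks also target by geography) and keep each copy; the allow list is the part that needs maintaining, because a new legitimate CDN will show up as a foreign host until it is added.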



A further implication with profound consequences results from website “blacklisting.”
When a website gets infected with web-based malware, it is at risk of being blacklisted
by browsers, search engines and desktop anti-virus vendors, and users are then warned
away from, or blocked from, the blacklisted site. For example, Google’s crawlers
encountered a website while indexing the web, detected that the site was infected with
web-based malware, and Google subsequently applied the warning “This site may harm
your computer.” to the site in its search results. Firefox users were blocked from
accessing the site completely. As a result, traffic to the site plummeted. Microsoft’s
Internet Explorer and Live Search, Symantec Norton, McAfee SiteAdvisor and many other
browsers, search engines and desktop anti-virus products also blacklist websites. Once
a site is blacklisted, it can take days or even weeks to clear its name from the blacklist.

During this time, the website is experiencing significant business losses:

• Customer Loss (visitors are blocked from accessing the site; the site is “off the
air”)
• Brand Damage (the blacklisting hits the blogosphere and Twitter; the site loses
confidence and trust of existing and new users)
• Support Costs (site has to engage in emergency technical fixes while fielding
concerned calls and emails from their customers)

Certainly, this is a strong illustration of the need for web-facing businesses to take
advantage of web application security assessments.

Web Application Threats


Web application threats have continued to increase and we expect this trend to continue
in 2010. This has been the conclusion of both our own customer observations and
several other security organizations. A number of underlying issues that drive this trend
are as follows:

• Business units are placing a great degree of pressure on their IT and security
groups to support commercial social networking systems. Not only do these
systems have web application flaws that are beyond the customers’ control,
but they present a much larger attack surface. Further, they provide excellent
reconnaissance vehicles for directed attacks.
• Composite or “mash-up” applications provide another class of web applications
where it is difficult to determine who is really in charge from a development
and security point of view. Has every component of the application gone through a
secure Software Development Life Cycle (SDLC)? Has any security testing taken
place? The business believes it has benefited from rapidly developed, feature-
rich applications. Has it accomplished this by overlooking the security threats
and the risks to its brand?

The rate at which applications are being updated has increased sharply since 2007.
It is clear that the customer investment in application security and change management
processes has not kept pace. Redspin finds that when we have tested a customer’s
application, the customer acknowledges our findings, makes the necessary changes
and enters production with a secure application. However, when we return several
months later, the application is on its fifth iteration and is far from secure. In these
cases we recommend that customers look at both their application security and change
management procedures with greater scrutiny.



Botnets, Keyloggers and Other Malware
When reviewing these classes of threats we find our customers are in what is called
asymmetric warfare. An attacker need only find one flaw in the information security
system, whereas the customer must defend all layers of their infrastructure at all times.
Compounding the problem, attackers are highly-skilled, well-compensated and constantly
evolving the nature of their attacks.

Keyloggers are a good demonstration of the damage that can be done. The attack in
question arrives unnoticed, begins logging keystrokes until it has discovered valuable
data such as credit card numbers or complete account information. The malware stores
this information until it is signaled by the controlling botnet to stream back the
information encrypted over a port sure to be open (such as port 443).

Customers must also be mindful of the security of partners with which they do business.
In the past year we have seen several instances of our financial service provider
customers running a highly secure program, yet using third-party partners for wire
transfers. These partner web applications are insecure and provide an attacker with the
ability to break into the system and send unauthorized wire transfers or steal customer
information.
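The tunnelling described above can be caught in the simplest case without decrypting anything, by checking that what leaves on port 443 actually speaks TLS. As an added example that is not part of the original paper, the following Go code inspects the first bytes a client sent on a connection and flags flows to port 443 that do not open with a well-formed TLS ClientHello record. The flows are constructed for the example and use addresses from the documentation ranges.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Flow holds the first bytes a client sent on a connection, with the destination port.
type Flow struct {
	Src, Dst string
	DstPort  int
	Payload  []byte
}

// looksLikeClientHello reports whether the bytes start with a well-formed TLS
// handshake record carrying a ClientHello (RFC 5246, sections 6.2.1 and 7.4).
func looksLikeClientHello(p []byte) bool {
	if len(p) < 9 {
		return false
	}
	if p[0] != 0x16 { // ContentType: handshake
		return false
	}
	if p[1] != 0x03 || p[2] > 0x03 { // record version SSL 3.0 .. TLS 1.2 (TLS 1.3 clients still write 0x0301 or 0x0303 here)
		return false
	}
	recLen := int(binary.BigEndian.Uint16(p[3:5]))
	if p[5] != 0x01 { // HandshakeType: client_hello
		return false
	}
	hsLen := int(p[6])<<16 | int(p[7])<<8 | int(p[8])
	// Clients send the ClientHello in a single record, so the record body must be exactly the
	// handshake body plus its 4-byte handshake header; anything else is fake or broken framing.
	return recLen == hsLen+4
}

// classify labels a flow by what it looks like on the wire: "tls" for a port-443 flow
// that opens with a ClientHello, "non-tls-on-443" for anything else pushed through that
// port, and "other" for ports this check does not cover.
func classify(f Flow) string {
	switch {
	case f.DstPort != 443:
		return "other"
	case looksLikeClientHello(f.Payload):
		return "tls"
	default:
		return "non-tls-on-443"
	}
}

// suspicious returns the flows that use port 443 without speaking TLS.
func suspicious(flows []Flow) []Flow {
	var out []Flow
	for _, f := range flows {
		if classify(f) == "non-tls-on-443" {
			out = append(out, f)
		}
	}
	return out
}

// Constructed sample flows; the addresses come from the documentation ranges.
var flows = []Flow{
	// A genuine ClientHello: record header 16 03 01 00 2c, handshake header 01 00 00 28, 40 bytes of body.
	{"10.0.0.5", "203.0.113.10", 443, append([]byte{0x16, 0x03, 0x01, 0x00, 0x2c, 0x01, 0x00, 0x00, 0x28}, make([]byte, 40)...)},
	// Plain HTTP to 443: a bot checking in with its controller through the hole left open for HTTPS.
	{"10.0.0.7", "198.51.100.23", 443, []byte("POST /gate.php HTTP/1.1\r\nHost: 198.51.100.23\r\n")},
	// An IRC-style command channel on 443.
	{"10.0.0.9", "198.51.100.24", 443, []byte("NICK [USA|XP]8823\r\nUSER x 0 0 :x\r\n")},
	// Ordinary web traffic on port 80 is outside the scope of this check.
	{"10.0.0.5", "203.0.113.11", 80, []byte("GET / HTTP/1.1\r\n")},
}

func main() {
	for _, f := range suspicious(flows) {
		fmt.Printf("%s -> %s:%d  %q\n", f.Src, f.Dst, f.DstPort, f.Payload)
	}
}
```

This is the check a port-only firewall cannot make and that needs only the first packet of each flow from a capture or an inline sensor. A botnet that wraps its traffic in genuine TLS passes it, so it belongs alongside checks on the destination and on the server certificate for the same flows, not in place of them.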

Poor Choice of Identity and Access
Management Systems
Additional areas where ongoing challenges are experienced among our customers
are in the area of identity and access systems. This has been the case across most of
the industry segments we serve, but has been most dramatic in the healthcare sector.
We believe this is due to the diverse set of constituents and the vastly different set of
requirements across them.

For example, the IT and security teams at several healthcare organizations must make
appropriate identity and access management choices across user groups such as
physicians, insurers, healthcare administrators and patients. Clearly, this is not a one-
size-fits-all choice in terms of identity and access management.

Our continuing approach is to consider a range of factors such as the most typical
use case, security strength required, client side requirements, portability, multiple uses,
system requirements, and cost and distribution requirements.

In the case of these customers, we recommended software-based one-time password
(OTP) generators on mobile devices for physicians, hardware tokens for payers and for
healthcare administrators, and risk-based authentication for patients.

Lack of Attention to Protecting High Business
Impact Data
The imposition of legal and regulatory obligations, such as the requirement for adequate
information security controls to protect personal data and mandatory breach disclosure,
has clearly been an important driver in the past year across the customer bases with
which we work. Interestingly, the sharpest sting customers feel is not from fines but from
the cost and brand damage associated with organizing a notification campaign to their
customer base.



The customer has a number of risk mitigation options, ranging from broad-scale data
loss prevention systems to encryption of data at rest and data in transit. As with the
previous problem of managing identity and access systems properly, we recommend
solutions that solve the needs of a particular group of constituents well, rather than a one-
size-fits-all choice of technology and supporting processes.

A good starting point, most often, is a data classification exercise where the customer
seeks to identify High Business Impact data (HBI), Medium Business Impact data (MBI)
and Low Business Impact data (LBI). In this manner, the customer can focus security efforts
where they have the most value and impact risk reduction to the greatest degree.

Poor Procedures for Patching and
Configuring Infrastructure
During the last year many of our customers transitioned to virtual infrastructures. As we
noted before, this transition has demonstrated financial benefits but often brings security
issues along, particularly in the case of inventory management and patching and
configuring infrastructure. In our view (which largely consists of working in VMware
environments) there are many ways to administer a Virtual Machine (VM), namely through
SSH, web access and a VMware vCenter server. This leads to flexibility on the part of the
customer but presents major challenges for the security team and auditors.

Another benefit of virtualized environments is the ease of duplicating an image or taking
a “snapshot”. While useful, this tends to lead to a great many unmanaged VMs in the
data center (known as server sprawl). Because IT has lost sight of these systems, they
tend to be highly dangerous in that they are not patched and can become likely targets.

Lastly, configuration within virtual environments is remarkably easy, but VM mobility is
not. Machines move from one trust domain to another and often a security breakdown is
close at hand. We recommend strong policy review for virtualized environments,
automation of inventory management and highly frequent process checks that policy
matches reality.
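The automated “does reality match policy” check that this section and the Ineffective Policy section both call for, as an added example in Go written for this page rather than a Redspin tool: it reconciles a hypervisor inventory export against the patch-management system’s agent list and a small machine-readable policy stating which port groups each trust zone may use, and reports VMs unknown to patch management (sprawl), agents that have gone silent, and VMs attached to a network their zone tag does not permit (the VM-mobility problem). The VM names, zone and port-group names, the 14-day agent threshold and the two inventories are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// VM is one record from the hypervisor's inventory export.
type VM struct {
	Name      string
	PoweredOn bool
	Zone      string // trust zone the owner tagged the VM with, e.g. "dmz", "internal", "pci"
	Network   string // port group the VM's NIC is actually attached to
}

// Agent is one record from the patch-management system's list of reporting hosts.
type Agent struct {
	Host        string
	LastCheckin time.Time
}

// Policy is the written policy in machine-readable form: allowed port groups per zone,
// and how long an agent may stay silent before the host counts as unmanaged.
type Policy struct {
	ZoneNetworks map[string][]string
	MaxAgentAge  time.Duration
}

// Finding is one place where reality does not match policy.
type Finding struct{ VM, Issue string }

// reconcile compares the hypervisor's view of the estate with the patch system's view and with policy.
func reconcile(vms []VM, agents []Agent, pol Policy, now time.Time) []Finding {
	lastSeen := make(map[string]time.Time, len(agents))
	for _, a := range agents {
		lastSeen[a.Host] = a.LastCheckin
	}
	var out []Finding
	for _, vm := range vms {
		last, known := lastSeen[vm.Name]
		switch {
		case !known:
			// A clone or snapshot nobody registered: it will never be patched, running or not.
			out = append(out, Finding{vm.Name, "unknown to patch management (sprawl)"})
		case vm.PoweredOn && now.Sub(last) > pol.MaxAgentAge:
			days := int(now.Sub(last).Hours() / 24)
			out = append(out, Finding{vm.Name, fmt.Sprintf("agent silent for %d days", days)})
		}
		if !contains(pol.ZoneNetworks[vm.Zone], vm.Network) {
			// The VM-mobility problem: the machine sits on a network its trust zone does not allow.
			out = append(out, Finding{vm.Name, fmt.Sprintf("zone %q but attached to %q", vm.Zone, vm.Network)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].VM < out[j].VM })
	return out
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// sampleData stands in for a vCenter export and a patch-server agent list (constructed, not real).
func sampleData(now time.Time) ([]VM, []Agent) {
	vms := []VM{
		{"web01", true, "dmz", "pg-dmz"},
		{"web01-clone", true, "dmz", "pg-dmz"},         // cloned from a snapshot, never registered
		{"db02", true, "pci", "pg-internal"},           // migrated off the PCI port group
		{"app03", true, "internal", "pg-internal"},     // agent stopped reporting
		{"old-test", false, "internal", "pg-internal"}, // powered off, but will boot unpatched
	}
	agents := []Agent{
		{"web01", now.Add(-24 * time.Hour)},
		{"db02", now.Add(-48 * time.Hour)},
		{"app03", now.Add(-45 * 24 * time.Hour)},
	}
	return vms, agents
}

// policy is the (assumed) written standard: DMZ hosts only on the DMZ port group, and so on.
var policy = Policy{
	ZoneNetworks: map[string][]string{"dmz": {"pg-dmz"}, "internal": {"pg-internal", "pg-mgmt"}, "pci": {"pg-pci"}},
	MaxAgentAge:  14 * 24 * time.Hour,
}

func main() {
	now := time.Now()
	vms, agents := sampleData(now)
	for _, f := range reconcile(vms, agents, policy, now) {
		fmt.Printf("%-12s %s\n", f.VM, f.Issue)
	}
}
```

The two inputs are what the hypervisor and the patch server already export; the value is in joining them on a schedule and treating every line of output as a ticket, which is the quarterly-or-better process check the policy section asks for.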

Social Engineering Threats
The scope, depth and motivations behind social engineering threats have continued to
grow through 2009. We believe this has much to do with the more directed efforts of
organized crime. Malicious organizations that are economically motivated can afford to
hire the staff to mount these offensives en masse.

Customers have some options, however. For the most part, organized attacks are after
passwords and other account information. Customers can sharply reduce the value of a
phished or keylogged password by requiring a hardware or software token as a second
authentication factor. Customers must also invest in security awareness training; our own
experience shows that this dramatically reduces attack effectiveness. Customers need to
ensure that effective policies are in place and that everyone in the organization carries
them out.



Lack of Encryption and Centralized
Key Management
Encryption is the most effective control available for protecting the confidentiality of
sensitive data. It can be applied by each application to data stored in databases or in
file systems. Encryption can also be applied in the storage area network while data is in
transit (generally in the switch). For end users such as nomadic workers carrying laptops,
whole-disk encryption renders the data stored on a lost laptop useless to a thief, as long
as the machine was powered off rather than merely suspended when it was lost.

Encryption has another benefit with respect to regulatory requirements. For example,
for healthcare organizations, the regulations state that disclosed data that has been
compromised, yet is protected by encryption, is not subject to notification requirements
(provided the encryption keys were not compromised along with it), thus saving the
customer significant costs and brand damage.

In theory, customers have found the benefits of using encryption attractive, but in practice
many have backed down when trying to organize a key management approach. We
recommend that key management be centralized rather than left to a business unit or an
outside IT organization. Policies should be well documented and describe the operations
and procedures for key rotation, auditing and backup.
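As an added example that is not part of Redspin’s paper, the following Go program shows the pattern a centralized key service uses to make the rotation just recommended affordable: each record is sealed under its own data key (DEK), only that DEK is wrapped under a versioned key-encryption key (KEK) held by the service, so rotating the KEK means re-wrapping small DEKs rather than re-encrypting every database and file, and every operation is logged for audit. The KeyService and Record names and the sample record text are this example’s own assumptions; the ciphers are AES-256-GCM from the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what the application stores: data sealed under its own DEK, plus that DEK wrapped under a versioned KEK.
type Record struct {
	KEKVersion int
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// KeyService is the central key manager: it keeps every KEK version so older records stay readable, and logs each operation.
type KeyService struct {
	keks    map[int][]byte
	current int
	Audit   []string
}

// randBytes returns n bytes from the OS CSPRNG; failure here is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}

// Rotate creates a new KEK version and makes it current; older versions stay available for unwrapping.
func (ks *KeyService) Rotate() {
	if ks.keks == nil { ks.keks = map[int][]byte{} }
	ks.current++
	ks.keks[ks.current] = randBytes(32)
	ks.Audit = append(ks.Audit, fmt.Sprintf("rotate: KEK v%d is now current", ks.current))
}

// gcm builds AES-256-GCM; every key here is 32 bytes, so a failure is a programming error.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce || ciphertext with a fresh random nonce on every call.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or any tampering fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// Encrypt makes a fresh DEK for the record, seals the data with it and wraps the DEK under the current KEK.
func (ks *KeyService) Encrypt(plaintext []byte) Record {
	dek := randBytes(32)
	ks.Audit = append(ks.Audit, fmt.Sprintf("encrypt: DEK wrapped under KEK v%d", ks.current))
	return Record{ks.current, seal(ks.keks[ks.current], dek), seal(dek, plaintext)}
}

// unwrap recovers a record's DEK; a KEK version that has been destroyed is an error, not a panic.
func (ks *KeyService) unwrap(r Record) ([]byte, error) {
	k, ok := ks.keks[r.KEKVersion]
	if !ok { return nil, fmt.Errorf("KEK v%d is no longer held", r.KEKVersion) }
	return open(k, r.WrappedDEK)
}

// Decrypt unwraps the DEK named in the record, then opens the data with it.
func (ks *KeyService) Decrypt(r Record) ([]byte, error) {
	dek, err := ks.unwrap(r)
	if err != nil { return nil, err }
	ks.Audit = append(ks.Audit, fmt.Sprintf("decrypt: used KEK v%d", r.KEKVersion))
	return open(dek, r.Ciphertext)
}

// Rewrap moves a record to the current KEK by re-wrapping only the DEK; the bulk ciphertext is untouched.
func (ks *KeyService) Rewrap(r Record) (Record, error) {
	dek, err := ks.unwrap(r)
	if err != nil { return Record{}, err }
	ks.Audit = append(ks.Audit, fmt.Sprintf("rewrap: KEK v%d -> v%d", r.KEKVersion, ks.current))
	return Record{ks.current, seal(ks.keks[ks.current], dek), r.Ciphertext}, nil
}

func main() {
	var ks KeyService
	ks.Rotate()
	rec := ks.Encrypt([]byte("account 4711: balance and SSN"))
	ks.Rotate()
	rec, _ = ks.Rewrap(rec)
	pt, _ := ks.Decrypt(rec)
	fmt.Printf("%s (record now on KEK v%d)\n%v\n", pt, rec.KEKVersion, ks.Audit)
}
```

Retiring an old KEK is then one deletion from the service’s key table, to be done only after every record has been rewrapped and the audit log confirms it; the backup procedure the policy must describe is the backup of that key table, since without it the bulk data is as lost as on a stolen laptop.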
Change Management Procedures for Applications
In discussions with our customers, the rate of application change (both for feature
and scalability reasons) has increased at a rapid pace throughout 2009. Yet development
and quality assurance organizations often struggle with complex build and test systems.
Here the virtualized environments that have created security issues can work in your favor
to safeguard your environment. For many of our customers the server consolidation ratios
they have achieved have led them to create VMs for many different reasons. We would
advocate that the security and IT teams insist that a sufficient portion of VMs be allocated
to the staging environment so that robust functional and security testing may be performed.
This includes checking for proper behavior in the disaster recovery process and that the
applications are fully integrated with system and performance management tools, as they
will be in production.

Partner Information Access


Organizations should be vigilant of the security implications likely present from the
partner networks they connect to and, more importantly, those from whom they allow
inbound connections. This risk began to emerge with more frequency in 2009 and it is of
particular concern because most people do not even realize that it is an issue of which to
be cognizant. A server room or data center would have multiple and completely
independent layers of security in order to gain physical server access. Why are these same
practices not applied to partner networks? Best practices state that instead of terminating
the connection directly into the core of your internal network, it is best to route these
connections into a restricted security domain.

Accepting partner network connections implicitly grants trust to everything on the other
side of that connection. To what extent has your partner addressed the issues raised in this
paper? Do they have disgruntled employees? How is their virus protection process and
policy? What are their processes and procedures for remote access? In effect, by
connecting your organization to a third party, you expose yourself to a far greater range
of risk. Despite your organization’s efforts to decrease your security footprint, utilizing a
third party is working in the opposite direction.

One particular dimension of partner information access is the dangerous assumption on
the part of a well-intentioned and security-conscious organization that the partner
network from whom they allow connections must be secure simply because it is a widely
recognized, global entity. This is the intuitive and natural way to think about security, but
our research indicates the opposite: the bigger, more prominent and more complex a
network, the more it is targeted and at risk.

Regardless of whether a connection from a partner network or service provider is
accepted from a globally recognized vendor or a local business, best security practices
state that you should never trust “by default” whatever is on the other side of that
connection. The minimum controls that should be deployed are a firewall between you
and the partner network as well as adequate segmentation to ensure that connections
terminate in a specific area of the network where little damage could occur given a
worst-case scenario. Most crucial is awareness in the first place that these connections
are transpiring and that they could very well represent the weakest link in your network.

The above cited research was conducted by the Redspin security team, during the course
of hundreds of security assessments nationwide in 2008/2009.

For questions and comments email Redspin at info@redspin.com.

Or call 805-684-6858.

About Redspin www.redspin.com

Redspin delivers the highest quality Information Security Assessments through technical
expertise, business acumen and objectivity. Redspin customers include leading companies
in areas such as healthcare, financial services and hotels, casinos and resorts as well as
retailers and technology providers. Some of the largest communications providers and
commercial banks rely upon Redspin to provide an effective technical solution tailored to
their business context, allowing them to reduce risk, maintain compliance and increase
the value of their business unit and IT portfolios.

