WHITE PAPER
TABLE OF CONTENTS
1 Executive Summary
2 Lack of Security Visibility with Virtualization Infrastructure
3 Ineffective Policy
4 “Drive-By-Downloads”; Web Malware
5 Web Application Threats
6 Botnets, Keyloggers and Other Malware
7 Poor Choice of Identity and Access Management Systems
8 Lack of Attention to Protecting High Business Impact Data
9 Poor Procedures for Patching and Configuring Infrastructure
10 Social Engineering Threats
11 Lack of Encryption and Centralized Key Management
12 Change Management Procedures for Applications
13 Partner Information Access
In our review of security threats and issues over the past year, we have broadened our
outlook to consider threats that break down the information security fabric that protects
your information. Our unique view of emerging issues and threats gives us the basis for
these 2010 projections.
We believe these security issues are the result of the following important trends:
On the threat front, direct attacks against applications in various forms lead the way.
Our belief is that this is because the aim of the attacker is monetary gain and the web
application presents the largest attack surface while being easiest to exploit. Botnets
remain widespread but have become a more significant threat because of their ability
to tunnel over common transport protocols. Thus, outdated firewalls offer no protection,
nor do IPS or IDS systems.
Let's now examine some of the threats and security issues we have identified:
This research was conducted by the Redspin security team, during hundreds of security
assessments nationwide in 2008/2009. For questions and comments please email
Redspin at info@redspin.com.
The team at Redspin has found this situation time and time again in our assessments over
the years. For corrective action, we recommend a policy review as well as a process
change to assess policy effectiveness on a quarterly basis. Equally important is to create
a mechanism for automating the connection between what is happening in your infrastructure
and the requirements of your policy. Often event logs or the correlated output
of Security Information and Event Management (SIEM) systems can be an effective
approach. Nevertheless, customers must also make the security-conscious decision to
review and take action on a regular basis.
Malicious ads (also known as "malvertising") are another way for a website to
experience malware attacks. Rather than infecting a website directly, attackers infect an
ad network (perhaps even by simply creating an ad that looks legitimate but actually
serves malware to the user). Once their malicious ad is in the ad network, it can be
presented to users on various websites as the ad network simply rotates through its
inventory of ads. This is often a difficult attack to detect on a website because the malicious
code may show up only intermittently, on some user requests and not others. Unless you happen
to observe the malicious ad being served, you will not be able to detect the malicious code on
the website.
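As an added example (not from the Redspin paper), the following Python script shows why a single fetch misses a rotating malicious ad: it samples the same page repeatedly, collects every third-party script and iframe host, and reports any host absent from the site's known-good list together with the fraction of samples in which it was served. All hostnames and HTML below are constructed.

```python
# Added example: detect intermittently served third-party content by sampling
# one page many times instead of once. A malicious ad rotating through an ad
# network's inventory appears in only a fraction of responses.
import re
from collections import Counter
from urllib.parse import urlparse

# Matches the src attribute of <script> and <iframe> tags in a captured page body.
SRC_RE = re.compile(r'<(?:script|iframe)[^>]*\bsrc=["\']([^"\']+)["\']', re.I)


def third_party_hosts(html, site_host):
    """Return the set of external hosts a page loads scripts or iframes from."""
    hosts = set()
    for src in SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return hosts


def find_suspicious_hosts(samples, site_host, allowlist):
    """samples: HTML bodies captured from repeated requests to the same page.

    Returns {host: fraction_of_samples_serving_it} for every third-party host
    that is not on the allowlist. A low fraction is the malvertising tell: the
    content is present, but only on some requests.
    """
    seen = Counter()
    for html in samples:
        for host in third_party_hosts(html, site_host):
            seen[host] += 1
    return {host: count / len(samples)
            for host, count in seen.items() if host not in allowlist}


# Constructed sample responses (stand-ins for captured page bodies): 8 clean
# samples and 2 where the ad network rotated in an unexpected iframe host.
CLEAN = '<html><script src="https://ads.example-adnet.test/tag.js"></script></html>'
TAINTED = CLEAN + '<iframe src="http://rotated-ad.invalid/serve?id=7"></iframe>'
SAMPLES = [CLEAN] * 8 + [TAINTED] * 2
ALLOWLIST = {"ads.example-adnet.test"}  # hosts the site expects to load from


def demo():
    return find_suspicious_hosts(SAMPLES, "www.example.test", ALLOWLIST)


if __name__ == "__main__":
    for host, ratio in demo().items():
        print(f"{host}: served in {ratio:.0%} of samples")
```

In practice the allowlist comes from a baseline of the site's own tags and known ad partners, and the samples from scheduled fetches with varied client profiles, since ad networks target by geography and browser.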
• Customer Loss (visitors are blocked from accessing the site; the site is "off the air")
• Brand Damage (the blacklisting hits the blogosphere and Twitter; the site loses the confidence and trust of existing and new users)
• Support Costs (the site has to engage in emergency technical fixes while fielding concerned calls and emails from its customers)
Certainly, this is a strong illustration of the need for web-facing businesses to take
advantage of web application security assessments.
• Business units are placing a great degree of pressure on their IT and security groups to support commercial social networking systems. Not only do these systems have web application flaws that are beyond the customers' control, but they present a much larger attack surface. Further, they provide excellent reconnaissance vehicles for directed attacks.
• Composite or mash-up applications provide another class of web applications where it is difficult to determine who is really in charge from a development and security point of view. Has each component of the application gone through a secure Software Development Life Cycle (SDLC)? Has any security testing taken place? The business believes it has benefited from rapidly developed, feature-rich applications. Have they accomplished this by overlooking the security threats and the risks to their brand?
The rate at which applications are being updated has increased sharply since 2007.
It is clear that the customer investment in application security and change management
processes has not kept pace. Redspin finds that when we have tested a customer's
application, the customer acknowledges our findings, makes the necessary changes
and enters production with a secure application. However, when we return several
months later, the application is on its fifth iteration and is far from secure. In these
cases we recommend that customers look at both their application security and change
management procedures with greater scrutiny.
For example, the IT and security teams at several healthcare organizations must make
appropriate identity and access management choices across user groups such as
physicians, insurers, healthcare administrators and patients. Clearly, this is not a
one-size-fits-all choice in terms of identity and access management.
Our continuing approach is to consider a range of factors such as the most typical
use case, security strength required, client side requirements, portability, multiple uses,
system requirements, and cost and distribution requirements.
A good starting point, most often, is a data classification exercise in which the customer
identifies High Business Impact data (HBI), Medium Business Impact data (MBI)
and Low Business Impact data (LBI). In this manner, the customer can focus security efforts
where they have the most value and reduce risk to the greatest degree.
Encryption has another benefit with respect to regulatory requirements. For example,
for healthcare organizations, the regulations state that disclosed data that has been
compromised, yet is protected by encryption, is not subject to notification requirements,
thus saving the customer significant costs and brand damage.
In theory, customers have found the benefits of using encryption attractive but have
backed down when trying to organize a key management approach. We recommend
that key management be centralized rather than the domain of a business unit or outside
IT organization. Policies should be well-documented and describe the management of
the operations and procedures such as key rotation, auditing and backup procedures.
Change Management Procedures for Applications
In discussions with our customers, the rate of application change (both for feature
and scalability reasons) has increased at a rapid pace throughout 2009. Yet, often
development and quality assurance organizations struggle with complex build and test
systems. In this case, the virtualized environments that have created security issues can
work in your favor to safeguard your environment. For many of our customers the server
consolidation ratios that they have been able to achieve have led them to create VMs
for many different reasons. We would advocate that the security and IT teams insist that
a sufficient portion of VMs are allocated to the staging environment so robust functional
and security testing may be performed. This includes checking for proper behavior in
the disaster recovery process and that the applications are fully integrated, as they will
be in production, with system and performance management tools.
Redspin delivers the highest quality Information Security Assessments through technical
expertise, business acumen and objectivity. Redspin customers include leading companies
in areas such as healthcare, financial services, hotels, casinos and resorts, as well as
retailers and technology providers. Some of the largest communications providers and
commercial banks rely upon Redspin to provide an effective technical solution tailored to
their business context, allowing them to reduce risk, maintain compliance and increase
the value of their business unit and IT portfolios.