tl;dr: Application Security Trend Report

  • According to the Application Security Trend Report, 81% of surveyed respondents use Java as their programming language to add value for their customers.
  • 87% of surveyed respondents develop web applications, while 60% develop enterprise business applications.
  • 38% of the surveyed respondents are developers or engineers, 22% work as developer team leads, and 22% are architects.

Security and Developers

Developers are the first line of defense when it comes to securing their most valuable asset: code. This is the idea behind the shift-left movement. In essence, developers need to think about security before pushing their work to the next stage in the pipeline.

Writing secure code is key: secure as in not being penetrable by external or internal actors. Another key factor of being secure is that the software works as intended. There are six techniques that developers definitely need to consider when sitting down to plan the testing phase of their work:

  1. Validating Inputs
  2. Architecting and Designing for Security Policy
  3. Making Permissions Explicit and Denial the Default
  4. Using a Secure Coding Standard
  5. Executing All Processes with the Least Set Privileges
  6. Sanitizing Data Before Sending it to Other Systems
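To make three of these six techniques concrete, here is an added example (not code from the original post or from the report it summarizes): a tiny account-lookup service that validates its input against an allowlist pattern, checks an explicit permission table where anything not listed is denied, and hands user data to another system (an SQLite database) only as a bound parameter. The roles, the username rule and the sample rows are constructed for illustration; the unsafe variant is included only to show what the hardened path prevents.

```python
# Added example (not from the original post): a tiny account-lookup service
# that applies three of the six techniques above. Names, roles and the
# sample rows are constructed for illustration.
import re
import sqlite3

# Technique 1: validate input against an allowlist pattern (which is also a
# bounds check on length) instead of trying to clean up whatever arrives.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")

# Technique 3: every permitted (role, action) pair is listed explicitly.
# Anything not in this set is denied; there is no catch-all "allow".
PERMISSIONS = {
    ("teller", "read_balance"),
    ("auditor", "read_balance"),
    ("auditor", "read_history"),
}


def is_allowed(role, action):
    """Deny by default: unknown roles and unlisted actions both return False."""
    return (role, action) in PERMISSIONS


def validate_username(raw):
    """Reject (rather than repair) anything that does not match the allowlist."""
    if not isinstance(raw, str) or not USERNAME_RE.match(raw):
        raise ValueError("invalid username")
    return raw


def build_db():
    """Constructed in-memory database standing in for the 'other system'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 120), ("bob", 40)])
    return conn


def read_balance(conn, role, username):
    """Hardened path: permission check, input validation, parameterized query."""
    if not is_allowed(role, "read_balance"):
        raise PermissionError(f"role {role!r} may not read_balance")
    name = validate_username(username)
    # Technique 6: the database receives the username as a bound parameter,
    # never spliced into the SQL text, so it cannot change the query.
    row = conn.execute("SELECT balance FROM accounts WHERE username = ?",
                       (name,)).fetchone()
    return None if row is None else row[0]


def read_balance_unsafe(conn, username):
    """The 'before' version: no validation and string-built SQL. Shown only
    for contrast with read_balance()."""
    query = f"SELECT balance FROM accounts WHERE username = '{username}'"
    row = conn.execute(query).fetchone()
    return None if row is None else row[0]


def check_injection_attempt(conn, payload="x' OR '1'='1"):
    """Feed the same crafted username to both paths. The hardened path
    rejects it at validation; the unsafe path returns the first row's balance
    because its WHERE clause became always-true."""
    try:
        safe = read_balance(conn, "teller", payload)
    except ValueError:
        safe = "rejected"
    return safe, read_balance_unsafe(conn, payload)


if __name__ == "__main__":
    db = build_db()
    print(read_balance(db, "teller", "alice"))   # 120
    print(check_injection_attempt(db))            # ('rejected', 120)
```

The order inside `read_balance` is deliberate: the permission check runs before any input is parsed, so an unauthorized caller never exercises the validation or database code at all.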

One major vulnerability that all software can potentially fall victim to is the buffer overflow attack.

“A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of memory can corrupt data, crash the program, or cause execution of malicious code.”

The most popular ways to mitigate this type of attack are code auditing, bounds checking, use of compiler tools, and coding only in strongly typed languages with no direct memory access (including the libraries used).

I found it fascinating that more companies are doing source code analysis. However, it does sadden me to see that fewer companies are relying on penetration testing as a security defense. I am a big advocate for static and dynamic code analysis. This will help developers think about security at the left side of the pipeline.

Security and Enterprises

I cannot stress enough the importance of having a well-defined application development lifecycle. Also, knowing when in the lifecycle to implement security protocols can seriously affect their efficacy. I want this shift-left movement to start spreading into company culture everywhere.

I am not surprised that 29% of surveyed companies spend most of their time on application security during the design phase. However, I am shocked that 26% of surveyed companies spend most of their time on application security during the implementation phase. Are companies thinking about security at all?

Luckily, only 12% of respondents reported that 1/5 of deployments contain known security vulnerabilities. But we should be at a point where deployments do not have any known vulnerabilities. The fact that these vulnerabilities are known to the public is disheartening. I thought we were at a point where deployments would be clean of at least the known ones.

The threats that organizations plan on allocating most of their resources to are phishing attacks, distributed denial of service, ransomware, and SQL injection.

Building Security into Application Architecture for Continuous DevOps Protection

  1. Implement a single security solution that reduces dependencies and integrates with DevOps tools, pipelines, and hybrid cloud environments
  2. Reduce disruption of development schedules and workflows, with automated protection for images, containers, and your hosts
  3. Implement early detection best practices via application programming interfaces by scanning images at build time and repeatedly for the duration of their life in the registry
  4. Maximize threat detection, at both the software build pipeline and runtime, with industry pro and focused threat intelligence feeds
  5. Help meet risk and compliance requirements by implementing comprehensive threat and risk detection that covers malware, vulnerabilities, secrets, and policy violations early in the CI/CD pipeline

Automated Full Life Cycle, Full Stack Container & Workload Security

“We’re able to protect a container pre-runtime by understanding what’s going on in the environment from a security perspective before it even hits production.”

  1. Prevent exploits within the build pipeline
  2. Provide continuous security for unknown security
  3. Expedite deployments with image assertion
  4. Secure workloads and container platforms at runtime
  5. Meet compliance needs with trusted security

Is your system vulnerable to BlueKeep?

There was a critical exploit that was announced about two months ago. The exploit (CVE-2019-0708) is a remote, wormable vulnerability in Microsoft’s RDP known as BlueKeep. This means that people with RDP services running need to patch their systems as soon as possible; otherwise there will be attackers trying to gain access to their networks. A list of affected products and the security patch needed to remedy this exploit can be found here.

Normally, RDP servers are secured by just a username and password, which can be cracked easily with brute force or password-cracking tools like mimikatz. Once cracked, the attacker has the ability to execute arbitrary code on the target system. Also, the attacker would have the ability to install programs; view, change, or delete data; or create new accounts with full user rights. This exploit is giving me nightmares tonight!

In order to exploit this vulnerability, an attacker will need to send special requests to the target system’s Remote Desktop Service via RDP. Here is a link to an example implementation of the Microsoft Windows Remote Desktop BlueKeep denial of service: click here and here. I am not responsible for what you use this to accomplish, and it should only be used for educational purposes.

Some possible mitigation practices are to disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities. Another option is to enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2. The last option is to block, or only allow certain hosts to go through, TCP port 3389 (for RDP) at the enterprise perimeter firewall.
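The last mitigation only helps if the perimeter rule actually holds, so the check a defender wants is one that reads the firewall log and finds RDP flows the allowlist should have stopped. The following is an added example, not code from the original post or from any vendor tool: it parses a constructed key=value style connection log, reports RDP sessions that were allowed from sources outside a hypothetical management subnet (10.20.0.0/24 is an assumption), and counts RDP attempts per source so a single host touching many internal machines stands out.

```python
# Added example (not from the original post): checks a firewall connection log
# for RDP (TCP 3389) flows that bypass the "only allow certain hosts" rule.
# The log format, the jump-host range and the addresses are all constructed.
import ipaddress
import re
from collections import Counter

RDP_PORT = 3389
# Hypothetical management subnet: the only source allowed to reach RDP.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Key=value style line, loosely modelled on common firewall exports.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)

# Constructed sample: one legitimate jump-host session, one external host
# reaching several internal machines, and one unrelated HTTPS flow.
SAMPLE_LOG = """\
2019-07-01T10:00:01 fw01 src=10.20.0.15 dst=10.50.1.8 dport=3389 action=allow
2019-07-01T10:00:02 fw01 src=203.0.113.9 dst=10.50.1.8 dport=3389 action=allow
2019-07-01T10:00:03 fw01 src=203.0.113.9 dst=10.50.1.9 dport=3389 action=allow
2019-07-01T10:00:04 fw01 src=198.51.100.4 dst=10.50.1.8 dport=443 action=allow
2019-07-01T10:00:05 fw01 src=203.0.113.9 dst=10.50.1.10 dport=3389 action=deny
"""


def parse_line(line):
    """Return the src/dst/dport/action fields of one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(ip_text):
    """True when the source address sits inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ALLOWED_RDP_SOURCES)


def find_rdp_exposure(log_text):
    """(src, dst) pairs where RDP was *allowed* from a source outside the
    allowlist: each one is a host the perimeter rule failed to protect."""
    exposed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["dport"] != RDP_PORT or rec["action"] != "allow":
            continue
        if not is_allowed_source(rec["src"]):
            exposed.append((rec["src"], rec["dst"]))
    return exposed


def rdp_attempts_by_source(log_text):
    """How many RDP connection attempts (allowed or denied) each source made."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] == RDP_PORT:
            counts[rec["src"]] += 1
    return counts


if __name__ == "__main__":
    for src, dst in find_rdp_exposure(SAMPLE_LOG):
        print(f"RDP allowed from non-allowlisted {src} to {dst}")
    print(rdp_attempts_by_source(SAMPLE_LOG).most_common(3))
```

Denied attempts are deliberately kept in the per-source count: a source that is being blocked on one internal address but allowed on another is exactly the inconsistency that points at a gap in the rule set.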


CCNA Security Certified


I am excited to write this post, finally! I passed my CCNA Security Exam – Implementing Cisco Network Security (210-260). I started studying around Summer of 2018 by reading the CCNA Security Official Certified Guide. I read this document for about two or three months, getting halfway through that thick lexicon of security terms. You may have read my previous post about getting my VCP-DCV 6.5 certification and keeping up with my new role at Trend Micro. So far, I have not been on track for what I wanted to do originally. However, I am thankful because I am a network professional who demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.

You are probably thinking, you just ONLY read the OCG!? The answer to that question is simply no. I used various mediums to get the knowledge needed. To start, purchase the “31 days until the CCNA security exam” and the “CCNA portable commands guide”. I used these two books religiously through my studies. Going through 31 days until the CCNA security exam book was the most helpful in understanding what I needed to know for the exam. Note that this book is not the only thing you need to do.

Another aspect of my studies was actually getting my hands wet with the Cisco Firewall Adaptive Security Appliance 5505. I was able to use the ASDM, which was necessary for this exam. Also, I configured different features on firewalls, routers and switches that were outlined in the books I mentioned above. People say that you can use GNS3, but I always have a hard time getting the application to work properly. Doing it with a physical device will work fine.

Make sure to go through all the supplemental resources that are given in 31 days until the CCNA Security exam. I love that this book gives extra resources to go and get more information when confused about something. The key is to get a lot of information from a lot of different places.

The week leading up to the exam, I studied my butt off looking for exam dumps that had sample questions. Luckily, I found this YouTube video and it saved me on a couple of questions on the exam. I am glad that I took my time and answered everything within time to leave with around 20 minutes left. I was stressing when I got my results. 870 out of 1000. Ten points away from having to pay another $300 to get this certification. Thank God Almighty!

Overall, this test was stressful since I was reading comments about people barely passing on Reddit and didn’t want to be one of those people. I needed to pass the first time. That is why it took me so long to actually get my confidence up to schedule the exam. So now, I want to continue my quest by getting my CCNP Security certification before the Cert Apocalypse happens on 2/23/2020. I plan on finishing this certification sometime before the end of the year, so stay tuned on my journey to become an Information Security engineer.

Phishing Attacks: Too Many Phishers for ISPs to Catch

Privacy for all People

Information security has recently become a thriving and fast-moving discipline, driven by failures of security systems that stem from technical factors. The purpose of securing information is to preserve the confidentiality, integrity, and availability of that information. Confidentiality means that only the right people have permission to access the information; integrity means that the information system and its data are accurate; and availability means that the information system operates reliably. These three key ideas shape the way organizations create policy.

Phishing attacks have been making their appearance locally and internationally in a big way. The United Kingdom trade association asserted a 726% increase in phishing attacks between 2005 and 2006. This drastic increase shows that people need to pay close attention to what information they provide to others. Also, organizations need to update and enforce policies that involve the privacy of personal data. IBM states that phishing is one of the more prominent attack vectors used to compromise information and communications technology networks. With the growing number of attacks, we must develop better ways to implement information security.

Internet service providers (ISPs) play an important role when it comes to crime committed in the cyber domain. All traffic that goes to the world wide web flows from the source host to the provider to the target host. This shows that providers are the ones responsible for allowing malicious payloads through their network to reach the victim. Information security is compromised every time an ISP is negligent in securing its massive network. ISPs are at fault and should play a larger role in protecting people from attacks that can cripple their internet wellbeing.

Phishing attacks are pervasive and can happen at any moment. There are various types of phishing attacks, such as smishing and vishing. These types are not as common as email phishing, but still raise a real concern for citizens’ privacy. For example, privacy is compromised when people use their mobile devices for actions that require collecting sensitive and personal information. Mobile device users are three times more vulnerable to phishing attacks than desktop users. Since consumers are constantly using their mobile devices, they need to be cautious about the information they input, because there is a distinct possibility phishers are maliciously stealing their information.

Technical Perspective of Phishing Attacks

Typically, a phisher (the person committing the phishing attack) starts by running a web server and building a spoofed website of a well-known company such as Facebook or Amazon. The spoofed website will have malicious code to capture the user’s personal information, like their credentials or credit card number. Once the website is created and has access to the internet, the phisher will send the spoofed link to a victim with the intention of tricking them into giving up their personal data. The malicious code goes through the phisher’s internet service provider and then on to the victim. After receiving the link, the victim may open it and input his or her personal information without knowing it is a spoofed website. The malicious code is executed, storing the information in a database for the phisher to use at his or her own discretion. One way the phisher can use the information is by inputting it into the real website to steal more information about the victim. This simple, typical and low-cost phishing scenario is outlined in figure 1.

Figure 1: Simple phishing scenario

Other phishing attacks have most of the same steps as depicted in figure 1. The main differences are the medium used to send the spoofed link and the malicious code. Most commonly the medium is email, but recently mobile devices are becoming more vulnerable to phishing attacks. Since the web server hosting the fake site is accessible through the internet, phishers will be able to send text messages to victims’ mailboxes. The most common phishing tactics are spoofing websites, text messages and images; web link manipulation; malicious scripting languages; JavaScript popups and fake address bars; and utilizing browser vulnerabilities. Figure 2 gives a graphical representation of the most common tactics used to compromise people’s privacy. Thus, the methods that hackers carry out to exploit their victims are endless.

Figure 2: Common phishing tactics

Spoofing websites, text, and images involves the perpetrator crafting files that are similar to something the victim is accustomed to seeing. In other words, these files are not real and will mislead you into thinking that you are on the real site. Web link manipulation attacks occur when the user cannot see the actual link explicitly. The user is unaware that if the link is clicked he or she will be brought to a website that will trick them into giving up their credentials. Malicious use of scripting languages has similar behavior to the spoofed website but is hidden from the victim. On the other hand, there are attacks that will steal information when there is a JavaScript popup or when someone installs a plugin that is actually a malicious address bar. The last phishing attack is knowing the vulnerabilities of web applications and exploiting them to get sensitive data. Thus, there are many ways to implement a phishing attack, and cyber professionals need to be confident that their systems are secure against any attack.

There are many industries that are susceptible to these types of phishing attacks. Some will need a stronger cybersecurity infrastructure than others. Two examples of phishing attacks in different industries and countries are given below to show how widespread the phishing problem is. Above all, industries that collect and store private information need to be cautious at all times of the risks that arise when conducting operations via the internet.

Foreign Bank Meltdown

TSB, a bank located in the UK, was in a merger with Lloyds Banking Group until September 2013, when the two companies split. Once TSB left, it became an orphaned bank, forcing a portion of the customer base to go along with it. The orphaned bank was on its own to protect the information of roughly five million customers. For example, one customer banked with Lloyds Banking before TSB was part of the merger, but had to switch because TSB was the customer’s local branch.

A project was underway to migrate TSB customers’ data from Lloyds Banking Group systems to TSB’s own proprietary systems. Proteo4UK was the migration tool that the banking institution chose to help move the data securely and efficiently. The project finished with a press release from TSB stating the migration was complete, but the migration did not move the data as expected. When the bank reopened for the public to access their accounts after the system downtime, people began to notice other accountholders’ transactions and that their accounts simply didn’t add up. A writer from Wired UK states that “Banking systems are almost as low-tech as they are complex.” A technical failure that left bank tellers unable to access the system occurred at the completion of the data migration. TSB customers struggled to make payments, pay off bills or simply access their accounts without being confronted with someone else’s transactions. It seems that banking institutions such as TSB use software that compromises the confidentiality, integrity, and availability of their customers’ data.

As a result of the data migration failure, phishing emails and text messages were sent to TSB customers attempting to steal their banking details. Not only were TSB customers the target, but also customers at other local banks such as Barclays and NatWest. Phishers and scammers become aware of companies with internal scandals through angry customers’ social media posts. Customers were exploited by being encouraged to click a link and input their username and password to process their complaint against TSB. These customers lost control of their bank accounts. There have been ten complaints per day from frustrated customers since April 30th. The frustrated customers were exploited during the technical failure, when they did not have access to see their accounts. One customer stated that “it was a vulnerable time, and clearly security behind-the-scenes was not up to scratch.”

When private information is at stake, the correct security measures need to be taken in order to establish confidentiality, integrity, and availability. TSB is at fault for not testing the migration beforehand to know that everything would be error-free. Furthermore, there needs to be policy at TSB to ensure that this event never happens again. After the creation of such policy, other banks in the area need to adopt similar cyber policy positions. With the spread of policymaking, people will become more aware of cyber attacks and have a way to defend against them.

Education System Attack

Around the same time as the TSB meltdown, there was a phishing attack on teachers at a high school in California called Ygnacio Valley High School. This attack was similar in nature but was not as serious as the attack in the UK. Schools do not collect financial information such as credit card and savings account numbers, but schools do collect grades and other sensitive information like social security numbers. The main differences between what happened in the UK and in California are the number of people who were affected and the culprit’s age.

At the beginning of May, the police department in Concord, California put a teen in handcuffs for sending phishing emails to his teachers. The email contained a link that took the victims to a spoofed grading system login page. After a victim input his or her information, the teenage phisher was able to log on to the grading system with real credentials. As a result of gaining access to the confidential and password-protected system, the phisher was able to change grades for some students, excluding his own.

The student wanted to teach his school how easy it was to trick people into giving him what he wanted. Since a teenager did this act instead of an adult, the police department had to deal with a minor committing a serious crime. Apparently, the teen phisher only spent five minutes creating the email. Even more surprisingly, an information technology staff member found the message two weeks later in the spam folder. The high schooler made the playful remark that “it was like stealing candy from a baby.” If anything was learned, the administrators now know that they have threats coming from their own students.

It is important to note that the number of people affected by this phishing attack was relatively small. The people affected included a couple of teachers who received the email and the students whose grades were changed. Even though the number is not close to five million like the TSB crisis, it still had a great impact on the high school’s community and its reputation. Now that students see how easy it is to trick teachers into giving up their credentials, the number of phishing attacks is likely to rise. Thus, the community will have to deal with malicious attacks not only from outside but also from within.

Teachers in school systems and universities around the globe are susceptible to malicious phishing attacks. Some students will do similar acts to change their grades if they feel they will not get caught. In this case, the student did not care about his grade, but he wanted to show that social engineering is an easy and effective technique. Just imagine if he did a better job covering up his tracks, what would the school do? As a response, the school district needs to make changes in their cyber operations and policy to ensure that this will not happen again. Hopefully, these changes in policy will spark a conversation with other school districts around the nation, so they can adopt similar upgrades.

The role of ISPs

Since TSB is not a well-known bank to United States citizens, they will undoubtedly not care about the outcome because it did not affect their financial situation. However, citizens need to care so that industries and companies holding their data in the United States understand the risks at hand. The executives in these industries are constantly battling with phishers internally and externally. Phishers are the present-day cyber criminals, and they will not cease to exist, only increase in numbers. In the financial world, these criminals are similar to a present-day bank robber. Banks will never stop getting harassed; all the money is located there. In the educational world, phishing is not a problem until it becomes one. So in order to deter phishing, public and private sector industries and educational institutions need to practice safe browsing and keep their software and hardware updated.

Phishing is everywhere. Also, phishing is only one of the techniques that cybercriminals can use against public and private sector industries. The examples mentioned are meant to show that this is a current and prevalent problem that many countries are facing. This problem needs to be resolved collectively by working together to stop cybercriminals. Internet service providers such as AT&T and Comcast need to step their game up when it comes to securing their networks. As we speak, malicious traffic is going unnoticed. There could be a phishing attack on you and the ISP would not know until after the target is exploited. Internet service providers are usually well placed to detect infection because evidence of a user’s infection flows over the ISP’s network. Hosting providers that have control of the malicious hosting can take the phishing pages down. Anderson et al. propose fixed statutory damages against an ISP that does not act within a fixed time period after being notified of an infected computer on its network. This proposal was for the European Union, but something similar should be proposed to the United States government. If ISPs are unable to detect infected hosts that are connected to their network, then shame on them. They need to understand that they are the middleman in every cyber attack.

When an ISP notices that a host is sending spoofed links, it should immediately take that host offline. The way in which the provider distinguishes infected hosts from uninfected hosts is something that service providers need to implement, if they have not already. This algorithm, or firewall of some kind, has the potential to protect people’s privacy around the globe. As a result, there needs to be pressure on small ISPs and large ISPs alike, so that they share knowledge about phishing hosts. When there is such teamwork between ISPs there will be better communication, which should lead to fewer attacks. In all, it is imperative that ISPs play a vital role in securing the world wide web from attackers.
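One shape the algorithm asked for above could take, written here as an added example rather than anything an ISP actually runs: per customer host, count the outbound messages that carry links to known phishing sites within a trailing time window, and flag the host once that count reaches a threshold. Counting inside a window rather than forever keeps one forwarded bad link from condemning a host months later; the flag is the point at which a provider would notify or isolate the subscriber. The phishing-domain list, the window, the threshold and the event records are all constructed for illustration.

```python
# Added example (not from the original post): a sliding-window detector for
# customer hosts that keep sending links to known phishing sites. Domain
# list, window, threshold and the event records are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed list of hostnames already confirmed as phishing sites.
PHISHING_DOMAINS = {"tsb-secure-login.example", "amazon.com.verify-account.example"}
WINDOW = timedelta(minutes=10)   # how far back flagged links are counted
THRESHOLD = 3                    # flagged links in the window before acting

# (timestamp, customer host, URL seen in an outbound message), constructed:
# 10.0.0.7 sends three bad links in three minutes; 10.0.0.9 sends three bad
# links spread over twenty minutes, never three inside one window.
SAMPLE_EVENTS = [
    ("2019-07-01T09:00:00", "10.0.0.7", "http://tsb-secure-login.example/login"),
    ("2019-07-01T09:01:00", "10.0.0.7", "http://tsb-secure-login.example/login"),
    ("2019-07-01T09:02:00", "10.0.0.9", "https://www.amazon.com/help"),
    ("2019-07-01T09:03:00", "10.0.0.7", "http://amazon.com.verify-account.example/"),
    ("2019-07-01T09:30:00", "10.0.0.9", "http://tsb-secure-login.example/"),
    ("2019-07-01T09:45:00", "10.0.0.9", "http://tsb-secure-login.example/"),
    ("2019-07-01T09:50:00", "10.0.0.9", "http://tsb-secure-login.example/"),
]


def is_phishing_link(url):
    """Exact hostname match against the confirmed list (no guessing here)."""
    host = (urlparse(url).hostname or "").lower()
    return host in PHISHING_DOMAINS


def find_infected_hosts(events, window=WINDOW, threshold=THRESHOLD):
    """Map host -> ISO timestamp at which it first crossed the threshold.

    Events are processed in time order. Per host we keep only the flagged
    timestamps inside the trailing window, so old hits age out instead of
    accumulating forever."""
    recent = defaultdict(deque)
    flagged = {}
    for ts_text, host, url in sorted(events):
        if host in flagged or not is_phishing_link(url):
            continue
        ts = datetime.fromisoformat(ts_text)
        q = recent[host]
        while q and ts - q[0] > window:
            q.popleft()          # drop hits older than the window
        q.append(ts)
        if len(q) >= threshold:
            flagged[host] = ts_text
    return flagged


if __name__ == "__main__":
    for host, when in find_infected_hosts(SAMPLE_EVENTS).items():
        print(f"{host} crossed the threshold at {when}")   # 10.0.0.7 at 09:03:00
```

Matching against a confirmed list is intentional: the decision to cut a subscriber off should rest on links already known to be bad, with lookalike heuristics used only to feed candidates into that list after review.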

Conclusion

The internet is vast and is home to phishers who will steal information right from under your fingertips. In order to mitigate phishing attacks, there needs to be a collaborative effort among governments, private and public sector industries, and internet service providers. These are the main actors when it comes to implementing a policy that will safeguard a citizen’s confidentiality, integrity, and availability. The two recent attacks show that this technique is inevitable and easy to accomplish. So why can’t ISPs detect malicious web traffic before it reaches the victim? The traffic could simply be dropped or filtered, but knowing which packets to filter is the issue. This is clearly an issue that ISPs need to resolve in order to make the world wide web safe.

Research Log

Aaron, G. (2010). The state of phishing. https://doi.org/10.1016/S1361-3723(10)70065-8. Retrieved from http://www.sciencedirect.com/science/article/pii/S1361372310700658

Anderson, R. (2001). Why information security is hard: An economic perspective. Web.

Anderson, R., Böhme, R., Clayton, R., & Moore, T. (2008). Security economics and the internal market. United Kingdom: European Union Agency for Network and Information Security.

Anti-corruption Digest. (2018, May 23). TSB phishing scams are surging in the wake of its online banking crisis. Retrieved from https://anticorruptiondigest.com/anti-corruption-news/2018/05/23/tsb-phishing-scams-are-surging-in-the-wake-of-its-online-banking-crisis/#axzz5IKxABvFx

Farivar, C. (2018, May 14). ‘Like stealing candy from a baby,’ arrested teen says of his phishing efforts. Ars Technica. Retrieved from https://arstechnica.com/tech-policy/2018/05/like-stealing-candy-from-a-baby-arrested-teen-says-of-his-phishing-efforts/

Varshney, G., Misra, M., & Atrey, P. K. (2016). A survey and classification of web phishing detection schemes. Security and Communication Networks, 9(18), 6266–6284. Web.

Grama, J. (2015). Legal issues in information security (2nd ed.). Massachusetts: Jones & Bartlett Learning. Print.

IBM. (2018). IBM X-Force Threat Intelligence Index 2018. Armonk, New York: IBM Security. Print.

Jones, R. (2018, June 6). TSB admits 1,300 customers lost money from accounts. The Guardian. Retrieved from https://www.theguardian.com/business/2018/jun/06/tsb-admits-1300-customers-lost-money-from-accounts

Kollewe, J. (2018, April 30). TSB online banking meltdown drags into second week. The Guardian. Retrieved from https://www.theguardian.com/business/2018/apr/30/tsb-online-banking-internet-business-it

Megaw, N. (2018, June 5). FCA to launch formal investigation into TSB’s IT failure. Financial Times. Retrieved from https://www.ft.com/content/a000d194-68a6-11e8-8cf3-0c230fa67aec

Moore, T., Clayton, R., & Anderson, R. (2009). The economics of online crime. Journal of Economic Perspectives, 23(3), 3–20. Web.

Shahriar, H., Klintic, T., & Clincy, V. (2015). Mobile phishing attacks and mitigation techniques. Journal of Information Security, 6(3), 206. Web.

Stokel-Walker, C. (2018, May 1). ‘We’re on our knees’: Inside the totally avoidable TSB crisis. Wired UK. Retrieved from http://www.wired.co.uk/article/tsb-crisis-it-issues-online-banking-problems-ibm-paul-pester-compensation