5 IT security hot topics How safe are you?

Transcription

1 5 IT security hot topics How safe are you? Why this whitepaper? We meet many people in IT, of various levels of experience and fields of work. This whitepaper is written for everybody who wants to read views on IT security from the software code perspective. To learn, reflect, identify, agree, comment or take action! Omnext B.V

2 5 IT Security hot topics Read the newspapers and you will find a surprising amount of news related to cybercrime and security breaches. IT Security is a hot topic. Almost all companies have internet connected IT systems and more and more businesses are based on digital interaction and commerce. Breaching the security measures of IT systems is serious business. Ethical hacking, theft of intellectual property, destabilizing governmental systems or compromising credit card and personal data are every day examples. PC s, mobile devices, servers and cloud services are attacked. Not just companies, governments or infrastructures, but also individuals and appliances are the focus of digital attacks. How are we going to protect our internet connected systems or, in general, IT systems? The vector of attack In the movies you experience the fictional world of a hacker. Reality shows that attacks are just a matter of knowing the flaws in systems and finding the (documented) ways to access the system through the known vulnerabilities. Automated tools, official vulnerability sources, hacking blogs and hacker communities are actively spreading knowledge and new flaws. The variety of vectors of attack, e.g. how to get into a system, is growing in a rapid pace. The possibilities towards intercepting internet traffic and to decoded encryption is common knowledge. Imagine your laptop at the airport, linking onto the public Wifi. If you know how easy it is to get your credit card details, would you act the same way you do now? Let s browse through some viewpoints, let s say, our 5 IT security hot topics: 2

3 1. The human is the weak spot Human behavior is one of the most problematic areas of security. It starts with choosing secure passwords. Nowadays when using multiple accounts at internet-shops, you would probably have multiple passwords, don t you? Or is your banking password the same as the one used for your daily e-paper newsfeed? Unauthorized access to systems is a fair (10%) vulnerability based on retrieving passwords due to negligence of the user. By the way, did you encrypt your hard drive of your computer/laptop? This is a must if you want to keep your digital data belongings safe. Updating your OS / applications, clicking on links in s of unknown origin or Post-its on your monitor with passwords. The awareness will grow to the max if you have ever been victim of a cybercrime event. Something to think about: 1 employee owns 1 smartphone, 1 laptop and 1 tablet computer, visits 25 websites regularly with a username/password, has 2 bank accounts, 3 mail addresses, which are accessed from all three devices. He regularly hooks up to a public Wifi at his favorite coffee shop and logs on to your intranet. How high would the risk now be? 2. The unknown attack on infrastructure Did you know that there is a website which describes the security vulnerabilities of mainstream webserver and infrastructure software per version? If you are a hacker and you know a company uses an old webserver version, you know the security vulnerabilities and exploit it. Hacking is now tutored over YouTube, dark-net or shared on fora and user groups. This means that your infrastructure needs to be up to date, always! The latest patches need to be installed, logs are to be checked etc. The benefit of managed cloud services for application can help but if you host your server in-house, you must realize what a security effort is requires. Being aware of the vulnerabilities is one thing. Verify if the infrastructure is well protected can only be done by logging, settings/script reviewing, traffic monitoring and penetration testing. So who is doing that? Besides the software components it is also about all your network equipment like routers, switches, firewalls, Wifi hotpots, cable modems etc. It s already a good thing that various network equipment applicants are managing the version control automatically. Something to think about: getting into infrastructure is the most unknown and unseen way of hacking. Reports identify a great threat but cannot pinpoint the number of exploits. The risk is high, the vulnerabilities are present but it is not easy to measure. Production control systems (SCADA) in industrial complexes is one of the areas which hit the news, but you can also think about simple threats like a Wifii hotspot in your network with the factory settings username/password = admin/admin 3. There is no reason that applications are insecure What runs on computer servers or in your browser is written by developers. We have seen applications made by experienced developers containing various security vulnerabilities. Not that the developers did that on purpose, but because they were not aware, not trained, or not instructed. The last few months we have analyzed 35+ computer applications from various businesses and company sizes. Guess what: there were only 3 applications without high vulnerable risks. SQL injection and cross site scripting (XSS) were the main issues of the other packages. These two types are the most common (and also most documented) threats and are listed in the famous OWASP top10 list of security vulnerabilities. 3

4 Interesting was that the medium risk vulnerability risk weak encryption algorithm was present in every application. Nowadays a used-to-be-good encryption algorithm like DES 64 bit can be cracked in seconds instead of months like in What does this mean? Applications must be secure by design and updated to the latest standard! Let s explain a vulnerability to show how easy this can be: SQL-Injection If you enter your username and password the it will send a statement like this to the server Gf Username: Jan. Password: Pietersen. Select * from user where name= Jan and Password = Pietersen But if you enter this Username: OR 1-1; /*. Password: */--. This will be end to the server Select * from user where name= or 1=1; /* and Password = */ -- Text between /* */-- is ignored so: It means you have access to the system! It so simple that it inspired a driver to protect him from a speedcamera. With advanced tools and techniques, you can verify if program code (source code) contains these risks. By identifying problems, the risks can be reduced to the minimum. Every input field, every API or interface can be checked almost automatically. That means an almost 99% security by design if done right. 4

5 4. Freebies come for the price of maintenance Open Source Software can be freely downloaded from the internet and used in your application. This is a widely used method to create good programs without reinventing wheels. Everybody can see how it works, add their improvements and benefit from a piece of software they didn t have to write. But there is also a security issue here. The open source code is released in versions and as a developer you need to use the latest version with the latest flaws fixed. That means that you have to release your end-product every time one of your open source components changes. That is not always workable, and so we see packages with many outdated open source components which contain (documented) vulnerabilities, It is evitable that free software requires also maintenance. Something to think about: Lately a block chain open source implementation was tagged as vulnerable because a security flaw was found in the code. The good thing was that it was revealed in a test by a bank. In the near future banking systems will use open source components in a block chain based IT strategy for bank transactions.. 5. Quick wins, in a structured approach. IT Security spans so many areas of attention, that it requires a structured approach. Best practices are hidden in rather lengthy documents like ISO standards. So what would be the best thing to do? To assess the risk of your system there are holistic ISO27001 based approaches are used. ISO27001 is a framework identifying which areas should be thought of. Make a choice of what s important in your business, and classify the risks. That can lead you to the right framework like Cobit, GDPR or ISO27002 to create action plans for a secure process. So what are your options A. The structured holistic ISO27001 (or other security framework) track. It s the real thing, it s the most holistic way to do this through the front door, to the roof to the basement. The framework is so extensive that it requires a lot of management, especially when you have only a few areas of first concern. But okay, ISO27001 is the way to go in the end. B. The quick win strategy; pen testing, code review, awareness mail for your workforce, a taskforce to check all network components, checkup for all the laptops, etc. It is just that this is usually a one off thing and it does not improve the long term security. Doing so is good, but it should be on top of things and be part of a continuous security process in your company. C. A focused narrowed down approach focusing on a certain type of IT security. There are narrowed down frameworks focusing on application security derived from ISO These subsets are much easier to interpret and to create action plans. By using this subset approach you can embed the most important actions into a process structure in your company. For compliance on the long term you can extend the framework work to the ISO27001 standard and cover more areas of concern. Something to think about: A continuous part of your IT business will be security. With planned and monitored action plans to ensure long term security, regular audits and secure work methods will ensure better security and a minimized risk. You have to live with the fact that you are never 100% sure you did all the right things at the right time. The technology will continue to change, revealing new threats and therefor also new countermeasures. By looking at security from different perspectives, in a structured and long term view, many risks can be managed. 5