News is emerging of a hack at the US Treasury Department, in which a series of websites associated with the U.S. Bureau of Engraving and Printing (BEP) were affected.
Visitors to the sites were directed to another site in the Ukraine, one that is notorious for installing malware on computers.
The attackers targeted a cloud computing company that hosted the BEP’s pages.
This hack has the elements for a good press story because it involves a government agency, the Ukraine and the cloud environment. But, these elements are not newsworthy.
US governmental sites have been under attack for the past year, and these prior attacks should have been a call to action for all federal and state IT departments to review their security policies and practices.
The hackers’ purported destination of Ukraine is also not newsworthy.
Hackers will not attempt access in their own country but will target foreign sites, knowing that the likelihood of prosecution is slim to none.
That this happened in the cloud is also not a news hook. Cloud environments are no more or less safe than any other environment. Agencies putting their information in the cloud should know the security measures and practices involved.
What is newsworthy? The fact that there are still questions about the number of people affected and even whether all of the affected sites are disabled is disturbing.
(http://thompson.blog.avg.com/2010/05/whoops-treasury-still-hacked.html)
All organizations, especially government agencies, should have a disaster recovery plan in place in the event of a breach. This plan should include informing those involved with the basic details of what happened, who was affected, and what people should do.
The reality is likely that the US Treasury is looking to answer those questions now, which comes too little too late.
Tuesday, 4 May 2010
Monday, 19 April 2010
No surprises in the OWASP 2010 tail – Injection remains the number-one stinging risk in 2010
OWASP have released their 2010 “top 10” Application Security Risks. Topping the list (again) is the “Injection” risk. People involved in both application security and database security will not be surprised. The world is awash with applications that have each been poorly engineered in their own individual manner. It is an easy mistake to make, but very difficult to rectify without good tools and technologies to deploy.
Comparing this year’s results and those from 2007 shows that the top three risks remain unchanged 1. Injection; 2.0 Cross-Site scripting (XSS); 3. Broken Authentication and Session Management. New entrants to the list are: Security Mis-configuration, ranked sixth, and Un-validated Redirects and Forwards coming at the bottom of the list.
It is interesting that security mis-configuration is a rising risk. It seems that system owners are at least trying to use security features, but are failing to get it correct. Getting any security system just right without disturbing the business is notoriously difficult.
Even more difficult is retrofitting security into an enterprise application environment which has a complex array of components – each tailored to the business. Good application security requires strong knowledge of the application operation combined with the ability to accurately prevent (or block) out-of-policy interactions. For example, the protection of a database from a poorly written web facing application requires a firewall that can determine that a query is inappropriate and stop it from ever reaching the database.
One does not need a crystal ball to forecast next year’s winner of the list!
Comparing this year’s results and those from 2007 shows that the top three risks remain unchanged 1. Injection; 2.0 Cross-Site scripting (XSS); 3. Broken Authentication and Session Management. New entrants to the list are: Security Mis-configuration, ranked sixth, and Un-validated Redirects and Forwards coming at the bottom of the list.
It is interesting that security mis-configuration is a rising risk. It seems that system owners are at least trying to use security features, but are failing to get it correct. Getting any security system just right without disturbing the business is notoriously difficult.
Even more difficult is retrofitting security into an enterprise application environment which has a complex array of components – each tailored to the business. Good application security requires strong knowledge of the application operation combined with the ability to accurately prevent (or block) out-of-policy interactions. For example, the protection of a database from a poorly written web facing application requires a firewall that can determine that a query is inappropriate and stop it from ever reaching the database.
One does not need a crystal ball to forecast next year’s winner of the list!
Sunday, 11 April 2010
Modern espionage, social media and the cloud
Reports are emerging of another attack on government computers, this one by a group in China that targeted networks in India and other countries. Among the data the hackers obtained are information on missile systems and relations between governments as well as correspondence from the Dali Lama’s office.
The researchers who identified and tracked the hacker’s actions have identified social media as the main means to infiltrate the networks. In the report, the researchers point to Twitter accounts, Yahoo Mail accounts, Google Groups and Blogspot blogs as among the hackers’ infrastructure. Compounding the problem is that some of these networks used cloud configurations, which the report alleges provides a “powerful mode of infiltrating targets who have become accustomed to clicking on links.”
What the researchers are also clear about – and perhaps the most alarming aspect – is that there is no way to track exactly what the attackers did once on the networks. Not being able to know the state of data at any time is the key to this hack – rather than the security vulnerabilities from the cloud infrastructure or social networking. We have advocated a security defense from the inside out – rather than the commonly accepted firewall to database approach.
In this threat environment, governments and others in the public sector will be targets. Quite simply put, the information that they hold is valuable to someone, and the hackers know this. What the report should signal to all groups holding sensitive information is to assume that your network will be infiltrated. What information will be at risk and how will you know if it is being accessed inappropriately? Knowing the answers could mean the difference between data protection or a devastating hack.
The researchers who identified and tracked the hacker’s actions have identified social media as the main means to infiltrate the networks. In the report, the researchers point to Twitter accounts, Yahoo Mail accounts, Google Groups and Blogspot blogs as among the hackers’ infrastructure. Compounding the problem is that some of these networks used cloud configurations, which the report alleges provides a “powerful mode of infiltrating targets who have become accustomed to clicking on links.”
What the researchers are also clear about – and perhaps the most alarming aspect – is that there is no way to track exactly what the attackers did once on the networks. Not being able to know the state of data at any time is the key to this hack – rather than the security vulnerabilities from the cloud infrastructure or social networking. We have advocated a security defense from the inside out – rather than the commonly accepted firewall to database approach.
In this threat environment, governments and others in the public sector will be targets. Quite simply put, the information that they hold is valuable to someone, and the hackers know this. What the report should signal to all groups holding sensitive information is to assume that your network will be infiltrated. What information will be at risk and how will you know if it is being accessed inappropriately? Knowing the answers could mean the difference between data protection or a devastating hack.
Subscribe to:
Posts (Atom)
