Sunday, August 09, 2009

Security Religions and Risk Windows

Information security threats are way up, fraud losses continue to rise, regulatory fines are increasingly common, and budget dollars to solve the myriad problems are in short supply. Hampered by a sluggish economy, organizations simply cannot afford to hire all the talent they need, implement every best practice, or buy every blinking-light widget out there. Sacrifices are unavoidable; risk must be managed.

Each organization must decide for itself the level of risk it is willing to accept. Security managers are asked to provide budgetary guidance by articulating that “spending $X on Y will reduce the risk of a loss of $A by B%.” These decisions have given rise to two prevailing, but opposing, security religions -- Depth and Breadth. I graciously call them religions because the way their value is typically justified resembles a belief system more than anything rooted in science or metrics. Examining how these beliefs apply to website security and vulnerability management was the underlying message of the Mo’ Money Mo’ Problems presentation Trey and I delivered at BlackHat USA 2009.

To begin, we organized the threats (the attackers we want to defend our websites against) using the Verizon DBIR naming conventions: Random Opportunistic, Directed Opportunistic, and Fully Targeted. The descriptions are our own, written to apply to the overall Web security threat landscape. Trey and I focused exclusively on real-world examples of Fully Targeted business logic flaw attacks: attacks that are exceptionally easy for anyone to perpetrate, invisible to IDSs, inaccessible to scanners, legally gray, and, most importantly, lead to making A LOT of money.

Random Opportunistic: Targets selected widely and indiscriminately. Attacks are fully automated and unauthenticated, and exploit unpatched issues and some custom Web application vulnerabilities. Mass SQL Injection worms that infect websites with browser-based malware and/or load Web pages with hidden SEO links are prime examples.

Directed Opportunistic: Targets selected from a narrow segment that possesses valuable data or a tarnishable brand. Attacks are both automated and sentient (human-driven), use commercial or open source scanners, may register accounts, and exploit flaws in custom Web application code that are found easily with little to no configuration. Typical examples are Cross-Site Scripting and open URL Redirector flaws that aid in phishing scams, SQL Injection issues used to compromise sensitive data, remote command execution used to deface the website, or embarrassing full disclosure.

Fully Targeted: Targets selected specifically. Attacks may be both automated and sentient, utilize customized tools, exercise multi-stage business processes, and exploit business logic flaws in custom Web applications. Examples are discovering unlinked press releases, resetting other users’ account passwords, accessing other users’ data or access levels, abusing product replacement programs and refund processes, altering expected purchase prices, etc.

Depth Religion
A belief system that recommends identifying the most valuable assets, especially those containing sensitive data, and investing the bulk (or all) of the security dollars in defending them. See the investment strategy diagram. Secondary and tertiary assets are essentially left as sacrificial lambs. Borrowing from the age-old military strategy of the castle and moat: establish a perimeter around your most valued assets and defend it to the last, with defense-in-depth as a fundamental tenet.
The open risk window is a determined, Fully Targeted adversary, sometimes described as the “super hacker,” capable of penetrating the system. The belief is that this individual exists and, given enough time, simply can’t be stopped, while anything short of that skill level can be successfully defended against. Of course, the secondary and tertiary assets lie wide open to anyone, including Random and Directed Opportunistic attackers. Adherents often forget that those neglected sites may share data stores with the “safe” high-value assets, so a breach of a sacrificial lamb can still reach the crown jewels.

Breadth Religion
A belief system that recommends identifying all assets and establishing a security baseline applied across the range. Primary, secondary, and tertiary assets are treated with basically the same level of care. See the investment strategy diagram. The thinking is that most breach losses are due to assets not abiding by the security minimums set by compliance requirements, and not to the exploits of a “super hacker.” By elevating the intrusion bar to a compliance standard, and believing that to be “good enough,” the most common attack types can be eliminated or significantly diminished.

The risk window is open to any attacker even slightly more sophisticated than a dumb robot: far shy of “super hacker” skills, and not especially difficult to reach considering that mass-scale attacks need not even log in. Stated differently, the barrier to entry for an attacker stops at the Random Opportunist, a payday for those paying attention, because compliance requirements are routinely watered down by those clinging to the bare minimum.

So the billion dollar question everyone is asking: “Which belief system is more effective?”

Our intent was not to directly answer this question, but instead to expose common misconceptions applied to website security. When organizations want to raise the security bar, as measured by vulnerability assessment, they choose among different levels of testing comprehensiveness:
  • To reach the green rung, one option is a completely automated, unauthenticated scan with a few basic Web security checks (network scanners and PCI-DSS compliance report mills).
  • For the blue rung, a person with at least a basic knowledge of Web security runs a commercial-grade Web application scanner, logged in and configured for the site. Mid-tier firms offering a junior-level consultant, AKA “scanner jockey,” for this are common.
  • The purple rung requires a person to walk through, understand, and test all the business process flows -- perhaps even create custom tools. To find a single issue, a person need only be clever, not necessarily highly experienced, let alone a super hacker. On the other hand, to have a chance of finding all the possible issues all the time, they do need to be experienced!
So the fallacy is assuming the “threat-o-meter” represents an attacker’s skill level. The fact is that Fully Targeted attackers are not necessarily more skilled than Directed Opportunists, and Directed Opportunists in turn are not automatically more sophisticated than Random Opportunists. In reality, attacker types have more to do with target focus and technique of choice. Our presentation focused almost exclusively on Fully Targeted attacks that anyone can pull off, driving revenue anywhere from 5 to 9 figures, and then scale up. For example: how advertising campaigns have been gamed; how the use of discount coupon codes led to significant losses; how WebMail accounts were broken into to claim a hacking contest prize or leveraged to compromise an entire enterprise; and nefarious SEO and affiliate revenue-generating schemes.
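To make concrete why these attacks are “inaccessible to scanners,” here is an added example (constructed for this page; it is not code from the original post or from the BlackHat talk) of a toy checkout handler carrying two of the business logic flaws named above, a client-controlled purchase price and a discount coupon that can be stacked, beside a hardened version. The catalog, coupon table, account name and requests are all invented sample data; no real site or API is involved. Every request the attacker sends is well-formed, authenticated and returns a normal success response, which is exactly why a signature-based IDS or an automated scanner has nothing to flag.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the server-side catalog and coupon table.
CATALOG: Dict[str, float] = {"sku-1001": 199.00, "sku-2002": 49.00}
COUPONS: Dict[str, float] = {"SAVE20": 0.20}   # code -> fractional discount


@dataclass
class Order:
    """What the client submits at checkout (hidden form fields or JSON)."""
    sku: str
    qty: int
    coupons: List[str]                    # coupon codes the client claims to apply
    client_price: Optional[float] = None  # unit price the client *says* applies


# --- Vulnerable handler: trusts what the client sends -------------------------
def checkout_vulnerable(order: Order) -> float:
    # Flaw 1 (altered purchase price): the unit price is read from the request,
    # so submitting client_price=0.01 buys a $199 item for a penny.
    unit = order.client_price if order.client_price is not None else CATALOG[order.sku]
    subtotal = unit * order.qty
    total = subtotal
    # Flaw 2 (coupon stacking): every code in the list is honoured, including the
    # same code repeated, so ["SAVE20"] * 5 removes 100% of the subtotal.
    for code in order.coupons:
        total -= subtotal * COUPONS.get(code, 0.0)
    return round(max(total, 0.0), 2)


# --- Hardened handler: server is authoritative, redemptions are tracked ---------
@dataclass
class RedemptionLedger:
    """Hypothetical per-account record of coupon use (would be a DB table)."""
    used: Dict[Tuple[str, str], int] = field(default_factory=dict)


def checkout_hardened(order: Order, account: str, ledger: RedemptionLedger) -> float:
    if order.qty <= 0:
        raise ValueError("quantity must be positive")
    if order.sku not in CATALOG:
        raise ValueError("unknown sku")
    unit = CATALOG[order.sku]             # price comes from the catalog, never the client
    subtotal = unit * order.qty

    codes = set(order.coupons)            # the same code counts at most once per order
    if len(codes) > 1:
        raise ValueError("only one coupon per order")
    for code in codes:
        if code not in COUPONS:
            raise ValueError("unknown coupon")
        key = (account, code)
        if ledger.used.get(key, 0) >= 1:  # single use per account, enforced server-side
            raise ValueError("coupon already redeemed by this account")

    total = subtotal
    for code in codes:
        total -= subtotal * COUPONS[code]
    for code in codes:                    # record redemption only after validation passes
        ledger.used[(account, code)] = ledger.used.get((account, code), 0) + 1
    return round(total, 2)


def attacker_request() -> Order:
    """Constructed Fully Targeted request: 2 x sku-1001 at a claimed $0.01 each,
    with the one valid coupon submitted five times."""
    return Order(sku="sku-1001", qty=2, coupons=["SAVE20"] * 5, client_price=0.01)


if __name__ == "__main__":
    print("vulnerable total:", checkout_vulnerable(attacker_request()))   # 0.0
    ledger = RedemptionLedger()
    print("hardened total:  ", checkout_hardened(attacker_request(), "alice", ledger))  # 318.4
    try:
        checkout_hardened(Order("sku-1001", 1, ["SAVE20"]), "alice", ledger)
    except ValueError as err:
        print("second redemption rejected:", err)
```

The hardened version is not clever; it simply refuses to let the client decide two things the business owns, the price and the number of times a promotion may be used. Finding the flaw in the first version requires someone to read the checkout flow and try an unexpected but syntactically valid request, which is purple-rung work, not something a scanner configured with a login will stumble into.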

Two years ago, when I said PCI Certification doesn’t make a website harder to hack, these were my primary concerns. Raising the minimum bar to just Random Opportunistic is simply not enough. Website security is clearly a different environment, one where conventional wisdom is constantly tested. Vulnerability assessment solutions, and by extension compliance standards, must truly be risk-based. Flexibility is essential in security testing: from deep dive to cursory level, vulnerability assessments capable of meeting or exceeding an attacker’s capability are an absolute necessity. Also crucial is the capacity to scale massively across the enterprise, so the current security posture can be compared against the tolerance for risk.

For those who missed Trey and me at BlackHat or couldn’t attend the show, we’re hosting a special encore webinar of Mo' Money Mo' Problems: Making A LOT more money on the Web the Black Hat Way. Improved material!

Free to attend, but you must register. Space is limited.
Tuesday, August 18th, 11:00 AM PT (2:00 PM ET).

1 comment:

kingthorin said...

Hmmm, in this context maybe it's best to say neither depth nor breadth and take a suggestion from Pete and open ourselves to the concept of the "mobius defense":

http://www.isecom.org/events/The_Mobius_Defense.pdf

(Warning, the PDF is about 35MB).