Sunday 25 October 2015

Talk about TalkTalk

The latest hot news is the budget telecoms provider in the UK "TalkTalk" and their latest (third this year) hack.

There are many excellent discussions on the whole thing from people such as Brian Krebs (http://krebsonsecurity.com/), Paul Moore (https://paul.reviews/) and of course Troy Hunt (http://www.troyhunt.com/) - although admittedly, most of the discussion has been on Twitter.


Some Background

...in case you missed it.

A telecoms provider in the UK got "hacked", had a shed load of Customer Data stolen / copied (is it really "stolen" if the data remains behind?), ransoms demanded (and not paid - well done there! No, seriously, don't pay them, it only encourages them and others to 'come back') and data subsequently released.

One thing that is amusing is the repeated refrain of "we take security very seriously" - with the unspoken but obvious "...but not seriously enough to prevent this breach". Indeed, I am mindful of a tweet from Troy in October 2013 "se·cu·ri·ty [si-kyoor-i-tee] noun: Gets in the way of getting stuff done until you get pwned then it's the most important thing in the world."

So, to the story that prompted this post. In the Guardian on-line - http://www.theguardian.com/business/2015/oct/24/talktalk-cyber-attack-new-powers-regulators-hacking?CMP=ema_632 - there appear to be calls for "tougher laws" with regards to "cybercrime", and thus tougher penalties for the perpetrators when (if?) they are caught.

But, let's turn our attention to TalkTalk here.

Questions are raised as to what level of PCI-DSS Compliance (see the PCI Data Security Standards site https://www.pcisecuritystandards.org/security_standards/index.php for more info) TalkTalk had, and what the results of its last annual PCI-DSS Audit were (indeed, the last few years would be interesting).

With all the talk (pun not intended, sorry) of legislation and penalties, I wonder if there will be any focus put on the companies who have been deficient in protecting the personal data of their customers? There is great focus on the "evil haxxors" who plunder the databases with impunity, but very little on the lax systems and network security practices adopted by the company.

Security is only as important as the company funds it. If the company is not willing to pay for systems and network (and application) security, then obviously it is "not important". Well, it isn't until the excrement impacts the air-movement device - then it's so important that they "...take it very seriously".

Wow, not even "seriously", but "very seriously".

Hmm...

New Techniques for attack

In the above mentioned Guardian article, '...a spokesman for the firm said: “New techniques for attack develop all the time...'

I suspect though this attack will be everyone's favourite - SQL-Injection.

For those who don't know, this is where the attacker enters extraneous Database Language Commands into a form on the web-site (typically), and this extra code slips through the defences (if any) to be executed by the Database at the back-end. The Database then dutifully reports its results back to the attacker's web-browser.
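To make this concrete, here is an added example (written for this post, not code from the original article and nothing to do with TalkTalk's systems) in Python, using an in-memory SQLite table with made-up customer rows. The same lookup is written twice: once by gluing the form field straight into the SQL text, which is the flaw described above, and once with the value passed as a bound parameter, which is the standard defence.

```python
import sqlite3

# Constructed sample rows for the example only; the names and addresses are invented.
CUSTOMERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' form: the form field is pasted into the SQL text, so whatever
    the user typed becomes part of the command the database executes."""
    sql = "SELECT id, username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the SQL text is fixed and the value travels separately as a bound
    parameter, so the database only ever treats it as data, never as a command."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def row_counts(username: str) -> tuple:
    """Run both lookups on the same input and return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return (
            len(lookup_vulnerable(conn, username)),
            len(lookup_parameterised(conn, username)),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username returns one row either way; the classic quote-and-OR
    # teaching input makes the concatenated query match every row, while the
    # parameterised query correctly matches none.
    print(row_counts("alice"))
    print(row_counts("' OR '1'='1"))
```

The point of the second call is not the particular string but that the parameterised version needs no knowledge of what "bad" input looks like: the query's shape is decided by the developer, and the user's text can only ever be compared, never executed. Input filtering is still worth having, but it is belt-and-braces on top of this, not a substitute for it.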

This method of attack has only been around since 1998, so maybe one day soon we'll get a handle on defending against it. (I hear the percussive "pop!" of many sarcasm detectors as they explode :)

Yes, that's right - 1998. Nearly two decades! If it were a person, it would be about to graduate from High School, and sometime next year could start drinking alcohol. It would already be driving a car on a restricted licence.

How do we fix this?

Well, first off, we need to convince those who say they "take security very seriously" to actually start taking "security seriously".

I am suggesting that those at the "top", those who are more than willing and able to bask in the glory when everything is going well, those with the large pay-packets and the even larger share-options... these are the ones who should be answerable for why they were not compliant with the PCI-DSS; why their systems do not have correct coding practices in place to defend against these threats. i.e., the ones who "take security very seriously", but not so much when it costs money.

I don't expect "very seriously" to start with, just "seriously" will be sufficient. However, it needs to be so seriously that they will actually put some money towards security.


Where to spend this money? Where to get the biggest bang for the buck?

Not on consultants. Not on outsourced experts. What about...?

The Developers

I am not suggesting that the developers are made the scapegoats in this. They will no doubt have been pressured not to include "unnecessary bells-and-whistles" such as filtering and "whitelisting" inputs, implementing anti-XSS defences, properly hashing (NOT "encrypting") passwords, and not storing data that they just do not need to keep, just to name a few.

If they know about these things, that is.

The sad reality is that the majority of coders don't know the basics of defending their applications against attack.
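Two of the "bells-and-whistles" mentioned above, whitelisting inputs and properly hashing passwords, fit in a few lines, which is rather the point. The following is an added example written for this post (not code from the original article or from any company named in it) in Python, using only the standard library. The field patterns and the PBKDF2 iteration count are assumptions chosen for the example, not figures from the post.

```python
import hashlib
import hmac
import os
import re

# Allow-list (whitelist) patterns, constructed for this example: each field accepts
# only the shape it legitimately needs and rejects everything else, instead of
# trying to enumerate every "dangerous" character.
ALLOWED = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    # Simplified UK postcode shape: outward code, optional space, inward code.
    "postcode": re.compile(r"^[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}$"),
    "account_number": re.compile(r"^[0-9]{8}$"),
}


def validate(field: str, value: str) -> bool:
    """Return True only if the value matches the allow-list for that field.
    Unknown fields are rejected rather than waved through."""
    pattern = ALLOWED.get(field)
    return pattern is not None and pattern.fullmatch(value) is not None


# Password storage: a salted, deliberately slow one-way hash (PBKDF2-HMAC-SHA256),
# not reversible "encryption". The iteration count is an assumption for this example.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hash a password with a fresh random salt and return a self-describing record
    so the parameters can be raised later without breaking old entries."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iterations and compare in
    constant time, so a mismatch leaks nothing about how close the guess was."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(validate("username", "alice_01"), validate("username", "alice; drop"))
    print(validate("postcode", "SW1A 1AA"), validate("postcode", "not a postcode"))
    record = hash_password("correct horse battery")
    print(verify_password("correct horse battery", record), verify_password("guess", record))
```

Note that the stored record never contains the password in any recoverable form, and two users with the same password get different records because each has its own salt. That is what "hashing, not encrypting" buys you when the table does get copied.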

When I was learning to code (too long ago, mind your own business whipper-snapper) I was taught to treat all data with a level of scepticism - even data that was coming from other areas of the system where (it was assumed) the data had already been declared "safe".

Too often today the assumption is that the end-user will do the "right-thing" and that no one is out to do nasty things to your system. I have my own theory on how developers got lazy in their assumptions (perhaps another post?).

We have seen the fruit of this philosophy way too many times in recent history - TalkTalk being just the latest victim (to date) in a long line since the last millennium!

My first question to organisations (well, their head-honchos) would be "have you trained your developers in defending against the OWASP Top 10?"

"If not, why not?"

"If so, what processes are in place within your QA team to practice the 'WhiteHat Hacker' techniques to test these risks?"

Education

The "fix" is quite simple - educate the developers. Indeed, educate the QA teams as well.

One of my tasks in my present job is to educate web application developers to be aware of the OWASP Top 10, understand the defences they need to have in place to defend against at least the 'Top 5', and understand what they need to do to code these defences. I try to keep it as "code neutral" as possible - although I do show examples of code. My focus is on what they need to do, not just "do this and you will be protected".

Since I started teaching "How to hack your websites" in the mid-2000s I have educated over 300 developers in this. Of course, things have changed, although interestingly (if you look back over the OWASP Top 10 in that time), things have stayed a lot "the same" too - plus ça change, plus c'est la même chose. (The more things change, the more they stay the same).


There are a number of excellent on-line courses. I can highly recommend Troy's Pluralsight courses - see http://www.pluralsight.com/author/troy-hunt, as well as others. I may even be able to add my own one day, although it will probably be with another online education provider, rather than Pluralsight. They may not need another Aussie :)

There is also Dafydd Stuttard & Marcus Pinto's "The Web Application Hacker's Handbook" if you want to do it on your own.

Or (blatant plug) there is the Web Developer's Diploma Course at Hornsby TAFE where I teach (in the second half of the semester) the basics of defending your web sites.
