Cyber Security Index: “Cyber Security Index Highlights Political Threats, Business Partner Risk” by Paul Roberts (@paulfroberts). This article from Threatpost looks at this year’s Index of Cyber Security score of 1292, which is 292 points higher than when it was introduced last April. The Index was created by Dan Geer and Mukul Pareek in an attempt to gauge the level of perceived cyber risk and concern based on surveys conducted amongst cyber security professionals. Since its inception, the index has been steadily rising – a trend that can most likely be credited to the increasing number of cyber attacks taking place and the media exposure these attacks have gained. The article also provides a graph showing the “Cyber Fear” Index from month-to-month since March 2011 and a look at what sort of information we can expect to see on next year’s report.

Unisys Security Index: “Americans Rate Cyber-Security as Hot Issue in Presidential Election: Survey” by Brian Prince (@eweeknews). Unisys recently conducted a survery for its bi-annual Security Index, and the results show a major increase in American focus on Cyber-Security awareness and concern as an issue in the upcoming presidential election. Despite this finding, the Unisys Security Index still dropped overall for security concern. Read the full article for more statistics from the Index as well as Prince’s analysis on these national trends. For further commentary on today’s cyber threat environment check out our Q&A with cyber security guru Richard Clarke.

Enterprise Mobile Security: “Companies slow to react to mobile security threat” by Antone Gonsalves (@antoneg). This article offers Antone Gonsalves’ take on the findings from a new study on mobile security from Juniper Networks. The main takeaway from the study is that employees are using mobile devices at work to engage in high-risk activities, often without company consent. Juniper found nearly 90% of employees surveyed to be using their own devices to interact with sensitive company data and that in over 40% of these cases the employer was unaware they were doing so. In addition to these issues, mobile malware is increasing at an alarming rate, subjecting companies to possible data theft or breaches. On a more positive note, Juniper’s report found that a strong share of those surveyed are willing to work with their employers to protect their devices.

For more on “Bring your own Device” policy, check out our new video interview series with Dan Guido of Trail of Bits. In this segment Dan discusses BYOD for businesses and mobile platform security. Read our post and watch the video here.

Data Breach Aftermath: “Global Payments Breach Fueled Prepaid Card Fraud” by Brian Krebs (@briankrebs). Unfortunately it looks like the fallout from the Global Payments data breach is not yet over. Since early March of this year there have been numerous cases of debit card fraud using Union Savings Bank information stolen in the Global Payments breach that made headlines earlier in the year. According to bank officials, the fraud has already cost Union Savings Bank about $75,000, with another $10,000 being spent on replacing customer cards. Additionally, the fraud cases have brought up some new questions about the timing and extent of the damage of the Global Payments breach itself.

Click here to learn about data breaches in general.

SEC Guidance: “SEC Guidance Is a Really Big Deal” by Richard Bejtlich (@TaoSecurity). Richard Bejtlich wrote this blog post after speaking on SEC guidance at a recent conference. According to Richard, the SEC guidance is a “game changer” for several reasons, including its plans for enforcement and an increase in lawsuits and whistleblowing against companies with poor disclosure practices. Richard also provides insights to the new SEC guidance from Congress and Senator Jay Rockefeller.

CLICK HERE to view our webinar showcasing latest research findings about software security posture of public companies.

We also added in a quick summary to cover the highlights of the interview.

How can organizations prepare to face security threats?
Dan states that organizations should look at all the attacks that are happening in the industry they are in, (from peers, data releases from security companies), so they can learn from the lessons that other companies have experienced. Dan states that there is not enough sharing of information in the industry about attacker techniques, tactics and procedures that have been used to perform compromises. Companies need to collect and analyze attack data, understand what hackers are doing, and then utilize that information to develop defenses that work against the techniques being used. Security programs should be able to trace back to actual reductions in data loss.

Which attack vectors pose the greatest threat to enterprises today?
Dan stresses the importance of protecting the entire enterprise from threats, not just protecting one single application. That said, he also notes that attackers interested in financial fraud or credit card theft will be focused on compromising individual applications. To defend against them, enterprises may want to use dynamic web scanning, or source code auditing per application.

To view the other interviews with Dan Guido posted as part of this series, click on the links below.

1. Interview with Dan Guido on Vulnerabilities
2. Interview with Dan Guido on Mobile Platforms and BYOD

Let us know how you liked this interview series with Dan Guido, and if you have any suggestions for other hot topics you would like to see industry experts discuss.

Black Hat (Las Vegas – July 21-26, 2012) provides briefings and training for security professionals from around the world. Black Hat differentiates itself by working at many levels within the corporate and government communities. This unmatched informational reach enables Black Hat attendees to be continuously aware of the newest vulnerabilities, defense mechanisms, and industry trends. Black Hat has grown over the past 15 years from a single annual conference in Las Vegas to a global conference series with annual events in Abu Dhabi, Barcelona, Las Vegas and Washington DC. It has also become a premiere venue for elite security researchers and the best security trainers to find their audience.

Congratulations Chris!

Read below for a quick synopsis of the interview.

Is iOS the most secure platform?
Dan states that it’s definitely possible to exploit vulnerabilities in iOS. He then goes on to explain that it’s either too costly to do this or there are other mitigations that prevent this from happening. By disincentivizing the mobile malware community from performing malware attacks on the iOS platform using clever design choices, Apple demonstrated a different approach to tackle the problem of mobile malware. Dan concludes that Apple’s approach has been different and certainly a very effective response to the mobile malware problem

Dan mentions that trying to trace every single unique identifier for very single malicious application is neither effective nor intelligent, in addition to also being resource heavy on an organization.

What are your recommendations with respect to “bring your own device” policy?

Dan references his research presentation that he delivered at SOURCE Boston this year titled “Mobile Exploit Intelligence Project”. As part of the research, Dan collected a comprehensive database of every piece of mobile malware that affected iOS and Android. This research was used to draw conclusions as to what security measures would be effective if implemented on those devices to protect against the malware that currently exists in the wild.

He points out that there are not really any mobile security products in the market right now that can mitigate against these flaws. To have an effective BYOD policy, Dan states that you need to assume that your devices are compromised, no endpoint security products that can prevent your devices from being compromised. One possible solution Dan talks about is the concept of “secure containers” to store encrypted information on mobile devices. Dan’s colleague, Dino Dai Zovi has written a paper on how effective the data protection APIs are on iOS, and how it is somewhat tenable to create secure containers to store encrypted information in iOS.

CLICK HERE to view Dan’s presentation at SOURCE Boston titled “Mobile Exploit Intelligence Project”.

Data with “integrity” is said to have a complete or whole structure. Data values are standardized according to a data model and/or data type. All characteristics of the data must be correct – including business rules, relations, dates, definitions and lineage – for data to be complete. Data integrity is imposed within a database when it is designed and is authenticated through the ongoing use of error checking and validation routines. As a simple example, to maintain data integrity numeric columns/cells should not accept alphabetic data.

As a process, data integrity verifies that data has remained unaltered in transit from creation to reception. As a state or condition, Data Integrity is a measure of the validity and fidelity of a data object. As a function related to security, a data integrity service maintains information exactly as it was inputted, and is auditable to affirm its reliability. Data undergoes any number of operations in support of decision-making, such as capture, storage, retrieval, update and transfer. Data integrity can also be a performance measure during these operations based on the detected error rate.

Data must be kept free from corruption, modification or unauthorized disclosure to drive any number of mission-critical business processes with accuracy. Inaccuracies can occur either accidentally (e.g .through programming errors), or maliciously (e.g. through breaches or hacks). Database security professionals employ any number of practices to assure data integrity, including:

• Data encryption, which locks data by cipher
• Data backup, which stores a copy of data in an alternate location
• Access controls, including assignment of read/write privileges
• Input validation, to prevent incorrect data entry
• Data validation, to certify uncorrupted transmission

Software developers must also be concerned with data integrity. They can define integrity constraints to enforce business rules on data when entered into an application. Business rules specify conditions and relationships that must always be true, or must always be false. When a data integrity constraint is applied to a database table, all data in the table must conform to the corresponding rule.

Twitter In The News: An interesting occurrence with Twitter this week was the supposed hack that resulted in the posting of over 50,000 user names and passwords online. An initial report by John Mello in PC World reported that “some of the accounts are duds created by robot programs.” Jay Alabaster said in a later article posted in ComputerWorld that, “None of the recently leaked Twitter logins and passwords came from within the company, according to a message posted on Twitter’s Japanese blog Thursday,” after it was determined that the posted accounts were duplicates, unmatched credentials, and spam accounts.

Spike in SQL Injection attacks: A mass increase of the number of SQL Injection attacks has occurred. A Dark Reading article by Ericka Chickowski reports that researchers have found that there has been a spike in automated SQLi attacks, which are being used by hackers to seek out sites that are vulnerable to the attack, who then sell the information in a monetization process. Organizations are being warned to keep up with patches, monitor applications, and use appropriate security measures. More information about Veracode and SQL Injection, as well as how you can protect yourself can be found here.

BYOD: A recently trending issue in the security world is BYOD. As reported by Ellen Messmer in PC World, a new survey “shows wildly abundant use of mobile devices, but profound concerns about security and how employee-owned devices ought to be used for business purposes.” It is also found that, “One-third of the IT professionals in the survey reported their company has already experienced some type of security threat associated with personal mobile devices accessing corporate data.”

Vulnerability in PHP: A very large number of sites using PHP scripting language are currently endangered by an unpatched vulnerability in the code, writes Dan Gooding in Arstechnica. The weakness allows hackers to remotely take control of servers when the PHP sites are running CGI (not FastCGI). Even worse, the full details of the exploit went public, providing hackers with all the information they need to locate and take advantage of the vulnerabilities. There are updates and patches available to mitigate the risk.

Keeping the London Olympics safe from cyber attacks: With the threat of cyber attacks on the 2012 Summer Olympics in London, Atos, the IT outsource for the games, has wrapped up its first round of testing writes Anh Nguyen. He further reports that, “The CIO for the London Organizing Committee for the Olympic Games (LOCOG) said last year that cyber criminals would find it ‘very hard’ to launch a distributed denial of service (DDoS) attack on the Games’ website.”

We’ve also included a short recap of highlights of the interview in this post.

How can organizations better communicate around vulnerabilities?
Dan details the behavioral problem that exists in most organizations today when vulnerabilities are found in software. He notes that organizations are very concerned about individual vulnerabilities, not as much about the reasons as to why the vulnerabilities exist. Dan notes that mitigation efforts should be focused around classes of vulnerabilities, not the individual vulnerabilities that are found.

Which vulnerabilities matter most on the web?
Dan talks about the disparity between the vulnerabilities that the security industry focuses on vs. vulnerabilities that hackers care about. He further goes on to mention that vulnerabilities that matter most on the web are the ones that gain the hacker a shell on a server, like SQL Injection or remote command execution.

Should different businesses focus on different vulnerabilities?
Dan focuses on the vulnerabilities organizations should care about, depending on the type of business model they use. For instance, a service provider whose customers have individual user accounts or a social networking websites like Facebook should care about Cross-site scripting (XSS). On the other hand, SQL Injection attacks have increased in frequency, and should be on every organization’s watch list.

Stay tuned for more sessions with Dan Guido which we will be showcasing next week on our blog.

The webinar enjoyed ample audience participation and response, including a few questions submitted by attendees which did not get addressed live on the webinar due to time constraints. Below we highlight a few of those.

Q: Of the software development houses that are producing these “vulnerable” applications, how many of them have a security assessment phase in their development life-cycle?

Wysopal: The software developers do not disclose to us what security they perform in the SDLC. It is likely that those who have robust programs are the ones passing our test and the ones with no programs are failing but that is just a hypothesis. We would need to ask each customer what application security processes they are performing.

Q: Did you study look at the platform or Operating System upon which the application executes as a factor?

Wysopal: No it does not. For most application layer vulnerabilities this does not matter however.

Q: Can you define the “information leakage” vulnerability? Is there a catalog describing all the vulnerabilities commented in this presentation?

Wysopal: Information leakage happens when sensitive information is displayed to the user inadvertently. An example would be pathnames or database IP addresses returned within an error message to a user. An attacker can use this information to attack the system. The MITRE CWE website catalogs application vulnerabilities. Here is an example: http://cwe.mitre.org/data/definitions/209.html

Q: Of all of the vulnerabilities you find in these applications, which is the most easily exploited ?

Wysopal: The top 4 exploited as determined by the Web Hacking Incident Database are :

1. SQL Injection
2. Cross site scripting
3. Information leakage
4. Command injections

Other reports have ranked directory traversal as another often exploited vulnerability.

Q: Once you complete your testing for a company, what is the usual request/reaction from the business and do you provide them a solution regarding how to make their environment more secure?

Wysopal: Veracode provides a remediation roadmap which includes prioritization and information on how to remediate each specific issue. Some organizations remediate and others choose not to. It depends on the severity of the issues and the businesses tolerance for risk.

Q: The total of Percentage of Hacks seems to be low in the below slide. What methods of attack make up the other 64%?

Wysopal: According to the Web Hacking Incident Database, the other top attack methods are the following:

Less than 1%:

• Clickjacking
• Malvertising
• Forceful Browsing
• Malware
• Phishing
• Remote File Inclusion (RFI)
• Domain Hijacking
• Hidden Parameter Manipulation
• Local File Inclusion (LFI)

If you have any additional questions for Chris Wysopal on this subject, feel free to send them over.

To get a recorded video of the webinar with slides, click here.

Also, if you would like to get a understanding of how to build and scale an Application Security program within your organization, check out Veracoder Fergal Glynn’s latest blog post on threatpost.

Enterprise Security Practices: “Latest wave of healthcare data breaches symptomatic of sloppy security practices” by Neil Roiter (@nroiter). In this Security Bistro blog post Neil Roiter takes a look at the current state of security in the healthcare industry. Neil offers statistics from Symantec’s recently released Internet Security Threat Report that focus on the major security concerns plaguing the industry today – particularly data breaches. He also offers a more in-depth look at some of the severe data breaches the healthcare industry has suffered in the past decade or so. The post ends with a sliver of hope: the Health Information Trust Alliance (HITRUST) has created the HITRUST Cybersecurity Incident Response and Coordination Center, a multi-organizational effort aimed at preventing attacks through collaboration.

Apple Security: “Flashback malware exposes big gaps in Apple security response” by Ed Bott (@edbott). In this article Ed Bott offers his take on Apple’s security practices following the two large scale malware attacks against the company over the past year or so. This issue has received a lot of attention lately, especially after Eugene Kaspersky’s criticisms of Apple’s security responses. Ed breaks down Apple’s security shortcomings into four basic issues: poor response time in releasing security updates, the lack of an option for automated updates, Apple’s practice of only releasing updates for the most recent versions of its operating system, and inadequate disclosure practices.

PHP Vulnerability: “Serious Remote PHP Bug Accidentally Disclosed” by Dennis Fisher (@DennisF). This past Wednesday saw the unfortunate disclosure of a PHP vulnerability that was discovered and reported by researchers in January of this year. The remote-code execution vulnerability allows attackers to to access information and execute arbitrary code using certain query strings. PHP Group Developers are currently still working on patching the flaw, just as they were when it was accidentally disclosed.

Skype Security Hole: “Skype knew about IP address security flaw since November 2010” by Lisa Vaas (@LisaVaas). Voice and video chat app Skype has received lots of criticism this week after it was found that the application has knowingly contained a significant security flaw for the past year and a half. The flaw allows hackers to access private user data including location, internet provider, and IP address. This information is sensitive because it can be used to facilitate industrial espionage and potentially cyber attacks against corporations. Skype reports that they are looking into a solution.

SOCA Attack: “UK’s SOCA website taken offline in DDoS attack” by Zack Whittaker (@zackwhittaker). The website for the United Kingdom’s Serious Organised Crime Agency has been down since Wednesday evening following a distributed denial-of-service (DDoS) atack. It is suspected that the attack was done in response to SOCA’s announcement in late April that they had regained the credentials of 2.5 million stolen credit cards and had begun arresting the individuals found responsible. SOCA willingly shut down their site in order to protect taxpayers from bearing the financial burden of running the site during the attack. It is still unknown as to who is responsible for the attack.

That conversation got me thinking about how a CFO might look at Veracode’s State of Software Security (SOSS) reports – especially the latest supplement that focuses on public companies. It seems to me that SOSS gives CFOs some raw data to start understanding the bets the company is making with their application development and application sourcing processes.

For example, 84% of web applications from public companies were found to be vulnerable to web application vulnerabilities listed in the OWASP Top 10. While our report looks at the prevalence of a wide variety of flaws, this statistic is telling because it focuses on the most easily and frequently exploited web application vulnerabilities – the ones that have flashing neon signs saying “WELCOME HACKERS, ENTER HERE.” This statistic is saying that if a typical web application is deployed without going through some sort of security quality checks and mitigation, then there is a higher probability of surprises for a CFO.

Our analysis further showed that public company revenue has no bearing on application security performance against industry standards, proving that improvements are needed across companies of all sizes. What this means is that public companies of all sizes are making bets that there will be no CFO surprises once the applications are live.

Given what we’re seeing in the public company SOSS data, those bets are long-shots that would give any CFO ulcers. So one of the things we’re working on with our business consulting partners is A Financial Model for Application Security Debt which we hope will eventually help CFOs get a better handle on modeling the monetary risks of their software vulnerabilities.