Cyber Security Index: “Cyber Security Index Highlights Political Threats, Business Partner Risk” by Paul Roberts (@paulfroberts). This article from Threatpost looks at this year’s Index of Cyber Security score of 1292, which is 292 points higher than when it was introduced last April. The Index was created by Dan Geer and Mukul Pareek in an attempt to gauge the level of perceived cyber risk and concern based on surveys conducted amongst cyber security professionals. Since its inception, the index has been steadily rising – a trend that can most likely be credited to the increasing number of cyber attacks taking place and the media exposure these attacks have gained. The article also provides a graph showing the “Cyber Fear” Index from month-to-month since March 2011 and a look at what sort of information we can expect to see on next year’s report.

Unisys Security Index: “Americans Rate Cyber-Security as Hot Issue in Presidential Election: Survey” by Brian Prince (@eweeknews). Unisys recently conducted a survery for its bi-annual Security Index, and the results show a major increase in American focus on Cyber-Security awareness and concern as an issue in the upcoming presidential election. Despite this finding, the Unisys Security Index still dropped overall for security concern. Read the full article for more statistics from the Index as well as Prince’s analysis on these national trends. For further commentary on today’s cyber threat environment check out our Q&A with cyber security guru Richard Clarke.

Enterprise Mobile Security: “Companies slow to react to mobile security threat” by Antone Gonsalves (@antoneg). This article offers Antone Gonsalves’ take on the findings from a new study on mobile security from Juniper Networks. The main takeaway from the study is that employees are using mobile devices at work to engage in high-risk activities, often without company consent. Juniper found nearly 90% of employees surveyed to be using their own devices to interact with sensitive company data and that in over 40% of these cases the employer was unaware they were doing so. In addition to these issues, mobile malware is increasing at an alarming rate, subjecting companies to possible data theft or breaches. On a more positive note, Juniper’s report found that a strong share of those surveyed are willing to work with their employers to protect their devices.

For more on “Bring your own Device” policy, check out our new video interview series with Dan Guido of Trail of Bits. In this segment Dan discusses BYOD for businesses and mobile platform security. Read our post and watch the video here.

Data Breach Aftermath: “Global Payments Breach Fueled Prepaid Card Fraud” by Brian Krebs (@briankrebs). Unfortunately it looks like the fallout from the Global Payments data breach is not yet over. Since early March of this year there have been numerous cases of debit card fraud using Union Savings Bank information stolen in the Global Payments breach that made headlines earlier in the year. According to bank officials, the fraud has already cost Union Savings Bank about $75,000, with another $10,000 being spent on replacing customer cards. Additionally, the fraud cases have brought up some new questions about the timing and extent of the damage of the Global Payments breach itself.

Click here to learn about data breaches in general.

SEC Guidance: “SEC Guidance Is a Really Big Deal” by Richard Bejtlich (@TaoSecurity). Richard Bejtlich wrote this blog post after speaking on SEC guidance at a recent conference. According to Richard, the SEC guidance is a “game changer” for several reasons, including its plans for enforcement and an increase in lawsuits and whistleblowing against companies with poor disclosure practices. Richard also provides insights to the new SEC guidance from Congress and Senator Jay Rockefeller.

CLICK HERE to view our webinar showcasing latest research findings about software security posture of public companies.

Photo Courtesy of techtwisted.com

The ability to choose what is disclosed to others is the essence of privacy today. Some would argue that this disclosure policy is not really privacy but equates more closely to confidentiality. Confidentiality deals with relationships and not individual privacy. Confidentiality “involves trusting others to refrain from revealing personal information to unauthorized individuals.”

It’s in this choice of disclosure that the essence of privacy resides. The fact that we willingly give information from ourselves to another entity does not inherently mean that we give permission for that entity to share it with others. Nor does it give the entity the permission to sell, use, or otherwise attempt to profit from that information. Yet that exact premise is what numerous businesses are built upon today. Privacy transference is a major problem.

We click through and digitally sign user agreements that give web properties the rights to share any and all data we upload to third parties. This includes online social networks, games, software as a service solutions, and especially mobile device applications and providers. Advertising is becoming more and more targeted thanks to the customer specific profiles being created. (See Veracode post – Mobile Apps Invading Your Privacy)

Three specific Internet phenomenon have exacerbated the privacy problem to that of high risk making it something that will have to be solved sooner rather than later. The quantity of data we are putting online is enormous and growing exponentially. The type of data that is being placed online is becoming increasingly more private, and in the event we are diligent and only put up public data, many times private information can be inferred. Finally, thanks to big data and the continually lowering cost of storage, we can be assured that all of the data that we place online will be there long after we are gone. The collection of content and the mapping of that data to create a detailed consumer profile is rapidly becoming a major issue for individuals world wide. The collection of detailed data crosses personal boundaries for those that feel it will be abused.

As always I’m sure people want to know how to fix the problem. I don’t have an answer. I wish I did because this is a real problem that requires intelligent solutions. My gut tells me that the problem will be solved eventually via government regulation and intervention. For the sake of businesses and consumers today I hope that we can police ourselves and do the right thing so that government intervention isn’t required. Businesses need to stop private data transference. Consumers must stop putting sensitive data online (I know, this one is a pipe-dream). And everyone must opt OUT of tracking by default and allow users who want the convenience of direct marketing to choose that service, not the other way around.

We also added in a quick summary to cover the highlights of the interview.

How can organizations prepare to face security threats?
Dan states that organizations should look at all the attacks that are happening in the industry they are in, (from peers, data releases from security companies), so they can learn from the lessons that other companies have experienced. Dan states that there is not enough sharing of information in the industry about attacker techniques, tactics and procedures that have been used to perform compromises. Companies need to collect and analyze attack data, understand what hackers are doing, and then utilize that information to develop defenses that work against the techniques being used. Security programs should be able to trace back to actual reductions in data loss.

Which attack vectors pose the greatest threat to enterprises today?
Dan stresses the importance of protecting the entire enterprise from threats, not just protecting one single application. That said, he also notes that attackers interested in financial fraud or credit card theft will be focused on compromising individual applications. To defend against them, enterprises may want to use dynamic web scanning, or source code auditing per application.

To view the other interviews with Dan Guido posted as part of this series, click on the links below.

1. Interview with Dan Guido on Vulnerabilities
2. Interview with Dan Guido on Mobile Platforms and BYOD

Let us know how you liked this interview series with Dan Guido, and if you have any suggestions for other hot topics you would like to see industry experts discuss.

Black Hat (Las Vegas – July 21-26, 2012) provides briefings and training for security professionals from around the world. Black Hat differentiates itself by working at many levels within the corporate and government communities. This unmatched informational reach enables Black Hat attendees to be continuously aware of the newest vulnerabilities, defense mechanisms, and industry trends. Black Hat has grown over the past 15 years from a single annual conference in Las Vegas to a global conference series with annual events in Abu Dhabi, Barcelona, Las Vegas and Washington DC. It has also become a premiere venue for elite security researchers and the best security trainers to find their audience.

Congratulations Chris!

Read below for a quick synopsis of the interview.

Is iOS the most secure platform?
Dan states that it’s definitely possible to exploit vulnerabilities in iOS. He then goes on to explain that it’s either too costly to do this or there are other mitigations that prevent this from happening. By disincentivizing the mobile malware community from performing malware attacks on the iOS platform using clever design choices, Apple demonstrated a different approach to tackle the problem of mobile malware. Dan concludes that Apple’s approach has been different and certainly a very effective response to the mobile malware problem

Dan mentions that trying to trace every single unique identifier for very single malicious application is neither effective nor intelligent, in addition to also being resource heavy on an organization.

What are your recommendations with respect to “bring your own device” policy?

Dan references his research presentation that he delivered at SOURCE Boston this year titled “Mobile Exploit Intelligence Project”. As part of the research, Dan collected a comprehensive database of every piece of mobile malware that affected iOS and Android. This research was used to draw conclusions as to what security measures would be effective if implemented on those devices to protect against the malware that currently exists in the wild.

He points out that there are not really any mobile security products in the market right now that can mitigate against these flaws. To have an effective BYOD policy, Dan states that you need to assume that your devices are compromised, no endpoint security products that can prevent your devices from being compromised. One possible solution Dan talks about is the concept of “secure containers” to store encrypted information on mobile devices. Dan’s colleague, Dino Dai Zovi has written a paper on how effective the data protection APIs are on iOS, and how it is somewhat tenable to create secure containers to store encrypted information in iOS.

CLICK HERE to view Dan’s presentation at SOURCE Boston titled “Mobile Exploit Intelligence Project”.

Data with “integrity” is said to have a complete or whole structure. Data values are standardized according to a data model and/or data type. All characteristics of the data must be correct – including business rules, relations, dates, definitions and lineage – for data to be complete. Data integrity is imposed within a database when it is designed and is authenticated through the ongoing use of error checking and validation routines. As a simple example, to maintain data integrity numeric columns/cells should not accept alphabetic data.

As a process, data integrity verifies that data has remained unaltered in transit from creation to reception. As a state or condition, Data Integrity is a measure of the validity and fidelity of a data object. As a function related to security, a data integrity service maintains information exactly as it was inputted, and is auditable to affirm its reliability. Data undergoes any number of operations in support of decision-making, such as capture, storage, retrieval, update and transfer. Data integrity can also be a performance measure during these operations based on the detected error rate.

Data must be kept free from corruption, modification or unauthorized disclosure to drive any number of mission-critical business processes with accuracy. Inaccuracies can occur either accidentally (e.g .through programming errors), or maliciously (e.g. through breaches or hacks). Database security professionals employ any number of practices to assure data integrity, including:

• Data encryption, which locks data by cipher
• Data backup, which stores a copy of data in an alternate location
• Access controls, including assignment of read/write privileges
• Input validation, to prevent incorrect data entry
• Data validation, to certify uncorrupted transmission

Software developers must also be concerned with data integrity. They can define integrity constraints to enforce business rules on data when entered into an application. Business rules specify conditions and relationships that must always be true, or must always be false. When a data integrity constraint is applied to a database table, all data in the table must conform to the corresponding rule.

Twitter In The News: An interesting occurrence with Twitter this week was the supposed hack that resulted in the posting of over 50,000 user names and passwords online. An initial report by John Mello in PC World reported that “some of the accounts are duds created by robot programs.” Jay Alabaster said in a later article posted in ComputerWorld that, “None of the recently leaked Twitter logins and passwords came from within the company, according to a message posted on Twitter’s Japanese blog Thursday,” after it was determined that the posted accounts were duplicates, unmatched credentials, and spam accounts.

Spike in SQL Injection attacks: A mass increase of the number of SQL Injection attacks has occurred. A Dark Reading article by Ericka Chickowski reports that researchers have found that there has been a spike in automated SQLi attacks, which are being used by hackers to seek out sites that are vulnerable to the attack, who then sell the information in a monetization process. Organizations are being warned to keep up with patches, monitor applications, and use appropriate security measures. More information about Veracode and SQL Injection, as well as how you can protect yourself can be found here.

BYOD: A recently trending issue in the security world is BYOD. As reported by Ellen Messmer in PC World, a new survey “shows wildly abundant use of mobile devices, but profound concerns about security and how employee-owned devices ought to be used for business purposes.” It is also found that, “One-third of the IT professionals in the survey reported their company has already experienced some type of security threat associated with personal mobile devices accessing corporate data.”

Vulnerability in PHP: A very large number of sites using PHP scripting language are currently endangered by an unpatched vulnerability in the code, writes Dan Gooding in Arstechnica. The weakness allows hackers to remotely take control of servers when the PHP sites are running CGI (not FastCGI). Even worse, the full details of the exploit went public, providing hackers with all the information they need to locate and take advantage of the vulnerabilities. There are updates and patches available to mitigate the risk.

Keeping the London Olympics safe from cyber attacks: With the threat of cyber attacks on the 2012 Summer Olympics in London, Atos, the IT outsource for the games, has wrapped up its first round of testing writes Anh Nguyen. He further reports that, “The CIO for the London Organizing Committee for the Olympic Games (LOCOG) said last year that cyber criminals would find it ‘very hard’ to launch a distributed denial of service (DDoS) attack on the Games’ website.”

We’ve also included a short recap of highlights of the interview in this post.

How can organizations better communicate around vulnerabilities?
Dan details the behavioral problem that exists in most organizations today when vulnerabilities are found in software. He notes that organizations are very concerned about individual vulnerabilities, not as much about the reasons as to why the vulnerabilities exist. Dan notes that mitigation efforts should be focused around classes of vulnerabilities, not the individual vulnerabilities that are found.

Which vulnerabilities matter most on the web?
Dan talks about the disparity between the vulnerabilities that the security industry focuses on vs. vulnerabilities that hackers care about. He further goes on to mention that vulnerabilities that matter most on the web are the ones that gain the hacker a shell on a server, like SQL Injection or remote command execution.

Should different businesses focus on different vulnerabilities?
Dan focuses on the vulnerabilities organizations should care about, depending on the type of business model they use. For instance, a service provider whose customers have individual user accounts or a social networking websites like Facebook should care about Cross-site scripting (XSS). On the other hand, SQL Injection attacks have increased in frequency, and should be on every organization’s watch list.

Stay tuned for more sessions with Dan Guido which we will be showcasing next week on our blog.

The webinar enjoyed ample audience participation and response, including a few questions submitted by attendees which did not get addressed live on the webinar due to time constraints. Below we highlight a few of those.

Q: Of the software development houses that are producing these “vulnerable” applications, how many of them have a security assessment phase in their development life-cycle?

Wysopal: The software developers do not disclose to us what security they perform in the SDLC. It is likely that those who have robust programs are the ones passing our test and the ones with no programs are failing but that is just a hypothesis. We would need to ask each customer what application security processes they are performing.

Q: Did you study look at the platform or Operating System upon which the application executes as a factor?

Wysopal: No it does not. For most application layer vulnerabilities this does not matter however.

Q: Can you define the “information leakage” vulnerability? Is there a catalog describing all the vulnerabilities commented in this presentation?

Wysopal: Information leakage happens when sensitive information is displayed to the user inadvertently. An example would be pathnames or database IP addresses returned within an error message to a user. An attacker can use this information to attack the system. The MITRE CWE website catalogs application vulnerabilities. Here is an example: http://cwe.mitre.org/data/definitions/209.html

Q: Of all of the vulnerabilities you find in these applications, which is the most easily exploited ?

Wysopal: The top 4 exploited as determined by the Web Hacking Incident Database are :

1. SQL Injection
2. Cross site scripting
3. Information leakage
4. Command injections

Other reports have ranked directory traversal as another often exploited vulnerability.

Q: Once you complete your testing for a company, what is the usual request/reaction from the business and do you provide them a solution regarding how to make their environment more secure?

Wysopal: Veracode provides a remediation roadmap which includes prioritization and information on how to remediate each specific issue. Some organizations remediate and others choose not to. It depends on the severity of the issues and the businesses tolerance for risk.

Q: The total of Percentage of Hacks seems to be low in the below slide. What methods of attack make up the other 64%?

Wysopal: According to the Web Hacking Incident Database, the other top attack methods are the following:

Less than 1%:

• Clickjacking
• Malvertising
• Forceful Browsing
• Malware
• Phishing
• Remote File Inclusion (RFI)
• Domain Hijacking
• Hidden Parameter Manipulation
• Local File Inclusion (LFI)

If you have any additional questions for Chris Wysopal on this subject, feel free to send them over.

To get a recorded video of the webinar with slides, click here.

Following new SEC guidance issued in the US relating to disclosure of cybersecurity risks in company filings, public companies are beginning to be measured by regulators and investors on the strength of their cybersecurity solution and ability to protect intellectual property and customer data. This infographic looks at the state of software security in public companies, and shows why companies and investors alike should care.

Add this Infographic to Your Website for FREE!

Small Version

Large Version

Infographic by Veracode Application Security