We’re only a fraction of the way into 2014 and the data breach headlines keep coming. The latest in the list of cyber-attack casualties is Bell Canada, which was affected by a breach that impacted tens of thousands of its customers. On February 2nd, Bell Canada confirmed it had been hacked by hacktivist group “NullCrew”.
From a security perspective, it was interesting to note that the hackers did not have to rely on sophisticated, cutting-edge attacks to extract sensitive customer data. Instead, we’re seeing the same “tools of the trade” – like SQL Injection – used to attack major corporations at their most porous and susceptible entry point – the application perimeter.
Let’s take a closer look at the Bell Canada breach to see what actually happened. “NullCrew”, the hactivist group, approached the attack the same way an automated scanner would – exposing vulnerable functionality on a webpage. According to several blogs, it appears the site was developed in Classic ASP, a programming language that Microsoft retired nearly 12 years ago. Such legacy websites are still in use at many organizations today, often ignored, or even unknown to the organizations themselves. The presence of these legacy sites increases data breach risk, as it opens up a window of opportunity for anonymous threats.
Today’s application perimeter is vast, and is largely a reflection of the rapidly changing business and technology climate. Business expansion is creating a proliferation of marketing microsites, assets acquired through mergers & acquisitions, business applications, customer applications, and third-party applications. The problem is that no one tracks, secures or shuts down these applications when they leave active development. The result is an ever expanding web perimeter, exposing organizations to a huge breach risk caused by insecure web applications. Covering the entire perimeter is the new application security challenge. How is a CISO supposed to manage this maze of web assets with fixed resources and budget? We know for sure that network security alone can’t meet the demands of application layer attacks; in fact, application vulnerabilities are the top concern of security professionals.1
Bell also announced that the attack happened via a third-party supplier, and its own network and IT systems were not impacted.2 This points to the role of the supply chain as an entry point for attackers which is being used as a gateway to customer data. Recent attacks on the Washington Post and CNN were also traced to a weakness with a third-party supplier, Outbrain. Third-party risk is inherent in an enterprise’s software ecosystem. All enterprises assume some risk in using applications sourced from vendors and suppliers. However, most enterprises assume unnecessary and unmitigated risk by their acceptance of vendor software without independent verification of security.
The majority of malicious attacks can be largely avoided by enterprises if some basic security measures are quickly implemented.
Veracode has services that help address these issues. Veracode’s security solutions include Discovery[pdf], for creating an inventory of known and unknown web applications; DynamicMP, for rapid baseline scanning of all applications on the perimeter; and VAST, for independently verifying the security of 3rd party applications.
What do you think of the risks associated with the web perimeter and the supply chain? I’d love to hear your comments below.
 The 2013 (ISC)2 Global Information Security Workforce Study