mmoesse's picture

bellWe’re only a fraction of the way into 2014 and the data breach headlines keep coming. The latest in the list of cyber-attack casualties is Bell Canada, which was affected by a breach that impacted tens of thousands of its customers. On February 2nd, Bell Canada confirmed it had been hacked by hacktivist group “NullCrew”.

From a security perspective, it was interesting to note that the hackers did not have to rely on sophisticated, cutting-edge attacks to extract sensitive customer data. Instead, we’re seeing the same “tools of the trade” – like SQL Injection – used to attack major corporations at their most porous and susceptible entry point – the application perimeter.

Let’s take a closer look at the Bell Canada breach to see what actually happened. “NullCrew”, the hactivist group, approached the attack the same way an automated scanner would – exposing vulnerable functionality on a webpage. According to several blogs, it appears the site was developed in Classic ASP, a programming language that Microsoft retired nearly 12 years ago. Such legacy websites are still in use at many organizations today, often ignored, or even unknown to the organizations themselves. The presence of these legacy sites increases data breach risk, as it opens up a window of opportunity for anonymous threats.

Today’s application perimeter is vast, and is largely a reflection of the rapidly changing business and technology climate. Business expansion is creating a proliferation of marketing microsites, 220px-Nullcrewassets acquired through mergers & acquisitions, business applications, customer applications, and third-party applications. The problem is that no one tracks, secures or shuts down these applications when they leave active development. The result is an ever expanding web perimeter, exposing organizations to a huge breach risk caused by insecure web applications. Covering the entire perimeter is the new application security challenge. How is a CISO supposed to manage this maze of web assets with fixed resources and budget? We know for sure that network security alone can’t meet the demands of application layer attacks; in fact, application vulnerabilities are the top concern of security professionals.1

Bell also announced that the attack happened via a third-party supplier, and its own network and IT systems were not impacted.2 This points to the role of the supply chain as an entry point for attackers which is being used as a gateway to customer data. Recent attacks on the Washington Post and CNN were also traced to a weakness with a third-party supplier, Outbrain. Third-party risk is inherent in an enterprise’s software ecosystem. All enterprises assume some risk in using applications sourced from vendors and suppliers. However, most enterprises assume unnecessary and unmitigated risk by their acceptance of vendor software without independent verification of security.

The majority of malicious attacks can be largely avoided by enterprises if some basic security measures are quickly implemented.

  • Inventory web applications to determine the full extent of the web perimeter.[pdf] Identify all the legacy apps, marketing microsites, and applications from acquired organizations and do a quick baseline scan to identify and fix vulnerabilities in these applications.
  • Conduct automated security testing, such as Static or Dynamic analysis to identify and secure applications quickly and efficiently.
  • Mitigate your third-party risk by requesting your suppliers to provide independent attestation of their software.
  • Build a repeatable program to continuously monitor and test the security of your web applications.

Veracode has services that help address these issues. Veracode’s security solutions include Discovery[pdf], for creating an inventory of known and unknown web applications; DynamicMP, for rapid baseline scanning of all applications on the perimeter; and VAST, for independently verifying the security of 3rd party applications.

What do you think of the risks associated with the web perimeter and the supply chain? I’d love to hear your comments below.

[1] The 2013 (ISC)2 Global Information Security Workforce Study

Comments (0)

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.