Posted by Ashutosh Agrawal on December 2, 2015
The old proverb, "you don't know where you're going until you know where you've been," is an apt description of the field of application security. The industry is still relatively young, and we are still learning from our mistakes as we build the baseline from which we can move forward. To learn from our past, we must first identify the areas that need improvement.
As 2015 nears its end, it's time to reflect on some of the most infamous security breaches of the year: breaches that affected tens of millions of users and exposed sensitive personal data across a variety of industries. For context, over a billion records were breached in 2014, a surge of 78% over 2013. Where does that leave us? Are attacks on a downward trajectory in 2015? Let's find out.
The year started with a sophisticated attack on Anthem, one of the largest health insurers in the country. The attack compromised the personal data (including Social Security numbers, health care ID numbers, and income data) of over 80 million people. Notably, the stolen data was not encrypted.
Under the HIPAA Security Rule, encryption is an "addressable" control rather than a required one, so each covered entity decides for itself how best to protect its customers' data. Although Anthem encrypted data while moving it between databases (data in transit), it did not encrypt it in storage (data at rest), which left the stored records readable to anyone who reached the database.
Protecting both data in transit and data at rest is a basic data life cycle requirement, and it is covered thoroughly by every major standard (HIPAA, NIST SP 800-53, ISO 27001, etc.). Making matters worse, the attackers bypassed other controls and obtained an internal administrator's credentials. That detail matters: encryption at rest is not a cure-all, because an attacker holding valid administrator credentials can often read data through the same path the application uses. It raises the bar, but it must be paired with strong credential protection and monitoring of privileged access.
The attackers obtained some of the most valuable information a person has, and unlike a password or a credit card, a Social Security number cannot be changed or cancelled once it is exposed. Although Anthem offered affected customers a year of free credit monitoring and identity protection, this can be a lifelong battle for the victims, who remain exposed to identity theft, fraudulent tax returns, and other harms long after the monitoring period ends. The breach puts the healthcare industry in the spotlight, and its security standards and practices will be questioned for some time to come.
In June of this year, the Ivy League was hit as well. On June 19, Harvard discovered a breach of its Faculty of Arts and Sciences and Central Administration networks. It is believed that login credentials for personal computers and university accounts were obtained. Harvard is not alone: at least eight other higher-education systems were breached this year.
While it is simple enough to reset student and faculty login credentials, the fact that this is a widespread pattern should make administrators ask what else those credentials could have given the attackers access to. Universities in the U.S. and globally should be addressing security both to protect their students and faculty and to protect the reputation of the institution.
In July of 2015, attackers compromised Ashley Madison and published its entire MySQL database, along with the site's source code, on a Tor hidden service (an anonymity network). The root cause is still unknown, though an insider may have helped carry out this massive breach.
Even though the passwords were hashed with bcrypt, which is deliberately slow to brute-force, insecure coding practices found in the leaked source code gave attackers enough leverage to crack 15 million passwords in a matter of days; the weakness was in how the code handled credentials around bcrypt, not in bcrypt itself. A closer look also shows that several thousand users chose poor and predictable passwords such as 123456, 12345, password, qwerty and abc123. No hashing scheme, however slow, protects a password that sits in the top ten of every wordlist.
Ashley Madison had been planning to go public, but dropped the idea after the attack came to light. Needless to say, the CEO of the parent company, Avid Life Media, also resigned after the breach.
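The two lessons of the Ashley Madison breach are worth seeing in working code: a slow password hash only buys time per guess, so the weakest passwords still fall to a tiny wordlist, and any second, faster representation of the same password anywhere in the code base throws that time away. The script below is an added illustration, not code from the original post or from the breached site. It uses Python's stdlib `pbkdf2_hmac` with a high iteration count as a stand-in for bcrypt, and a hypothetical unsalted MD5 "login token" over username and password as a generic example of an insecure shortcut; the user table and wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt: a deliberately slow, salted KDF (stdlib so it runs anywhere).
SLOW_ITERATIONS = 20_000

# Constructed wordlist: the predictable choices named in the post.
COMMON_PASSWORDS = ["123456", "12345", "password", "qwerty", "abc123"]


def slow_hash(password: str, salt: bytes, iterations: int = SLOW_ITERATIONS) -> bytes:
    """Salted, slow password hash (the bcrypt role in this demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def fast_token(username: str, password: str) -> str:
    """Hypothetical insecure shortcut: an unsalted, fast hash that also
    encodes the password. One guess costs one MD5 instead of one slow KDF."""
    return hashlib.md5(f"{username}::{password}".encode()).hexdigest()


def make_record(username: str, password: str, with_token: bool) -> dict:
    """Build a leaked-style user row; with_token=True adds the weak side channel."""
    salt = os.urandom(16)
    rec = {"user": username, "salt": salt, "slow": slow_hash(password, salt)}
    if with_token:
        rec["token"] = fast_token(username, password)
    return rec


def crack_slow(records: list, wordlist: list) -> tuple:
    """Brute-force straight against the slow hash.
    Returns (cracked {user: password}, number of slow hashes computed)."""
    cracked, slow_work = {}, 0
    for rec in records:
        for guess in wordlist:
            slow_work += 1
            if hmac.compare_digest(slow_hash(guess, rec["salt"]), rec["slow"]):
                cracked[rec["user"]] = guess
                break
    return cracked, slow_work


def crack_via_token(records: list, wordlist: list) -> tuple:
    """Use the fast token to pick the candidate, then spend exactly one slow
    hash per user to confirm it. Users without a token are untouched."""
    cracked, slow_work = {}, 0
    for rec in records:
        token = rec.get("token")
        if token is None:
            continue
        for guess in wordlist:
            if hmac.compare_digest(fast_token(rec["user"], guess), token):
                slow_work += 1
                if hmac.compare_digest(slow_hash(guess, rec["salt"]), rec["slow"]):
                    cracked[rec["user"]] = guess
                break
    return cracked, slow_work


def is_weak_password(password: str, min_length: int = 12) -> bool:
    """Registration-time check: reject wordlist entries and short passwords."""
    return len(password) < min_length or password.lower() in COMMON_PASSWORDS


def demo() -> dict:
    """Constructed sample table: two users with the weak token, one without."""
    records = [
        make_record("alice", "qwerty", with_token=True),
        make_record("bob", "correct horse battery staple", with_token=True),
        make_record("carol", "123456", with_token=False),
    ]
    by_slow, slow_cost = crack_slow(records, COMMON_PASSWORDS)
    by_token, token_cost = crack_via_token(records, COMMON_PASSWORDS)
    return {
        "cracked_by_slow_hash": by_slow,     # alice and carol: weak passwords fall anyway
        "slow_hashes_spent": slow_cost,      # one slow hash per guess per user
        "cracked_via_token": by_token,       # alice only: carol has no token
        "slow_hashes_via_token": token_cost, # one slow hash per cracked user
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things to take from the run: `crack_slow` still recovers every wordlist password, because slowness limits guesses per second, not the number of guesses a bad password needs; and `crack_via_token` recovers the same users for a fraction of the slow-hash work, which is why any fast hash, token, or log line that encodes a password undoes the investment in bcrypt. The `is_weak_password` check belongs at registration, where it is cheap; after a leak it is too late.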
Broadly speaking, all three attacks can be attributed to inadequate compliance requirements, deficient coding practices and insufficient vendor management programs. The common thread is that security was either ignored or was not applied end to end.
Verizon's 2015 Data Breach Investigations Report found that 96% of the nearly 80,000 security incidents it analyzed this year fall into just nine basic attack patterns. Unless organizations make security an integral part of their people, processes, technology and strategy, such breaches will continue to rise and grow in complexity.
If these statistics are making you second-guess your firm's security initiative, a good place to start is by downloading the Building Security In Maturity Model (BSIMM). If you join the BSIMM Community, you can use your BSIMM score to assess your firm's software security program on a recurring basis.
It's also important to note that internally developed software isn't the only source of risk. It is worth requiring vBSIMM, the vendor edition of the model, from your software suppliers as well. Companies can rely on BSIMM to gauge the maturity of their existing security practices through a range of assessments, and then use the results to plan continual process improvement.
Organizations need to allocate more time and attention to hardening their key systems rather than blanketing the entire portfolio with commodity assessments. Assessing the health of the overall software security initiative is what confirms that adequate controls are in place to protect the company's name, value, and brand.