3 security risks that architecture analysis can resolve

Verizon performs an annual assessment of a large sample of breaches and attacks that take place all over the world and analyzes the most common problems and key areas which lead to major attacks. In this article, we discuss three specific security incident patterns from Verizon’s report and how architecture analysis assessments can help organizations detect and prevent these issues earlier in the software development life cycle (SDLC).

Point-of-Sale (PoS) intrusions

A Point-of-Sale (PoS) intrusion happens when an attacker tries to capture payment data by compromising the computers or servers running the PoS applications. Such attacks range from a simple social engineering attack (like a phone call to obtain credentials) to more sophisticated, multi-step mechanisms. Trends from the past three years show steady growth in PoS attacks (2013 – 173, 2014 – 196, and 2015 – 396).

Commonly, PoS intrusions occur because weak authentication controls guard remote access to systems where sensitive information, like user passwords or credit card details, is stored. For smaller organizations, direct attacks on the PoS system are often conducted by guessing or brute-forcing the password, possibly due to weak password complexity policies. Attacks on larger organizations often include multiple steps in which other systems are compromised before the PoS is targeted. A major factor in past compromises was the use of default credentials, but the recent shift has been towards stolen credentials. Other factors that contribute to the success of these breaches are a general lack of security controls and audit logs in PoS systems, insufficient network segmentation, and vulnerabilities in the PoS device software.

Architecture analysis assessments can help to detect these weaknesses and provide remediation guidance to prevent them from being exploited in a breach. Architecture analysis identifies weak or missing security controls, and is therefore an effective way to analyze access to PoS systems from various perspectives. For example, it can assess the password complexity policy, credential storage, and multi-factor authentication controls to determine whether they are adequate to prevent these types of attacks on PoS systems. The analysis can also identify dependencies on other components and systems, highlighting weaknesses that become exploitable once other internal systems have been compromised; according to the Verizon report, this was a common attack vector for large-scale PoS breaches.

Architecture analysis identifies not only technical failures but also process-oriented loopholes. As an example, it can check whether the process for adding or modifying user access must follow a sequence of approvals and verification checks, and whether these steps are audited to deter abuse.

Insider threats and privilege misuse

One of the most prominent and common security incident patterns is the insider threat. Insiders usually enjoy a high degree of trust within their organization and therefore have easier access to critical information such as credit card numbers, SSNs, or bank account details. Thus, the lack of a centralized data-classification and PII inventory, combined with inappropriate access control, can easily lead to a disaster.

Some users might occasionally need elevated privileges to access the sensitive data stored by the application in order to perform their duties. However, persistent and unaudited privileged access increases the risk of abuse by these insiders. Another risk is that unintended changes or misconfiguration of the database by privileged users could give a malicious end user easy access to sensitive data. The Verizon breach report points out that a majority of insider breaches are carried out by end users, rather than by developers or system administrators. Motives for a deliberate internal attack range from personal financial gain to a frustrated employee who vents his/her dissatisfaction by divulging sensitive internal information.

Architecture analysis assessments can help to identify the data residing within an application, classify that data appropriately, and assess whether the controls in place are sufficient to protect it. They can further assess the actors (insiders and outsiders) and their privileges to ensure they follow the principles of least privilege and segregation of duties, which helps to prevent privilege misuse. Finally, architecture analysis can also identify deficiencies in application logging and audit trails, which are important both as a deterrent and as a valuable source of information for a forensic investigation should an insider breach occur.
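To make the PoS and insider-threat checks above concrete, here is an added example (not from the original article or any Synopsys tool) that encodes a small deployment model as data and evaluates it against the weaknesses discussed: remote access without MFA, default credentials, missing audit logs on systems holding card data, sensitive systems sharing a network segment with other hosts, unclassified data assets, and persistent privileged access. The model layout, field names and rule wording are assumptions made for illustration.

```python
# Added example: a tiny "architecture analysis as code" check. The model layout,
# field names and rules are assumptions made for illustration, not a real tool.
from typing import Dict, List

# Constructed sample model of a store deployment: components, data assets, actors.
SAMPLE_MODEL: Dict = {
    "components": [
        {"name": "pos-terminal", "segment": "store-lan", "stores": ["card-data"],
         "remote_access": True, "mfa": False, "default_creds": True,
         "audit_logging": False},
        {"name": "back-office-db", "segment": "store-lan", "stores": ["card-data", "pii"],
         "remote_access": False, "mfa": False, "default_creds": False,
         "audit_logging": True},
        {"name": "corp-workstation", "segment": "store-lan", "stores": [],
         "remote_access": True, "mfa": True, "default_creds": False,
         "audit_logging": True},
    ],
    "data": {"card-data": {"classified": True}, "pii": {"classified": False}},
    "actors": [
        {"name": "cashier", "privileged": True, "access": "persistent"},
        {"name": "dba", "privileged": True, "access": "just-in-time"},
    ],
}

def analyze(model: Dict) -> List[str]:
    """Return one finding per weakness; each rule mirrors a pattern discussed above."""
    findings: List[str] = []
    comps = model["components"]
    sensitive = {c["name"] for c in comps if c["stores"]}  # holds card data or PII
    for c in comps:
        name = c["name"]
        if c["remote_access"] and not c["mfa"]:
            findings.append(f"{name}: remote access without multi-factor auth")
        if c["default_creds"]:
            findings.append(f"{name}: default credentials still in use")
        if name in sensitive and not c["audit_logging"]:
            findings.append(f"{name}: holds sensitive data but has no audit log")
        # Segmentation: a sensitive system sharing a network segment with other hosts
        peers = [o["name"] for o in comps
                 if o["segment"] == c["segment"] and o["name"] not in sensitive]
        if name in sensitive and peers:
            findings.append(f"{name}: shares segment {c['segment']} with {peers}")
    for dname, d in model["data"].items():
        if not d["classified"]:
            findings.append(f"data {dname}: missing from the data-classification inventory")
    for a in model["actors"]:
        if a["privileged"] and a["access"] == "persistent":
            findings.append(f"actor {a['name']}: persistent, unreviewed privileged access")
    return findings
```

Running `analyze(SAMPLE_MODEL)` on the constructed model yields seven findings, all on the PoS terminal, the back-office database, the unclassified PII asset and the cashier account, while the MFA-protected workstation and the just-in-time DBA produce none.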

Web app attacks

The 2015 Data Breach Investigations Report (DBIR) from Verizon shows that 9.4% of attacks were related to web applications. The causes of these attacks include a lack of two-factor authentication, configuration errors, brute-force attacks, and the absence of egress filtering on outbound traffic, which allows data to be exfiltrated once a breach occurs.

While penetration testing and code review are the primary means of identifying web app vulnerabilities, these assessments can be supplemented with architecture analysis. Architecture analysis reviews assess the crucial security controls that prevent applications from being compromised by web-related attacks. Some examples of these controls are authentication, authorization, cryptography, input validation, output encoding, auditing/logging, monitoring/alerting, session management, runtime environment verification, and password storage.

The review need not be limited to validating security controls; it may also cover configuration issues. A good architecture analysis can point out security misconfiguration and a lack of environment segregation.

Architecture analysis can also play a crucial role in identifying many web app related vulnerabilities. For instance, two major issues usually identified in applications are SQL injection and cross-site scripting (XSS). A well-defined architecture analysis review can evaluate whether the application employs effective security controls and follows best practices to defend against these and other common attack patterns. Beyond these standard attack patterns, more advanced architecture analysis reviews can also evaluate system-specific attacks and perform dependency analysis to discover vulnerabilities in the frameworks and components that the application relies on. Keeping an inventory of these dependencies, and running a process that ensures they are kept up to date and regularly patched for security issues, goes a long way towards countering the opportunistic web attacks that account for three-quarters of all web app compromises analyzed in Verizon’s report.

Securing applications earlier in the SDLC

Statistics show that while 50% of security issues are code-related defects, the remaining 50% are design-level problems which can’t be found effectively by code reviews or penetration testing alone. Architecture analysis can help us detect flaws early in the SDLC by analyzing the underlying design principles, architecture, security controls, and processes used to implement the application.

Architecture analysis requires an in-depth understanding of the application architecture. The assessments involve interview sessions with technical team members such as architects, lead developers, and design engineers to gain an understanding of the application design and architecture. This is usually followed by brainstorming exercises to uncover potential weak points. In addition to identifying flaws, these assessments can also categorize risks by business impact and help organizations prioritize them accordingly.

By deploying architecture analysis, you can find and fix design-level flaws in your applications and systems before they are exploited by criminal hackers or insiders. After all, we hope you won’t be part of the statistics in next year’s edition of Verizon’s Data Breach Investigations Report.