Over the last several weeks, we have seen high-profile cybersecurity breaches involving RSA, the CIA, Sony, the U.S. Senate and the FBI’s InfraGard to name a few. What did we learn from the recent LulzSec rash of high-profile security breaches? To me, it reinforces the concept of “sweating the small stuff,” or, simply, paying attention to the details germane to information security. These breaches are primarily the result of opportunistic attacks waged against exploitable and known vulnerabilities.
To support this position, consider June 27, when the Department of Homeland Security provided a Top 25 list of software errors. This list, called the Common Weakness Enumeration, develops a scoring system and risk analysis framework for evaluating the seriousness of flaws and prioritizing weaknesses. If you thought that this new list looks a lot like the OWASP (Open Web Application Security Project) Top 10 Web Application Security Risks, you would be correct. The OWASP Top 10 list has been around since about 2004, and scanning tools have been built to assess websites against the vulnerabilities included on the OWASP list. It would be reasonable to assume that security-conscious organizations would routinely assess their infrastructure against these standards.
According to a June Anti-Phishing Working Group (APWG) survey, the most targeted and attacked website suite of tools are ones that employ L-A-M-P. LAMP is an acronym for Linux as the operating system, which accounted for 76 percent of the attacks; Apache as the web server in 81 percent of attacks; MySQL as the database in 81 percent of attacks; and PHP/Java as the application platform in 82 percent of attacks. If not properly configured and maintained, the use of LAMP could be an extremely vulnerable combination of technologies and potentially raise an organization’s cyber-risk factors.
When considering the LAMP model, the lack of security patch application in any one of the four technologies could provide attackers with an opening. In the breach of RSA earlier this year, it only took one or two employees to activate the phishing email. And, having a CISO responsible for cybersecurity might have negated or at least minimized Sony’s compromise.
While changing corporate cultures and practices with regard to security is extremely difficult, a sound information security posture includes the old but effective combination of security infused at the people, process and technology levels. In the rush to reach for the “clouds,” cut corners and save money, the security details can’t be overlooked.
30 seconds on…
»Speak truth, not spin
Ron Baklarz says he was dismayed by the post-compromise, defensive articulation by RSA and Sony that they had been victimized by extremely sophisticated attacks.
»APT, in fact
It turns out that RSA was victimized by an advanced persistent threat (APT)-type attack that began with a relatively unsophisticated, but successful phishing email compromise.
»Have personnel in place
Further, he says, with 1,000 subsidiaries and approximately 168,000 employees, Sony did not have anyone in a CISO capacity. It is currently scrambling to fill this position.
»Filling all the holes
Someone once said, “To attack us, the terrorists only have to be right once. To stop them we have to be right 100 percent of the time.” This holds true in cybersecurity as well.