Research

This post will discuss security and compliance use cases for an enterprise application security program. The following are the main issues enterprises need to address with enterprise application management, in no particular order. None of these drivers are likely to surprise you. But skimming the top-line does not do the requirements justice – you also need to understand why enterprise applications offer different challenges for data collection and analysis, to fully appreciate why off-the-shelf security tools leave coverage gaps. Compliance Compliance with Sarbanes-Oxley and the Payment Card Industry Data Security Standard (PCI-DSS) remain the primary drivers for security controls for enterprise applications. Most compliance requirements focus on baselining ‘in-scope’ applications – essentially configuration assessments – to ensure known problem areas are periodically verified as compliant. Compliance controls typically focus on issues of privileged user entitlements (what they can access), segregation of duties, prompt application of security patches, configuring the application to promote security, and consistency across application instances. These assessment scans demonstrate that each potential issue has a documented policy, that the policy is regularly tested, and that the company can produce a report history to show compliance over time. The audience for this data is typically the internal audit team, and possibly third-party auditors. Change management & policy enforcement Beyond external compliance requirements enterprises adopt their own policies to reduce risk, improve application reliability, and reduce potential for fraud. These policies ensure that system and IT administrators perform their jobs – both to catch mistakes and to help detect administrative abuse of assigned privileges. Examples include removal of unneeded modules which contain known vulnerabilities, tracking all administrative changes, alerting on – and possibly blocking – use of inappropriate management tools, disabling IT administrators’ access to application data, and detecting users or permissions which could provide ‘backdoor’ access to the system. All of which means these policies are specific to an individual organization, are more complex, and require a great deal more than application assessment to verify. Effective enforcement requires a combination of assessment, continuous monitoring, and log file analysis. And let’s not beat around the bush – these policies are established to keep administrators – of IT, databases, and applications – honest. The audience for these reports is typically internal audit, senior IT management, automated change management systems, and the security group. Security A debate has raged for 15 years about whether the greatest threat to IT is external attackers or malicious insiders. For enterprise applications the distinction is less than helpful – both groups pose serious threats. Further muddying the waters, external parties seek privileged access, so they may be functioning as privileged insiders even when that is an impersonation. Beyond attack detection, common security use cases include quarterly ‘reconciliation’ review, watching for ad hoc operations, requests for sensitive data at inappropriate times or from suspicious locations, and even general “what the heck is going on?” visibility into operations. These operations are commonly performed by users or application administrators. Of all the use cases we have listed, identifying suspicious acts in a sea of millions of normal transactions is the most difficult. More to the point, while compliance and policy enforcement are preventive operations, security is the domain of monitoring usage in near-real time. These features are not offered within the application or supporting database platform, but provided through external tools – often from the platform vendor. Transaction verification As more enterprise applications serve external users through web interfaces, the problem of fraud growing. Every web-facing service faces spoofing, tampering, and non-repudiation attacks, and often (and worst) SQL injection. When successful these attacks can create bogus transactions, take partial control of the supporting database, and cause errors. But unlike general security issues, these attacks are designed to create fraudulent transactions and constructed to look like legitimate traffic. How companies detect these situation varies – some firms have custom macros or procedures that look for errors after the fact, while others use third-party monitoring and threat intelligence services to detect attacks as they occur. These tools are designed to detect users who attempt to make the application behave in an unusual manner – relying on metadata, heuristics, and user/device attributes to uncover misuse by application users. Use of sensitive information Most enterprises monitor the use of sensitive information. This may be for compliance, as with payment data access or sensitive personal information, or it may be part of a general security policy. Typical policies cover IT administrators accessing data files, users issuing ad hoc queries, retrieval of “too much” information, or any examination of restricted data elements such as credit card numbers. All the other listed use cases are typically targeted at specific user or administrative roles, but policies for information usage apply to all user groups. They are constructed to define uses cases which are not acceptable, and alert or block them. These controls may exist as part of the application logic, but are typically embedded into the database logic (such as through stored procedures), or provided by a third-party monitoring/masking tool deployed as a reverse proxy for the database. The next post will detail how enterprise applications differ from other platforms, and how those differences create security gaps for off-the-shelf tools. Share:

I realize I have been slacking off posting here at Securosis, but thanks to a string of big event thingies, I thought I should link to a bunch of recent Apple security and privacy articles I posted over at TidBITS (mostly) and Macworld. I do probably need to write up the bit where local apps that are iCloud enabled seem to save document drafts on iCloud once you start writing, as opposed to when you save the documents in iCloud. This means any open drafts, in many text editors, load data into the cloud even if you only want to save them locally. Apple states they remove this data once you save the file to your local drive, but it is a bizarre design decision from a company that has made so many security and privacy improvements recently. So, um, don’t open up a TextEdit window and paste your temporary (or permanent!) passwords in it, unless you save the file someplace local first. Now on to the articles: First is an older Macworld article, Why Apple Really Cares About Your Privacy. This one predated Apple’s big public privacy push, and is the key piece that ties the rest of these together. Basically, Apple is using privacy against Google (and to a lesser degree certain other competitors) because the differences in business models makes it difficult for anyone else to differentiate on privacy to the same degree. This is an excellent alignment of economics to improve security and privacy, and I expect it to define a lot of what we see in the coming years. The next three articles show how Apple is following through on its privacy messaging within products: To start Apple dramatically improved the data security of iOS, much to the chagrin of folks in law enforcement. You likely read this all over the place, but this piece ties together a lot of context I didn’t see in other articles. Also, as an emergency responder, my arguments cannot be dismissed with the “if you only saw what we see” argument. I have seen more than my fair share of horrible things, including horrible things happening to children, so I get it. But that is no excuse to sacrifice fundamental civil liberties. Part of the problem is that some people in law enforcement are so used to getting access to whatever they need for an investigation that they see it as a legal right, and don’t understand that today’s technologies cannot include lawful access capabilities without deeply compromising security. Next up I wrote a piece detailing how Spotlight Suggestions handles privacy. While less of a big picture issue, this highlights the steps Apple is taking to harden their pro-privacy stance down to low-level feature design. Not that they always get it right – as illustrated by that iCloud issue. This next piece also relates to privacy, but is more about the business landscape Apple is working within. I discussed the real reason some merchants are blocking Apple Pay. Many of you understand the reasons merchants hate credit card companies (Hello, PCI!), and Apple is merely caught in the middle. For the record, I wish we would get half as many comments on Securosis articles as on this one! One last article ties the series up (even though it wasn’t the last one published) and serves as a good bookend to the privacy piece: The last piece is the most important for the long term. You Are Apple’s Greatest Security Challenge. Yes, Apple made mistakes with the celebrity photo thefts. Mistakes that those of us in cloud security are very familiar with. But, to their credit, they also deal with a scale and scope very few organizations need to consider. Including some key differences from Google, who has been doing a better job on this front. It is a very nuanced issue, and the decisions Apple makes here will have profound repercussions for the ecosystem. That’s it for now. It seems there is Apple-related security news every week. A lot of the headlines are total BS, like the article a few years back claiming a major security flaw in iPhones, when it was really a problem in every GSM phone on the planet. But that doesn’t get page views, and Apple security has become the “if it bleeds, it leads” of the tech world. Share:

I was at Intel’s Focus conference earlier this week. Intel basically held a McAfee coming-out party, and announced that the security practices of both firms will henceforth be run under the single umbrella of Intel Security. Not much to report on that, but I spoke to more customers at this event than at any other vendor event. And they were chatty, which is nice. But something is troubling me. Do you know what they did not mention as a problem? Mobile. Nope. The biggest surprise of the week was hearing security practitioners and CISOs talk about the threat of the IoT (Internet of Things), without even mentioning mobile. I am still surprised, because a) mobile is really here, b) security of mobile data is a problem on most devices, c) mobile app controls and spotty authentication are still an issue, and d) the market has yet to embrace a good model for control. IoT does not even feel real yet, but the security practitioners I heard speak are currently dealing with threats to Point of Sale terminals, medical devices, cars, and a whole bunch of devices we have used for a long time, but where the current generation includes sophisticated processors and Internet connectivity. Still, IoT is your biggest concern? Really? This will be the one of the shorter Friday Summaries I have written because … it’s here. The puppy I predicted would be landing in my home has arrived. Early, in fact. I am sure it’s because the breeder was exhausted by him. He is slightly ornery, possessed of limitless energy, and fearless. Which means he is into everything all the time. Say hello to ‘Satchmo’: I don’t usually talk about my pets much on this blog, but it has been years since we had a new puppy in the house, and you forget all the lifestyle changes that come with a new puppy. Plus he’s very cute, and seems to get along with everyone great. He has only been here a short time but he’s worn me out. And my wife. And my adult Boston. And everything else that lives here … except the Boxer. Boxers never get tired, so I think the rest of us are going to take a nap while those two play. Happy Halloween all! Halloween on a Friday is the best, so have fun! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian and Chris Eng will talk integrating security into Agile next week. Favorite Securosis Posts Adrian Lane: Incite 10/29/2014: Short Memory. I am actually FAV-ing my “Card of the Sith” Incite in this week’s post. Rich: [Building an Enterprise Application Security Program New Series. Ho boy, is this a big topic. Adrian jumps into one of the most painful issues for enterprises to deal with: internal apps. Mike Rothman: Firestarter: It’s All in the Cloud. I had fun recording this week’s Firestarter. Though we did miss Adrian. There was no one to keep Rich and me on track! Other Securosis Posts Building an Enterprise Application Security Program: Use Cases. Apple Security and Privacy Updates. New Research Paper: Trends in Data Centric Security. Old School (Computer). Favorite Outside Posts Adrian Lane: Challenges With Randomness In Multi-tenant Linux Container Platforms. Containers seem to have caught fire, and I expect them to be the ‘struts’ of this generation. But stressing any hot new approach turns up systemic flaws. A good discussion by James Bayer. Rich: Facebook Open Sources Host Monitoring Tool, Increases Internet Defense Prize. This is interesting. I did an interview on the tool, based on a high-level description (trust me – I warned the reporter I would need to see it working for a real assessment). It sounds like a Chef/Puppet competitor. But this gathers different information, which is more security relevant, and then enables you to query it like a database. That is very interesting. Might have to play with it! Mike Rothman: SHE’S A WRECK. What a courageous post by aloria, baring her issues with brutal honesty and candor. Thankfully she made it through, but understand that her bipolar disorder is a daily battle. Rarely do we get to see the people behind the avatars, the unvarnished challenge of being imperfect and human. as we all are. Pepper: AT&T, Verizon Using ‘Perma-Cookies’ to Track Customer Web Activity. I didn’t think I needed a VPN but I am now considering paying for Cloak. Research Reports and Presentations Trends in Data Centric Security White Paper. Leveraging Threat Intelligence in Incident Response/Management. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. The Security Pro’s Guide to Cloud File Storage and Collaboration. The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Top News and Posts UPnP Devices Used in DDoS Attacks Chip & PIN vs. Chip & Signature Adobe’s e-book reader sends your reading logs back to Adobe–in plain text. *sigh* Automated NoSQL exploitation with NoSQLMap CurrentC for mobile payments and exclusivity CurrentC site hacked Alleged Dropbox hack underlines danger of reusing passwords Blog Comment of the Week This week’s best comment goes to Pat Bitton, in response to Old School. I always hark back to the operating code for dBase II and WordStar both fitting on a single 360K floppy. Share: