Wednesday, June 22, 2011

Cure Your Big App Attack

Not that I really needed to point this out, but security attacks are moving ‘up the stack.’  90% of security investments are focused on network security, yet according to Gartner, 75% of the attacks are focused at the application layer and ‘over 90 percent of security vulnerabilities exist at the application layer, not the network layer.’  SQL Injection and XSS are the #1 and #2 reported vulnerabilities and the top two in the OWASP Top 10.  Plus, from Forrester Consulting, the average loss of revenue per hour for a layer 7 DDoS attack is $220,000.  These vulnerabilities are some of the primary routes being exploited in many of the recent attacks.

Modern DoS attacks are distributed, diverse and cross the cavity that divides network components from application infrastructure, yet many of these attacks are preventable. The problem is that organizations are using outdated network and/or desktop technology to try to protect against sophisticated application security attacks, attacks in which traditional solutions like network firewalls, IPS or AV systems have little to no visibility or role. It’s like trying to protect a city against a coordinated air attack by digging trenches in the ground. Wrong band-aid for the attack vector.

The solution is an integrated approach that covers network and application security along with access control. Another dilemma is that security has often been left up to the network gang, who may or may not have expertise in and around transport and application level exploits.  And deploying more network firewalls, AV, or IPS systems is not really the answer. You might just be digging more trenches.  F5 has technologies like BIG-IP ASM, APM, Edge Gateway and LTM that can help mitigate the recent attacks.  Many of our solutions (particularly ASM) have capabilities to prevent DoS, DDoS, Brute Force, Parameter Tampering (including dynamic parameters), Forceful Browsing, Web Scraping, SlowLoris, Access Control, XSS, SQL Injection and the entire OWASP Top 10.  ASM can also be configured to verify that the value of a parameter set by the web application isn’t changed during the user’s session, and to ensure a user has entered the site via a login page.  With those recent attacks, ASM could have blocked the intrusion or at least alerted site owners to it. Detecting and alerting on this when it started, even without mitigating, would have considerably minimized the business risk.  BIG-IP LTM can protect you from a network perspective, with BIG-IP ASM covering the application angle.
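As an added illustration (not F5 or ASM code), the two checks just described, a server-set parameter that must not change within a session and a protected page that must not be reached without passing the login page, written as a small stand-alone request filter; the class and function names, the path list and the sample traffic are all constructed for this example.

```python
"""
Constructed example of two application-layer checks described in the post:
  1. parameter integrity: values the application itself emitted (account id,
     price, ...) are remembered per session, and a later request carrying a
     different value for that parameter is flagged as parameter tampering;
  2. login-page enforcement (anti forceful browsing): protected paths are
     refused until the session has passed through the login page.
Names (Session, check_request, PROTECTED_PATHS, ...) are assumptions for
this illustration, not an F5 API.
"""
from dataclasses import dataclass, field

PROTECTED_PATHS = {"/account", "/checkout"}   # assumption: pages needing login first
LOGIN_PATH = "/login"


@dataclass
class Session:
    authenticated: bool = False
    # parameter name -> value the server last handed to this client
    server_set: dict = field(default_factory=dict)


def record_server_params(sess, params):
    """Called when the application renders a page or form: remember what it set."""
    sess.server_set.update(params)


def check_request(sess, path, params):
    """Return (allowed, reason) for one request, the block/alert decision."""
    if path == LOGIN_PATH:
        sess.authenticated = True          # assumption: credential check passed
        return True, "login"
    if path in PROTECTED_PATHS and not sess.authenticated:
        return False, "forceful browsing: %s reached without login" % path
    for name, expected in sess.server_set.items():
        if name in params and params[name] != expected:
            return False, "parameter tampering: %s=%r, expected %r" % (
                name, params[name], expected)
    return True, "ok"


def run_sample():
    """Constructed traffic: one violation before login, one clean flow, one tampered."""
    results = []
    s = Session()
    results.append(check_request(s, "/account", {}))               # no login yet
    results.append(check_request(s, "/login", {"user": "alice"}))
    record_server_params(s, {"acct_id": "1001", "price": "49.99"})
    results.append(check_request(s, "/checkout", {"acct_id": "1001", "price": "49.99"}))
    results.append(check_request(s, "/checkout", {"acct_id": "1002", "price": "49.99"}))
    return results


if __name__ == "__main__":
    for allowed, reason in run_sample():
        print("ALLOW" if allowed else "BLOCK", reason)
```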

It is interesting that these attacks have been around for a while, but it also shows how hard it is to get protection right, especially when the attacks are blended.  Once a vector is found to deliver, a variety of exploits can be used in quick succession to find one that will work.  Most of these attacks would also have sailed invisibly through an IPS device – no offense to those solutions – they are just not designed to protect the application layer, or didn’t have a signature that matched.  A unified application delivery platform with multi-layer visibility is the best way to detect and mitigate multi-layer attacks.

ps

Resources

Technorati Tags: F5, data breach report, threats, Pete Silva, security, malware, technology, phishing, cyber-threat, social engineering, attacks, virus, vulnerability, web, internet, cybercrime, identity theft, scam, data breach, ips


Thursday, June 16, 2011

Drive Identity Into Your Network with F5 Access Solutions

This webinar focuses on F5 Access solutions that provide high availability, acceleration and security benefits critical to your organization.  Running time: 55:51

ps

Technorati Tags: F5, interop, Pete Silva, security, business, education, technology, internet, big-ip, VIPRION, vCMP, ixia, performance, ssl tps, testing


Tuesday, June 14, 2011

Custom Code for Targeted Attacks

Botnets?  Old school.  Spam?  So yesterday.  Phishing?  Don’t even bother…well, on second thought.  Spaghetti hacking, like spaghetti marketing (toss it and see what sticks), is giving way to specific development of code (or stealing other code) to breach a particular entity.  In the past few weeks, giants like Sony, Google, Citibank, Lockheed and others have fallen victim to serious intrusions.  The latest to be added to that list: the IMF – International Monetary Fund.  The IMF is an international, intergovernmental organization which oversees the global financial system.  First created to help stabilize the global economic system, it oversees exchange rates and works to improve the economies of the member countries, which are primarily the 187 members of the UN.

In this latest intrusion, it has been reported that this might have been the result of ‘spear phishing,’ getting someone to click a malicious but valid-looking link to install malware.  The malware, however, was apparently developed specifically for this attack.  There was also a good amount of exploration prior to the attempt – call it spying.  So once again, while similar to other breaches where unsuspecting human involvement helped trigger the break, this one seems to have used purpose-built malware.   As with any of these high-profile attacks, the techniques used to gain unauthorized access are slow to be divulged, but insiders have said it was a significant breach, with emails and other documents taken in this heist.  While a good portion of the recent attacks are digging for personal information, this certainly looks more like government espionage looking for sensitive information pertaining to nations.  Without directly pointing, many are fingering groups backed by foreign governments in this latest encroachment.

A year (and longer) ago, most of these types of breaches would be kept under wraps for a while until someone leaked it.  There was a hesitation to report it due to the media coverage and public scrutiny.  Now that many of these attacks are targeting large international organizations with very sophisticated methods, there seems to be a little more openness in exposing the invasion.   Hopefully this can lead to more cooperation amongst many different groups/organizations/governments to help defend against these.  Exposing the exposure also informs the general public of the potential dangers, even though it might not be happening to them directly.  If an article, blog or other story helps folks be a little more cautious with whatever they are doing online, even preventing someone from simply clicking an email/social media/IM/txt link, then hopefully fewer people will fall victim.  Since we have Web 2.0 and Infrastructure 2.0, it might be time to adopt Hacking 2.0, except for the fact that Noah Schiffman talked about misuse and all the two-dot-oh-ness, particularly Hacking 2.0, in an article 3 years ago.  He mentions, ‘Security is a process’ and I certainly agree.  Plus I love, ‘If the term Hacking 2.0 is adopted, or even suggested, by anyone, their rights to free speech should be revoked.’  So how about Intrusion 2.0?

ps

Resources:

Technorati Tags: F5, data breach report, threats, Pete Silva, security, malware, technology, phishing, cyber-threat, social engineering, attacks, virus, vulnerability, web, internet, cybercrime, identity theft, scam, data breach, rsa, lockheed, imf


Wednesday, June 8, 2011

Audio White Paper - The F5 Dynamic Services Model

Today, agility in both business logic and an organization’s underlying IT infrastructure is imperative to success. Yet traditional IT infrastructures and processes simply are not agile. It is no surprise, then, that CIOs routinely express frustration with the time and effort required to align IT functions to changing business needs.

F5 believes a new approach to infrastructure design must emerge—one that enables enterprises to add, remove, grow, and shrink IT services on demand, regardless of location. This new infrastructure must dynamically optimize the interaction between users and resources in the face of rapidly changing conditions. It must allow the IT enterprise to adapt quickly to changing organizational demands for security, data protection, ease of access, market responsiveness, low cost, and high performance. This paper outlines F5’s vision for such an approach, explores its business benefits, defines F5’s architecture for delivery, and outlines a roadmap for implementation.  Running Time: 16:17  Read full white paper here.  And click here for more F5 Audio.


ps

Technorati Tags: F5, integration, data center, Pete Silva, security, business, education, technology, application delivery, data replication, cloud, optimize, dynamic, web, internet, security, hardware, audio, whitepaper, big-ip


Tuesday, June 7, 2011

Who In The World Are You?

Steven Wright has said, 'It's a small world, but I wouldn't want to paint it.' The world is getting smaller with today's 24/7 global marketplace. Businesses have offices and employees around the world to serve the needs of the organization's global customers. Those users, whether they are in a branch office, home office or mobile, need access to critical information. Data like corporate information, customer information, sales information, financial information, product information and any other sources of business material are essential to making smart enterprise decisions. Without access to this data, poor decisions are made and the business can suffer.

The recent breaches, especially the intrusions tied to the RSA compromise, have put identity and access management in the spotlight.  Once upon a time, users had to be in the office, connected to the network, to access corporate applications. IT organizations probably knew who the user was since they were sitting at a desk; organizations knew the type of device since it was issued by IT; and the business applications were delivered quickly and securely since it was from an internal local area network. Then users needed access to that same information while they were away from the office, and solutions like VPNs and Remote Access quickly gained acceptance. As adoption grew, so did requests for access above and beyond the normal employee. Soon partners, contractors, vendors and other 3rd party ecosystems were given access to corporate resources. Employees and partners from around the globe were connecting from a barrage of networks, carriers and devices. This can be very risky since IT might not know the identity of those users.

Anonymous networks allow users to gain access to systems via a User ID and password, but they cannot decipher exactly who the user actually is: an employee, guest, contractor, partner and the like. Anonymous networks do have visibility at the IP or MAC address level, but that information does not equate to a user's identity. Since these networks are unable to attribute an IP to an identity, the risk is that information may be available to users who are not authorized to see it. There is also no reporting as to what was accessed or where a specific user has navigated within a system. Unauthorized access to systems is a huge concern for companies, not only pertaining to the disclosure and loss of confidential company data but also the potential risks to regulatory compliance and public criticism. It is important that only authenticated users gain admission and that they only access the resources they are authorized to see.  Controlling and managing access to system resources must be based on identity. A user's identity, or their expressed or digitally represented identity, can include identifiers like: what you say, what you know, where you are, what you share, who you know, your preferences, your choices, your reputation, your profession or any other combination that is unique to the user.

Access can mean different things - access to an intranet web application to search for materials, access to MS Exchange for email, access to virtualized Citrix, VMware or Remote Desktop deployments, access to a particular network segment for files and full domain network access as if the user is sitting in the office. The resources themselves can be in multiple locations, corporate headquarters, the data center, at a branch office, in the cloud or a mix of them all.  When users are all over the world, globally distributed access across several data centers can help solve access and availability requirements. Organizations also need their application and access security solution in the strategic point of control, a centralized location at the intersection between the users and their resources to make those intelligent, contextual, identity based decisions on how to handle access requests.

Residing in this important strategic point of control within the network, the BIG-IP Access Policy Manager (APM) for BIG-IP Local Traffic Manager (LTM), along with BIG-IP Edge Gateway (EGW), provides the security, scalability and optimization that's required for unified global access to corporate resources across all types of deployment environments. The ability to converge and consolidate remote users, LAN access and wireless junctions on a single management interface, and to provide easy-to-manage access policies, saves money and frees up valuable IT resources. F5's access solutions secure your infrastructure, creating a place within the network to provide security, scalability, optimization, flexibility, context, resource control, policy management, reporting and availability for all applications.

ps

Resources:

Technorati Tags: psilva, F5, context-aware, infrastructure, IP, security, application security, access control, virtualization, network, application delivery, unified application delivery and data services


Wednesday, June 1, 2011

And The Hits Keep Coming

In case you missed this over the long weekend, a few more notable names were compromised in recent weeks.  A few weeks ago I wrote about how the Big Attacks are Back, and it sure seems like the hits keep coming.  First, last Friday, Lockheed Martin said that earlier in the week they detected that someone was trying to break into their network through the VPN.  Lockheed is a huge military contractor providing fighter jets, spy satellites and other military and intelligence equipment for the US and other government entities.  They are also known for Skunk Works, or their Advanced Development Program projects.  These are highly classified assignments, with the SR-71 Blackbird and F-117 Nighthawk (Stealth) as examples over the years.  I live very close to the Skunk Works facility and I can say that I’ve seen some interesting craft flying over at various times.

Anyway, there is some indication that this attempted breach is tied to the security tokens issued to the workers.  Reports have indicated that it was RSA tokens and this incident might be directly tied to the RSA breach earlier this year.  Lockheed quickly shut the remote access doors and issued new tokens and passwords to the entire workforce.  They do say that their systems are secure and nothing notable, like customer/employee/program data, was taken.  While defense contractors like Lockheed get probed daily, this is significant since the ‘sources’ are saying that there is a connection between the RSA breach and Lockheed’s.  The intruder seemed to have knowledge of some critical information (possibly algorithm, seed, serial, cloned soft key, key gen time) for the current tokens and dropped a key logger on an internal computer.  After RSA’s initial announcement, Lockheed did take additional protective measures, like an additional password for remote users but a key logger probably would have sniffed that.  Lockheed was fortunate to have caught it quickly but this might be the beginning of the token breach fallout.

Lockheed is not the only defense contractor that has been specifically targeted using compromised tokens.  L-3 Communications has also been fending off penetration attempts, according to reports.  In both cases, it appears that the intruders are using both phishing and cloned soft keys to try to attack SecurID systems.  Installed malware or phishing campaigns are being used in an attempt to link end-users with tokens.  Many companies are increasing PIN lengths and lowering the number of failed attempts before accounts are locked out.  Even McAfee is talking about how employees are being approached by strangers in public places looking to gain information.

Another breach this past weekend involved PBS.  This time, C is for Compromise…and not good enough for anyone.  While, according to PBS, no internal networks were exposed, the malicious hackers were able to break into the website and posted a bogus story about Tupac being alive and well in New Zealand.  They also posted credentials for PBS’s internal media and affiliate station portals.  This was a response to a Frontline story about WikiLeaks called WikiSecrets.  Apparently the group that claimed the attack was less than impressed by the program.

2011 started out *relatively* quiet but is now turning into a banner year for breaches.

ps

Resources:

Technorati Tags: F5, data breach report, threats, Pete Silva, security, malware, technology, securID, cyber-threat, social engineering, attacks, virus, vulnerability, web, internet, cybercrime, identity theft, scam, data breach, rsa, lockheed, pbs
