I have highlighted that product teams need to move beyond security (preventing classic buffer overflows) to introducing cybersecurity within the logic of their application for real world scenarios. This active defense (called many things) is essential to having our products operate in hostile environments.
Facebook shared an example how they structure their product (authentication) to bolster the safety for it’s users – even when they are using products / platforms (Android older versions) that are proven to have backdoors and malicious code exploits. This is a great demonstration and opportunity for self reflection:
- How have you enhanced your product?
- Are you just ‘scanning’ and closing tickets or is your cybersecurity intelligence being applied to functional requirements?
- Is your ratio of Development engineers to Cybersecurity engineers appropriate?
Facebook can’t force you to use two-factor identification, even though it knows you would be safer if you did. That forces the social media giant to find other ways to build in safety for you. Alex Stamos CSO says, the company actually monitors black market password databases, looking for password matches against its user base, and warning people when they find compromised ones.
Source: Facebook wants to make you secure no matter how hard you make it | TechCrunch
While the ISPs, DDoS mitigation services, and others scramble to figure out how to augment traditional defenses to handle this new threat, we decided to investigate a less conventional approach. Attackers often rely on exploiting vulnerabilities in software we own to install their tools on our systems…So why not use their own strategy against them?
Source: Invincea Labs
A nice write-up about another contrarian approach to defeating botnet coordinated attacks against online systems. The concept of exploiting an operating botnet is interesting, and in this demonstration successful. What I found most interesting was the introduction of specific active defense methods that businesses, service providers, ISP, OSP, and DDoS mitigation companies can / should / may begin to leverage.
How is your company leveraging active defense? Not specifically counter-attacking, but other methods? In my work around product security, I see the concept of predefining attack scenarios and setting up safeguards in the code (i.e., if X becomes available do Y… not simply stop buffer overflow, but acceptance of an event and establishing the next two steps to continue operations).
Within autonomous infrastructure, cars, online cloud / container environments this now must be instituted. The complexity and fun is in the scenario analysis and multi-variable conclusion requirements.
Glad to see others thinking outside the box.
Iot devices are the new emerging world .. roughly 10 billion such devices are in our daily lives at this moment, and this number is expected to multiply quickly. What are these devices – look at your wrist, your home thermostat, your TV, your lighting, the HVAC at your office, the traffic (ground and air) systems, and billions of more internet connected sensors around the world.
IoT hacked, weaponized
Most recently, and publicly, an online journalist website was taken down with the use of commandeered consumer IoT devices (about 500,000). This was not hard, and can easily be replicated by anyone with about an extra 10 hours on their hands (and a bit of legal protection). The analysis linked below is rich and worth diving in, but I wanted to highlight a different view point:
- First, White Label risks, if you are branding a chip, gadget, component, software package, and such from another business – YOU must ensure the technology is up to your standard. Secure, high quality, safety to the user and an enjoyable experience. Liability risks would be interesting to explore, but beyond those costs …
- Second, customer experience ruined with your device / service. If you had a vulnerable piece of technology (because you didn’t vet it), and then every device you sold was suddenly rebooting, not working, ruining that vital NetFlix binge, etc …. how do you think consumers will react? Not a pleasant scene given how hard we each work to build beautiful customer experiences with our products.
- Finally, this problem won’t go away. Everyone of those vulnerable (500k!!!) devices will ALWAYS be vulnerable given that the weaknesses were hard coded (permanently written into the product), and cannot be changed. Not a fun recall process and with so low margin, how many will actually mandate it / be required to do so / who is looking over this fast and loose area of products?
- I firmly believe we can do better, must do better, and will either be be given the chance or mandated to do just that. How are others vetting these processes? How could all of these white label sourcing / procurement teams have caught this sooner? How complex would it have been to detect and validate? Given the amount of successful attacks on this single product, it seems quite easy to have accomplished. Tongue and cheek, I’d recommend my book that I wrote for my family, How Not To Be Hacked, as it highlights specifically NEVER to leave default passwords – but in this case, the vendor made them permanent.
Let’s do better together and make richer experiences. The only true solution to stopping these zombie IoT Devices will be for carriers to block them wholly on the wire, Internet-Bricking / Banishing them to an offline world.
The culprit behind the KrebsOnSecurity.com and OVH attacks is traced back to one white-box DVR manufacturer, China-based XiongMai Technologies. The company sells white-labeled DVRs, network video recorders and IP camera circuit boards and companion software to a large number of vendors who in turn use the technology in their own products, according to Flashpoint blog post on the DDoS attacks posted Friday.In the case of XiongMai Technologies, it made the fatal error of using a default username “root” and password “xc3511” combination on each of the 500,000 devices used in the DDoS attacks.
Source: When DVRs Attack: Post IoT Attack Analysis | Threatpost | The first stop for security news
What does it take to transform your application development from Waterfall to Agile to DevOps to CI/CD? A lot … but at some point, all of the gears, gadgets, widgets, and funding won’t make the possible happen without one thing. A culture to holding integrity – to the code, to the doing what you know is right. Simply put, leadership and air cover matter a whole lot in the beginning to change.
I love this quote below from Bharat Mediratta on how ultimately they made automated testing (ahem, Security, Integrity, Code Quality, Privacy, and Compliance) a mandate for everyone – no one could submit code that broke the application (pipeline).
What did they do precisely, what is that magic bullet?
They created a hard line: no changes would be accepted into GWS without accompanying automated tests. They set up a continuous build and religiously kept it passing
Source: The birth of the automated testing culture at Google
There is so much to learn and we can do it together – see Gene Kim’s current works the DevOps Handbook, and join his knowledge dropping newsletters to get more insights.
Thanks Gene for building our Tribe (Seth Godin would be proud),
Bruce is by far the most prolific writer and researcher in security. He states things as they are and frames challenges brilliantly. Please check out his site, bookmark it, and be sure to read the comments – they are shockingly worth your time. He recently posted about DDos and the profiling with an aim to perhaps, Take Down the Internet.
While that requires our attention, there is a call out on – what can we do? Well, I see one immediate takeaway as it applies to your business, safety, and ongoing prosperity … but first a quote from the article:
The attacks are also configured in such a way as to see what the company’s total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they’ve got to defend themselves. They can’t hold anything back. They’re forced to demonstrate their defense capabilities for the attacker.
Source: Someone Is Learning How to Take Down the Internet – Schneier on Security
So if someone is employing multiple attack methods they are testing your defenses … that begs the question:
- Do you have your own internal threat intelligence shored up to be smart and effective in this area?
- Is fraud a risk and are you able to identify these risks from different angles?
- Are you data mining all of your logs (across the enterprise if you are so large) for such findings and nuggets of importance?
- Are you capturing the right data to conduct such an analysis – it requires a bit of deep integration across IT and your product teams AND your suppliers
So much can be managed with a bit of insight and action … please help keep our Internet operational, pleasant, and your business available.
On demand free security tool that can integrate with your application pipeline or simply post deploy. I am big into finding the highest efficiency methods, and why not augment your brilliant human security experts with this tool to get a head start?!
Many others and this addresses a specific aspect of risk, but heck this is an active project and worth considering in your larger application development security strategy!
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.
Source: OWASP Zed Attack Proxy Project – OWASP
One exciting area I have been digging into is the mixing of risk management and application portfolio development. As we see greater and greater abstraction of services (software eating world), we also have an ever increasing dependency on a multitude of developers, service providers, start-ups, legacy tech companies, and many other institutions.
If you are in application development and list of the pipeline deployment technology and all of the interacting systems, you’ll easily list out 30+. Each of these have the potential of impacting your business, your customer experience, and ultimately your viability as a product.
I found this third party risk management point of view to be insightful (full transparency, I work for this firm), and recommend a review from the application perspective. It is dated, but insightful. I particularly like the risk stratification highlights on page 7 that include:
- Volume of transactions
- Concentration associated with service
- Sensitivity risk of the data vendor has access
- Compliance & regulatory risks
- Customer & financial impact
- Location of vendor (privacy impacts)
- Previous data or security breaches
- Extent of outsourcing performed
- Performance history
Read more here