Misconception No.1: Over-Relying on Network Defenses

By Ed Adams


Information security mistakes are costly, damaging and all too prevalent. Given the obvious repercussions of poor information security and disclosure strategies (TJX, CardSystems, BJ’s and AOL), one is inclined to believe change agents are in place.

However, organizations continue to make seemingly avoidable mistakes when it comes to enterprise security. Last week, I wrote about the five most common security miscalculations organizations make. Let’s dive into the first one in more detail — over-relying on network defenses.


If you want to comment on these or any other articles you see on CIO Update, we'd like to hear from you in our IT Management Forum. Thanks for reading.

- Allen Bernard, Managing Editor.


Firewalls, intrusion prevention systems (IPS), anti-virus solutions, and intrusion detection systems (IDS) protect us from worms, detect anomalous behavior, and prevent some attacks on our networks.

These protective measures are good ones to take, however, there are problems with these solutions that many organizations don’t realize:

  • They miss the majority of security vulnerabilities;
  • They give the user a false sense of security; and
  • In many instances they enable damaging business logic attacks.

Application vs. Network Security

Let’s look at some research and analyst perspectives. Many of you are familiar with the Gartner statistic from 2004 (updated in 2006) that states: “Over 70% of security vulnerabilities exist at the application layer, not the network or system layer.”

The National Institute of Standards and Technology (NIST) claims this number is 92%! IDC states, “The conclusion is unavoidable: any notion that security is a matter of simply protecting the network perimeter is hopelessly out of date.”

Another interesting metric that was collected from Microsoft Developer Research is: “64% of developers are not confident in their ability to write secure applications.”

It is very telling that two out of every three developers in this survey were not confident in their ability to write secure code. It’s an interesting question you may want to ask your own developers. And while you’re at it, ask this of your budgeting process: “If over 70% of security vulnerabilities exist in the application layer vs. the network layer, are we spending over 70% of our IT security budget on application security?”

Here’s a case-in-point from an e-commerce company I worked with last year. This company had intrusion detection, intrusion prevention and a firewall in place. Because it was a large e-commerce site, we had to do testing on the actual production system.

This e-commerce system had the common “shopping basket” functionality. During testing, we put an item in our basket, did some testing and didn’t find anything, so we closed the browser and went out for lunch. When we returned, we opened the browser and noticed the item we had placed in our basket was still there.

This told us the e-commerce site used cookies — small text files that store bits of information on your machine about you and the items you have chosen during the session. We decided to find that cookie on our client and mess with it; something the security world calls “cookie poisoning.”

We opened the cookie with the world’s best hacking tool, Notepad, and found information like our session ID, the merchandise item number, a description of the item, and the price of the item. Hmmm … price. We decided to mess with that parameter and change the price from $9.95 to negative (-$9.95) and save the file with this new information.

When we re-opened the browser, sure enough that item was now showing at -$9.95. What a deal! We bought five. And shipping was calculated in the same manner, so we got that for a real bargain, too.

So much for fun, here’s when the real trouble started. Since this was a live production site, the order was actually placed. Because our systems are so compartmentalized today, the accounting department only got a message saying, "debit this account $49.75."

The people in shipping received a message saying to send five of these items to Security Innovation. There was no correlation or check between the processes. This order was never detected or blocked by the firewall or IDS because there was no abnormal behavior.

The only thing our “attack” did was select an item, place it in the basket and check out. Of course, we cancelled the order before it actually shipped, but it was difficult. We had to have conversations with several teams before they could stop that shipment.

This is a great example of why network security can give people a false sense of security and how we need to pay attention to the business processes we think we’re protecting.

These network defenses enable business logic attacks because the watchers are looking the other way; thinking they’re safe because they’ve got the latest and greatest deep-packet inspection firewall. Wrong.
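The basket story above comes down to one application-layer defect: the server trusted a price that lived in the client’s cookie, so nothing on the wire looked abnormal. The following is an added illustration, not code from the article or from the site described; the catalogue, SKU, secret key and cookie layout are constructed for the example. It shows the vulnerable pricing pattern beside a hardened version that integrity-checks the cookie with an HMAC and then re-prices every line from the server-side catalogue, so an edited price or a negative quantity is rejected before accounting or shipping ever hear about it.

```python
import base64
import hashlib
import hmac
import json
from decimal import Decimal
from typing import Optional

# Constructed catalogue: the server, not the client, is the source of truth for prices.
CATALOGUE = {"SKU-1001": Decimal("9.95")}
# Placeholder key for the example; a real deployment loads this from a secret store.
SECRET_KEY = b"example-only-server-secret"


def vulnerable_total(cookie: dict) -> Decimal:
    """The pattern from the article: price and quantity are taken from the cookie as-is."""
    return Decimal(cookie["price"]) * int(cookie["qty"])


def encode_body(payload: dict) -> str:
    """Canonical serialization of the basket state stored in the cookie."""
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def sign_cookie(payload: dict) -> str:
    """Attach an HMAC-SHA256 tag so the server can detect edits made on the client."""
    body = encode_body(payload)
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str) -> Optional[dict]:
    """Return the payload only if the tag matches; None for a tampered or malformed cookie."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def hardened_total(cookie: str) -> Optional[Decimal]:
    """Hardened pattern: check integrity, validate quantity, re-price from the catalogue."""
    payload = verify_cookie(cookie)
    if payload is None:
        return None
    sku, qty = payload.get("sku"), payload.get("qty")
    if sku not in CATALOGUE or not isinstance(qty, int) or not 1 <= qty <= 100:
        return None
    return CATALOGUE[sku] * qty  # the client-supplied price, if any, is never read
```

Note that even a correctly signed cookie carrying a "price" field is ignored by `hardened_total`: integrity protection stops edits, and server-side pricing removes the reason to store the price client-side at all.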

Some buffer overflows can work the same way. Buffer overflows were the security bug of the 1990’s — cross-site scripting and SQL injection soon took over as the high-profile scares this decade. But buffer overflows still wreak havoc on many systems because our network defenses don’t have the context in which to understand well-crafted buffer overflow attacks.

Take for example a string of data that comes over the network pipe. It may be part of a picture, it may be text, we don’t know. But neither does the firewall watching the traffic. If this data happens to be part of a Flash, WMF, or PDF file, for example, the firewall has no way to determine if it is innocuous or evil.

Firewalls have no context in which to understand how a piece of network traffic is going to be used by an application. In this example, an input buffer on a piece of freeware, e.g., Flash Player, Adobe Acrobat Reader, etc. can be overflowed and the client machine compromised very easily.

Can’t happen you say? This exact vulnerability existed for years until early 2006 in a ubiquitous piece of Web software and no network defense in existence could stop it from being exploited.

Do you account for down-time and productivity losses when making your TCO (total cost of ownership) calculations on freeware like Acrobat Reader and Flash Player? Or do you just assume your network defenses protect you?

Think again.

Network security defenses have a place in your security portfolio. They capture some malicious users and are effective at stopping known attacks and viruses. But beware of the shortcomings so you aren’t caught asleep at the wheel.

In the coming weeks look for more expanded articles from Ed Adams covering each of these themes: Over-relying on Network Defenses, Believing the Hype of Technology/Tools, Too Many People Assumptions, Assuming Secure Software is Costly, and Falling into the “Recency” Trap.

Ed Adams is CEO of Security Innovation, an independent provider of application security services that include security testing and training.