Evaluating an enterprise's IT security isn't about network scanning any more. Firewalls and intrusion prevention systems (IPS) have evolved, and the network attacks of yesterday where script kiddies press a button and compromise a system are quickly loosing potency.
Gone are the days when one could unleash a tool to size-up a network or system and uncover most of its problems. Attackers are turning to a richer source of vulnerabilities: applications.
Gartner estimates that 70% of vulnerabilities exist at the application layer. That's alarming considering that most of the vulnerabilities at the application layer can't be mitigated by today's network defenses.
To operate with confidence, IT must now look beyond network defenses and instead address problems at their root: software.
Tools, however, are just trying to keep up. Take Web application scanners for example: they can find some standard vulnerabilities that have generic symptoms but many of the problems here just can't be found with a tool.
Fortunately, the software industry is coming to terms with this need. Most major vendors have put large amounts of money and effort into security pushes that have helped to reduce the security flaws in their software. One of the most aggressive efforts has come from the software giant Microsoft which have made phenomenal progress on security with the release of Windows Server 2003.
Other vendors are following suit with company-wide security training initiatives quickly becoming the norm.
Having more confidence in commercial off-the-shelf software (COTS) is only part of the issue though. In today's world, every company is a software company because of the Web applications and internal systems they must create, customize and deploy.
It is this software that needs to be hardened against the would-be attacker and it is here that an organization needs to be able to assess security.
To truly protect an enterprise, however, one must think like the enemy. This realization has led to a significant change in how many companies are assessing risk. In this article, we'll take a look at three proven methods for finding the problems that count, and what you can do to tighten up defenses.
One of the best ways to understand where your risks are is to create a threat model: a detailed written description of your key IT risks.
Creating a threat model is a creative and collaborative process, one where you try to think like a bad guy using your infrastructure architecture, applications and network as possible attack vectors. Once you flesh out these high-level attacker goals then you can build a hierarchical tree of things that need to happen for the threat to be realizable.
Threat models are one of the best security investments that a team can make but their value is also highly dependant on the creativity of the people involved in creating them.
Some useful techniques exist for threat modeling at the application level, and there are books such as Writing Secure Code, Threat Modeling and How to Break Software Security that can help.
Creating a Red-Team
As the focus of attackers shifts towards exploiting application-level vulnerabilities, the pressure is on for organizations to find and fix these problems first.
Finding them though isn't as easy as running a tool; it takes careful and methodical inspection by people who know what to look for. Take one of the more common Web vulnerabilities, SQL injection, for example.
SQL injection usually involves manipulating a command on the server using data entered into a Web page. While some simple SQL injection vulnerabilities can be found with scanners, the more insidious ones require thoughtful inspection by someone who can reason about the often subtle symptoms of failure.
Organizations need to focus on sizing-up their application as an attacker would. One of the most effective ways to do this is to form a small team of testers and developers who engage in focused security testing.
This team is guided by the threat model described earlier and their purpose is to think out-of-the-box on ways to cause harm through exploiting internet-facing applications.
As an example, consider the common practice of locking a user account out for 24 hours after a certain number of failed login attempts. While these types of safeguards are put in place to mitigate one type of threat, password guessing, an attacker could potentially create automation to run through every possible account and porously provide several bad password guesses with the goal being denial-of-service to customers. Red teams focus on this type of out-of-the-box thinking and testing.
Yet, many companies though don't have the expertise or resources to field this type of group internally and are opting to go with outside firms that specialize in application security testing. Others are bringing the knowledge in-house with security testing training.
Either way, this assessment of weaknesses is a critical part of operating securely.
Developing a security-aware culture is critical.
Even if you're able to shore up IT defenses there are some things like phishing and social engineering that no weapon in your security arsenal can combat. Training can help.
Many organizations are now including security awareness training as a part of new employee orientation. This can be an effective shield against social-engineering type attacks that technology is not well suited to protect against.
Many companies are also providing specialized security training for developers and testers in order to weed out security vulnerabilities before their applications are deployed. When developers and testers are exposed to the types of security problems, they can fix potential security holes pre-deployment.
Gartner estimates that the cost of fixing these types of issues before release/deployment is about two percent of what it cost to fix them afterward and thus, for many organizations, training is a wise investment.
The bottom line is we are in a new age of security. The generic network vulnerabilities of yesterday are quickly being replaced with security holes at the application-level.
This changes the way that we need to mount our defenses. For example, when a worm or virus exploiting a common vulnerability is spreading rapidly on the Internet, the entire antivirus industry is focused on quickly finding and deploying solutions to its customers. What happens though if there's a security flaw in your Web application? There's no worm to draw attention to it; no masses of security researchers working on a solution.
Security is changing from a generic problem (with generic protections) to a very organization-specific issue. Are you ready?
Herbert Thompson is director of Security Technology and Research at Security Innovation. Herbert trains software developers and testers at the world's largest software companies on security techniques. He is also the co-author of several books on software security including How to Break Software Security (Addison Wesley 2003). Please feel free to contact him at firstname.lastname@example.org.