How to keep cybercriminals out of your apps

Four ways to implement and maintain security testing.

 

Cybercriminals had a fantastic time in 2014 – breaching major retailers such as Home Depot and Kmart, major financial institutions (notably JPMorgan Chase), and a slew of smaller companies.

Indeed, cybercrimes are growing more common, more costly, and slower to resolve. Those are among the key findings of the fifth annual Cost of Cyber Crime Study conducted by the Ponemon Institute on behalf of HP Enterprise Security.

The 2014 global study, which spanned seven nations, found that over the course of a year the average cost of cybercrime for companies in the United States climbed by more than 9% to $12.7 million, up from $11.6 million in the 2013 study. The average time to resolve a cyberattack is also rising, climbing to 45 days, up from 32 days in 2013.

 

How to protect your apps

Clearly, the need to protect apps (as well as network nodes, servers, and so on) has never been more crucial. For apps, the best approach is to integrate security testing into your development process – a process that is increasingly crafted around DevOps and Continuous Delivery.

DevOps is fundamentally a mindset about how best to bring together two completely different groups of IT people – the developers who create the applications and the IT operations who deploy and manage those applications.

The basic idea of DevOps is to break down barriers in the pursuit of creating excellent software. The idea of separate silos with developers, operations, testers, and management working in isolation, sometimes even in opposition, is dated and flawed.

Continuous Delivery (CD) is a software strategy that enables organizations to deliver new features to users as fast and efficiently as possible. The core idea of CD is to create a repeatable, reliable, and incrementally improving process for taking software from concept to customer.

The key to successfully implementing DevOps and CD is testing, including security testing. Code must be tested over and over before any software is released.

If companies fail to integrate security testing into the development process and make it part of the software development lifecycle, they face numerous problems. Top-of-mind: the expense of retro-fitting functionality that should have been there initially, and the pain of securing a hybrid system with legacy software not designed for modern security threats.

 

4 great ways to implement and maintain security testing

Automated testing enables the DevOps team to create a continuous delivery system in which new features can be rolled into live software as they are created. In terms of security, the testing should always be pro-active and thorough. To achieve those goals, companies should consider the following:

  • Implementing Secure Programming Education. Proper education helps programmers to limit and validate inputs, store only the minimum data necessary, encrypt sensitive data, and so on – all with the goal of eliminating or minimizing security risks.
  • Adopting Interactive Application Security Testing (IAST). This enables companies to combine elements of static and dynamic techniques to run automated tests continuously on their software to see how it copes with malicious traffic. As IAST monitors data inside the application, it can pinpoint issues that might arise from real-world attacks, enable a useful assessment of the impact, and make it easier to remediate.
  • Hiring Security Analysts. These pros can properly configure your tools and interpret the results. You can buy the best security tools in the world, but you have to know how to leverage them and act on the data. An external analysis can provide real insights that will boost application security.
  • Using the Open Web Application Security Project (OWASP). This is a great community where you can find innovative solutions to modern software security challenges. The community can help you to understand secure development standards and can provide you with invaluable resources and advice from experts around the globe.

 

Full-time InfoSec talent can mean the difference between mediocre software and excellent software

Security testing in your development pipeline should be no more static than any other part of the pipeline: it must be continually reviewed and modernized to ensure it delivers optimum results.

By incorporating solid security foundations and processes into your application development lifecycle, you will protect every current and future software project. Such long-term planning not only makes financial sense, but it is highly likely to result in better quality software.

 

This article was originally posted in Network World.

Image credit Cutcaster.

Introducing Towerwall’s vCISO Services


Towerwall is proud to offer our new vCISO Program.

Introducing Towerwall’s vCISO Program, our unique approach to the Virtual CISO. Offering three distinct partner options, our vCISO solutions are tailored to your organization’s security needs.

Recognizing that many small and mid-sized companies have security concerns yet do not warrant a full-time position, the Towerwall vCISO Platform has been built with your business needs in mind. It is lightweight, flexible and scalable, all without compromising your security and business needs. Gain direct access to a team of senior-level security professionals at a fraction of the cost, without sacrificing results.

Click here to learn more about our vCISO Program

Data Privacy Alert Vol 13.83 – Anthem Healthcare Breach

Provided by William Gallagher Associates Insurance Brokers, Inc.

News broke last week that Anthem, the nation’s second-largest health insurance carrier, was the victim of a data breach by external hackers. This breach affects both current and potentially former clients of Anthem. WGA is monitoring the situation on an ongoing basis, and here is what we know at this point.

Anthem is working with the FBI to determine the extent of the compromised data. To provide members with the most current information, Anthem has created a dedicated website – www.anthemfacts.com – that will be continually updated as well as a toll-free hotline (877-263-7995) that members can access to answer any questions that may arise. Some of the notable information from that page includes the following:

  • The impacted plans/brands include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.
  • At this point, it appears that Blue Cross and Blue Shield of Massachusetts (BCBSMA) was not impacted. However, BCBSMA is working closely with Anthem to determine whether any of its members were affected; if so, it will formally notify those individuals in writing and take appropriate, timely action.
  • Initial investigation results indicate that the member data accessed included names, dates of birth, member IDs/Social Security numbers, addresses, phone numbers, email addresses, employment information, and income data.
  • The current investigation indicates that the information accessed did not include medical diagnosis or treatment data.
  • Anthem does not believe credit card numbers were accessed.
  • Anthem is currently working around the clock on an extensive IT forensic investigation to determine which members are impacted.
  • All impacted members will receive notice via mail advising them of the protections being offered and of any next steps.

WGA will continue to report any information as we receive it from Anthem.

Click here for additional information on the consequences of Anthem’s Data Breach.

“Bridging the Cybersecurity Skills Gap: 3 Big Steps” Featured in InformationWeek Dark Reading

Towerwall Founder and CEO Michelle Drolet’s latest article, “Bridging the Cybersecurity Skills Gap: 3 Big Steps”, is featured in InformationWeek’s Dark Reading. Read more below:

The stakes are high. Establishing clear pathways into the industry, standardizing jobs, and assessing skills will require industry-wide consensus and earnest collaboration.

There is a dangerous dearth of qualified Information Security talent in industry today. In the face of mounting threats and an unprecedented number of data breaches, organizations and governments simply aren’t coping. Cybercrime is growing rapidly as sophisticated, targeted attacks flood in from diverse sources.

The exploitation of vulnerabilities has a very real economic toll that’s often underestimated. Economic growth is restricted and job losses are common. For example, a study by the Center for Strategic and International Studies put the loss to business from cybercrime between $375 billion and $575 billion in 2013 alone. And yet, the industry is singularly unprepared to meet the challenge:

The International Information Systems Security Certification Consortium estimates a shortfall of 300,000 cybersecurity professionals, and that may be optimistic.

Cisco’s 2014 Annual Security Report says the deficit of information security staff and managers is 1 million strong.

Clearly it’s vital that something be done to redress the balance and make a career in cybersecurity more desirable. Here are three suggestions…

 

Click here to read the entire article on InformationWeek Dark Reading >

Michelle Drolet published in NetworkWorld – Are mobile apps putting your data at risk?


Our Michelle Drolet is quoted in NetworkWorld’s article “Are mobile apps putting your data at risk?”. Read more below:

Quite often, companies don’t realize that the mobile apps they use are a reason for concern. Once their data is breached, they begin to investigate. However, there are telltale signs that indicate an insecure mobile app. If you know what to look for, you may be able to avoid a catastrophic data breach.

Mobile apps are everywhere and their benefits are many, offering functionality, flexibility, and increased productivity. These apps have altered the way we do business. Unfortunately, all of these benefits do come at a price. As a business owner, how can you be sure that the mobile apps you and your staff access are secure? According to the most recent report from Lookout, the malware encounter rate in the U.S. is at 7%. Estimates indicate that more than 6 million Android devices are affected by malware.

Click here to read the entire article on NetworkWorld >

 

Image credit: Cutcaster

 

Data Privacy Alert Vol 13.82 – The GHOST vulnerability – what you need to know

The funkily-named bug of the week is GHOST.

Its official moniker is the less catchy CVE-2015-0235, and it’s a vulnerability caused by a buffer overflow in a system library that is used in many, if not most, Linux distributions.

A buffer overflow is where you assume, for example, that when you handle a four-byte network number written out as decimal digits, you will never get anything longer than 255.255.255.255.

That takes up 15 characters, so you may decide that you’ll never need more than 15 bytes of memory.

So, if you add a spare byte for luck and allocate 16 bytes, you’re bound to have enough space.

And then, one day, a malicious user decides to see what happens if he ignores the rules, and uses a network number like, say, 1024.10224.102224.1022224.

That network number is nonsense, of course, but your program might not hold out long enough to reject it.

Your code will probably crash right away, because the attacker’s 25 bytes will overflow your 16 bytes of available memory.
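The pattern just described, as an added example in C (this is not code from the original article): a copy routine that trusts the caller's length sits beside a hardened one that checks the length and the dotted-quad structure before it touches the 16-byte buffer. The function names, the buffer size and the sample inputs in main() are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DOTTED_QUAD 15                 /* strlen("255.255.255.255") */
#define ADDR_BUF (MAX_DOTTED_QUAD + 1)     /* plus the "spare byte for luck": the terminating NUL */

/* The pattern the article describes: a buffer sized for the longest *valid*
   dotted quad, and a copy that trusts the caller. A 25-byte input such as
   "1024.10224.102224.1022224" writes past the end of out[]. Shown for
   contrast only; never call it with untrusted input. */
void copy_addr_unsafe(const char *input, char out[ADDR_BUF]) {
    strcpy(out, input);   /* no length check at all: classic stack buffer overflow */
}

/* Hardened replacement. Returns 0 and copies the address into out[] only if
   input is at most 15 bytes AND is structurally a dotted quad (four decimal
   fields of 1..3 digits, each <= 255). Anything else returns -1 and out[] is
   left untouched. The length check comes first, so even the scan that follows
   cannot run past what the buffer can hold. */
int copy_addr_safe(const char *input, char out[ADDR_BUF]) {
    size_t len = 0;
    while (len <= MAX_DOTTED_QUAD && input[len] != '\0')   /* bounded scan, no strlen() */
        len++;
    if (len > MAX_DOTTED_QUAD)      /* too long to be a valid address: reject */
        return -1;

    unsigned fields = 0;
    const char *p = input;
    while (*p != '\0') {
        if (*p < '0' || *p > '9')   /* each field must start with a digit */
            return -1;
        unsigned value = 0, digits = 0;
        while (*p >= '0' && *p <= '9') {
            value = value * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || value > 255)
                return -1;
            p++;
        }
        fields++;
        if (*p == '.') {
            if (fields == 4 || p[1] == '\0')   /* fifth field, or trailing dot */
                return -1;
            p++;
        } else if (*p != '\0') {
            return -1;                         /* stray character */
        }
    }
    if (fields != 4)
        return -1;

    memcpy(out, input, len + 1);   /* len <= 15, so the NUL lands inside out[] */
    return 0;
}

/* Yes/no form for callers that only need validation. */
int is_valid_dotted_quad(const char *input) {
    char scratch[ADDR_BUF];
    return copy_addr_safe(input, scratch) == 0;
}

int main(void) {
    char out[ADDR_BUF];
    /* Constructed inputs: the article's two examples plus two malformed ones. */
    const char *inputs[] = { "255.255.255.255", "1024.10224.102224.1022224", "1.2.3", "256.1.1.1" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (copy_addr_safe(inputs[i], out) == 0)
            printf("accepted: %s\n", out);
        else
            printf("rejected: %s\n", inputs[i]);
    }
    return 0;
}
```

The hardened function checks the length first, on purpose: the structural scan that follows is bounded by the length it has already accepted, so no code path can read or write beyond the 15 characters plus NUL the buffer holds. The unsafe routine is there for contrast and is never invoked on the 25-byte input.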

GHOST explained

As it happens, the GHOST vulnerability is connected with network names and numbers.

The spooky name comes from the system functions where the vulnerable code was found.

The functions are called gethostbyname() and gethostbyname2(), and they do what the names suggest.

They find the computer-friendly network number of a host (e.g. 93.184.216.34) from its human-friendly name (e.g. example.com).

In other words, these functions do a DNS (domain name system) lookup for you, so your program doesn’t need to deal with the intricacies of the DNS protocol.

For example, if you ignore any error checking in your code, you might call gethostbyname() with a host name and print the address it returns:

[code listing not reproduced]

And you’d see something like this:

[sample output not reproduced]

By the way, even if your program doesn’t directly call gethostbyname(), you may end up calling it indirectly as a side-effect of doing something, anything, involving a computer name.

For example, if your software looks up email addresses, calls home for updates, retrieves postings from online forums, plays podcasts, or any of a number of perfectly unexceptionable network-related activities, it almost certainly triggers name-to-number lookups at some point.

And if those lookups are based on data received from outside, such as a sender’s email address in received email headers, then attackers may very well get to choose what data gets passed to your Linux computer’s gethostbyname() function.

The bug

It turns out that gethostbyname() has a clever feature, where it works out whether you called it with a name that is already a network number (digits-dot-digits-dot-digits-dot-digits).

In that case, it would be a waste of time to do a DNS lookup, so it doesn’t bother.

Unfortunately, the code that runs through the name to see if it’s really a network number has a buffer overflow, and if you deliberately send a super-long number laid out just right…

…poof – the GHOST strikes!

So an attacker may be able to rig up messages or network requests that crash your program; and with a bit (or, more likely, a lot) of trial and error, they might be able to trigger that crash in a way that gives them control over your computer.

That’s known as a Remote Code Execution (RCE) exploit, similar to the bug recently found in the super-secure Blackphone, though in that case it was a text message that caused the phone’s software to trip over itself.

What to do?

The good news is that this bug doesn’t exist on every computer.

It actually exists only in some versions of a software module called glibc, short for GNU C library.

In fact, most computers in the world don’t have glibc installed, because it’s not used by default on Windows, OS X, iOS or Android.

The bad news is that many, if not most, computers running Linux do use glibc, and may be at risk.

In short, therefore, if you have any Linux-based systems, including home firewalls and routers:

  • Check with your vendor, or the maker of your distribution, to see if you need a patch.
  • If you do, make plans to apply the patch as soon as you can.

 

Oh, and if you are a programmer, you shouldn’t really be using the gethostbyname functions anyway.

They were superseded many years ago by the much more flexible and useful function getaddrinfo(), which you should use instead.
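Both calls side by side, as an added example in C that is not the original article's listing: a legacy lookup through gethostbyname() and its getaddrinfo() replacement. The names lookup_legacy(), lookup_modern() and parses_as_literal() are this example's own. The inputs in main() are numeric addresses, which is exactly the digits-and-dots shortcut described above and involves no DNS traffic, so the program runs offline; the AI_NUMERICHOST flag lets the modern call refuse anything that is not a literal address.

```c
#define _DEFAULT_SOURCE 1   /* gethostbyname() is a legacy BSD/POSIX.1-2001 interface */
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Legacy lookup: gethostbyname(), the GHOST entry point. Returns 0 and the
   first IPv4 address as text on success, -1 on failure. Not thread-safe,
   IPv4 only, and in unpatched glibc its digits-and-dots fast path overflowed. */
int lookup_legacy(const char *host, char *out, size_t outlen) {
    struct hostent *he = gethostbyname(host);
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL)
        return -1;
    if (inet_ntop(AF_INET, he->h_addr_list[0], out, (socklen_t)outlen) == NULL)
        return -1;
    return 0;
}

/* Modern lookup: getaddrinfo(). Thread-safe, handles IPv4 and IPv6, and lets
   the caller forbid DNS entirely with AI_NUMERICHOST when only a literal
   address is acceptable (e.g. a string taken from an untrusted header).
   Returns 0 on success, otherwise the getaddrinfo() error code. */
int lookup_modern(const char *host, int numeric_only, char *out, size_t outlen) {
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;         /* accept IPv4 or IPv6 */
    hints.ai_socktype = SOCK_STREAM;     /* one result per address, not one per socket type */
    hints.ai_flags = numeric_only ? AI_NUMERICHOST : 0;

    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc;                       /* gai_strerror(rc) describes the failure */

    const void *addr;
    if (res->ai_family == AF_INET)
        addr = &((struct sockaddr_in *)res->ai_addr)->sin_addr;
    else
        addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;

    rc = inet_ntop(res->ai_family, addr, out, (socklen_t)outlen) ? 0 : EAI_FAIL;
    freeaddrinfo(res);
    return rc;
}

/* Does `host` parse as a literal address that prints back identically?
   use_legacy selects gethostbyname(); otherwise getaddrinfo() with AI_NUMERICHOST. */
int parses_as_literal(const char *host, int use_legacy) {
    char buf[INET6_ADDRSTRLEN];
    int rc = use_legacy ? lookup_legacy(host, buf, sizeof buf)
                        : lookup_modern(host, 1, buf, sizeof buf);
    return rc == 0 && strcmp(buf, host) == 0;
}

int main(void) {
    char buf[INET6_ADDRSTRLEN];
    /* Constructed inputs: a valid IPv4 literal, an IPv6 literal, and the
       article's 25-byte nonsense "address". None of them triggers a DNS query. */
    const char *inputs[] = { "93.184.216.34", "::1", "1024.10224.102224.1022224" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = lookup_modern(inputs[i], 1, buf, sizeof buf);
        if (rc == 0)
            printf("getaddrinfo(%s) -> %s\n", inputs[i], buf);
        else
            printf("getaddrinfo(%s) rejected: %s\n", inputs[i], gai_strerror(rc));
    }
    if (lookup_legacy("93.184.216.34", buf, sizeof buf) == 0)
        printf("gethostbyname(93.184.216.34) -> %s\n", buf);
    return 0;
}
```

Pass numeric_only as 0 only where a DNS lookup is genuinely wanted; with it set, a malformed or overlong string comes back as an error code instead of being handed to a parser, which is the cheapest place to stop attacker-chosen data from reaching the resolver at all.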

Save the Date: Please join us at the Information Security Summit 2015

Please save the date and plan to join us for this timely forum on what you need to know about the latest security issues, threats, and technologies that will help you protect your business!

 

June 4, 2015  8:00AM – 1:00PM

MassBay Community College

50 Oakland Street | Wellesley Hills, MA 02481

Pre-registration required.

 


 

Join us for the 3rd Annual Information Security Summit and discover new ways to lead the creation of the secure digital enterprise!

Summit features in-depth, new coverage on:

  • Governance, Risk Management and Compliance Program
  • IT Security Program
  • Technical Insights: Security Architecture
  • Advanced Persistent Threats
  • Data Security and the cloud
  • Vendor Risk Management
  • User Awareness and Training


Click here for more information & to register!


Data Privacy Alert Vol 13.81 – Massive breach at health care company Anthem Inc.

Anthem, the nation’s second-largest health insurance company, is the latest target of a security breach. Eighty million customers, including the company’s own CEO, are at risk of having their personal information stolen.

SAN FRANCISCO – As many as 80 million customers of the nation’s second-largest health insurance company, Anthem Inc., have had their account information stolen, the company said in a statement.

“Anthem was the target of a very sophisticated external cyber-attack,” Anthem president and CEO Joseph Swedish said in a statement posted on a website the company created for information about the incident.

The hackers gained access to Anthem’s computer system and got information including names, birthdays, medical IDs, Social Security numbers, street addresses, e-mail addresses and employment information, including income data, Swedish said.

The affected database had records for approximately 80 million people in it, “but we are still investigating to determine how many were impacted. At this point we believe it was tens of millions,” said Cindy Wakefield, an Anthem spokeswoman.

That would make it “the largest health care breach to date,” said Vitor De Souza, a spokesman for Mandiant, the computer security company Anthem has hired to evaluate its systems.

Because no actual medical information appears to have been stolen, the breach would not come under HIPAA rules, the 1996 Health Insurance Portability and Accountability Act, which governs the confidentiality and security of medical information.

No credit card information was obtained, the company said in a statement e-mailed to USA TODAY.

The hackers were probably not interested in medical information about Anthem’s customers, said Tim Eades, CEO of computer security firm vArmour in Mountain View, Calif.

“The personally identifiable information they got is a lot more valuable than the fact that I stubbed my toe yesterday and broke it,” he said.

Both current and former customers were hit, Swedish said.

Anthem has established a website, www.anthemfacts.com, where members can access information about the breach. There is also a toll-free number for current and former members to call, 877-263-7995.

“Anthem’s own associates’ personal information — including my own — was accessed during this security breach. We join in your concern and frustration and I assure you that we are working around the clock to do everything we can to further secure your data,” Swedish said.

Anthem discovered the breach itself last week. “That is very good news, as two-thirds of the time when we respond, the victim was notified by someone else,” said Vitor De Souza, spokesman for FireEye, which owns Mandiant.

Anthem has contacted the FBI and is working with Mandiant, Swedish said.

“The FBI is aware of the Anthem intrusion and is investigating the matter,” said FBI spokesman Joshua Campbell.

“Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible,” he said.

Customers whose information has been stolen should report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov, Campbell said.

“The Anthem insurance company breach is another in a long line of breaches that continue to have a deep and disheartening effect on consumer behavior and the smooth flow of commerce both here at home and worldwide,” said Rep. Bennie Thompson, D-Miss., ranking member of the Committee on Homeland Security.

Anthem Inc. was previously known as WellPoint Inc. It was formed when Anthem Insurance Company bought WellPoint Health Networks in 2004.

Anthem has customers in 14 states.