The "RISKY BUSINESS" Blog


"Play it again, SAMM"

Posted by John Verry on Tue, Mar 30, 2010 @ 04:45 PM

Fair warning -- this blog takes place from the top of my soap-box, so continue at your own risk!

We all know that application security, especially web application security, is really complex and can only be addressed by equally complex technical solutions like web application firewalls, virtual system patching, ... NOT ....

Having been involved in one too many breach incident responses over the last few weeks, I'm increasingly convinced that my belief that complex challenges demand simple responses is the right path. My challenge is convincing others ... so it's up onto the soap-box. As a pure assessment firm we often end up performing root cause analysis post-incident. Invariably, the perceived root cause ("we were vulnerable to SQL injection") is actually a symptom of much more fundamental causes: "we failed to conduct proper tests before deploying", "our developers were not sufficiently knowledgeable about web application attacks", "we failed to understand the risks to the application", etc.

Raise your hand if you have an SDLC. Not too bad, now; keep it up only if your SDLC:

  • Is current (has been updated within the last year),
  • Includes security touch-points throughout the life-cycle,
  • Includes OWASP Top 10 touch points for management, developers, & testers,
  • Is enforced by an IT Steering Committee (or equivalent) and includes milestones for key phases.

I could add another ten bullets ... but since everyone's hand is down by now ... I think you get my point.

The good news is that there is some new and very well done guidance on integrating security into the SDLC. OWASP's Software Assurance Maturity Model (SAMM) is a terrific new resource. Rather than define SAMM ... I'll steal the high level description from OWASP's site:

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:
• Evaluating an organization's existing software security practices
• Building a balanced software security assurance program in well-defined iterations
• Demonstrating concrete improvements to a security assurance program
• Defining and measuring security-related activities throughout an organization

One of the things I like best about SAMM is that it was written for people who are neither security specialists nor application developers, which means it can be governed by normal business folk. SAMM helps make a secure SDLC (S-SDLC) a simple solution to a complex problem.

Remember simple ≠ simplistic ... (time to climb off the soap-box and get a new cup of coffee!)

We have an on-demand webinar that talks to this specific issue, SAMM, and OWASP as a whole that I recommend you look at if this blog piqued your interest.

Leveraging OWASP



"So Devin ... is OSSIM Awesome?"

Posted by John Verry on Thu, Mar 25, 2010 @ 08:39 AM

Ever have one of those really intriguing moments ... where for the rest of the day your mind keeps circling back and considering the possibilities? I had one yesterday.

A client asked us to help them with a SIEM proof of concept leveraging OSSIM (Open Source Security Information Management). We had tried OSSIM a few years ago with minimal success, but had been intrigued by AlienVault's stewardship of the project, so we were excited to participate. We figured the best way to get started was to deploy OSSIM in our own environment.

Just a few hours later our SIEM Practice Manager grabbed me by the arm with a big smile, "you gotta see this!"

Remarkably, our network had been auto-discovered, a vulnerability assessment had been run, NetFlow data was being captured, we had real-time visibility into network traffic, a Snort IDS sensor with an appropriate signature set had been deployed, and basic network monitoring functionality was in place.

Now, if OSSIM doesn't sound like a conventional SIEM, it isn't. OSSIM integrates a diverse array of existing open source security tools into a unified whole that is notably more valuable than the sum of its parts. Surfing our security-related data gave me greater insight into our operations and our information security posture. Very quickly we had a comprehensive view of our environment, with one notable exception: we were not yet monitoring device logs (which is really the lynchpin of a SIEM).

It took another 10 minutes or so and OSSIM was receiving logs from one of our chattier CentOS boxes. After updating Snare on our 2008 Active Directory box, OSSIM happily consumed our AD logs, although the regexes will need a bit of fine-tuning to handle a few of the event types we want to capture.

So would Devin Woodcomb proclaim that OSSIM is "awesome"? Not sure yet, but I am intrigued as hell at its ability to provide significant value right out of the box. BTW, I wonder if mentioning that everything we have tested to this point is part of the open source version (free!) would tip his opinion ...
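As an added illustration of the regex fine-tuning the post mentions for Snare-forwarded AD logs (example code written for this edit, not OSSIM's or Snare's own): parsing Windows Security events 4625/4624 out of Snare's tab-separated lines and running the classic "repeated failures, then a success" correlation a SIEM applies to them. The field order is assumed from Snare's documented layout, and every log line is constructed test data, not a capture from any real domain controller.

```python
"""Parse Snare-forwarded Windows Security events and correlate failed logons
followed by a success.  Added example (not OSSIM's or Snare's code): the field
order is assumed and every log line here is constructed test data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Snare for Windows layout: one event per line, tab-separated.
SNARE_FIELDS = ["host", "tag", "criticality", "log", "counter", "time",
                "event_id", "source", "subject_user", "sid_type", "audit_type",
                "computer", "category", "data", "expanded", "checksum"]
SNARE_TIME_FMT = "%a %b %d %H:%M:%S %Y"

# A naive r"Account Name:\s+(\S+)" grabs the event's *Subject* first (usually the
# DC's machine account), so anchor on the section that names the target account.
ACCOUNT_RE = re.compile(
    r"(?:New Logon|Account For Which Logon Failed):\s+Security ID:\s+\S+\s+"
    r"Account Name:\s+(?P<user>\S+)\s+Account Domain:\s+(?P<domain>\S+)")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s+(?P<logon_type>\d+)")
SRC_IP_RE = re.compile(r"Source Network Address:\s+(?P<src_ip>\S+)")


def parse_snare_line(line):
    """Normalise one Snare line into a dict; None if it is not a Snare event."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 14 or parts[1] != "MSWinEventLog":
        return None
    rec = dict(zip(SNARE_FIELDS, parts))
    try:
        ts = datetime.strptime(" ".join(rec["time"].split()), SNARE_TIME_FMT)
        event_id = int(rec["event_id"])
    except ValueError:
        return None
    ev = {"time": ts, "event_id": event_id, "host": rec["host"], "user": None,
          "domain": None, "logon_type": None, "src_ip": None}
    for rx in (ACCOUNT_RE, LOGON_TYPE_RE, SRC_IP_RE):
        m = rx.search(rec["data"])
        if m:
            ev.update(m.groupdict())
    if ev["logon_type"] is not None:
        ev["logon_type"] = int(ev["logon_type"])
    return ev


def detect_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a user/source pair logs >= threshold 4625 failures inside
    `window` and then a 4624 success: password guessing that worked."""
    failures = defaultdict(deque)          # (user, src_ip) -> 4625 timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["user"] is None:
            continue
        q = failures[(ev["user"], ev["src_ip"])]
        while q and ev["time"] - q[0] > window:
            q.popleft()                    # forget failures outside the window
        if ev["event_id"] == 4625:
            q.append(ev["time"])
        elif ev["event_id"] == 4624 and len(q) >= threshold:
            alerts.append({"user": ev["user"], "src_ip": ev["src_ip"],
                           "failures": len(q), "success_at": ev["time"]})
            q.clear()
    return alerts


def _snare(ts, event_id, audit_type, data):
    """Build one constructed Snare line (test data, not a real capture)."""
    return "\t".join(["DC01", "MSWinEventLog", "1", "Security", "1", ts,
                      str(event_id), "Microsoft-Windows-Security-Auditing",
                      "N/A", "N/A", audit_type, "DC01", "Logon", data, "", ""])


_FAIL = ("An account failed to log on. Subject: Security ID: S-1-5-18 Account "
         "Name: DC01$ Account Domain: CORP Logon ID: 0x3e7 Logon Type: 3 Account "
         "For Which Logon Failed: Security ID: S-1-0-0 Account Name: jsmith "
         "Account Domain: CORP Failure Information: Status: 0xc000006d Sub Status: "
         "0xc000006a Network Information: Workstation Name: WS42 Source Network "
         "Address: 10.1.2.3 Source Port: 49152")
_OK = ("An account was successfully logged on. Subject: Security ID: S-1-5-18 "
       "Account Name: DC01$ Account Domain: CORP Logon ID: 0x3e7 Logon Type: 3 "
       "New Logon: Security ID: S-1-5-21-1-2-3-1104 Account Name: jsmith Account "
       "Domain: CORP Logon ID: 0x1a2b3c Network Information: Workstation Name: "
       "WS42 Source Network Address: 10.1.2.3 Source Port: 49153")

SAMPLE_LINES = [   # constructed: three bad passwords, then a success
    _snare("Thu Mar 25 08:39:01 2010", 4625, "Failure Audit", _FAIL),
    _snare("Thu Mar 25 08:39:04 2010", 4625, "Failure Audit", _FAIL),
    _snare("Thu Mar 25 08:39:09 2010", 4625, "Failure Audit", _FAIL),
    _snare("Thu Mar 25 08:39:15 2010", 4624, "Success Audit", _OK),
    "not a Snare event at all",                 # must be dropped, not crash
]


def run_sample():
    """Parse the constructed lines and return the resulting alerts."""
    events = [ev for ev in map(parse_snare_line, SAMPLE_LINES) if ev]
    return detect_bruteforce(events)
```

The point of anchoring the account regex on "New Logon" / "Account For Which Logon Failed" is exactly the kind of tuning a flattened Snare line forces on you: a 4624 carries two "Account Name" fields, and the first one is the subject (typically the DC's own machine account), so an untuned pattern silently attributes every logon to the domain controller. Unparseable lines are dropped rather than allowed to crash the collector.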

Pay Attention to Information Security: Zeus Bankrupting Companies

Posted by John Verry on Fri, Mar 19, 2010 @ 02:22 PM

Sadly, the ABA's warnings regarding small businesses' use of online banking have not been widely heeded. Most small businesses have not yet changed their information security practices to protect themselves from banking malware.

King & Little, a NY-based marketing firm, faces bankruptcy after it was victimized by the Zeus banking trojan. Over a very short period the attacker emptied the company's bank account of $164,000.

Understandably (but still deeply disconcerting), TD Bank advised King & Little that, because the theft occurred through malware on one of King & Little's own computers, TD Bank is not responsible for the loss.

What is most disappointing is that online banking sites do not yet have the controls necessary to protect against this type of attack: for example, requiring out-of-band (e.g., text message) confirmation for certain types of events, such as adding a new payee or making a payment above a user-definable threshold.
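As an added illustration of the control described above (example code written for this edit, not any bank's implementation): a server-side step-up policy that flags a new payee or an over-threshold payment, and an out-of-band verifier whose code is bound to the exact payee and amount quoted in the text message. The account names, payees, threshold and phone number are constructed, and delivery of the text message is injected as a callable so the example runs offline.

```python
"""Step-up, out-of-band confirmation for risky online-banking payments.
Added example, not any bank's code: accounts, payees, threshold and phone
number are constructed; text-message delivery is injected so it runs offline."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    account: str        # paying account
    payee: str          # destination account identifier
    amount_cents: int


def step_up_reasons(p, threshold_cents, known_payees):
    """Why this payment needs out-of-band confirmation ([] means it does not).
    known_payees maps account -> set of payees the customer has paid before."""
    reasons = []
    if p.payee not in known_payees.get(p.account, set()):
        reasons.append("new payee")
    if p.amount_cents > threshold_cents:        # user-definable in practice
        reasons.append("amount above threshold")
    return reasons


_SERVER_KEY = secrets.token_bytes(32)   # assumed per-process key; a bank would use an HSM/KMS


def _bind(code, p):
    """HMAC over the code *and* the payment, so the code confirms only the
    exact payee/amount the customer read in the text message."""
    msg = f"{code}|{p.account}|{p.payee}|{p.amount_cents}".encode()
    return hmac.new(_SERVER_KEY, msg, hashlib.sha256).digest()


class OobVerifier:
    CODE_TTL_SECONDS = 300
    MAX_ATTEMPTS = 3

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms            # callable(phone, text)
        self.now = now                      # injectable clock
        self._pending = {}                  # challenge_id -> record

    def issue(self, phone, p):
        code = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = {"digest": _bind(code, p), "attempts": 0,
                                       "expires": self.now() + self.CODE_TTL_SECONDS}
        # The message states what is being approved; the customer checks it
        # against what they meant to pay, not against what the browser shows.
        self.send_sms(phone, f"Confirm payment of ${p.amount_cents / 100:.2f} to "
                             f"{p.payee}. Code: {code}. Never share this code.")
        return challenge_id

    def confirm(self, challenge_id, code, p):
        rec = self._pending.get(challenge_id)
        if rec is None:
            return False, "unknown or already used challenge"
        if self.now() > rec["expires"]:
            del self._pending[challenge_id]
            return False, "expired"
        rec["attempts"] += 1
        if rec["attempts"] > self.MAX_ATTEMPTS:
            del self._pending[challenge_id]
            return False, "too many attempts"
        if not hmac.compare_digest(rec["digest"], _bind(code, p)):
            return False, "code does not match this payment"
        del self._pending[challenge_id]     # one-shot: no replay
        return True, "confirmed"


def demo():
    """Run the scenarios from the post on constructed data; returns outcomes."""
    known = {"ACME-001": {"payroll-vendor"}}
    sent = []
    clock = [1_000.0]
    verifier = OobVerifier(send_sms=lambda phone, text: sent.append(text),
                           now=lambda: clock[0])
    routine = Payment("ACME-001", "payroll-vendor", 250_00)
    suspicious = Payment("ACME-001", "unknown-mule-acct", 9_900_00)
    out = {"routine": step_up_reasons(routine, 1_000_00, known),
           "suspicious": step_up_reasons(suspicious, 1_000_00, known)}

    cid = verifier.issue("+15555550100", suspicious)
    code = sent[-1].split("Code: ")[1][:6]
    # A browser-side trojan rewrites the payee after the customer approved the real one.
    swapped = Payment(suspicious.account, "attacker-acct", suspicious.amount_cents)
    out["swapped_payee"] = verifier.confirm(cid, code, swapped)[0]
    out["wrong_code"] = verifier.confirm(cid, f"{(int(code) + 1) % 10**6:06d}", suspicious)[0]
    out["correct"] = verifier.confirm(cid, code, suspicious)[0]
    out["replay"] = verifier.confirm(cid, code, suspicious)[0]

    cid2 = verifier.issue("+15555550100", suspicious)
    code2 = sent[-1].split("Code: ")[1][:6]
    clock[0] += OobVerifier.CODE_TTL_SECONDS + 1
    out["expired"] = verifier.confirm(cid2, code2, suspicious)[0]
    return out
```

Binding the HMAC to the payee and amount is the part that matters against a man-in-the-browser trojan: if the malware rewrites the payee after the customer approves the payment, the confirmation fails even though the customer typed the right code. A plain one-time code that only proves possession of the phone would not catch that, and neither would a browser-side check, since the browser is the compromised component.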

I have long been a fan of online banking and had taken precautions, most notably not using a Windows-based machine for my online banking. After this incident, I built an Ubuntu-based machine that is only turned on when I am doing banking. Further, I have restricted outbound and inbound access to HTTPS to the specific banking sites I use. The user account that I use to do the banking has limited rights as well.

To this point I am not aware of Zeus, URLZone, Clampi, or SilentBanker targeting Ubuntu. Should that change ... it may be time to find my old checkbook ...

* * * * * * * * * * *

Check out our Techno-Blog for a safe, simple solution!


