Code Review Required for JavaScript Too

December 17, 2016

In the course of my professional activity, I have repeatedly bumped into well-meaning individuals (developers, architects, leaders, and more) who believe that browser-hosted JavaScript is not a real security concern (anything important to protecting our systems and data happens back on servers, right?)  This can lead to a certain amount of passivity during code-promotion code reviews.

I was just looking for a current copy of the Automated Penetration Testing Toolkit (APT2), and happen to glance at one of the author’s blogs, and was presented with another reason that JavaScript code review and accompanying risk management is still a core capability.

Much of the automated web application testing that I see day to day does a great job finding bugs.  It does not, though, do such a great job identifying new features that require only a little code to implement.

Professional pen tester Adam Compton offers some keystroke logging JavaScript along with a primitive  to catch & log the output.  Adding a keystroke logging “feature” to one of your JavaScript modules could involve only a few lines of code, but could result in any number of abuse cases — and resulting in harm of varying scope & impacts.  Monitoring for “feature” additions to your JavaScript is just another reason to keep that language on your code review radar.

REFERENCES:

Automated Penetration Testing Toolkit (APT2)
https://github.com/MooseDojo/apt2

New Script/Tool: KeyLogging in JavaScript
http://blog.seedsofepiphany.com/2015/04/new-scripttool-keylogging-in-javascript.html

 


DevOpsSec Report from OReilly

July 10, 2016

O’Reilly continues to support secure software efforts — and by extension secure options on the Internet.  Last month they released “DevOpsSec: Securing Software through Continuous Delivery” by Jim Bird.

The Agile and Dev Ops Sec worlds have a lot of intersection & overlap, and the challenges of emitting risk-appropriate applications remain for both.  This 86 page report includes adult content for using infrastructure, specific development & operations practices, security-centric development resources, and code to satisfy your risk management obligations, along with recommendations for “proving” that your apps are “secure-enough.”  At 86 pages this report is not comprehensive, and it does not attempt to be.  Like many other aspects of Agile activities, it attempts to help us quickly learn somethings about how to move our position closer to “secure-enough.”

It is also “free” [for a name and email address].  For anyone involved in Financial Services software development, I strongly recommend this quick read.

REFERENCES

DevOpsSec: Securing Software through Continuous Delivery. http://www.oreilly.com/webops-perf/free/devopssec.csp

O’Reilly: http://www.oreilly.com/

 


Verizon Says Passwords are Not Enough

April 25, 2016

Lately, I’ve been spending a lot of time performing static code security assessments of web applications. That leads to working with developers and those who work around them. One thing many of them share with me is their faith in authentication infrastructure — infrastructure that generally sits “in front” of their applications and protects them from unauthorized users. Sometimes I still hear Architects talk about “security” as if it were really just authentication… In that context, the latest Verizon Data Breach Investigations Report (DBIR) reviews their 2016 dataset of over 100,000 incidents, including 2,260 confirmed data breaches across 82 countries.

The full paper is worth a read, but in the context of my comments above I wanted to highlight Verizon’s recommendations concerning passwords:

“…passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn’t consume it on its own.”

“63% of confirmed data breaches involved weak, default or stolen passwords.”

The top 6 breaches included the following steps: “phish customer > C2 > Drop Keylogger > Export captured data > Use stolen credentials”

Recommendaton:
“If you are securing a web application, don’t base the integrity of authentication on the assumption that your customers won’t get owned with keylogging malware. They do and will.”

REFERENCES:
Verizon Data Breach Investigations Report (DBIR)
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/insiders/

 


Risks of Unnecessary Admin Privileges Continue to Increase

February 18, 2015

Excessive access has been an acknowledged risk since the earliest days of distributed data-communication networks in the 1970s.  One key way that some organizations attempt to ‘keep things moving’ is to grant administrative privileges to ranges of individuals & groups who may need some small subset of those permissions in the course of normal operations or in dealing with troubleshooting requests.  In most situations, it would be possible to grant only those permissions required to perform truly required tasks. In the most of the rest of the situations, broader administrative access can be protected with strong two-factor authentication (which will resist many threats that depend upon stolen user credentials).

Constraining and/or hardening administrative access has also been one of the easier ways for large enterprises to materially reduce their attack surface which results in a lower overall risk profile.

A core risk management principle — ‘least privilege’ — reasons that users should be granted only enough rights to support performing the tasks required for their role, and no more.

This is not only a Windows issue,  but Antone Gonsalves (CIO OnLine) passed along today that a review of Microsoft’s Windows vulnerabilities in 2013 (333, of which 147 ranked ‘critical’), showed that fully 60% of them would be mitigated by removing user’s admin rights. Gartner has also argued that 90% of security threats could be eliminited by removing user’s administrative permissions.

Hostile uses of malware and social engineering continue to advance. This results in increasing the gravity of Financial Services organization’s excessive administrative access issues.  The key message is that the risks associated with malware infection could be materially-reduced if we tamped down granting of administrative privileges.

RESOURCES:

“Time to drop unnecessary admin privileges.” By Antone Gonsalves, 02-18-2014.
http://www.csoonline.com/article/2134396/privacy/time-to-drop-unnecessary-admin-privileges.html

“Trends (and other things) Learned at the Gartner IAM Summit.” By Mark Weiner, 12-11-2014
http://blog.centrify.com/trends-learned-at-gartner-iam-summit/

Completosec on Risks of Malicious Code:
https://completosec.wordpress.com/category/malicious-code/


WEF Risk Report Outlines Linkages and Risks to Watch

January 28, 2011

World Economic Foundation Global Risk Reports 2011 Outline Linkages and Risks to Watch.

The World Economic Foundation just released its created a collection of resources to support understanding, thinking, and decision-making about risk.  The Global Risks Report 2011 is available as an interactive web site, or a 60 page PDF.

For context, WEF staff outline some of the resources used to product the 2011 report:

  • “The starting point for Global Risks 2011 was a risk perception survey of 580 leaders and decision-makers across the world.”
  • “The survey was supported by 18 workshops and over 50 expert consultations to assist the (World Economic) Forum’s in-house risk analysis.”
  • “Survey respondents assessed the potential impact, likelihood, and interconnections of a range of 37 global risks, looking forward over a ten year period.”

The report does not stop at the traditional likelihood-impact graph, but delivers another view of the situation by outlining the interconnections between each of the global risks, and by organizing the risks into logical groups.  Their discussion of the web of interconnections between the risks and groups of risks may be the most important output of the 2011 report.  There is a lot of content in this report and supporting materials.  Risk management professionals involved in financial services should be able to make use of this rich resource in a variety of contexts.

After a quick scan of the materials, a few things stood out as useful for me.  Most immediately, the analysis of linkages between information security and other global risks will support my work attempting to help others make decisions about risks involved in global financial services.

This report includes a discussion of what the authors called the “illegal economy nexus” within the Risk Interconnection Map.  At its core, were three broad risks: illicit trade, corruption, and organized crime.  The authors argue that “emerging economies suffer under chronic threats to development as well as acute threats to stability,” while the advanced economies drive “the demand for the illegal economy nexus, face regional and global instability, as well as the pressure to participate in corrupt practices.”  [see: http://riskreport.weforum.org/#/2/7 and http://riskreport.weforum.org/#/?re_layout=0&re_IDs=28]

In the World Ecomonic Forum Risk Report, links between online data and information security extend into the illegal economy nexus through organized crime, corruption, and also have direct linkage to regulatory failures, critical information infrastructure breakdown, infrastructure fragility, threats from new technologies, and terrorism.

For a slightly more extended discussion of these linkages see: “The global risks barometer,” also by the World Economic Forum.

On page 37 of the “Barometer,” it defines “Online data and information security” as “The accidental loss of data or fraud online triggers a loss of confidence in data sharing, negatively affecting e-commerce and communication,” and then identifies a set of key risk drivers and indicators:

These drivers increase this risk:

  • Lack of transparency on meta collection of data and algorithms
  • Difficulty of tracing altered data and infiltrator activity and the lack of agreement on how to intervene when erroneous data is created or misallocated
  • Incompatibility of new and old systems, carrying risks of destabilizing the network
  • Increased reliance on cloud services for data storage and analytics

This driver can both increase or decrease risk.

  • Extent to which policy and regulatory frameworks can keep up, given the lag between innovation cycles and government decision-making cycles

These drivers reduce this risk:

  • Deterrent effect of clear legal framework to penalize offenders
  • Information sharing among governments and private firms regarding loss events
  • Improved education and personal awareness on ethical and moral responsibilities of online activities, including a false sense of security from encryption
  • Development of best practices for data security

The report then outlines a number of “Global Impacts:”

  • Disruption of global e-commerce and network communication as security concerns make users retreat from online services
  • Paralysis of business and governance as trust decreases in data collection, storage, distribution systems and organizations processing mass data
  • Increased degree of tolerance to breaches of privacy
  • Negative blow to the open source society affecting data and process sharing which hampers innovation and trust
  • Unexpected second- and third-order effects through the interconnectedness of systems and data which are generally poorly understood

In their polling and research, the authors of the “Risk Report” found that “cyber thieves experience a substantially lower feeling of guilt than is apparent in other criminal activities.” [page 66]  This idea or finding has been around for quite some time, sometimes a slice of it is abbreviated into a discussion about how individuals behave differently “at work” than they do when they work from home — which some personnel leaders discount.  But delivering this message to participants at the World Economic Forum Annual Meeting in Davos might help factor it into senior decision-making circles.

I have only touched on an extremely small subset of the content in this rich set of resources.  I strongly recommend it as a serious read for all security professionals in financial services.

-References-

“Global Risks 2011, Sixth Edition – An initiative of the Risk Response Network.”
http://riskreport.weforum.org/ or in PDF format at http://riskreport.weforum.org/global-risks-2011.pdf
World Economic Forum (January 2011) in collaboration with Marsh & McLennan Companies, Swiss Reinsurance Company, Wharton Center for Risk Management, University of Pennsylvania, Zurich Financial Services, with Co-editors: Kristel Van der Elst and Nicholas Davis.

“The global risks barometer.” by the World Economic Forum, at http://riskreport.weforum.org/barometers-2011.pdf


Introduction

January 1, 2009

Page one.   I will try to offer a little to those involved in information security, application security, business operations security, and infrastructure security.   I will also try to repeat a lot that bears repeating.

I believe that we need to train business and technology management,  leaders across all types of business, about effectively managing risk.  We need to offer reasonable alternatives to a simple hope that “loss will visit elsewhere — but not at my company, at least not on my watch.”

Ineffective risk management decision-making can result in net risk increase.

And the vast and varied application layer remains a risk-rich territory.

My thanks to WordPress.com for this service, and to Kevin Riggins at Infosec Ramblings for a nudge.


%d bloggers like this: