SecurityVibes – IT Security & Compliance Magazine


OWASP expert Dan Cuthbert – lessons we must learn from LulzSec

Author: Derek Parkinson, Inside Business

A key lesson from our recent experience of LulzSec is that we are slow to learn from experience. That was the message of a talk given by OWASP project leader Daniel Cuthbert to the Royal Holloway Information Security Group.

The activities of groups such as LulzSec are a useful measure of wider security practices, but they also expose failings within the security industry itself, Cuthbert said. Around ten years ago the so-called GOBBLES collective embarked on a hacking spree that exposed vulnerabilities in Apache, and also exposed the shortcomings of the ISS X-Force security professionals' attempts to fix them, he reminded us.

Yet, despite these regular warnings, the same old vulnerabilities trouble us. SQL injection is one example, Cuthbert said. “I first found out about it in about 1998, when I was working for the FT [Financial Times], working with Perl and Lotus Notes. I discovered that I could interact with the Oracle back end, and raised this with them, but was told ‘oh, it’s not a problem’,” he said.

More recently, LulzSec's exposure of weaknesses in high-profile organisations has raised awareness of old vulnerabilities. But instead of prompting a serious rethink of our approach, it may tempt us to draw the wrong conclusions, it was suggested in the discussion that followed: if a company with the resources of Sony can be compromised so badly, perhaps others will feel they only have to do slightly better in order to be “respectable”!

So, what is wrong with our approach? Cuthbert asked. We’re too tempted to look for the quick fix, usually in the form of technology. “We buy tools – we love them…we spend hundreds of thousands of pounds on a box with seven glowing lights!” he said. Of course, the security vendors are well aware of this, and happy to indulge us.

Tools such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) got short shrift from Cuthbert: “Useless – they will tell you that you’ve been slapped in the face when you’re already sitting on the floor,” he said. “The elephant in the room is: tools like vulnerability scanners, IPSs, and WAFs will fail you when you need them most.”

A clear example of how technical expertise may give little protection against breaches is RSA, which notoriously fell victim to a relatively unsophisticated phishing attack, he said. Cuthbert said that a member of his own pen testing team had recently texted him to report gaining worldwide admin rights on a client's network after only 12 hours; the client was a global enterprise that appeared to take security seriously. Such experiences are not uncommon, he said.

As the RSA example shows, it is the “human factor” that is often the critical weakness. PAs and staff in support roles such as human resources, who often have access to the details of senior figures in an organisation, are prime targets for attackers. In the case of PAs, it is not uncommon for them to hold the passwords and other authentication credentials of their bosses.

What will drive improvements? Tougher regulation is a possibility, but there is a danger that this encourages a tick-box approach, where compliance rather than security is the goal. Cuthbert reported that some companies are now declaring parts of their networks “off-limits” to pen testers, on the grounds that those parts are already PCI-compliant and therefore secure!

“This is the only industry I know where the customer is always wrong,” Cuthbert said, reflecting on what all this means for the individual. New legislation that makes it compulsory for custodians of personal data to report breaches is being enacted in various jurisdictions, including South Africa and, at state level, the US, while the EU is examining how it could be incorporated into a Directive. Legal developments may be our best hope for the improvements we need and deserve, he suggested.
