Wow. Two months or so after my first blog post, comes my to-say-it-is-delayed-is-probably-an-understatement second blog post. I now have massive respect for those people who get blog posts up on a daily or weekly basis consistently.
At the end of August, stratsec hosted our first ever ‘stratHACK’ event.
stratHACK is a week-long assembly of our best and brightest information security testers and researchers, with the aim of finding new, undiscovered security weaknesses in some of the industry’s most important products and technologies. At stratsec we strive to be the best at what we do. We hire the best people and provide them with an environment to improve their skills and capabilities by learning from each other and setting new challenges. stratHACK allows our top people to share their latest techniques, skills, and knowledge. This is one way that we can keep current with a moving target and ensure our customers always have the latest knowledge at their disposal.
At the end of the stratHACK week was our ‘stratHACK briefings’ event, with close to 100 people attending our inaugural event in Canberra.
Given the theme of stratHACK week, of finding new vulnerabilities and sharing knowledge, I took the opportunity to focus my presentation at stratHACK briefings on the same theme. My topic became:
The slide set is available in the Publications section of the report (link above).
When aggregating 1000 application tests, covering applications developed with dozens of technologies, by thousands of developers, and probably billions of dollars of IT investment, what have we learned? The following came out as the key lessons…
1. Not everyone finds it easy to think bad thoughts
2. ‘Common’ != Secure
3. Security is not correlated to budget
4. Non-Core = Non-Secure
5. Most ‘solutions’ involve papering over the cracks
6. Legitimate Access = Game Over
1. Not everyone finds it easy to think bad thoughts
One of the great sayings in the information security industry is that we – as information security professionals – are people paid to think bad thoughts. To identify ways to breach security, to circumvent controls, to manipulate systems to give up their secrets... with the aim of helping our clients plug these holes before someone genuinely malicious takes advantage of them.
The corollary of this is that people who don’t naturally think ‘bad thoughts’ will often struggle to see the relevance of the risks we are seeking to present to them. As an example, when presented with an attack that an authorised user could complete against an application, it is surprising how often the response is along the lines of:
- “Only an authorised user could do that, and we wouldn’t authorise a hacker to use the system;” or
- “You have made an assumption that the application would be used in a malicious way. Our users are not malicious.”
To be fair, the second of these isn’t too far from being a reasonable statement. If some words like “in general…” were added before “…our users are not malicious” it would probably be correct.
But just like non-disclosure agreements that are signed day-in and day-out despite the fact that 99% of them won’t ever be used in anger, they are there for the 1% of the time that they are. To ignore an attack that can be completed by an authorised user is to put your business systems at risk.
You can approach this by relying on what your users will or won’t do; but you will get much greater comfort knowing what they can or can’t do.
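As an added illustration of that last point (not code from stratsec or from any application discussed in the post), the hypothetical invoice lookup below contrasts an endpoint that relies on authorised users behaving (any authenticated caller gets whichever record id they ask for) with one that enforces what they can do (every object access is checked against the caller’s ownership). The `INVOICES` data, the `Invoice` type and the function names are all constructed for the example; `exposed_records` is a review helper that enumerates what the trusting version would let a given user read.

```python
"""Relying on what users will do vs. enforcing what they can do.
Hypothetical in-memory invoice store; constructed sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample data: two customers, three invoices.
INVOICES = {
    101: Invoice(101, "alice", 120.00),
    102: Invoice(102, "alice", 45.50),
    201: Invoice(201, "bob", 999.99),
}


class Forbidden(Exception):
    """Raised when an authenticated user asks for a record they do not own."""


def get_invoice_trusting_user(user: str, invoice_id: int) -> Invoice:
    """'Our users are not malicious' version.

    Authentication happened upstream, so the caller is trusted to only ask
    for their own ids. Nothing stops an authorised user from editing the id
    in the request and reading another customer's invoice.
    """
    return INVOICES[invoice_id]


def get_invoice_enforced(user: str, invoice_id: int) -> Invoice:
    """'Know what they can't do' version.

    Authorisation is checked on every object access, not just at login.
    A missing record and a record owned by someone else get the same
    response, so a caller learns nothing about ids they may not see.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != user:
        raise Forbidden(f"user {user!r} may not access invoice {invoice_id}")
    return invoice


def can_access(user: str, invoice_id: int) -> bool:
    """True if the enforced endpoint would serve this (user, id) pair."""
    try:
        get_invoice_enforced(user, invoice_id)
    except Forbidden:
        return False
    return True


def exposed_records(user: str) -> list[int]:
    """Review helper: ids the trusting endpoint serves to `user` that the
    enforced endpoint would refuse. A non-empty list is the finding the
    post describes: an attack an authorised user could complete."""
    return sorted(
        invoice_id
        for invoice_id in INVOICES
        if not can_access(user, invoice_id)
    )


if __name__ == "__main__":
    print("alice can read as an authorised user:", exposed_records("alice"))
```

The review helper is the useful part in practice: rather than arguing about whether a user would tamper with an id, it lists exactly which records the current code lets them reach, which is a much easier conversation to have with the application owner.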
More to come…