As a follow-up to February's blog on internet security threats, Five Talent CTO Ryan Comingdeer and Redhawk Network Security's David Lindemann, VP of Technology & Products, discuss the best internet security tools and reactive strategies for mitigating IT risk, preventing Internet hack attempts, and protecting sensitive information.
A DEVELOPER’S PERSPECTIVE ON SECURITY
IT security constantly challenges us as developers because it's an ever-changing environment. We have best practices in place that reduce risk, but the volume and sophistication of security attacks also force us to spend a lot of time reacting to hack attempts and patching software for clients.
From our perspective, security has to be collaborative. We utilize tools like Amazon Web Services (AWS) and implement layers of control to stay ahead of threats, and we also make sure to bring in companies like Redhawk for security audits and risk assessment. The most critical piece rests with the client, as they often have the greatest vulnerabilities when it comes to security. The more they understand what they can do on their end to tighten up Internet security, the better protected they are. Each of us has strengths and areas of responsibility, but it’s the coordinated effort that really delivers the best results.
Security Challenges During Development
We're constantly trying to stay on top of security during development. Nonetheless, whether we're using white-box or black-box testing, things can still get missed. For example, you can have a team of developers with expertise in Ruby, PHP, and Perl. If a .NET application lands on their desk, they will probably be able to find some high-level vulnerabilities. However, without in-depth experience in that particular framework, they can still miss the less obvious ones. That's why we've built a team of seasoned developers with a broad set of expertise.
Another challenge is that projects are usually different enough that you can't simply replicate what you did on the last one. You could be using .NET Framework 4.5 instead of the 4.0 you used last time and find out that it has holes in the API you weren't aware of. You might have best practices, but it may take a project or two to get them in place as you learn. Developers also often have to rely on things they don't control, such as security patches for the Microsoft .NET Framework, operating systems, database servers, or even SSL technologies.
Top IT Security Issues for Developers
- Constantly changing security environment
- Inherited projects with existing IT security vulnerabilities
- Lack of client training and education
- Breadth of developer expertise
- Awareness and timely installation of security patches from third-party providers
Best Practices for IT Security
The best IT security tools and strategies we use depend on the type of project we’re undertaking. We have two project types: 1) public facing websites and 2) enterprise applications. Enterprise projects represent the majority of our business, but of course, each project type has its own needs and challenges.
Security Best Practices for Marketing Websites
When you have a public-facing website, you're building on open source platforms (e.g. WordPress, Joomla, Drupal or Magento) and they're usually hosted by a third-party hosting company like GoDaddy. Sometimes clients ask Five Talent to build custom plugins for additional functionality they need. They also have us maintain those sites once they're built. 90% of these web apps are public facing: customers log in to create small profiles and then connect socially with other individuals. Whether you're building your own site or having a developer build one for you, we recommend the following IT security best practices:
- Secure Sockets Layer (SSL)
- Daily or weekly backups
Enterprise projects usually involve financial institutions or other organizations with HIPAA, PCI, or SOX requirements. As a result, these companies already know what they need to focus on when it comes to security compliance. However, when our development efforts go over and above that compliance, we have to weigh its importance against the added project cost, which can represent up to 40% of a project's total budget. Security can be expensive.
Ideally you develop enterprise applications from scratch, using platforms like AWS completely. We use Amazon WAF and IAM Roles to help us avoid a vast majority of potential issues, and load balancers and other AWS tools take care of funneling traffic. Best practices we recommend for enterprise projects include:
- Employ an RDS environment with as-needed permissions
- Encrypt private information such as social security numbers and birthdays in the database, using KMS for the encryption
- Utilize EC2 servers that act as a middle service layer behind the same VPN that the RDS is in
- When appropriate, use a separate EC2 environment for the Viewer/Presentation layer, behind a load balancer and CloudFront (all through the same VPN)
- Minimum permissions (by IP address, by security group, by IAM role)
- Use a powerful on-call monitoring tool for when something goes awry or a website goes down
- Run MalDat as a proactive daily scan
- Segment permissions based on minimum access requirements
- Require multi-factor authentication
- Monitor file integrity
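"Monitor file integrity" in the list above, and the file integrity monitoring item in Redhawk's list further down, both describe the same control: record a known-good hash of every file, re-hash on a schedule, and alert on anything added, removed or changed. The following is an added example, not code from Five Talent or Redhawk, showing the core of such a monitor in Python using only the standard library; the web-root files it creates in a temporary directory are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256 hex digest."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def diff_snapshots(baseline, current):
    """Classify each path as added, removed, or modified relative to the stored baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a small web root, then alter it and report the drift."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php echo 'welcome'; ?>")
        _write(root, "config/db.ini", "host=db.internal")
        _write(root, "assets/logo.txt", "placeholder")
        baseline = snapshot(root)  # in production this would be persisted and kept read-only

        # Simulated drift: one file edited, one unexpected file appears, one file disappears.
        _write(root, "index.php", "<?php echo 'welcome'; ?><!-- changed -->")
        _write(root, "uploads/unexpected.php", "<?php /* not in baseline */ ?>")
        os.remove(os.path.join(root, "config", "db.ini"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A real deployment stores the baseline somewhere the monitored host cannot rewrite it (otherwise an intruder simply re-baselines after tampering), runs `snapshot` from cron or a scheduler, and routes a non-empty diff to the on-call alerting tool mentioned above.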
A 3RD-PARTY AUDITOR'S PERSPECTIVE – REDHAWK NETWORK SECURITY
Redhawk often takes the role of an internal security auditor – particularly with financial clients who have strict compliance requirements. That compliance is definitely their primary motivator for engaging us. Unfortunately, there are a lot of security firms out there who will simply help these clients check their regulatory box. We do much more than that by educating clients about their risk and helping them to establish a regularly audited security foundation. In our opinion, that foundation is paramount in today’s Internet environment.
Other clients come to us because they’ve just been hacked and jobs are on the line. Both of these scenarios are reactive. However, the disclosure of massive attacks in the media over the past few years seems to be prompting companies to consider security more proactively. We have newly hired CTOs come to us who want to thoroughly understand their company’s security risk and where they should be dedicating IT resources. Last, we collaborate with developers like Five Talent to conduct full feature security audits for complex enterprise projects.
Regardless of the client type, we begin all engagements with a risk assessment. Our objective is twofold. First, we help the client identify the asset or information at stake. Second, we analyze the infrastructure where that information lives so we can make recommendations for action steps. While there are layers of controls we recommend that are fairly unique to every organization, this risk assessment process informs us how to approach any engagement.
Challenges from Within the Organization
When it comes to IT security, everyone talks about the innovativeness of malicious black-hat hackers, but the fact is that most attacks use the same old social engineering tricks that have been used in some form for centuries. That's why the greatest vulnerabilities a company faces come from within. You can do everything right with assessment, prevention and monitoring, and a well-crafted social engineering attack can still circumvent it all.
Something as simple as a phishing email that lands in a spam folder can become a full-blown security breach. How does it start? Someone rescues an email from spam and opens an attachment. The RSA breach began this way. The exploit targeted a low-level employee who opened the attachment, and once they were in, the hackers spent months moving laterally and vertically through the organization until they reached their ultimate target. For every zero-day that's found, there is always a tried-and-true delivery mechanism that started it.
We have clients assure us that they have trained their employees on company security policies for opening email attachments and sharing passwords and sensitive information. As a test, we'll send an email, or place a call posing as IT professionals, and ask for passwords. We find that 7 out of 10 employees will give us their passwords. Why? Because they've been trained to be helpful, and if they don't know what to do when faced with a request for information, they will simply comply.
There are also applications where the company doesn't consider that an asset exists, and is therefore less rigorous about preventative security. They think: what's the worst that can happen? When that information leaks, it can do tremendous damage. The Ashley Madison site's private messages may not have seemed like an asset at first, but once hackers had the names of the individuals who sent them, they had the power to blackmail the senders.
In terms of infrastructure, there are numerous issues that create security vulnerabilities. Incorrectly segmenting your network is one. The attack on Target came through its HVAC vendor because the network hadn't been properly segmented. A small HVAC vendor seems inconsequential to a large company like Target, but the vendor's access to Target's network opened the company to a devastating breach. Attacks may be inevitable, but you want to make them at least hard enough that hackers move on to the next company.
IT Security Issues from Within
- Failure to protect asset at stake
- Social engineering
- Lack of employee training regarding computer security policies and practices
- Infrastructure leaking information (smartphones, PCs)
- Unprotected central repository of information
Best IT Security Practices for the Organization
The following are some of the key practices Redhawk employs during engagements and recommends for organizations:
1. File integrity monitoring
These solutions monitor and send alerts when files are damaged or manipulated.
2. Segmented networks
Physically or logically separating hosts using a firewall is a strong control for containing compromised hosts. We also recommend deploying the web server on a DMZ segment and limiting ingress and egress communication to the database in order to minimize the impact if the host is compromised.
3. Upload controls
Building controls that limit administrative and user access to the server minimizes unauthorized access and ensures that arbitrary files can't be pushed to your host.
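The upload control described above is, in code, an allowlist rather than a blocklist: accept only a few known file types, confirm the bytes actually match the declared type, cap the size, discard the client-supplied name, and store the result outside anything the web server will execute. The following is an added illustration, not Redhawk's or Five Talent's code, written in standard-library Python; the allowed types, the 5 MB limit and the sample uploads are constructed for the example.

```python
import os
import secrets
import tempfile

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed limit for this example

# Extension allowlist, each paired with the leading bytes ("magic number") that type must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}


def check_upload(filename, data):
    """Return (True, extension) if the upload is acceptable, otherwise (False, reason)."""
    if not filename or "\x00" in filename:
        return False, "empty filename or embedded NUL"
    # Only a plain base name is allowed: no directory components, traversal, or Windows separators.
    normalized = filename.replace("\\", "/")
    if os.path.basename(normalized) != filename or filename in (".", ".."):
        return False, "path components are not allowed in a filename"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    if "." not in filename:
        return False, "missing extension"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not on the allowlist"
    # The extension alone proves nothing; the content must look like that type too.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not look like a .{ext} file"
    return True, ext


def store_upload(filename, data, storage_dir):
    """Persist an accepted upload under a random server-chosen name, never the client's name."""
    ok, info = check_upload(filename, data)
    if not ok:
        raise ValueError(f"upload rejected: {info}")
    stored_name = f"{secrets.token_hex(16)}.{info}"
    path = os.path.join(storage_dir, stored_name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)  # data only; storage_dir must not be served as executable content
    return stored_name


def demo_store():
    """Constructed run: a valid PNG is stored under a random name; a disguised script is refused."""
    png = b"\x89PNG\r\n\x1a\n" + bytes(32)
    with tempfile.TemporaryDirectory() as storage_dir:
        name = store_upload("logo.png", png, storage_dir)
        stored_ok = os.path.exists(os.path.join(storage_dir, name)) and name.endswith(".png")
        try:
            store_upload("avatar.png", b"<?php echo 1; ?>", storage_dir)
            rejected = False
        except ValueError:
            rejected = True
    return stored_ok, rejected


if __name__ == "__main__":
    print(demo_store())
```

Note that the random stored name is returned to the application, which should keep its own mapping from user-visible names to stored names in a database; nothing the client typed ever becomes part of a path on disk.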
4. Load balancing and geographically dispersed reverse proxies
Depending on the nature of the website, companies should think about implementing Denial of Service (DoS) controls. If DoS is a concern, there are online services that will proxy access and inspect and sanitize traffic before it reaches your website.
5. Password management
We can't emphasize this enough. Strong, complex passwords are critical to Internet security and should be required for all administrative and website user access.
6. Multi-factor authentication
In addition to managing passwords internally, companies should implement multi-factor authentication whenever possible. Even if one portion of the authentication is compromised, the second portion will still block unauthorized access. Multi-factor authentication combines two or more independent credentials: 1) something you know (a password); 2) something you have (a phone or fob); and 3) something you are (a fingerprint).
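Items 5 and 6 above describe two independent factors, and the security argument only holds if the server checks both and stores neither in recoverable form. The following is an added example, not Redhawk's or Five Talent's code, showing in standard-library Python how a login combines a salted PBKDF2 password hash (something you know) with an RFC 6238 time-based one-time code of the kind an authenticator app or hardware token produces (something you have). The PBKDF2 iteration count, the `login` function and the sample credentials are assumptions made for the illustration; the TOTP secret used in the test is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


# --- Factor 1: something you know. Store only a salted, slow hash of the password. ---
def hash_password(password, iterations=PBKDF2_ITERATIONS):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


# --- Factor 2: something you have. RFC 6238 TOTP, as generated by an authenticator app or token. ---
def hotp(secret, counter, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, step=30, window=1):
    """Accept the current code and one step either side to tolerate small clock drift."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def login(stored_hash, totp_secret, password, code, now=None):
    """Both factors are always evaluated; a stolen password or a stolen code alone is not enough."""
    now = time.time() if now is None else now
    password_ok = verify_password(password, stored_hash)
    code_ok = verify_totp(totp_secret, code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    secret = secrets.token_bytes(20)  # per-user secret, provisioned to the user's device once
    stored = hash_password("correct horse battery staple")
    print(login(stored, secret, "correct horse battery staple", totp(secret, time.time())))
```

Two details carry the security value: `verify_password` compares digests in constant time, and `login` evaluates both factors before combining them rather than short-circuiting, so a failed attempt does not reveal which factor was wrong. A production system would additionally rate-limit attempts and record which TOTP counter was last used so a captured code cannot be replayed within its window.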
7. Follow OWASP best practices
Before going live with any application, we recommend that clients review their websites against coding and implementation best practices. OWASP publishes a best-practice checklist that can be found at: OWASP Secure Coding Practices – Quick
8. Perform penetration testing
Before releasing a website to the public, it's important to get an idea of what security flaws may exist. Penetration testing simulates controlled attacks against your organization's website to find weaknesses so they can be remediated before going public. A good penetration test does not just perform vulnerability scanning but actively exercises weaknesses in the system, including code flaws, insufficient database controls, and missing operating system patches, to simulate real-world attacks.
It’s true that the security environment is always changing, and sometimes it can seem like a losing battle. However, when clients, developers, and security professionals follow industry best practices and approach security as an ongoing collaboration, they can do a lot to stay ahead of hackers and keep themselves safe from attacks.