Data breaches happen. They happen across all industries, including security services, as witnessed recently with Imperva's Incapsula, and they show no signs of stopping.
Your data, and I stress this is your data, can be classified as Public, Private, and Confidential. Public data is the information that you want to disclose to the world: things that are required for basic services to function, like your address for mail, or pizza. On the other end of the scale is confidential information: information that you wouldn't tell anyone unless it was absolutely critical to the process, like your Social Security Number for taxes. Somewhere in between is Private data. This is information that you don't necessarily tell everyone, but it wouldn't be disastrous if it were known, things like an unpublished phone number.
It should be up to each of us to determine where any particular piece of our data falls. But service providers are requiring more and more of our data, and we all make concessions from time to time. For example, my cable TV provider requires my email address, even though they have yet to email me anything I would want.
So we inevitably share our data with companies: an email here to watch Game of Thrones, an SSL key there to make a cloud WAF service function. And when this data gets breached, the cleanup is left to you.
As a user of these services how do you protect yourself?
Require multi-factor authentication. Insist on it.
If your vendor helpdesk / support line can recover your password for you or tell you what it is, then it is recoverable by anyone who has access to the data (or worse, not encrypted at all). Better password management uses hashes, which only work one way, like dividing by ten but keeping only the remainder. Even if I tell you my hash is 3, you still don't know if my secret number was 3, 13, 23, or 157331763.
But password hashes, no matter how strong, can be cracked. Search for "free password crack"; they even run AdWords campaigns.
With any hashing algorithm there are "collisions", where different strings of characters produce the same hash, which means the bad guys don't even have to recover your actual password; they just need a phrase that generates the same hash. There are massive lists of common passwords and their respective hashes, called rainbow tables, that match phrases up with hashes; if your password hash is in one of those tables, it is certainly already compromised. Even if it is unique, with enough guessing someone will eventually find a phrase that creates that same hash.
Multi-factor authentication solves this problem. Your password, "something you know", is vulnerable to a data breach. But if you also require a token on a physical device, "something you have", you've just made the bad guys' job infinitely harder. Incidentally, the other common factor is "something you are", like a fingerprint or facial recognition.
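The two ideas above, hashes that one lookup table can undo versus hashes that cannot, and a login that also demands "something you have", as an added example written for this post (my code, not the author's). It assumes a tiny constructed COMMON_PASSWORDS list standing in for a public breach list or rainbow table, and uses an RFC 6238 TOTP code computed with the standard library as the second factor; the base32 secret in the demo is the RFC's published test secret.

```python
"""Password storage and a second factor (added example, not from the post).
Shows why one fast, unsalted hash is recoverable from a precomputed table,
why a salted, slow hash is not, and what a two-factor login looks like."""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

# Constructed stand-in for a public list of common passwords (not real data).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "snuffles1995", "letmein"]

# Precomputed "unsalted SHA-256 -> password" table: the shape of a lookup table.
UNSALTED_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """Weak scheme: the same password gives the same hash on every site,
    so one precomputed table answers for all of them."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_table_hit(hash_hex: str) -> Optional[str]:
    """Return the password if this hash is already in the precomputed table."""
    return UNSALTED_TABLE.get(hash_hex)


def store_password(password: str, iterations: int = 200_000) -> Dict[str, object]:
    """Better scheme: random per-user salt plus slow PBKDF2-HMAC-SHA256.
    The salt makes precomputed tables useless; iterations make each guess cost."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record: Dict[str, object], candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def totp_code(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): the 'something you have' factor."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: Optional[int] = None,
                window: int = 1) -> bool:
    """Accept the current code or one step either side, to allow clock drift."""
    now = int(time.time()) if unix_time is None else unix_time
    return any(hmac.compare_digest(totp_code(secret_b32, now + d * 30), code)
               for d in range(-window, window + 1))


def login(record: Dict[str, object], secret_b32: str, password: str, code: str,
          unix_time: Optional[int] = None) -> bool:
    """Both factors must pass: a leaked password alone is not enough."""
    return verify_password(record, password) and verify_totp(secret_b32, code, unix_time)


if __name__ == "__main__":
    leaked = unsalted_hash("snuffles1995")
    print("unsalted hash found in table:", lookup_table_hit(leaked))
    rec = store_password("snuffles1995")
    print("salted hash found in table:", lookup_table_hit(rec["digest"].hex()))
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test secret (base32)
    now = int(time.time())
    print("password + current code:", login(rec, secret, "snuffles1995", totp_code(secret, now)))
```

Two things to notice when running it: calling store_password twice with the same password yields two different records (the salt differs), and login with the right password but a stale code fails just as hard as a wrong password, which is the property the post is after.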
Change your passwords periodically
Once breached, your data can be copied, passed around, and left hanging out in some pretty shady corners of the Internet, forever.
I was going to title this "You should always use different passwords and usernames on each account", but apart from being just too wordy, it's probably the most disregarded advice given. I get it: remembering one password with letters, numbers, and symbols, without using names, dates, or important events, is hard. Keeping 30 of them straight is pretty much impossible. You are going to reuse a password here or there. Most accounts use your email as your username, which is an even more likely candidate for repetition.
So I went with the current title, and my advice is this:
Every now and then, change things up a bit, so that a data breach on a platform you haven't used in years won't compromise the bank account you open next year just because you're still using the password "snuffles1995".
As a service provider how do you protect your users?
Employ a Web Application Firewall (WAF).
Irony aside, a WAF should be your best defense against data breaches. A properly configured WAF will detect and block illegal attempts to access your application and thwart data exfiltration before it can begin.
But be aware, not all WAFs are created equal. WAFs can be built around either the positive or the negative security model. Positive WAFs define what is known good behavior for your application and block anything that deviates from it, whereas negative WAFs define a list of known bad behavior and allow anything else. Because a positive model needs to define the known good behavior, it requires more effort to deploy initially; however, once configured it only needs to be re-tuned if there are significant changes to your application. Negative model firewalls, conversely, are much simpler to install initially, but require constant updates to ensure that the latest malicious signatures are known.
DOSarrest offers its customers a WAF based on a positive security model:
https://www.dosarrest.com/solutions/web-application-firewall-waf
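The positive-versus-negative distinction, as an added example written for this post (my code; not the author's and not DOSarrest's product). It assumes a toy application with three routes and a two-entry signature list, all constructed for the demonstration, and it also shows the re-tuning step a positive model needs when the application ships a new route.

```python
"""Positive- versus negative-model request filtering (added example, not from
the post). A negative model allows anything that matches no known-bad
signature; a positive model allows only declared routes and parameter shapes."""
import re
from typing import Dict, Tuple

Request = Tuple[str, str, Dict[str, str]]  # (method, path, query parameters)

# Negative model: a list of known-bad patterns that must be kept current.
BAD_SIGNATURES = [
    re.compile(r"(?i)<script"),         # inline script tag
    re.compile(r"(?i)union\s+select"),  # well-known SQL keyword pair
]


def negative_model_allows(req: Request) -> bool:
    """Block only what matches a signature; anything new or unlisted passes."""
    method, path, params = req
    haystack = path + " " + " ".join(f"{k}={v}" for k, v in params.items())
    return not any(sig.search(haystack) for sig in BAD_SIGNATURES)


# Positive model: each route lists its allowed methods and the exact parameter
# names it accepts, with a shape for each value. Anything else is blocked.
ALLOWED_ROUTES = {
    "/":        {"methods": {"GET"}, "params": {}},
    "/product": {"methods": {"GET"}, "params": {"id": re.compile(r"[0-9]{1,9}")}},
    "/search":  {"methods": {"GET"}, "params": {"q": re.compile(r"[\w ]{1,64}")}},
}


def positive_model_allows(req: Request, routes=ALLOWED_ROUTES) -> bool:
    """Allow only a declared route, method, parameter set and value shape."""
    method, path, params = req
    route = routes.get(path)
    if route is None or method not in route["methods"]:
        return False
    if set(params) - set(route["params"]):  # an undeclared parameter name
        return False
    return all(route["params"][k].fullmatch(v) is not None for k, v in params.items())


def verdicts(req: Request, routes=ALLOWED_ROUTES) -> Dict[str, bool]:
    """Both models' decisions side by side for one request."""
    return {"negative": negative_model_allows(req),
            "positive": positive_model_allows(req, routes)}


def with_new_route(routes, path: str, methods, params):
    """The re-tuning step a positive model needs when the application changes."""
    updated = dict(routes)
    updated[path] = {"methods": set(methods), "params": dict(params)}
    return updated


if __name__ == "__main__":
    samples = {  # constructed requests
        "normal":      ("GET", "/product", {"id": "42"}),
        "known bad":   ("GET", "/search", {"q": "x<script>"}),
        "novel path":  ("GET", "/internal/export", {"debug": "1"}),
        "extra param": ("GET", "/product", {"id": "42", "debug": "1"}),
        "new feature": ("GET", "/reviews", {"id": "7"}),
    }
    for name, req in samples.items():
        print(f"{name:12} {verdicts(req)}")
    # After the application ships /reviews, the positive model must be re-tuned:
    tuned = with_new_route(ALLOWED_ROUTES, "/reviews", {"GET"},
                           {"id": re.compile(r"[0-9]{1,9}")})
    print("new feature after re-tuning:", verdicts(samples["new feature"], tuned))
```

The "novel path" and "extra param" rows are the point of the post: the negative model passes them because no signature describes them, while the positive model blocks them because nobody declared them. The "new feature" row shows the cost of the positive model: a legitimate new route is blocked until the allowlist is updated.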
Conduct periodic security audits and penetration tests.
“You are only as good as your last audit”. I don’t think that’s really a saying, but it ought to be, so I’m saying it and I hope you will too.
The definition of periodic here depends on how much risk you want to assume; personally, I'm not comfortable with anything less frequent than quarterly, or whenever a new release comes out (which usually happens more often than quarterly). These audits are like colonoscopies: nobody enjoys them, but they can reveal a lot about the health of your systems, and you'd be surprised at the amount of excrement you find.
Foster a culture of security
Do you do obligatory annual security awareness training? If it’s obligatory and annual, it’s not doing much to reinforce the importance of security on a daily basis.
I’m routinely invited to sit in on interviews with other departments where I get to ask a few security related questions. I asked one developer how they wrote secure code, and he responded that security was someone else’s job, he was just a developer. The interview didn’t last much longer.
Security Operations shouldn’t be a separate department isolated away from everyone else. We have members of our SecOps teams working with our developers, our IT and NetOps teams, even our Sales department. Don’t make security something that gets in the way of what you want to do, let security be the reason you get to keep doing the thing you want to do.
Sean Power
Senior Application Security Architect, DOSarrest Internet Security