Last week, CA Technologies announced several new products in its API Management portfolio. The announcement was made during the company's annual CA World event, which took place November 16-20 in Las Vegas. This year, the key topic of the event was the Application Economy, so it is not surprising that API management was a big part of the program. After all, APIs are one of the key technologies driving the "digital transformation", helping companies stay agile and competitive, enable new business models and open up new communication channels with partners and customers.
Whether companies are leveraging APIs to accelerate their internal application development, expose their business competence to new markets or adopt new technologies like software-defined computing infrastructures, they face a lot of complex challenges and have to rely on third-party solutions to manage their APIs. The API Management market, despite its relatively young age, has matured quickly, and CA Technologies has become one of the leading players in it. In fact, just a few months ago KuppingerCole recognized CA as the overall leader in the Leadership Compass on API Security Management.
However, even a broad range of available solutions for publishing, securing, monitoring or monetizing APIs does not change the fact that before a backend service can be exposed as an API, it has to be implemented; that is, a team of skilled software developers is still required to bring your corporate data or intelligence into the API economy. Although quite a number of approaches exist to make the developer's job as easy and efficient as possible (sometimes even eliminating the need for a standalone backend, as with the AWS Lambda service), business users are still unable to participate in this process on their own.
Well, apparently, CA is going to change that. The new CA Live API Creator is a solution that aims to eliminate programming from the process of creating data-driven APIs. For a lot of companies, joining the API economy means unlocking their existing data stores and making their enterprise data available for consumption through standard APIs. For these use cases, CA offers a complete solution to create REST endpoints that expose data from multiple SQL and NoSQL data sources using a declarative data model and a graphical point-and-click interface. By eliminating the need to write code or SQL statements manually, the company claims a tenfold time-to-market improvement and 40 times more concise logic rules. Most importantly, however, business users no longer need to involve software developers: the process seems to be easy and straightforward enough for them to manage on their own.
CA Live API Creator consists of three components:
- Database Explorer, which provides interactive access to enterprise data across SQL and NoSQL data sources directly from a browser. With this tool, users can not only browse and search but also manage this information, and even create "back office apps" with graphical forms for editing data across multiple tables.
- API Creator, the actual tool for creating data-driven APIs using a point-and-click GUI. It provides the means for designing data models, defining logic rules, managing access control and so on, all without the need to write application code or SQL statements. It's worth stressing that it's not a GUI-based code generator: the solution is based on an object model that is deployed directly to the API server.
- The aforementioned API Server is responsible for executing the APIs, event processing and other runtime logic. It connects to the existing data sources and serves client requests to REST-based API endpoints.
Although the product hasn't been released yet (it will become available in December), and although it should be clearly understood that by its nature it is not a universal solution for all possible API use cases, we can already see a lot of potential. The very idea of taking software developers out of the API publishing process is pretty groundbreaking, and if CA delivers on its promise to make the tool easy enough for business people, it will become a valuable addition to the company's already first-class API management portfolio. One caveat applies: the declarative access-control and logic rules defined in the tool are then the only thing standing between an API consumer and the underlying data store, so they deserve the same review and testing as hand-written backend code.
Security is a common concern of organizations adopting cloud services, so it was interesting to hear from end users at the AWS Summit in London on November 17th how some organizations have addressed these concerns.
Financial services is a highly regulated industry with a strong focus on information security. At the event Allan Brearley, Head of Transformation Services at Tesco Bank, described the challenges they faced in exploiting cloud services to innovate and reduce cost while ensuring security and compliance. The approach that Tesco Bank took, which is the one recommended in the KuppingerCole Advisory Note: Selecting your Cloud Provider, is to identify and engage with the key stakeholders. According to Mr Brearley, it is important to adopt a culture of satisfying all of the stakeholders' needs all of the time.
In the UK the government has a cloud-first strategy. Government agencies using cloud services must follow the Cloud Security Principles, first issued by the UK Communications-Electronics Security Group (CESG) in 2014. These describe the need to take a risk-based approach to ensure suitability for purpose. Rob Hart of the UK DVSA (Driver & Vehicle Standards Agency), which is responsible for road safety in the UK, described the DVSA's journey to the adoption of AWS cloud services. Mr Hart explained that the information being migrated to the cloud was classified according to UK government guidelines as "OFFICIAL", which is roughly equivalent to commercially sensitive information or Personally Identifiable Information. The key to success, according to Mr Hart, was to involve the Information Security Architects from the very beginning. This was helped by these architects being in the same office as the DVSA cloud migration team.
AWS has always been very open that responsibility for security is shared between AWS and the customer. AWS publishes its "Shared Responsibility Model", which distinguishes between the aspects of security that AWS is responsible for (security "of" the cloud: the physical facilities, hardware, network and virtualization layer) and those for which the customer is responsible (security "in" the cloud: the guest operating system and its patching, the application software, identity and access management, data encryption and the configuration of network controls such as security groups). Nothing AWS certifies on its side reduces the customer's obligations on theirs.
Over the past months AWS has made several important announcements around the security and compliance aspects of its services. There are too many to cover here, so I have chosen three around compliance and three around security. Firstly, the announcements around compliance include:
- ISO/IEC 27018:2014 – AWS has published a certificate of compliance with this ISO standard which provides a code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
- UK CESG Cloud Security Principles. In April 2015 AWS published a whitepaper to assist organisations using AWS for United Kingdom (UK) OFFICIAL classified workloads in alignment with CESG Cloud Security Principles.
- Security by Design – In October 2015 AWS published a whitepaper describing a four-phase approach for security and compliance at scale across multiple industries. It points to the resources available to AWS customers to build security into their AWS environment, and describes how to validate that controls are operating.
Several new security services were also announced at AWS re:Invent in October. The functionality provided by these services is not unique; however, it is tightly integrated with AWS services and infrastructure. These services therefore provide extra benefits to a customer that is prepared to accept the risk of added lock-in. Three of these are:
- Amazon Inspector – this service, which is in preview, scans applications running on EC2 instances for a wide range of known vulnerabilities. It includes a knowledge base of rules mapped to common security compliance standards (e.g. PCI DSS) as well as up-to-date known vulnerabilities.
- AWS WAF Web Application Firewall – this is a Web Application Firewall that inspects the HTTP requests reaching your web applications (it is not a network-level traffic filter). It helps protect web applications from attack by blocking requests that carry common web exploits such as SQL injection and cross-site scripting. Because the matching is rule-based, the customer still has to define and maintain the rules; a WAF reduces exposure but does not replace fixing the vulnerable code behind it.
- s2n, an open-source implementation of TLS – this is a small TLS implementation created by AWS as an alternative to the commonly used OpenSSL (which contained the "Heartbleed" vulnerability). According to AWS, s2n replaces the roughly 500,000 lines of code in OpenSSL with approximately 6,000 lines of audited code. Note that s2n implements the TLS protocol layer only and still relies on an external libcrypto for the cryptographic primitives, so it reduces the attack surface of the protocol handling rather than replacing all of OpenSSL. The code has been contributed as open source and is available from the s2n GitHub repository.
AWS has taken serious steps to help customers use its cloud services securely and to assure that they remain compliant with laws and industry regulations. The customer experiences presented at the event confirm that AWS's claims around security and compliance hold up in practice. KuppingerCole recommends that customers using AWS services make full use of the security and compliance functions and services provided by AWS.
According to GCHQ, the number of cyber-attacks threatening UK national security has doubled in the past 12 months. How can organizations protect themselves against this growing threat, especially when statistics show that most data breaches are only discovered some time after the attack took place? One important approach is to create a Cyber Defence Centre to implement and coordinate the activities needed to protect against, detect and respond to cyber-attacks.
The Cyber Defence Centre has evolved from the SOC (Security Operations Centre). It supports the processes for enterprise security monitoring, defence, detection and response to cyber-based threats. It exploits Real Time Security Intelligence (RTSI) to detect these threats in real time or near real time, so that action can be taken before damage is done. It uses techniques taken from big data and business intelligence to reduce the massive volume of security event data collected by SIEM to a small number of actionable alarms where there is high confidence that there is a real threat.
A Cyber Defence Centre is not cheap or easy to implement, so most organizations need help with this from an organization with real experience in this area. At a recent briefing IBM described how they have evolved a set of best-practice rules based on their analysis of over 300 SOCs. These best practices include the following.
The first and most important of these rules is to understand the business perspective of what is at risk. It has often been the case that the SOC focused on arcane technical issues rather than on the business risk. The key objective of the Cyber Defence Centre is to protect the organization's business-critical assets. It is vital that what is business-critical is defined by the organization's business leaders rather than by the IT security group.
Many SOCs have evolved from NOCs (Network Operations Centres); however, the NOC is not a good model for cyber defence. The NOC is organized to detect, manage and remediate what are mostly technical failures or natural disasters rather than targeted attacks. Its objective is to improve service uptime and to restore service promptly after a failure. The Cyber Defence Centre, on the other hand, has to deal with the evolving tactics, tools and techniques of intelligent attackers. Its objective is to detect these attacks while at the same time protecting the assets and capturing evidence. The Cyber Defence Centre should assume that the organizational network has already been breached. It should include processes to proactively hunt for attacks in progress rather than passively wait for an alarm to be raised.
The Cyber Defence Centre must adopt a systematized and industrialized operating model. An approach that depends upon individual skills is neither predictable nor scalable. The detection rules and response processes should be designed using the same practices as for software, with proper versioning and change control. The response to a class of problem needs to be worked out together with the rules for how to detect it: when the problem occurs is not a good time to figure out what to do. Measurement is critical: you can only manage what you can measure, and measurement allows you to demonstrate the changing level of threats and the effectiveness of the cyber defence.
Finally, as explained by Martin Kuppinger in his blog post "Your future Security Operations Center (SOC): Not only run by yourself", it is not necessary or even practical to operate all of the cyber defence activities yourself. Enabling this sharing of activities needs a clear model of how the Cyber Defence Centre will be operated. This should cover the organization and the processes as well as the technologies employed. It is essential for deciding what to retain internally and for defining what is outsourced in an effective manner. Once again, an organization will benefit from help to define and build this operational model.
At the current state of the art for cyber defence, managed services are an essential component. This is because of the rapid evolution of threats, which makes it almost impossible for a single organization to keep up to date, and the complexity of the analysis required to distinguish real attacks from benign activity. This up-to-date knowledge needs to be delivered as part of the Cyber Defence Centre solution.
KuppingerCole Advisory Note: Real Time Security Intelligence provides an in-depth look at this subject.
Microsoft and Secure Islands today announced that Microsoft is to acquire Secure Islands. Secure Islands is a provider of automated classification for documents and further technologies for protecting information. The company already has tight integration with Microsoft's Azure Rights Management Services (RMS), a leading-edge solution for Secure Information Sharing.
After completing the acquisition, Microsoft plans full integration of Secure Islands' technology into Azure RMS, which will further enhance the capabilities of the Microsoft product, in particular by enabling interception of data transfers from various sources on-premises and in the cloud, and by automated and, if required, manual classification.
Today's announcement confirms Microsoft's focus and investment in the Secure Information Sharing market, with protecting information at the information source (e.g. the document) itself being one of the essential elements of any Information Security strategy. Protecting what really needs to be protected, the information itself, is obviously (if done right) the best strategy for Information Security, in contrast to indirect approaches such as server security or network security.
By integrating Secure Islands' capabilities directly into Microsoft Azure RMS, Microsoft now can deliver an even more comprehensive solution to its customers. Furthermore, Microsoft continues working with its Azure RMS partner ecosystem in providing additional capabilities to its customers.
There is no doubt that organizations need both a plan for what happens in case of security incidents and a way to identify such incidents. For organizations that either have high security requirements or are sufficiently large, the standard way of identifying such incidents is setting up a Security Operations Center (SOC).
However, setting up a SOC is not that easy. There are a number of challenges. The three major ones (aside from funding) are:
- People
- Integration & Processes
- Technology
The list is, from our analysis, ordered according to the complexity of the challenges. Clearly the biggest challenge as of today is finding the right people. Security experts are rare, and they are expensive. Furthermore, for running a SOC you not only need subject matter experts for network security, SAP security and other areas of security. In these days of a growing number of advanced attacks, you will need people who understand the correlation of events at various levels and in various systems. These are even more difficult to find.
The second challenge is integration. A SOC does not operate independently from the rest of your organization. There is a need for technical integration into Incident Management, IT GRC and other systems such as Operations Management for automated reactions to known incidents. Incidents must be handled efficiently and in a defined way. Beyond the technical integration, there is a need for well thought-out processes for incident and crisis management or, as it is commonly named, Breach & Incident Response.
The third area is technology. Such technology must be adequate for today's challenges. Traditional SIEM (Security Information and Event Management) isn't sufficient anymore. SIEM solutions might complement other solutions, but there needs to be a strong focus on analytics and anomaly detection. From our perspective, the overarching trend goes towards what we call RTSI, Real Time Security Intelligence. RTSI is more than just a tool; it is a combination of advanced analytical capabilities and managed services.
We see a growing demand for these solutions; I'd rather say that customers are eagerly awaiting vendors delivering mature RTSI solutions, including comprehensive managed services. There is more demand than supply today. Time for the vendors to act, and time for customers to move to the next level of SOC, well beyond SIEM.
With the ever-growing number of new security threats and the continued deterioration of traditional security perimeters, demand for new security analytics tools that can detect those threats in real time is growing rapidly. Real-Time Security Intelligence solutions are going to redefine the way existing SIEM tools work and finally provide organizations with clearly ranked actionable items and highly automated remediation workflows.
Various market analysts predict that security analytics solutions will grow into a multibillion market within the next five years. Many vendors, big and small, are now rushing to bring their products to this market in anticipation of its potential. However, the market is still far from reaching maturity. First, the underlying technologies have not themselves reached full maturity, with areas like machine learning and threat intelligence still under constant development. Second, very few vendors possess enough intellectual property or resources to integrate all these technologies into a single universal solution.
In a sense, the RTSI segment is the frontier of the overall market for information security solutions. When selecting the tools most appropriate for their requirements, customers thus have to be especially careful and should not take vendors' claims for granted. Support for different data sources, the scope of anomaly detection and usability in general may vary significantly.
Although we should expect that in a few years the market will settle and the broad range of products with various scopes of functionality available today will eventually converge to a reasonable number, today we are still far from that. While some vendors opt for evolutionary development of their existing products, others opt for strategic acquisitions. At the same time, smaller companies or even startups are bringing their niche products to the market, aiming at customers looking for point solutions for their most critical problems. The resulting multitude of solutions makes them quite difficult to compare and even harder to predict in which direction the market will evolve. We can however name a few notable vendors from different strata of the RTSI market to at least give you an idea where to start looking.
First, large vendors currently offering "traditional" SIEM solutions are obviously interested in bringing their products up to date with the latest technological developments. This includes IBM Security with their QRadar SIEM and Guardium products with significantly improved analytics capabilities, the RSA Security Analytics platform, NetIQ Sentinel, or smaller vendors like Securonix or LogRhythm.
Another class of vendors are companies coming from the field of cybersecurity. Their products focus more on the detection and prevention of external and internal threats, and by integrating big data analytics and their own or third-party sources of threat intelligence they naturally evolve into RTSI solutions that are leaner and easier to deploy than traditional SIEMs and are targeted at smaller organizations. Notable examples here are CyberArk with Privileged Threat Analytics as part of its Privileged Account Security solution, Hexis Cyber Solutions with its HawkEye G and AP analytics platforms, or AlienVault with its Unified Security Management offering. Another important, yet much less represented, aspect of security intelligence is user behavior analytics, with vendors like BalaBit, whose Blindspotter tool was recently added to its portfolio, or Gurucul, which provides a number of specialized analytics solutions in that area.
Besides the bigger vendors, there are numerous startups with products that usually concentrate on a single source of analytics information, such as network traffic analysis, endpoint security or mobile security analytics. Their solutions are usually targeted at small and medium businesses and, although limited in functional scope, rely more on ease of deployment, simplicity of the user interface and quality of support to win potential customers. For small companies without sufficient security budgets or expert teams, these products can be a blessing, because they quickly address their most critical security problems. To name just a few vendors here: Seculert with its cloud-based analytics platform, Cybereason with an unorthodox approach to endpoint security analytics, Cynet with its rapidly deployed integrated solution, Logtrust with a focus on log analysis, or Fortscale with a cloud-based solution for detecting malicious users.
Surely, such a large number of different solutions makes the RTSI market quite difficult to analyze and predict. On the other hand, almost any company will probably be able to find a product tailored specifically to its requirements. It's vital, however, that they look for complete solutions with managed services and quality support, not just for another set of tools.
Organizations depend upon their IT systems and the information these provide in order to operate and grow. However, the information these systems contain and the infrastructure upon which they depend are under attack. Statistics show that most data breaches are detected by parties outside the organization rather than by its internal security tools. Real Time Security Intelligence (RTSI) seeks to remedy this.
Unfortunately, many organizations fail to take simple measures to protect against known weaknesses in infrastructure and applications. However, even those organizations that have taken these measures are subject to attack. The preferred technique of attackers is increasingly one of stealth: the attacker wants to gain access to the target organization's systems and data without being noticed. The more time the attacker has undetected access, the more opportunity there is to steal data or cause damage.
Traditional perimeter security devices like firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) are widely deployed. These tools are effective at blocking certain classes of attack. They also generate alerts when suspicious events occur; however, the volume of events is such that it is almost impossible to investigate each as it occurs. While these devices remain an essential part of the defence, for the agile business using cloud services, with mobile users and connecting directly to customers and partners, there is no single perimeter and they are not sufficient.
SIEM (Security Information and Event Management) was promoted as a solution to these problems. In reality, however, SIEM is a set of tools that can be configured and used to analyse event data after the fact and to produce reports for auditing and compliance purposes. While it is a core security technology, it has not been successful at providing actionable security intelligence in real time.
This has led to the emergence of a new technology, Real Time Security Intelligence (RTSI). It is intended to detect threats in real time or near real time so that action can be taken before damage is done. It uses techniques taken from big data and business intelligence to reduce the massive volume of security event data collected by SIEM to a small number of actionable alarms where there is high confidence that there is a real threat.
At the current state of the art for RTSI, managed services are an essential component. This is because of the rapid evolution of threats, which makes it almost impossible for a single organization to keep up to date, and the complexity of the analysis required to distinguish real attacks from benign activity. This up-to-date knowledge needs to be delivered as part of the RTSI solution.
The volume of threats to IT systems, their potential impact and the difficulty of detecting them are the reasons why real time security intelligence has become important. However, RTSI technology is at an early stage, and the problem of calibrating what counts as normal activity still requires considerable skill: a baseline learned from a period that already includes attacker activity will treat that activity as normal. It is important to look for a solution that can easily build on the knowledge and experience of the IT security community, vendors and service providers. End-user organizations should always opt for solutions that include managed services and pre-configured analytics, not just for tools.
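Both the Cyber Defence Centre post earlier on this page and the RTSI passage here describe the same thing: take the flood of SIEM events and boil it down to a few alarms with high confidence. The following Python script is an added example of the kind of correlation that does this; it is not code from any product or vendor named on this page. It reads constructed login events (not real logs), learns a per-user baseline from a training period, and afterwards raises an alarm only when several weak signals (new country, new source network, unusual hour, a burst of failures followed by a success, or two countries within two hours) add up past a threshold. The event format, the weights and the threshold are assumptions chosen for the illustration. Events that do not alarm update the baseline; events that do alarm deliberately do not, so an attacker's login cannot teach the system that it is normal.

```python
"""Toy correlation engine: reduce a stream of login events to a few
high-confidence alarms by adding up several weak per-user signals.
Added example; not code from any product named on this page."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event format is an assumption for this example, not any vendor's log format.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) "
                     r"geo=(?P<geo>[A-Z]{2}) result=(?P<result>success|failure)$")
# Weights and threshold are illustrative; in practice they are tuned per site.
WEIGHTS = {"new_geo": 0.35, "new_prefix": 0.2, "off_hours": 0.15,
           "failures_then_success": 0.5, "impossible_travel": 0.7}
ALARM_THRESHOLD = 0.7
FAILURE_WINDOW = timedelta(minutes=10)   # failures counted before a success
TRAVEL_WINDOW = timedelta(hours=2)       # two countries inside this = travel alarm
BASELINE_UNTIL = datetime(2015, 11, 9)   # events before this only train profiles

class Profile:
    """What 'normal' looks like for one user, learned from benign logins."""
    def __init__(self):
        self.geos, self.prefixes, self.hours = set(), set(), set()
        self.last_success = None   # (timestamp, geo) of the last accepted login
        self.failures = deque()    # timestamps of recent failed logins

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    ev["prefix"] = ".".join(ev["ip"].split(".")[:3])   # /24 is enough for a toy
    return ev

def learn(ev, p):
    p.geos.add(ev["geo"]); p.prefixes.add(ev["prefix"]); p.hours.add(ev["ts"].hour)
    p.last_success = (ev["ts"], ev["geo"])

def score(ev, p):
    """Score one successful login against the user's profile."""
    sig = []
    if p.geos and ev["geo"] not in p.geos:
        sig.append("new_geo")
    if p.prefixes and ev["prefix"] not in p.prefixes:
        sig.append("new_prefix")
    if p.hours and ev["ts"].hour not in p.hours:
        sig.append("off_hours")
    while p.failures and p.failures[0] < ev["ts"] - FAILURE_WINDOW:
        p.failures.popleft()
    if len(p.failures) >= 5:
        sig.append("failures_then_success")
    if p.last_success:
        last_ts, last_geo = p.last_success
        if last_geo != ev["geo"] and ev["ts"] - last_ts < TRAVEL_WINDOW:
            sig.append("impossible_travel")
    return round(sum(WEIGHTS[s] for s in sig), 2), sig

def correlate(lines, baseline_until=BASELINE_UNTIL):
    """Return (events_seen, alarms). Only events that do NOT alarm update a
    profile, so an attacker's login cannot teach the system it is normal."""
    profiles, alarms, seen = defaultdict(Profile), [], 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        seen += 1
        p = profiles[ev["user"]]
        if ev["result"] == "failure":
            p.failures.append(ev["ts"])   # evidence, never part of the baseline
            continue
        if ev["ts"] < baseline_until:
            learn(ev, p)
            continue
        s, sig = score(ev, p)
        if s >= ALARM_THRESHOLD:
            alarms.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                           "src": ev["ip"], "score": s, "signals": sig})
        else:
            learn(ev, p)
    return seen, alarms

# Constructed sample events (not real logs): one day of office logins to train
# on, then a day with a trip abroad, an off-hours login and a brute force.
SAMPLE_LOG = """\
2015-11-02T08:03:11 user=alice src=10.1.4.22 geo=DE result=success
2015-11-02T09:01:40 user=carol src=10.1.6.3 geo=DE result=success
2015-11-02T09:12:05 user=bob src=10.1.5.9 geo=DE result=success
2015-11-02T10:15:00 user=carol src=10.1.6.3 geo=DE result=success
2015-11-02T12:30:22 user=bob src=10.1.5.9 geo=DE result=success
2015-11-02T13:02:48 user=alice src=10.1.4.22 geo=DE result=success
2015-11-09T08:10:02 user=alice src=10.1.4.22 geo=DE result=success
2015-11-09T09:00:45 user=carol src=198.51.100.4 geo=US result=success
2015-11-09T09:02:19 user=bob src=10.1.5.9 geo=DE result=success
2015-11-09T10:30:08 user=carol src=10.1.6.3 geo=DE result=success
2015-11-09T13:00:56 user=alice src=10.1.4.22 geo=DE result=success
2015-11-09T18:30:41 user=bob src=10.1.5.9 geo=DE result=success
2015-11-09T22:10:03 user=alice src=203.0.113.7 geo=RO result=failure
2015-11-09T22:10:41 user=alice src=203.0.113.7 geo=RO result=failure
2015-11-09T22:11:20 user=alice src=203.0.113.7 geo=RO result=failure
2015-11-09T22:12:02 user=alice src=203.0.113.7 geo=RO result=failure
2015-11-09T22:12:44 user=alice src=203.0.113.7 geo=RO result=failure
2015-11-09T22:13:29 user=alice src=203.0.113.7 geo=RO result=failure
2015-11-09T22:14:05 user=alice src=203.0.113.7 geo=RO result=success
"""

if __name__ == "__main__":
    seen, alarms = correlate(SAMPLE_LOG.splitlines())
    print(f"{seen} events -> {len(alarms)} alarms")
    for a in alarms:
        print(a)
```

Run as a script, it reduces 19 events to two alarms: one for carol's login from Germany 90 minutes after a login from the US, and one for alice's success after six failures from an unknown network outside office hours. The single-signal events (bob's off-hours login from his usual desk, carol's one login from abroad) score below the threshold, which is the point: an alarm that needs several independent signals is far rarer than a rule on any one of them. What the toy does not solve is exactly what the text calls out: the baseline period itself has to be clean, and the weights have to be tuned for each environment.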
KuppingerCole Advisory Note: Real Time Security Intelligence - 71033 provides an in depth look at this subject.
Do you use mTANs (mobile transaction authentication numbers) for online banking? Have you checked your bank account balance lately? Well, what happened to Deutsche Telekom customers recently has happened to others before and is likely to happen again elsewhere if online banking customers and providers don't follow even the most basic rules of IT security.
IT protection measures are smart; unfortunately, the attackers are often smarter these days: several customers of Deutsche Telekom's mobile offering became victims of a cunning series of frauds while banking online. The German newspaper "Süddeutsche Zeitung" reported on this in detail. What led to the criminals' success was their clever acting. The whole scam reminded me somewhat of the old television series Mission Impossible, only that this time the protagonists were criminals. First, the robbers hacked the bank clients' computers and installed malware, presumably via e-mail, that sent the online banking account numbers and passwords over the net without the PC owners' knowledge. But that wasn't all: the hackers also went through their victims' e-mails looking for their online phone bills. Thus they were, according to an article in "Die Welt", also provided with customer IDs. At the same time, the thieves found or spied out the mobile phone numbers of their victims, clients of various banks who all happened to have mobile phone contracts with Deutsche Telekom.
With this information in hand, the fraudsters contacted Deutsche Telekom and pretended to be authorized dealers ("Telekom Shop") who needed to activate a substitute SIM card for the mobile number of "their" customer because the original one had been lost or stolen. They had more or less no problem getting the new cards. Now they were able to receive every text message meant for the original customer, including the mTANs. Bingo! The fraudsters could now operate their target's full bank account with all rights and privileges. Transfer in progress.
This sly method might raise an amazed laugh if it weren't so seriously bad. In dozens of cases the crooks withdrew five-digit amounts, in one known case 30,000 Euro; the whole "take" is estimated to be more than a million Euro. There might still be other victims, but these haven't been detected so far. Deutsche Telekom at least seems convinced that the method won't work anymore in the future and that it has found safer ways to identify its retailers. But are they prepared for all the other hard-to-imagine methods of the future? I doubt it. After earlier mTAN hacks, providers had already made it generally more difficult to get a second SIM card: customers have either to show their passports or give a password over the phone. But if it's not Deutsche Telekom, there are other telco providers who might be tricked in the future.
Fitting security concept necessary
Where security-relevant elements like SIM cards play a vital part, a fitting security concept is absolutely necessary. The whole process and supply chain from ordering to delivery has to be adapted accordingly. However, there are so far no easy solutions available for online banking with mTANs that is both secure and comfortable. Risk-based authentication/authorization might help banks a bit to recognize unusual user behaviour and request further credentials, but this is also quite limited: where there are many smaller transactions, unusual behaviour easily goes unnoticed unless the bank also looks at the aggregate over time rather than at each transaction on its own.
The challenges start with digital certificates and the question of how to get them securely from the Certificate Authority to the rightful addressee. Personal handover of, e.g., a smart card would be perfect. So would, on another level, the PostIdent procedure, where one has to appear in person at the post office with an ID card before being able to use online banking. However, such processes require a bigger effort on the user's side and they also take longer. This collides with the business models of the providers and with the wishes and demands of their customers, such as quickly and comfortably getting a substitute SIM. In the end, it all comes down to balancing security needs against the demands of both customers and providers. Multi-layer security, identifying the SIM card plus the device on which the transaction is going to take place, makes mobile banking initially more inconvenient, but there is still the possibility of installing further controls to reduce the risks. Binding the confirmation to a registered device rather than to the phone number is what stops a SIM swap alone from being sufficient: the attacker's new SIM does not carry the device's key.
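As an added illustration of the risk-based authorization mentioned above (this is example code, not a bank's or Deutsche Telekom's), the following Python fragment scores a transfer from three per-transaction signals (new beneficiary, amount far above the account's typical amount, and a SIM change reported shortly before the transfer) plus one aggregate signal: the total sent to new beneficiaries in the last 24 hours. The SIM-change timestamp assumes the bank can obtain it from the mobile operator, which is an assumption made for this example; the thresholds are illustrative and the account history is constructed. The aggregate rule goes beyond the text: it is what closes the gap the text describes, where a theft split into many small transfers slips under any per-transaction check.

```python
"""Toy risk-based authorization for online transfers. Added example, not a
bank's or operator's code. Thresholds, the SIM-change feed and all account
data are assumptions constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

NEW_BENEFICIARY_AGE = timedelta(days=7)   # a payee counts as "new" for a week
VELOCITY_WINDOW = timedelta(hours=24)     # window for the aggregate check
SIM_CHANGE_COOLDOWN = timedelta(days=3)   # SMS is suspect right after a SIM swap
STEP_UP_THRESHOLD = 0.5

@dataclass
class Transfer:
    ts: datetime
    amount: float
    beneficiary: str                      # constructed token, not a real IBAN

@dataclass
class Account:
    history: list = field(default_factory=list)      # accepted transfers
    first_seen: dict = field(default_factory=dict)   # beneficiary -> first use
    sim_changed_at: datetime = None                  # hypothetical operator feed

def is_new(acct, beneficiary, at):
    seen = acct.first_seen.get(beneficiary)
    return seen is None or at - seen < NEW_BENEFICIARY_AGE

def assess(acct, t):
    """Return (score, reasons) for a transfer that has not been accepted yet."""
    score, reasons = 0.0, []
    typical = median(x.amount for x in acct.history) if acct.history else 0.0
    new_payee = is_new(acct, t.beneficiary, t.ts)
    if new_payee:
        score += 0.2
        reasons.append("new_beneficiary")
    if typical and t.amount >= 10 * typical:
        score += 0.4
        reasons.append("amount_10x_typical")
    if acct.sim_changed_at and t.ts - acct.sim_changed_at < SIM_CHANGE_COOLDOWN:
        score += 0.4
        reasons.append("recent_sim_change")
    # Aggregate rule: everything already sent to new payees in the last 24h,
    # plus this transfer. This is what catches a theft split into small pieces.
    window_total = sum(x.amount for x in acct.history
                       if t.ts - x.ts <= VELOCITY_WINDOW
                       and is_new(acct, x.beneficiary, x.ts))
    if new_payee:
        window_total += t.amount
    if typical and window_total >= 10 * typical:
        score += 0.4
        reasons.append("24h_total_to_new_payees")
    return round(score, 2), reasons

def decide(acct, t):
    """Return (decision, score, reasons). 'step_up' means: confirm out of band,
    over a channel that does not depend on the SIM card."""
    score, reasons = assess(acct, t)
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow"), score, reasons

def record(acct, t):
    """Accept a transfer into the account history."""
    acct.first_seen.setdefault(t.beneficiary, t.ts)
    acct.history.append(t)

def constructed_account(sim_changed_at=None):
    """Six months of ordinary activity: weekly shopping, monthly rent (constructed)."""
    acct = Account(sim_changed_at=sim_changed_at)
    start = datetime(2015, 5, 4)
    for week in range(26):
        ts = start + timedelta(weeks=week)
        record(acct, Transfer(ts, 60.0, "SHOP-0001"))
        if week % 4 == 0:
            record(acct, Transfer(ts, 850.0, "RENT-0001"))
    return acct

def scenario_single_large():
    """One 30,000 Euro transfer to a new payee two days after a SIM swap."""
    acct = constructed_account(sim_changed_at=datetime(2015, 11, 8, 11, 0))
    return decide(acct, Transfer(datetime(2015, 11, 9, 22, 30), 30000.0, "MULE-0001"))

def scenario_split():
    """The same theft split into 500 Euro pieces, with no SIM-change feed."""
    acct = constructed_account()
    first = Transfer(datetime(2015, 11, 9, 22, 30), 500.0, "MULE-0002")
    outcome = [decide(acct, first)]
    record(acct, first)                   # the first piece got through
    second = Transfer(datetime(2015, 11, 9, 22, 40), 500.0, "MULE-0002")
    outcome.append(decide(acct, second))
    return outcome

if __name__ == "__main__":
    print("single large transfer:", scenario_single_large())
    for step, result in enumerate(scenario_split(), 1):
        print(f"split transfer {step}:", result)
```

scenario_single_large() shows the single 30,000 Euro transfer being sent for step-up on every signal at once. scenario_split() shows the gap the text describes: the first 500 Euro transfer to the mule account is allowed on per-transaction signals alone, and only the 24-hour aggregate stops the second one. The step-up itself must not be another SMS to the same number: after a SIM swap that channel belongs to the attacker.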
Since it has become a lucrative global industry for criminals, they put a lot of effort into breaking into the (up to the present day) seemingly most secure infrastructures. Potential victims, vendors of "things and services" as well as end consumers, should put the same effort into preventing this. At the very least, everyone should take care of state-of-the-art malware protection as well as regular (automatic) software updates and patches. Keep yourself informed: several non-profit websites provide useful information about cyber threats like phishing, e.g. this one. It cannot be said often enough that there is no one hundred percent security, but for your own sake you had better try to come close. It's worth it.
Sometimes, when you sit together in meetings during brainstorming and discussions, the funniest ideas come up. This is what happened during a meeting of our KuppingerCole team in May. We discussed new ways to attract customers to the KuppingerCole research area and the events on our website. The result was the KuppingerCole "Red Letter Day": one special day during the year for our customers, followers and interested persons when all research documents can be downloaded free of charge for 24 hours. Additionally, visitors have the opportunity to win a ticket to the next European Identity & Cloud (EIC) Conference.
After several months of preparation we decided to choose October 15, 2015 as the KC Red Letter Day. We sent out marketing mailings and posts on our social media channels to promote this special day.
Quicker than we could think about it, the day, the KC Red Letter Day, arrived. At first everything seemed to be like any other day, but when we checked the download numbers of the research documents on our website we could not believe our eyes: it was 10:30am and more than 1,300 documents had already been downloaded!
Once the 24 hours were over, the number of downloads from our website had reached 3,666. Besides the number of new customers that registered on our website, it was very interesting to look at the themes of the top 10 documents that had been downloaded.
Out of 423 different research notes that were downloaded at least once, the following documents were the top 10 downloads of the Red Letter Day:
- Leadership Compass: API Security Management - 70958
- Advisory Note: Identity Information Quality - 70996
- Leadership Compass: IAM/IAG Suites - 71105
- Executive View: ForgeRock OpenAM - 71405
- Advisory Note: Eight Fundamentals for Digital Risk Mitigation in the Age of Transformation - 71302
- Leadership Brief: How to Justify your IAM Investments - 71410
- Advisory Note: Top Cyber Threats - 71032
- Leadership Compass: Secure Information Sharing - 72014
- Executive View: VMware Identity Manager - 71454
- Advisory Note: Information Security Predictions and Recommendations 2015 and beyond - 71045
By the way, the actual all-time favorite of our research documents is the Advisory Note Life Management Platforms: Control and Privacy for Personal Data – 70608.
248 different videos and podcasts were watched at least once during the Red Letter Day. The Common Symptoms of IAM & IAG Diseases, Dynamic Attribute-Based Authorization, Connected Identity, Authorization Management and Cybersecurity were among the top 10 video themes of the day.
For all those who missed the Red Letter Day there is still good news: it was not the only chance to get free access to KuppingerCole research. Take a look at our free blog posts, podcasts, monthly analyst's view newsletter and webinars, as well as selected free research documents and surveys, to get the latest information and advisory. Furthermore, you have the opportunity to register for KuppingerCole Select Access, which provides you with free 30-day access to a great selection of KuppingerCole research materials and to live training sessions.
Don't forget to sign up for our newsletters and follow us on our social media channels to keep up to date and join the discussions on hot topics in the field of information security.
On Friday morning (October 23rd) I was preparing for my lecture on software vulnerabilities to the final year degree students at the University of Salford when I heard the news of the TalkTalk data breach.
Now this is not about that breach in particular – it is important to wait until the detailed investigation is complete before drawing conclusions. However, that breach provided me with an example of the high level of responsibility now borne by the CISO. Using the story as an example, I asked the students how they would like to explain to the press and 4 million customers that their organization had suffered a data breach, especially if it was, in the words of the old proverb, "all for the want of a nail".
So what does this proverb mean in this context? Well the evidence from the many data breach surveys is that the majority of breaches occur because of vulnerabilities that could easily have been avoided. In my lecture I cover many of these: in particular the OWASP Top Ten project and the CWE/SANS 25 most dangerous software errors. Both of these identify SQL Injection as a highly dangerous but easily avoidable vulnerability.
So what is SQL Injection? When a web-based application allows users of the web interface to perform a query using a text field, it is vital that the application checks the user's input into that field.
The need for this check can be explained using an example: imagine that the field allows the user to input the brand name of the products they wish to see. If the application simply includes the text the user inputs directly into the SQL query, there is a danger. It allows an attacker to input text which is not a brand name but is actually a fragment of SQL that would always be logically true. In this case the SQL query would return every record in the database.
Encrypting the database does not help with SQL Injection because the data must have already been decrypted, in the expectation that the system is being used in a legitimate way, in order to perform the query and to provide the results to the application.
The programming effort needed to avoid this kind of vulnerability is very low. All that is usually needed is for the application to scan the content for certain character patterns. Furthermore, there is a wide range of tools available that will scan code and exercise the application to detect this as well as other vulnerabilities. So this check is the equivalent of the nail in the old proverb.
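To make the brand-name example concrete, here is an added illustration that is not part of the original post and not code from any of the systems it mentions. It builds a constructed in-memory product table, shows the vulnerable pattern (user text pasted straight into the SQL string) beside a hardened version that passes the value as a bound parameter, and adds the kind of input check the post refers to as a logging signal. All table and brand names are made up for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration (not from any real system).
PRODUCTS = [
    ("Acme", "Widget"),
    ("Acme", "Gadget"),
    ("Globex", "Sprocket"),
    ("Initech", "Stapler"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory products table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (brand TEXT, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    conn.commit()
    return conn


def query_vulnerable(conn: sqlite3.Connection, brand: str) -> list:
    """The pattern the post warns about: the user's text becomes part of the SQL itself.

    A value that closes the quote and appends an always-true condition turns the
    WHERE clause into a tautology, so every row comes back.
    """
    sql = "SELECT brand, name FROM products WHERE brand = '" + brand + "'"
    return conn.execute(sql).fetchall()


def query_parameterized(conn: sqlite3.Connection, brand: str) -> list:
    """Hardened form: the value is bound as a parameter and never parsed as SQL.

    Whatever the user types is compared literally against the brand column.
    """
    sql = "SELECT brand, name FROM products WHERE brand = ?"
    return conn.execute(sql, (brand,)).fetchall()


# A simple version of the "scan for certain character patterns" check the post
# mentions. Here it is used only to flag input for logging/review; the query
# above stays safe through parameter binding regardless of what this returns.
SUSPICIOUS = re.compile(r"""['";]|--|/\*|\b(or|and|union|select)\b""", re.IGNORECASE)


def looks_suspicious(user_input: str) -> bool:
    """Return True when the input contains quote, comment or SQL keyword patterns."""
    return SUSPICIOUS.search(user_input) is not None


def demo() -> dict:
    """Run both query styles on an honest value and on a tautology input."""
    conn = make_db()
    honest = "Acme"
    tautology = "' OR '1'='1"  # the "always logically true" input described above
    return {
        "vuln_honest": len(query_vulnerable(conn, honest)),
        "vuln_tautology": len(query_vulnerable(conn, tautology)),
        "param_honest": len(query_parameterized(conn, honest)),
        "param_tautology": len(query_parameterized(conn, tautology)),
        "flag_honest": looks_suspicious(honest),
        "flag_tautology": looks_suspicious(tautology),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function returns all four constructed rows for the tautology input, while the parameterized one returns none, because the same text is treated as a literal brand that does not exist. The pattern check is kept separate on purpose: it is useful as a detection signal in logs, but the fix that removes the vulnerability is the parameter binding, which does not depend on recognising every possible malicious pattern.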
The consequences of a data breach extend well beyond the organization holding the data. If an organization loses its own money, that organization and its shareholders bear the consequences. However, if the personal details of its customers fall into the wrong hands, the customers will be the ones to suffer. When a family's payment card is refused in the supermarket on a Friday evening, or their life savings are stolen from their bank account, this is a personal tragedy, not just a business risk.
So the CISO is responsible not only for the security of the organization but also for the stewardship of the data that the organization holds about its customers, partners and suppliers. Taking the simple steps needed to avoid well-known vulnerabilities is the equivalent of the nail in the proverb. Failing to take these can lead to much wider consequences. It will be difficult for a CISO to explain to everyone touched by a data breach why the organization’s stewardship of their data was lacking for the want of a nail.