On Friday morning (October 23rd) I was preparing for my lecture on software vulnerabilities to the final year degree students at the University of Salford when I heard the news of the TalkTalk data breach.
Now this is not about that breach in particular – it is important to wait until the detailed investigation is complete before drawing conclusions. However, that breach provided me with an example of the high level of responsibility now borne by the CISO. Using the story as an example, I asked the students how they would like to explain to the press and 4 million customers that their organization had suffered a data breach. Especially if it was – in the words of the old proverb – “all for the want of a nail”.
So what does this proverb mean in this context? Well the evidence from the many data breach surveys is that the majority of breaches occur because of vulnerabilities that could easily have been avoided. In my lecture I cover many of these: in particular the OWASP Top Ten project and the CWE/SANS 25 most dangerous software errors. Both of these identify SQL Injection as a highly dangerous but easily avoidable vulnerability.
So what is SQL Injection? When a web based application allows the users of the web interface to perform a query using a text field it is vital that the application checks the user’s input into that field.
The need for this check can be explained using an example – imagine that the field allows the user to input the brand name of the products they wish to see. If the application simply includes the text that the user inputs directly into the SQL query there is a danger. It allows a hacker to input text which is not a brand name but is actually a fragment of SQL that would always be logically true. In this case the SQL query would return every record in the database.
Encrypting the database does not help with SQL Injection because the data must have already been decrypted, in the expectation that the system is being used in a legitimate way, in order to perform the query and to provide the results to the application.
The programming effort needed to avoid this kind of vulnerability is very low. All that is usually needed is for the application to scan the content for certain character patterns. Furthermore there is a wide range of tools available that will scan code and exercise the application to detect this as well as other vulnerabilities. So this check is the equivalent of the nail in the old proverb.
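To make the brand-name example and the check concrete, here is an added illustration (my own code, not part of the original post) using Python's built-in sqlite3 module and a constructed in-memory product table. It shows the same query built two ways: by pasting the user's text into the SQL string, which lets an "always true" input return every row, and with a bound parameter, which keeps the input as data. It also includes the kind of input check the post refers to, written as an allowlist of plausible brand-name characters rather than a scan for bad ones; the table contents, function names and the regular expression are all assumptions for the example.

```python
import re
import sqlite3

# Constructed sample catalogue for the example (not data from the post).
PRODUCTS = [
    ("Acme", "Widget"),
    ("Acme", "Gadget"),
    ("Bolt", "Spanner"),
    ("Cog", "Gear"),
]

# Allowlist for a brand-name field: letters, digits, spaces and a few
# punctuation marks. Anything else (quotes, semicolons, comment markers)
# is rejected before it reaches the database.
BRAND_PATTERN = re.compile(r"^[A-Za-z0-9 &.\-]{1,64}$")


def make_db():
    """Create an in-memory database holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (brand TEXT, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def is_plausible_brand(text):
    """The input check the post describes: accept only allowlisted characters."""
    return BRAND_PATTERN.match(text) is not None


def search_vulnerable(conn, brand):
    """Builds the query by string concatenation: the user's text becomes SQL."""
    sql = "SELECT brand, name FROM products WHERE brand = '" + brand + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, brand):
    """Passes the user's text as a bound parameter: it can only ever be data."""
    sql = "SELECT brand, name FROM products WHERE brand = ?"
    return conn.execute(sql, (brand,)).fetchall()


def demo():
    """Run both query styles against a normal input and an always-true input."""
    conn = make_db()
    normal = "Acme"
    # The input the post describes: it closes the string literal and appends
    # a condition that holds for every row in the table.
    always_true = "x' OR '1'='1"
    return {
        "vuln_normal": search_vulnerable(conn, normal),
        "vuln_injected": search_vulnerable(conn, always_true),
        "param_normal": search_parameterized(conn, normal),
        "param_injected": search_parameterized(conn, always_true),
        "check_normal": is_plausible_brand(normal),
        "check_injected": is_plausible_brand(always_true),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The parameterized query is the primary defence: the database driver never interprets the bound value as SQL, so the always-true input simply matches no brand. The allowlist check is a useful second layer for rejecting obviously malformed input early and logging it, but on its own it is fragile, since any pattern it fails to anticipate passes through; the two together are what the post's "nail" amounts to in practice.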
The consequences of a data breach extend well beyond the organization holding the data. If an organization loses its own money that organization and its shareholders bear the consequences. However if the personal details of its customers fall into the wrong hands they will be the ones to suffer. When a family’s payment card is refused in the supermarket on a Friday evening or their life savings are stolen from their bank account this is a personal tragedy not just a business risk.
So the CISO is responsible not only for the security of the organization but also for the stewardship of the data that the organization holds about its customers, partners and suppliers. Taking the simple steps needed to avoid well-known vulnerabilities is the equivalent of the nail in the proverb. Failing to take these can lead to much wider consequences. It will be difficult for a CISO to explain to everyone touched by a data breach why the organization’s stewardship of their data was lacking for the want of a nail.