It certainly has been a wild ride thus far for 2013 as we head into the second half. Breaches, hacks, exposures, leaks, along with things like BYOD and SDN should make the next 6 months interesting. From the many headlines in 2012, you'd think organizations would be locked down tight but alas, intruders are still kicking a$$ and taking names...literally.
Media and news organizations, like the New York Times and Wall Street Journal, experienced data breaches due to spear fishing and malware. According to various news articles, certain journalists were targeted based on their story coverage but more interesting to me is the fact that the anti-virus along with the IPS/IDS in place failed to catch the malware. Unless there is a signature in place for a known piece of evil code, that demon will make it's way through.
Financial institutions up to and including the Federal Reserve were breached. While many bank hacks are driven by monetary gain, sometimes they are the targets of political activists. Humans are very passionate about their beliefs and like to express those feelings. There have always been protesters and activists - some write letters, some picket on the sidewalk, some throw rocks and with the advent of the internet, now you can protest by creating digital havoc. Instead of hoping that people boycott a particular entity, you can simply take it out yourself so no one can get to the site.
Social media networks continue to feel the heat from breaches. Many social media sites are now deploying two-factor authentication to help reduce password exposures and increase verification checks. Many news stories have talked about password usage and it's good that two factor is being deployed...but,in many cases, it is only after the bad news hits the media. Why wait?
To help organizations understand the various web threats, OWASP has released their Top 10 for 2013 (with changes from 2010 Edition):
- A1 Injection
- A2 Broken Authentication and Session Management (was formerly 2010-A3)
- A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration (was formerly 2010-A6)
- A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)
- A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)
- A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)
- A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)
- A10 Unvalidated Redirects and Forwards
Along with their Top 10 Mobile Risks:
- M1: Insecure Data Storage
- M2: Weak Server Side Controls
- M3: Insufficient Transport Layer Protection
- M4: Client Side Injection
- M5: Poor Authorization and Authentication
- M6: Improper Session Handling
- M7: Security Decisions Via Untrusted Inputs
- M8: Side Channel Data Leakage
- M9: Broken Cryptography
- M10: Sensitive Information Disclosure
These are guides to help organizations understand the threats but always make sure you understand you own risks and focus on mitigating those first whether they are on the OWASP Top 10 or not. Then make sure you're covered on the rest.
So far, 2013 has been full of breaches that empties an organization's information.
- Following New York Times Breach, Wall Street Journal Says China Hacked It, Too
- US Federal Reserve confirms it was hacked during the Super Bowl
- Does Lax Network Security Lead To Cyber Attacks: 2013’s Top Hacks
- Twitter introduces 'two-factor authentication' to stop password hacking
- Motorola shows off tattoo and swallowable password hardware
- OWASP Top 10 2013 - PDF
- OWASP Mobile Security Project
|Connect with Peter:||Connect with F5:|