POODLE like it’s 1999

1999 was a pretty interesting year for the Internet and security. To jog your memory, here are just a few of the major events from the ultimate (or penultimate, depending on your point of view) year of the last millennium.

  • The Melissa Virus was infecting millions of hosts using malicious e-mails.
  • Both Napster and MySpace made their first public appearances.
  • Internet Explorer 5.0 was released for Windows 3.1, 95 and 98.
  • The TLSv1 specification was published to replace SSLv3 to improve security of Internet communications.

In the 15 years since TLS was introduced it has been widely adopted, but in many ways SSLv3 has hung on. The two specifications are very similar, but not interoperable and applications that implement TLS are often capable of falling back to SSL to support legacy servers. Cryptologists have slowly chipped away at the security of SSL over the last decade, discovering ways to reveal larger and larger pieces of information from encrypted sessions.

This week three Google researchers announced the latest attack on SSLv3 (named POODLE), which may prove to be the deathblow for this protocol. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack allows an attacker who is already in the network path between the client and server to decrypt portions of the SSL session, including HTTP cookie data used for authentication.

As all modern browsers and most servers support TLS, this attack should only apply to a small number of connections, but that is not the case. When most browsers fail to connect using TLS, they assume the server must be expecting SSL and downgrade their connections to the vulnerable protocol.  This means that even two TLS-capable systems can be forced into using SSLv3 by an attacker who controls the network path. That attacker can then decrypt parts of the encrypted channel without the server or client’s knowledge.

The only permanent fix for POODLE is disabling the SSLv3 protocol completely. This can be done either from the server side or the client side depending on the applications. To address this issue, our IPS team issued an emergency update this morning, which contains a signature that alerts on any SSLv3 connection.

Severity ID Attack Name CVE ID
low 36815 SSLv3 Found in Server Response CVE-2014-3566

Hits on this signature do not indicate an attack is underway, but any SSLv3 session should be considered vulnerable to POODLE and potentially compromised.

[Source: Palo Alto Networks Research Center]

How To Become A CISO, Part 1

Think you’re ready for the top job? Here’s part 1 of a series to help you land that prime chief information security officer position.

So you want to be a CISO, huh? Think you’re ready to lead a small band of white knights into battle against a countless, hidden enemy? Ready to play both savior and scapegoat, depending on what the day brings? Ready to beg, borrow, and steal for the resources you need to protect your company?

Yes? OK, then, you’re ready to do the job… but can you get the job? For the next several weeks, we’re dedicating Mondays to helping you find the path to the big job, which won’t be easy to define.

“There’s not a standard path [to the CISO job] like so many other professions,” says Mark Aiello, president of the Boston cyber security staffing firm Cyber360 Solutions. “We can’t even agree on how to spell cyber security.” (Cybersecurity? Cyber-security?)

Even the words “engineer” and “administrator” don’t mean the same thing from company to company. The bad news, then, is that it is hard to know what career steps to take next.

The good news, though, is that the ladder you’re already climbing could lead you to the CISO seat.

Despite the variety of routes to the top, Aiello does identify a few consistent trends:

Most CISOs are hired from outside the company.
Following the perplexing logic that somebody you don’t know must be smarter than somebody you do know, “the vast majority” of organizations look outside their walls for a CISO, Aiello says. However, they will be more likely to hire an insider for the CISO job if it’s a newly created position.

So being in the right place at the right time may help you get that newly minted CISO gig, but beware…

A company’s first CISO has less power than its subsequent CISOs.
“That first CISO tends to not have as many teeth as the second one,” Aiello says. They’re likely to be a step below the true C-suite and report to the chief information officer.

Aiello thinks the CISO should be separate from the rest of the IT organization, because security not only impacts technology. “Security organizations are still relatively small [in size], in comparison to the IT department, but huge in terms of importance.”

Most companies want to hire a CISO who’s already a CISO somewhere else.
This raises a question: How do you get that first CISO job if you can only get one if you already have one? Aiello says you may convince a new employer to take you on if you’ve reached the highest security position at your current company — like director or vice president of security — as long as you have experience within the appropriate industry vertical: finance, healthcare, etc.

CISOs are more likely to come from a technical background.
Though there are people who rise to the security job from outside the IT department — we’ll hear some of their stories in the course of this series — Aiello says that most of today’s CISOs began their careers in an information techology job of some ilk. As the field matures and more IT functions are outsourced, that may change.

A CISSP certification isn’t necessarily required for a CISO.
In order to have climbed the infosecurity ladder high enough to be eligible for the “chief” title, you probably will have needed a CISSP already. However, if you’ve made it this far without one, you probably won’t need one now, says Aiello. A four-year college degree, however, is something a prospective employer will want.

[Is there a cyber security skills shortage? Hear what Mark Aiello and Julie Peeler of ISC(2) said on Dark Reading Radio.]

As the CISO job grows bigger and more important, Aiello says, the key is proactively gathering all the knowledge and experience you can.

“Raise your hand. Volunteer,” he says. If you’ve spent most of your career outside of the nitty-gritty, hard-core IT security world, spend more time learning about the tactical side — the day-to-day tasks of securing a business. If you are from a heavy technical background, learn as much as you can about the business side.

“Understand the problems your technology is there to solve,” he says. “Understand what [the company is] securing and why they’re securing it.”

In the coming weeks, we’ll spin out the origin stories of men and women currently holding the CISO position at a variety of organizations. Come back to Dark Reading next Monday for the first “how I became a CISO” tale.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law — a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

[Source: Dark Reading]

Insider Threats: Breaching The Human Barrier

A company can spend all the money it has on technical solutions to protect the perimeter and still not prevent the attack that comes from within.

Undoubtedly, every InfoSec professional has heard the argument that the perimeter was broken. That was so 1995. The new rage is to break the “human barrier.” You know, those things that run the companies. Increasingly, attackers are using social engineering to target a corporation’s most vulnerable asset: the human. From there attackers hack the systems and completely own the company from the inside out.

A while back, WHMCS, an online banking and bill paying company, was attacked by an outsider with real access credentials pretending to be an insider.  It turns out, the data base administrator for the organization was pretty active on social media. From basic profiling of his public information, attackers were able to garner the answers to his security questions. After a quick phone call and password reset, attackers were able to download 1.1 Gigabytes of credit card numbers and subsequently erased the servers just for kicks. A five-minute phone call opened the window of opportunity for a dox, which turned into total ownership.

That is just an outsider acting as an insider. What about an actual insider that has ill intent towards your company?

According to the “CERT: Common Sense Guide to Prevention and Detection of Insider Threats,” 65% of all IT sabotage attacks are non technical and 84% of all attacks for financial gain were also non-technical. One call, that’s all. If organizations are unable to keep their own data safe, how can we as customers expect them to keep our data safe?

I see this highlighted daily in the work we do for clients. In a single 10-minute phone call to an enterprise chain store, a non-technical employee can provide my team with enough data to execute a virtual attack or onsite impersonation. The one vector that seems to always work is another insider, a fellow employee. Insiders are automatically trusted and automatically given answers to things that an outsider would never get. Therein lies the danger with insider attack. That trust can be exploited, that automatic authentication can be used to compromise.

Now that we’ve talked a bit about the scope of damage from insider threats it’s important for organizations to clearly understand how these threats manifest.AT&T recently disclosed that an employee was able to access and exfiltrate confidential and personal user information including social security and driver’s license numbers of thousands of customers. This is an example of a malicious insider attack, one in which the employees purposefully expose data.

Angry and disgruntled
In situations with malicious insiders, employees are either angry, disgruntled, or rogue. They are either on the way out or have already been fired and still have access to corporate logins. These attackers are extremely dangerous because they already know their way around the network and can easily access copious amounts of information, without raising a brow. While it seems little can be done about this type of insider attack, the 2014 Verizon Data Breach Report indicates that 85% of insider privilege misuse attacks used the corporate LAN. With the implementation and enforcement of access controls, network behavioral analysis, and security awareness training that encourages employees to report suspicious activity, these types of attacks can be limited.

The second type of insider threat stems from accidental data uploads, failure to dispose of documents securely, and complex interactions with unintended consequences. Regardless of how it happens, negligent insider attacks occur when employees accidentally expose data.

A negligent insider can also take the form of a partner or third-party that has been granted access and accidentally exposes data. How many breaches do we read about that were the results of a laptop, USB key, or file thrown away improperly, and that it contained thousands of records of sensitive data? These breaches are not malicious insiders, but an uneducated and thoughtless insider that causes harm to your company and to your clients.

I believe the only way for an organization to be successful in preventing insider attacks is to progress beyond the thought process that IT is responsible for all information security issues. In every case above, user education along with proper technical solutions can help reduce the results of insider threat.

You can start by asking yourself the following questions:

  • Are policies in place?
  • Does legal and senior management support IT practices?
  • Do these type of programs reward employees instead of scare them?
  • Do we conduct regular audits?

While this approach may seem unrealistic at first, I’ve seen first hand how global organizations can reduce the number of malware related incidents and shut down both insider and outsider threat with simple modifications to process and employee awareness. Organizations are only as strong as the weakest link — the humans. And as long as that simple fact remains true, attackers will always go after this low-hanging fruit. Make yourself, your employees, and your company not the easy pickings, and you might just have a chance of not being the next headline on Dark Reading.

Chris Hadnagy has over 16 years’ experience as a practitioner and researcher in the security field. His efforts in training, education, and awareness have helped to expose social engineering as the top threat to the security of organizations today. He established the world’s first social engineering framework at http://www.social-engineer.org/, providing an invaluable repository of information for security professionals and enthusiasts. That site grew into a dynamic web resource including a podcast and newsletter, which have become staples in the security industry and are referenced by large organizations around the world. Chris also created the first hands-on social engineering training course and certification, Advanced Practical Social Engineering, attended by law enforcement, military, and private sector professionals. A sought-after writer and speaker, he has spoken and trained at events such as RSA and Black Hat. He is also the best-selling author of two books: Social Engineering: The Art of Human Hacking and Unmasking the Social Engineer: The Human Element of Security.

[Source: DarkReading]

English
Exit mobile version