Safeguarding Business and Government

Common Attacks and the Uncommon Defense - Protecting Confidential and Sensitive Personal Information

Verizon Business produces a very good annual report which summarizes the findings from data breach investigations performed by Verizon and the United States Secret Service. While there are many different ways a data breach can occur, the study confirms the widely accepted belief that an overwhelming majority are the result of outsiders using hacking and malware. Most records are breached through SQL injection attacks, followed by malware delivered through web browsing and USB flash drives. Common defenses, such as firewalls, intrusion detection sensors, web filters, spam blockers and traditional anti-virus, provide inadequate protection against these threats.

The following action plans identify the steps that you can take to shore up your defenses, many for little or no cost.

SQL Injection Defense - Action Plan

  1. Find out where your weaknesses are.
    1. Make a list of your applications that are Internet-facing and use database credentials that allow them to access Sensitive Personal Information (SPI).
    2. Use security professionals to perform penetration tests against these applications.
    3. Check the password recovery/reset functionality on these applications to see whether passwords can be easily recovered or reset.
  2. Fix and/or monitor them (in priority order).
    1. Remove access to the SPI that the application doesn't need by changing database credentials and permissions (easiest).
    2. Have developers re-write the code.
    3. Log, alert and respond to critical messages (SQL syntax errors, administrator account login failures, etc.).
    4. Create/update your Incident Response Plan so you know what immediate action to take if you get any of these alerts.
  3. Prevent future coding errors from getting introduced.
    1. Train developers on secure code development (web searches, OWASP resources and your local OWASP chapter, SANS courses, the Austin BSides and LASCON conferences).
    2. Ensure database administrators are assigning unique accounts with limited privileges for each application.
    3. Implement a code review process to include security.
    4. Have developers perform security testing as part of code unit testing (IBM AppScan, HP WebInspect, FindBugs, manual testing, etc.).
    5. Have security professionals perform penetration testing prior to production implementation.
  4. Test on a regular basis.
    1. Have security professionals perform penetration testing of all your Internet-facing web applications on an annual basis.
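As an added example, not code from the original article, the Python below shows two of the steps above side by side: the same login lookup written the vulnerable way (string concatenation) and the fixed way (a parameterized query), with the classic `' OR 1=1 --` bypass run against both, and a small monitor that flags the two log signals the plan says to alert on (SQL syntax errors and failures to log in to administrator accounts). It assumes an in-memory SQLite database; the user rows, log lines and administrator account names are constructed for illustration and the database error strings are the ones SQLite, MySQL and SQL Server emit on malformed SQL.

```python
"""Added example (not from the original article): the same login lookup written
the vulnerable way and the fixed way, plus a small monitor for the log messages
the action plan says to alert on. Runs against an in-memory SQLite database
with constructed sample rows; the log lines and alert patterns are constructed
for illustration."""
import re
import sqlite3


def make_db():
    """Constructed sample table holding Sensitive Personal Information (SPI)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "123-45-6789"),   # constructed, not real data
         ("bob", "hunter2", "987-65-4321")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so user input is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn, username, password):
    """Parameterized statement: the driver passes input as data, never as SQL text.
    This is the 'have developers re-write the code' step."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def probe_error(conn, username):
    """A probing attacker often starts with a lone quote. On concatenated SQL that
    breaks the statement, which is why SQL syntax errors belong on the alert list.
    Returns the log line such a failure would produce, or None if no error."""
    try:
        login_vulnerable(conn, username, "x")
        return None
    except sqlite3.Error as exc:
        return "ERROR %s: %s" % (type(exc).__name__, exc)


# Alert patterns for the 'log, alert and respond' step. The database error texts
# are the ones SQLite, MySQL and SQL Server emit on malformed SQL; the admin
# account names are illustrative and should match your own environment.
ALERT_PATTERNS = {
    "sql_error": re.compile(
        r"syntax error|unrecognized token|incomplete input|"
        r"You have an error in your SQL syntax|Unclosed quotation mark",
        re.IGNORECASE),
    "admin_login_failure": re.compile(
        r"login failed.*\b(admin|administrator|sa|root|dbo)\b", re.IGNORECASE),
}


def scan_log(lines):
    """Return (alert_name, line) for every line matching an alert pattern."""
    hits = []
    for line in lines:
        for name, pattern in ALERT_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


# Constructed sample log lines, not captured from a real system.
SAMPLE_LOG = [
    "2011-02-14 09:12:01 webapp INFO login ok user=alice src=198.51.100.20",
    "2011-02-14 09:12:07 webapp ERROR OperationalError: unrecognized token: \"'\"",
    "2011-02-14 09:12:09 dbserver WARN login failed for user 'sa' src=203.0.113.7",
    "2011-02-14 09:12:20 webapp INFO login ok user=bob src=198.51.100.21",
]


if __name__ == "__main__":
    payload = "' OR 1=1 --"   # classic authentication bypass
    db = make_db()
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # every user
    print("fixed:     ", login_fixed(db, payload, "wrong"))       # nothing
    print("probe:     ", probe_error(db, "'"))
    for name, line in scan_log(SAMPLE_LOG):
        print("ALERT", name, "->", line)
```

The vulnerable function returns every user for the bypass payload because the `--` comments out the password check; the parameterized version returns nothing, since the payload is compared as a literal username. Note that the parameterized query fixes the injection but not the plan's first step: if the application's database account can still read the `ssn` column, a different bug elsewhere will still expose SPI, so the credential and permission change comes first.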

User Web-Based Attack Defense - Action Plan

  1. Find out where your weaknesses are.
    1. Perform a full malware scan on all your systems and identify those that are infected.
    2. Maintain an accurate hardware and software inventory for every machine on your network.
    3. Make a list of all the web-executable software you have (Java, QuickTime, Adobe Reader, Flash, RealPlayer, etc.).
    4. Identify all users who have Administrative privileges.
    5. Identify all the categories of websites that are allowed which aren't needed for business purposes.
    6. Identify any systems which haven't been hardened.
  2. Fix your weaknesses.
    1. Re-image any computer which is suspected or confirmed to have an infection – no exceptions!
    2. Patch all web-executable software immediately.
    3. Remove Administrative rights from user accounts (as much as possible).
    4. Block websites that aren't needed for business purposes (especially advertising sites).
    5. Limit users' time on the web.
    6. Harden your systems (start with the Federal Desktop Core Configuration standard – USGCB or CIS).
  3. Prevent future infections.
    1. Perform routine full malware scans on all your systems.
    2. Monitor security and vendor mailing lists for vulnerabilities, workarounds and patches and apply them immediately (absolutely no less than once a month).
    3. Harden all systems before they are ever deployed.
    4. Don't deploy new users with Administrative privileges (unless you must).
    5. Consider using Firefox and/or Chrome browsers with add-ons such as NoScript and AdBlock (requires user training).
    6. Train users to avoid clicking on bad links (bad search results, spoofed links).
    7. Teach users “Don't Click on That”.

USB Flash Drive Attack Defense - Action Plan

Follow the User Web-Based Attack Defense Action Plan above, plus:

  1. Disable AutoRun/AutoPlay on all of your Windows systems (part of system hardening; setting the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF disables it for every drive type).
  2. Identify all users who require the use of USB Flash Drives.
  3. Disable USB mass storage for all users who don't (setting the Start value of HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR to 4 disables the driver; this blocks storage devices rather than the ports themselves, so keyboards and mice keep working).
  4. Provide all those who do with an encrypted flash drive (e.g. IronKey).
  5. Implement a policy prohibiting the use of personal flash drives in your organization's computers, and the use of the organization's flash drives in personal computers.