APTs Are So Tomorrow: Enterprises Need to Take Care of the Basics Like SQL Injection and Cross Site Scripting Before Worrying About More Sophisticated Threats
“Step right up folks! Behold the child what has four legs! Marvel at bearded lady and the wolf faced boy! Gaze upon the smallest man in the world, who fits into his giant friend’s hand!”
Circus freak shows are testimony to our fascination with the unique, the bizarre. APTs ignite the same obsession as they confound us with feats of teleportation past “128 bit encrypted firewalls”, as they say in the movies. Certainly the legends of nation states exploiting zero day vulnerabilities to break into the electrical grid are the articles we gawk over during our morning news intake while SQL injection (SQLi) and cross site scripting (XSS) are banished to the virtual back pages of technology current events.
And yet, according to the observations of IBM’s X-Force in the 2013 Mid-Year Trend and Risk Report, and data going back years, dull exploits like XSS and SQLi are still the top vectors for data breaches.
It seems as though the security administrators are suffering from attention deficit. We know how to prevent XSS and SQL injection—perform input sanitization and use parameterized queries and stored procedures—but many organizations have failed to take care of the basics before moving on to the next, hot security threat, whether it’s cloud, mobile, or APTs.
I acknowledge that it’s not as simple as focusing on one thing, getting it right, and tackling the next phase of the security program. (Fans of M*A*S*H might recognized a bit of Charles Emerson Winchester there: “I do one thing at a time, I do it very well, and then I move on”). But years have passed since the introduction of SQLi and XSS; even in the midst of the most hectic multitasking, all medium and large enterprises should have a process to identify and mitigate those vulnerabilities before they’re exploited.
So what does that mean, practically speaking?
- Identify your external facing assets.
Often this is easier said than done because of cloud deployments, shadow IT, and web sites deemed not important enough to bother to report as official inventory (think marketing website at a hosting provider). Techniques to help include using vulnerability scanners to find assets (obviously), referencing DNS zone files, and asking procurement for expenses related to services, such as cloud. While the focus is on finding external systems, don’t forget malicious insiders are also a threat as well. Also, external actors who manage to penetrate your outer defense may discover tasty data on vulnerable internal systems, or at least find those systems a perfect home base from whence to perform surveillance and stage attacks to gain broader access.
- Scan the assets for vulnerabilities.
Using black box or glass box testing, organizations can determine where the application weaknesses are. For custom applications, organizations can perform automated source code evaluation and fix security vulnerabilities before the application is deployed.
- Mitigate those vulnerabilities.
If applications can’t be modified, there are a few techniques for mitigating input validation and data query vulnerabilities. Database access monitoring solutions can identify suspect queries and prevent them from executing in the context of the back-end database system. IBM’s XGS offers “virtual patching” and can integrate with AppScan: if a vulnerability is found during an application scan, the intrusion prevention system can be notified and restrict that exploit string from reaching the vulnerable application. And QRadar can identify suspect activity, such as a database administrator login to a table containing credit card data after business hours.
Mature organizations wrap a manageable process around the technology controls, including change management that tracks the procurement and connection of all new systems and changes to existing systems, and testing them before they’re put into production. But don’t let perfect be the enemy of good: start where you can and chip away at the process. You can never move on from the basics, but you can reduce your effort as that part of your security program matures and becomes a routine that can be offloaded to junior staff—with supervision, of course.
The reality is that we’ll never be able to prevent a well-funded and persistent adversary from compromising our defenses. The best we can do is put up large speed bumps to make it exceedingly difficult for the enemy to achieve their goals and to detect their efforts as soon as possible—ultimately before they steal or destroy data. Sometimes the saying, “You don’t have to swim faster than the shark, you only have to swim faster than your dive buddy” holds true and the attacker will move on if you screw up their economics, but even if they are firmly fixated on you as the target, there’s no reason to give up and lay out a red carpet and a warm plate of cheese by not taking care of the basics.