Taming The Security Weakest Link(s)

Overview

The security level of a computerized system is only as good as the security level of its weakest links. If one part is secure and properly tightened while other parts are compromised, then your whole system is compromised, and the compromised parts become your weakest links. The weakest link fits well with the attacker’s mindset, which always looks for the path of least resistance to the goal.

Third parties in computing present an intrinsic security risk for CISOs and, in general, for any person responsible for the overall security of a system. It is a security risk that is overlooked due to a lack of understanding and is not taken into account in an overall risk assessment, except for the mere mention of it. To clarify, third party refers to all other entities that are integrated into yours, which can be hardware and software, as well as people who have access to your system and are not under your control.

A simple real-life example can make it less theoretical. Let’s say you are building a simple piece of software running on Linux. You use the system C library, which in this case plays the 3rd party role. If the C library has vulnerabilities, then your software has vulnerabilities. Even if you make your software bulletproof, that still won’t remove the risks associated with the C library, which becomes your software’s weakest link.

Zooming out from our imaginary piece of software, you probably already understand that the 3rd party problem is much bigger than what was just mentioned, as your software also relies on the operating system, other installed 3rd party libraries, the hardware itself, the networking services, and the list goes on and on. I am not trying to be pessimistic, but this is how it works. In this post, I will focus on application integration-driven weakest links for the sake of simplicity, and not on other 3rd parties such as reusable code, non-employees, and others.

Application Integration as a Baseline for 3rd Parties

Application integration has been one of the greatest trends ever in the software industry, enabling the buildup of complex systems based on existing systems and products. Such integration takes many forms depending on the specific context in which it is implemented.

Mobile World

In the mobile world, for example, integration mainly serves ease of use: apps are integrated into one another by means of sharing or delegation of duty, such as integrating the camera into an image editing app. iOS has come a long way in this direction with native FB and Twitter integration, as well as native sharing capabilities. Android was built from the ground up for such integration with its activity-driven architecture.

Enterprise Systems

In the context of enterprise systems, integration is the lifeblood of business processes where there are two main forms of integration: one-to-one such as software X “talking” to software Y via software or network API. The second form is many-to-many, such as in the case of software applications “talking” to a middleware where later the middleware “talks” to other software applications.

Personal Computers

In the context of a specific computer system, there is also the local integration scenario which is based on OS native capabilities such as ActiveX/OLE or dynamic linking to other libraries – such integration usually serves code reuse, ease of use and information sharing.

Web Services

In the context of disparate web-based services, the one-to-one API integration paradigm is the main path for building great services fast.

All In All

Of course, the world is not homogeneous as is depicted above. Within the mentioned contexts you can find different forms of integration which usually depend on the software vendors and existing platforms.

Integration Semantics

Each integration is based on specific semantics. These semantics are imposed by the interfaces each party exposes to the other party. REST APIs, for example, provide a rather straightforward approach to understanding the semantics, since the interfaces are highly descriptive. The semantics usually dictate the range of actions that can be taken by each party in the integration tango, and the protocol itself enforces those semantics. Native forms of integration between applications are a bit messier than network-based APIs: there is less capability to enforce the semantics, which allows exploits such as in the case of ActiveX integration on Windows, which has been a basis for quite a few attacks.

The semantics of integration also include the phase of establishing trust between the integrated parties, and again, the implementation varies quite a bit within each context. It ranges from a zero trust case with fully public APIs, such as consuming an RSS feed or running a search on Google with an Incognito browser, up to a full authentication chain with embedded session tokens.

In the mobile world, where the aim of integration is to increase ease of use, the trust level is quite low. The mobile trust scheme is based mainly on the fact that both integrated applications reside on the same device, such as in the case of sharing, where any app can ask for sharing via other apps and gets an on-the-fly integration into the sharing apps. The second prominent use case in mobile for establishing trust is based on a permission request mechanism. For example, when an app tries to connect to your Facebook app on the phone, the permission request mechanism verifies the request independently from within the FB app, and once approved, the trusted relationship remains constant by use of a persisted security token. Based on some guidelines, some apps do expire those security tokens, but they last for an extended period. With mobile, the balance keeps shifting between maintaining security and annoying the user with too many permission questions.

Attack Vectors In Application Integration

Abuse of My Interfaces

Behind every integration interface, there is a piece of software which implements the exposed capabilities, and as with any software, it is safe to assume that there are vulnerabilities just waiting to be discovered and exploited. So merely opening integration interfaces from your software poses a risk.

Man In the Middle

Every communication between two integrated parties can be attacked using a man in the middle (MitM). A MitM can not only intercept the communications but also alter them, either to disrupt the communications or to exploit a vulnerability on either side of the integration. Of course, there are secure protocols such as SSL which can reduce that risk but not eliminate it.

Malicious Party

Since we don’t have control of the integrated party, it is very difficult to assume that it has not been taken over by a malicious actor who can now do all kinds of things: exploit my vulnerabilities, exploit the data channel by sending harmful or destructive data, or cause a disruption of my service with denial of service attacks. The other risk of a malicious or under-attack party is about availability, and many times with tight integration your availability strongly depends on the integrated parties’ availability. The risk posed by a malicious party is amplified by the fact that trust is already established, and many times a trusted party receives wider access to resources and functionality than a non-trusted party, so the potential for abuse is higher.

Guidelines for Mitigation

There are two challenges for mitigating 3rd party risks: the first one is visibility, which is easier to achieve, and the second is what to do about each risk identified, since we don’t have full control over the supply chain. The first step is to gain an understanding of which 3rd parties your software is reliant upon. This is not easy, as you may have visibility only over the first level of integrated parties. In a way this is a recursive problem, but still, the majority of the integrations can be listed out. For each integration point, it is interesting to understand the interfaces, the method of integration (i.e. over the network, ActiveX), and finally, the method of establishing trust. Once you have this list, then you should create a table with four columns:
  • CONTROL - How much control you have over the 3rd party implementation.
  • CONFIDENCE - Confidence in 3rd party security measures.
  • IMPACT - Risk level associated with potential abuse of my interfaces.
  • TRUST - The trust level required to be established between the integrated parties before communicating with each other.
These four parameters serve as a basis for creating an overall risk score, where the weight of each parameter is assigned at your discretion and based on your judgment. Once you have calculated the overall risk for each 3rd party, simply sort the list by risk score, and you have a list of priorities for taming the weakest links.

Once you know your priorities, there are things you can do yourself, and there are actions that only the owners of the 3rd party components can take, so you need some cooperation. Everything that is in your control, namely the security of your end of the integration and the trust level imposed between the parties (assuming you have control of the trust chain and you are not the consumer party in the integration), should be tightened up. For example, reducing the impact of your interfaces on your system is in your control, as is the patching level of dependent software components. MitM risk can be reduced dramatically by establishing a good trust mechanism and implementing secure communications, but it cannot be completely mitigated. Lastly, taking care of problems within an uncontrolled 3rd party is a matter of specifics, which can’t be elaborated upon theoretically.
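The scoring and sorting steps of this section, as an added example that is not code from the original post: the 1-5 rating scale, the weights, the direction in which each column counts and the sample inventory are all assumptions. It goes one step beyond the four-column table by also carrying the worst upstream score forward, to reflect the recursive nature of 3rd parties.

```python
from dataclasses import dataclass, field

# Assumed 1-5 rating scale and weights; the post leaves the weights to your judgment.
WEIGHTS = {"control": 0.2, "confidence": 0.3, "impact": 0.3, "trust": 0.2}
# Assumption: more CONTROL or CONFIDENCE means less risk, so those ratings are inverted.
# Assumption: a higher TRUST rating means wider access once trusted, so more risk.
INVERTED = {"control", "confidence"}

@dataclass
class Integration:
    name: str
    method: str                 # how it is integrated, e.g. "REST over TLS"
    control: int
    confidence: int
    impact: int
    trust: int
    depends_on: list = field(default_factory=list)  # its own 3rd parties, where known

    def own_score(self) -> float:
        """Weighted risk in 0..1 from the four table columns."""
        total = 0.0
        for column, weight in WEIGHTS.items():
            rating = getattr(self, column)
            if not 1 <= rating <= 5:
                raise ValueError(f"{self.name}: {column}={rating} is outside 1-5")
            risk = 6 - rating if column in INVERTED else rating
            total += weight * (risk - 1) / 4
        return round(total / sum(WEIGHTS.values()), 3)

def effective_score(name, inventory, _seen=frozenset()):
    """Weakest-link score: the worst of a party's own score and its upstream scores."""
    if name in _seen or name not in inventory:  # cycle, or a party with no visibility
        return 0.0
    item = inventory[name]
    upstream = [effective_score(d, inventory, _seen | {name}) for d in item.depends_on]
    return max([item.own_score(), *upstream])

def prioritise(inventory):
    """Rows of (name, own, effective), highest effective risk first."""
    rows = [(n, i.own_score(), effective_score(n, inventory)) for n, i in inventory.items()]
    return sorted(rows, key=lambda row: (-row[2], -row[1], row[0]))

# Constructed sample inventory (hypothetical names and ratings, not from the post).
INVENTORY = {i.name: i for i in [
    Integration("payments-api", "REST over TLS", 1, 4, 5, 4, depends_on=["kyc-vendor"]),
    Integration("kyc-vendor", "REST over TLS", 1, 1, 4, 4),
    Integration("libc", "dynamic linking", 2, 5, 5, 5),
    Integration("rss-feed", "public HTTP", 1, 2, 1, 1),
    Integration("pdf-plugin", "ActiveX/OLE", 1, 1, 4, 5),
]}

if __name__ == "__main__":
    for name, own, effective in prioritise(INVENTORY):
        print(f"{name:13} own={own:.3f} effective={effective:.3f}")
```

In the sample, payments-api scores 0.725 on its own but inherits 0.875 from the vendor it depends on, which moves it up the priority list.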

Summary

The topic of 3rd party security risks is too large to be covered by a single post, and as seen within each specific context, the implications vary dramatically. In a way, it is a problem which cannot be solved 100%, due to lack of full control over the 3rd parties, and lack of visibility into the full implementation chain of the 3rd party systems. To make it even more complicated, consider that you are only aware of your own 3rd parties, and your 3rd parties also have 3rd parties, which in turn also have 3rd parties, and on and on, so you cannot be fully secure! Still, there is a lot to do even if there is no clear path to 100% security, and we all know that the harder we make it for attackers, the costlier it is for them, which does wonders to weaken their motivation. Stay safe!

A Tectonic Shift in Superpowers or What Sony Hack Uncovered to Everyone Else

The Sony hack has flooded my news feed in recent weeks, with everyone talking about how it was done, why, whom to blame, the trails which lead to North Korea and the politics around it. I’ve been following the story from the first report with an unexplained curiosity and was not sure why, since I read about hacks all day long. A word of explanation about my "weird" habit of following hacks continuously: being a CTO of the Ben-Gurion University Cyber Security Labs comes with responsibility, and part of it is staying on top of things :) Later on, the reason for my curiosity became clear to me.

As background, to those who are deep in the security industry it is already well known, although not necessarily spoken out loud, that attackers are pretty far ahead of enterprises regarding sophistication. The number of reported cyber attacks in the recent two years shows a steep upward curve, and if you add to that three times as many non-reported incidents, then anyone can see it is exploding. And although many criticized Sony for their wrong security measures, I still don’t think they are the ones to blame. They were caught in a game beyond their league. Beyond any enterprise’s league.

The reasons attackers have become way more successful are:

  • They know how to better disguise their attacks, using form changing techniques (polymorphism) and others.
  • They know quite well the common weaknesses in enterprise IT. You can install almost any piece of software in your lab and just look for weaknesses all day long.
  • They have more money to pour into learning the specifics of their targets, and thanks to that they build elaborate and targeted attacks. In the case of state-sponsored attacks, the funds are unlimited.
  • Defensive technologies within the enterprise are still dominated by tools invented ten years ago, when attacks were more naive, if such can be said. Today we are in a big wave of new emerging security technologies which can be much more effective, though enterprises need enough time to adopt them.
So it is fair to say that enterprises are in a way sitting ducks for targeted attackers and I am not exaggerating here. And the Sony story was different than others for two main reasons:
  • The attack allegedly originated from, and was backed by, a specific nation. And I am saying allegedly because unless you found the evidence in someone’s computers you can’t be sure, and even then that person could have been entrapped by the real attackers. Professionals can quite easily cover up their traces, and the attackers here are professionals.
  • The results of the attack are devastating, and their publicity turned them into a nightmare for any CEO on earth. Some warning sign to the free world.
And Sony, due to their bad luck, got caught in the middle.

Image taken from http://www.politico.com/story/2014/12/no-rules-of-cyber-war-113785.html

The End of Superpowers

From a high-level view, it does not matter whether it was North Korea or not. An event has happened in which, potentially, a state attacked a private company; its consequences and the lack of ramifications are quite clear, and this opens the path for it to happen again and again in the future. That is what makes it a game changer. Every nation in the world now understands that it has a free ticket to a new playground with different rules of engagement and, more importantly, a different power balance.

In the physical world, power has always been attributed to the amount of firepower you’ve got, and naturally, the amount of firepower has a tight correlation with the economic strength of the nation. The US is a superpower. Russia is a superpower. In the cyber world these rules do not necessarily apply: a small group of very smart people with very simple, cheap tools can wreak havoc on a target. It is not easy but possible. The attackers many times are limited only by their creativity and nothing else. In the cyber world, size matters less.

Our lifestyle and lifeblood have become dependent on IT. Our electricity, water, food, defense, entertainment, finance and almost everything else work only if the underlying IT is functioning properly. Cyber warfare means attacking the physical world by digital means, and the results can be no less devastating than any other type of attack. They can be worse, since IT also presents new single points of failure. So if cyber wars can cause harm like real wars, and size matters less, wouldn’t that mean the rules of the game have changed forever?

Question of Responsibility

As soon as I heard that North Korea might be responsible for the attack, I understood that Sony was caught in an unfair game, and the big question is about the role of the government in defending the private sector, how and to what extent. Going back again to the physical world, had a missile been launched from North Korea onto the headquarters of Sony, the story and the reaction would have been very different and predictable. This comparison is valid since the damage which such a missile can cause to the company is probably lesser from the economic perspective, not taking into account, of course, human casualties. I am not saying cyber attacks can’t cause casualties; I am just saying that this one did not. So why is there a difference in the stance of the US government? Why did Sony not ask for help and nationwide defense? The era of cyber warfare removes the clear distinction between criminal acts and nation-level offensive acts, and a new line of thought should emerge.

So what does the future hold for us?

  • A big wave of cyber attacks coming from everywhere on the globe. The “good” results of this attack will surely provide a sign of hope for all the people in the world who felt inferior from a military perspective. The attackers always go to the weakest links, so we will see more enterprises being attacked like Sony in a more severe way. A long, complicated, stealthy war.
  • A big wave of security technologies which aim to solve these problems, coming from the private and government sectors. Security startups and established players in a way “enjoy” these developments, as the need for new solutions is rising steeply. I personally know some startups in Israel which can take away the current advantage attackers enjoy, with technologies such as polymorphic cyber defense. I will elaborate on that in a future post since it deserves one on its own.
  • A long debate about who is responsible for what and what measures can be taken meanwhile. Cutting down the internet across the globe won’t help anyone, since there are today many ways to launch attacks from different geographic places, so location doesn’t matter anymore. It won’t be easy to create a solution which will be effective on the one hand and not limit the freedom to communicate on the other hand.

Meanwhile, you can gaze a bit at the emerging battleground

Image taken from a live attacks monitor on IPVKing
