In an era where data is more valuable than gold, cyberattacks in its multiple manifestations have dominated global headlines with account hijacking and injection attacks. Be it credential theft, brute force attacks, social engineering thefts or access control misconfiguration, the sophistication and damages are rising by the day. While the type of attackers may vary between ‘spray and pray’ opportunistic ones looking for easy pickings or high-profile targeted government espionagers, the business impact by these breaches is rummaging through to trillion of dollars.

The shift to a remote workforce in 2020 has highlighted the need for an approach to app development that has security built-in from inception. In the current digital landscape, security is essential to achieving business resiliency and maintaining quality while developing at the speed of DevOps. Prioritising speed without security in app development can lead to an uptick in critical vulnerabilities with disastrous results. To avoid this, organisations must address security earlier in the software development life cycle.

Cybersecurity Ventures¹ media notes several eye-opening statistics which puts into perspective the importance of security in the new normal. Cybercrime damage costs are predicted to hit $6 trillion annually by 2021 and ransomware attacks on healthcare organisations — often called the No. 1 cyber-attacked industry — expected to quadruple. Cybersecurity Ventures expects that a business will fall victim to a ransomware attack every 11 seconds in 2021, up from every 14 seconds in 2019. This makes ransomware the fastest growing type of cybercrime. The recent attacks by SolarWinds and FireEye underscores that no organisation is immune to threats and attacks. Attackers are looking for ways to evade IT attention, bypass defences, and exploit emerging weaknesses. The fallout from this attack will likely capture a large proportion of attention of governments and Fortune 500 cybersecurity teams in 2021 and will result in rollout of more stringent cybersecurity policies especially targeting supply chain vulnerabilities.

 

Security by design – in the DNA

A few hundred years ago, the Greeks, Romans and other mighty empires prided themselves on building impenetrable fortresses around their kingdom to protect themselves from outside invaders. There seems to be a similar theme when corporations in the 21^st century invest heavily in perimeter security to insulate their ‘business data’ empire from outside threats. To some extend this does protect attackers from infiltering, however with the advent of a new era of Apps and IoTs and now with an accelerated change to ways of working during a global pandemic, the concept of only having a best-in-class perimeter security has received a timely wake-up call.

“Application security is really a partnership. In the past years, security has often been seen as a silo. And what we’ve learned along the way is that we need to have better alignment between software development and the security that we’re trying to put into it. And we have to be able to build that in throughout versus trying to bolt it on at the end.”, notes Robert Cuddy, Global AppScan Evangelist, HCL Software.  He says “We need to understand and identify risk earlier when it’s easier to mitigate it and it certainly costs less to do that earlier in the process. That encompasses a whole gamut of things around visibility, reducing false positives – which we spend an awful lot of time doing, providing information for targeted remediation etc.” Cuddy observes that while we go with defence in depth and put in firewalls, network security and identity access management among a host of other things, organisations have to think both ‘outside-in’ and ‘inside-out’ which is where the application security piece comes into effect.

In his insightful blog² Cuddy, rightfully observes that Security needs to be a business enabler, not just a gatekeeper. That means the Security professional needs to have alignment to the business. He goes on to explain that when great security practices are well-integrated throughout the software development lifecycle (SDLC), and meaningful, actionable feedback is provided to teams at all stages then risk is better monitored, managed, minimised and mitigated.

Security is a fundamentally foundational need that everyone involved in developing software has to embrace. This starts with developers and QA who have to provide data on whether a software or app can be made secure before committing to a release. The DevSecOps team must actively identify and manage risk through proactive planning, developing agile methods for continuous testing and making security a part of the overall product strategy. How to achieve Agile AppSec requires a focus on usability and accessibility to ensure the end user experience is functional, intuitive, and secure. The DevSecOps team must enable continuous testing and incorporate security as part of the process from design, development, through testing, and into the DevOps cycle.

Thinking like a hacker is probably the best way to do threat modelling to create mitigation strategies and security controls. Some of the usual threats to applications are broken authentication and session management, cross-site scripting (XSS), security misconfiguration, injection, cross-site request forgery (CSRF) etc. Being compliant, contrary to popular beliefs, does not make the environment ‘secure’. In fact, there is sometimes a false sense of security when compliance is not achieved with the right context of risk and threat mitigation.

 

False Positives – numbers that hurt

The levels of sophistication and pace of attacks by malicious actors are increasing rapidly and security teams are doing their best to respond and recover from these attacks. The problem that analysts are facing are high volumes of alerts and noises which might more often than not be a false positive. A whitepaper³ by Netsparker finds that eventually developers and testers lose faith in vulnerability scanners that generate false alarms, and they begin to ignore a whole class of problems over which the scanner triggers false alarms. A vulnerability report means additional work, say 2-3 problems are reported as false alarms by certain tools, and human nature dictates that everyone starts ticking boxes and making mistakes, going so far as to consider a single false alarm as a huge problem of magnitude. Worse, if one of the remaining problems is a critical vulnerability that goes unnoticed, it will send a flood of false alarms into production without being caught and repaired, at high cost for later manual testing.

However, when dealing with a false positive, a lot more testing can be necessary until the developer decides that it’s a false alarm. Crucially, someone has to take personal responsibility for ruling against the scanner and signing off code where potentially serious issues have been flagged as false alarms.

In an agile development environment, automation is king – and manual security processes are not a feasible option at scale. DevOps and CI/CD teams rely on their automated tools to do the legwork so they can focus on tasks that require the creativity and problem-solving skills of highly qualified specialists. False positives in vulnerability testing can force testers and developers to put their streamlined automated processes on hold and laboriously review each false alarm just like a real vulnerability.

False positives can also be detrimental to team dynamics. Every time the security team reports a vulnerability, the developers have extra work investigating and fixing the issue, so reliability and mutual trust are crucial to maintaining good relations. This makes false alarms particularly aggravating, and if the vulnerability scan results burden the developers with unnecessary workloads, the working relationship may quickly turn sour. The dev team may start treating the security people as irritating timewasters, leading to an “us vs. them” mentality – with disastrous consequences for collaboration and the entire software development lifecycle.

The National Institute of Standards & Technology (NIST) conducted a series of studies on the effectiveness of Static Application Security Testing (SAST) tools. The study⁴ revealed that on average, AppSec tools have a false positive rate of an astonishing 30% of which another 36% was insignificant. False positives have been identified as one of the leading obstacles to implementing tools, with 90% of developers willing to accept false positives at a rate of 5%. The false positive issue creates an obstacle to the introduction of AppSec tools for developers.

 

Nuggets for thought

Some guidelines to best practices in AppSec⁵ noted by CBTnuggets are shared below and these can be evolved to best suit the needs of your organisation in the ever changing fast and furious world of Information Technology:

1. Follow secure coding practices
2. Enforce minimum permissions
3. Automate security functions
4. Testing! Testing! Testing!
5. Patch your web servers
6. Inspect all traffic
7. Encrypt everything
8. Learn about new vulnerabilities
9. Focus on key threats
10. Create a plan

When it comes to advancing DevOps practices and patterns for enterprises, human transformation is the most critical success factor. According to Jayne Groll, CEO of the DevOps Institute and author of the 2020 Upskilling Report⁶, “With the rise of hybrid (remote/in-office) product teams, upskilling and online training initiatives will expand. As the pressure continues to rise to sell products and services through e-commerce sites, apps, or SaaS solutions, the lines between product and engineering teams will rapidly blur, giving rise to cross-functional, multidisciplinary teams that must learn and grow together. Each member will need to develop a wider combination of process skills, soft skills, automation skills, functional knowledge, and business knowledge, while maintaining deep competency in their focus areas. Product and engineering teams will be measured on customer value delivered, rather than just features or products created “. He continues to explain that traditional upskilling and talent development approaches won’t be enough for enterprises to remain competitive because the increasing demand for IT professionals with core human skills is escalating to a point that business leaders have not yet seen in their lifetime. This beckons an update for our humans through new skill sets as often, and with the same focus, as our technology.

 

References

1. Cybersecurity Ventures¹ – Cybersecurity Ventures article
2. insightful blog² – Blog on the new security employee
3. Whitepaper³ by Netsparker
4. The study⁴ – by National Institute of Standards & Technology (NIST)
5. best practices in AppSec⁵ – by CBTnuggets
6. 2020 Upskilling Report⁶ – Report by DevOps Institute

With the disruptions in operations caused by the COVID-19 global pandemic, most organisations in the APAC region have been prioritising keeping the lights on. “They’ve been focused on keeping operational resilience and access to resources for employees who are obviously working from home”, noted Andrew Milroy principal adviser at Ecosystem Research during a recent virtual roundtable hosted by Focus Network and Beyond Trust.

Milroy pointed out that every day, the AV-TEST Institute registers over 350,000 new malware and potentially unwanted applications (PUA) and fighting against this giant enemy with traditional, reactive cybersecurity measures is challenging.

Early this month, Morey Haber CISO and CTO at BeyondTrust, and author of three books on the matter,  offered his “unique perspective” at the virtual roundtable to about 20 leading CISOs and heads of IT security from Singapore, Thailand, and Indonesia. According to Haber, CIOs and CISOs are faced with their weakest links being their “users”. About 99 per cent of compromises are due to end users interacting with systems, primarily phishing attacks — they’re clicking on unknown links.

In 2020, more than 850 vulnerabilities were found in Microsoft products. The OS is full of vulnerabilities, that includes the latest Windows 10, which is used on 70.98 per cent of Windows computers as of March 2020.

The end-user is running programs they shouldn’t; and they’re basically being socially engineered to give up information or do something that could be detrimental to the environment.

Haber gave an interesting example of where an employee might get an email from human resources, requesting an update to their information — just in case there’s a COVID crisis. The employee clicks on the link thinking they are entering a standard response to update their HR information; however, they’ve clicked on a website that’s stealing their credentials.

That’s why users are a common challenge for the cybersecurity community today and considered even by Verizon’s data breach report – to be the number one attack vector.

Removing admin rights from endpoints with optimum application control

During the virtual roundtable, the discussion centred around changes to the work environment and how a CISO must tackle cyber security beyond the office building and the desktop. Which brings a whole set of challenges for privileged access security, application control, and the threats that have evolved.

According to Haber, COVID-19 and other environmental factors have people working from home posing a potentially greater risk for unsecure networks and unsecure wireless networks.

Haber noted these workers might have to be given admin rights while working from home so they can add their home printer or conduct other business-related tasks with their own machines. However, CISOs and CIOs won’t necessarily have visibility into the hardware. Other users might also be operating on a BYOD device or other types of problems that might have verifying compliance.

Kok Fong Lee SVP risk and control from Singapore DBS, noted the organisation didn’t have an issue with BYOD because it doesn’t allow outside hardware. “Remote workers anywhere or contractors use our company laptops,” he said. “We’ve been mobilising staff for many years as part of our transformation journey.”

For those who haven’t mobilised staff like Singapore DBS, many of the employees working from home and uses privileges with admin rights to do administration in the cloud, or on-premise, said Haber.

“Privileged users are at home, but they still need to log in as an administrator, or even as a database owner to perform their tasks,” he said. “Those are all attack vectors that are ripe for threat actors and represent new and evolving challenges to cyber security that we have to consider.”

BeyondTrust’s Microsoft Vulnerability Report 2020 brings key findings that shed some light in this matter.

“Microsoft announced 192 critical vulnerabilities in 2019 across every major Microsoft product, from Internet Explorer, Edge, Office, Server to workstation,” Haber stated. “[These] could have been prevented just by removing admin rights. Think about it for a minute — if I remove admin rights from end users — whether on the server, or on desktop/laptop, that I’ve issued while they’re working remotely, I can mitigate the vulnerability exploit combination for 77 per cent of these vulnerabilities.”

Haber recommends that least privilege tactics of removing admin rights from endpoints is an effective mitigation strategy, but people aren’t doing it more often because of the mistaken perception that doing so is complex and troublesome. This is also why users get secondary local admin accounts or put into admin group. “By deploying least privilege techniques people can get things done and it doesn’t become a burden on the help desk,” he said. “If I can reduce all users them to standard users, I can buy myself some time for patching and potentially mitigate those risks; especially for attacks using phishing that are using a vulnerability exploit combination.”

According to Haber the IT team are dealing with admin rights everywhere. Everything from the workstations; to automation; Cloud to remote workers; to mobile devices; and next gen technology, the placement of Microsoft technology is almost everywhere.

“When we remove admin rights as part of a mitigation strategy, we break it down by product realised that for Internet Explorer — 33 critical vulnerabilities were present; for Microsoft Edge 86; for Windows itself – 170,” he said. “There’s about 177 critical ones in Microsoft Office; and 171 across the server product line.”

Let’s talk about Windows

Mohamed Zubair, VP cyber security intelligence from GIC Pro Limited, told the virtual roundtable the organisation typically runs applications admin, and users will need admin credentials to log in and do the installation.

Organisations need to consider any Windows Seven or 2008 servers, or older systems, within the environment. The placement of the technology and the mitigation that can be gained by removing it from servers; by removing it from remote workers; by pulling it out from critical infrastructure; by not including admin rights in automation, he said.

“When you do that you find that 100 per cent of Internet Explorer vulnerabilities could be mitigated just by removing admin rights,” said Haber.

He believes there’s three main reasons why everyone isn’t doing it. The first is the perceived negative impact on end user productivity.

“People actually feel punished if you take away their admin rights, when in fact you’re trying to improve end user security,” he said. “There are tools and techniques of privileged access management that actually increase productivity.”

For example, if the end user is given two accounts; their standard login account as a standard user; and their secondary account as an ex-admin. According to Haber, they get multiple UAC pop ups during the day that requests admin credential to do their job, they spend five to 10 seconds every single time that comes up.

“The perception of negative impact on end user productivity is false. You can increase productivity by not having them type in their secondary credential and improve security by not even giving it to them in the first place,” he said.

The second reason is it’s quicker and easier to give everyone admin rights. If you throw everyone in the admin group, everybody works, everything is happy. “But you also have incredible amounts of risk, and your risk surface is massive”, said Haber.

“When you consider on-premise/off-premise Cloud, next gen technology, IoT and everything, giving everyone admin rights completely unacceptable,” Haber said. “We must find a model that works for the business where we’re only giving the administrative rights that are necessary when they need it, for only as long as they need it”.

“They continue to be productive and we don’t have this problem of making it quick and easy,” Haber said. “Just giving everyone admin rights as part of their identity governance – don’t do that. Let’s find a better way to truly manage them.”

Going from reactive to proactive

Common problems that people think about when they remove admin rights, is the potential for endless calls to the helpdesk.

Haber noted that shifting from a reactive to a proactive approach to mitigating critical Microsoft vulnerabilities means adopting least privilege and just-in-time privileged access management models that help you remove admin rights, while making it easier for people to do their job.

“I’m going to mitigate the risks from those critical Microsoft vulnerabilities to buy myself time for patching, to make sure I’m not a part of the next zero-day exploit and actually be safe from all the different types of malware threats that are out there,” he said.

The virtual roundtable took an interesting turn when Haber pointed out how adopting a proactive approach to cyber security allowed employees to be more functional and productive, but also reduced their rights at the same time. He noted that there was no downside to removing admin rights.

Explosion of privileged accounts

The adoption of new technologies has resulted in an explosion of privileged accounts. According to Haber, 20 years ago organisations only had privileged accounts in the data centre, and no-one cared if they had the password because they had to be within the building and within that network to use those credentials.

“Today we have cloud, we have hypervisors and we have IoT and we’re also embarking on DevOps processes,” he said. “We have privileged accounts everywhere and it’s an explosion that is affecting our entire universe.

From cameras to alarm systems and anything that’s network device connected – everything has a privileged account that can be leveraged for a botnet surveillance or compromise the organisation.”

According to Haber those privileged accounts need to be removed when possible. When dealing with them on endpoints — the critical vulnerabilities on Microsoft operating systems — many of them can be mitigated just by removing the end user’s interaction.

“We do this with BeyondTrust Endpoint Privilege Management solution,” he said. “It is the removal of admin rights on Windows, Mac OS, Unix, Linux, and even network devices, as side solutions. We also do password management to check-in, check-out passwords; automatic rotation; and remote access technology..”

According to Haber this is great for people that are working remotely – for contractors; employees; vendors; and those operating remotely who need to get into the organisation to interoperate with internal resources without the need for VPN.

 

 

 

 

 

 

 

 

(Reuters) – Britain’s data watchdog and its Australian counterpart said they launched a joint investigation into the personal information handling practices of facial recognition technology company Clearview AI.

The investigation will be conducted by UK’s Information Commissioner’s Office (ICO) and the Office of the Australian Information Commissioner (OAIC), focussing on the New York-based company’s use of “scraped” data and biometrics of individuals.

Clearview did not immediately respond to Reuters’ request for comment.

The company is also under investigation in Canada, where Clearview said it would no longer offer its facial recognition services.

Clearview AI bills itself as a tool for law enforcement, scraping the internet for publicly available photos and using facial recognition to identify potential suspects.

Critics in some countries have raised concerns about the lack of consent of those searched, and the potential for misuse of the service.

(Reporting by Muvija M in Bengaluru; Editing by Anil D’Silva)