Category Archives: Secure By Design

Three ‘Mission Critical’ Practices for any Development Team

Your company could (and should) be coding like NASA. That’s right – space-surfing, rocket-propelling, humanity-advancing, NASA. Whether you’re developing software to go to Mars or to order pizza with your sneakers, coding should follow a standard that ensures safety and security.

Nowadays, you’re likely developing a product or service that contains Personally Identifying Information (PII) or credit card information. Either that or it controls an IoT device. The fact is, these are all sensitive materials that could harm another person or location and there are three practices to consider to make sure they remain protected.

Keep humanity in mind.

If Michael Bay’s 1998 blockbuster Armageddon gave us any indication, apocalyptic asteroids are NASA’s greatest concern. This is not true as NASA spends more time protecting astronauts from its own technology than it does training boisterous oil rig workers to save the world.

Specific to coding, NASA has 10 base principles that should be considered for every product or service your organization is developing. These principles were established by Jet Propulsion Laboratory (JPL) lead scientist Gerard J. Holzmann and written with the C language in mind. Holzmann recommends C because of its long history and extensive tool support, although the rules can be generalized for coding in any programming language.

NASA’s rules are strict and add time to development if adhered to properly. That being said, NASA can’t afford to botch a project and these days, neither can tech companies. It’s this ‘measure twice, cut once’ mentality that gives Houston a sigh of relief and will spare your company future hiccups.

Highlight secure design.

Secure products are created when placing importance on secure design. Secure design is one step in a larger context which includes:

  1. Threat modelling.
  2. A Software Development Lifecycle (SDLC) including:
    1. Secure design.
    2. Secure coding.
    3. Secure testing and evaluation.
  3. Third party assessment of your product or service.
  4. Creation and implementation of a vulnerability disclosure and management process.
  5. Creation and implementation of an incident management process.
  6. Creation and implementation of a data breach process.

There are organizations out there that can support your company’s efforts in secure design. The International Organization for Standardization (ISO) provides world-class specifications for products, services and systems, to ensure quality, safety and efficiency. With over twenty thousand international standards and related documents published, ISO spans almost every industry, including technology.

Another example is the Open Web Application Security Project (OWASP) – a not-for-profit organization dedicated to helping organizations conceive, develop, acquire, operate and maintain trusted applications.

OWASP has developed a number of tools to aid in secure design, such as the Dependency-Check tool and the ZAP proxy tool. Between them, these tools help identify project dependencies and check for known, publicly disclosed vulnerabilities in both software and web applications.

Keep in mind that adding security at the front end of the product life cycle saves money on the back end for delivery when you’re calling your lawyer to deal with a lawsuit.

Teach safe ‘sets’.

Teaching an old developer new protocols is kind of like teaching an old dog new tricks – difficult. Many senior developers are set in their ways and find it hard to code with strict (but secure) guidelines. The same could be said for junior developers that graduate with great coding skills but poor security knowledge. Whether your development team is made up of seniors, juniors or both, training them to code securely is necessary to produce secure products and services.

Secure coding training is effective if implemented as part of the onboarding process. Your training should establish guiding principles and follow a secure design process. Providing a baseline for your developers and training grounds for testing is a surefire way to teach them how to code securely.

OWASP has developed another resource called WebGoat – a deliberately insecure web application maintained by OWASP to teach web application security lessons. It’s through these war games and hands-on security lessons where your developers will truly grasp the concept of secure coding.

Coding for the benefit of all.

When developing software for a product or service, think big and small. As you prepare your team for launch, make sure they’re equipped with the proper tools and protocols before all systems are go. Establish a proper baseline, training program and development plan before your developers start coding. Time, money and sensitive information will be saved. From here, highlight secure coding as ‘mission critical’ once a project is in flight.

This is easier said than done as the pace at which tech companies are expected to operate continues to accelerate. Set timelines with the rationale that when your organization does something, they do it right. Inform your clients there is more on the line than an unsuccessful project – human lives are often at stake.

Remember: whether it’s a rupture in a shuttle’s oxygen tank or a security breach in a piece of software, failure is not an option.

Written by: DarkKnight


Connecting the Dots for SMBs & Cybersecurity

Does your company’s private network speed ever feel like a VPN? Did someone (other than your IT director) reset your password? Have you been reading emails from the Nigerian Prince? If you’ve answered yes, it’s possible your company has fallen victim to a cyber attack.

If you’re a multinational tech giant, you’re probably fine (probably). But if you’re a SMB, cyber attacks can destroy priceless data and ravage your bottom line.

Let’s take a look at some stats: it takes most businesses somewhere between 100 and 200 days to detect an attack and, to make matters worse, most SMBs find out from a third party. That means stolen data (that’s likely long gone forever) and damaged customer relationships. In addition, SMBs only have a 40 percent probability of staying in business after a security breach, which are odds Han Solo wouldn’t even take.

These days, whether you sell Apple phones or apple pies your company has an attack surface. An attack surface can be anything from the Internet, to technology, to an employee and no matter how big your company may be, you need to be prepared.

You have been compromised. Now what?

In the event that your network has been attacked, react urgently but do not panic. Instead, have a plan in place. Ideally you have developed your plan before the attack, but often that is not the case.

In 2016, more than 375 million new unique malware variants were discovered globally. Cyber criminals are continuously finding new ways to breach security systems, so make sure your plan is malleable. After a cyber attack, here is the recommended plan of action:

  1. Identify the target systems and determine the data that was compromised. Hopefully you had a backup of your data to restore from. Now perform a full system backup at the bit level to capture all files and the current system state. If possible, disconnect from your network but leave the power on to preserve the system state.
  2. Take your cloned system disks and use them for forensics in a protected environment, or hand them over to your cyber security partner for analysis.
  3. Have your operating system rebuilt from scratch. At this point, you have no idea whether or not a back door has been installed. Assume that it has.
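
The bit-level copy in step 1 and the hand-off in step 2, sketched as an added example that is not part of the original post: it images a source, proves the copy is identical by hash, and records the hash so the analyst receiving the disk can re-check it. The function names, log format and case ID are assumptions made for illustration, and the source is assumed not to be written to during imaging (for example, attached through a write blocker).

```shell
#!/bin/sh
# Added example (not from the original post): bit-level acquisition with
# integrity verification and a simple custody log.
# Assumptions: sha256sum and dd are available; the source is not being
# written to while it is imaged; names and log format are illustrative.

# acquire_image SOURCE OUTDIR CASE_ID
#   SOURCE may be a block device (e.g. a disk behind a write blocker) or a file.
acquire_image() {
    src=$1; outdir=$2; case_id=$3
    img="$outdir/$case_id.img"
    log="$outdir/$case_id.custody.log"

    if [ ! -r "$src" ]; then
        echo "cannot read source: $src" >&2; return 2
    fi
    mkdir -p "$outdir" || return 2
    # Never overwrite existing evidence.
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image: $img" >&2; return 3
    fi

    # Hash the source, copy it block for block, then hash the copy.
    # No conv=sync here: padding a short final block would change the hash.
    # A read error makes dd fail; damaged media need a recovery-oriented imager.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    if ! dd if="$src" of="$img" bs=1048576 2>/dev/null; then
        echo "imaging failed" >&2; return 4
    fi
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)

    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source changed or copy is bad" >&2; return 5
    fi

    # Make the image read-only and record who imaged what, and when (UTC).
    chmod 0444 "$img"
    printf '%s case=%s source=%s sha256=%s operator=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$case_id" "$src" \
        "$img_hash" "${USER:-unknown}" >> "$log"
    return 0
}

# verify_image IMAGE CUSTODY_LOG
#   Run by whoever receives the image: succeeds only if the image still
#   matches the most recent hash recorded in the custody log.
verify_image() {
    img=$1; log=$2
    want=$(sed -n 's/.* sha256=\([0-9a-f]\{64\}\).*/\1/p' "$log" | tail -n 1)
    if [ -z "$want" ]; then
        echo "no hash recorded in $log" >&2; return 2
    fi
    have=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$have" = "$want" ]
}
```

All analysis should then run against copies of the verified image, never against the original disk.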

In a cyber attack, there is both a technical and human component to its path of destruction. While you work to get the technical side under control, contact your legal team and make them aware of the situation.

Start dusting off that PR handbook.

Public relations is something often neglected by SMBs. It’s important to notify your PR team as soon as possible after an attack. If you don’t have one, get one. Whether that means hiring one full time or on contract is entirely up to you.

In any business, do not try to downplay the situation. Equifax learned this the hard way when they chalked up their massive breach to “Criminals exploited a U.S. website application vulnerability to gain access to certain files.” In a blizzard of negative publicity, the story snowballed with the breach ultimately costing them close to $70 million in fourth quarter profits. Given time, the company’s hit to brand credibility will indicate its true losses.

Another PR mistake is deflecting liability. Many company executives have taken a stroll down ‘Blame Game Lane’, which almost always leaves them on the wrong side of the tracks. In 2016, Wells Fargo was fined $185 million for creating two million fake customer accounts and their CEO immediately took to blaming his 5,300 employees. By not admitting fault, one of the largest banks in the world put its internal and external reputation in serious jeopardy.

“The greatest victory is the one that requires no battle.” – Sun Tzu, The Art of War

While larger companies typically survive, it’s no wonder SMBs go out of business so fast. Cyber attacks cost time and money, both of which SMBs can’t afford to lose. Many still fail to evaluate their cyber security risks; however, boardrooms are smartening up. It’s even been a topic in NAFTA discussions. Develop a security protocol and be proactive in testing and quantifying your risks. Businesses of all sizes should test their systems and perform ‘war games’ to prepare for an attempted breach.

Put simply, two words can save your business from a cyber attack: be proactive. The most common means of cyber incursion is social engineering – using people to voluntarily but unknowingly allow a cyber attack to occur such as providing physical access or handing over system passwords. Train your employees, learn to recognize the signs of a breach and avoid opening emails from unknown sources.

Cybersecurity is unfamiliar territory for most companies these days, but one worth exploring. As you continue to evaluate your company’s security controls, just know we can help you connect the dots.

Written by: DarkKnight


What does the WikiLeaks announcement mean to you?

I doubt you missed it, but this week WikiLeaks announced some very serious allegations on how vulnerabilities are being used by government agencies to compromise devices, then use the devices to listen to conversations and capture all data from those devices. Do I have your attention now?

If you have one of the following, pay attention:

a. An iPhone
b. An Android phone and/or based device (this category is very wide)
c. Windows
d. Smart TV
e. Home IoT devices
f. Fake versions of security software from McAfee, Kaspersky, and Sophos

The list goes on and on. This truly represents a significant precedent: that an intelligence organization has infiltrated and created a platform to compromise systems for spying. I for one am not surprised. Why?

1. Many companies do not have SDLCs that include security testing, and those that do only do the minimum they are required to for their particular industry.

2. Many do not threat model or conduct the aggressive pen-testing that is required for many of these products.

3. Executives are more inclined to release an insecure product to get revenues versus doing the right thing and securing it from the get-go. Go to many startup incubators: they only think about security and privacy when they hit several thousand users or larger companies start asking about the security posture. Many of the folks that fund these start-ups consider security a “patching” problem. They want their money, so get the product to the point where someone is going to pay big dollars for it and we can walk away.

4. Vendors are not required to provide any assurance for their products. This is why IoT in the consumer and business markets is a bounty of either compromised or to-be-compromised devices that are used in pivot attacks.

So how do you protect yourself and your organization in this wild west of vulnerable software? Consider the data you collect, store and process, then how it is touched by the known vulnerable products listed above. Now, start to remove your critical data from these platforms until the patches and fixes can be provided. Start asking vendors and service providers those uncomfortable questions:

a. How do you securely test and design your software or solution? Prove it!
b. Do you provide free upgrades and patches to your products?
c. When was the last time you experienced a data breach?
d. How is your source code protected and evaluated against backdoors and compromises?
e. What security training do you provide your staff on a regular basis?
f. What 3rd party evaluations have you had conducted against your products?
g. What is your vulnerability disclosure policy?

The answers to these questions are going to give you a good sense of the security posture of the vendor. If they cannot answer these immediately or have to go check, walk away! A company that has instilled a culture of security will have the answers to all members of staff.

Additionally, I would recommend that you stay off public WiFi networks as these are used to hunt for victims. Stop making it easy for governments to gain access to your devices. This includes corporate confidential and IP data because they take that too. Harden your device as much as you can and use an IPsec VPN to protect your data in transit. Finally, encrypt all your stored data. If your systems are compromised, you need to have that additional level of protection.


What Makes Industrial Control Systems a Target for Attack?

There is a great article from Trend Micro on why attackers target Industrial Control Systems (ICS) and how the Industrial Internet of Things (IIoT) will affect it. This is worth knowing as ICS is used to describe dissimilar types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes.  ICS are used in almost every industrial sector and critical infrastructure from manufacturing, transportation, energy, and water treatment to running the power grid, regulating energy use in a building or managing the process of brewing beer.

At a presentation I gave at Cyber Security 2017: Securing the Smart City of the Future I spoke about the anatomy of an attack but didn’t get into the details as to the motivation or technicalities. ICS have been with us for more than a few years but recent modernization has created new ways for these systems to communicate with their controller. This has improved overall productivity but not security. New security issues have arisen that can be exploited by cybercriminals including:

  • Components that were not meant to be for public access are now accessible via the Internet.
  • Security and privacy features that were not considered by solution architects and engineers at design time.
  • Threat modelling not conducted either by the component manufacturer or the solution provider.
  • Products that are not required to be fully tested or assessed to provide a minimum level of assurance or security.
  • Installations that were not formally evaluated for cyber risk prior to deployment.
  • An implicit trust at the systems operational level that all components are safe.

Increased aggressive targeting of these will impact many areas including smart cities, smart manufacturing, smart infrastructure projects and even our soon-to-be smart homes and cars unless we can get control of these issues. In many of these attacks, data risk is the least of our worries, as they could potentially result in injury or death. To deal with this comprehensively, everyone in the product and service chain must play their part:

  1. Manufacturers need to ensure that their products are designed with security, privacy and safety in mind. This includes a multitude of aspects depending on the product being developed. Only through comprehensive threat modelling at design time will they fully understand how attacks can happen in the field and the necessary controls that will be required.
  2. Implementers need to conduct security testing and evaluation at all stages of the project to ensure that systems are not misconfigured or prone to attack once in the field.
  3. Customers, whether they are a city manager, a building manager or an information security manager, need to better understand the risks to their specific deployments, including how to perform Threat & Risk Assessments (TRAs) and Privacy Impact Assessments (PIAs).

Always remember that security is more than a technology you can just implement. Attempting to protect bad coding and engineering practices with a badly configured firewall will just end up in an attack succeeding.

Lastly, the authors of the article reference the NIST Security Guide for ICS; I would recommend that you also look at IEC 62443. Why? It was written so that an ICS company (vendor, implementer or purchaser) could be evaluated and tested against stringent controls for risk. This wide series of standards covers the breadth of deployment and in-field issues that need to be considered and assessed against. It forces all parties involved to get their act together and ensure they have important aspects in place, such as integrating activities across the Software Development Life Cycle (to help discover and reduce vulnerabilities early and build security in) and operational security policies and procedures. You might be surprised how many don’t.


IoT is Active and Moving. Are you?

The U.S. Department of Commerce recently cited that 200 billion connected devices will be deployed by 2020 with an accompanying economic impact in the trillions by 2025. This Internet of Things (IoT) represents a major transformation in a digital world that has the potential to affect everyone and every business.  As a result many companies are moving ahead on IoT projects with little consideration to the security or privacy issues that accompany IoT.

Many companies, however, do not have a specific solution in place to secure IoT devices, and some may not know if they have security policies on their devices. ForeScout® Technologies, Inc. recently announced the findings of its new “Enterprise Internet of Things (IoT) Survey.” This survey of 350+ Information Technology (IT) professionals assessed their organizations’ IoT security practices. The research revealed that while the majority of respondents acknowledge the growing number of IoT devices on their networks, they are unaware of how to properly secure them. Moreover, 85 percent of survey respondents lacked confidence in their ability to see connected devices as soon as they joined their networks, and almost a quarter of survey respondents said that they weren’t confident at all. When connected devices are left out of the security sphere, an organization’s attack surface becomes that much more vulnerable. The excuses for this scenario are many and the users of these companies’ solutions are potential digital crime victims, many of whom are never notified or even aware of the risks and dangers.

Today there is an added risk: spying. As the Internet of Things (IoT) becomes more commonplace, more valuable data will be accessible through an ever-widening selection of entry points. Not only to hackers, but also to spy agencies like the National Security Agency (NSA). So what is a developer or solution provider to do? Well, it starts at the concept stage of considering how data is collected, processed, stored and destroyed. This is not only a software consideration but also a hardware one. At a high level, here is where you need to start:

  1. What do your company policies and procedures state about your systems development life cycle (SDLC)?
  2. Does your SDLC provide, at the design/concept stage, allocations for a Privacy Impact Assessment (PIA) and Technical Risk Assessment (TRA)?
  3. Are your developers/programmers given security training?
  4. Do you perform background checks on developers/programmers?
  5. Where do you store your source code? And who has access to it?
  6. Where are your components sourced from and have you validated the firmware on these components and integrated circuits?
  7. Have you assessed the Third Party libraries for security issues and coding practices?
  8. Did you perform “threat modelling” of the proposed solution?

All of these aspects need to be considered as they are a benchmark for all of your solutions and must become part of your business culture. This also includes documenting all aspects of these elements, especially for meetings that deal with design decisions. Maintain a decision log/registry that is tied to the project. This can be referenced if and when a breach happens. It can also save your a$$ to prove you did the due diligence at design time. Your dev-ops, designers, and testers need to eat, think and breathe private and secure design. Doing this up front will not only greatly reduce costs in the back end for support but also help avoid possible lawsuits.

At TwelveDot our goal is to help companies that are struggling to secure their mobile, cloud and IoT solutions. Connect with us to see how we can help you solve your security challenges.


Our Approach to Security is All Wrong

When I look at the time, money and resources used to protect digital assets, I start to wonder, as many executives do: when are we going to see a turning point or an ROI?

While the problem is complex, I believe the lowest common denominator is software and more specifically the lack of time we spend testing and analyzing it prior to shipment. With many companies in a race to get to market, security and privacy are always the last thing that is considered. Many believe it gets in the way of productivity. If you want to see a disaster happening, look at all the IoT solutions with little consideration to security and privacy. Then consider all the data breaches that have happened recently. Many of these data breaches were the result of someone taking advantage of bad code to get access using an insider.

As we continue to develop substandard code, we then spend billions on security technologies in an attempt to protect it. It seems crazy when you think about it this way. You cannot protect flawed software; it is near to impossible because without user training and detection systems there is no one to deal with signs that a system has been compromised.

I also look at how over 20+ years the expectations of software developers have changed considerably. When I first started my career I did LOTs of programming. We did not have the Internet to provide us code samples; we had to learn the language and its nuances. We also had constraints on HW given the cost of memory and systems back in the day. You had to write good clean code.

Today, when many developers hit a snag, they will search Google and perform a CTRL-C + CTRL-P…..problem fixed. In the old days we used to have structured walk-throughs and spend more time in design to figure out the code logic. Today, programmers will use 3rd party libraries and SDKs without any consideration of the security implications. Specifically, where did it come from and who has touched it?

So how do we fix this mess? Well, with small steps and a change in our mindset about how we consider software in our society. Namely, we have to do the following:

  1. Make security part of our companies and organizations. Using an ISMS provides the basis for this regardless of the widget you build. Every company is different and will have to cater their ISMS to their specific risk profile.
  2. Once done you need to determine how you build your widget. This requires the use of an SDLC to identify the threats to the widget and how you plan to dispose of all the data that this widget might collect over its usable life. These need to be fully understood prior to ever writing a line of code, and document, document and document. These become auditable elements later in the life of the widget. They also serve as education material for new team members as the team grows and changes.
  3. As the first versions of the widget are created they need to be evaluated to ensure the identified threats are sufficiently addressed. Spending this time now will save you costs down the road…..trust me.
  4. Prior to production release, ensure the widget gets a final assessment to ensure all risks are known including residual risk(s).
  5. When the widgets are in-field they need to be monitored for signs that they have been targeted for compromise. The process for this would have been created under your ISMS and will drive how your organization will handle these reports.
  6. If these are reported it is important to evaluate them and if deemed relevant then address them as possible. If you designed your widget correctly it will have a method to perform in-field updating. This includes notifying users of the update.
  7. At this point, you just need to repeat this process for every revision of the widget. As the company changes you will have to ensure the ISMS is updated to deal with the growing nature of your business operations.

Only by addressing the current approach to software development can we reduce the current risk landscape for all businesses, consumers and governments who use this vulnerable software. With vulns being found and not disclosed, they are the nuggets that are used by the digital underground to prosper. Fixing software will help reduce the targets so your widget is not targeted but your competitor’s is. Let a secure, cost-effective widget be your competitive advantage.