Clerkendweller : Web Security, Usability and Design

Phishing Metrics

2012-05-16T08:55:00+01:00

The Anti-Phishing Working Group has published its latest bi-annual Global Phishing Survey of Domain Name Use and Trends.

Key metrics from Global Phishing Survey: Domain Name Use and Trends in 2H2011, which analysed 83,000 attacks against users of banks, e-commerce sites, social networking services, ISPs, government tax bureaus, online gaming sites, postal services, securities companies, etc include:

The average uptime of phishing websites is 2 days
The top 20 targets accounted for 78% of the world's phishing attacks
Chinese e-commerce websites are the primary global target
Phishers attacking Chinese institutions were responsible for 70% of all malicious domain name registrations made in the world
93% of the malicious domain registrations were in just four TLDs: .TK, .COM, .INFO, and .IN.

The report is available as a free PDF download from their website, together with details about reporting phishing attacks, APWG's educational activities and projects, including the e-Crime Reporting and Incident Sharing Project.

Logging Strategically

2012-05-13T10:21:00+01:00

Last month I discussed application logging from an implementation viewpoint. Rafal Los (Wh1t3Rabbit) has published a helpful series of posts on his Following the White Rabbit blog regarding the drivers, motivation and strategic considerations when undertaking application logging.

a series of posts ... that will cover the untapped wealth that is your corporate logs

The four posts are:

My own implementation notes are written up in the OWASP Application [Security] Logging Cheat Sheet.

Application Security Training and Conference

2012-05-08T08:38:00+01:00

Yesterday, the training programme was announced for OWASP AppSec Research 2012 in Athens, Greece.

This is Europe's premier application security event, and I am very pleased to have been selected to provide the course Application Attack Detection & Response A Hands-on Planning Workshop, which I developed for, and delivered in, AppSec USA 2011 in Minneapolis. The course participants last year were very generous in their positive feedback, and I have made some minor modifications to the running order based on their comments.

The course lasts a single full day and is suitable for technical members of development teams (e.g. software architects, lead developers), development management and those involved with procurements of software applications. Participants who already have some familiarity with common web application attacks will gain most from the day. It will follow the structure:

Course Introduction
Preliminary Requirements
Application Logging Practices
Standard Detection Points
Custom Detection Points
Model Creation
Model Optimisation
Attack Analysis
Response Actions
Response Threshold Specification
Implementation Plan
Optional Course Assessment Test

Paper-based exercises will be undertaken in small teams of between 4 and 6 people, to develop application intrusion detection and protection (IDP) plans. Each exercise during the day will be the continuation of the previous one, so the teams build up a complete IDP plan for an example project.

On the next day (11th July), I would recommend the course Elite Web Defense How to Build Robust and Secure Web Applications, which will complement my course very well. It is being given by two well-respected application security experts — Jim Manico and Eoin Keary — and who are both great trainers.

Following the training, there is a two day conference programme, which will be announced in due course.

Information Security Breaches Survey 2012

2012-05-06T10:22:00+01:00

The week before last, PwC/BIS published the 2012 UK Information Security Breaches Survey.

45% of large organisations breached data protection laws in the last year (and this happened at least once a day at one in ten of them)

The report contains plenty of useful data, and helpfully the findings are generally grouped by smaller and larger organisations to aid understanding of their significance to other groups. It is difficult to tease application-specific data from the report. I probably found the pages about the impact of serious security breaches where business disruption and incident response costs, direct, indirect and reputational costs are described. "Serious" was not defined and left to the respondents to decide what it meant to them. The total costs of an incident was found to be £15,000-£30,000 for small businesses and £110,000-£250,000 for large organisations.

The usual warnings apply about understanding the survey respondent base (see page 1 of the report), and any bias in the questions or data relating to the statistics shown.

OWASP London Environs AppSec Double-Bill

2012-05-01T21:56:00+01:00

Next week there are two London-based Open Web Application Security Project (OWASP) events.

On Thursday 10th May, there is an Application Security One-Day Conference organised jointly with ISSA UK. It is being held at Bletchley Park from 09:45 hrs and is free to members of OWASP London, ISSA-UK and the Charities Security Forum (CSF). Prior registration is required. The presentations include:

ISO/IEC 27034-1 and OpenSAMM software assurance frameworks
Third party application analysis
OWASP Mobile Top Ten
HTML5 web security
Cost & business justification models for AppSec

There is also an opportunity for a guided tour of Bletchley Park to see the site of the secret British code-breaking activities during WWII and birthplace of the modern computer.

In the evening there is another OWASP event organised by OWASP Royal Holloway University of London (RHUL) at RHUL's main campus in Egham. The presentations start at 18:30 hrs and will be about:

Websecurify web security testing technology
Online habits and digital trails
Making security invisible for developers

There is just about time to attend both meetings for a very full and informative day.

Security B-Sides London and Mobile Phone Apps

2012-04-29T20:52:00+01:00

On Wednesday (25th April 2012) I attended Security B-Sides London, held at the rambling and inelegant Barbican Centre in central EC1, and which overlapped with the schedule for Infosec Europe way out on the west side of London.

I must say the two cinemas used for the day's presentations were most suitable, with good visibility, clear sound systems and comfortable seating. The organisers should be thanked for planning and executing such a great day. Every session I went to was of a high quality and in each I learned new things. I listened to Stephen Bonner talking about elegant security, Ian Maxted about social engineering, Thorn Langford about site-based risk assessments, Brian Honan on getting the security message across to senior management, Abraham Aranguren on exploratory web application testing and Sandro Gauchi on escalating privileges in web applications.

However, I'd like to focus on two mobile phone app related sessions by David Rook (aka Security Ninja). David is well known for his generous contributions to the application security community, especially his efforts to promote secure development principles, Agnitio the code review tool and Windows Phone App Analyser.

His presentation about Windows Phone 7 Platform and Application Security Overview was the only talk I actually took extensive notes at during the day. Following an introduction to Windows 7 place in the market and development using Visual Studio using the .Net compact framework, he discussed platform and application security in detail. Wonderful. It will save me days of research. I think he mentioned on Twitter, that the slides will be made available online shortly.

Mid-afternoon I attended his workshop on using his self-built software tool Agnitio, which helps arrange, track and monitor code review processes within development teams. The focus of the workshop was to walk through version 2.1 and especially the in-built code searching and examination functions. These can be used to help identify higher-risk functionality, or code which has to meet development guidelines, using a powerful extensible list of patterns cross-referenced to the code review checklist items. The tool has improved greatly since I last reviewed it in 2010, and I am looking forward to using it to develop custom checks for some of my clients. I was very impressed with its ability to decompile Android code and then run a standard set of tests against it.

Both Agnitio and Windows Phone App Analyser are free to download and use.

David Rook had won SC Magazines' Rising Star Award the previous evening. It was much deserved, and I must say reflects very well on Realex Payments who appear to be supportive of his activities to improve application security — and clearly not just within their own company, but for their customers, competitors and the wider market. I am sure many other companies would not be so enlightened.

Guide to Application Security Event Logging

2012-04-23T22:31:00+01:00

Application logging, and in particular, application security logging may not sound the most exciting of subjects, but it really can be a very useful tool that helps during development and operation.

If you remember, I have written about application security logging a number of times before. I have now consolidated all that information, and more, into a new document for the OWASP cheat sheet series about application logging that explains the benefits and details:

Design, implementation and testing
- Event data sources
- Where to record event data
- Which events to log
- Event attributes
- Data to exclude
- Customisable logging
- Event collection
- Testing
Deployment and operation
- Release
- Operation
- Protection
- Monitoring of events
- Disposal of logs

The cheat sheet guide is a wiki page, so if you have any contributions, please add them. If you know any other good reference articles, I would like to hear about them.

This week I will be at Security B-Sides London, which my company is co-sponsoring. If you are there too on Wednesday, say hello.

Website Security ICO Enforcement Action Roundup

2012-04-21T13:18:00+01:00

The UK's Information Commissioner's Office (ICO) publishes details of its prosecutions, monetary penalties, undertakings and enforcement notices.

This week, two additional undertakings were published:

Brecon Beacons National Park Authority for disclosure of personal data via its web site in two separate cases (undertaking, 18th April 2012)
Toshiba Information Systems UK Ltd for unrestricted access to the personal data of 20 customers on its web site over a two-month period (undertaking, 17th April 2012)

The Toshiba incident is interesting because it specifically mentions lack of access control and the weakness of insecure direct object references. There's a good write-up about the Toshiba issue on the Web Application Security - From the Start blog.

The other most recent ICO actions relating to web sites (rather than paper, laptops, USB devices, email, fax, etc) were:

Durham University's disclosure of personal data via its web site (undertaking, 1st March 2012)
Dumfries and Galloway Council's disclosure of employee personal data online (undertaking, 17th October 2011)
Child Exploitation Online Protection Centre (CEOP) and the Serious Organised Crime Agency (SOCA) for lack of encryption in transit of extremely sensitive data when using a web form (undertaking, 15th September 2011)
Lush Cosmetics personal data and cardholder data loss via its ecommerce web site (undertaking, 9th August 2011)
Andrew Jonathan Crossley/ACS Law loss of data from its web site (monetary penalty notice, 10th May 2011)

What can we learn about the ICO's specific expectations for organisations' online application compliance with the seventh data protection principle to protect against unauthorised and unlawful processing, accidental loss, destruction, and/or damage? The enforcement notices above suggest:

There must be a policy for processing of personal data and staff must be made aware of it and given training which is monitored (Durham University)
There must be a policy for the retention, storage and use of personal data and staff must be trained how to follow the policy (Brecon Beacons NPA)
Publication of information must not contravene any relevant legislation regarding information disclosure (Brecon Beacons NPA)
Some personal data (organisation dependent) must never be published on a website (Durham University)
Access to personal data must require authentication and must have adequate authorisation checks (Brecon Beacons NPA, Toshiba, Dumfries and Galloway Council)
Security of personal data must be considered when selecting suppliers of services (Andrew Jonathan Crossley/ACS Law)
Third parties involved with developing/maintaining/operating web sites must be made aware of their requirements and responsibilities for protecting personal data (CEOP/SOCA)
Contracts with third parties must define data protection responsibilities (CEOP/SOCA)
There must be regular checks to ensure web sites remain secure, and any potential weaknesses must be identified very promptly (CEOP/SOCA)
There must be measures in place, appropriate for the potential harm that could occur, to prevent accidental personal data loss (Andrew Jonathan Crossley/ACS Law)
The risk to online systems must be re-assessed as threats change (Andrew Jonathan Crossley/ACS Law)
Compliance with data protection and IT security policies must be verified and monitored (Durham University, Dumfries and Galloway Council)
Expert advice must be sought when large amounts of personal data are being stored, processed or transmitted online (Andrew Jonathan Crossley/ACS Law)
The findings of audits and security reviews must be assessed by management and implemented or the risk formerly accepted (Dumfries and Galloway Council, CEOP/SOCA)
There must be technical measures to detect authorisation failures (Toshiba)

We can also draw additional expectations from the ICO's Data Sharing Code of Practice section on security. Those might be summarised as:

Technical security measures must be appropriate for the system in use and the type of data held and processed (Data Sharing Code of Practice)
When data encryption is used, it must be selected, implemented and managed appropriately (Data Sharing Code of Practice)
The most common security risks must be identified (Data Sharing Code of Practice)
There must be suitable access control (authentication, authorisation and session management) with appropriate assignment of privileges based on a "need-to-know" basis (Data Sharing Code of Practice)
Information in transit must be protected (Data Sharing Code of Practice)

These are just my own interpretation and of course. They will not be all the ICO's expectations, but are the ones which we are now aware of. Additionally, data in online applications may also be exposed in related processes (often email, or transfers between systems, and during development, testing and operation where data may exist on paperwork, in mobile devices and in archives & backups). Examine the other enforcement notices for the ICO's expectations in these other channels.

If you want to keep up-to-date with application (and other) data loss incidents that subsequently lead to regulatory action in the UK (typically by the FSA or ICO), use Breach Watch. For further afield, the Web Hacking Incident Database (WHID).

Data Breach Investigations Report 2012

2012-04-17T19:05:00+01:00

At the end of March, Verizon published their 2012 Data Breach Investigations Report. Again it is packed full of useful, well-presented, data.

The report shows that many breaches are the results of more than one threat action (malware, hacking, social, misuse, physical, error and environmental). However, hacking accounted for 81% (58% for larger organisations with over 1,000 employees) of breaches and 99% of data records (same for larger organisations), and as the chart above (Figure 22) shows remote access/desktop services was the most common hacking vector, followed by backdoor or control channel, and thirdly web applications.

Figures 32 and 33 provide some great data on the scale of records lost for different varieties of data (authentication credentials, bank data, classified, copyright, medical information, organisation data, payment card data, personal data, systems information, trade secrets). From these we can get a feel for the average size of a breach for each data type. Unsurprisingly the number of records lost per "trade secret" event is about 1. For personal data it is around 2 million.

The data on timespan of events by percent of breaches (Figure 40) continues to show the short time from initial attack to initial compromise and initial compromise to data exfiltration (both in minutes), the long average time to discovery (several weeks), and from then until containment/restoration (weeks).

There is perhaps too much emphasis on counts of records lost, but of course this is a "data breach" report. The report states that it makes "no claim that the findings of this report are representative of all data breaches in all organizations at all times ". There is clearly a heavy bias to retailers (e.g. type of staff roles, recommendations referencing point of sale), and thus those organisations within scope of standards from the Payment Card Industry Security Standards Council (PCI SSC). However, data was gathered not only from Verizon but also from Australian Federal Police, the Dutch National High Tech Crime Unit, the Irish Reporting and Information Security Service, the UK's Police Central e-Crime Unit, and the United States Secret Service. So it is not just Verizon's paying clients.

Remember, you don't need to lose data to have an incident or a loss. I'd like to see reports titled:

2012 Attacks Without Data Loss Investigations Report
2012 Data Alteration and Destruction Report
2012 Breachless Fraud & Misuse Report
2012 Undetected Incidents Report
2012 Service Unavailability Investigations Report
2012 Reputation, Risk and Resolve

We have that data, yes? Oh, ...maybe not.

Cloud Service Provider Monitoring

2012-04-13T08:20:00+01:00

The European Network and Information Security Agency (ENISA) has published a new guide on monitoring the security of cloud services throughout the project life-cycle.

Procure Secure: A Guide to Monitoring of Security Service Levels in Cloud Contracts defines an ongoing security monitoring framework comprised of:

Service availability
Incident response
Service elasticity and load tolerance
Data life-cycle management
Technical compliance and vulnerability management
Change management
Data isolation
Log management and forensics

The concept is to provide continuous cloud-specific service level metrics in-between one-off or periodic assessments (e.g. using information technology audit standards such as ISO 2700x, SSAE 16 or ISAE 3402). For each suggested monitoring parameter examples are provided to help guide what to measure, how to measure it, how to obtain independent measurements, alerting & reporting thresholds and customer responsibilities.

Although there is a focus on public procurement, the issues are equally relevant in the private sector. There is also a 9-page checklist guide to the document "if you have little time available".

Subject Access Requests and Disproportionate Effort

2012-04-10T07:56:00+01:00

What functionality do your applications include to support subject access requests? During operation and after decommissioning?

The concept of disproportionate effort in section 8(2) of the Act applies only to the task of responding to a subject access request by providing a copy of the information in permanent form. It does not apply to the effort required to locate the personal data.

At the end of last month the UK's Information Commissioner's Office (ICO) published updated guidance on what is meant by the term "disproportionate effort" under an organisation's obligation to comply with subject access requests.

The ICO recognises that searching for personal data on live systems should be easier, that doesn't negate the need to identify relevant personal data in terminated, offline, backup and archival systems and locations. Data controllers can only use the "disproportionate effort" qualification in respect of "supplying a copy", not in regard to "locating" the information in the first place.

Under the UK's Data protection Act 1998, organisations processing personal data must comply with the eight data protection principles

So, apart from ensuring the personal data your applications are processing is being processed fairly and lawfully, has been obtained for one or more specific purposes, is adequate, relevant and not excessive, is accurate and, where necessary, kept up to date, is not be kept for longer than is necessary, is processed in accordance with the rights of data subjects and is secure... do you applications allow for accurate data identification and extraction? How do your applications track where data are exported to?

Quite a collection of requirements there then.

ISO/IEC 27034 Application Security

2012-04-07T11:06:00+01:00

ISO/IEC 27034 Application Security is an international standard designed to help organisations build security into their application software development life cycles (SDLCs).

ISO/IEC 27034-1 — Part 1: Overview and Concepts — was published in November 2011 and we are awaiting the completion and publication of the remaining parts:

ISO/IEC 27034-2 - Organization Normative Framework (ONF)
ISO/IEC 27034-3 - Application security management process
ISO/IEC 27034-4 - Application security validation
ISO/IEC 27034-5 - Protocols and application security control data structure
ISO/IEC 27034-6 - Security guidance for specific applications

Today, over on the Open Software Assurance Maturity Model (SAMM) blog, I published a mapping cross-referencing SAMM business functions and practices with ISO/IEC 27034.

ISO/IEC 27034-1:2011 Application Security Part 1 can be bought from International Organization for Standardization (ISO) or national standards bodies.

HTML5 Security

2012-04-04T08:09:00+01:00

Two of my posts last year concerning HTML5 security information sources appeared to be amongst the most popular entries on this blog. In October I mentioned three important well-maintained HTML5 Security resources, and in December an extensive Guide to HTML5 Security.

If you would prefer a slighter higher-level overview of the issues and types of attack, or need inspiration for your own security verification work, I would also recommend reading HTML5 Security - A Look at HTML5 Attack Scenarios by Robert McArdle (Trend Micro).

Application Security Gap Study

2012-03-30T09:20:00+01:00

A new report from Ponemon Institute describes the results from a survey of developers and information security employees in the United States.

Key finding: Application security is often not a priority

2012 Application Security Gap Study: A Survey of IT Security & Developers provides useful data on the viewpoints from these important groups, and of course isn't necessarily encouraging reading. A very small proportion of the IT security budget is spent on application security, most do not have a standardised way of building security into new applications and security is most often addressed in later stages of the software development life cycle (SDLC). See the overview on the ISACA website.

The information could be used to help compare secure software development life cycle (S-SDLC) maturity, but the input of other groups such as product owners, architects, testers, QA, audit and operations would also provide useful data, and hopefully senior management might be able to provide an oversight of the all the processes and the organisation's needs and risk profile.

Privacy Economics

2012-03-27T07:45:00+01:00

ENISA, the European Network and Information Security Agency, has published a report on the economics of privacy.

Study on Monetising Privacy - An Economic Model for Pricing Personal Information examines approaches used to analyse the interaction of personalisation, privacy concerns and competition between online service providers. The report describes existing work on the economics of privacy, discusses a theoretical model and the results of experiments to validate versions of different the model.

The research found that consumers are making economic decisions based on personal data exposure, but there is a need for flexibility from regulators and transparency in services, to enable a more efficient privacy market.