<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Insights</title>
	<atom:link href="http://breachinsights.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://breachinsights.wordpress.com</link>
	<description>A blog by Breach Security</description>
	<lastBuildDate>Thu, 01 Apr 2010 23:17:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='breachinsights.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Insights</title>
		<link>http://breachinsights.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://breachinsights.wordpress.com/osd.xml" title="Insights" />
	<atom:link rel='hub' href='http://breachinsights.wordpress.com/?pushpress=hub'/>
		<item>
		<title>DEAR corporate executive – Drop Everything And Read</title>
		<link>http://breachinsights.wordpress.com/2010/04/01/dear-corporate-executive-%e2%80%93-drop-everything-and-read/</link>
		<comments>http://breachinsights.wordpress.com/2010/04/01/dear-corporate-executive-%e2%80%93-drop-everything-and-read/#comments</comments>
		<pubDate>Thu, 01 Apr 2010 23:17:15 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://breachinsights.wordpress.com/?p=68</guid>
		<description><![CDATA[By Sanjay Mehta Posted 4/1/2010 I highly recommend reading a report published yesterday titled The Financial Management of Cyber Risk. This 76 page document is the result of industry and government cooperation and provides a practical and comprehensive guide for management of cyber risk. This document covers the following topics: the cost of a data [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Sanjay Mehta<br />
Posted 4/1/2010</em></p>
<p>I highly recommend reading a report published yesterday titled <a href="http://webstore.ansi.org/cybersecurity.aspx" target="_blank">The Financial Management of Cyber Risk</a>.   This 76 page document is the result of industry and government cooperation and provides a practical and comprehensive guide for management of cyber risk.  This document covers the following topics: the cost of a data breach, creating an organizational culture of security, recommended processes, incident response planning and much more.  This framework should be required reading for corporate executives&#8230;not just CISOs and security executives.  Download&#8230;.and please let me know what you think.</p>
]]></content:encoded>
			<wfw:commentRss>http://breachinsights.wordpress.com/2010/04/01/dear-corporate-executive-%e2%80%93-drop-everything-and-read/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>
	</item>
		<item>
		<title>To Disclose or Not to Disclose&#8230;it really shouldn&#8217;t be a question</title>
		<link>http://breachinsights.wordpress.com/2010/03/31/to-disclose-or-not-to-disclose-it-really-shouldnt-be-a-question/</link>
		<comments>http://breachinsights.wordpress.com/2010/03/31/to-disclose-or-not-to-disclose-it-really-shouldnt-be-a-question/#comments</comments>
		<pubDate>Wed, 31 Mar 2010 22:36:32 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://breachinsights.wordpress.com/?p=63</guid>
		<description><![CDATA[By Sanjay Mehta Posted 3/31/2010 According to a recent article in Dark Reading entitled Organizations Rarely Report Breaches to Law Enforcement, we still have a long way to go in the battle to secure our networks. The facts are simple, malicious users work collaboratively on their exploit tactics while the majority of corporations/vendors work alone [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Sanjay Mehta<br />
Posted 3/31/2010</em></p>
<p>According to a recent article in Dark Reading entitled <a href="http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=224200824" target="_blank">Organizations Rarely Report Breaches to Law Enforcement</a>, we still have a long way to go in the battle to secure our networks.  The facts are simple: malicious users work collaboratively on their exploit tactics while the majority of corporations/vendors work alone on maintaining individual network security.  There is a sophisticated underground community of hackers that share vulnerability information, attack vectors and patterns, login credentials, and the like.  This community of for-profit hackers is well aligned to wreak havoc, sometimes widespread and other times very well targeted.  Their two biggest advantages come down to a single word&#8230;.sharing.  Hackers are constantly sharing, while those trying to stop hackers aren’t sharing enough in terms of frequency and substance.</p>
<p>Despite the good efforts of law enforcement (local, state, Fed) and regulations (industry and governmental), as a society we still have a general unwillingness to disclose (in)security information.  Data breaches result in form letters and free credit monitoring.  Organizations keep their security partners/vendors in virtual stovepipes even though an integrated defense-in-depth approach is a well accepted best practice.  Capitalism prevents organizations from sharing “secrets” (aka attack data, detection/prevention techniques) that might just benefit the common good.  Everybody seems to be fighting their own little battle on an individual front while the bad guys continue to win the war.</p>
<p>Breach is actively working with industry leaders, application security experts, the open source community, and our partners to share vulnerability and protection information and techniques.  Breach Security Labs is conducting leading edge research on web hacking and sharing that information in our semi-annual reports and more frequent blogging and tweeting.  We invite you to join us and encourage you to establish your own sharing forums.  <strong>It’s time for the good guys to start collaborating.</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://breachinsights.wordpress.com/2010/03/31/to-disclose-or-not-to-disclose-it-really-shouldnt-be-a-question/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>
	</item>
		<item>
		<title>Ready To Get Rugged?</title>
		<link>http://breachinsights.wordpress.com/2010/03/23/ready-to-get-rugged/</link>
		<comments>http://breachinsights.wordpress.com/2010/03/23/ready-to-get-rugged/#comments</comments>
		<pubDate>Tue, 23 Mar 2010 20:53:43 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://breachinsights.wordpress.com/?p=59</guid>
		<description><![CDATA[By Sanjay Mehta 3/23/2010 Have you heard about Rugged Software? Do you believe? Are you embracing it personally and within your organization? To take a web application specific view on this, here is the problem: Code is complex, web applications are dynamic. Hackers are more sophisticated, more collaborative, and more driven by cold hard cash. [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Sanjay Mehta<br />
3/23/2010</em></p>
<p>Have you heard about Rugged Software?  Do you believe?  Are you embracing it personally and within your organization?  To take a web application specific view on this, here is the problem:</p>
<ul>
<li>Code is complex, web applications are dynamic.</li>
<li>Hackers are more sophisticated, more collaborative, and more driven by cold hard cash.</li>
<li>Performance and availability trump security in the eyes of most application owners and developers.  You can’t win when playing with a losing hand.</li>
<li>Web application security experts are scarce in both application development and security teams. </li>
<li>Finding vulnerabilities is interesting, blocking attacks is more interesting, real and lasting remediation is most interesting.  Easier said than done, of course, when you have millions of lines of code and you don’t own or have code-level access to many mission critical applications.</li>
<li>The list of challenges goes on&#8230;.and on&#8230;.</li>
</ul>
<p>To secure our application infrastructure, we need to change how we think.  We need to build a culture of security inside organizations.  We need to collaborate at least as well, ideally better, as our adversaries do.  We need to focus on long-term solutions, not band-aids to discovered vulnerabilities.  We need to think in terms of overall risk management; not just security, not just compliance&#8230;but risk.</p>
<p>The spirit of Rugged Software is not new to Breach.  In fact, over the last few years we have participated in hundreds of conversations with customers, partners, and industry leaders about the need for a paradigm shift.  We need to break away from the reactive world of detection and prevention.  We need to embrace a world around holistic risk management where security is a deeply ingrained part of the corporate culture from design and development through production.  We need mission critical web applications to be Rugged in terms of security, application health, compliance, performance and the list goes on.  We need to hold ourselves and our partners to a higher standard.  I am pleased that the folks behind Rugged have formalized this important initiative.  I encourage you to learn more and to Make It Rugged.</p>
]]></content:encoded>
			<wfw:commentRss>http://breachinsights.wordpress.com/2010/03/23/ready-to-get-rugged/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>
	</item>
		<item>
		<title>Past the Point of PCI</title>
		<link>http://breachinsights.wordpress.com/2010/03/04/past-the-point-of-pci/</link>
		<comments>http://breachinsights.wordpress.com/2010/03/04/past-the-point-of-pci/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 16:33:15 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://breachinsights.wordpress.com/?p=46</guid>
		<description><![CDATA[By: Sanjay Mehta March 4, 2010 This week’s RSA Conference pinpointed a common problem surrounding PCI compliance: companies treat compliance as a point in time. Specifically, once PCI compliance is “achieved” via an audit or code review, IT professionals move on to the next priority and maintaining compliance is forgotten. Many companies fail to understand [...]]]></description>
			<content:encoded><![CDATA[<p><em>By: Sanjay Mehta<br />
March 4, 2010</em></p>
<p>This week’s RSA Conference pinpointed a common problem surrounding PCI compliance: companies treat compliance as a point in time. Specifically, once PCI compliance is “achieved” via an audit or code review, IT professionals move on to the next priority and maintaining compliance is forgotten.</p>
<p>Many companies fail to understand that audits and code reviews are outdated the moment they are completed. Web applications continue to be developed and altered, and as a result, continued compliance can’t be ensured with the “one-time look” that occurs with audits and code reviews. And it would certainly be cost-prohibitive to conduct an audit or review with each application change.</p>
<p>Fortunately, continuous PCI compliance can be achieved using a web application security solution that provides real-time, continuous security for all protected web applications. In addition, Breach WebDefend secures the entire web application, provides factual information on vulnerabilities and serves as a “virtual patch” that protects each application’s vulnerabilities.</p>
<p>In today’s compliance landscape, it’s simply not enough to know that a problem exists. Sophisticated web application security solutions help companies mitigate problems. Organizations need to have a real-time solution – not just a single look in time – to be truly secure and PCI compliant.</p>
<p>Here is more information on how vulnerability scans and code reviews compare to web application firewalls:</p>
<table style="width:499px;height:244px;" border="1" width="499">
<tbody>
<tr>
<td><strong>Vulnerability Scans and Code Reviews</strong>
<ul>
<li>Looks at one web application at a single point in time.</li>
<li>Must be repeated for each application change.</li>
<li>May not cover every line of code.</li>
<li>Can result in inconsistent findings due to vendor interpretations.</li>
<li>Does not fix vulnerabilities that are found.</li>
<li>Is expensive.</li>
</ul>
</td>
<td><strong>vs.</strong></td>
<td><strong>Web Application Firewalls</strong>
<ul>
<li>Provides real-time, continuous security for all protected web applications.</li>
<li>Profiles each application’s acceptable behavior and automatically learns changes.</li>
<li>Secures the entire web application.</li>
<li>Provides factual information on vulnerabilities.</li>
<li>Serves as a “virtual patch” that protects each application’s vulnerabilities.</li>
<li>Offers immediate ROI.</li>
</ul>
</td>
</tr>
</tbody>
</table>
]]></content:encoded>
			<wfw:commentRss>http://breachinsights.wordpress.com/2010/03/04/past-the-point-of-pci/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>
	</item>
		<item>
		<title>Protect the Brand, Restore the Trust</title>
		<link>http://breachinsights.wordpress.com/2010/03/03/protect-the-brand-restore-the-trust/</link>
		<comments>http://breachinsights.wordpress.com/2010/03/03/protect-the-brand-restore-the-trust/#comments</comments>
		<pubDate>Wed, 03 Mar 2010 16:25:35 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://breachinsights.wordpress.com/?p=43</guid>
		<description><![CDATA[By Sanjay Mehta February 3, 2010 An increase in identity theft and online data breaches, such as the Heartland Payment Systems breach, has left consumers distrusting of online transactions and corporate data security safeguards. This message has resounded in the halls of this week’s RSA Conference. Many factors contribute to consumers losing faith in the [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Sanjay Mehta<br />
February 3, 2010</em></p>
<p>An increase in identity theft and online data breaches, such as the <span style="text-decoration:underline;"><a href="http://breachinsights.wordpress.com/2010/03/01/data-breach-costs-company-23-7-million/" target="_blank">Heartland Payment Systems breach</a></span>, has left consumers distrusting of online transactions and corporate data security safeguards. This message has resounded in the halls of this week’s RSA Conference.</p>
<p>Many factors contribute to consumers losing faith in the security of online transactions. Broken links, error messages and other web application failures all play a role in a consumer’s online experience with your company. Unfortunately, what many consumers don’t know is that broken links and other failures often provide hackers with code or other information that can be used to capture sensitive cardholder and consumer data for profit. </p>
<p>This means that web application failures hurt your brand, your customers’ trust and loyalty, and the safety of their sensitive information. Real-time web application security, such as Breach’s WebDefend appliance, enables you to restore consumer trust by not only identifying, but quickly remediating vulnerable web applications. Learn more about protecting your company’s brand from web application threats by downloading this <a href="http://www.breach.com/resources/whitepapers/protecting-your-brand.html" target="_blank">white paper</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://breachinsights.wordpress.com/2010/03/03/protect-the-brand-restore-the-trust/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>
	</item>
		<item>
		<title>Our Future in the Cloud</title>
		<link>http://breachinsights.wordpress.com/2010/03/02/our-future-in-the-cloud/</link>
		<comments>http://breachinsights.wordpress.com/2010/03/02/our-future-in-the-cloud/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 16:21:33 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://breachinsights.wordpress.com/?p=39</guid>
		<description><![CDATA[By: Sanjay Mehta March 2, 2010 Cloud computing is a hot topic at this week’s RSA Security Conference in San Francisco. The amount of time the conference has designated to discuss, explore and debate the numerous security issues surrounding cloud computing is proof positive that more business – and supporting technologies – are taking place [...]]]></description>
			<content:encoded><![CDATA[<p><em>By: Sanjay Mehta<br />
March 2, 2010</em></p>
<p>Cloud computing is a hot topic at this week’s RSA Security Conference in San Francisco. The amount of time the conference has designated to discuss, explore and debate the numerous security issues surrounding cloud computing is proof positive that more business – and supporting technologies – are taking place in the cloud.</p>
<p>But as more business technologies utilize cloud computing, new opportunities have emerged for hackers and cybercriminals to exploit vulnerabilities and profit from business applications using outdated security solutions for protection. In short, the evolution of business technologies using cloud computing means that security solutions must follow suit – now.</p>
<p>Rapidly changing security needs require the benefits and advantages that Software-as-a-Service (SaaS) and cloud computing provide. Security providers that don’t leverage cloud technology are quickly becoming antiquated as all technology – business and security – moves into the cloud.</p>
<p>Using SaaS or cloud computing provides security technology with distinct technological advantages, such as making security updates and code changes instantly available to clients. In addition, new security technology needs to be developed specifically for the protection of business conducted in the cloud. The technology landscape has changed and security needs to keep up by including cloud security needs and requirements at the forefront of the development process.</p>
<p>Breach Security is working with partners, such as Akamai, to provide web application security in the cloud. For example, when deployed with Akamai’s Web Application Firewall service, Breach’s WebDefend Global Event Manager is the first web application security management solution to defend against global application security threats by enabling customers to make distributed cloud and data center defense-in-depth architectures operational.</p>
<p>Breach and Akamai are guarding their clients against security threats in the cloud. Are you protected?</p>
]]></content:encoded>
			<wfw:commentRss>http://breachinsights.wordpress.com/2010/03/02/our-future-in-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>
	</item>
		<item>
		<title>Data Breach Costs Company $23.7 Million</title>
		<link>http://breachinsights.wordpress.com/2010/03/01/data-breach-costs-company-23-7-million/</link>
		<comments>http://breachinsights.wordpress.com/2010/03/01/data-breach-costs-company-23-7-million/#comments</comments>
		<pubDate>Mon, 01 Mar 2010 23:57:55 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://breachinsights.wordpress.com/?p=35</guid>
		<description><![CDATA[By: Sanjay Mehta February 1, 2010 The fifth largest payment processing company in the U.S. recently paid a steep price for data leakage. On Feb. 18, Heartland Payment Systems announced a fourth quarter loss, missing Wall Street expectations due to settlement claims over a data breach. The financial loss was due to Heartland paying charges [...]]]></description>
			<content:encoded><![CDATA[<p><em>By: Sanjay Mehta<br />
February 1, 2010</em><br />
The fifth largest payment processing company in the U.S. recently paid a steep price for data leakage. On Feb. 18, Heartland Payment Systems announced a fourth quarter loss, missing Wall Street expectations due to settlement claims over a data breach.</p>
<p>The financial loss was due to Heartland paying charges of $23.7 million related to settlement costs over a late 2008 data security breach on Heartland&#8217;s computer network. $23.7 million to Visa credit and debit card issuers&#8230;that is a big price to pay.</p>
<p>So what should we learn from this?</p>
<ol>
<li>The network of cyber-criminals is sophisticated, and targeted cyber attacks pose a lethal threat to organizations.</li>
<li>Online business applications are easy targets. The combination of ubiquitous web access, dynamic web applications, and poor application-specific visibility in most organizations makes for fertile ground for malicious users.</li>
<li>Compliance isn&#8217;t the answer. Just checking the box and getting sign-off on a PCI ROC (report on compliance) isn&#8217;t the answer. Compliance does not lead to a good security posture. The converse, however, is true: a good security posture will lead to achieving compliance.</li>
<li>Defense-in-depth is a must, and those layers must include specific and dedicated controls for web applications. The short-cut to compliance can cut both ways. Work with vendors and partners specialized in web application security.</li>
</ol>
<p>The Heartland breach put the spotlight on PCI Compliance and the severity of financial and corporate brand damage when security systems fail. We don&#8217;t need another wake-up call.</p>
]]></content:encoded>
			<wfw:commentRss>http://breachinsights.wordpress.com/2010/03/01/data-breach-costs-company-23-7-million/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>
	</item>
		<item>
		<title>Safeguarding Your Privacy</title>
		<link>http://breachinsights.wordpress.com/2010/02/04/safeguarding-your-privacy/</link>
		<comments>http://breachinsights.wordpress.com/2010/02/04/safeguarding-your-privacy/#comments</comments>
		<pubDate>Thu, 04 Feb 2010 22:31:11 +0000</pubDate>
		<dc:creator>breachblogsanjay</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://breachinsights.wordpress.com/?p=26</guid>
		<description><![CDATA[Online privacy is on everyone&#8217;s mind, including our own. We are dedicated to protecting the privacy of our customer and prospective customer information. Breach Security’s privacy policy describes how we treat your personal information: Breach Security values and respects the customer’s or prospective customer’s expectation of confidentiality. Safeguarding the non-public personal information and the confidential [...]]]></description>
			<content:encoded><![CDATA[<p>Online privacy is on everyone&#8217;s mind, including our own. We are dedicated to protecting the privacy of our customer and prospective customer information. Breach Security’s <a href="http://www.breach.com/privacy/index.html" target="_blank">privacy policy</a> describes how we treat your personal information:</p>
<p><em>Breach Security values and respects the customer’s or prospective customer’s expectation of confidentiality. Safeguarding the non-public personal information and the confidential financial information of our customers is essential in maintaining the public trust. It is the policy of Breach Security that such confidential information acquired by the company or its employees through their employment must be held in the strictest confidence. Such information is to be held for Breach Security internal purposes only and not as a basis for gain by the company or any employee.</em></p>
<p>One of our marketing partners notified us last week that it is currently investigating a breach. This company is a well-known marketing industry ASP site where Breach Security holds a private account that stores contact names and email addresses. We are reviewing the additional preventative security steps taken by this specific vendor to ensure that these problems do not happen again. We explained this situation to a <a href="http://www.pogowasright.org/?p=7542" target="_blank">privacy blogger</a> who contacted us.</p>
<p>As a security company we are fully committed to the protection of your data and hold ourselves and our partners to the highest standards. We believe in transparency on this issue and look forward to hearing your thoughts.</p>
<p>If you have any questions about our privacy policy, please contact us at: <a href="mailto:webmaster@breach.com">webmaster@breach.com</a> or write to us at:</p>
<p>Webmaster<br />
Breach Security, Inc.<br />
2141 Palomar Airport Road, Suite 200<br />
Carlsbad, CA 92011, USA</p>
<p>We thank you for your continued support.</p>
]]></content:encoded>
			<wfw:commentRss>http://breachinsights.wordpress.com/2010/02/04/safeguarding-your-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/bf1fb93f553f9c00a95521f2c7148c02?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Sanjay</media:title>
		</media:content>
	</item>
		<item>
		<title>New SQL Injection Attack Unleashed in 2008</title>
		<link>http://breachinsights.wordpress.com/2009/02/25/new-sql-injection-attack-unleashed-in-2008/</link>
		<comments>http://breachinsights.wordpress.com/2009/02/25/new-sql-injection-attack-unleashed-in-2008/#comments</comments>
		<pubDate>Wed, 25 Feb 2009 16:52:26 +0000</pubDate>
		<dc:creator>breachinsightsdarryl</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://breachinsights.wordpress.com/?p=10</guid>
		<description><![CDATA[Submitted by Darryl Gordon 2/24/09 Our recently released Web Hacking Incidents Database (WHID) 2008 Annual Report found that a new type of SQL injection attack successfully compromised more than 500,000 web sites in 2008. Was your web site one of them? The report confirmed that the web application security landscape continued to evolve last year [...]]]></description>
			<content:encoded><![CDATA[<p><em>Submitted by Darryl Gordon 2/24/09<a href="http://www.breach.com/2008WHID" target="_blank"><img class="alignright size-full wp-image-12" title="whid2008wp" src="http://breachinsights.files.wordpress.com/2009/02/whie2008wp.jpg?w=470" alt="whid2008wp"   align="right" /></a></em></p>
<p>Our recently released Web Hacking Incidents Database (WHID) 2008 Annual Report found that a new type of SQL injection attack successfully compromised more than 500,000 web sites in 2008. Was your web site one of them? The report confirmed that the web application security landscape continued to evolve last year, with SQL injection attacks that plant malware on target web sites ranking as the #1 security attack for online criminals.</p>
<p>For most of you, protecting your customers is of the utmost concern. Breach’s WHID report noted a shift in attack methods as hackers focused more on a web site’s large customer base in 2008 instead of targeting sensitive information within the web site’s database. Unfortunately, this attack method turns a web site into a malware launching point when legitimate users visit your site.</p>
<p>It’s simply not enough to complete the occasional code review or vulnerability scan. Today’s companies need to know where the threat or defect is, and know that they’re protected. To download a copy of the WHID report, please visit <a href="http://www.breach.com/2008WHID" target="_blank">www.breach.com/2008WHID</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://breachinsights.wordpress.com/2009/02/25/new-sql-injection-attack-unleashed-in-2008/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/245124dec985a00272a4ac02528ff25d?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">breachinsightsdarryl</media:title>
		</media:content>

		<media:content url="http://breachinsights.files.wordpress.com/2009/02/whie2008wp.jpg" medium="image">
			<media:title type="html">whid2008wp</media:title>
		</media:content>
	</item>
		<item>
		<title>Protecting Payment Processors</title>
		<link>http://breachinsights.wordpress.com/2009/02/05/protecting-payment-processors/</link>
		<comments>http://breachinsights.wordpress.com/2009/02/05/protecting-payment-processors/#comments</comments>
		<pubDate>Thu, 05 Feb 2009 19:38:10 +0000</pubDate>
		<dc:creator>breachinsightsdarryl</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://breachinsights.wordpress.com/?p=8</guid>
		<description><![CDATA[Submitted by Darryl Gordon 1/28/09 On January 20, 2009, Heartland Payment Systems Inc. disclosed that they were the latest victim of an immense data breach. Seeing as Heartland processes more than 100 million card transactions per month, this breach will likely surpass the size of the TJX Companies 2007 breach. They are still researching the [...]]]></description>
			<content:encoded><![CDATA[<p><em>Submitted by Darryl Gordon 1/28/09</em></p>
<p>On January 20, 2009, Heartland Payment Systems Inc. disclosed that they were the latest victim of an immense data breach. Seeing as <img class="alignright size-thumbnail wp-image-48" title="credit-card" src="http://mikepiercebreach.files.wordpress.com/2009/01/credit-card.jpg?w=96&#038;h=86" alt="credit-card" width="96" height="86" align="right" />Heartland processes more than 100 million card transactions per month, this breach will likely surpass the size of the TJX Companies 2007 breach. They are still researching the incident, but at this point it looks like the offenders were able to steal credit card data over the network by planting malicious software. This malicious software was most likely intercepting and stealing the data from the magnetic strip on the back of cards. <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9126379&amp;intsrc=news_ts_head" target="_blank">Read more about the Heartland breach</a>.</p>
<p>Heartland isn’t alone &#8211; unfortunately many businesses fail to secure magnetic strip data when complying with Payment Card Industry (PCI) Data Security Standard (DSS). What many businesses fail to realize is that the magnetic strip data is more dangerous in the hands of hackers than just credit card numbers because the stripe includes personal data, expiration date, the cardholder’s name and security code information. Armed with this information, hackers can easily duplicate credit cards and the “duplicate” cards are inexpensive to buy in bulk.</p>
<p>Here at Breach Security we have added masking capabilities for sensitive payment account data to better serve our customers. Administrators who use WebDefend can now mask full magnetic strip data, preventing it from being stored or displayed anywhere within the WebDefend software, including in audit logs and within the management console. <a href="http://www.breach.com/news-events/press-releases/breach-security-advances-protection-of-payment-card-authentication-data.html" target="_blank">Read how Breach Security advances protection of payment card authentication data</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://breachinsights.wordpress.com/2009/02/05/protecting-payment-processors/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/245124dec985a00272a4ac02528ff25d?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">breachinsightsdarryl</media:title>
		</media:content>

		<media:content url="http://mikepiercebreach.files.wordpress.com/2009/01/credit-card.jpg?w=107" medium="image">
			<media:title type="html">credit-card</media:title>
		</media:content>
	</item>
	</channel>
</rss>
