In reading this year's Verizon Data Breach Investigations Report, one thing came to mind: we need to get back to the basics. Here are my takeaways from the DBIR.
1. Remain Vigilant
Recently, data relating to 1.5 million customers of Verizon Enterprise were available for sale. Some would say this is ironic, but what it means to me is that everyone is HUMAN. SEC_RITY requires “U” to be vigilant in all aspects of its operations, from the creation through the deployment and use of technology. I was very happy to see the work of the Center for Internet Security (CIS) Top 20 Security Controls referenced. These are important proactive steps in operating ANY business, and I'm proud to be one of the collaborators on this important project.
CIS Top 20 Security Controls
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Controlled Use of Administrative Privileges
6: Maintenance, Monitoring, and Analysis of Audit Logs
7: Email and Web Browser Protections
8: Malware Defenses
9: Limitation and Control of Network Ports, Protocols, and Services
10: Data Recovery Capability
11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12: Boundary Defense
13: Data Protection
14: Controlled Access Based on the Need to Know
15: Wireless Access Control
16: Account Monitoring and Control
17: Security Skills Assessment and Appropriate Training to Fill Gaps
18: Application Software Security
19: Incident Response and Management
20: Penetration Tests and Red Team Exercises
2. All software security issues are software quality issues.
Unfortunately, finding fault is what some humans do best; having adequate controls is what defending IT is actually about. The sections in the Verizon report that discuss attack vectors should remind everyone that not all software quality issues are security issues, but all software security issues are software quality issues. Currently, one of the greatest risks to software is third-party software components.
3. What type of Attacker are you Defending Against?
What has not changed since 1989 when I first used ATDT,,, to wardial by modem off an 8-bit for the first time is that it's STILL people behind the keyboards. People on a wide ethical spectrum are still using keyboards to harm, steal, deface, intimidate, and wage cyber attacks/wars, and ALL criminals need is means, motive, and opportunity.
Every organization needs to be asking what TYPE of attacker it is defending against (Threat Modeling). For example: "My business relies on the internet for selling widgets; the adversary is an indiscriminate bot/worm, or a random individual with skills, or a group of skilled and motivated attackers." This is where OWASP's Threat Risk Modeling workflow can really help when proactively defined together with OWASP's Incident Response Guidelines.
Modern and resilient businesses should conduct mock training exercises to educate and prepare the team. Business is about taking risks, and not all survive. Some lack the number of customers they need to survive, others struggle to move enough product, and now, for many, the eventuality that a business could be hacked and unable to recover is a concern whether you are a Small Business or sitting on the Board of Directors of a Fortune 50 organization. You can use insider threat examples, outsider risks, and 3rd party vendor risks; all are different, and decisions need to be made based on a tolerance threshold.
4. OWASP - Get Involved! It's free and it's helpful!
As the 2016 Verizon Data Breach Investigations Report shows, web applications remain a primary vector of successful breaches. I encourage everyone to get involved with the OWASP Foundation where I spend a great deal of time. OWASP operates as a non-profit and is not affiliated with any technology company, which means it is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and documentation on application security. All of its articles, methodologies and technologies are made available free of charge to the public. OWASP maintains roughly 250 local chapters in 110 countries and counts tens of thousands of individual members. The OWASP Foundation uses several licenses to distribute software, documentation, and other materials. I encourage everyone to review this OPEN resource and ADD to the knowledge tree.
I really enjoyed the 2016 Verizon DBIR for the data. Their perspective in this report is based on a wide array of both customer engagements and data from nearly 70 partners. The average reader who uses a credit card at a hotel, casino, or retail store may feel uneasy about the risk of trusting others with their data. If your business is dealing with confidential data, you should be concerned and proactive about the risks you take.
If you haven't already, take a look at the Defender's Perspective of this year's DBIR, written by Bob Rudis.