Eliminating security blind spots

The recent hacks of LinkedIn’s and Yahoo’s password lists have put the spotlight on glaring gaps in application security. Experts believe that a security layer is the way out. By Mehak Chawla

A few weeks back, LinkedIn, one of the largest professional social networking sites in the world, was busy sending out email notifications to about 6.5 million users. The subject of that email was an urgent plea to reset their passwords, as a Russian hacker had got the better of LinkedIn’s security apparatus.

The breach came shortly after LinkedIn’s struggle with its mobile app became apparent. An opt-in calendar feature in LinkedIn’s Android and iOS mobile apps was sending user data back to LinkedIn servers as plain text. The application was allegedly sending unencrypted calendar entries, such as phone numbers and passwords for conference calls, to LinkedIn servers without the users’ knowledge. The flaw, which was discovered by Web security researchers, forced the social media giant to change its security policies, though that did not prevent hackers from stealing 6.5 million passwords.

Close on the heels of that announcement came the news that the breach could include Gmail passwords as well, although there was no official announcement from Google. The history of hacks has been turbulent before this too. Yahoo was grappling with password hacking a few weeks back, and even NASA and the US government have repeatedly been targeted. Google too has not been spared: its controversial, heavily reported exit from China (though it eventually stalled) was on account of the domino effect of repeated breach attempts. Incidents like these lead us to question the data protection and encryption strategies that public sites dealing with enormous user databases are employing.

Passwords happen to be the weakest link in the security ecosystem. As mobility, BYOD and the like burgeon, things will only get worse unless something is done.

Application level breaches
According to Vishak Raman, Regional Director, India & SAARC, Fortinet, the LinkedIn breach occurred at the application level and not at the network level. Though most large enterprises are focusing on network security, application security often gets relegated to the back seat.

According to VG Sundar Ram, VP, Technology Sales Consulting, Oracle India, “The existence of multiple applications, with their own security rules, accessing a single database is complicating the situation. Putting security at each layer is not only time consuming but also an inflexible approach.”

He cited the fact that 92% of stolen records were from database servers, 89% were stolen with simple SQL injection attacks and 86% were compromised due to lost or stolen credentials.

“While there are lots of different tools that people are deploying to address security, when we examine what’s actually happening, we find that the threats are mostly against applications and data,” he added.

According to Raman, there could be several ways to secure applications. These include Web application firewalls, real-time application monitoring and two-factor authentication. However, just securing applications or the network isn’t going to help. “Organizations must secure the network at the application, endpoint, database and device levels,” he said. He added that companies that were on the hit list of attackers needed to divest from the traditional security route and take up an intrusion prevention approach. “A DDoS device, beyond a traditional UTM device, could be considered,” he remarked.

The other thing with application-level security is that defining security protocols for each and every application could bring a certain amount of rigidity into the process of delivering IT. Kartik Shahani, Country Manager, India & SAARC, RSA, agreed that flexibility often ended up being compromised thanks to security measures. “An organization needs to find the right balance between security and flexibility. Some security environments can rob an organization of their flexibility.”

Security fragmentation
If there is one factor that CIOs and security strategists are dealing with today, it is that of the multiplicity of devices, applications and networks that need to be secured. There are lots of elements that are entering the organizational canvas from the outside and complicating the security equation.

BYOD is perhaps the biggest instigator of this fragmentation in the security landscape. With employees increasingly choosing to access organizational information from their personal devices, blind spots are being created in the security framework. Shahani said, “Mostly, the laptop or tablet that an organization gives to its employees is secure. However, when an employee accesses the company VPN through his/her own device, a common phenomenon today, security could be compromised.”

Since it is impossible for organizations to control applications on employees’ devices, the chances of malicious content seeping onto a company’s systems and networks are higher. Sundar Ram of Oracle commented, “48% of breaches are caused by insiders. With all the monitoring, almost half of breaches are caused by people who have either excessive access or even legitimate access to the data in question.”

“Fragmentation is the biggest threat to security. BYOD is only one of a series of components that are fragmenting a company’s security strategy,” added Sundar Ram. Mobility and the Cloud are also necessitating attention to a company’s security posture.

Adopting a layered approach
Given the proliferation of entry points that enterprises have to secure nowadays, CIOs are starting to focus on an integrated security set-up. That is where security platforms or layers enter the frame. “With so many devices to control, securing access has become a top priority for organizations,” said Sundar Ram.

Organizations are now looking to spread their risks rather than having isolated points of entry. Shahani of RSA elaborated, “The option for a layered security approach could be one way to detect and isolate these threats. In such a setup, each layer has an overlap over the previous layer. In this manner, what gets missed in the first layer is caught by the second.”

Sundar Ram concurred, “Unified security is the way out for organizations. We have to extract security rules from the individual apps and put them into a security layer. That’s why having a security layer or platform makes immense sense for an enterprise.”

This security layer, which sits on top of apps, defines enterprise security standards, not just application or network security. Given the threat perception, a lot of vendors are beefing up their security platform offerings. An example is Oracle’s newly launched Identity Management 11g Release 2.

Other than a layered approach to security, organizations are also beginning to look at things like hashing, salting and stronger encryption in order to prevent LinkedIn-like calamities. Though the breached LinkedIn member passwords were all hashed, or masked, using a hashing algorithm known as SHA-1, that algorithm is by no means considered foolproof by experts.

Therefore, many organizations are falling back upon a process known as salting, where a random string of characters (the salt) is appended to a password before it is hashed, in order to make password cracking that much harder. With a different random salt for each user, the process ensures that even if two users choose identical passwords, their stored hashes will be different.
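The following is an added example, not code from the article or from any of the vendors quoted in it. It shows why unsalted SHA-1 storage is weak from a defender's point of view (two users with the same password produce the same hash, so one cracked hash exposes both) and contrasts it with per-user random salting. It goes slightly beyond the article's description by using PBKDF2-HMAC-SHA256 (a deliberately slow, salted hash from Python's standard library) rather than salted SHA-1, since a single fast hash round is still cheap to brute-force. The two user accounts, their shared password and the iteration count are constructed values for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to pick the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}

# Assumed work factor for the demonstration; production deployments tune this
# to the slowest hash the login path can tolerate.
ITERATIONS = 200_000


def sha1_unsalted(password: str) -> str:
    """Plain SHA-1 of the password, the scheme the article says LinkedIn used.
    Identical passwords always yield identical digests, so a leaked table can
    be attacked with precomputed (rainbow) tables and one crack reveals every
    account sharing that password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> dict:
    """Create a stored credential: a fresh 16-byte random salt per user plus a
    PBKDF2-HMAC-SHA256 digest. The salt is stored in the clear next to the
    hash; its job is uniqueness, not secrecy."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so response timing does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def build_tables() -> tuple:
    """Return (unsalted_table, salted_table) for the constructed users so the
    two storage schemes can be compared side by side."""
    unsalted = {user: sha1_unsalted(pw) for user, pw in USERS.items()}
    salted = {user: make_record(pw) for user, pw in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("Unsalted SHA-1 (note the identical digests):")
    for user, digest in unsalted.items():
        print(f"  {user}: {digest}")
    print("Salted PBKDF2-HMAC-SHA256 (digests differ despite the same password):")
    for user, rec in salted.items():
        print(f"  {user}: salt={rec['salt']} hash={rec['hash'][:32]}...")
    print("alice logs in with the right password:", verify(salted["alice"], "correct horse"))
    print("alice logs in with the wrong password:", verify(salted["alice"], "Correct Horse"))
```

The salt does not need to be secret, only unpredictable and unique per record; what it buys the defender is that an attacker who obtains the table must attack each account separately instead of once per distinct password.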

However, the task remains of ensuring that hackers are unable to access an organization’s password databases in the first place.

Internal breaches and lack of awareness on part of consumers as well as employees make the situation murkier. It is not uncommon to find employees using the same password for their organizational and personal applications. Similarly, a majority of users have the same password across social media sites. Customer and employee awareness is, therefore, becoming an essential part of security strategy.

Shahani of RSA concluded, “Security is about technology. However, it has also got a lot to do with people and behavior around technology.”

Other than deploying sophisticated technology to prevent intrusions, training employees to make them understand the implications of their actions is also vital.
