Dynamic, sophisticated and potentially deadly - Imperva details security trends for 2011

Wed, 17th Nov 2010

FYI, this story is more than a year old

Imperva’s Application Defence Centre (ADC), led by Imperva CTO Amichai Shulman, focuses exclusively on advancing the practice of data security to help companies shield themselves from the threat of hackers and insiders. In 2010, the ADC predicted many of the key issues that would plague security teams in 2010 and beyond. For 2011, the ADC has assembled its most comprehensive set of predictions. The first three follow.

TREND : Mobile devices compromise data security

The proliferation of sophisticated mobile devices (SmartPhones, Tablets, etc.) is going to have a substantial effect on application and data security in the coming years. In particular, we will see organisations struggle to accommodate the increase in number and variety of these devices, while maintaining traditional data and application security practices.

The past couple of years have witnessed a dramatic surge in the number of sophisticated mobile devices being used as access points to online services and enterprise networks. At the same time, these devices acquired more capabilities in terms of storage size and web technology adoption. Apple’s iPhone comes with up to 32GB of internal storage, while its bigger sibling iPad can accommodate up to 64GB of memory. (For context, one million records holding names, addresses, and social security numbers will occupy approximately 0.5GB.) Mobile devices are no longer mere address books or mail readers.

Add to the mix a growing variety of applications that are a gateway to enterprise systems, including CRM, ERP, and document management. While we are used to concerning ourselves with lost or stolen laptops, it turns out that missing mobile devices may be just as big a pain point.

However, the storage of sensitive information is not the only new concern with mobile devices. As mobile devices become mainstream, online service providers must accommodate their offerings for these platforms; creating a special version of the applications to match each devices’ capabilities. In this process, it is not uncommon to see older vulnerabilities surface once again. We have witnessed the online versions of well-protected mobile device applications display common vulnerabilities: the CitiGroup incident in 2009, a more recent CityGroup issue, and AT&T’s well publicised mishap with respect to iPad owners. In particular, many mistakes are made around identification and authentication, where application programmers mistakenly trust attributes of the data stream that can be forged by an attacker without the particular mobile device. Thus, the applications themselves become more vulnerable.

Furthermore, some assumptions regarding ‘strong’ multifactor authentication schemes are becoming obsolete. Take, for example, applications that use a one-time password (OTP) for validation of sensitive transactions, where the OTP is delivered through SMS to a phone number provided by the user. If the user is employing a smart mobile device for accessing the application, and that device is infected by a Trojan, then that Trojan is able to access the OTP delivered through SMS.

Don’t be surprised by the mention of Trojans in the context of your mobile phone. Mobile devices rely on sophisticated operating systems running complex applications. Malicious code is available for these platforms (e.g. Zitmo) and the complex applications (not to mention the usual human flaws) make it easy, if not easier, to infect a mobile device with malware, as with any standard desktop platform.

We expect exponential growth in the number of incidents related to mobile devices in the next few years. From theft or compromise of information in these devices, through massive infection campaigns, and up to frequent exploit of the vulnerabilities introduced into the server side.

Organisations need to start planning to secure the devices and their interaction with the enterprise networks. Tools and procedures need to be put into place, such as anti-malware, encryption, and authentication. Special monitoring requirements should be set for access of these devices to enterprise resources (databases, files, intranets). On the other hand, application providers need to get their act together with respect to serving these devices, including vulnerability mitigation, re-evaluation of trust, and incorporation of new authentication/authorisation channels.

TREND: Data security goes to the cloud

We expect to see more application security offerings in the cloud throughout 2011, and predict some early data security in the cloud offerings. Offerings will need to respond to private and public clouds that are either self-serviced or managed as a service. This trend is a late response to the move of many applications and data stores to cloud technologies, and the industrialisation of hacking, which dragged many smaller online businesses into the threat zone.

The past couple of years brought an extensive increase in the use of cloud technologies (and a definite abuse of the term ‘cloud technologies’). Each of these technologies contributes a different set of challenges with respect to data and application security. Cloud applications (SFDC.com, Gmail, MS BPOS, SuccessFactors) challenge their operators to maintain a bullet proof partition between data sets of different customers. At the same time, it challenges customers with respect to protecting data from the prying eyes of service administrators (e.g. European regulations require that PII will not be handed over to non EU individuals or entities).

Private clouds (in layman terms - clustered servers running virtual machines) create a challenge by having the same application or database server operate from a different physical server at different points in time, thus making it harder to monitor the communication path to the application.

Public clouds (hosting providers) challenge their operators to maintain partitions between applications and datasets of different users, and at the same time manage application and data security for a large multitude of different applications.

Self-service clouds (aka ‘platform as a service’ or ‘infrastructure as a service’ such as Amazon EC2 or MS Azzure) challenge their users with a new virtual platform and the need to protect data from cloud administrators.

Taking together all the types of cloud forms (private and public, SaaS, PaaS and IaaS) we can see a set of challenges for both providers and consumers. These can be summarised as follows:

Maintaining bullet proof partitions between datasets of different customers.
Providing different levels of data security to applications sharing the same logical or physical platforms.
Protecting customer data from the prying eyes of cloud administrators.
Providing solutions that operate over a specialized infrastructure (VM, Amazon AMI).
Managing application and data security for a large number of applications inside the cloud.

In the past year, we have become aware of numerous attempts by security providers and cloud providers to solve the conundrum of application and data security in the cloud. Traditional application security vendors are starting to provide their solutions over virtual platforms (VMWare, Amazon), while new vendors are creating models for application security solutions that are cloud-based (they route all traffic for their customers).

We expect that in 2011 good technical solutions for application security in the cloud will be available and gain traction, while data security solutions (protecting data stores in the cloud) will lag behind. Scale of manageability and different levels of security for applications that share the same platform will remain a major challenge for application security solutions. Data security solutions will continue to struggle with creating the right security model.

Organisations can now accelerate their adoption of cloud offerings without giving up on the security of their information by choosing the right solutions. Larger enterprises with private clouds will adopt the offerings of traditional vendors over virtual platforms. Smaller organisations may choose a cloud provider that is capable of delivering applications in a protected manner (managed application security), or choose to have their applications delivered by one provider and their application security by a dedicated security-in-the-cloud provider.

TREND : Misanthropes and anti-socials - privacy vs. security in social networks

In 2011, we will see prominent social networks and tools placing more efforts into security over privacy. This is not the result of resolved privacy issues, but rather an understanding of the real threats to the existence and proliferation of social networks.

In recent years, social networks and tools—Facebook, LinkedIn and Twitter—have invaded our personal and professional lives at a phenomenal pace and ignited numerous privacy complaints. Voices called out the ‘promiscuous’ default settings, the lack of granular control, and even the entire interaction model. ‘Incidents’, where personal details of users were ‘accidentally’ disclosed, took centre stage. Even the simple revelation that Facebook’s public directory was available for download—doesn’t the word ‘public’ mean anything?—grabbed media attention. As a consequence, and an attempt to avoid public whipping, a great deal of effort has been invested—rather unsuccessfully—in preserving privacy of information. Facebook, for example, revamped its privacy setting scheme, implementing at least one major change in 2009 and another in the spring of 2010 that resulted in a very granular yet complex model.

Surprisingly, it seems that privacy issues have not had a detrimental effect on the rate at which users have joined social networks, or the amount of personal information that they are willing to provide. It turns out that people often join social networks to promote random interactions with other users, spurred by the information provided in profiles. With this in mind, it may be safe to say that if a user indicates their religion, or ethnicity, they do so because they want other users to know this information and are willing, even implicitly, to take the chance that a (hypothetical) KKK classification application will have access to it as well. It may also be safe to say that people who post a named defamation of their boss on their wall, or their friend’s wall, are willing to take the chance that their boss may see the post.

Aside from privacy issues, additional factors will come into play in the coming year that may affect the development of social networks. The decrease in growth will not be a measurement of the number of members, but rather the inability for social networks to penetrate deeper into both our personal and professional lives.

There are two key factors at stake: security and trust. While privacy concerns the ability to keep personal information hidden from other application users, security operates with a much broader scope. Security controls the way in which people use the information of others. It is a way to ensure that people cannot invoke functionality on behalf of other users, and that delinquents cannot use the system to distribute malware. It is a way to make it difficult to hack into someone’s account using a brute-force attack. Security enables us to integrate social networking applications into our business environment without affecting the integrity and confidentiality of business data. Trust, on the other hand, impacts our ability to make decisions based on the information we receive through social networks, such as the decision to accept requests from applications that have access to our information.

In today’s social networking platform, both security and trust are in danger. Cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities are quickly translating into massive worm out brakes. Examples:

Even basic best practices, such as the use of SSL for authentication purposes, are not closely followed. Trust evaluation tools are non-existent. Actually, if you ask users who contemplate installing a Facebook application, their measure of trust is often the number of other users who have already signed-up for the application. Clearly, anyone with an army of drone accounts can easily influence such decisions.

Nevertheless, we are starting to feel the winds of change. Recently, Facebook made changes to account security to reduce account hijacking incidents (device profiling, concurrent session sign out, and SMS OTP). Next year, we expect social platforms to invest more resources in improving the security posture of the platform, rather than continuing to struggle with controlling information overflow. These measures will provide improved protection against application layer attacks, stronger authentication and account control features, and better malware detection systems. Research into trust models is still in its early stages. Only a handful of companies have disclosed commercial offerings. We, therefore, do not expect to see much progress with trust in 2011.

About Imperva

Imperva is the global leader in data security. With more than 1,200 direct customers and 25,000 cloud customers, Imperva’s customers include leading enterprises, government organisations, and managed service providers who rely on Imperva to prevent sensitive data theft from hackers and insiders. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring for databases, applications and file systems. For more information, visit www.imperva.com, follow us on Twitter or visit our blog.

For more information

Grenadine Lau

Imperva

Phone: +65.6749 4482

Mobile: +65.9666 1886

Email: Grenadine.Lau@Imperva.com

David Frost

PR Deadlines Pty Ltd, for Imperva

Phone: +61.2.4341 5021

Mobile: +61 (0) 408 408 210

Email: davidf@prdeadlines.com.au