BreachExchange mailing list archives

Data Center Security Lessons from Heartbleed and Target


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 8 May 2014 18:46:59 -0600

http://www.datacenterknowledge.com/archives/2014/05/07/data-center-security-lessons-from-heartbleed-and-target/

Data center security is of increasing concern, with data breaches and cyber
vulnerabilities more and more in the news headlines. Symantec’s recent
threat report highlighted more “zero day” attacks in 2013 than in the two
previous years combined. Verizon’s Data Breach Investigations Report shows
data breaches and cyber attacks at levels substantially above previous
years.

While this dire news can leave one feeling helpless, it’s useful to look
deeper into the causes of some of the more prevalent cyber events to
understand what proactive roles we can play in preventing or mitigating
them, both from the standpoint of our industry and from the standpoint of
business responsibilities.

Two of the most infamous and far-reaching cyber-security events of recent
memory are the Point of Sale attack on Target during the 2013 Holiday
season and the even more recent Heartbleed vulnerability discovered in the
OpenSSL library. Both affected millions of people’s information privacy,
were well publicized, and were preventable by known, low-cost and common
best practices.

In the case of Target, as is still the case with many companies, the
responsibility for information security was reported to have fallen to many
individuals. Although not explicitly stated, it’s reasonable to guess that
none of the many executives had information security as their primary job
role.

In an excellent podcast, Eric Cole highlights why this is a problem. In his
example, the CIO is primarily responsible for system availability. While
availability is certainly important, it is only one-third of the CIA triad
of Confidentiality, Integrity and Availability. Information security
mandates that these interests be balanced, and the only way to ensure split
organizational incentives do not get in the way, Cole argues, is to ensure
the CSO and CIO work at peer levels. Could a simple organizational change
have helped Target? It’s impossible to say in retrospect, but Target does
appear to be heading in that direction.

In the case of Heartbleed it is even more important to understand the root
causes. According to many reports, the vulnerability was exposed when a new
version of the code was “checked in” which neglected to check the length of
the keep-alive heartbeat data. Allowing data fields to exceed their
intended length is one of the most basic kinds of attack. In fact, checking
such lengths is such a common and basic coding practice that even the most
basic security audit would expose the vulnerability.
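As an added example (not code from the article or from OpenSSL), here is a minimal heartbeat record handler that performs the length check the text describes as missing: the declared payload length is compared against the bytes actually received before anything is echoed back. The record layout and the 16-byte minimum padding are assumed from RFC 6520, and the sample record is constructed for the demo.

```c
/* Added illustration (not the article's or OpenSSL's code): a heartbeat handler
 * with the check Heartbleed lacked. Layout per RFC 6520: type(1)|len(2)|payload|pad(16+) */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER_LEN   3   /* 1-byte type + 2-byte payload length (big-endian) */
#define HB_MIN_PADDING 16

/* 1 if the declared payload fits in what was received: 1+2+payload+16 <= rec_len. */
int heartbeat_length_ok(const uint8_t *rec, size_t rec_len) {
    if (rec == NULL || rec_len < HB_HEADER_LEN) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    return HB_HEADER_LEN + payload + HB_MIN_PADDING <= rec_len;
}

/* Echo the payload as a heartbeat_response only after the check; 0 = dropped. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_len) {
    if (!heartbeat_length_ok(rec, rec_len)) return 0;   /* drop silently */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t needed  = HB_HEADER_LEN + payload + HB_MIN_PADDING;
    if (out_len < needed) return 0;
    out[0] = 2;                                  /* heartbeat_response */
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);  /* copies only what arrived */
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);   /* padding */
    return needed;
}

/* Constructed 23-byte test record: type 1, caller-chosen declared length,
 * 4-byte payload "ping", 16 zero padding bytes. */
size_t make_sample_record(uint8_t *buf, size_t buf_len, uint16_t declared) {
    const size_t total = HB_HEADER_LEN + 4 + HB_MIN_PADDING;
    if (buf_len < total) return 0;
    memset(buf, 0, total);
    buf[0] = 1;                                  /* heartbeat_request */
    buf[1] = (uint8_t)(declared >> 8); buf[2] = (uint8_t)declared;
    memcpy(buf + HB_HEADER_LEN, "ping", 4);
    return total;
}

int main(void) {                                 /* stand-alone demo */
    uint8_t rec[32], out[64];
    size_t n = make_sample_record(rec, sizeof rec, 4);
    printf("declared 4:     %zu bytes\n", heartbeat_respond(rec, n, out, sizeof out));
    make_sample_record(rec, sizeof rec, 0xFFFF); /* claims far more than it sent */
    printf("declared 65535: %zu bytes\n", heartbeat_respond(rec, n, out, sizeof out));
    return 0;
}
```

The second record in the demo declares 65535 bytes while only 23 arrived; the check rejects it and nothing beyond the received buffer is ever read.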

Why was it missed? Nobody knows for sure. But as The New York Times
reported, the attention and funding given OpenSSL were far less than those
given other important elements of the open source world. The assumption is
that because the code is “open,” many eyes will quickly discover all
vulnerabilities. But the result again was the same: when everyone is
responsible, nobody is. Security, for whatever reason, was not given the
attention it was due.

Both Heartbleed and the Target breach share a common root cause:
preventable vulnerabilities. If we adopt the frame of mind that “all
vulnerabilities are preventable” we can see that shared responsibility,
whether among multiple individuals or a single individual with too many
responsibilities, can diminish the attention needed to do a thorough job.
And as the above examples highlight, detecting vulnerabilities is serious
work, for the consequences of failure can be quite severe.

What is the lesson learned and challenge for your company? It all boils
down to risk management. Who has the responsibility to identify and manage
information security risk in your company and do they have adequate
resources to do their job effectively? If the answer is not an easy, “yes,”
it may be worth a deeper look, lest your company end up in what may be a
long series of headlines.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com