The 7 Kinds Of Security - Veracode


VERACODE EBOOK: THE 7 KINDS OF SECURITY

INTRODUCTION

If you were to look at a map that showed computer security as a whole, from a high enough vantage point it might look like art. The blend of arrows, symbols and colors bunched up against serious-looking acronyms would take on an abstract quality. But get close enough, and the overwhelming detail and scope of this map would seem like an endless and incomprehensible maze of information.

How to sort out this truckload of information? How to even begin?

Categorizing the information by the OSI model is a good place to start.

Before delving into the categorizing of seven kinds of security, it will probably help to have an image in your head to picture the world of security. Imagine an ecosystem: one of trees, birds, bugs, grass, etc. The security ecosystem, if you will, is just like the ecosystem in your backyard. It is a study of interdependence, limited resources and finding just the right balance among all the players in the game to make everything work optimally.

As you can imagine, this is a tall order. And like an environmentalist studying a complex ecosystem, it requires specific knowledge, expertise, tools and dedicated effort to find that perfect balance.

What does this security ecosystem include? According to the OSI model (Open Systems Interconnection), a conceptual model of the structure, technology and interactions of systems, we can define layers, or kinds, of security.

The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to their underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard protocols. The model partitions a communication system into abstraction layers. The original version of the model defined seven layers.

What are the 7 layers in this security ecosystem?

1. PHYSICAL: This is the lowest layer, where the hardware shares the same physical, real-world space as the user. This is where we put locks on doors to keep systems safe.

2. DATA LINK: At this layer, the data is just one level above the bare metal and silicon of the hardware. Here, the data moves from software to hardware and back. Security at this layer keeps the traffic going and the data where it's supposed to be.

3. NETWORK: Think traffic control, speed limits, detours and stop signs. This is where network addressing, routing and other traffic control take place. Security at this layer protects against flooding attacks and sniffing or snooping attacks to keep criminals from accessing logins and passwords sent over the network.

4. TRANSPORT: Think of the post office getting mail from point A to point B reliably and without anyone tampering with the contents, but instead of bills and postcards, you're dealing with data, and instead of houses and apartments, you're dealing with computers and networks. Denial-of-service attacks also occur here, as well as man-in-the-middle attacks (bad guys trying to intercept the data between point A and point B).

What are the 7 layers in this security ecosystem? (continued)

5. SESSION: This represents the continuous exchange of information in the form of multiple back-and-forth transmissions. The session layer controls the dialogues (connections) between computers. Examples of attacks are denial-of-service and spoofing.

6. PRESENTATION: The presentation layer is just below the application layer and transforms data into the form that the application accepts. For instance, feed HTML code to a web browser, and you'll get a webpage. Give it to your phone's texting application, and you'll get a lot of computer text that makes no sense to your friend.

7. APPLICATION: This is the layer closest to the end user and the most troublesome these days. Commonly, web browsers and email clients are attacked at this layer. It's how people interact with computers and devices.

What does this security ecosystem look like?

(Figure: the ecosystem, labelled HUMAN, DATA and NETWORK.)

(Figure: the seven layers, 1 PHYSICAL, 2 DATA LINK, 3 NETWORK, 4 TRANSPORT, 5 SESSION, 6 PRESENTATION, 7 APPLICATION, with ATTACKS marked against the layers.)

Each layer is vulnerable to direct and indirect attacks. The layers must be continually adjusted so the ecosystem is protected and the attack surface is minimized, without blocking the normal flow of business.

These layers represent how systems, software and networks interact and contribute to the attack surface (attack surface — the areas where attacks can occur).

The prevalence of applications means security ecosystems are stressed.

APPLICATION LAYER

As it turns out, seven is an important number. The seventh layer, the application layer, is the growing risk in this layer cake of potential insecurity. Addressing this risk is not an easy task, as application security requires protecting all applications through design, development, upgrade and maintenance.

This adjustment requires a good understanding of the interaction between the layers, the resources needed and the balance required to maintain security and protect the whole. If you remove one piece or restrict resources, or if a piece fails, the entire ecosystem can become unstable or insecure.

The newness and very nature of how Internet-enabled applications work, making it possible for companies to interact effectively and efficiently with the outside world, also mean they are at greater risk of cyberattacks. Which is why web and mobile applications currently account for more than a third of data breaches.

(Figure: web and mobile apps, 35% of data breaches.)

Source: 2014 Verizon Data Breach Investigations Report

Consider that in 2014 there were 8 major breaches through the application layer, resulting in more than 450 million personal or financial records stolen.

According to Akamai's "State of Internet Security" report, "application-layer attacks are growing much more rapidly than infrastructure attacks." Unfortunately, with companies in all industries relying more and more on applications as a source of innovation and business efficiencies, attacks against the application layer will only continue to grow. We can already see it in the growth of application-based vulnerabilities on the web.

According to Risk Based Security's VulnDB for 2015, there have been 595 reported new web application vulnerabilities. Of the 595 reported:

- 198 had no known solution or patch
- 291 were considered high severity by their CVSSv2 score (Common Vulnerability Scoring System)
- 18: the vendor didn't even bother to respond

Four real-world breaches

1. Target was breached through a sophisticated attack-kill chain, which included exploiting a vulnerability in a web application used to interface with vendors. The breach resulted in the theft of data, including names, email addresses, credit card information, mailing addresses and phone numbers, for 70 million customers.

2. JPMorgan Chase was breached through a web application built and hosted by a third party developer. The web application was deemed non-business critical because it promoted a charitable road race and was not related to business activities. The breach resulted in the records of 76 million households and 7 million businesses being stolen.

3. Community Health was breached through a software component with a well-publicized vulnerability. The insurance company was unable to find all instances of the component in its application ecosystem and, as a result, could not patch the vulnerability. The breach resulted in more than 4 million patient records lost.

4. TalkTalk was breached through a common SQL injection vulnerability. The breach resulted in the theft of names, addresses, birthdays and financial information for potentially all of the company's 4 million customers.

THE REALITY

Many organizations assume that their existing security measures, such as network security, firewalls, intrusion detection systems or data leakage prevention tools, protect them from application-layer attacks. This is old-world thinking. The idea that lower layer security measures protect higher layers simply isn't true.

NETWORK SECURITY, FIREWALLS OR INTRUSION DETECTION DO NOT STOP APPLICATION-LAYER ATTACKS
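An added example (not from the Veracode ebook) that makes the point above concrete: both login functions below receive the same ordinary HTTPS request that a firewall or intrusion detection system would pass as normal traffic, but only the one fixed at the development phase resists the SQL-injection input the ebook names in the TalkTalk breach. The user table, credentials and test input are constructed here.

```python
import sqlite3

# Constructed in-memory user table, a stand-in for an application's database.
# Plaintext passwords are used only to keep the demonstration short.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Application-layer flaw: untrusted input is spliced into the SQL text.
    # Nothing at the network or transport layer distinguishes this request
    # from a legitimate login, so perimeter controls have nothing to block.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Fix made in the code itself: a parameterised query, so the input is
    # passed to the database as data and is never parsed as SQL.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None

# Constructed test input: the textbook tautology an application's own test
# suite should assert is rejected by every login path.
TAUTOLOGY = "' OR '1'='1"

def demo() -> dict:
    # Returns the outcome of each login path for a correct password and for
    # the injection input, so the contrast can be checked programmatically.
    conn = make_db()
    return {
        "vulnerable_correct": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),
        "hardened_correct": login_hardened(conn, "alice", "correct-horse"),
        "hardened_tautology": login_hardened(conn, "alice", TAUTOLOGY),
    }

if __name__ == "__main__":
    for path, granted in demo().items():
        print(f"{path}: {'login granted' if granted else 'login denied'}")
```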

According to research by Picus Security, which tests live exploits against various infrastructure protection devices for security effectiveness, an organization will only stop 18–43% of the last 24 months of exploits without specific application defenses in place, vs 72–96% of the last 24 months of exploits with specific application defenses in place.

If you're like most people, phrases like "major breaches", "high severity", "no known solution", "didn't have a vendor response" and "only stop 18% to 43%" are the stuff of which ulcers are made. If it wasn't already apparent, applications may be the invading species in the world's backyard. They're growing faster than kudzu too.

FRAGILE!

A security ecosystem is fragile by default. Its optimal functioning depends on a delicate balance of controls, interactions and vulnerabilities. Since applications tend to tie together multiple systems across the network and across many types of users, application security requires more focus and attention than it has received in the past, as it impacts every layer of the security ecosystem.

The introduction of application security shifts the focus from general vulnerability management to proactively reducing specific vulnerabilities in applications. While both perspectives are important, applications present a more alarming reality because they often face attacks that have no patch. This necessitates thoroughly researching applications that will be purchased from third parties, or addressing application design and security at the software development phase.

(Figure: General Vulnerability Management alongside Proactive Reduction of Specific Vulnerabilities.)

CONCLUSION

When a major shift is introduced to an ecosystem, like dropping a python in a mouse cage, or like adding Internet-facing applications, it will be difficult to find harmony again. It's incumbent on a business to assess how to adjust the seven types of security in the environment to reduce risk. Every interaction matters to the attack surface, and applications bring many more and new types of interactions on all layers. Introducing application security addresses these interactions and benefits the entire security ecosystem, on every layer.
