29 October 2020

Seatbelts, Airbags and your Cybersecurity

Charlie Waterhouse

Seatbelts are something we take for granted today with well over 90% of US drivers using them. Airbags are similar – we don’t do anything, but they are there if we need them. When you think about airbags  though, they are odd. They are a safety system, but they are passive – they don’t keep you from speeding, being in a wreck or flipping the vehicle. There is no reduction of the number of accidents because of airbags or seat belts but few of us would buy a car now without them. What they do is protect you when a mistake is made. 

So what does this have to do with cybersecurity? Seatbelts, airbags, smoke detectors and the like are a defense in depth solution. They help us prevent further damages if a mistake or accident happens. If a mistake is made, a firewall rule forgotten or an old code call is used, it can help prevent a worse case scenario for an organization. They are your security foundation, and are critical.

Here at Synack our commitment to the attacker mindset approach to security is obvious. It’s why our customers hire us – they want to find out what an attacker can do. However, it’s important for all organizations to consider the attacker mindset when thinking about defense in depth. Scanners can’t proactively think like a hacker so scanning with a popular tool isn’t enough. We need creative, motivated human minds to consider the possible threats and consequences. As a security researcher myself, one of my favorite questions when looking at a new target is “What is this client’s nightmare scenario?”, because I want to find a bogeyman to make that happen. All organizations can benefit from the help of a world-class bogeyman or woman showing us how to avoid this nightmare scenario. It hits at the core of what is valuable and how we will minimize the risk. 

Security is about balancing value versus risk. The questions about what is valuable and what the risk is are not universal, but individual to each asset and requiring careful analysis. I advised a family member recently that their website is likely vulnerable, but not to worry about it. Why would I do that? Well, the website was mostly informational, and there was nothing really valuable to the information they were sharing. Additionally, a small business owner is unlikely to come across nation state actors. It just didn’t make sense with the analysis to spend $6k or more on a custom site and then thousands more to test it. 

On the other hand, let’s assume a large school district has a website. They have details on children, their home situations, the current tech being used and who is remote learning during our current COVID-19 restrictions. I can’t imagine the chill down the spine of a school administrator who found out a child predator got in and found all of those details. It would be a disaster to say the least. Not to mention a site that would be the target of a nation state, like a national election website, where the stakes are huge and an adversary with the right access can steer an entire country. These are also systems that Synack helps analyze through our Secure the Election initiative so those are also questions we look at. 

The point of all of this is that we all have a different level of risk and analysis we need to think about from an attacker perspective. Who is coming after you and what do they want? Just because we are vulnerable does not mean we are really at risk. Just because we have security doesn’t mean we are secure. We need to assess our own specific situation and the potential of our nightmare scenario. 

It is easy to forget that our nightmares don’t start in a vacuum. The flood in our basement starts as a small leak, and hackers rarely get in through a big open door, but get a foothold in a crack. This is where redundant security systems come in to make a smaller attack surface that is extremely hardened. Synack Missions is a product we use to help optimize security from the view of defense in depth and address small cracks that may lead to a larger issue. Synack Missions enable our crowd of the world’s best ethical hackers, Synack Red Team, to conduct specific tasks. One of the most common task categories is conducting security checks for flaws. This is what a client should do for optimizing the hardening of the attack surfaces and defending against the nightmare scenario. We look at security frameworks and test details. These aren’t usually our big flashy vulnerabilities that could result in taking over the network. Instead, they are the security basics – they are often simple, but critical, things like session cookie flag settings and ensuring that you have strong password policies. They are your seatbelts.

We use framework checks through missions for a couple of reasons. The first is compliance checks for auditors for standards such as NIST, FedRamp, ISO 27001, PCI and others. These are things for our clients to show auditors that use them to help assess the overall security posture of the organization. The second is to check for attack surface hardening. After looking at over 32,000 recent missions we see a 13.5% failure rate of Synack Missions. These are the small cracks, the footholds that attackers can leverage such as flaws in HSTS or token configurations. It’s worth noting that these are mostly enterprise and government clients, so they are built with serious security in mind. They may not be full vulnerabilities yet, but they are where there are weaknesses and where, as an attacker, I would start looking. This is data in clients’ hands on how to harden their systems and seal these weaknesses. They are our keys to redundant defense in depth that can act as our seatbelts in case of a failure somewhere else. They can limit the damage and access an attacker can get into the system or make the attacker’s job significantly harder. Treating issues surfaced in these missions seriously makes it harder for other attacks to succeed. Consider the common vulnerability class Cross-site scripting. A website with improperly set cookie flags that has a cross-site scripting vulnerability makes it simple to take over user accounts by stealing session cookies. A website that has a cross-site scripting issue which has properly configured cookie flags adds a barrier that an attacker needs to overcome before they will be able to take over user accounts.  These are the things that can seem boring on the face, but really do have a large impact if placed together to harden a site. 

I see vulnerabilities daily that could have been prevented fairly simply by efficiently harnessing an attacker mindset approach. If a website has its headers and CSRF tokens set right, CSRF and CORS gets a lot harder for an attacker. If you filter properly in the firewall, a lot of things are made exceedingly difficult. That said, just one layer isn’t enough – notice I didn’t say in the last few sentences that it could stop all attacks. The tough truth is none of us is 100% secure – we need to make it hard enough that the attacks coming against us just aren’t worth it. Defense in depth is another layer that makes it harder. Would you rather update the server now, or in 6 months when a new public exploit drops on Friday at 5pm? How about your programmers who keep using deprecated functions from the repository? Did they just set up your shiny new website with a function call that you knew was vulnerable on your other site? Synack Missions address these things to help you secure your infrastructure against attack.

Let’s look at two of our favorite things that frustrate us all at some level. I personally am annoyed when I have to reset a password that is 8 digits or more, upper case, lower case, a special character, can’t be my last 5 passwords… How am I supposed to come up with a new one I can remember? Now I need to do a CAPTCHA??? I get annoyed, but realize why. If an attacker knows my email (and who doesn’t just give that out?), they can try tens of thousands of guesses against my account in minutes. That’s why the CAPTCHA is significant as it mitigates this. If you have looked at https://haveibeenpwned.com/ you will notice how many of your personal emails have been in data breaches. These could easily have shown your favorite go-to password. It’s why they make you change it. Defense in depth may not be fun or glamorous, but neither is brushing your teeth. Good security hygiene goes a long way. If you are a current customer, ensure that you study and address the mission results – they may not be full vulnerabilities, but they can help guide you and be damaging if not addressed. Conducting regular checks helps you achieve a new level of defense in depth for your security and lets you know you are doing everything you can to harden your assets. If you are not a Synack customer make sure the layered solution you are using offers you the best of humans and technology to give you defense in depth. 

Defense in depth isn’t the glamour job. It doesn’t get people excited like a new site, product or functionality. It does help ensure that those new shiny things don’t result in a breach though. I would encourage you to seek defense in depth, whether it is through Synack Missions or other avenues. After all, we are all speeding down the internet highway, so please wear your seatbelt.