You can't secure what you don't acknowledge.SM

Saturday, December 17, 2011

WebInspect: How SQL injection testing *should* be done

SQL injection is arguably the grandest of all security vulnerabilities. It can be exploited anonymously over the Internet to gain full access to sensitive information - and no one will ever know it occurred. Yet time and again it's either:
  1. overlooked by people who don't test all of their critical systems from every possible angle
  2. overlooked by people who haven't learned how to properly use their Web vulnerability scanners
  3. overlooked by people who chose to only perform PCI-DSS-type vulnerability scans that don't go deeply enough
  4. And, perhaps worst of all, overlooked by tools that can't test for - or properly exploit - SQL injection

Certain automated tools for SQL injection testing/exploitation have been around for years but I've never seen a tool that actually finds SQL injection as frequently or is as simple to use as HP's WebInspect. As shown in the following screenshots, with WebInspect it's a simple two-step process from initial scan to data extraction:

Step 1: Run the vulnerability scan to find SQL injection flaws. Finding it is half the battle. Most vulnerability scanners have no clue of its existence.

Step 2: Right-click on the finding, load the SQL Injector tool to confirm the injection and then click Pump Data to automatically siphon data out. Yes, it's that simple. (Note: in this test instance, extraction was not possible but it is in at least half of the SQL injection flaws I come across).

At your option, you can also use WebInspect's Vulnerability Review function to go back and test the SQL injection flaws once a fix is put in need for a full rescan. Love it.

Folks, this is something that cannot be taken lightly. I'm not just talking about SQL injection itself but the fact that your tools may not be providing you the right information you need. As I've said before, You cannot secure what you don't acknowledge. In this case, I'll tweak that a bit and say You cannot secure what you cannot find. Just because the tools you're using aren't finding or exploiting SQL injection doesn't mean it's not a problem. Trust but verify.

Friday, December 16, 2011

AlgoSec & what happens when you don't look for flaws from every angle

I recently had the opportunity to see how well AlgoSec's Firewall Analyzer performs in a real-world security assessment. Long story short, Firewall Analyzer found a weak password on an Internet-facing firewall that would've gone undetected otherwise. A traditional vulnerability scanner didn't find it nor did two different Web vulnerability scanners. Nothing was uncovered via manual analysis either.

Only AlgoSec's Firewall Analyzer found the doubt a flaw that would've been exploited eventually.

Folks, information security is about piecing things together. We're never going to find it all but we darn sure need to use every means possible to check for flaws from every possible angle. Underscope your assessments and you're screwed - at best you're living a delusional world. Case in point, I just reviewed a vulnerability assessment report that looked at every single external and internal IP address belonging to a business but not a single marketing site, e-commerce application or intranet portal was tested. And everything checked out "OK". The result that the executives saw was Low Risk Overall.


Just like I tweeted about today regarding what Qualys finds in vulnerability scans versus much of the "free" and commercial competition (there's no comparison)...I honestly believe that some big data breaches that have already occurred and have yet to happen will be related to using the wrong tools...or not enough tools...that combined with people not testing all the systems that matter. People aren't looking at the whole picture.

I know, you can't rely on tools alone but by golly you'd better make sure you're not only looking at everything that matters but you're also using the best tools possible when doing your security testing. Here's a new bit I wrote that covers this very subject:
Good Web Security Tools and Why They Matter

Thursday, December 15, 2011

Big-data-retention-storage-security...what a mess!

I've written some new bits on storage security and data retention that you may be interested in...especially as your move your "big data" to the cloud in 2012. You are going to do that, right? ;-) Enjoy!

Data security and backup encryption remain critical

Secure data storage strategies and budget-friendly security tools for SMBs

Heading in the Wrong Direction with Data Protection?

As always, be sure to check out for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Going green's tie-in with infosec

If you've been following my blog and my principles for even a short period of time you've probably figured out that I pull no punches when it comes to personal responsibility and limited government. There's hardly anywhere I'm more passionate in this regard than the marketing smoke and mirrors of "Going Green" and the religion of "global warming". I should say "climate change"; that covers warming and cooling for the anti-Capitalist movement, right?.

Bandwagon jumping aside, I do believe that it's up to all of us to take reasonable care of the environment through recycling, minimizing the energy we use and so on. In fact, I strongly believe that if we all just did a little bit in terms of personal and business recycling and being smarter about energy consumption that we could make a huge difference for future generations.

Ditto with information security. I truly believe if we all just did a little bit more...if management exercised more common sense, if users clicked on fewer unsolicited links and if IT managers and developers fixed the low-hanging fruit - the basics of what's continually exploited - just imagine how much more secure our information would be..

The problem is getting people to take personal responsibility for their actions. There's a big, big hurdle with that though and therein lies the problem.

Be it heads in the sand over information security or society slowing dismantling the very essence of what's given us our standard of living in the name of "global warming", as Ayn Rand said: We can evade reality but we cannot evade the consequences of evading reality.

Monday, December 12, 2011

Why uninterruptible power supplies have higher quality than Web apps

I recently purchased an APC uninterruptible power supply for my office and noticed something peculiar in the packaging. It was a small piece of paper that says "QUALITY ASSURANCE TEST". It has the time, date, operator ID and other identifying information for the specific piece of hardware.

As you can see in the image, this QA test sheet has 33 unique tests that were performed on the unit presumably before it shipped. Everything from polarity checks to AC line calibration to beeper tests were performed on this system.

Then it occurred to we actually demand better quality from uninterruptible power supplies like this than we do from the Web applications that power our businesses? I don't know that we *demand* it but it sure is coming across that way!

Sure, there's unit testing, functional testing, user acceptance testing and so on around any given Web application, but where's the real quality when it comes to security and overall application robustness.

I know companies like APC wouldn't dare let a low-quality uninterruptible power leave the building yet so many companies of similar size and visibility do this every single day with their software. Numerous studies are done each year on security being a missing component of software quality...yet the problem continues on as if it's someone else's problem. I see it in my work every day and we're all impacted when data breaches occur.

Where are we failing ourselves here? Our priorities are misplaced to say the least.

Sunday, December 11, 2011

Windows security exploits, all over again

There's a good bit brewing in the Windows world regarding security and I suspect 2012 will make for an interesting year...Here are some new pieces I've written for TechTarget along these lines where I cover Windows 8 and SharePoint security, using Metasploit to exploit flaws as well as some Windows security oversights I see in practically every internal security assessment I do. Enjoy!

Patching and continuous availability in Windows Server 8

SharePoint security should not be an afterthought

Five Windows environment security flaws you may be forgetting

As always, be sure to check out for links to all of my information security whitepapers, podcasts, webcasts, books and more.