[BreachExchange] The Impact of the Vault 7 Breach Will Be with Us for Years

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 17 15:49:05 EDT 2017


https://dzone.com/articles/the-impact-of-the-vault-7-breach-will-be-with-us-f

It’s safe to say that the security teams at the US Central Intelligence
Agency are busy assessing the damage to their cyber surveillance
capabilities now that Wikileaks has dumped what is believed to be the
Agency’s hacker toolkit into the wild. For any Nation-State, it’s a
devastating event to have their secret weapons suddenly made public for all
to see and use.

Every malicious hacker dreams of getting their hands on the CIA’s tools.
While the popular press has focused on the ability to turn IoT devices into
surveillance tools and the privacy risks that represents, the real danger
here is the potential for a tidal wave of Zero Day attacks aimed at
enterprises, especially enterprise web applications.

But, for every person’s dream, there is a companion nightmare scenario.
While network security gets all the attention, malicious hackers' number
one attack target is applications, which more often than not contain known
and unknown software flaws. The release of an entire library of previously
unknown attack vectors means that under-resourced and over-worked
application (and network) security teams must prepare for the inevitable –
tools intended for government intelligence being directed at businesses of
all sizes.

Unplugging your Amazon Echo and smart TV fixes the issue for most consumers
who are concerned. However, it will take enterprise security teams and
software vendors months, weeks, or years to address the new exploits headed
their way over the next year or longer (Data thieves are a notoriously
patient lot and are more likely than not to drag out the release of these
exploits for years).

Simply put, the good guys are about to be outgunned. There are, though,
steps enterprise security teams can take today and in the coming weeks to
prepare for what could be a prolonged period of never-seen-before attacks.

Stop blindly trusting your software. Software flaws don’t just occur in the
code your team writes and you should be looking for and protecting against
vulnerabilities in every part of your software stack, including the
platform itself. Add security controls throughout your software supply
chain and software stack, and perform security code reviews on all code
that receives user input.

Prioritize patches. For most organizations, the vulnerability find-to-fix
ratio is 5-10:1. In larger enterprises, that can represent tens of
thousands of vulnerabilities across hundreds of applications and instances.
Finding the flaws is not the issue – protecting against them as fast as
possible without service disruption is. Look to virtual patching as a means
to provide immediate protection while you prioritize the flaws that need to
be physically patched.

Harden your applications. Virtually every web application includes unused
and unneeded APIs and other software code that your team did not develop.
You can reduce the attack surface by turning off the software elements you
don’t need. This will dramatically improve your defense against any Zero
Day attack arising from Vault 7.

Add deterministic-based defenses, not heuristics. There is a public policy
debate in the US about whether the government should require/request
software firms to include undisclosed backdoors that may now be open to
exploitation. While that debate rages above all of our pay grades, security
teams can address many of these issues by imposing a rules-based approach
to security instead of the current guesswork-based heuristic defenses.
That’s a longer-term approach, but worthy of immediate evaluation.

Separate privileges and run the software using the lowest privileges. In
most cases, attackers escalate their privileges after initial access to
cause more damage to the compromised system and access restricted
information/functionality. To avoid such scenarios the system must be
compartmentalized, its trust boundaries and data flows must be identified,
and separate privileges need to be defined for each trust boundary. This
usually requires an in-depth architectural analysis of the software system,
but software tools can help automate this task.

Each of the past five years has set records for the number and severity of
attacks. Thanks to the Vault 7 breach, 2017 may be the worst yet.