Saturday, February 27, 2016

Blog 11: SQL Injection

In my effort to increase security awareness and obtain a cultural acceptance, I wanted to bring a focus on a topic called SQL Injection.  

Structured Query Language, or SQL, has been around since the 1970s and is heavily used in today's connected web of data access. The purpose of SQL is to provide the instructions for interacting with the data residing within database systems. These back-end database systems can hold important information that is personal and confidential to the organization, as well as to the organization's customers, and should only be viewed by authorized individuals.

However, many attacks reported over the years have jeopardized the data held within these systems through a technique called SQL injection. SQL injection "injects" malicious SQL into a query that the application builds from user-supplied input, generally a web form field or a URL parameter, in order to gain unauthorized access to, or harvest information from, the database server. For example, the 2015 breach of VTech, a company that sells a plethora of kids' toys and more, was one of the largest attacks of that year to use SQL injection (ThompsonM, 2015). VTech's database servers were compromised during the attack, giving the hacker full access to and control over the data.

Even though organizations have built a level of awareness around this issue, SQL injection vulnerabilities remain among the most exploited flaws (Baker, A. 2013). In fact, a survey conducted by the Ponemon Institute claims SQL injection as the number one attack vector for 2015, and OWASP lists injection as a top ten threat category (Paganini, P. 2014). The impact of this type of vulnerability can be the compromise of an internal database, which tarnishes an organization's trust and brand with its customers, as it did with VTech.

Some of the primary defenses to consider against SQL injection attempts are parameterized queries, stored procedures, least privilege, and input validation. Parameterized queries (prepared statements) let the database distinguish between code and data: the developer defines all of the SQL up front and passes the user-supplied values separately as parameters, so the input is treated as data regardless of what it contains. Stored procedures can offer the same protection, provided the procedure is called with parameters and does not build dynamic SQL from its arguments internally; a stored procedure that concatenates its inputs into a query string is just as injectable as application code that does the same. Another simple, yet effective, defense is the principle of least privilege. This method minimizes the privileges assigned to every database account, so that the application's account has only the permissions required for its function, but nothing more; a read-only account, for example, limits what an attacker can do with a successful injection. Lastly, input validation, which rejects input that does not match the expected form (an allowlist of characters, a length limit, a numeric type) before the application processes it, reduces the attack surface, but it is a supporting control rather than a substitute for parameterized queries.
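To make the difference between concatenation and parameterization concrete, here is an added example in Python using its built-in sqlite3 module. It is not code from the original post or from any of the cited sources; the users table, the sample accounts and passwords, the function names, and the payloads are all constructed for illustration. The vulnerable login and search functions glue the user's input into the SQL string, the safe versions pass it as a parameter, and the allowlist check shows where input validation fits.

```python
import re
import sqlite3

# Constructed sample data for a throwaway in-memory database; the table and
# rows are assumptions standing in for an application's real back-end
# database. Passwords are stored in clear only to keep the example short;
# a real application stores password hashes.
SAMPLE_USERS = [
    ("admin", "s3cret", "admin"),
    ("alice", "wonderland", "user"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def vulnerable_login(conn, username, password):
    """Builds the query by string concatenation: the database cannot tell
    where the developer's SQL ends and the user's input begins."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterized query: the SQL is fixed before the values are supplied,
    so whatever the user types is treated as data, never as code."""
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def vulnerable_search(conn, term):
    """Concatenated LIKE search; a UNION payload can pull other columns."""
    query = "SELECT username FROM users WHERE username LIKE '%" + term + "%'"
    return [r[0] for r in conn.execute(query).fetchall()]


def safe_search(conn, term):
    """Parameterized LIKE search. Parameterization stops SQL injection but
    does not neutralise LIKE wildcards (% and _) inside the term; limiting
    those is a job for input validation."""
    query = "SELECT username FROM users WHERE username LIKE ?"
    return [r[0] for r in conn.execute(query, ("%" + term + "%",)).fetchall()]


# Allowlist validation: a username is letters, digits or underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin'--"  # closes the string literal, comments out the rest
    print("vulnerable:", vulnerable_login(db, payload, "wrong"))
    print("safe:      ", safe_login(db, payload, "wrong"))
    print("harvest:   ", vulnerable_search(db, "%' UNION SELECT password FROM users--"))
    print("validated: ", is_valid_username(payload))
```

With the payload admin'-- the concatenated query becomes SELECT role FROM users WHERE username = 'admin'-- ... and the password check is commented away, so vulnerable_login returns the admin role without a password, while safe_login returns nothing. The UNION payload turns the search into a dump of the password column. Note that safe_search with a term of % still matches every row: that is the LIKE wildcard, not injection, and it is the kind of thing the allowlist check is for.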

With the many internal and customer-facing applications spanning the Internet to support business initiatives, it is exceptionally important to provide methods to protect the confidentiality and integrity of this data. To assist in this effort, OWASP provides guidance in the form of a Prevention Cheat Sheet that can be reviewed, adapted, and implemented. The link to the Cheat Sheet is in the references below (SQL Injection Prevention Cheat Sheet, n.d.).

Thank you for reading! Until next time, remember that you don't have to become a victim of a threat to become aware of a threat!

References:

Baker, A. (2013, August 22). 14 Years of SQL Injection and still the most dangerous vulnerability. Retrieved February 25, 2016, from https://www.netsparker.com/blog/web-security/sql-injection-vulnerability-history/

Paganini, P. (2014, April 18). Ponemon study – SQL Injection attacks too dangerous for organizations. Retrieved February 27, 2016, from http://securityaffairs.co/wordpress/24094/cyber-crime/ponemon-sql-injection-attacks.html

SQL Injection Prevention Cheat Sheet. (n.d.). Retrieved February 27, 2016, from https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

ThompsonM. (2015, December 03). VTech Hack Reminds Us that SQL Injection Can Have Serious Consequences. Retrieved February 25, 2016, from http://coar.risc.anl.gov/consequences-of-sql-injection-attacks/

Saturday, February 20, 2016

Blog 10: Security's Weakest Link (Social Engineering)

In my effort to increase security awareness and obtain a cultural acceptance, I wanted to bring a focus on a topic called Social Engineering. Social engineering is a technique used to manipulate individuals into a desired outcome, such as disclosing information or taking an action they otherwise would not. It is a form of human trickery and has been called the weakest link in security.

Unlike technical controls, which are built on rules and algorithms, humans are driven by feelings and emotions. These responses make up our natural instinct to trust others and to want to help. Most of us were raised to "love thy neighbor," or to "do unto others as you would have them do unto you." Exactly these instincts are what a skilled social engineer counts on to breach the "human firewall" and draw unsuspecting individuals into a cybercrime event.

To illustrate, in 2015 Ubiquiti Networks, a San Jose based technology company, fell victim to an email-based social engineering attack that resulted in the loss of $39.1 million (Honan, B. 2015). As stated by Honan (2015), "it appears a member of staff in one of its subsidiary companies based in Hong Kong fell victim to what is known as a 'CEO scam', which is where a social engineer impersonates a senior staff member within the organization." When someone successfully impersonates a senior staff member, people tend to fall back on their natural human response of trust. In this case, that natural response created a devastating monetary and brand repercussion for the organization. One of the most powerful ways for social engineers to penetrate the human firewall is phishing, as it takes less time and effort to achieve their desired result (Mijares, A. 2015).

These types of attacks are on the rise; however, with the right amount of training, awareness, and guidance, the people within an organization can become an exceptional defense against social engineers who seek to exploit the human firewall for malicious purposes. Instead of accepting an email or an unknown individual at face value, learn to overcome our natural instincts and verify the request through a channel you already trust (a phone number you already have on file, not one supplied in the email) before opening the "ports" of your human firewall.

For more information on protecting against social engineering attacks, spend some time searching online and consider the book The Art of Deception by Kevin D. Mitnick and William L. Simon, with a foreword by Steve Wozniak (Review of The Art of Deception, n.d.). You will find a plethora of information to help you put a training program together for your organization.

Thank you for reading! Until next time, remember that you don't have to become a victim of a threat to become aware of a threat!

References:
Honan, B. (2015, August 6). Ubiquiti Networks victim of $39 million social engineering attack. Retrieved February 18, 2016, from http://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social-engineering-attack.html

Mijares, A. (2015, October 22). Social engineering: Employees could be your weakest link. Retrieved February 18, 2016, from http://www.computerworld.com/article/2996606/cybercrime-hacking/social-engineering-employees-could-be-your-weakest-link.html

Review of The Art of Deception. (n.d.). Retrieved February 18, 2016, from http://www.techsoc.com/deception.htm



Friday, February 12, 2016

Blog 9: Tales from the Crypt(ography)

Image courtesy of Stuart Miles at FreeDigitalPhotos.net
In my effort to increase security awareness and obtain a cultural acceptance, I wanted to bring a focus on the importance of using the science of cryptography to secure your data and communication channels through encryption.

The main focus of this post is to give the reader an understanding of the basic science behind cryptography. To do this, we will look at a very simple encryption algorithm, a shift cipher (a form of substitution cipher, often called the Caesar cipher), and see how it is applied to a cleartext message to produce ciphertext for secrecy. To decrypt the message, the recipient needs both the algorithm and the associated key.

In the days before computers, messages were passed in written form, such as ink on a scroll, and carried by a soldier on horseback to the intended recipient. Even then, specific methods were used to protect the confidentiality of the message by manipulating its letters so that it appeared to be nonsense to anyone who intercepted it, maliciously or unintentionally. The intended recipient, however, could reverse the method and read the message, as long as the algorithm and key had been shared in advance.

These methods are known as cryptography, the science (and art) of secret writing: applying an algorithm and a key to a message to make it difficult, if not impossible, for anyone without the key to recover the original information. Transforming the message is called encrypting it, and reversing the transformation is called decrypting it.

To illustrate, let's begin with the shift cipher. This algorithm shifts each letter of the message a fixed number of positions to the right in the alphabet, wrapping from Z back around to A. The number of positions to shift is the "key." For example, a "Rot 3" (rotate by 3) key would shift the first letter of the cleartext message below, M, three positions to the right, giving P.

Using the image below, we will begin with what is known as the plaintext, or original message, and apply the algorithm to it to produce the ciphertext. The algorithm we will use is the shift cipher with a Rot 5 key, and the plaintext I have chosen is:

MEET ME AT FOUR PM ON ELM STREET TODAY

Image Produced by Troy Bevans

To encrypt the plaintext into ciphertext, start with the first letter of the message, M. Since we are using the Rot 5 key, find M in the top row of the grid, where the alphabet is written in the shaded gray area, and take the letter directly below it, R, as the first letter of the ciphertext. Repeat this for every letter; the spaces are dropped so that word lengths give nothing away. Once you have completed the entire message, the ciphertext looks as follows:

RJJYRJFYKTZWURTSJQRXYWJJYYTIFD

As you can see, someone who received this message without knowing how it was encrypted would have some work to do. Suppose you knew a shift cipher had been used but not which key (Rot 3, 4, 5, and so on). It would take a little time to work back to the cleartext, but not much: there are only 25 possible shifts, so trying them all and looking for readable English breaks the message in moments. That is why the distinction matters. The shift cipher is the algorithm; the number of positions to shift (Rot 5) is the key. Put together, they let you encrypt and decrypt the message, adding a layer of protection for the confidentiality of the message the soldier carries on horseback to its intended recipient. Modern ciphers keep the same split between algorithm and key, but their keys are far too large to try one by one, and their security rests entirely on the key staying secret, not on the algorithm being unknown.
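Here is the Rot 5 example from the grid above, worked in Python, as an added example rather than part of the original post. It encrypts and decrypts the message with the shift cipher and then does what an interceptor who knows the algorithm but not the key would do: tries all 25 keys and picks the one whose output looks most like English. The letter-frequency scoring and the names encrypt, decrypt, brute_force, and guess_key are my own choices, not anything from the post.

```python
import string

ALPHABET = string.ascii_uppercase

# The six most common letters in English; used only to rank brute-force guesses.
COMMON_LETTERS = set("ETAOIN")


def normalize(text):
    """Upper-case the message and keep only A-Z, matching the post's grid,
    which has no entries for spaces or punctuation."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def shift_cipher(text, key):
    """Replace each letter with the one `key` positions to its right,
    wrapping from Z back to A. A negative key shifts left."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + key) % 26] for ch in normalize(text)
    )


def encrypt(plaintext, key):
    return shift_cipher(plaintext, key)


def decrypt(ciphertext, key):
    # Shifting left by the key undoes the right shift applied by encrypt().
    return shift_cipher(ciphertext, -key)


def brute_force(ciphertext):
    """The interceptor knows the algorithm but not the key: there are only
    25 useful keys, so try every one of them."""
    return {key: decrypt(ciphertext, key) for key in range(1, 26)}


def english_score(candidate):
    """Crude readability test: how many letters are among E, T, A, O, I, N."""
    return sum(1 for ch in candidate if ch in COMMON_LETTERS)


def guess_key(ciphertext):
    """Pick the key whose decryption scores highest as English."""
    candidates = brute_force(ciphertext)
    return max(candidates, key=lambda k: english_score(candidates[k]))


if __name__ == "__main__":
    message = "MEET ME AT FOUR PM ON ELM STREET TODAY"
    ct = encrypt(message, 5)
    print("ciphertext :", ct)
    print("decrypted  :", decrypt(ct, 5))
    best = guess_key(ct)
    print("guessed key:", best, "->", decrypt(ct, best))
```

For the post's message the brute-force scorer lands on key 5, because the correct decryption contains far more E, T, A, and O than any of the other 24 candidates. On a very short ciphertext the scorer can be fooled, which is why an attacker would simply read all 25 candidates; either way the key space is too small to protect anything.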

Encryption algorithms have come a long way since the days of the scroll and delivery by horse. With that in mind, I am sure glad my computer does all of this encrypting and decrypting for me! Aren't you?

Thank you for reading! Until next time, remember that you don't have to become a victim of a threat to become aware of a threat!

Tuesday, February 2, 2016

Blog 8: One Person's Trash is Another Person's Treasure (Dumpster Diving)

Image courtesy of keerati at FreeDigitalPhotos.net
In my effort to increase security awareness and obtain a cultural acceptance, I wanted to bring a focus on the importance of properly disposing of personal items, such as equipment, documents, and data, to prevent individuals from snooping through your trash for personal information. As the title of the blog states, one person's trash is another person's treasure.

I remember when I was around 9 years old, my brother and I were walking down the street, on a hot Summer day, towards the playground. It just so happened to be trash day and everyone had their items to be disposed of sitting nicely on the curb in front of their homes. Some of the items were in large bins, some in bags, while others were in their regular form staring right back at us as we walked by. 

As we continued towards the playground, a particular item caught the attention of my brother. He stopped abruptly and strongly nudged me in the side to take a look. After yelling "OUCH!" and attempting to nudge him back (typical sibling love), I focused in the direction of the object of interest. Lo and behold, sitting right in front of us, waiting to be taken by the sanitation engineer, was the first color television my family would own (sure glad it wasn't the last). That's right, I am either that old, or we were that poor!    

Now, this television didn't hold any personally identifiable information (PII) relating back to the original owners, nor were we looking for anything of the sort. In fact, we weren't even looking for a television that day. However, it is an example of how one person's trash can become another person's treasure. In this case, the treasure was a color television that only required two or three kicks in the side to make it turn on.

If we fast forward a couple of decades, the disposed television becomes a personal computer. Its hard drive may hold a great deal of personal data on the platters inside that metal box, and a malicious user who obtains it can learn a lot about the previous owner, including PII. Move forward another decade and we may find a thumb drive nestled at the bottom of a trash bin holding equally interesting information, such as financial, tax, and password documents. Is the "treasure" the computer or the thumb drive, or the data discovered on the device?

Once you have decided that a device no longer serves your purpose, it needs to be properly disposed of to preserve confidentiality, including wiping all traces of digital data. Deleting files, or even reformatting the drive, is not enough: the data stays on the media until it is overwritten (or, for an encrypted drive, until the key is destroyed) and can be recovered with readily available tools. Corporations generally contract with businesses that provide certified data destruction services. As a consumer, research the correct way to wipe your digital data and dispose of your equipment safely, effectively, and securely.

Digital data is not the only item to keep in mind when it comes to garbage day. "Ink on paper" is an exceptionally easy target for malicious users looking for personal information to use in malicious deeds. Even though some may feel this is the "digital age", many organizations and individuals still exchange hard copies every day. Some examples of common documents are tax records, banking statements, health records, bills, invoices, customer receipts, vacation records, and more. Once these documents have been read and are no longer required, they tend to be crumpled into a ball and used as a free throw shot off a wall (Yay! 2 points!!). The old saying "out of sight, out of mind" does not apply here, as these documents can easily be read by an individual diving through your dumpster. In fact, no special tools are required to obtain this information, other than some gloves and a nose plug.

An easy way to keep ink on paper from being read by someone else is to shred your paper documents. Corporations may also have agreements with secure document shredding services, but as a consumer, pay attention to the type of shredder you use. A strip-cut shredder turns a page into long strips that can be laid back out and reassembled like a puzzle; a cross-cut (or micro-cut) shredder cuts those strips into small pieces. Make it your goal to reflect the appearance of ramen noodles, not a puzzle that could easily be solved. I have added a picture below showing the difference between the two.

Even though that first color television is long gone, I can at least enjoy watching the news about dumpster diving, and other cybersecurity events, in color on my new LED smart TV...which brings a whole new level of security problems of its own!

Thank you for reading! Until next time, remember that you don't have to become a victim of a threat to become aware of a threat!