SQL Injections

A Q&A with Branden Williams, CTO of Marketing at RSA
SQL (Structured Query Language) is a standardized language for interrogating relational database systems, which are found in most companies for business applications (especially web-facing apps). SQL injection is one of the most common technical exploits used to perpetrate the theft of sensitive information. To understand a little bit more about how it works and how companies can prevent it, I spoke with Branden Williams, CTO of Marketing at RSA, the security division of EMC in Dallas, TX.

What is SQL injection, in layman’s terms?
If you look at the word “injection” and think about how it’s used medically that’s an easy enough analogy to start with. Basically, in this situation someone is looking at input fields in a website and “injecting” or typing in characters that will force the system/application to do things on the back end. They might use it to extract information from the web application or to execute other commands. They might codify information, delete information or create a backdoor to get into the database. Any field can be exploited any time there’s an opportunity to enter something. This is a malicious attack that can be performed with very little touch from a human being. It’s been going on for over a decade and it’s an easy way in, providing the developer has been sloppy and hasn’t covered all the bases. SQL injection is a significant threat, as far as remote attack threats go, due to the rapid nature by which software applications evolve; however, companies these days tend to be more concerned about threats from social engineering—data breaches with insider help.

How can I tell if my internet-facing applications are susceptible?
The easiest way to tell is to perform source code analysis and have a third party—a security firm or a consultant—take a look at penetrating the application. A penetration test alone can come up with certain telltale signs that the applications could be vulnerable. However, the challenge is that you can run into consultant analysis time issues. Someone on a delivery budget might not be looking at the site long enough to find the vulnerability, and analyzing the code versus in the context of a front end analysis is going to be faster and more effective. If you have a serious vulnerability on the site most tools can find it quickly, but it’s the problems that are buried deeper that might be harder to find. It can be an expensive review.

How can companies mitigate or prevent this threat exposure?
The best way—and unfortunately it kind of sounds really easy when it isn’t—is just performing input validation on any piece of data that comes in. Your applications should reject characters they don’t recognize. It’s helpful to know what special characters are out there—the apostrophe, for instance, is often used in SQL injection. Implementing validation can be done manually or through automated tools. There are advantages and disadvantages to both, depending on the system. In addition, companies are starting to deploy firewalls at the database level as an added layer of defense.
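To make the two points above concrete (an apostrophe in unvalidated input changes the meaning of a query built by string concatenation, while a parameterized query and an allowlist check keep it as plain data), here is an added example written for this post, not code from RSA or from the interview. It uses Python's built-in sqlite3 module with a small constructed user table; the function and table names are illustrative.

```python
import re
import sqlite3

# Constructed sample rows for an in-memory database (not from the original post).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Allowlist: the only characters the application expects in a username.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable pattern: the input is pasted into the SQL text, so an
    # apostrophe terminates the string literal and alters the statement
    # instead of being treated as data.
    sql = "SELECT email FROM users WHERE name = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened pattern: the driver sends the value separately from the
    # statement text, so any characters in it stay plain data.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]


def is_valid_username(username: str) -> bool:
    # Input validation as the interview recommends: reject anything
    # containing characters the application does not recognize.
    return USERNAME_RE.fullmatch(username) is not None


def demo() -> dict:
    conn = open_db()
    results = {}
    results["safe_normal"] = lookup_safe(conn, "alice")
    results["unsafe_normal"] = lookup_unsafe(conn, "alice")
    # A name with an apostrophe: harmless to the parameterized query
    # (no such user, empty result) ...
    results["safe_apostrophe"] = lookup_safe(conn, "o'brien")
    # ... but it breaks the concatenated query, which is the symptom
    # a penetration test looks for.
    try:
        lookup_unsafe(conn, "o'brien")
        results["unsafe_apostrophe"] = "no error"
    except sqlite3.OperationalError as exc:
        results["unsafe_apostrophe"] = "error: " + str(exc)
    # The allowlist rejects the apostrophe before the query is ever built.
    results["validated"] = [is_valid_username(u) for u in ("alice", "o'brien", "a b")]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```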

In conclusion…
Thanks, Branden. It’s very important for companies to recognize the threat and display some ongoing vigilance to hardening their internet-facing applications to prevent SQL injection since history has taught us it’s a favorite method for attackers who have successfully breached an untold number of major businesses to date—including TJX, Hannaford, 7-Eleven and Heartland Payment Systems (see story)—acquiring sensitive personal information about their customers. For more information, download Branden’s presentation from last year’s NetDiligence® Cyber Risk & Privacy Liability Forum called The Basics of SQL Injection – And How to Prevent It!

Vendor Data Breach Exposure: Dos and Don’ts

A Q&A with David Navetta, Founding Partner of Information Law Group
When an organization outsources their computing or allows a third party to retain care, custody and control of their private data, they are exposing themselves to risk. I talked to David Navetta, founding partner of Information Law Group, about the precautions that organizations can take to protect themselves from vendor mishaps.

What cyber risk exposures or legal liabilities should a business worry about when outsourcing to a consultant, partner or cloud provider?
The key thing to realize is that in most cases when a vendor or third party is given access to a company’s or data owner’s sensitive information, the company is still responsible and legally liable for that information. So the data owner needs to know ahead of time what kind of controls are in place for security, who owns the information, and what will happen during a security event. All of this should be established up front so that if, and when, there is actually a security breach, the response will be swift and cooperative.

Contractually, how can an organization mitigate its risk exposures?
I usually recommend the inclusion of a data security schedule or some sort of exhibit that lists preventive controls and the requirements to implement these controls—for instance, encryption that would prevent a security breach from happening in the first place. There are actual laws that dictate that companies handling information must have a security program so you want to put those controls into the contract. You also want to do an assessment or audit during the term of contract—obviously, you want to look at the company at the beginning and do some due diligence and ask questions. But over the course of a long-term contract controls and measures can become obsolete or new types of attacks and vulnerabilities can emerge and may need to be addressed. That’s why you want to put in audit rights and assessment rights that allow you to look under the hood to make sure the vendor is keeping up to speed with current threats over time.

What are some must-have legal/contract items to include in any service level agreement or outsourcing agreement?

  • Incident response procedures: Providers or outsourced vendors have their own process for handling data breaches but that process needs to be looked at and it needs to be as seamless as possible between customer and vendor. That’s why you must put contract terms in place and lay out a procedure that allows the customer to respond to a breach as if it’s happening internally. This should include forensic assessment, a specialized IT investigation of what happened in the breach and what data may have been exposed. Sometimes service providers don’t want customers poking around in their IT systems—but you can address that in the contract terms so it’s in place. You may get pushback from the vendor, and you might have to try negotiation—a lot of that depends on the leverage and power of the parties involved, and the size of the contract.
  • Liability is another issue: Most service providers put a limitation of liability clause into the contract—the vendor’s liability might be limited to six months’ worth of fees for a data breach, and the vendor can’t be held responsible for consequential damages. But that might not be anywhere close to what the loss is for the customer and then the customer gets left holding the bag, even though the breach was the vendor’s fault. It’s a huge negotiating point and even bigger companies find it difficult to get leverage on limitations of liability. From the vendor viewpoint, if a breach happens it might impact 100 customers, so if they don’t limit liability, they might have all 100 of those customers threaten a lawsuit.
  • The concept of reasonable security: Laws often require certain controls, such as encryption, firewalls or access controls, and it’s not uncommon to see those listed out in a contract with a vendor. In addition, a lot of laws say you need to have “reasonable,” “appropriate” or “adequate” security—this is not necessarily defined because what’s reasonable on day one might not be effective down the line. A “reasonable security” standard should be in the contract to ensure the company is holding the vendor up to modern-day standards of security.
  • Assessment and audit rights, including forensic assessment: If there’s a breach, you want to be able to have someone go in, take images of hard drives and go onsite to find out what’s going on, so that should be in the contract.
  • Indemnification and reimbursement: If there’s a lawsuit due to a security breach on the vendor side or the vendor failed to comply with requirements for either security or privacy, an indemnification clause allows the customer to not have to pay for attorney fees, or costs related to judgment or regulatory action. I usually put in a clause for reimbursement for personal information data breaches and there are five different types of costs it covers: attorney fees, forensic investigation, credit monitoring services, call center services, and PR-related expenses.
  • Insurance: There should be a clause requiring the vendor to purchase cyber insurance to cover a breach, especially for smaller vendors who may not have a lot of money.

In conclusion…
Thanks, Dave. In summary, as more clients consider leveraging online third party-controlled applications (e.g., cloud providers) for their computing and storage, it’s crucial to plan for an inevitable data breach incident. After all, statistics show that most companies will experience a data breach at some point in time. As such, it’s paramount to have in place a granular process that will give you some direct rights and control over the future breach investigation, remedy and notification to your customers.


Cloud Security

A Q&A with Robert Krauss, Director of Enterprise Sales and Alliances at BitDefender
Whether they are looking for robust third party business applications, cost-effective storage, or saving on IT operational maintenance, businesses are increasingly thinking about outsourcing their computing to the cloud (i.e., remote computing and storage environments). As cloud technology is gaining some acceptance, however, organizations should be aware of the risks that it poses. I spoke to Robert Krauss, director of enterprise sales and alliances at BitDefender, about some basic security concerns and strategies for safe cloud usage.

What are some legitimate security concerns about Cloud Computing?
Encryption is a concern, since many providers don’t offer native encryption for data at rest. These days most providers are pushing customers to a third-party solution. This way, if an organization requests the data for a legal order the provider can hand over scrambled 0s and 1s and say that the organization will need the key from the end user. This cuts down on the resources required to service every request on the provider’s end. If I was implementing a solution today, I wouldn’t have all of my eggs in one basket. For example, I might have the cloud service provider host the data, but I would have the keys generated onsite or via the encryption solution provider, with my organization controlling the key generation. This way no one has all the control.

IDS/ Logging is another concern. If you want to implement IDS, you may be handicapped by the provider’s terms of use and the inability to sniff LAN traffic.
It’s true that there’s a limit to what you can get from the network from cloud service providers. You can do host-based IDS through a variety of vendors, or this functionality can be made available from the cloud service provider for an added fee.

I hear all the time from customers that their current vendors say that their applications should work exactly the same in the cloud. This isn’t always true, especially around security. There are many new products that are optimized for virtualized, cloud environments. So I would say don’t take a vendor’s response at face value.

What are some common misconceptions about security and cloud computing?
I think that the idea that the cloud offers a single point of failure is one of the biggest misconceptions out there. Actually, I think the cloud provides way more redundancy at a fraction of the cost of in-house data storage. Most cloud providers can provide better zonal coverage, which equals redundancy. For example, Amazon has five regions on four continents with redundancy in each. To do this in-house would be a massive undertaking and expense when it’s not a core part of the customer’s business.

Another issue is access controls. People often think that there is generally only minimal user authentication required for shared access. I disagree as access in the cloud is typically user configurable, and organizations can apply the same levels of authentication if they use the right tools, and there are many out there now.

People also tend to be concerned about timely patch management and this is another area that I actually think is easier in the cloud. Again, this comes back to how your organization does these activities today. The cloud provider doesn’t know or care what OS or applications you are running, so ultimately it’s the user’s responsibility to make sure there is adequate protection.

What security concerns are the same for cloud and private networks?
Here, too, there are many misconceptions. Most people believe that control of the data is more of an issue in the cloud, because when you have your data behind a firewall and on your servers, you know where it’s stored. However, I would say that if you take precautions to protect your applications and data you have similar control in the cloud as you do elsewhere.

Another concern that I’d argue is the same in the cloud as in private networks is data segregation. It is true that there’s a shared underlying infrastructure in the cloud. Do I worry about co-mingling of data or data being leaked? No, or at least not more than I would if the data was stored in-house. What’s to say a disgruntled employee at your organization couldn’t steal or leak data? It’s perhaps even easier when it’s in-house because that employee probably knows what he’s looking for. Keep in mind, too, that there are variations between cloud providers. Sure, you can go into your cloud service provider and pay for basic service. However, most offer options for dedicated storage and data encryption.

Back-up and retention of records involve the same risks whether you use the cloud or not. As with an organization’s physical network, all of the back-up functionality is built into the cloud. It is up to the organization to decide what gets backed up, and to where, and who internally has access.

The cloud can offer redundancy, so there should not be a threat of a prolonged outage resulting in business interruption. Again, this is exactly the same as if you provided the network in-house. It becomes a question of architecture. Months ago, we saw a cloud provider have an outage, and some of its customers were unaffected because they planned failover into their architectural decisions.

As far as SLAs go, most providers can provide higher security assurances for you, but you’ll pay more. Most providers have done compliance for PCI, SOC1, and will provide access to audit reports so you know what the vendor is responsible for.

What are some security solutions for cloud computing?
In terms of encryption, there is Trend Micro’s SecureCloud, and your readers should look at SafeNet for encryption as well. In general, the key here is that organizations should start slow with an application to get their feet wet, and avoid any data with confidential information at first. If an organization is going to put confidential information out there, they absolutely should use some sort of encryption technology. They should expect a slight overhead in the range of 8-10%.

In addition to protecting their data, organizations should leverage technology from organizations like BitDefender, which are specially designed for this sort of environment. Users need to think about this process in terms of protecting themselves from the hypervisor up. It’s not just about protecting data but the OS and the applications that interact with the data. Keep in mind that different infrastructure as a service (IaaS) providers offer different services. For example, AWS provides the core infrastructure. However, they provide a whole ecosystem of solutions for organizations to work with directly. Others like GoGrid can help you bundle solutions specific to your requirements.

In conclusion…
There are some concerns pertaining to cloud-based services that insurers and clients should strive to understand, but one may argue that for a small or medium-sized organization, a cloud provider may have the resources to protect network assets and information in a stronger manner than if the organization internalized that responsibility and function. Mr. Krauss did a nice job of summarizing some emerging third-party encryption solutions that can help organizations protect their outsourced data. Should a hacker breach occur they could still have some protection, including legal “safe harbor” to mitigate their data breach (liability) risk exposure.


Crisis Data Breach Response: Legal Counsel

A Q&A with Jon Neiditz, Partner at Nelson Mullins
As part of an ongoing series of posts, I’m talking to experts in the field about the true costs associated with “crisis” data breach response services. Today we’re looking at legal counsel, and I spoke with Jon Neiditz, partner at Nelson Mullins and the founder and co-leader of its Information Management practice.

When and how do clients engage with your services?
In the best-case scenario, I’ve already been helping the organization develop their information security and incident response program. But I often get calls from an organization that I don’t have a prior relationship with. They’ve had a data breach and they’ve called their broker or insurer and the broker or insurer sends them to me. In general, I like to be involved from moment one.

What happens after the call?
First of all, you need to focus on identifying and containing the incident and harm. Second, you need to assess regulatory requirements and legal exposure in all 50 states plus international laws. And then you need to think about every contractual relationship with your vendors. I basically act as a breach coach—I’m not setting up the call center or the credit monitoring or mailings, but I’m making sure all these things happen in a seamless way that enhances trust and communication. I generally advise people not to use a single vendor but to use whichever ones offer the best service, and most are generally good at one thing.

What problems or hurdles do you typically encounter?
In general, there really aren’t that many problems these days. People seem to be willing to do what they need to do. That being said, if there’s not an incident response program in place, decisions are not made in an efficient way. You have to have the right forensic resources with a plan. One thing that can be a problem is if there’s an outside PR firm that doesn’t understand breach-related risk. They need to be in sync with everyone else. The other problem is that companies need to be careful about contacting vendors because there are many ways that vendors can charge lots of money in these situations where they don’t need to. Vendors, not excluding lawyers, will try to take advantage, so negotiating things up front and creating caps on fees can be very important. One way to save money, for instance, is to pay for credit monitoring on an enrollment basis rather than a per-record basis—only 10 percent of people will actually enroll in the service, so that way you’re not paying for services people aren’t using.

What are the approximate costs for legal counsel for a data breach?
I’m astonished whenever I see the costs that are put out there. I have never, in the largest breaches I’ve dealt with, come close to US $100,000 in total legal costs. Small ones are $1,000 to $2,000 and medium sized ones are between $10,000 to $30,000. If you handle a lot of these cases as I have, you can make the services very cost-effective for clients and that’s what I try to do.

In conclusion…
Thanks, Jon, for sharing your experience. At NetDiligence®, we have found that a privacy lawyer (a.k.a. Breach Coach®) such as Mr. Neiditz can be a valuable first call for some clients in the initial crisis phase following a data breach event. Often, the client is panicking, and rightfully so—not many companies are pros at handling these types of emerging incidents and we know that they can turn catastrophic if they’re not dealt with properly. Moreover, some grounded/expert legal advice can often help the client calm down and review their response and legal compliance duties in conjunction with the actual breach facts at hand, avoiding a knee-jerk response that’s costly and unnecessary for both the business and their victimized customers.
