23 posts from July 2012
July 31, 2012
 Database security: At rest, but not at risk
Pin It

At Black Hat, former FBI agent Shawn Henry spoke on a new security paradigm which was based on the idea that "It is not enough to watch the perimeter."  Almost exactly a year ago, we outlined how one of our customers uses database controls to mitigate spear phishing since they assume, as Mr. Henry does, that a compromise has taken place.

Today, IDG published a great article on database security that underscores why perimeter security isn't enough:

Database security is starting to show up on the radar of C-level execs, and no wonder. According to Verizon's "2012 Data Breach Investigations Report," 174 million corporate records were compromised in 2011 (the highest since 2004, according to the company), and in a survey by the Independent Oracle Users Group, 31 percent of respondents anticipated a major data breach this year.

The article provides several real-world anecdotes on securing databases, including this one:

Richard Isenberg, Fiserv's VP of security engineering, turned to Imperva for tools to handle segregation of duties, vulnerability scanning and blocking suspicious activity. "The databases themselves don't have enough security baked in to meet our compliance initiatives around tracking and understanding everything that privileged users do and alert us when they're doing something we don't want," he says.




July 26, 2012
 Confessions of Commercial WAF Vendor
Pin It

Yesterday at Black Hat Ivan Ristic gave a talk on WAF evasion. 

Ivan began his talk by correctly noting that WAFs are an essential part of an appsec strategy.  With the growth apps and their increasing complexity, code review and pen testing aren’t sufficient.  A WAF is the only appsec technology that is always on. 

In reality, the talk should have been titled, “ModSecurity Evasion.”  Ivan even said early in the presentation, “No commercial products were tested.”  This is a key distinction which was missed in many press articles the overhyped this talk.  More importantly, this is a key distinction when considering WAFs as part of your appsec strategy.  For example, Ivan’s paper makes the point:

There are a bunch of other things that I could have tried here. Omitting the Host request header or using a nonexistent hostname often works. A WAF may be configured to select sites and policies based on the hostname, whereas the backend server may always simply fall back to the default site when the hostname is not recognized."

This is a typical issue with Apache based WAFs, the policies are configured within the Apache <VirtualHost> directive as a way to determine which site gets what WAF protection. This configuration directive is complex and its behavior is often misunderstood by the users and possibly by the WAF developers as well. Apache was designed to serve well behaved users and may not behave ideally when facing malicious ones. Commercial WAFs that rely on a proprietary stack have better control of all the network layers, from capturing packets at the NIC level (L2) to profiling application usage (L7).





 SharePoint Security Playbook [eBook]
Pin It

Imperva_sharepoint_security_playbookToday, we conclude our blog series on SharePoint security, where each day we took a closer look at the five lines of defense you need to secure your SharePoint environment from both internal and external threats.


Here is a PDF of all five blog posts, plus our SharePoint security checklist. Download the complete eBook via Slideshare.

All posts in this series:
Challenge #1:Ensure access rights remain aligned with business needs.
Challenge #2:Address compliance mandates.
Challenge #3:Respond to suspicious activity in real time.
Challenge #4:Protect Web applications from attack.
Challenge #5:Take control when migrating data.



July 24, 2012
 SharePoint Security Challenge #5: Take Control When Migrating Data
Pin It

“SharePoint 2010 deployments grew 5x in the past six months.” -Global 360 2011

SharePoint Security Gap:

SharePoint enforces access controls for files using Access Control Lists (ACLs). What makes native permissions challenging, however, is that SharePoint lacks an automated way to ensure that ACLs remain aligned with business needs.

The Play:

Identify where excessive access rights have been granted, and use file activity monitoring to locate stale data that can be archived or deleted.

The Advantage:

  • Keep rights aligned with business needs.
  • Free up storage space and reduce the amount of data that must be actively managed.


(This is a page from the SharePoint Security Playbook. Download complete eBook.)


Previous and upcoming posts in this series:
Challenge #1: Ensure access rights remain aligned with business needs.
Challenge #2: Address compliance mandates.
Challenge #3: Respond to suspicious activity in real time.
Challenge #4: Protect Web applications from attack.
Challenge #5: Take control when migrating data.
Download: SharePoint Security Playbook [eBook]


 Is that Googlebot Hitting Your Website?
Pin It

Great blog on how hackers are emulating Google when they hit your site.


July 23, 2012
 Gamigo Breach
Pin It

Forbes is reporting that gaming website Gamigo was breached.  The article notes:

When this breach originally happened, the data wasn’t released, so it wasn’t a big concern. Now eight million email addresses and passwords have been online, live data for any hacker to see.

There is a more likely scenario.  The article should have said:

When this breach originally happened, the data was revealed to the hackers and whomever they give it to which is a major concern. After a while, when the original hackers were done with it, they released to the community which means this data is probably worthless by now.

Another point:  this breach has some similarities to LinkedIn breach.  Specifically, a few million hashed passwords which were disclosed to It’s very likely that the full leak of LinkedIn data including email addresses and login names would surface a few months from now.




 SharePoint Security Challenge #4: Protect Web Apps from Attack
Pin It

“31% of organizations are using SharePoint for externally facing Web sites, and another 47% are planning to do so." -Forrester Research, Inc. 2011

SharePoint Security Gap:

Native SharePoint does not include Web application firewall protection.

The Play:

Deploy a proven Web application firewall (WAF) technology.

The Advantage:

  • Provide a powerful defense against common attacks, such as SQL injection and cross-site scripting.
  • Streamline and automate regulatory compliance.
  • Mitigate data risk.


(This is a page from the SharePoint Security Playbook. Download complete eBook.)

Previous and upcoming posts in this series:


 Gambling with File Security
Pin It

Here we have a good lesson in file security from Las Vegas' Palms casino: The IT department reported that on April 14, Hemingway had emailed from her Palms email address to a personal email address extensive amounts of Palms data from a system called the ''Super Playmate'' database, including:

  • The ''Palms’ High Worth Customer List,'' containing data on 86 of the property’s largest customers with $11.7 million in play history. This included their play records and credit amounts.
  • A telemarketing list naming 419 more ''high worth customers'' with a combined credit line of more than $12 million.
  • A February slot tournament list with information on 1,050 players.
  • A list with information on 6,000 players who qualified for invitation to the Palms 2012 Super Bowl party.
  • A list of 4,000-5,000 inactive players.
  • A 2011 marketing document covering the property’s entire special events and marketing campaign for out-of-town customers.
  • The Palms said this information wasn’t readily available to Hemingway and that she had no authority or reason to possess it.

Both file and database breaches often show some similar characteristics that security teams should note:

  • Proper access rights reviews were not occurring. Think back to Manning's access of Hillary's files that enabled WikiLeaks.
  • Security policies to layer additional access controls could have blocked or at least alerted on the activity.


July 20, 2012
 SharePoint Security Challenge #3: Respond to Suspicious Activity
Pin It

"96% of breaches were avoidable through simple or intermediate controls." - Verizon Data Breach Report 2011

SharePoint Security Gap:

Native SharePoint activity auditing does not provide the ability to automatically analyze access activity and respond with an alert or block.

The Play:

Use a policy framework to build rules across SharePoint's Web, file, and database components to identify suspicious behavior and complement native access controls.

The Advantage:

  • Monitor, control, and respond to suspicious activity in real time.
  • Balance the need for trust and openness with security concerns.


(This is a page from the SharePoint Security Playbook. Download complete eBook.)

Previous and upcoming posts in this series:


 Top Ten Black Hat Pick Up Lines
Pin It

It's that time of year again:

10. How about we go home and validate my input?

9.  Your pen testing lab, or mine?

8.  Your mouth says, ‘Spam’, but your eyes say, ‘Breach me.’

7.  I wrote a special version of Stuxnet designed to make you go nuclear.

6.  Care to audit my log file?  You’ll be compliant before you know it and I swear there’s no
     performance impact.

5.  You won’t care about antivirus when you get infected with my Flame.

4.  Let’s go someplace private and we can make a bot army.

3.  My Low-Orbit-Ion-Canon is available for “up and down” load.

2.  Give me your credentials and I’ll show you how privilege escalation REALLY works.

1.  I gave Lady Gaga her first SQL injection.  She didn’t have a poker face and neither will you.



Find Us Online
RSS Feed - Subscribe Twitter Facebook iTunes LinkedIn YouTube
Monthly Archives
Email Subscription
Sign up here to receive our blog: