Today, on the last day of RSA2013, InformationWeek has published an article that analyzes the security spend of companies vs the problems that they need to tackle. While referencing OWASP Top 10 Threats, they cover some of the more modern vectors of attack, focusing mainly on SQL Injection.

To quote our CTO, Amichai Shulman, “SQL Injection should have died years ago. Sadly, it didn’t.” SQL injection is one of the biggest threats and easiest vectors for an attacker to steal data and compromise an organization. Not only that, it has become industrialized, with tools like Havij,  SQLmap and others automating the attack and “dumbing it down” to make the it easier to approach by non-experts.

Today, even in the largest organizations, CIO’s still focus spending on fixing problems from the past: viruses and network threats that used to be acute. What is interesting is that companies did so well in spending in the right place in the past, and putting the right controls around their assets to fix the old problems, that the problem has moved. Hackers are now lurking in new places. It’s a classic example of “win the battle and lose the war.”

Nowdays, hackers are all about data and how to get it for profit. When that is the case, you should always expect them to look for the weakest point in your organization, because easy money is the best kind of money. SQL Injection is an easy way to get data.

What should you I do ?

• Dork yourself, check what SQL Injection really is and what is your threat.
• Check your access control, is your organization dealing with SQL Injection?
• Verify that you evaluate your online assets and applications to make sure that you are safe
• Regularly schedule “clean ups” to remove nasty bits.
• Put proper Web Application security controls such as Web Application Firewalls in place.

On January 29^th we released our Hacker Intelligence Initiative Report (HII) which covered the Yahoo hack via third party code that was compromised via a cloud partnership. In the HII we raised the problem that organizations have when they include third party alliance software or service within their own offering.

The cloud opens opportunities for businesses to grow using third party platforms, and embedding their services within their own platforms saving time, money and stepping up their offering.

Yesterday, In a Blog post by Zendesk they disclose the fact that they have been compromised and that the data of their customers may have leaked. Some of their customers are Tumblr, Twitter, Pinterest as revealed by Darkreading. This means that if you are a user of these companies, your data might have been compromised.

What should companies do ?

When a company builds its security model it usually does not take into account elements that are not in their control, which creates the security hole.

Companies should:

• Implement policies both on the legal and technical aspects to control data access and data usage.
• Require third party applications to accept your security policies and put proper controls in place
• Monitor.

We are not saying that you should avoid third parties. These services are pure business enablers and help your organization drive revenue with less cost to it. But when you do that, wear your security hat on!

Last week I attended an OWASP conference in Israel and participated in a panel about WAFEC. This panel is part of the currently ongoing effort to generate the second version of the WAF evaluation criteria standard. The panel gave me an opportunity to express my major concern about WAF evaluation today – the lack of measuring tools and in particular the continuous disregard towards measuring false positives.

I've already expressed these concerns in the last OWASP US conference where I presented a tool that might help the community overcome these issues.  The tool called WAF Testing Framework (WTF) is easily configurable with traffic samples that represent attacks (in a stateful manner) and good traffic. It then communicates according to this configuration with a bundled web application, assuming a WAF is installed in the way. The tool is able to measure the response of the WAF to each one of the requests and display a chart that includes information on False Negatives as well as False Positives.

We've decided to make this tool available to the community as open source. Initially it is available on our site Here. We will probably open an open source project for it on one of the standard repositories soon.

Oracle has released its Critical Patch Update, which is focused on fixing a major Java exploit. Java vulnerabilities are clearly on the rise. Currently, they represent more than 10 percent of all reported vulnerabilities this year (see Nist.gov) and are reported to be the root cause of some of the high profile compromised insider incidents.

What can I do to protect my organization?

In a perfect world, we would advise administrators to disable Java on all browsers, but generally speaking, having IT administratively disable ANY software component on “all user machines” is nearly impossible, especially in today’s bring your own device (BYOD) IT environment. The current case of disabling Java components is no different.

The lesson the world should have already learned from incidents such as the Stuxnet attacks is that protection should be around data rather than around devices. Closely monitoring and controlling data at the source is one part of the solution. Another solution is to look for abusive access patterns to data or patterns that reflect the behavior of an outsider within our perimeter. Coupled with data encapsulation, organizations can achieve true mitigation of such risks.

Additionally, individual users should turn off Java 7 browser plug-ins and only enable them specifically to trusted site (such as the mentioned “Java-powered line of business applications”). See the following link for instruction on how to do so in Google’s Chrome browser here.

In a Blog we posted a few months ago, we observed how hackers use social networking sites to develop target lists for phishing scams. We even had an unfortunate example of how such a scam targeted the White House.

Recently, in October 2012, Research by Deloitte identified that 82% of CISOs see phishing & pharming as their greatest cyber security threat.

Modern Phishing

It is important to note that modern phishing and pharming techniques are just as effective and scary malware infection vectors as more traditional threats, such as SQL injection.

Pharming attacks can hit an organization by impersonating or imposing on a software vendor, an open source organization or a user forum, where malicious code is hidden or redirected to from the offending Web site.

For example, a pharming infection might:

1. Either hack an existing site (a common practice) or build a site offering an open-source “plugin-for-something-great” and make sure that the link redirects to malicious software
2. Users that need this piece of software will download the payload, or hacker will use a 0-day to infect them directly from the browser.
3. Infect.

The Facebook Incident

Today, Facebook disclosed that several of its developers got Hacked. The infection vector as stated, was a drive-by malware exploit that was hidden on a mobile site the developers were using. The attack used a 0-day Java vulnerability to infect their computers.

Although Facebook denies having any data loss because of this incident, it is almost impossible to know that is really the case.

What does this incident teach us?

In Facebook’s case they claim no data loss, which is difficult to guarantee, unless data access is regulated with proper controls. Controlling data access in your organization ensures that incidents such as this do not result in data loss, even when malware 0-days cannot be prevented – you can prevent data loss and business deep hit.

Facebook is considered a young company employing brilliant minds that are very good at what they do, and as a technology driven company most of its employees would be considered technology aware. And yet, a malware drive-by has caused a breach.