Daily Archives: February 20, 2020

What Our Data Reveals About Security Debt

It???s a habitual practice we learn from an early age; keeping track of loans and credit card bills reduces overall debt and makes it easier to bring debt down quickly, avoiding those pesky spikes in interest. That very same practice applies to software security testing. Software is tested, vulnerabilities are revealed, and unaddressed vulnerabilities build up over time as interest in the form of extra work, which compounds into security debt that???s increasingly difficult to reduce the longer you wait.

Often, the solution is reprioritizing flaws and improving fix rates to reduce liability over time. In our 10th annual State of Software Security (SOSS X) report, we discuss how some of our findings from over 85,000 application scans correlate with mounting security debt???and why you should pay attention.

Debt dwindles with frequent scanning

Just as making consistent payments on your credit card reduces debt over time, a frequent scanning cadence can lower the amount of debt your organization carries. When surveying the findings in our SOSS X report, we saw that frequent scanners (300+) have 5x less debt than infrequent scanners and they see a 3x reduction in median time to remediation (MedianTTR), or the amount of time it takes to fix flaws.

Scanning Cadence

Misaligned remediation priorities add to interest

In SOSS X, we talk about how some developers operate on LIFO (Last In, First Out) or FIFO (First In, First Out) methods for fixing flaws. Standard remediation procedures are not one size fits all???what works for your organization may not work for another. But the data we studied shows the likelihood of a flaw being fixed in the first month is only about 22 percent. That number drops down to 10 percent for the second month and 3 to 5 percent as time goes on.

Remediation Time

It???s clear from this data that developers are prioritizing the most recently found flaws above all else. The problem with this process is that it doesn???t take into account what is actually increasing risk. Ultimately, an older Cross-Site Scripting vulnerability is just as dangerous as a more recently discovered one. However, this chart sheds light on the relationship between scanning cadence and security debt; if we???re paying more attention to recently discovered flaws, frequent scanning means additional newer flaws to address. Boosting your scanning cadence and sitting down as a team to figure out your approach to prioritizing flaws can help set you on the right path. 

Some industries are more prone to debt than others

Security debt doesn???t discriminate. It shows up in every industry, though some are more likely to accrue debt than others depending on how they prioritize fixes over time, as previously discussed. Data from SOSS X shows us that the Manufacturing and Government/Education industries carry more debt on average than other prominent industries.

Security Debt by Industry

What???s most important to note, though, are the trends over time. For example, we can see that around month four, organizations in Government and Education have an uptick in average fix rates. While Retail doesn???t carry much debt overall, companies tend to remediate the bulk of their flaws by month six or seven and contribute to debt reduction.  

Security needs vary (capturing quick payment information versus storing robust patient histories and treatment plans, for example), but data from your specific industry will help you keep a pulse on average fix rates for security debt. You and your team can then review this data on a consistent basis when creating long-term plans for eliminating flaws.

PHP and C++ build up debt the fastest

Your plans for fixing flaws and reducing debt should factor in the languages you???re using. Why? The average security debt for PHP and C++ is huge and tends to grow over time, especially when compared to .NET, Android, Java, Android, and JavaScript.

Language Flaw Debt

Issues with these two languages are the results of simplicity and age: PHP is suited for beginners and is thus susceptible to insecure coding, while C++ is a powerful language that requires some hands-on management of memory and stack control ??? vulnerabilities that are easier to introduce in C++ than in more common languages.

It???s difficult for most teams to change the language they???re using at work, but it???s important to keep in mind which languages easily add to security debt. Carrying this awareness and understanding changes in language trends will help you prepare efficient security processes throughout your career.

Cross-Site Scripting carries the heaviest liability for debt

When we look at the layers of flaw percentage by application age, it???s apparent that Cross-Site Scripting (A7-XSS) carries the largest amount of debt across applications. There???s also a slight rise in percentage as we inch closer to the 7-month mark, which tells us that XSS (among others) is a notable contributor to security debt.

Cross-site Scripting

XSS attacks occur when a malicious script is injected into a webpage and it alters the way that page behaves, opening the site up to damaging security holes open to unwanted activity, like bypassing authentication or stealing sensitive information. This prominent flaw is not picky when it comes to language, either, with notable findings in .NET, iOS, Java, JavaScript, PHP, and Python. Spanning languages with prevalence and risk, XSS is one to keep an eye on as you work towards reducing your security debt.

Read the full SOSS X report

Want more info? Check out our SOSS X page for the full report and additional data to absorb as we head into 2020. You can also listen to our podcast series with IDG, in which three of the episodes dig into security debt to drill down on different industries, why security debt grows deeper, and what's behind the buildup of unfixed flaws. 

 

Disruptive ads enforcement and our new approach


As part of our ongoing efforts — along with help from newly developed technologies — today we’re announcing nearly 600 apps have been removed from the Google Play Store and banned from our ad monetization platforms, Google AdMob and Google Ad Manager, for violating our disruptive ads policy and disallowed interstitial policy.
Mobile ad fraud is an industry-wide challenge that can appear in many different forms with a variety of methods, and it has the potential to harm users, advertisers and publishers. At Google, we have dedicated teams focused on detecting and stopping malicious developers that attempt to defraud the mobile ecosystem. As part of these efforts we take action against those who create seemingly innocuous apps, but which actually violate our ads policies.
We define disruptive ads as ads that are displayed to users in unexpected ways, including impairing or interfering with the usability of device functions. While they can occur in-app, one form of disruptive ads we’ve seen on the rise is something we call out-of-context ads, which is when malicious developers serve ads on a mobile device when the user is not actually active in their app.
This is an invasive maneuver that results in poor user experiences that often disrupt key device functions and this approach can lead to unintentional ad clicks that waste advertiser spend. For example, imagine being unexpectedly served a full-screen ad when you attempt to make a phone call, unlock your phone, or while using your favorite map app’s turn-by-turn navigation.
Malicious developers continue to become more savvy in deploying and masking disruptive ads, but we’ve developed new technologies of our own to protect against this behavior. We recently developed an innovative machine-learning based approach to detect when apps show out-of-context ads, which led to the enforcement we’re announcing today.
As we move forward, we will continue to invest in new technologies to detect and prevent emerging threats that can generate invalid traffic, including disruptive ads, and to find more ways to adapt and evolve our platform and ecosystem policies to ensure that users and advertisers are protected from bad behavior.

Stay Sharp and Squash Security Debt with Veracode’s Security Labs

???Tell me and I forget. Teach me and I remember. Involve me and I learn.??? This renowned quote from Benjamin Franklin is a powerful mantra for refining skills in any craft, coding included.

When it comes to developer training, nothing beats hands-on experience with real code customizable to the way a business runs. That???s why we???re excited to announce our new online training platform, Veracode Security Labs, crafted for developers and organizations eager to learn best practices in modern application security, deliver code on time, and reduce security debt. Whether developers lack the time for training or simply want to stay sharp, Security Labs empowers them to learn and grow backed by application security.

It isn???t a simulated experience; developers can log into the program to access a real application in a contained environment. From there, they learn how to exploit that application and practice fixing vulnerabilities with exercises on modern web applications, in their preferred languages, for a tailored and comprehensive hands-on training that helps them establish best practices. Ben Franklin would be proud.

Fast and effective learning

When a breach hits, employees can find themselves in a mad dash to patch security holes and remediate damage. Being prepared is all about incorporating security-minded processes earlier in the development cycle to avoid such headaches down the road. The interactive Security Labs experience ensures developers leave the training module ready to hit the ground running with fresh new skills that help them not only fix flaws quickly, but also write better code.  

???The future of AppSec depends on enabling developers to create more secure code from the start,??? says Fletcher Heisler, Veracode???s Director of Developer Enablement and one of the minds behind Security Labs. Using Security Labs to directly exploit and patch real code means developers can begin improving in just 10 minutes.

???Through this hands-on practice, developers gain practical AppSec skills that can be applied immediately,??? Fletcher explains. ???For Veracode customers, this means more secure code, less time spent on security debt, and developers who are overall more engaged in supporting security.???

Through progress reporting, email assignments, and a leaderboard, teams of developers feel inspired by each other to advance their secure coding skillsets. Managers can set required modules and deadlines too, with tools for tracking team completion and exporting progress reports so that they have results in hand to prove capability and compliance.

Best practices and beyond

Veracode Security Labs isn???t solely about preparing developers to tackle vulnerabilities and stay on top of compliance. At its core, this training platform bridges the gap between development and security to empower organizations with the tools they need to keep AppSec at the forefront of their operations. And with the average cost per data breach incident hitting 3.29 million in 2019, staying sharp can save money and bandwidth in the long run.

???It???s so much more costly, in terms of both dollars and time, to fix a security flaw once it has already made its way into production code,??? says Fletcher. ???Meanwhile, security teams can???t scale to the time and expertise required to review every line of code from every developer. If developers have the foundational training to write secure code from the very start, an organization will be able to deliver ??? and continue to deliver ??? applications and features on time without getting bogged down in security debt.???

Practical lessons from this hands-on program can help an organization from the ground up. And when paired with Veracode???s Static Analysis IDE Scan solution to quickly identify and remediate flaws at scale, development teams have every opportunity for risk reduction at their fingertips.

Interested in trying it out? You can find more information about Security Labs here, and request a demo to see how this solution can benefit your organization.

M-Trends 2020: Insights From the Front Lines

Today we release M-Trends 2020, the 11th edition of our popular annual FireEye Mandiant report. This latest M-Trends contains all of the statistics, trends, case studies and hardening recommendations that readers have come to expect through the years—and more.

One of the most exciting takeaways from this year’s report: the global median dwell time is now 56 days. That means the average attacker is going undetected on a network for under two months—an M-Trends first. This is a very promising statistic that demonstrates how far we’ve come since 2011 when the global median dwell time was 416 days. And yet, we know a sophisticated attacker needs only a few days to gain access to the crown jewels, so there is still plenty of room for improvement.

Another interesting statistic in the report is what we refer to as "detection by source." For the first time since 2015, the majority of organizations are being notified of compromises by external sources (53 percent) over internal teams (47 percent). This is more likely due to factors such as increases in law enforcement notifications and compliance changes, and less likely due to internal teams having lost a step.

There’s a whole lot more to look forward to in M-Trends 2020, including:

  • By the Numbers: Global median dwell time and detection by source are just the tip of the iceberg—we share a number of other statistics related to targeted industries, malware, threat techniques and more.
  • Newly Named APT Groups: Learn all about APT41, group responsible for carrying out Chinese state-sponsored espionage and financially motivated activity since as far back as 2012.
  • Trends: We take a deep dive into the latest trends involving malware families, monetizing ransomware, crimeware as a service, and malicious insiders.
  • Case Studies: With so many organizations moving to the cloud, we take a look at a breach involving cloud assets. We also take readers through a campaign where attackers were targeting gift cards.

While M-Trends 2020 contains plenty of new information, the goal of M-Trends has remained the same since the beginning: to arm security professionals with details on the latest attacks and threats we are seeing during our engagements.

Download the 11th edition of M-Trends today.

Dealing with the increased use of LOLBins in cyberattacks

Estimated reading time: 2 minutes

The next few days Seqrite will publish descriptive blogs about the forecasts from its ‘Seqrite Predictions 2020: Cyberthreats’ with the aim of educating readers about what individual threats mean. We begin with the prediction titled, ‘Increased use of LOLBins’ in the report.

As the name sounds, there is nothing humorous about LOLBins. Unlike the common parlance of ’LOL’, in this case, LOL refers to ‘Living off the Land’ and LOLBins refer to a particular type of attack technique that is creating a lot of chaos among enterprises.

The full form of LOLBin is ‘Living Off the Land Binaries’ and they refer to Windows binaries that are non-malicious in nature but are used by attackers to hide malicious activity. This is an extremely crafty way to conduct an attack without leaving any traces as the malicious activity is hidden by regular binaries. As attackers are using legitimate and benign binaries located within the operating system to hide their malicious activity, they are effectively evading cyber defences.

Exploiting legitimate files for malware

That is how LOLBins justify their name of ‘living off the land’ — using this technique, attackers do not need to inject malicious files or software in Operating Systems. Instead, they can exploit legitimate Microsoft files to conduct malicious activities like DLL hijacking, hiding payloads, process downloading, executing code and stealing passwords.

Two examples illustrate how LOLBins are used. A particular type of attack, nicknamed the Squiblydoo attack, utilizes a common Windows utility called Regsvr32.exe which is present in every Windows system and is used by power users to edit the Registry.

Using Regsvr32, malicious elements can bypass a system’s existing Application Whitelisting processes and execute malicious code that would otherwise be blocked. Hence, the system’s existing security defences are bypassed and cybercriminals can escalate their hold over a system.

LOLBins were also used in a targeted phishing campaign in 2018. The TA505 group ran a spear-phishing campaign against financial institutions using a backdoor. They used LOLBins and took advantage of legitimate Windows bundles like msiexec.exe, rundll32.exe and net.exe to deliver its malware payload, stealthily evading detection.

Used in conjunction with fileless malware

LOLBins often work in conjunction with fileless malware, making it a formidable proposition. Seqrite and Quick Heal Security Labs have analyzed a few instances of such malware —  this analysis can be found in detail here and here. These malware have some unique techniques — they use malicious script files such as JavaScript, HTA, VBA, PowerShell, etc. for in-memory or non-malware attacks.

For enterprises dealing with the twofold threat posed by fileless malware and LOLBins, it is imperative to deploy an advanced enterprise security solution that can neutralize such threats. Seqrite’s Endpoint Security Enterprise Suite recently received a BEST+++ Certificate from AVLab, an independent organization that conducts tests on security software for corporate networks and individual user devices, on the Fileless Malware Protection Test.

Other ways in which enterprises can prevent such threats include:

  • Maintaining operating system software and enterprise applications by keeping them updated. In reference to this, enterprises using Windows 7 should seriously consider upgrading to Windows 10 as Microsoft no longer offers support for Windows 7
  • Ensuring websites that are advertisement-heavy and are resource-intensive are not used by their enterprises
  • Ensuring that software on enterprise systems is only installed from legitimate sources
  • Maintaining regular and timely backups of enterprise data

The post Dealing with the increased use of LOLBins in cyberattacks appeared first on Seqrite Blog.