8 MYTHS – FALSE SENSE OF SECURITY

  • khoss1
  • Jun 25, 2021
  • 4 min read

Updated: Jan 21, 2022

I have witnessed many failings of organizations, caused either by ignorance or by misinformed assumptions ranging from “my security controls such as firewalls, IPS and AV are good enough to keep the attackers out” to “my traffic is SSL protected and my database is encrypted, so our data is safe”. Let me share the 8 myths that create a false sense of security.

Myth 1: I have implemented SSL protection that prevents all types of attacks

Granted, SSL provides a defense against network attacks such as interception and injection on the wire, known as Man-in-the-Middle (MitM) attacks. In a MitM attack the attacker hijacks the communication channel and tries to decrypt it in order to retrieve or inject plaintext data.

The truth is that SSL does not protect you from all types of data-stealing attacks. SSL provides no protection against malware that resides on the end-user system. For example, SSL does not protect against Man-in-the-Browser (MitB) attacks, in which attackers steal the data before it is ever encrypted by SSL.

Myth 2: Implementation of firewall as a network perimeter defense makes the environment bulletproof

Firewalls are designed to restrict unauthorized traffic by inspecting packets at the perimeter as they flow to and from the internal network. However, the firewall's role is misunderstood when it is taken to make the network bulletproof. A firewall does restrict traffic by blocking ports, but the majority of Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) traffic is allowed straight through. It is a widespread technique, one that even novice attackers can deploy, to use HTTP/HTTPS as the communication protocol and to perform data exfiltration and remote management of compromised hosts over that channel.

Myth 3: Custom encryption provides similar strength as standardized cryptographic algorithms

It is tempting to believe that encryption alone secures data at rest and in motion. Encrypting data is certainly good practice. However, using a custom encryption algorithm is often equivalent to having no encryption at all. Publicly vetted encryption (reviewed publicly and analyzed for security flaws by academic and industry researchers) is the only encryption to trust. In particular, if a scheme relies on hiding anything other than its keys, it should be treated with suspicion. Users need to understand that encrypting data does not mean that it is totally secure.

Myth 4: Usage of Two-factor Authentication (TFA) protects from all types of fraudulent activities

TFA is based on out-of-band authentication, which is a form of multifactor authentication: the authentication process is completed over two different channels and involves two or more authentication factors. Users misunderstand TFA when they conclude that it protects them from all types of fraud involving money (banking transactions or otherwise).

This is not true. TFA is a function of strong authentication, but it does not protect against data exfiltration from end-user systems. The second channel in TFA validates and verifies that the authentic user is performing the transaction, and nothing more. If a trojan is already in your systems, the attackers could easily create a user account and change records through a reverse shell. (Trojans can easily be obfuscated so that current AV vendors fail to detect them; I have tried this on a trojan sample and it was undetected by 50 current AV engines.)

Myth 5: Anti-virus (AV) engines provide robust protection

AV engines are software programs installed on the operating system to prevent the execution of malware and to protect legitimately installed applications from infection. AV engines use techniques such as signature matching, heuristics, and emulation. Some believe that an AV engine protects the end-user system from all types of attacks and malware. For example, some users feel that once an AV solution is installed, they can surf anywhere on the Internet without getting infected.

Unfortunately, such users get infected precisely because of this false sense of security. AV engines fall short of providing robust protection against zero-day attacks, in which attackers use exploits for undisclosed vulnerabilities. Sophisticated malware such as a rootkit with administrative access can tamper with the AV engine itself, rendering it ineffective. In addition, AV engines are not considered a strong defense against malware that uses polymorphic or metamorphic code, which mutates on every execution.

Myth 6: Deployment of an Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) prevents malicious code from entering my network

The majority of IPS and IDS products are signature based, so detecting an infection or malicious traffic requires a matching signature. But attackers can bypass IPS and IDS sensors with evasion techniques such as Unicode encoding, canonicalization tricks, null byte injection, overlapping TCP segments, fragmentation, slicing, and padding.
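As an added example that is not from the original post, the script below shows why a raw signature check misses encoded forms of the same request and how canonicalizing the input before matching closes that gap. The signature and the sample request lines are constructed placeholders, not rules or traffic from any real IDS.

```python
"""Why naive signature matching misses encoded traffic, and one way to
canonicalize before matching. Example code: the signature and traffic
samples are constructed placeholders, not rules from any real IDS."""
import re
import unicodedata
from urllib.parse import unquote

# Constructed placeholder signature: the string a rule author wants to catch.
SIGNATURE = re.compile(r"/evil/marker", re.IGNORECASE)

def naive_match(request_line: str) -> bool:
    """Raw pattern search, as a purely signature-based sensor does it."""
    return SIGNATURE.search(request_line) is not None

def canonicalize(request_line: str) -> str:
    """Undo the encoding tricks the post lists so one rule covers all forms."""
    text = request_line
    # Percent-decode until stable, so double encoding (%2565) is unwrapped too.
    for _ in range(4):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    # NFKC folds look-alike characters such as the fullwidth solidus (U+FF0F)
    # onto the ASCII characters the rule expects.
    text = unicodedata.normalize("NFKC", text)
    # A null byte has no meaning inside an HTTP path; drop it rather than
    # letting it terminate the comparison early.
    text = text.replace("\x00", "")
    # Treat backslashes as path separators and collapse repeated separators.
    text = re.sub(r"[\\/]+", "/", text)
    return text

def robust_match(request_line: str) -> bool:
    """Signature check over the canonical form of the request."""
    return naive_match(canonicalize(request_line))

# Constructed samples: the same request written five ways.
SAMPLES = [
    "GET /evil/marker HTTP/1.1",            # plain form
    "GET /%65vil/marker HTTP/1.1",          # percent-encoded 'e'
    "GET /%2565vil/marker HTTP/1.1",        # double percent-encoded
    "GET /evil%00/marker HTTP/1.1",         # null byte inserted
    "GET \uff0fevil\uff0fmarker HTTP/1.1",  # fullwidth slashes
]

def compare(samples=SAMPLES):
    """Return (naive_hits, robust_hits) over the sample set."""
    return sum(map(naive_match, samples)), sum(map(robust_match, samples))
```

Over the five samples the raw check fires once while the canonicalized check fires five times; a production sensor must normalize at the transport layer as well (TCP reassembly, fragment handling), which this example deliberately leaves out.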

Myth 7: Malware is distributed primarily through shady and rogue web sites such as torrents and I2P

While rogue sites do distribute malware, many more trustworthy sites also deliver it. For example, in targeted attacks based on waterholing, legitimate and highly ranked web sites are infected with malicious code that pushes malware onto user machines through drive-by download attacks. It is hard to flag a site as secure in order to assure users that they are interacting with a legitimate web site free of malware.

Myth 8: Email filtering mechanisms only allow secure and verified attachments to be delivered with emails

Email filtering is the process of filtering out emails containing malicious attachments and illegitimate links that would start infections in the organization's network. Recent cases show that socially engineered emails are used extensively in targeted attacks. In the corporate world, employees believe that their inboxes receive only safe emails, with attachments from verified senders. This is not true, because attackers can combine tactics such as social engineering with zero-day attacks to slip malware past enterprise email solutions and successfully deliver malicious emails. The idea is to embed a zero-day exploit inside an attached file that passes through the filter (this can be done easily, believe me) and is delivered to the target. This technique has been seen in a number of recent targeted attacks.

Conclusions

All seems gloomy, right? No worries: in my next blog I will share some of the latest technologies and best practices on how to better protect your crown jewels.

Stay tuned!
