Friday, March 07, 2008

100% secure websites

I think we all can agree that 100% security is impossible, even when adding layer upon layer of defenses, systems will fail eventually. Furthermore too much emphasis on obtaining “perfect” security will result in diminishing returns. When you get right down to it though what we’re really trying to do is keep the bad guys from compromising our websites and that doesn’t necessarily require 100% security. The challenge is finding the right balance between resources put in (time / money) and adequately reducing (not eliminating) the likelihood of getting hacked. Still often people mistakenly try to accomplish one by doing the other.

From my experience in website security there are two predominant types of “bad guys,” troublemakers and the financially motivated. Troublemakers I’ve found are the most difficult to defend against. They’ll often spend an extraordinary amount of effort (day, weeks, months, and sometimes years) to pull off a defacement, achieve administrative level access, cheat at a game, alert(‘xss’), disrupt user experience, and so on. To successfully defend against a troublemaker you must have perfect security all the time (impossible) while they just have to exploit one issue. Fortunately the result of their antics are unlikely to result in substantive reputation or financial loss and mostly will just annoy you and waste time.

Interestingly the financially motivated, the ones we really have to worry about, are easier to deal with since they conform to an ROI model. Financially motivated bad guys follow the path of least resistance by targeting the softer and more potentially lucrative websites. They’re after credit card numbers, social security numbers, passwords, and other forms of useful sensitive information. Whatever will help them pull off a fraudulent transaction. They might spend as much as a couple of days in sweeping attacks or a few weeks on targeted attacks if the reward looks promising, but probably no more as other websites would prove easier. So if your website is too hard to hack, the bad guys will move on, probably to your competitors/peers.

There’s a funny joke that lends context:

Two guys are hiking and suddenly a bear starts chasing them...
The first guy says, "Are you crazy!? We can’t outrun a bear!”
The second guy says, "I don't have to outrun the bear... I only have to outrun you!"

(In Hawaii we have a similar variant with surfers and sharks.)

The challenge in website security is knowing exactly how fast the bear and other guy are, plus they tend to get faster over time. WhiteHat Security plans to release some statistics around this area soon. Apart from that a good rule of thumb is if XSS, SQLi and few other attack classes can be found in your website within a few minutes/hours, then its probably one of masses playing Russian Roulette.

13 comments:

Anonymous said...

Don't forget the 3rd type of hacker. The 202/8 - china / state sponsored hacker which will at all costs invest in obscure exploits, research, steal cisco source, sell pirated ios, and backdoor 802.11 chipsets.

Jeremiah Grossman said...

You know, that's a really good point. I think I forgot about them since I'm not used to dealing with those types of adversaries. I think I'd rank their skill/drive as equal to or more than the average troublemaker. They'd be difficult, if not impossible, to keep out. I also think they have more defined targets as you've described. I wouldn't think the state sponsored bad guy would be targeting ecommerce of financials would you?

Anonymous said...

What about a fourth one:
Hired Hacker to break a specific target (website, company,...)
It's a hybrid between the first one and second one since he will take the necessary time to achieve his goal FOR financial gain.
They can be:
- spy for another company
- detective/hacker to obtain information about something/someone
- hacker being hired by a disgruntled employee seeking revenge
- And many others...

Francois L

Jeremiah Grossman said...

@Francois, thanks, yep thats another little variant in there. Perhaps we can combine the state-sponsored and the one you mentioned in "hired hacker" class. While the two might have different targets typically, their skill/motivation is probably relatively the same.

dre said...

Jeremiah: I think your logic is globally irresponsible. If I spent most of my time running from bears and let my friends take the fall - I wouldn't have many friends.

Here's a question for you: what if all my friends ran at the same pace? If everyone is a WhiteHatSec customer, then you guys get to decide who has security and who does not.

Also - for those who have read Geekonomics, the book speaks to the "Broken Windows" theory. This theory states that less broken windows around the neighborhood creates less crime. If we want to reduce Internet crime, we have to reduce all software weaknesses, not just the top ten or the most critical.

Perfect security isn't 100%, it's to be as CWE-free as possible with your applications, especially the most visible ones. Perfect security is perfect enough for your applications, taking in the risk and repair factors.

Jeremiah Grossman said...

> Jeremiah: I think your logic is globally irresponsible.

And I think your logic in impractical and naive.

> If I spent most of my time running from bears and let my friends take the fall - I wouldn't have many friends.

I have no idea have many friends you have.

> Here's a question for you: what if all my friends ran at the same pace?

Then they’d defy the laws of physics. Besides, believing that every website will have equal security ever is rather silly anyway.

> If everyone is a WhiteHatSec customer, then you guys get to decide who has security and who does not.

As much as I and my investors would enjoy this result, I don’t think its rational to expect it.

> Also - for those who have read Geekonomics, the book speaks to the "Broken Windows" theory. This theory states that less broken windows around the neighborhood creates less crime. If we want to reduce Internet crime, we have to reduce all software weaknesses, not just the top ten or the most critical.

I think the same book categorically dismissed that theory as a fallacy. How it applies here I have no idea either.

> Perfect security isn't 100%, it's to be as CWE-free as possible with your applications, especially the most visible ones. Perfect security is perfect enough for your applications, taking in the risk and repair factors.

see comment #1

Anonymous said...

For sure if your website is less attractive and harder to break in, most of hackers are going to move on to an other target.

You can improve your security architecture to reduce the impact when being hacked.
But how can an e-commerce website avoid stocking their clients private information?

The idea is good but in most cases not feasible.

Plus they are new ways of earning money from hacking using basic vulnerabilities.

Yousif Yalda said...

Good post Jeremiah, I agree with what you have said. My quote is "There Is No Such Thing As Security" and in all means, it's fairly true. I've had a customer before that defined against "There's no point in securing your website if it's not hacker-proof". I thought it was rather false. The para dime is always changing and there's no factual way to secure anything 100%, but we can surely elevate this to a stable and effective level.

Anonymous said...

I'm assuming that the troublemakers don't send you Christmas cards and the the financially motivated don't call you at home. So other than falling back on "experience", can you substantiate any of your comments in this blog post about the behavior of troublemakers and financially motivated or are you making broad generalizations (again *sigh*) without being able to back it up?

Jeremiah Grossman said...

@Yousif, "effective level", yep that's the key. The trouble is figure out how to quantify and measure what exactly that is.

@Anonymous,

> I'm assuming that the troublemakers don't send you Christmas cards and the the financially motivated don't call you at home.

Not so far.

> So other than falling back on "experience",

My experiences are my own and may or may not be representative of the masses. That's one reason why I allow comments here, so people can share their unique experiences as drive towards better understanding.

> can you substantiate any of your comments in this blog post about the behavior of troublemakers and financially motivated or are you making broad generalizations (again *sigh*) without being able to back it up?

Not sure I understand your question. Meaning, do the types of attackers we've defined here exist? Or were you asking whether they actually do the things I described? In any event, I guess you are asking for some kind of report, in which case there are tons around you might Google for.

Anonymous said...

Hi, just a curious question, how come these comments are dated only the time and not the day as well, like March 8/08 etc...??

Jeremiah Grossman said...

Hmph, I never noticed that before. I just updated the settings.

Anonymous said...

Good Job! :)