It seems as though the latest rash of threats and attacks all have a familiar ring to them: they’re all aimed at social networking sites like Twitter and Facebook, which is interesting, because smart attackers will use whatever means possible to get to the stuff that really counts – enterprise data.
As we routinely hear about these attacks and see how they happen, the bulk of our research on Team SHATTER stays focused on the database. That’s not to say it’s unimportant to know exactly how and where an attacker compromises an entry point on your network; it’s just that we aim our research at where they are headed to extract what’s going to make them money, and that isn’t typically the photos of your Memorial Day BBQ you posted on Facebook.
Clickjacking, XSS (cross-site scripting) and CSRF (cross-site request forgery) are up-and-coming methods for hijacking user input in order to launch malware or take control of users who visit certain web sites. Once malicious code is inserted into a page, it can set off a slew of unfortunate mishaps for users; the usual trick is to use iframes to stack multiple UI layers so that a harmless-looking page (a band’s fan page, for example) masks the input elements the victim is really clicking. Social networking sites are susceptible simply because the average user interacts heavily with those pages without thinking much about security. We’re seeing a major uptick here.
The real danger here is not taking this seriously and failing to safeguard against it, which means instituting policies on the use of social networking sites. It’s not those apps themselves that the attackers are into; it’s what is at the core of your company’s network that they’re after. And if a social site represents an opportunity, hey, whatever works, right?
So really, what we’re seeing is that attackers are up to their same old tricks, albeit with some slightly different twists on how they’re infiltrating systems. Once they have created a path into your critical infrastructure, sophisticated attackers will chain that foothold with known vulnerabilities in enterprise applications like large CRM deployments, enterprise webmail applications and, of course, the databases backing these systems.
It’s important to note that browser-based applications are what organizations should be most concerned with, because these methods give an attacker a way to feed bad data into your systems without having direct access to them, almost like a backdoor. Other methods like XSS help attackers use one site to jump to another and take information from each one along the way. This fits in nicely with how social networks are designed.
Since we have a dedicated team looking at vulnerabilities and attack methods every day, what stands out is that organizational security policies need to be well-developed and thorough. If an attacker can break in through some sort of web-based method like clickjacking, the CISO has to know who has rights on the database and other critical web applications. They also need to know which sets of data those users have access to and how they received those privileges, whether that data is intellectual property or Social Security numbers. That is the beginning of a proactive approach to securing the most prized asset at any company: sensitive information.
Alex Rothacker is the manager of Application Security’s Team SHATTER research group.