Monthly Archives: November 2020

The Need to Close the Cultural Divide between Application Security and Developers

A security risk that many organizations are not dealing with is the cultural divide between application security and developers. In this research sponsored by ZeroNorth, we refer to the cultural divide as when AppSec and developers lack a common vision for delivering software capabilities required by the business—securely. As a result, AppSec and developers are less likely to work effectively as a team and achieve the goals of building and delivering code in a timely manner with security integrated throughout the application development process.

Ponemon Institute surveyed 581 security practitioners who are involved in and knowledgeable about their organization’s software application security activities and 549 who are involved in and knowledgeable about their organization’s software application development process.

The following findings reveal why the cultural divide exists and its effect on the security of applications:

  • Who is responsible for the security of applications? Developer and AppSec respondents don’t agree on which function is ultimately responsible for the security of applications. Only 39 percent of developer respondents say the security team is ultimately responsible for application security. In contrast, 67 percent of AppSec say their teams are responsible. This lack of alignment demonstrates the potential for security to simply fall through the cracks if ownership is not clearly understood.
  • AppSec and developer respondents admit working together is difficult. AppSec respondents say it’s because the developers publish code with known vulnerabilities. They also believe developers will accept flaws if they believe the application will be a big seller. Developers say security does not understand the pressure they have to meet their deadlines. Developers also believe working with the AppSec team stifles their ability to innovate. It’s clear that today, priorities, goals and objectives across these two teams are not aligned and this disconnect drives a wedge between the functions.
  • Now more than ever, AppSec and developers need to work as a team. Digital transformation is putting pressure on organizations to develop applications at increasing speeds, potentially putting their security at risk. Sixty-five percent of developer respondents say they feel the pressure to develop applications faster than before digital transformation. Fifty percent of AppSec respondents agree.
  • AppSec respondents see serious problems with application security practices in their organization. Seventy-one percent of AppSec respondents say the state of security is undermined by developers who don’t care about the need to secure applications early in the SDLC. Sixty-nine percent of AppSec respondents say developers do not have visibility into the overall state of application security. As evidence of the tension between security and developers, 53 percent of AppSec respondents say developers view security as a hindrance to releasing new applications. Here again, competing priorities—speed for developers, security for AppSec—are often at odds.
  • Security respondents and developers disagree on whether the application security risk is increasing. Only 35 percent of developer respondents say application security risk in the organization is significantly increasing or increasing. In contrast, 60 percent of AppSec respondents say application security risk is increasing. This raises a question: which teams have clear visibility into the security posture of an application throughout its lifecycle?

Conclusion
As shown in this research, technology alone cannot bridge the cultural divide. Rather, senior leadership needs to understand the serious risks to business-critical applications revealed by the admission, from both AppSec and developers in this research, that working together is very difficult. A first step to closing the cultural divide is for senior leadership to create a culture that encourages teamwork, collaboration and accountability.

Please download the full report at the ZeroNorth website.

What’s it really like to negotiate with ransomware gangs?

Bob Sullivan

It might be the worst-kept secret in all of cybersecurity: the FBI says don’t pay ransomware gangs. But corporations do it all the time, sending millions every year in Bitcoin to recover data that’s been taken “hostage.” Sometimes, federal agents even help victims find experienced virtual ransom negotiators.

That’s what Art Ehuan does. During a career that has spanned the FBI, the U.S. Air Force, Cisco, USAA, and now the Crypsis Group, he’s found himself on the other side of numerous tricky negotiations.

And he’s only getting busier. According to Sophos, roughly half of U.S. corporations report being attacked by ransomware last year. The gangs are becoming more organized, and the attacks are getting more vicious. The days when victims could simply pay ransom for an encryption key, unscramble their data, and move on are ending. Now that some companies have managed to avoid paying ransom by restoring from backup, the gangs have upped their game. Their new trick is to extract precious company data before encrypting it, so the attacks pack a one-two punch — they threaten embarrassing data breaches on top of crippling data destruction.

Ransomware gangs also attack companies when they are at their most vulnerable — during Covid-19, they have stepped up their attacks on health care firms, for example, adding a real life-or-death component to an already stressful situation. By the time Ehuan gets involved, victims just want to put their computers and their lives back together as quickly as possible. That often means engaging the gang that’s involved, reaching a compromise, making a payment, and trusting the promise of a criminal.

It can sound strange, but during a recent lecture at Duke University, Ehuan said there were “good” cybercriminals — gangs that have a reputation for keeping those promises. After all, it’s their business. If they were to take the Bitcoin and run, security firms would stop making payments. On the other hand, you can’t trust every criminal — only the “good” ones.

This is the murky world where Ehuan works. During his lecture, Ehuan talked in broad strokes about the major issues facing companies trying to stay safe in an increasingly dangerous digital world.

After the lecture, I asked him to share more about what it’s like to deal with a ransomware gang (as part of my new In Conversation at Duke University series — read the series here). Who makes the first move? Are you sending emails? Talking on the phone? How do you know which criminals to “trust?” How do you gain their trust? Do they ever accuse you of being law enforcement? Here’s his response:

Art Ehuan

“When the malware is deployed there is also information provided on how to contact (the crime gang) to pay the fee that they are looking for and receive the key to unencrypt the data.

“Our firm, and others like it, will then have a discussion with the client and counsel to decide if they will pay and how much they are willing to pay. Once authorized by counsel/client, contact is made with the TA (gang) on the dark web to advise them that systems are impacted and we would like to discuss getting our data back, or data not being released to public sites, etc. We provide them with a known encrypted file to make sure they are able to unencrypt and provide us back the known file to ensure that they actually have the decryptor. We have a discussion with the TA over the dark web to lower the price due to the funds the client has available, etc.

“There is good success in negotiating a fee lower than what was initially asked by these groups. Once the fee is agreed and payment made, more often than not by bitcoin, the TA sends the decryptor, which is then tested in an isolated environment to make sure that it does what it is supposed to do and does not potentially introduce other malware into the environment. Once evaluated, it is provided to the client for decryption of their data. If the negotiation is for them not to release the data, they will provide proof of the files being deleted on their end (we have to take their word for it that they haven’t kept other copies). Sometimes this takes several days due to the time difference between the U.S. and Eastern Europe when communicating.

“Even with the decryptor, unencrypting the data is a painful and costly experience for a company. My continuous message to clients is to secure and segment their infrastructure so these attacks are not as successful. That is cheaper than the response efforts that occur with a breach.

“Hopefully, this provides, at a high level, the process that is taking place.”

(Read the full conversation here.)