My apologies for the lapse in Security Corner Posts. The next one will continue the series on building an Information Management Plan for clients.
There has been a lot of talk the past couple of weeks about the recently discovered session renegotiation vulnerability in SSL/TLS. If you are interested in the details, here is a link to a .pdf of the original research. Here is a link to another article discussing the vulnerability. Mr. Google can find many more for you. This week’s episode of Security Now! will be devoted to this subject as well.
What does this mean to us and to our clients? What are the real risks? These questions are hard to answer at this point, because not all of the details have been made public. Initial reports focused on SSL connections that use client-side certificates, which excludes most connections. Ironically, client-side certificates are generally considered more secure. However, a server that requires a client certificate for only part of a site typically triggers a renegotiation mid-session to request it, so those deployments exercise exactly the renegotiation step the attack depends on, and the risk is increased. More recent reports describe attacks that do not involve client-side certificates at all.
All versions of this attack require a successful MITM (man-in-the-middle) position to be established first. This means that Wi-Fi connections, especially on a public network, do present a real risk. A wired connection to a home or office network presents little risk, as does a well-secured wireless connection.
There have been reports of attacks “in the wild”, and at least one successful attack against Twitter.
Because the flaw is in the protocol itself, essentially all browsers and web servers are affected. There is already a patch available for OpenVPN that addresses the issue, but it will be a while before there are patches for all browsers and web servers. I will keep tabs on this and post news as it develops. In the meantime, even SSL connections are not necessarily secure when on a public network.
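The following is an added example, not code from the original post or from any vendor's patch. It models why the renegotiation flaw matters: a MITM opens its own TLS session to the server, sends the start of an HTTP request, then forwards the victim's handshake as a renegotiation inside that session. A server that treats the bytes received before and after the renegotiation as one continuous stream hands its HTTP parser the attacker's prefix glued to the victim's authenticated request. The request bytes, the `twitter.com` paths and the `victim:password` credential are constructed sample data; the "hardened" server simply refuses to renegotiate, which is the blunt mitigation a server-side patch can apply, and is not a description of any particular vendor's fix.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    target: str
    headers: dict
    body: bytes


def parse_http_request(raw: bytes) -> Request:
    """Minimal HTTP/1.1 request parser: request line, headers, Content-Length body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    length = int(headers.get("content-length", "0"))
    body = rest[:length]
    if len(body) < length:
        raise ValueError("incomplete body")
    return Request(method.decode(), target.decode(), headers, body)


class RenegotiationRefused(Exception):
    pass


class VulnerableServer:
    """Flawed behaviour: application data received before and after a
    renegotiation is delivered to the HTTP layer as one stream."""

    def __init__(self):
        self.buffer = b""

    def recv_app_data(self, data: bytes) -> None:
        self.buffer += data

    def renegotiate(self) -> None:
        pass  # the new handshake completes; the partial request is kept

    def complete_request(self) -> Request:
        return parse_http_request(self.buffer)


class HardenedServer(VulnerableServer):
    """Mitigation modelled here (an assumption, not a vendor's patch):
    do not renegotiate at all, so no attacker prefix can precede the
    victim's data inside one session."""

    def renegotiate(self) -> None:
        raise RenegotiationRefused("renegotiation disabled on this server")


# Constructed sample data: what a browser would send over its "fresh" session.
VICTIM_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: twitter.com\r\n"
    b"Authorization: Basic " + base64.b64encode(b"victim:password") + b"\r\n"
    b"\r\n"
)


def attacker_prefix(body_len: int) -> bytes:
    """Partial POST whose Content-Length swallows the victim's request as
    the body, so the server publishes the victim's own bytes as a status."""
    return (
        b"POST /statuses/update.xml HTTP/1.1\r\n"
        b"Host: twitter.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: %d\r\n\r\nstatus=" % body_len
    )


def run_attack(server: VulnerableServer) -> Request:
    """Replay the three steps of the attack against the given server model."""
    # 1. MITM, in its own TLS session, sends the incomplete request.
    # (A real attacker pads or guesses the size; here it is computed exactly.)
    server.recv_app_data(attacker_prefix(len(b"status=") + len(VICTIM_REQUEST)))
    # 2. MITM tunnels the victim's ClientHello as a renegotiation of that session.
    server.renegotiate()
    # 3. The victim, believing it has a fresh session, sends its authenticated request.
    server.recv_app_data(VICTIM_REQUEST)
    return server.complete_request()


def leaked_credentials(request: Request):
    """Recover the Basic-auth credential if it ended up inside the POST body."""
    m = re.search(rb"Authorization: Basic ([A-Za-z0-9+/=]+)", request.body)
    return base64.b64decode(m.group(1)).decode() if m else None


if __name__ == "__main__":
    req = run_attack(VulnerableServer())
    print(req.method, req.target, "body contains:", leaked_credentials(req))
    try:
        run_attack(HardenedServer())
    except RenegotiationRefused as e:
        print("hardened server:", e)
```

The point to take from the model is that nothing in the victim's browser is wrong: it negotiated a valid session with the real server certificate. The server is what conflates two peers into one byte stream, which is why the fix has to land on servers (and in client libraries that are willing to renegotiate), and why a MITM position is a hard prerequisite for the attack.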
Here are some interesting stats from a webinar on cloud security that I attended today:
The average “hard cost” (not including the cost of lost business or damaged reputation) of a data breach is $202 PER RECORD. The “less tangible” costs, such as loss of business, are often much higher. Remember this when advising clients about data protection, which has a cost. The cost of not protecting data can be much higher.
65% of data losses are caused by someone with privileged access (employees, contractors, etc.). This includes both malicious acts and errors.
40% of losses are caused by a third-party service supplier or contractor.
We focus a lot of thought and energy on hackers and outside attacks, but these are certainly not the only threats.
Dennis H in West Virginia, US
November 20, 2009
5 years ago I told nerds that we needed to brace for 6 months of a cyber crime spree and protect clients that choose to be protected. Little did I know that 5 years later, we...