Three things that need to happen to scale the use of existing security information.
Our use of security information is far from efficient. Security researchers generate masses of security information, but at the same time, easy-to-fix issues discoverable by third-party security reports go unnoticed, causing havoc and dismay. badrap.io wants to change that.
Case in Point
Bob Diachenko just revealed Veeam’s marketing database, containing hundreds of millions of records with personal information available on the net (Figure 1). The culprit was unsecured MongoDB exposed directly to the Internet.
The actual web application might have been well tested. But it does not matter if the database it uses can be queried directly from the net. And these cases are not unique, as Bob confirms in his blog (Figure 2).
If the world used available security information efficiently, leaks such as this would be easily prevented. Shadowserver has provided free vulnerability reports for network owners for ages. MongoDB has been on their scan list for 3.5 years. Shodan.io lets you look at the open services on specific network ranges. And there are many other alternatives. Yet, there are tons of poorly configured MongoDBs out there just waiting for someone to walk in. What gives? We could throw a tantrum and yell that people are not doing enough on the security front. Or we could take the next step in making things easier.
What do I mean by “Security Information”?
I’m talking about three different categories: attacker information (usually victims of malware), vulnerability information and data leak information.
Victims are often also attackers. Criminals turn computers into botnet zombies to hide their tracks and to attack others in scale. So when you see attacks originating from different parts of the Internet, you actually see victims.
Vulnerability information comes in many forms. Software and appliances may have generic vulnerabilities — everyone who has a vulnerable version of a software or appliance is affected. Some vulnerabilities are more specific: vulnerable configurations, default passwords and so forth. You can learn about your generic vulnerabilities by knowing what software and appliances you use. Specific vulnerabilities can be found for example by scanning.
One form of scanning has become more popular over the past years. Instead of scanning all possible vulnerabilities from a specific network, security researchers can now focus on a particular issue and scan the whole Internet. Like, say, accessible MongoDBs.
Data leak information
Data leaks are happening at a record pace. Companies are offering data breach monitoring for quick data leak discovery and containment. They crawl places 1) where people accidentally leak confidential information, and 2) where stolen information gets shared.
Taking the most out of security information
Three things need to happen to scale the use of existing security information.
Easy discovery of security information
There is a lot of security information available, even for free. But that is not enough. How many of us routinely check for new sources of information? When we hear about one, is there an easy way to immediately start reaping the benefits? I don’t mean occasional visits to a website, I mean continuously. What if finding and benefiting from a new source of information were as easy as installing an app on your phone?
Tap into all information, focus on what is relevant
Tapping into all possible security information available out there is a great start. Usually, it is your job to figure out what information is relevant to you. But there is one exception we can learn from: bug bounty programs. In a bug bounty program, you provide the assets you want others to review, and the bounty program produces the relevant information. If we combine the collection of all automatically generated security information with the bug bounty program’s “name your interests” approach, we have a model which scales.
Understand what assets you have, and what are their identities
We are left with one challenge. We already have security researchers who produce information about all your assets, whether you ask for it or not. They scan the whole Internet on a continuous basis. They crawl its dark corners to find data leaks. They log all the attackers (=victims, remember) with their honeypots and darknets. It would be a waste to get information from just the subset of your assets.
To get the most out of this information, you should be able to register all your critical assets for security information correlation. All types of identities: IP addresses, domains, email addresses, names and so forth. All locations: cloud infrastructure, hosting, marketing sites, offices, home offices, and so forth.
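As an added example (not badrap’s own code), here is a small Python sketch of the model the two sections above describe: an asset registry of IP ranges, domains and email addresses, plus a correlation step that keeps only the feed events (attacker sightings, scan results, leak crawler hits) that touch a registered asset. The event format and all sample values are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AssetRegistry:
    """Assets an owner registers for correlation ("name your interests")."""
    networks: list = field(default_factory=list)  # ipaddress networks
    domains: set = field(default_factory=set)     # apex domains, lower-case
    emails: set = field(default_factory=set)      # individual addresses

    def add_network(self, cidr):
        self.networks.append(ipaddress.ip_network(cidr, strict=False))

    def owns_ip(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.networks)

    def owns_domain(self, name):
        # A registered domain covers itself and every subdomain.
        name = name.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in self.domains)

    def owns_email(self, address):
        address = address.lower()
        return address in self.emails or self.owns_domain(address.partition("@")[2])


def correlate(registry, events):
    """Keep only feed events that touch a registered asset and phrase each as a finding.
    Constructed event kinds: 'attacker' = honeypot/darknet sighting (a host seen attacking
    is almost always a compromised victim), 'vuln' = scan result, 'leak' = crawler hit."""
    findings = []
    for ev in events:
        if ev["kind"] in ("attacker", "vuln") and registry.owns_ip(ev["ip"]):
            note = ("likely compromised, seen attacking others" if ev["kind"] == "attacker"
                    else f"{ev['service']}/{ev['port']}: {ev['detail']}")
            findings.append({"asset": ev["ip"], "source": ev["source"], "note": note})
        elif ev["kind"] == "leak" and registry.owns_email(ev["email"]):
            findings.append({"asset": ev["email"], "source": ev["source"], "note": "leaked: " + ev["detail"]})
    return findings


# Constructed sample registry and feed (documentation-range addresses).
REGISTRY = AssetRegistry(domains={"example.com"}, emails={"cto@partner.example"})
REGISTRY.add_network("203.0.113.0/24")
EVENTS = [
    {"kind": "vuln", "source": "open-service scan", "ip": "203.0.113.10", "port": 27017,
     "service": "mongodb", "detail": "reachable without authentication"},
    {"kind": "attacker", "source": "honeypot", "ip": "203.0.113.77"},
    {"kind": "attacker", "source": "honeypot", "ip": "192.0.2.9"},  # not a registered asset
    {"kind": "leak", "source": "paste crawler", "email": "Ops@Mail.Example.COM",
     "detail": "password in a public paste"},
]
```

Calling `correlate(REGISTRY, EVENTS)` returns three findings: the open MongoDB, the compromised host in the registered range, and the leaked address at a subdomain of the registered domain; the event from 192.0.2.9 is dropped as irrelevant.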
All Security Information for All the People
Our modest goal is this. All types of security information covered. All identity types covered. All assets covered. Easy for everyone to get started. Sounds like a bit of a challenge? If it weren’t, someone would have already done it. We’re heading there, one step at a time. Today we have IP addresses covered worldwide. So why don’t you have a peek at https://badrap.io/ and see what the security researchers already know about your home and work IP addresses? Badrap — Security Information for All.