The TAB – software security


The TAB is OCC’s Technical Advisory Board, made up of representatives from OCC’s project and product groups. The TAB’s role includes reviewing technology developments and their impact on the company’s software development.

Security in the news

Data breaches are on the rise and the media is increasingly publishing news stories on the subject.

Some of the breaches happened years ago and are only just coming to light. For example, Yahoo had two hacks three years ago that have only recently been discovered. Hackers try to protect their hacks for as long as possible, as the data drops in value once the breach is publicised.

In 2018, the EU will be introducing the General Data Protection Regulation (GDPR) to regulate disclosure practice in case of data breaches. The GDPR will also introduce stricter and harsher fines for companies with security breaches.

It is interesting to note that as ‘internet of things’ technologies proliferate, concerns are rising in new areas, for example, the security of medical devices, such as pacemakers and insulin pumps.

Rise in cases of ransomware

“Ransomware can net crooks a conservative $84,000 a month for an investment of $6,000, a whopping 1,425 per cent profit margin,” Trustwave found last year.

Ransomware is a variation of malware where perpetrators attempt to extort a ransom in exchange for releasing their hold on the infected system. Often the infection is achieved through ‘spear-phishing’ attacks, that is, lures targeted at specific people with access to the system. For example, recent attacks directly targeted the NHS and UK schools.

There are many more examples. Sadly, people and companies often feel they have little choice but to pay up.

Ransomware usually targets open and insecure sites on the internet – for example, the default configuration of MongoDB (expanding to CouchDB, Hadoop, ElasticSearch) is insecure and has been highly abused by attackers in this way.

Physical devices can also be targeted and has resulted in people being locked in their hotel rooms and CCTV cameras being taken down.

Securing websites

SSL certificates are becoming more and more important, regardless of whether the site handles particularly sensitive data – a company’s reputation can be destroyed if malware ends up on its site.

Chrome is now showing sites that are served over http as ‘Not Secure’, while Google gives preferential treatment to sites using https. Sites without a certificate will not benefit from http/2, which can dramatically improve website loading speeds.

Thankfully, it’s now easier than ever to secure your site with a certificate. Free certificates are available from Let’s Encrypt. There are even options to help secure sites (albeit not to the fullest level) without having to deal with installing a certificate, such as those from CloudFlare.

Account security and passwords

The UK government has published password guidance containing tips on implementing a good, modern password policy. It is well worth reading the guidance and passing on the information to customers who may be less aware of the issues.

Of particular interest is the tip that ‘complex’ passwords often offer little extra protection, and can sometimes be detrimental, for example, where the user has to write down their password, or reuse it in multiple systems, in order to remember it. An alternative is to use longer but easier to remember passwords, such as 4 random dictionary words, for example, Red-Cabbage-Clever-Leopard.

The UK government now also advises against forcing password expiry as it can lead to users choosing similar or weaker passwords in order to cope with the fatigue of having to change and remember new passwords regularly.

Instead of these ineffective traditional account security measures, the recommendation is that systems implement technical measures to aid against password attacks:

  • account lockout (after x failed attempts) and login attempt throttling (one attempt per x seconds) – but beware potential denial of service, that is deliberately locking out key accounts
  • protective monitoring of logins for unusual practices – these can help protect against the impact of password breaches on other sites
  • two-factor authentication, for example:
    • mobile-generated time-based code – for example, Google Authenticator or an RSA hardware token
    • SMS messages – though not suitable for ultra-secure sites, as SMS messages can be intercepted by sophisticated hackers
    • universal 2nd factor (U2F) keys – a USB or NFC device containing authentication credentials

You can educate your customers on the problems with traditional password policies and the new recommendations, and talk to them about technical measures, including account lockout, protective monitoring and two-factor authentication.