SRG Information Security Blog
Security Considerations and Low-code/No-code Application Platforms - 11/13/2018
By: Christopher Dorr, Director of Advisory Services - Third-Party Risk
Are you familiar with “Low-code/No-code Application Platforms”? I wasn’t until a few months ago, when I ran into them at a couple of client locations. I had to go look up what they actually were and how they worked. What I found was fascinating. These applications (referred to by Gartner as “High-productivity application platform as a service”, or hpaPaaS, which just rolls off the tongue) are sprouting up all over, offering cloud-based rapid application and database development platforms for “Citizen Developers” (i.e. business users without a background in IT), who can create highly sophisticated applications that can be instantly deployed to a large number of users, across many platform types. What could possibly go wrong with that?
And they are indeed proliferating. According to BusinessWire, sales of these platforms are rising from $4.3 billion in 2017 to an expected $27.2 billion in 2022, which is consistent with what we have been seeing “in the wild”. And this is concerning, because these platforms offer some entirely new threats to your information security:
- Development that is often performed by non-IT professionals who may not have a sound understanding of development practices.
- Lack of security considerations in development, and lack of available security controls.
- Multi-tenant architectures and database segmentation issues.
- Complicated technology stack. Often these applications are built on a platform like Appian or Quick Base, which in turn is built on AWS or Azure, which in turn brings in other platforms and technologies. Every layer in the stack adds risk.
- These technologies lend themselves to “Shadow IT”, in which business units, consultants, or other non-IT specialists may develop and deploy applications that are inexpensive and can “sneak in” outside of the IT governance process.
- Weak access and user rights-management components.
- Lack of development or test environments, and poor testing and validation.
- Applications that “look” like sophisticated enterprise applications, but that have very few of the controls expected of enterprise applications.
I’m going to explore some of these topics in a series of blog articles, but first I wanted to introduce some of the players.
As I noted, this is a burgeoning space. Some of the players are well known, such as ServiceNow and Salesforce (both of which are in the top-right “leaders” quadrant of Gartner’s 2018 Magic Quadrant for this sector), Microsoft, Oracle, Google and Fujitsu.
Others may not be so well known, including Appian, Zoho, Quick Base, Airtable and Betty Blocks.
And while there are many different approaches within this space, there are several characteristics that seem common among all or most of these players:
- Multi-platform (including, in many cases, automatic versions for phone, tablet, and web)
- Low/no expertise in development required (“Citizen Developer” focus)
- High degree of data abstraction
- High reliance on subservice providers (AWS, Azure)
- Template and drag-and-drop design functionality
- Developer controllable access and user provisioning (often not very granular)
- Very rapid deployment (within hours)
- Immediate access, with a credit card
- Highly variable pricing, ranging from a few dollars per year to tens of thousands of dollars per year
And while my overview of this topic will take a few blog entries, I wanted to tell a quick story that demonstrates some of the security issues that these platforms may bring. The names and details have been changed to protect the guilty.
A Short Tale of Woe
As part of an audit at a midsized company, an email had been sent to the heads of several departments asking them if there had been any major changes to their use of IT, and especially if they had either stopped using, or added the use of any business-critical application systems.
One of the managers had responded that they were now using a system they called “CREDIM” for “Commercial Real Estate Data and Information Manager”, which was used to help process some activities related to the sale, lease and use of commercial real estate. Further, the business manager indicated in the email that he didn’t think the system “contained any very sensitive data”, since it was primarily a workflow management system.
When the Director of IT was asked about this system, he had never heard of it, nor had his applications or helpdesk staffers. When asked about the system, the business unit owner responded that they needed a system to help manage the workflow associated with their processing of these commercial real estate transactions, and that they had brought in a consultant (budgeted the previous year) to help them with the process management and workflow. And, lo and behold, this consultant had developed a workflow system that was inexpensive and did exactly what (he told them) they needed to do. In fact, they could just roll the annual cost (just several thousand dollars) into the consulting contract renewal itself and save a great deal of time in terms of acquisition and integration costs, and after all, this manager *did* have the authority (he asserted) to approve contracts below a certain amount.
When CREDIM was examined, it was found to be based on a low-code platform, which in turn relied upon AWS. And this program that did not contain “much sensitive data” did store, in uploaded and unencrypted PDFs, highly sensitive financial data, including financial projections, and in some cases, individual, unredacted income tax statements (of the principals of partnerships and trusts).
But the most interesting find was when the system was looked at in depth. It contained an “administrative console” where a representative of this company (in this case an administrative assistant) could perform some user management functions. She could not directly create or remove accounts; that had to be requested through a request form. But the administrator *could* reset passwords. The process was poor; the admin would log in, go to a special “Administrator” menu, select a submenu, and reset the password; the user could not change the password him or herself.
On the menu where the admin could change a password, there was a button that dropped down the list of users whose passwords she could change. When asked to change a password, she clicked on the button, and a list of users appeared.
A list of ALL users. ALL users, in ALL of the organizations that were using this multitenant database. Any admin, from any of the companies (about 15 in total) that the consultant had sold this system to could change the password of any user in any company.
Which obviously meant that he or she could then log into ANY other company’s database (since it was a single database that displayed what the user was supposed to have rights to see, based on a single, simple filter) and obtain this highly sensitive data, including tax records and financial projections.
When asked about this issue, the consultant admitted that he had never tested that; he had only tested that the password change worked.
In this one case, there were several major security issues, and I am certain that at least some of these issues are much more common than many think:
- Shadow IT control issues, in which end users and business groups can “go around” IT’s controls
- Payment for IT services via contracts that will never cross IT’s desk
- Terrible segmentation of access in multi-tenant databases
- Utter lack of testing of applications, especially failure and negative-case testing
- Lack of understanding, on the business unit’s part, of the sensitivity of data stored in a given system
- Shockingly poor systems design, because the creator had zero expertise in IT, and especially in application development
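The defect in the tale above comes down to one missing predicate: the shared database relied on a single filter to decide what each user could see, and the password-reset menu was built without it. The following is an added example written for this post; it is not code from the consultant’s system, from SRG, or from any low-code vendor. It models the shared users table in SQLite with constructed tenant names, e-mail addresses and passwords, shows the unscoped listing and reset next to a tenant-scoped version, and ends with the negative-case test (an admin from one tenant attempting to list and reset another tenant’s users) that was never run.

```python
"""Added example, not code from the SRG post or from any low-code vendor.

A toy multi-tenant user store in SQLite that reproduces the CREDIM-style
defect (a password-reset menu backed by a query with no tenant filter) next
to a tenant-scoped version, plus the negative-case test the consultant never
ran. Tenant names, e-mail addresses and passwords are constructed sample data.
"""
import hashlib
import os
import sqlite3
from dataclasses import dataclass


@dataclass
class Admin:
    """Identity established at login: which tenant the caller belongs to."""
    tenant: str
    email: str
    role: str


def hash_pw(pw: str) -> bytes:
    """Salted PBKDF2; a production system would use a dedicated password-hash library."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """One shared table for every customer, distinguished only by a tenant column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, tenant TEXT NOT NULL, "
        "email TEXT NOT NULL UNIQUE, role TEXT NOT NULL, pw_hash BLOB NOT NULL)"
    )
    sample = [  # constructed: two tenants, one admin and one user each
        ("acme", "admin@acme.example", "admin"),
        ("acme", "bob@acme.example", "user"),
        ("globex", "admin@globex.example", "admin"),
        ("globex", "carol@globex.example", "user"),
    ]
    for tenant, email, role in sample:
        conn.execute("INSERT INTO users (tenant, email, role, pw_hash) VALUES (?, ?, ?, ?)",
                     (tenant, email, role, hash_pw("initial")))
    conn.commit()
    return conn


# --- The defect: the admin menu queries the shared table without any tenant filter.
def resettable_users_vulnerable(conn, admin: Admin) -> list:
    # 'admin' is never consulted, so every tenant's accounts come back.
    return [row[0] for row in conn.execute("SELECT email FROM users ORDER BY email")]


def reset_password_vulnerable(conn, admin: Admin, target_email: str, new_pw: str) -> bool:
    cur = conn.execute("UPDATE users SET pw_hash = ? WHERE email = ?",
                       (hash_pw(new_pw), target_email))
    return cur.rowcount == 1  # succeeds for any tenant's user


# --- The fix: scope both the listing and the write to the caller's tenant.
def resettable_users(conn, admin: Admin) -> list:
    if admin.role != "admin":
        raise PermissionError("not an administrator")
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE tenant = ? ORDER BY email", (admin.tenant,))]


def reset_password(conn, admin: Admin, target_email: str, new_pw: str) -> bool:
    # The tenant check is repeated on the write: a menu that hides entries is not
    # an access control, because the request can be submitted without the menu.
    if admin.role != "admin":
        raise PermissionError("not an administrator")
    cur = conn.execute("UPDATE users SET pw_hash = ? WHERE email = ? AND tenant = ?",
                       (hash_pw(new_pw), target_email, admin.tenant))
    if cur.rowcount != 1:
        # Same error whether the user is in another tenant or does not exist,
        # so the response does not reveal other tenants' account names.
        raise PermissionError("no such user in your tenant")
    conn.commit()
    return True


def negative_case_test(conn) -> dict:
    """The test the consultant skipped: an acme admin must neither see nor reset
    globex accounts. Returns one boolean per check so a harness can assert on them."""
    acme_admin = Admin("acme", "admin@acme.example", "admin")

    def lists_foreign(emails) -> bool:
        return any(not e.endswith("@acme.example") for e in emails)

    results = {
        "vulnerable_lists_other_tenants": lists_foreign(resettable_users_vulnerable(conn, acme_admin)),
        "vulnerable_cross_tenant_reset_succeeds":
            reset_password_vulnerable(conn, acme_admin, "carol@globex.example", "new-secret"),
        "hardened_lists_other_tenants": lists_foreign(resettable_users(conn, acme_admin)),
    }
    try:
        reset_password(conn, acme_admin, "carol@globex.example", "new-secret")
        results["hardened_cross_tenant_reset_blocked"] = False
    except PermissionError:
        results["hardened_cross_tenant_reset_blocked"] = True
    return results


if __name__ == "__main__":
    for check, outcome in negative_case_test(make_db()).items():
        print(f"{check}: {outcome}")
```

The point of carrying the tenant predicate into the UPDATE as well as the SELECT is that the dropdown is presentation, not authorization; the negative test exercises the write directly, which is exactly the case a “does the password change work?” test never reaches.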
In my next blog, I’ll go into more detail about some of the architectures and technology stacks used by these ever-more-available systems.
Security Program Maturity Workshop and the "Breach of the Day" - 11/8/2018
By: Chris Banta, Senior Partner
I have several meetings each week with security professionals across many different industry verticals, each asking my opinion as to “where and what should we be focusing our efforts and budgets on?” Of course there is no perfect answer to this question, and oftentimes I find myself making the shift from consultant to lawyer as I offer up my “it depends” answer. If you really want to know where to focus your efforts and where you can get the biggest return on your information security spend, let’s talk! At SRG we have designed our Security Program Maturity Workshop to give you the answer to those questions and give you a complete 360-degree view of how your organization stacks up against industry-recognized best practices. Take the guesswork out of your 2019 strategic information security plan and turn to SRG’s team of experienced advisors to help you build a custom-tailored strategic roadmap that will keep your program moving in the right direction for years to come!
Secure vs. Compliant
I often hear the word Compliant being used synonymously with Secure. So to demystify this for myself I looked them both up. Webster defines Compliance as “conformity in fulfilling official requirements”. Sounds pretty good to me, so what about Security then? What does it mean and how does it differ? Again I turn to my good friends at Webster, who tell me it means “free from danger, risk, or loss”. Obviously these are not synonymous terms... Both areas are important to your business; however, Compliance in and of itself, although important, does not ensure your long-term security. To be successful in the fight against the continuously evolving threat landscape, there are three foundational security elements that you will need to focus on in order to start developing your plan: Scope, Risk & Gap.
- Scope - What is it that you are protecting?
- Risk - What are your organizational, operational, industrial and geographical threat vectors?
- Gap - Do you have your bases covered? What policies, processes, procedures and controls do you have in place, and what is missing?
In summary, it’s all about SRG, so why not reach out to us and take that first step towards building a robust security program.
For many of my close friends and associates, you know my family and I spent the better part of the first few months of this year dealing with a critical illness impacting my father. As we would spend time at the hospital, I observed the plethora of life-sustaining equipment that makes up an ICU ward. For those of you lucky enough to never have found yourself in an ICU, this might come as a shock, but many of the very devices we depend on to save lives are Wi-Fi connected for management and update purposes by the manufacturers. I was shocked to see that virtually all of this equipment was internet connected; then I got to thinking about all the other aspects of my daily life that are also “on the net”, and reality set in. Think about your commute, for instance: if the traffic lights were to be hijacked, or the mass transit system in your town was taken over in a cyber-attack, not only would it be inconvenient for the morning commute, but what about the potential for collisions leading to loss of life? IoT has a lot to offer and has made modern life convenient, but I ask you, are we really doing enough to secure those often overlooked yet critical aspects?
Each morning as I sip my cup of coffee, I like to read about the breach of the day. Some unfortunate organization has been hacked, data has been lost (sometimes to the tune of millions of records). I have had my personal data stolen, my credit card data exposed, my dear friends at the VA have given away my records not once, not twice, but thrice - my morning cup has become a morning carafe! When we think about breaches and how they occur, most of us think about hard-core hackers, organized crime, or some form of clandestine operation that has targeted a well-known company or brand. In reality these types of attacks are not generally behind these breaches. The hard truth is that the real cause is a lack of good security hygiene and maturity. So today I am spearheading a new campaign to help organizations rethink their approach to information security. Over the next several weeks I will be publishing a series of educational posts that will provide some tips and techniques to help mature your security program and help you to be better prepared for the breach du jour. Join me in my fight and together let’s get back to a single-cup morning.