Preventing Cybercrime in the AECO Industry
After recent cyber attacks, information security is top of mind for business leaders around the world. This is especially true for the AECO industry. According to governance, risk and compliance consulting firm Kroll, in 2021 the AECO industry saw an 800% increase in data breaches and cybercrime incidents, the second highest increase of any industry.
As the AECO industry continues to advance technology, security is lagging behind.
Impact of cybercrime on the AECO industry.
Sixty-seven percent of Kroll survey respondents from the AECO industry say cybercrime “had a significant impact on their business”. This data shows that the AECO industry is a major target for cyber criminals, mainly because of the amount of data it generates and the lack of security in a modernizing industry. Everyone working in this industry should understand how to protect against security threats.
How are cyber criminals getting in?
Many of these breaches resulted from vulnerabilities in the software solutions employees use for their day-to-day job. Industry leaders need to understand these potential threats to their business, and how their software vendors are actively working to prevent these vulnerabilities. This might seem daunting to business leaders who do not live in the world of cyber security every day, but there is a straightforward way to understand common threats to internet-based software. It’s called the Open Web Application Security Project® (OWASP for short).
What is OWASP?
The Open Web Application Security Project (OWASP) is a non-profit global community that strives to promote application security across the web. The OWASP knowledge base is freely and easily accessible on their website. With its tens of thousands of members and hundreds of chapters, OWASP is considered highly credible. Developers, security managers, and IT professionals have come to count on it for essential web application security guidance.
The “top ten” ways cyber criminals attack.
Every few years, OWASP revises and publishes its list of the top 10 web application vulnerabilities. The list includes not only the OWASP Top 10 threats but also the potential impact of each vulnerability and how to avoid them. The comprehensive list is compiled from a variety of expert sources such as security consultants, security vendors, and security teams from companies and organizations of all sizes. It is recognized as an essential guide to web application security best practices. Any company that touches the internet in any way should be aware of the main vulnerabilities and understand how the software they use works to mitigate them.
1. BROKEN ACCESS CONTROLS (people have access to stuff they shouldn’t)
Website access controls should limit each visitor to only those web pages or sections needed by that type of user. For example, administrators of an e-commerce site need to be able to add new links or promotions. These functions should not be accessible to other types of visitors.
Newforma handles this with role-based access. Each role has the least privilege it needs to do its job. Further, Newforma fully audits all activity performed under these roles. It is important for all companies to limit the access they give to users as well.
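The following is an added illustration of the role-based, least-privilege check described above, not Newforma's own code: every user is mapped to one role, each role carries only the permissions its job needs, unknown users and roles get nothing, and every decision (allowed or denied) is written to an audit trail. The roles, permission names and user names are constructed for the example.

```python
"""Role-based access control with least privilege and an audit trail (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed roles: each one carries only the permissions its job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"project:read"},
    "editor": {"project:read", "project:write"},
    "admin": {"project:read", "project:write", "promotion:create", "link:create"},
}


@dataclass
class AuditEntry:
    user: str
    role: str
    action: str
    allowed: bool


@dataclass
class AccessController:
    user_roles: Dict[str, str]                      # user name -> role name
    audit_log: List[AuditEntry] = field(default_factory=list)

    def check(self, user: str, action: str) -> bool:
        """Decide whether `user` may perform `action`, recording the decision."""
        # Unknown users and unknown roles have no permissions: deny by default.
        role = self.user_roles.get(user, "")
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        # Every decision, including denials, is logged so reviewers can later
        # see who attempted what.
        self.audit_log.append(AuditEntry(user, role or "<none>", action, allowed))
        return allowed

    def perform(self, user: str, action: str) -> str:
        """Enforce the check before doing privileged work."""
        if not self.check(user, action):
            raise PermissionError(f"{user} may not {action}")
        return f"{action} done by {user}"


def demo() -> AccessController:
    """Run three constructed requests and return the controller with its audit log."""
    ac = AccessController({"alice": "admin", "bob": "viewer"})
    ac.check("alice", "promotion:create")   # admin: allowed
    ac.check("bob", "promotion:create")     # viewer: denied
    ac.check("mallory", "project:read")     # unknown user: denied
    return ac


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

The audit entries are the part most often skipped in practice; without them, a misconfigured role is invisible until something goes wrong.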
2. CRYPTOGRAPHIC FAILURES (sensitive data is in plain sight)
Sensitive data, such as passwords, credit card numbers, health records, and personal information, requires extra protection because of the potential for cryptographic failures (sensitive data exposure). This failure occurs when data encryption is weak or data is not encrypted at all. It matters even more when the data falls under privacy laws such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), and others. Are you sending any sensitive data in plain text? Are the keys used for encryption insecure or outdated?
Newforma addresses this by encrypting all data with current encryption techniques. Users should ensure that the software solutions they are evaluating use proper encryption techniques.
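Passwords are the sensitive data named first above, and they are a common place for a cryptographic failure to hide. The added example below (not Newforma's code; standard library only) shows a weak, unsalted MD5 digest beside a salted, deliberately slow PBKDF2 record, with a check for records made with an outdated algorithm or iteration count. The iteration count is a constructed value for the example.

```python
"""Password storage: weak unsalted digest beside a salted, slow key derivation (added example)."""
import hashlib
import hmac
import os
from typing import Optional

# Weak: fast and unsalted. Two users with the same password get the same
# hash, and precomputed tables recover common passwords quickly.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# Proper: random per-user salt plus a slow key-derivation function.
# ITERATIONS is a constructed value; raise it as hardware gets faster.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iterations and compare."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(stored: str) -> bool:
    """True when a record uses an outdated algorithm or too few iterations."""
    algorithm, iterations, _, _ = stored.split("$")
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Because the record carries its own algorithm and iteration count, old records can be detected at login and upgraded transparently, which is how an "outdated" cryptographic setting gets retired without a forced password reset.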
3. INJECTION (sounds bad? It is…hostile data is injected into your software)
Injection vulnerabilities occur when untrusted data is passed to an interpreter as part of a query or command. The hostile data injected through this type of attack tricks the code into making the application do something it was not designed for, such as executing unintended commands or accessing data without proper authentication.
Newforma uses a safe Application Programming Interface (API) rather than code with unsafe parameters whenever possible. Where we cannot use a safe API, we have a robust Intrusion Detection System that our security and infrastructure team monitors and tests regularly.
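To make the "safe API" point concrete, here is an added example (not Newforma's code) using Python's built-in SQLite module with a constructed in-memory table: one query built by string formatting, which lets a value containing a quote change the structure of the statement, beside the same query using bound parameters, where the value can never be parsed as SQL.

```python
"""SQL injection: string-built query beside its parameterized replacement (added example)."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO projects (name, owner) VALUES (?, ?)",
        [("Bridge retrofit", "alice"), ("Tower fit-out", "bob"), ("Clinic extension", "alice")],
    )
    conn.commit()
    return conn


def projects_for_vulnerable(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Unsafe: the caller's value is pasted into the statement text."""
    # A value containing a quote is interpreted as SQL, not as data.
    query = f"SELECT name FROM projects WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def projects_for_safe(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Safe API: the value is bound as a parameter and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM projects WHERE owner = ? ORDER BY id", (owner,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    hostile = "nobody' OR '1'='1"
    print("vulnerable:", projects_for_vulnerable(db, hostile))  # every row leaks
    print("safe:      ", projects_for_safe(db, hostile))        # no rows
```

The same rule applies beyond SQL: wherever a command, query or template is assembled for an interpreter, use the interface that keeps data and code separate rather than concatenating strings.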
4. INSECURE DESIGN (code design is bad)
Insecure design is a broad term that encompasses a variety of flaws and is defined as “missing or poor control design.” Threat modeling, secure design patterns, and reference architectures are used to prevent this.
Newforma has an in-depth code review process in which security is considered. We also use tools to scan our code for vulnerabilities. When features are designed, our product team treats security as a top priority. Finally, the security team regularly reviews and educates developers and product team members on security issues and secure design.
5. MISCONFIGURED (mostly due to human error)
Gartner estimates that up to 95% of cloud breaches are the result of human error. Security misconfiguration is one of the prime drivers of that statistic, and OWASP notes that it is the most commonly seen vulnerability.
Newforma’s infrastructure teams have strict policies on what configurations can be used. The team has automation that monitors our infrastructure configuration. When setting up internal IT systems, it is important to ensure that they are configured for only what they need and nothing more.
6. VULNERABLE AND OUTDATED (using sketchy code)
Modern distributed web applications often incorporate open-source components. Open-source code is code that is publicly accessible and anyone can modify it. Any component with a known vulnerability becomes a weak link that can impact the security of the entire application. Although the use of open-source components with known vulnerabilities ranks low in terms of severity, it is #1 when ranking the OWASP Top 10 by how often a vulnerability was the root cause of an actual data breach.
Newforma monitors its open-source components for outdated versions and updates them as needed. Newforma suggests that everyone update the software tools they use as soon as possible to avoid these issues in their own IT infrastructure.
7. IDENTIFICATION AND AUTHENTICATION FAILURES (criminals assume your identity)
When applications incorrectly execute authentication functions, intruders may be able to compromise passwords, security keys, or session tokens and permanently or temporarily assume the identities and permissions of other users.
Newforma does not allow users to use default credentials. We also enforce a strong password policy and use secure session management. Newforma suggests that all IT solutions also rotate their credentials regularly and use password policies that require strong passwords.
8. SOFTWARE AND DATA INTEGRITY FAILURES (untrusted sources)
Software and data integrity failures occur when code and infrastructure do not guard against integrity violations. A program that pulls code from untrusted sources is one example. Another is auto-update: many programs now fetch and apply updates without the integrity checks that were applied to the originally trusted application. With such functionality, attackers could potentially distribute and run their own updates across all systems.
Newforma uses code signing for all code that is deployed and ensures that any data sent between users is signed. Each user has a trusted signature from their computer, so we can ensure that everyone is who they say they are.
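The auto-update scenario above is the clearest case for integrity checks, so here is an added example of an updater that refuses anything unsigned, tampered with, or older than what is installed. It is not Newforma's code and uses only the standard library, which has no asymmetric primitives: an HMAC with a constructed shared key stands in for the signature, whereas real code signing keeps a private key in the build pipeline and ships only the public key to clients. The verification flow is the same either way.

```python
"""Verifying a signed release before applying an update (added example)."""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed key. Real code signing uses a key pair; this symmetric stand-in
# means anyone holding the key could also forge releases.
SIGNING_KEY = b"constructed-build-pipeline-key"


class UpdateRejected(Exception):
    pass


def build_release(package: bytes, version: str) -> Dict:
    """What the build pipeline publishes: the package, a manifest, and a signature over the manifest."""
    manifest = {"version": version, "sha256": hashlib.sha256(package).hexdigest()}
    body = json.dumps(manifest, sort_keys=True).encode()
    signature = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": signature, "package": package}


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def verify_release(release: Dict, installed_version: str) -> Dict:
    """Raise UpdateRejected unless the release is authentic, intact, and newer."""
    body = json.dumps(release["manifest"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    # 1. The manifest must carry a valid signature from the build pipeline.
    if not hmac.compare_digest(expected, release["signature"]):
        raise UpdateRejected("manifest signature does not verify")
    # 2. The package bytes must match the hash inside the signed manifest.
    if hashlib.sha256(release["package"]).hexdigest() != release["manifest"]["sha256"]:
        raise UpdateRejected("package hash does not match the signed manifest")
    # 3. Downgrade protection: a validly signed old release is still rejected.
    if parse_version(release["manifest"]["version"]) <= parse_version(installed_version):
        raise UpdateRejected("release is not newer than the installed version")
    return release["manifest"]


def update_outcome(release: Dict, installed_version: str) -> str:
    """Human-readable result of attempting to apply a release."""
    try:
        verify_release(release, installed_version)
        return "applied"
    except UpdateRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    good = build_release(b"constructed installer bytes", "2.1.0")
    print(update_outcome(good, "2.0.0"))
    print(update_outcome(dict(good, package=b"modified bytes"), "2.0.0"))
```

Signing the manifest rather than the raw package is what lets the version number be protected as well; the downgrade check only works because the version sits under the signature.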
9. INSUFFICIENT LOGGING AND MONITORING (it takes too long to detect the attack)
Studies indicate that the time from attack to detection can take up to 200 days, and often longer. This window gives cyber thieves plenty of time to tamper with servers, corrupt databases, steal confidential information, and plant malicious code.
Newforma logs all activity that occurs within our applications, and Newforma on-premises offerings also allow for in-depth logging. Further, our logging is automated to alert our security team about any anomalies it detects. Newforma suggests that all IT infrastructures be monitored for anomalies.
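"Alerts based on anomalies" is only useful if the logs are actually read by something. The added example below (not Newforma's code) runs two simple detections over a constructed authentication log: a burst of failed logins from one source within a sliding window, and a successful login that follows several recent failures from the same source. The log format, thresholds and addresses are all assumptions made for the example.

```python
"""Anomaly alerts over authentication log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

# Constructed sample log: one authentication event per line.
SAMPLE_LOG = """\
2024-03-01T08:00:00 login_ok user=bob src=198.51.100.4
2024-03-01T08:00:30 login_failed user=bob src=198.51.100.4
2024-03-01T08:00:45 login_ok user=bob src=198.51.100.4
2024-03-01T08:01:00 login_failed user=alice src=203.0.113.7
2024-03-01T08:01:10 login_failed user=alice src=203.0.113.7
2024-03-01T08:01:20 login_failed user=alice src=203.0.113.7
2024-03-01T08:01:30 login_failed user=alice src=203.0.113.7
2024-03-01T08:01:40 login_failed user=alice src=203.0.113.7
2024-03-01T08:01:50 login_failed user=alice src=203.0.113.7
2024-03-01T08:02:05 login_ok user=alice src=203.0.113.7
garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_ok|login_failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def detect_anomalies(lines: Iterable[str], threshold: int = 5,
                     window: timedelta = timedelta(minutes=2)) -> List[str]:
    """Return alert strings for failure bursts and suspicious successes."""
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> failure times
    burst_alerted = set()   # alert once per source, not once per extra failure
    alerts: List[str] = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # malformed or unrelated line
        ts = datetime.fromisoformat(match["ts"])
        src = match["src"]
        failures = recent_failures[src]
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the sliding window
        if match["event"] == "login_failed":
            failures.append(ts)
            if len(failures) >= threshold and src not in burst_alerted:
                alerts.append(f"{match['ts']} burst: {len(failures)} failed logins from {src} "
                              f"within {int(window.total_seconds())}s")
                burst_alerted.add(src)
        elif len(failures) >= 3:
            # A success right after repeated failures deserves a human look.
            alerts.append(f"{match['ts']} suspicious success: {match['user']} logged in "
                          f"from {src} after {len(failures)} recent failures")
    return alerts


def run_sample() -> List[str]:
    return detect_anomalies(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The single failure from 198.51.100.4 produces nothing, which is the point: thresholds and windows keep ordinary typos out of the alert queue so the team can act on the real signal.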
10. SERVER-SIDE REQUEST FORGERY (allows attacks to systems behind firewalls)
Server-side request forgery is a security flaw that lets an attacker make the server send requests of the attacker's choosing; the server effectively becomes their proxy. Even if the program is protected by a firewall, VPN, or another sort of network access control list, an attacker can force it to send a forged request to an unexpected location.
Newforma validates all inputs. We also use an IP allow list that accepts input only from certain IP addresses and only for trusted domains. Further, administrators can configure the Newforma on-premises solution to provide the same protection.
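The allow-list approach described above is shown below as an added example, not Newforma's code: before the server fetches a user-supplied URL, the scheme, host, port and embedded credentials are checked against a constructed allow list, and the name is resolved so that an allow-listed host that points at an internal address is also refused. The resolver is injectable so the example runs offline with a constructed lookup table; the host names, addresses and ranges are assumptions for the example.

```python
"""Validating an outbound URL against an allow list before the server fetches it (added example)."""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

# Constructed allow list; a real deployment lists exactly the services the server must reach.
ALLOWED_HOSTS = {"files.example.com", "api.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}
# Address ranges the server must never be made to contact. Documentation
# ranges such as 203.0.113.0/24 are left out so the example can use them as
# stand-ins for public addresses; ipaddress's is_global is a stricter option.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "fc00::/7")]

Resolver = Callable[[str], List[str]]


def resolve_with_dns(host: str) -> List[str]:
    """Real resolver: every address the name maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETWORKS)


def validate_outbound_url(url: str, resolve: Resolver = resolve_with_dns) -> str:
    """Return `url` unchanged if it passes every check; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} not on allow list")
    if parts.port not in ALLOWED_PORTS:      # also raises ValueError on a malformed port
        raise ValueError(f"port {parts.port} not allowed")
    # Check what the name resolves to, not only the name itself.
    for addr in resolve(host):
        if not is_public(addr):
            raise ValueError(f"{host} resolves to internal address {addr}")
    return url


def outbound_decision(url: str, resolve: Resolver = resolve_with_dns) -> str:
    """Wrap the validator so callers get an explanation instead of an exception."""
    try:
        validate_outbound_url(url, resolve)
        return "allowed"
    except ValueError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    fake_dns = {"files.example.com": ["203.0.113.10"], "api.example.com": ["10.0.0.5"]}
    for candidate in ("https://files.example.com/reports/q1.pdf", "https://api.example.com/v1"):
        print(candidate, "->", outbound_decision(candidate, lambda h: fake_dns.get(h, [])))
```

One caveat for anyone adapting this: the address checked here should be the same one the HTTP client connects to, otherwise a name that changes between the check and the fetch slips through. Libraries that let you pin the resolved address, or a forward proxy that enforces the same allow list, close that gap.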
So, what can you do about it?
For someone who doesn’t actively work in IT or security, these topics can be daunting. There are some simple ways you can help protect your business against these threats.
First, be aware. Reading this blog post increases your awareness of the topic. Also be aware of how the software you are using for your business handles these vulnerabilities. Most security-focused software vendors will be happy to discuss how they handle security.
Secondly, spread that awareness: make sure your team understands these issues. One of the best defenses against cybercrime is awareness.
Finally, make sure you are handling these issues on your end and that your IT is up to snuff. Not all of the topics on this list relate to code. Misconfigured routers, poor password hygiene, and outdated software are common ways for cyber criminals to gain access to your network.