The recent security incident involving Oracle POS systems demonstrates once again that no system is immune to security breaches.
Oracle acted very responsibly in recommending that partners take action to prevent the accounts of MICROS users in other systems from being compromised. The struggle for digital users, with the zillion accounts we all have, has resulted in many relying on one password for multiple accounts. This practice effectively supports propagation of breaches from system to system, in this case from the MICROS system to commercial web applications used by shops, hotels, and retail outlets.
It is a lesson for any organization that has sensitive information—while attempting to avoid infection and penetration, you must have other plans in place to detect and contain an infection or a breach once it happens.
Attackers will always find their way in, using a zero-day vulnerability or a careless employee who opens an attachment they shouldn’t have. Anti-virus engines struggle to keep up with the modern virtual world, where thousands of new viruses are released into the wild every day, and thus incidents where malware resides in an organization's network for weeks or even months are becoming routine.
The attackers are after the data, and in this situation security officers should assume that the attacker is already in, and focus on detecting existing breaches. The locations where business-critical data is stored are becoming the modern cyber battlefield, whether within the perimeter of the organization in databases and file shares, or in cloud applications on the outside.
From a web application perspective, this event is a reminder of the limited effectiveness of password policies. They are useful against brute force attacks but contribute to the one-password-many-accounts practice I mentioned above. Moreover, they are of no use when the credentials are stolen, especially if the theft took place in another system with another account. With a database of stolen credentials in hand, the attacker can try them one by one until they find a hit – a user who used the same password for their MICROS account.
In order to prevent such attacks, web application providers should take specific detection measures to validate the authenticity of each login to the system. Treating logins from unexpected countries or anonymous networks with caution, limiting login attempts to catch bots, and cross-checking for known stolen credentials would be an excellent place to start.
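The three measures above can be combined into a single per-login risk assessment. The following is an added example written for this article, not code from the author or from Imperva; the GeoIP table, the anonymous-network ranges (documentation prefixes), the breached-password digests and the login events are all constructed for illustration, and the thresholds are hypothetical.

```python
import hashlib
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed reference data for this example; none of it is real threat intelligence.
# SHA-1 digests of passwords that appear in public credential dumps (hypothetical list).
KNOWN_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password123", "Summer2016!", "letmein")
}
# Address ranges treated as anonymous networks (Tor exits, open proxies); documentation ranges.
ANONYMOUS_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.66.0.0/16")]
# Toy GeoIP lookup table: prefix -> ISO country code (constructed).
GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "RU",
    ipaddress.ip_network("10.66.0.0/16"): "NL",
}

MAX_ATTEMPTS = 5               # attempts allowed per key inside the window (hypothetical)
WINDOW = timedelta(minutes=10)


def country_for(ip: str) -> str:
    """Resolve an address to a country code using the toy GeoIP table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"


def is_anonymous(ip: str) -> bool:
    """True if the address falls inside a range we treat as an anonymous network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ANONYMOUS_NETWORKS)


def password_is_breached(password: str) -> bool:
    """Cross-check the submitted password against digests of known-leaked passwords."""
    # Comparing a digest keeps the reference list itself free of plaintext passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in KNOWN_BREACHED_SHA1


class LoginGuard:
    """Scores each login attempt and returns (verdict, reasons)."""

    def __init__(self, usual_countries):
        # user -> set of countries seen in that user's legitimate login history
        self.usual_countries = usual_countries
        # (kind, key) -> timestamps of recent attempts, oldest first
        self.attempts = defaultdict(deque)

    def _over_limit(self, key, now):
        q = self.attempts[key]
        while q and now - q[0] > WINDOW:   # drop attempts outside the sliding window
            q.popleft()
        q.append(now)
        return len(q) > MAX_ATTEMPTS

    def assess(self, user, password, ip, now):
        reasons = []
        # Per-IP and per-account counters together catch both one bot cycling
        # through many accounts and a distributed attempt on a single account.
        if self._over_limit(("ip", ip), now):
            reasons.append("rate_limit_ip")
        if self._over_limit(("user", user), now):
            reasons.append("rate_limit_user")
        if is_anonymous(ip):
            reasons.append("anonymous_network")
        cc = country_for(ip)
        known = self.usual_countries.get(user)
        if known and cc not in known:
            reasons.append(f"unexpected_country:{cc}")
        if password_is_breached(password):
            reasons.append("breached_password")

        if any(r.startswith("rate_limit") for r in reasons):
            verdict = "block"          # automated volume: stop outright
        elif reasons:
            verdict = "challenge"      # plausible user: step-up auth or forced reset
        else:
            verdict = "allow"
        return verdict, reasons


def run_demo():
    """Three constructed login events: a normal login, a reused password from an
    anonymous network, and a credential-stuffing bot cycling accounts from one IP."""
    guard = LoginGuard({"alice": {"US"}, "bob": {"DE"}})
    t0 = datetime(2016, 8, 10, 9, 0, 0)
    results = {}
    results["alice_normal"] = guard.assess("alice", "c0rrect-h0rse", "198.51.100.7", t0)
    results["alice_reused"] = guard.assess("alice", "password123", "192.0.2.15", t0 + timedelta(seconds=30))
    last = None
    for i in range(MAX_ATTEMPTS + 1):
        last = guard.assess(f"user{i}", "letmein", "203.0.113.9", t0 + timedelta(seconds=60 + i))
    results["stuffing_bot"] = last
    return results


if __name__ == "__main__":
    for name, (verdict, reasons) in run_demo().items():
        print(f"{name:14s} {verdict:9s} {reasons}")
```

The breached-password check is deliberately a lookup on the password the user actually submitted, which is what makes it catch the cross-system reuse described above; in a real deployment the in-memory digest set would be replaced by a query against a large leaked-credential corpus, and the country baseline would come from each account's authenticated login history rather than a hard-coded dictionary.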
Itsik Mantin is a director of security research at Imperva.