
Thursday, August 15, 2013

Will we ever learn? Big Data: Same security issues different technology

One thing my history professor told me has stuck with me over the years: "The only thing we have learned from history is that we have never learned anything from history."

Think about that for a moment, and now let me provide the context. Remember the 1980s, when the Internet was the hot new thing and people were so excited about the new frontier? We never thought about security. Fast forward to the 1990s: we got these amazing application servers that serve up content to the user. We never thought about security when we developed those either.
Then we did the same thing with the new protocols and services we built on top of the existing infrastructure. Then, to secure the network, operating systems, applications and databases, we started bolting security on: firewalls, IPS (host and network), web application firewalls, database monitoring and virtual patching, and so on. The result was "Good Enough" security.

I am sure right now you are frowning at the words "Good Enough" security, because the definition is very subjective and varies from person to person and title to title.

Every time we come up with a shiny new toy, we look at the business benefits of the toy, forget about security, and then all hell breaks loose once that toy is ubiquitous.

Big Data is going through the same cycle. Everyone wants to implement Hadoop and do something with it. They want to bring in every single click, every single network flow and every single repository to uncover the hidden information in the data.

Very seldom are companies thinking about the security of this huge data set, which contains personally identifiable information (PII) and credit card information. Just because it is in HDFS doesn't make it secure. What about encrypting that information? How many of you are actually doing it?
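To make the "encrypt it before it lands in HDFS" point concrete, here is an added example (my own code, not from this post or from any Hadoop project) of field-level encryption at ingest time. It assumes a constructed record type with two sensitive columns, a 32-byte AES key handed in directly (in practice it would come from a KMS), and AES-256-GCM from the Go standard library; the field name is bound as associated data so a ciphertext copied from one column cannot be opened as another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed example of one row headed for HDFS. Only the PII and
// card fields get encrypted; the analytics fields stay in the clear so jobs can
// still aggregate on them.
type Record struct {
	UserID     string
	Email      string // PII
	CardNumber string // cardholder data
	Clicks     int
}

// Sealer encrypts individual field values with AES-256-GCM.
type Sealer struct {
	aead cipher.AEAD
}

// NewSealer builds a Sealer from a 32-byte key (assumed to be KMS-managed).
func NewSealer(key []byte) (*Sealer, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal encrypts one field value under a fresh random nonce. The field name is
// the associated data, so a ciphertext lifted from the Email column will not
// decrypt if it is later presented as a CardNumber.
func (s *Sealer) Seal(field, plaintext string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal. Any bit flip in the stored value fails the GCM tag check.
func (s *Sealer) Open(field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := s.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := s.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// SealRecord returns a copy of r with the sensitive fields replaced by
// ciphertext. This is the step that belongs in the ingest pipeline, before the
// row is written to HDFS.
func SealRecord(s *Sealer, r Record) (Record, error) {
	var err error
	if r.Email, err = s.Seal("Email", r.Email); err != nil {
		return r, err
	}
	if r.CardNumber, err = s.Seal("CardNumber", r.CardNumber); err != nil {
		return r, err
	}
	return r, nil
}

func main() {
	key := make([]byte, 32) // constructed key for the demo
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	s, _ := NewSealer(key)
	row := Record{UserID: "u-1001", Email: "alice@example.com", CardNumber: "4111111111111111", Clicks: 42}
	sealed, err := SealRecord(s, row)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", sealed)
	email, _ := s.Open("Email", sealed.Email)
	fmt.Println("decrypted email:", email)
}
```

The analytics columns (UserID, Clicks) are untouched, so MapReduce or Hive jobs that never need the raw PII keep working, while anyone who copies the HDFS blocks gets only ciphertext; key management and access control around the key are what then decide who can read the sensitive columns.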


You might think that SQL-injection-type attacks are only for databases. With Big Data comes MDX injection. The concept remains the same; only the name changes! You should definitely read the paper on MDX injection that was presented at BlackHat 2013. The paper can be found here.

In summary, if you are a pen tester, don't get blinded by shiny big data platforms. If you are an auditor, your audit checklist still remains the same. If you are a developer, your considerations are still the same: bounds checking, input sanitization, and other secure application development practices.

This is our chance to learn something from history: instead of waiting for someone to bolt security on top of the platform, we incorporate security within the platform.
If you want to take away one thing from this post, then here it is...
1. The Big Data platform is still growing, and we can embed security in the platform.