If you wade through the hype and hyperbole, dig into the details of the most prolific intrusions in recent history you'll notice one thing that shines like a neon sign.
"Source code" is the new hotness on the hacker market. It's quite interesting to see this evolution primarily because many of us are used to defending the 'endpoints'... because that's where the data is, right? I think we may be seeing a shift here.
Much like the tectonic plates that cause earthquakes, there are some though-forces that are currently colliding deep under the surface and may cause certain mayhem.
"There are no borders"
For many years now, much like you I've been reading articles and hearing talks about how the enterprise attack surface is fractured and splintered -causing an ever-increasing opportunity for breach from the bad guys.
For the record, I don't disagree... in fact, it's entirely too obvious to disagree with... but there's this subtle point that's been quietly going largely un-noticed. Attacking endpoints may get you at end-user data... but its in exploiting these endpoints as stepping-stones that will get you into the inner sanctum of an organization where the real good stuff is kept tightly locked up (or so we would hope).
So the idea of a borderless enterprise is scary for multiple reasons: valuable data walks out with the various gadgets a user may have, and exploitation of those end-points will likely lead to a larger, much more serious compromise.
"Work Anywhere, Any Time"
Much to the painful grin of the enterprise security manager, the corporate CIO wants the enterprise 'network' to be everywhere. Some companies go as far as to let employees bring their own devices and allow them to work from those devices.
Pulling at the extensions in the corporate network is the continually expanding need for people to be able to work remotely, effectively, and at any time. Interestingly enough the extension of corporate applications that have traditionally been installed as binaries on the corporate desktops to web-based applications accessible through a browser has caused serious issues for enterprises big and small.
That mainframe application was quite good at user control, access provisioning, and so on -but once you turn it into just a database and abstract the access controls to the logic which runs the web application... all bets are off.
It's All About the Source Code
Looking at these opposing forces, and factoring in recent high-profile breaches ... it really does seem to be all about the source code. Specifically it's all about the secrets behind some of the more compelling software that runs security solutions on grand scales.
RSA was attacked and source code was presumably stolen because millions of users world-wide use their tokens and access control mechanisms to gain access to corporate resources and highly guarded corporate secrets.
Think about it... how much more sense does it make to concentrate your energy, as an organized attacker, to penetrate and pilfer a security vendor so you can then either find flaws in their source code OR use that source code to understand their systems better? Answer: a lot.
The reason we're seeing security companies as a big, bright, shining target recently is attackers finally had that "light bulb goes on" moment where someone realized that they were sick of hitting each target individually - and wanted a way to hit millions of high-valued corporate safes all at once, potentially.
Think about that.
Now think about where your source code, your corporate secrets, are stored. They're on desktops, laptops, servers, tablets and if you're really unlucky even on PasteBin.net (remember PasteBinFail?)... my point is that the source code that governs the security solutions is the next target.
So if you've got the source code which stands between an attacker and a large customer or a big target - check your systems. You may already be a statistic.
Contributed By: Rafal Los