Evans Resource Group Releases 2008 – 2010 Interconnectivity Security Threat Report

March 8, 2012 (Powerhomebiz.com) Evans Resource Group, Inc., a leading security testing and consulting company that specializes in Service Oriented Architecture (SOA) and Business Process Interconnectivity (BPIC) security, has released its inaugural 2008-2010 Interconnectivity Security Threat Report, which shows a dramatic increase in the number of data breaches and attacks on the business process interconnectivity network layer, due to misconfiguration and lack of administrative hardening.

The report summarizes that deploying interconnectivity products such as IBM’s WebSphere Message Queue (WMQ) and Enterprise Service Bus (ESB), formerly known as WebSphere/Neon Message Broker, in an “out-of-the-box” manner without properly configuring security parameters has historically led to increased Distributed Denial of Service (DDoS) attacks, malware insertion, and remote code execution.

“Data security compliance is becoming increasingly more stringent and important with internet-based applications spanning industries and geographies,” said M. Ariel Evans, Managing Director of Security and Response for Evans Resource Group. “The data security triad of confidentiality, integrity, and accessibility crosses all regulatory boundaries including the Healthcare Insurance Portability & Accountability Act (HIPAA), the Sarbanes Oxley Act (SOX), EU Data Directive and the Payment Card Industry Data Security Standard.”

The BPIC layer acts as glue that binds different databases and programs on different computers, enabling multiple applications to work together in harmony. Trillions of dollars of transaction value flow weekly through this network layer, and if the layer experiences any performance problems or hacks, it can wreak havoc across an organization’s entire network, resulting in compromised data security, insertion of rogue data, interrupted workflows of transactions, expensive downtime via DDoS, and possible legal action where business partners are impacted.

“Our research and findings have uncovered a pervasive vulnerability associated with the installation and maintenance of BPIC products, including IBM’s WebSphere Application Server (WAS) and WMQ which can lead to unauthorized administrative access, a critical infrastructure vulnerability that allows hackers to own the system,” said Ali Valdez, Vice President of Operations at Evans Resource Group. “In fact, nearly 90% of the penetration testing we’ve done has revealed access control vulnerability within the business process interconnectivity layer, not just the network perimeter.”

Among the report’s key findings:

  • Nearly 90% of interconnectivity environments tested by Evans Resource Group are not administratively hardened with strong administrative passwords, leaving internal systems wide-open for hackers to gain unauthorized administrative access.
  • Misconfiguration is now one of the top 10 breach vectors according to the Open Web Application Security Project (OWASP).
  • BPIC misconfiguration has resulted in numerous high-notoriety attacks including the Hannaford and Heartland breaches.
  • The BPIC layer is a prime target for hackers.
  • Perimeter security is not the same as interconnectivity security.

A free copy of the full report is available for download at:
http://evansresourcegroup.com/wp-content/uploads/2012/01/ergtrendscecurityreportbprev2.pdf

About Evans Resource Group, Inc.

New York-based Evans Resource Group (ERG) is a global leader in Service Oriented Architecture (SOA) and Business Process Interconnectivity (BPIC) security. Our patent-pending testing, mapping and monitoring software offerings combine with our expert assessment and remediation consulting services to provide a comprehensive and holistic approach to an area of the network that is overwhelmingly lacking in security: the business process interconnectivity space. We specialize in BPIC and SOA applications and provide solutions for data security and IT governance in the government and commercial sectors. As a trusted IBM business partner and IBM WebSphere MQ specialists, we provide all levels of critical BPIC infrastructure security consulting. ERG offers a modular and sequential set of consulting offerings, including our flagship penetration-testing tool, MQSentry, that span the full information technology lifecycle for BPIC and SOA. For additional information, please visit www.evansresourcegroup.com.

All company, brand, and product names referenced herein may be trademarks or registered trademarks of their respective owners.

Written by: Rio McIntyre
Published on: March 8, 2012

Categories: Tech News
Tags: Network Security

Reader Interactions

Comments

  1. rack card

    March 10, 2012 at 8:32 am

    Highly descriptive post, I enjoyed that a lot.
    Will there be a part 2?
