The growing list of recent red-letter security vulnerabilities—Beast, Heartbleed, Shellshock—was recently extended with a new threat, POODLE. No matter how fluffy your associations with this word are, the term sends shivers down the spine of those who use SSLv3 protocol.
POODLE stands for Padding Oracle on Downgraded Legacy Encryption, which is an attack targeting an obsolete SSLv3 protocol (a legacy protocol used to establish secure Web communication, HTTPS). It is not limited to either Windows or Linux operating systems.
As you may derive from the full name, POODLE is a variation of an infamous Padding Oracle attack. Appearing by design in SSL version 3, this vulnerability provides an attacker with an opportunity to decipher SSLv3 encrypted HTTPS transmissions on behalf of the victim. It is possible to disable CBC encryption mode, however it is a smarter idea to completely turn off SSLv3 on your servers and browsers.
More than 95 percent of websites and Web clients rely on SSLv3 protocol, so the chances that POODLE may visit you are higher than you might expect. Believe it or not, POODLE has already destroyed a whole bunch of admins’ nerve cells. So having been taught a cyber-security lesson, we collected four tips not only for this specific vulnerability, but for all the security management processes.
Update, Configuration and Patch Management Are Your Friends
To get a clue what and why, let’s get back to basics. POODLE vulnerability appeared as a result of an incorrect update and configuration handling. It’s easier said than done, but any system administrator should constantly look for new available updates and recommendations to prevent any potential threats before it is too late. Do not think that having more than 100 servers is an excuse in this case, though.
As a recommendation, such configuration management utilities as Puppet and Chef may come in handy. These tools have one thing in common: They both aim to turn patching and configuration of dozens or even thousands of servers into a much smoother process.
Do Not Underestimate the Power of WAF/IPS
POODLE is not the only problem in the world, so the best practice to decrease the risk level of getting "infected" is to install additional security tools, such as Web application firewalls (WAF) and intrusion prevention systems (IPS). By its nature, WAF performs the role of a proxy between a user and an app itself. To put it simply, WAF applies regular expressions on traffic between them to seek for malicious payloads (such as SQLi and XSS), or any suspected malicious activity (like parameter fuzzing).
In turn, IPS is a tool that detects malicious activity within a network or a website (as in the case of Web IPS), prevents it from happening and notifies an administrator about the malicious attempt. Combined with IPS, WAF-protection promises to be the next big thing in the IT security field.
Make Sure You Have a Backup Incident Response Plan
Imagine this situation: You are the owner of a system and you were hacked despite the fact that you were armed with dozens of security tools and your administrator’s attempts to handle the system as securely as possible. What would you do?
Well, in this case, you would regret being irresponsible enough to not come up with an incident response plan. Also, you would try to answer a range of rhetorical questions: What should I do after the system is hacked? Should I have backups? How may I recover? Who will handle forensics to detect an attacker?
Make sure all of these questions are answered beforehand.
A Security Group Is a Must
The previous three lessons lead to the last one. Any company should have a well-trained security team that is in the position of handling such problems. Without real experts, even the most primitive attack may lead you to a financial crash and reputation disaster.
Vulnerabilities like POODLE make us re-think our attitude to security and seek proper ways to manage our system processes. With security breaches (and POODLE, in particular) being one of the buzzing trends in today’s market, there’s no way your company can tolerate the absence of a proper security team.
Nazar Tymoshyk and Stanislav Breslavskyi are both security engineers at SoftServe Inc. and regular contributors to the SoftServe United blog. Nazar holds a Ph.D. in information security from the State University, Lviv Polytechnics and is an expert in multiple security disciplines including computer forensics, malware analysis and intrusion detection. Stanislav is also a graduate of the State University, Lviv Polytechnics with a bachelor’s degree in information security. Stanislav focuses on network solutions development, specifically security-related development.