Threats, Threat Modeling and Analysis

Super high level presentation of stuff that everyone developing applications, infrastructure, and operations should already know! :D
Today's Current Threats

Some mention of the current threat space and how to formulate a defense for your code and/or service.
The Hard Truth

2008: 285+ million records compromised

http://www.verizonbusiness.com/us/products/security/risk/databreach/
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
http://www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach-investigations-supplemental-report_en_xg.pdf
The Hard Truth

91% of all compromised records were attributed to organized criminal groups

99.6% of records were compromised from servers and applications

74% resulted from external sources

The Hard Truth

69% were discovered by a 3rd party

67% were aided by significant errors

32% implicated business partners

The Hard Truth

an average of $202 per compromised record

http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf
Common Threats

SANS Top Risks

OWASP Top 10 for 2010

The OWASP Code Review Top 9

http://www.sans.org/top-cyber-security-risks/
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
http://www.owasp.org/index.php/The_Owasp_Code_Review_Top_9
SANS

Application vulnerabilities

Webapp attacks

Slow patching

0days

Not having good configs

http://www.sans.org/top-cyber-security-risks

Typical exploitation attack:
http://www.sans.org/top-cyber-security-risks/#tutorial
Step 0: Attacker places content on trusted site
Step 1: Client-side exploitation
Step 2: Establish reverse shell backdoor using HTTPS
Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot
Step 5: Pass the hash to compromise domain controller
Steps 6 and 7: Exfiltration

Tools make this nearly point-and-click easy now, thanks to tools such as Metasploit and its add-on modules.
www.metasploit.com
SANS

Mostly stuff everyone here has heard about
Typical Targeted Attack

Malware placed somewhere
Typical Targeted Attack

Executed
Typical Targeted Attack

HTTPS or some other common tunnel back to control console
Typical Targeted Attack

Credential dump, keylogger, or sniffing for example
Typical Targeted Attack

Escalation and looting
OWASP Top 10

Stands for Open Web Security Project

Focused on Webapps

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

 ■   A1: Injection
 ■   A2: Cross-Site Scripting (XSS)
 ■   A3: Broken Authentication and Session Management
 ■   A4: Insecure Direct Object References
 ■   A5: Cross-Site Request Forgery (CSRF)
 ■   A6: Security Misconfiguration
 ■   A7: Insecure Cryptographic Storage
 ■   A8: Failure to Restrict URL Access
 ■   A9: Insufficient Transport Layer Protection
 ■   A10: Unvalidated Redirects and Forwards
OWASP Top 10

A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery (CSRF)

A6: Security Misconfiguration

A7: Insecure Cryptographic Storage

A8: Failure to Restrict URL Access

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The Owasp Code Review Top 9

Input validation

Source code design

Information leakage and improper error handling

Direct object reference

Resource usage

API usage

Best practices violation

Weak Session Management

Using HTTP GET query strings

http://www.owasp.org/index.php/The_Owasp_Code_Review_Top_9


The Nine Source Code Flaw Categories
 ■   Input validation
 ■   Source code design
 ■   Information leakage and improper error handling
 ■   Direct object reference
 ■   Resource usage
 ■   API usage
 ■   Best practices violation
 ■   Weak Session Management
 ■   Using HTTP GET query strings
Defending from Attackers

Simple Threat Modeling

Reactive Defense

Proactive Defense

Defense in Depth
Simple Threat Modeling

It's simplified

Glorified brainstorming

Better than nothing

A worthwhile exercise

Really a simplified brainstorming activity
Reactive Modeling

Driven by:

Blackbox testing

Grey/Whitebox testing

Code audit

Operational/performance bugs

Assessment and mitigation/patch/fix

Really a less simplified brainstorming activity

Performed at the end of development or post-deployment, when the code is finished

Hamster wheel of pain. Expensive in time and resources. Difficult. Never ending.
Proactive Modeling

Driven by:

Data Flow Diagrams [DFD]

Data classification

Secure coding practices

Continuous testing/improvement

Rugged software design

Cheeseball but appropriate Sun Tzu quotation:
So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss.
If you only know yourself, but not your opponent, you may win or may lose.
If you know neither yourself nor your enemy, you will always endanger yourself.

Fixing problems before they are created is an enormous cost and time saving

This method prevents bugs from happening instead of remediating them after the fact

http://en.wikipedia.org/wiki/Proactive_Cyber_Defence
http://en.wikipedia.org/wiki/Operational_risk#Methods_of_operational_risk_management
http://en.wikipedia.org/wiki/Risk_modeling (beware use of financial risk management in complex systems)

Rugged Software Manifesto:
http://ruggedsoftware.org/

http://www.owasp.org/index.php/SAMM_-_Threat_Assessment_-_1
Data Flow Diagram [DFD]

http://en.wikipedia.org/wiki/Data_flow_diagram
Threat Model

Defining a set of attacks to consider

What can you trust?

What can you not mitigate in the code or environment?

Think defense in depth here

http://en.wikipedia.org/wiki/Threat_modeling
http://www.owasp.org/index.php/Threat_Risk_Modeling
Threat Model

Three types:

Attacker centric

Software centric

Asset centric

http://en.wikipedia.org/wiki/Threat_modeling
Attacker

What do they want?

What resources do they have to get it?

This is likely of little interest to us in this context

http://www.egadss.org/security.html
Software

Anticipate possible attacks

What can be done beyond secure code:

Validating inputs

Least privilege

Fail closed

http://www.owasp.org/index.php/Threat_Risk_Modeling
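The "validating inputs", "least privilege" and "fail closed" bullets above, made concrete in an added example (my code, not from the talk): an authorization check whose error path fails open, next to one that fails closed and records why, with an allowlist validator in front of both. The policy table, roles, resource format and the `outage` flag are all constructed for the demonstration.

```python
"""Fail-open vs fail-closed authorization around a flaky policy backend."""
import re

# Constructed policy: the only (role, action, resource type) triples allowed.
# Anything not listed is denied, which is least privilege by default.
POLICY = {
    ("admin", "delete", "user"),
    ("admin", "read", "user"),
    ("support", "read", "user"),
}
ACTIONS = {"read", "delete"}                        # allowlist of known actions
RESOURCE_RE = re.compile(r"^(user):([0-9]{1,9})$")  # e.g. "user:42", nothing else

AUDIT = []  # (role, action, resource, allowed, reason) for every decision


class PolicyUnavailable(Exception):
    """Raised when the policy store cannot be reached."""


def lookup(role, action, rtype, *, outage=False):
    """Stand-in for a policy-service call; `outage` simulates a backend failure."""
    if outage:
        raise PolicyUnavailable("policy service timed out")
    return (role, action, rtype) in POLICY


def parse_resource(resource):
    """Input validation by allowlist: accept 'user:<digits>' and reject the rest."""
    m = RESOURCE_RE.match(resource)
    if not m:
        raise ValueError(f"malformed resource {resource!r}")
    return m.group(1), int(m.group(2))


def authorize_fail_open(role, action, resource, outage=False):
    """The anti-pattern: an error while checking is treated as 'no objection',
    so a broken backend or malformed input grants access."""
    try:
        rtype, _ = parse_resource(resource)
        return lookup(role, action, rtype, outage=outage)
    except (PolicyUnavailable, ValueError):
        return True  # BUG: availability is kept at the cost of authorization


def authorize_fail_closed(role, action, resource, outage=False):
    """Deny unless a rule explicitly allows; any failure to decide is a deny
    (fail closed), and the reason is recorded so operators see the outage."""
    allowed, reason = False, "no matching rule"
    try:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        rtype, _ = parse_resource(resource)
        allowed = lookup(role, action, rtype, outage=outage)
    except PolicyUnavailable as exc:
        reason = f"policy unavailable: {exc}"
    except ValueError as exc:
        reason = f"invalid input: {exc}"
    if allowed:
        reason = "explicit allow"
    AUDIT.append((role, action, resource, allowed, reason))
    return allowed


if __name__ == "__main__":
    # During an outage the fail-open check lets a guest delete a user; the
    # fail-closed check denies and leaves an audit record explaining why.
    print(authorize_fail_open("guest", "delete", "user:42", outage=True))    # True
    print(authorize_fail_closed("guest", "delete", "user:42", outage=True))  # False
    print(AUDIT[-1])
```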
Software

Attacks and code countermeasures

Methodologies:

STRIDE / DREAD

CVSS

OCTAVE

http://www.owasp.org/index.php/Threat_Risk_Modeling
STRIDE http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
CVSS http://www.first.org/cvss/
OCTAVE http://www.cert.org/octave/
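The DFD slides above, the "what can you trust?" question on the Threat Model slide, and the STRIDE / DREAD methodologies named here, carried through together in one added example (my code, not from the talk or from any SDL tooling): STRIDE-per-element applied to a constructed three-element DFD with one trust boundary, then DREAD averages used to rank the result. The element names, trust zones and ratings are constructed; the STRIDE-per-element chart is the one from the Microsoft SDL guidance, and scoring unscored threats as 0 in `rank()` is my choice.

```python
"""STRIDE-per-element over a small data flow diagram, ranked with DREAD."""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


# STRIDE-per-element chart (Microsoft SDL guidance): which categories are worth
# asking about per DFD element kind. 'R' on a store only matters for log stores.
STRIDE_BY_KIND = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.STORE: "TRID",
    Kind.FLOW: "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    zone: str = ""   # trust zone; flows leave it empty and use their endpoints'
    src: str = ""    # flows only: names of the two endpoints
    dst: str = ""


@dataclass(frozen=True)
class Threat:
    element: str
    category: str           # one STRIDE letter
    crosses_boundary: bool  # flow whose endpoints sit in different trust zones


def enumerate_threats(elements):
    """Apply STRIDE-per-element to every DFD element. Flows that cross a trust
    boundary are flagged: that crossing is where 'what can you trust?' has to
    be answered with a control rather than an assumption."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        crossing = False
        if e.kind is Kind.FLOW:
            crossing = by_name[e.src].zone != by_name[e.dst].zone
        for letter in STRIDE_BY_KIND[e.kind]:
            threats.append(Threat(e.name, letter, crossing))
    return threats


def dread_score(damage, reproducibility, exploitability, affected, discoverability):
    """Classic DREAD: five 1-10 ratings averaged into one 1-10 risk number."""
    ratings = (damage, reproducibility, exploitability, affected, discoverability)
    if any(not 1 <= r <= 10 for r in ratings):
        raise ValueError("DREAD ratings must be in 1..10")
    return sum(ratings) / 5


def rank(threats, scores):
    """Order threats by DREAD score, highest first. Threats the analyst has not
    scored yet get 0 so they stay on the list instead of silently vanishing."""
    return sorted(threats,
                  key=lambda t: (-scores.get((t.element, t.category), 0),
                                 t.element, t.category))


# Constructed sample DFD: a browser on the Internet talking to a web app that
# reads a user database, with app and database in one internal zone.
SAMPLE_DFD = [
    Element("Browser", Kind.EXTERNAL, "internet"),
    Element("WebApp", Kind.PROCESS, "internal"),
    Element("UserDB", Kind.STORE, "internal"),
    Element("HTTP request", Kind.FLOW, src="Browser", dst="WebApp"),
    Element("SQL query", Kind.FLOW, src="WebApp", dst="UserDB"),
]

# Constructed analyst ratings (damage, reproducibility, exploitability,
# affected users, discoverability) for three of the enumerated threats.
SAMPLE_SCORES = {
    ("WebApp", "E"): dread_score(9, 8, 7, 9, 6),        # e.g. injection
    ("HTTP request", "I"): dread_score(7, 9, 8, 9, 9),  # plaintext transport
    ("UserDB", "I"): dread_score(10, 5, 4, 10, 3),      # unencrypted storage
}


def top_threats(n=3):
    """The n highest-ranked threats as (element, category, crosses boundary)."""
    ranked = rank(enumerate_threats(SAMPLE_DFD), SAMPLE_SCORES)
    return [(t.element, STRIDE_NAMES[t.category], t.crosses_boundary)
            for t in ranked[:n]]
```

Calling `top_threats()` on the sample puts the boundary-crossing HTTP flow first, which is the point: the flow out of the zone you control is the one that needs a mitigation in the design, not a hope.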
Asset

Start modeling with things with asset tags:

Webservers

Disk arrays

Databases

Routers

Data channels

For those who aren't programmers, but want to perform some operational threat modeling and risk mitigation, this is a popular choice.
Change Management

A good name. Goals:

Eliminate unauthorized changes

Eliminate unauthorized access and vulnerability exposure

Raise communication and awareness

Leads to better security

Many incidents are caused by a gap in proper configuration. This speaks to an immature change management program.

Photo: www.flickr.com/photos/spursfan_ace/2328879637/
Change Management

Related important activities:

Patching

Known-good or gold standard configurations and builds

System security

Role-based access and least privilege controls

http://en.wikipedia.org/wiki/Principle_of_least_privilege
Security Controls

Covers what software does not

Reinforces what software does cover

Defense in depth

They are best when they are fed data

A nice ancient picture from our friends at the RAND Corporation
Security Controls

Physical access control

Auditing of changes and user access

Intrusion detection/prevention

Monitoring

There are more; these are just examples
Security Controls

Anomaly detection

Incident management and handling

Single Sign-on

...and much, much more
Security Development [SDL]

In Seattle, most like Microsoft. At Microsoft, they like their SDL

Flavors available:

Classic

Agile

Light

http://www.microsoft.com/security/sdl/

There are other models and I have my favorites. Ask me if you can't get enough of this SDL business.
Security Development [SDL]

In a nutshell:

Requirements

Design

Implementation

Verification

Release

With the optional stage zero of Training and a post-release stage of Response
Security Development [SDL]

OWASP SDL: OpenSAMM

Open and free

Scoring maturity in skill/process zones

Like all things OWASP, pretty awesome

http://www.opensamm.org/2009/03/samm-10-released/
http://blogs.gartner.com/neil_macdonald/2009/08/04/another-excellent-application-security-maturity-model/
Security Development [SDL]

Program quality scored from 0 to 3

0 representing none

3 representing comprehensive mastery
Security Development [SDL]

Figure it out yourself

Make your process fit your business needs and team skillsets

Define more or less based on your in-house framework or other needs

http://securosis.com/blog/firestarter-secure-development-lifecycle-your-doing-it-wrong/

The same failing argument was used against QA 20 years ago:
http://erratasec.blogspot.com/2010/05/you-may-not-need-sdl.html

Do what you can do well, and farm the rest out or delegate to someone who can do it better.
Horrible Consequences

Something didn't work out

There was an incident

The breach was on the news

What might happen now?
Horrible Consequences

You may be called to a meeting to explain

Your company brand or stock price may suffer

There may be truly amazingly large fines

Businesses can fold over such things

Whatever happens, you will not like it, no one will be pleased, and life will not be cool.
The Unexpected

Unintended uses for software

Landscapes change

Future hard to predict

Dependencies

Legacy

Example: IP over HTTP and DNS

Futurists thought that we would be on Mars and communicating with telepathy by now. It's no wonder there is no trust model in TCP/IP.

Smurf (and other amplification attacks) and IP spoofing were likely not among the TCP/IP design considerations.

Try to think about possible applications of the infrastructure you're developing as, if you do it well, it may be around for a long time.
Thanks

Ian Gorrie

I am Ian.
http://gorrie.org
@gorrie

Using Analyzers to Resolve Security Problems
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptions
 
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti MohulCsa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 

Último

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 

Último (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 

Threats, Threat Modeling and Analysis

  • 1. Threats, Threat Modeling and Analysis. Notes: Super high level presentation of stuff everyone developing applications, infrastructure, and operations should already know! :D
  • 2. Today's Current Threats. Notes: Some mention of the current threat space and how to formulate a defense for your code and/or service.
  • 3. The Hard Truth: 2008: 285+ million records compromised. Sources: http://www.verizonbusiness.com/us/products/security/risk/databreach/ ; http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf ; http://www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach-investigations-supplemental-report_en_xg.pdf
  • 4. The Hard Truth: 91% of all compromised records were attributed to organized criminal groups; 99.6% of records were compromised from servers and applications; 74% resulted from external sources. Sources: the same Verizon 2009 Data Breach Investigations Report links as slide 3.
  • 5. The Hard Truth: 69% were discovered by a 3rd party; 67% were aided by significant errors; 32% implicated business partners. Sources: the same Verizon 2009 Data Breach Investigations Report links as slide 3.
  • 6. The Hard Truth: an average of $202 per compromised record. Source: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf
  • 7. Common Threats: SANS Top Risks; OWASP Top 10 for 2010; The OWASP Code Review Top 9. Sources: http://www.sans.org/top-cyber-security-risks/ ; http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project ; http://www.owasp.org/index.php/The_Owasp_Code_Review_Top_9
  • 8. SANS: application vulnerabilities; webapp attacks; slow patching; 0days; not having good configs. Source: http://www.sans.org/top-cyber-security-risks Notes: Typical exploitation attack (http://www.sans.org/top-cyber-security-risks/#tutorial). Step 0: attacker places content on a trusted site. Step 1: client-side exploitation. Step 2: establish a reverse shell backdoor over HTTPS. Steps 3 and 4: dump hashes and use a pass-the-hash attack to pivot. Step 5: pass the hash to compromise the domain controller. Steps 6 and 7: exfiltration. Tools make this nearly point-and-click easy now, thanks to Metasploit and its add-on modules: www.metasploit.com
  • 9. SANS: mostly stuff everyone here has heard about. Notes: same as slide 8.
  • 10. Typical Targeted Attack: malware placed somewhere. Notes: same as slide 8.
  • 11. Typical Targeted Attack: executed. Notes: same as slide 8.
  • 12. Typical Targeted Attack: HTTPS or some other common tunnel back to the control console. Notes: same as slide 8.
  • 13. Typical Targeted Attack: credential dump, keylogger, or sniffing, for example. Notes: same as slide 8.
  • 14. Typical Targeted Attack: escalation and looting. Notes: same as slide 8.
  • 15. OWASP Top 10: OWASP stands for Open Web Application Security Project; focused on webapps. Source: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Notes: A1: Injection; A2: Cross-Site Scripting (XSS); A3: Broken Authentication and Session Management; A4: Insecure Direct Object References; A5: Cross-Site Request Forgery (CSRF); A6: Security Misconfiguration; A7: Insecure Cryptographic Storage; A8: Failure to Restrict URL Access; A9: Insufficient Transport Layer Protection; A10: Unvalidated Redirects and Forwards.
  • 16. OWASP Top 10 (2010): A1 Injection; A2 Cross-Site Scripting (XSS); A3 Broken Authentication and Session Management; A4 Insecure Direct Object References; A5 Cross-Site Request Forgery (CSRF); A6 Security Misconfiguration; A7 Insecure Cryptographic Storage; A8 Failure to Restrict URL Access; A9 Insufficient Transport Layer Protection; A10 Unvalidated Redirects and Forwards. Source: as slide 15.
  • 17. The OWASP Code Review Top 9. The nine source code flaw categories: input validation; source code design; information leakage and improper error handling; direct object reference; resource usage; API usage; best practices violation; weak session management; using HTTP GET query strings. Source: http://www.owasp.org/index.php/The_Owasp_Code_Review_Top_9
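Three of the items above (A1 Injection, A4 Insecure Direct Object References, and the Code Review "input validation" category) can be shown in one small program. This is an added example, not code from the deck or from OWASP; the schema, users, passwords and the `login_vulnerable`, `login_safe`, `list_orders` and `get_order` functions are constructed for the demonstration, using Python's built-in sqlite3 module.

```python
"""A1 injection, A4 direct object reference and allow-list input validation in sqlite3.

Added example, not from the deck. Schema and data are constructed for the demo."""
import hashlib
import sqlite3

SALT = b"demo-salt"   # constructed; real code uses a random per-user salt


def pw_hash(password):
    # PBKDF2 rather than a bare hash (A7 Insecure Cryptographic Storage); the
    # iteration count is kept low only so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000).hex()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pwhash TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, item TEXT, created TEXT);
    """)
    conn.executemany("INSERT INTO users(username, pwhash) VALUES (?, ?)",
                     [("admin", pw_hash("hunter2")), ("alice", pw_hash("wonderland"))])
    conn.executemany("INSERT INTO orders(owner_id, item, created) VALUES (?, ?, ?)",
                     [(1, "hsm", "2010-05-01"), (2, "yubikey", "2010-05-02"),
                      (2, "book", "2010-05-03")])
    return conn


def login_vulnerable(conn, username, password):
    """A1: the username is spliced into the SQL text. A username of
    "admin' -- " comments out the password check entirely."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pwhash = '%s'"
           % (username, pw_hash(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: values travel separately from the SQL, so no input
    can change the statement's structure."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND pwhash = ?",
                       (username, pw_hash(password))).fetchone()
    return row[0] if row else None


ORDER_COLUMNS = {"id", "created"}   # identifiers cannot be bound, so allow-list them


def list_orders(conn, current_user_id, sort_by="id"):
    """Input validation on the one fragment that must become SQL text; an unknown
    column name fails closed instead of being passed through."""
    if sort_by not in ORDER_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_by)
    return conn.execute("SELECT id, item FROM orders WHERE owner_id = ? ORDER BY " + sort_by,
                        (current_user_id,)).fetchall()


def get_order(conn, current_user_id, order_id):
    """A4: scope the lookup by the caller, so guessing another user's order id
    returns nothing rather than their record."""
    return conn.execute("SELECT id, item FROM orders WHERE id = ? AND owner_id = ?",
                        (order_id, current_user_id)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, "admin' -- ", "anything"))
    print("safe login:      ", login_safe(db, "admin' -- ", "anything"))
    print("alice's orders:  ", list_orders(db, 2, "created"))
    print("alice reads #1:  ", get_order(db, 2, 1))
```

The vulnerable login returns "admin" for the injected username because the `--` turns the rest of the statement into a comment; the parameterized version looks for a literal user named `admin' -- ` and finds none.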
  • 18. Defending from Attackers: simple threat modeling; reactive defense; proactive defense; defense in depth.
  • 19. Simple Threat Modeling: it's simplified; glorified brainstorming; better than nothing; a worthwhile exercise. Notes: Really a simplified brainstorming activity.
  • 20. Reactive Modeling. Driven by: blackbox testing; grey/whitebox testing; code audit; operational/performance bugs; assessment and mitigation/patch/fix. Notes: Really a less simplified brainstorming activity. Performed at the end of development or post-deployment, when the code is finished. Hamster wheel of pain: expensive in time and resources, difficult, never ending.
  • 21. Reactive Modeling (continued): same content and notes as slide 20.
  • 22. Proactive Modeling. Driven by: Data Flow Diagrams [DFD]; data classification; secure coding practices; continuous testing/improvement; rugged software design. Notes: Cheeseball but appropriate Sun Tzu quotation: "So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself." Fixing problems before they are created is an enormous cost and time savings. This method prevents bugs from happening instead of remediating them after the fact. Links: http://en.wikipedia.org/wiki/Proactive_Cyber_Defence ; http://en.wikipedia.org/wiki/Operational_risk#Methods_of_operational_risk_management ; http://en.wikipedia.org/wiki/Risk_modeling (beware use of financial risk management in complex systems) ; Rugged Software Manifesto: http://ruggedsoftware.org/ ; http://www.owasp.org/index.php/SAMM_-_Threat_Assessment_-_1
  • 23-26. Data Flow Diagram [DFD]: four diagram slides. Source: http://en.wikipedia.org/wiki/Data_flow_diagram
  • 27. Threat Model: defining a set of attacks to consider. What can you trust? What can you not mitigate in the code or environment? Think defense in depth here. Sources: http://en.wikipedia.org/wiki/Threat_modeling ; http://www.owasp.org/index.php/Threat_Risk_Modeling
  • 28. Threat Model. Three types: attacker centric; software centric; asset centric. Source: http://en.wikipedia.org/wiki/Threat_modeling
  • 29. Attacker: what do they want? What resources do they have to get it? Notes: This is likely of little interest to us in this context. http://www.egadss.org/security.html
  • 30. Software: anticipate possible attacks. What you can do beyond secure code: validate inputs; least privilege; fail closed. Source: http://www.owasp.org/index.php/Threat_Risk_Modeling
  • 31. Software: attacks and code countermeasures. Methodologies: STRIDE / DREAD; CVSS; OCTAVE. Sources: http://www.owasp.org/index.php/Threat_Risk_Modeling ; STRIDE: http://msdn.microsoft.com/en-us/magazine/cc163519.aspx ; CVSS: http://www.first.org/cvss/ ; OCTAVE: http://www.cert.org/octave/
  • 32. Asset: start modeling with things that have asset tags: webservers; disk arrays; databases; routers; data channels. Notes: For those who aren't programmers but want to perform some operational threat modeling and risk mitigation, this is a popular choice.
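Slides 22 to 31 describe the software-centric path: draw the DFD, mark trust boundaries, enumerate threats with STRIDE and rank them with DREAD. The following is an added example of that loop in code, not material from the deck or from Microsoft; it applies the STRIDE-per-element table (which STRIDE classes apply to external entities, processes, data stores and data flows) to a constructed three-tier DFD, flags flows that cross a trust boundary, and scores one threat with DREAD. The `Element`, `Threat`, `MODEL` and `demo` names, the zone labels and the ratings are all assumptions made for the illustration.

```python
"""STRIDE-per-element enumeration over a DFD with trust boundaries, plus DREAD scoring.

Added example, not code from the deck. DFD, zones and ratings are constructed."""
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# STRIDE-per-element: which classes apply to each DFD element type
# (the table used in Microsoft's SDL threat modeling guidance).
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}


@dataclass
class Element:
    name: str
    kind: str                 # external | process | store | flow
    zone: str                 # trust zone the element sits in
    src: str = None           # flows only: source element name
    dst: str = None           # flows only: destination element name


@dataclass
class Threat:
    element: str
    category: str
    crosses_boundary: bool
    dread: dict = field(default_factory=dict)

    def score(self):
        """DREAD = mean of Damage, Reproducibility, Exploitability, Affected users
        and Discoverability, each rated 1..10; 0.0 until all five are rated."""
        return sum(self.dread.values()) / 5 if len(self.dread) == 5 else 0.0


def enumerate_threats(elements):
    """One Threat per (element, applicable STRIDE class). Flows whose endpoints sit
    in different trust zones are marked so they are reviewed first."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        crosses = e.kind == "flow" and by_name[e.src].zone != by_name[e.dst].zone
        for letter in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[letter], crosses))
    return threats


def rate(threats, element, category, **dread):
    """Attach DREAD ratings (keys D, R, E, A, Di) to one enumerated threat."""
    for t in threats:
        if t.element == element and t.category == category:
            t.dread = dread
            return t
    raise KeyError((element, category))


def prioritize(threats):
    return sorted(threats, key=lambda t: (t.score(), t.crosses_boundary), reverse=True)


def boundary_crossing_flows(threats):
    return sorted({t.element for t in threats if t.crosses_boundary})


# Constructed DFD: browser on the internet, web app in a DMZ, user DB on the internal net.
MODEL = [
    Element("Browser", "external", "internet"),
    Element("WebApp", "process", "dmz"),
    Element("UserDB", "store", "internal"),
    Element("Browser->WebApp", "flow", "internet", src="Browser", dst="WebApp"),
    Element("WebApp->UserDB", "flow", "dmz", src="WebApp", dst="UserDB"),
]


def demo():
    """Enumerate, rate the one threat the team has discussed, return the ranked list."""
    threats = enumerate_threats(MODEL)
    # Login form submitted over plain HTTP: credentials readable on the wire (OWASP A9).
    rate(threats, "Browser->WebApp", "Information disclosure", D=8, R=10, E=7, A=9, Di=9)
    return prioritize(threats)


if __name__ == "__main__":
    for t in demo()[:6]:
        flag = " [crosses trust boundary]" if t.crosses_boundary else ""
        print(f"{t.score():4.1f}  {t.element:16} {t.category}{flag}")
```

The five elements yield 18 candidate threats (2 for the external entity, 6 for the process, 4 for the store, 3 per flow); both flows cross a boundary, so they head the unrated part of the list, and the one rated threat sorts to the top with a DREAD score of 8.6.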
  • 33. Change Management: a good name. Goals: eliminate unauthorized changes; eliminate unauthorized access and vulnerability exposure; raise communication and awareness. Leads to better security. Notes: Many incidents are caused by a gap in proper configuration. This speaks to an immature change management program. Photo: www.flickr.com/photos/spursfan_ace/2328879637/
  • 34. Change Management. Related important activities: patching; known-good or gold standard configurations and builds; system security; role-based access and least privilege controls. Source: http://en.wikipedia.org/wiki/Principle_of_least_privilege
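"Eliminate unauthorized changes" and "known-good or gold standard configurations" come together in a baseline check: hash the gold build once, then compare the running tree against it on a schedule. The following is an added example of that check, not code from the deck; it builds a small configuration tree in a temporary directory, records the baseline, makes three out-of-process changes and reports the drift. The file names and contents are constructed, and the `snapshot`, `drift` and `demo` functions are illustration names.

```python
"""Gold-baseline drift check for a configuration tree.

Added example, not from the deck. The tree is constructed in a temp directory;
a real deployment keeps the baseline signed and off-host and runs this on a schedule."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> SHA-256 of every regular file under root (symlinks skipped)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest


def drift(baseline, current):
    """Classify every difference; each entry is either an approved change or an incident."""
    return {
        "added":    sorted(set(current) - set(baseline)),
        "removed":  sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)


def demo():
    """Build a gold tree, take its baseline, then simulate three unauthorized changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\nPasswordAuthentication no\n")
        _write(root, "etc/sudoers", "root ALL=(ALL) ALL\n")
        _write(root, "www/.htaccess", "Options -Indexes\n")
        baseline = snapshot(root)
        # Changes made outside the change process:
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\nPasswordAuthentication yes\n")
        _write(root, "www/extra.php", "<?php echo 'not part of the gold build'; ?>\n")
        os.remove(os.path.join(root, "www", ".htaccess"))
        return drift(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

The check is only as trustworthy as the baseline's storage: if an attacker who can edit `sshd_config` can also rewrite the manifest, the comparison proves nothing, which is why the baseline belongs with the change records, not on the host it describes.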
  • 35. Security Controls: cover what software does not; reinforce what software does cover; defense in depth. They are best when they are fed data. Notes: A nice ancient picture from our friends at the RAND corporation.
  • 36. Security Controls: physical access control; auditing of changes and user access; intrusion detection/prevention; monitoring. Notes: There are more; these are just examples.
  • 37. Security Controls: anomaly detection; incident management and handling; single sign-on. Notes: ...and much, much more.
  • 38. Security Development [SDL]: in Seattle, most like Microsoft. At Microsoft, they like their SDL. Flavors available: Classic; Agile; Light. Source: http://www.microsoft.com/security/sdl/ Notes: There are other models and I have my favorites. Ask me if you can't get enough of this SDL business.
  • 39. Security Development [SDL]. In a nutshell: Requirements; Design; Implementation; Verification; Release. Notes: With the optional stage zero of Training and a post-release stage of Response.
  • 40. Security Development [SDL]. OWASP SDL: OpenSAMM. Open and free; scoring maturity in skill/process zones; like all things OWASP, pretty awesome. Sources: http://www.opensamm.org/2009/03/samm-10-released/ ; http://blogs.gartner.com/neil_macdonald/2009/08/04/another-excellent-application-security-maturity-model/
  • 41. Security Development [SDL]: program quality scored from 0 to 3, 0 representing none and 3 representing comprehensive mastery.
  • 42. Security Development [SDL]: figure it out yourself. Make your process fit your business needs and team skillsets. Define more or less based on your in-house framework or other needs. Sources: http://securosis.com/blog/firestarter-secure-development-lifecycle-your-doing-it-wrong/ ; the same failing argument used against QA 20 years ago: http://erratasec.blogspot.com/2010/05/you-may-not-need-sdl.html Notes: Do what you can do well and farm the rest out or delegate to someone who can do better.
  • 43. Horrible Consequences: something didn't work out; there was an incident; the breach was on the news. What might happen now?
  • 44. Horrible Consequences: you may be called to a meeting to explain; your company brand or stock price may suffer; there may be truly amazingly large fines; businesses can fold over such things. Notes: Whatever happens, you will not like it, no one will be pleased, and life will not be cool.
  • 45. The Unexpected: unintended uses for software; landscapes change; the future is hard to predict; dependencies; legacy. Notes: Example: IP over HTTP and DNS. Futurists thought that we would be on Mars and communicating by telepathy by now. It's no wonder there is no trust model in TCP/IP. Smurf (and other amplification attacks) and IP spoofing were likely not among the TCP/IP design considerations. Try to think about possible applications of the infrastructure you're developing because, if you do it well, it may be around for a long time.
  • 46. Thanks. Ian Gorrie. Notes: I am Ian. http://gorrie.org @gorrie