
Implementing a comprehensive application security program - Tawfiq


  1. www.niiconsulting.com – Implementing a Comprehensive Application Security Program. Taufiq Ali, Manager – Security Assessment
  2. Agenda
     - The Biggest Hack in History
     - How the Cookie Crumbles
     - Answers!
     - Technology Solutions
     - Strategies
     - Q&A
  3. Information Security: View from the Trenches
  4. Recent News
  5. Paradigm Shift – Part I: APT & The Season of Hacks
  6. What is APT
     - APT = Advanced Persistent Threat
     - APT is defined as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. Government and commercial networks for years.
     - The vast majority of APT activity observed has been linked to China.
     - APT is a term coined by the U.S. Air Force in 2006.
  7. APT Objectives
     - Political: includes suppression of their own population for stability
     - Economic: theft of IP, to gain competitive advantage
     - Technical: obtain source code for further exploit development
     - Military: identifying weaknesses that allow inferior military forces to defeat superior military forces
  8. Targeting and Exploitation Cycle
  9. How RSA was hacked
     - RSA is one of the biggest security companies in the world
     - Rivest, Shamir, Adleman – iconic founders
     - Created a multi-billion $ enterprise
  10. Initial Intrusion into the Network
     - Specific email IDs were discovered from public sources and social engineering
     - Spoofed email was sent
     - The email subject line read “2011 Recruitment Plan.”
     - The attachment was a backdoored Excel file, titled “2011 Recruitment plan.xls”
     - It exploited a 0-day vulnerability – Adobe Flash vulnerability (CVE-2011-0609)
  11. Establish a Backdoor into the Network
     - Attempt to obtain domain administrative credentials . . . transfer the credentials out of the network
     - The attackers then established a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations.
     - The malware is installed with system-level privileges through the use of process injection, registry modification or scheduled services.
     - Poison Ivy variant set in a reverse-connect mode that makes it more difficult to detect
  12. Obtain User Credentials
     - The attackers often target domain controllers to obtain user accounts and corresponding password hashes en masse.
     - The attackers also obtain local credentials from compromised systems
     - The APT intruders access approximately 40 systems on a victim network using compromised credentials
     - Analysts have seen as few as 10 compromised systems to in excess of 150 compromised systems
  13. Conclusion
     - The APT is everyone’s problem. No target is too small, or too obscure, or too well-known, or too vulnerable. It’s not spy-vs.-spy, but spy-vs.-everyone.
     - This is a war of attrition against an enemy with extensive resources. It is a long fight, one that never ends.
     - They steal information to achieve economic, political and strategic advantage.
     - They establish and maintain an occupying force in their target’s environment.
     - They steal between $40 billion and $50 billion in intellectual property from U.S. organizations each year.
  14. Conclusion
     - These are real and they are on a spree
     - Your applications and end points are key entry points for such attacks
  15. The Biggest Hack in History
  16. Gonzalez, TJX and Heart-break-land
     - >200 million credit card numbers stolen
     - Heartland Payment Systems, TJX, and 2 US national retailers hacked
     - Modus operandi:
       - Visit retail stores to understand workings
       - Analyze websites for vulnerabilities
       - Hack in using SQL injection
       - Inject malware
       - Sniff for card numbers and details
       - Hide tracks
  17. The hacker underground
     - Albert Gonzalez, a/k/a “segvec,” a/k/a “soupnazi,” a/k/a “j4guar17”
     - Malware, scripts and hacked data hosted on servers in: Latvia, Netherlands
     - IRC chats:
       - March 2007: Gonzalez “planning my second phase against Hannaford”
       - December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
     - (map labels on the slide: Ukraine, New Jersey, California)
  18. Where does all this end up?
     - Commands used on IRC: !cardable, !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
     - IRC channels: #cc #ccards #ccinfo #ccpower #ccs #masterccs #thacc #thecc #virgincc
  19. TJX direct costs
     - $24 million to MasterCard
     - $41 million to Visa
     - $200 million in fines/penalties
  20. How the Cookie Crumbles
  21. OWASP Top 10
     - A1: Injection
     - A2: Cross-Site Scripting (XSS)
     - A3: Broken Authentication and Session Management
     - A4: Insecure Direct Object References
     - A5: Cross-Site Request Forgery (CSRF)
     - A6: Security Misconfiguration
     - A7: Insecure Cryptographic Storage
     - A8: Failure to Restrict URL Access
     - A9: Insufficient Transport Layer Protection
     - A10: Unvalidated Redirects and Forwards
  22. Injection – 0wning the Enterprise
     - Identifying SQL injections
     - Getting to all the data inside the database
     - Reading sensitive data inside the database like system users, users, passwords etc.
     - But how do you own the enterprise?
       - Cracking the password hashes
       - Running OS-level commands
       - Escalating privileges
       - Adding the user with administrator role
       - Enterprise Owned!
  23. Identifying SQL Injection (tool output as shown on the slide)
       [06:19:58] [INFO] TESTING FOR SQL INJECTION ON GET PARAMETER 'ID'
       [06:20:10] [INFO] target url appears to have 2 columns in query
       [06:20:10] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
       GET PARAMETER 'ID' IS VULNERABLE. DO YOU WANT TO KEEP TESTING THE OTHERS (IF ANY)? [Y/N]
  24. Database on the Web Server
  25. (image only)
  26. (image only)
  27. (image only)
  28. (image only)
  29. (image only)
  30. What is Next?
     - Running OS-level commands
     - Escalating privileges
     - Adding the user with administrator role
     - Taking remote access to the system
  31. Net Result: Enterprise Owned!
  32. XSS to 0wning the Enterprise
     - XSS is a client-side attack
     - Attacking your client base
     - Browser bugs are the most popular targets for compromising end points: Java and Adobe Flash
     - End points are entry into the network
     - So what happens when you find a zero-day bug in the most popular software, like Java?
  33. XSS to 0wning the Enterprise
  34. Java Zero-day
     - This exploit has been tested successfully against multiple platforms:
       - Browsers: Internet Explorer, Firefox, Safari, Chrome
       - Fully patched operating systems: Windows, Ubuntu, OS X, Solaris
  35. (image only)
  36. It was raining shells
  37. Chaining multiple issues: how other OWASP issues can be lethal when put together
  38. Death by a thousand cuts (RSnake case study)
     - #1 - webmail is easily located
     - #2 - easily discoverable and plentiful email addresses
     - #3 - forgotten passwords are sent in plain text
     - #4 - system will allow users to change email address to any email address they want (with no verification)
     - #5 - XSS vulnerabilities in the application
     - #6 - usernames are email addresses
     - #7 - recommendation engine sends custom emails
     - #8 - login redirection issue
     - #9 - function to detect valid users
     - #10 - change email function is vulnerable to CSRF
  39. Death by a thousand cuts – Attack
     - Detect valid user on the website (#2, #6 and #9)
     - Now change my email address to one of the email addresses of a corporate user (#4) that's NOT a user on the system
     - Finding valid users using the change email function (#9)
     - Send an email to one of the valid users on the system (#2) using the recommendation engine (#7).
  40. Death by a thousand cuts – Attack
     - The link is a link to the login function (#8) that redirects the user to an XSS hole (#5).
     - Now the user has logged in and their browser is under our control.
     - Forward the user invisibly to the change email function and force them to change their email address through CSRF (#10) to another email address that we've got control over.
     - Then I have their browser submit the forgot password function (#3), which delivers their password to my inbox.
  41. Take away..
     - Often minor issues are overlooked, but in some cases the smallest issues can mount into huge compromises in security
     - Even minor issues that are regularly dismissed in security assessments can be leveraged by a determined attacker to compromise a corporation
  42. Other aspects
  43. Problem Background
     - Lack of Business Risk Perspective – US Department of Homeland Security: “Most penetration testing processes and tools do little, if anything, to substantively address the business risks... This is largely due to the fact that the tools and the testers view the target systems with “technology blinders” on... Although many testing tools and services claim to rank vulnerabilities in terms of technical severity, they do not typically take business risk into account in any significant sense. At best, the test teams conduct interviews with the business owners of the applications and the application architects in an attempt to ascertain some degree of business impact, but that connection is tenuous. …the business perspectives, however limited, that these processes can determine are all post facto. That is, they make their business impact rankings after the test is completed... This is a key shortcoming of penetration testing practices today.” https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/penetration/655-BSI.html
     - Software Security – Building Security In, Chapter 6 on “Penetration Testing Today”: “The problem? No clue about security risk. No idea whether the most critical security risks have been identified, how much more risk remains in the system, and how many bugs are lurking in the zillions of lines of code”
  44. The challenge: “Penetration testing is dead. The concept as we know it is on its death bed, waiting to die and come back as something else.” - Brian Chess, Co-Founder, Fortify Software
  45. Let’s Start at the Beginning: Some theory
  46. Approach
     - Pre-sales approach
       - Client: “Please provide quote for black-box penetration test”
       - SP: “Hang on...”
       - SP: “I’d first like to know…”
     - Pre-sales approach evolved
       - Client: “Please provide quote for black-box penetration test”
       - SP: “Hang on...”
       - SP: “I’d first like to know…”
  47. Traditional vs. Risk-based Security Testing

     | Traditional Testing | Risk-based Testing |
     |---|---|
     | Focus is on technical vulnerabilities | Focus is on business risks |
     | Requires strong technical know-how | Requires both technical and business process know-how |
     | Having the right set of tools is critical | Understanding the workings of the business and applications is critical |
     | Is usually zero-knowledge | Requires a person who understands the business process to play a significant role – usually an insider |
     | Understanding the regulatory environment is good | Understanding the regulatory environment is mandatory |

  48. Traditional vs. Risk-based Pentesting

     | Traditional Pentesting | Risk-based Pentesting |
     |---|---|
     | Severity levels are based on technical parameters | Severity levels are based on risk to the business |
     | Risk levels in report are assigned post facto | Risk levels in report reflect the levels assigned prior to testing |
     | Test cases are built based on testing methodologies or generic testing processes | Test cases additionally build on risk scenarios |
     | Audience for the report is usually the IT and Security teams | Audience for the report also includes the business process owners and heads of departments |

  49. Case study
     - Corporate Banking Platform – allows 3 logins:
       - Maker, who enters the transaction into the system
       - Verifier, who checks the transaction data
       - Authorizer, who authorizes the final payment
     - Each screen in the web application is different based on the privilege level of the logged-in user
     - Security implemented by:
       - Restricting access to URLs that allow certain transactions
       - Parameters that trigger certain transactions
  50. Case study
     - RA Phase
       - Understand business process
       - Understand business risks
       - Define test cases: can Maker do what Verifier does? Can Verifier do what Authorizer does? Can client’s admin do what bank’s admin does? And so forth
     - Pentesting discovers
       - http://www.bankPay.co.in/BankPayApp/authorizePaymentAction.action is available only to Authorizer
       - But what if Maker puts it in his browser? Transaction still doesn’t get authorized
       - Further investigation reveals a parameter: Filter=‘block’
       - When this value is changed to: Filter=‘submitToPay’
  51. Vertical Privilege Escalation
  52. Authorization controls broken
  53. Submission to pay – not allowed
  54. Changing the parameter…
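The banking case study above (slides 49 to 54), as an added example that is not from the deck: a small Python model of the Maker / Verifier / Authorizer workflow showing the vulnerable control, which trusts the client-supplied Filter parameter, beside a hardened one that derives the decision from the server-side session role and the transaction's workflow state, and also enforces separation of duties. State names, the policy table, transaction ids and user names are constructed for the example.

```python
from dataclasses import dataclass, field

# Workflow states, in order.  Names are constructed for this example.
ENTERED, VERIFIED, AUTHORIZED = "entered", "verified", "authorized"

# Hypothetical policy table: action -> (role allowed, state required, new state)
POLICY = {
    "verify":    ("verifier",   ENTERED,  VERIFIED),
    "authorize": ("authorizer", VERIFIED, AUTHORIZED),
}

class Forbidden(Exception):
    """Raised when the server-side policy rejects a request."""

@dataclass
class Transaction:
    tx_id: str
    state: str = ENTERED
    actors: dict = field(default_factory=dict)  # role -> user who performed it

def authorize_payment_vulnerable(tx, params):
    """The broken control from the case study: the action is reachable by any
    logged-in user and the outcome hinges on the client-controlled Filter value."""
    if params.get("Filter") == "submitToPay":
        tx.state = AUTHORIZED
    return tx.state

def perform_step(tx, session, action, params=None):
    """Hardened version: the role comes from the server-side session and the
    workflow position from the server-side record; `params` is deliberately
    ignored, so tampering with Filter changes nothing."""
    if action not in POLICY:
        raise Forbidden(f"unknown action {action!r}")
    role_needed, state_needed, new_state = POLICY[action]
    if session.get("role") != role_needed:
        raise Forbidden(f"role {session.get('role')!r} may not {action}")
    if tx.state != state_needed:
        raise Forbidden(f"{tx.tx_id} is {tx.state!r}, expected {state_needed!r}")
    # Separation of duties: one user must not act in two roles on one transaction
    if session["user"] in tx.actors.values():
        raise Forbidden(f"{session['user']} already acted on {tx.tx_id}")
    tx.state = new_state
    tx.actors[role_needed] = session["user"]
    return tx.state

def demo():
    """Replays the finding: a Maker submits Filter=submitToPay to both versions."""
    tamper = {"Filter": "submitToPay"}          # constructed attacker-controlled parameter
    maker = {"user": "alice", "role": "maker"}  # constructed server-side session
    vulnerable = authorize_payment_vulnerable(
        Transaction("TX-1001", actors={"maker": "alice"}), tamper)  # "authorized"
    tx = Transaction("TX-1002", actors={"maker": "alice"})
    try:
        perform_step(tx, maker, "authorize", tamper)
    except Forbidden:
        pass
    return vulnerable, tx.state  # ("authorized", "entered")
```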
  55. Understanding the business
     - Who are the key actors – employees, departments, customers, partners, vendors, investors, brokers, franchisees, resellers?
     - What applications do they use?
     - What data do they access through these applications?
     - What are the risks if any of these actors turns bad?
     - What possibilities exist if an actor should decide to misuse the data – building fraud scenarios?
  56. Regulations that drive webapp testing
     - PCI DSS
       - For all credit card processing merchants
       - Quarterly, semi-annual, annual network scans and penetration tests
       - Focus on web application security
       - Requires a high level of protection of credit card data
       - There are no fines for non-compliance, but breaches of security could put you out of business
     - HIPAA
       - For healthcare and pharma providers
       - Requires a high level of protection for patient records and medical history
       - Fines for non-compliance are usually high
       - Breaches could put you out of practice/business
  57. Answers!
  58. Technology Solutions
     - Web Application Firewalls
     - Privileged Identity Management Suites
     - Application-Aware Firewalls
     - Application-Aware SIEMs
     - Database Access Management Solutions
  59. Before we get to the technology…
  60. Application Security – Holistic Solution (diagram: Design, Develop/Manage, Test, Train)
  61. Secure Design
     - Secure designing models
     - Client inputs
     - Client education
     - Threat modeling
       - Vulnerability classification – STRIDE
       - Risk classification – DREAD
  62. Microsoft’s Threat Modeling Tool
  63. Secure Coding Overview
     - Secure coding isn’t taught in school
     - Homeland Security's Build Security In Maturity Model (BSIMM)
     - Microsoft's Security Development Lifecycle (SDL)
     - OpenSAMM (Software Assurance Maturity Model)
     - OWASP Secure Coding Guides
  64. Vendor Management
     - Big names != good security
     - Contractual weaknesses
     - Lack of vendor oversight
     - No penalties for blatantly buggy code!
  65. Secure Hosting
     - Web security: secured web server; secured application server – all components; web application firewalls
     - Database security: security patches; users and roles; access control; logging; password security; database table encryption; data masking
     - OS security: security patches; users and groups; access control; security policies; secured login; logging
  66. Secure Testing
     - Security testing options: Blackbox, Greybox, Whitebox, Source Code Review
     - OWASP Top Ten (www.owasp.org)
     - OWASP Testing Guide
  67. Training
     - Back to basics
     - Natural thought process
     - Look at the larger picture
     - Make it fun
     - Giving back to the community
  68. Ground Realities!
  69. Ground realities
     - Business priorities: expand, grow, market share!!
     - Developer illiteracy: unaware of security implications; shortcut fixes
     - Vendor apathy: problem reinforced by weak contracts
     - Unclear budgets
     - Lip service by management towards information security
     - CISO left fighting the battle alone without adequate resources
  70. Strategize! Use Triage
  71. Applications’ Triage / 1
     - Application Risk Assessment
       - Regulatory: PCI DSS, DOT, HIPAA/SOX/etc.
       - Legal
       - Contractual
       - Business Impact
       - Reputation Impact
  72. Applications’ Triage / 2
     - Nature of the application: internal, external, mixed
     - Number of registered users
     - Revenue generating / business process supporting / back-office / reporting
     - Data that it deals with: financial, PII, corporate, other
  73. Applications’ Triage / 3
     - Developed in-house: currently being supported; developers have moved on
     - Outsourced: within the country; externally
     - Commercial off the shelf: high level of customization; no customization
     - Vendor leverage: code/libraries in escrow; existing vendor relationship; dormant/dead vendor relationship
  74. Application Classification
  75. Sample Strategies / A – FINPRO
     - Profile: Financial Processing – accessible over Internet; COTSE – heavily customized; vendor relationship – dormant
     - Strategy: isolate system in the data center; revive vendor relationship; implement PIM & WAF; determine alternatives
  76. Sample Strategies / B – ATLAS
     - Profile: Claims Processing – agents access over Internet; in-house developed; active development team
     - Strategy: implement & enforce internal SLAs; regular secure coding training; emphasis on secure coding libraries; secure hosting
  77. Take-Aways
     - Application security has a long way to go for most large organizations
     - The threat is ever-present and sustained
     - Not all applications can be dealt with in the same manner
     - Strategizing helps direct limited resources towards high-risk problems
     - Vendors, business units, and information security have to co-ordinate efforts, and stop the blame-game
  78. Ensure – this never happens!
  79. Thank you! Questions? taufiq.ali@niiconsulting.com – Information Security Consulting Services, Institute of Information Security