Cyber security series Application Security

1. 6/20/2018 1 Richard Cascarino CISM, CIA, ACFE, CRMA Cybersecurity Series – Application Security About Jim Kaplan, CIA, CFE  President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)  Auditor, Web Site Guru,  Internet for Auditors Pioneer  IIA Bradford Cadmus Memorial Award Recipient  Local Government Auditor’s Lifetime Award  Author of “The Auditor’s Guide to Internet Resources” 2nd Edition Page 2

2. 6/20/2018 2 ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA • Principal of Richard Cascarino & Associates based in Colorado USA • Over 28 years experience in IT audit training and consultancy • Past President of the Institute of Internal Auditors in South Africa • Member of ISACA • Member of Association of Certified Fraud Examiners • Author of Data Analytics for Internal Auditors 3 ABOUT AUDITNET® LLC • AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology. • Available on the Web, iPad, iPhone, Windows and Android devices and features: • Over 2,800 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices • Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users. • Audit guides, manuals, and books on audit basics and using audit technology • LinkedIn Networking Groups • Monthly Newsletters with Expert Guest Columnists • Surveys on timely topics for internal auditors Introductions Page 4

3. 6/20/2018 3 The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship. While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website. Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC TODAY’S AGENDA • Applications Vulnerability • Application security logging and monitoring • Issues in current logging practices • Resources required by developers for security logging • Correlating and alerting from log sources • Logging in multi-tiered architectures and disparate systems • Application security logging requirements 6

4. 6/20/2018 4 APPLICATION SECURITY • Application vulnerability assessment is to identify and remediate vulnerabilities and maintain a resilient web presence. This process involves: • Web and client-server application security assessments. • Mobile application assessments across most platforms. • Software development lifecycle (SDLC) reviews • Application architecture assessments • Custom services as requested VULNERABLE APPLICATIONS RISKS • Unauthorized access to sensitive customer or company data • Theft of sensitive data to conduct identity theft, credit card fraud or other crimes • Defacement of websites; strong potential for brand damage • Manipulation of data impacting data integrity, quality and organization’s reputation • Redirection of users to malicious web sites; phishing and malware distribution • Denial of service; availability of data • Attackers can assume valid user identities • Access to hidden web pages using forged URLs • Attacker’s hostile data can trick the interpreter to execute unintended commands 8

5. 6/20/2018 5 ROOT CAUSE? 1. Developers not trained in security  Most computer science curricula have no security courses 2. Under investment from security teams  Lack of tools, policies, process, etc. 3. Growth in complex, mission critical online applications  Online banking, commerce, Web 2.0, etc 4. Number one focus by hackers  75% of attacks focused on applications - Gartner Result: Application security incidents and lost data on the rise AUTOMATED SCANNER CAN’T FIND ALL THE VULNERABILITIES • There is no “silver bullet” for identifying application security vulnerabilities. There are different classes of tools ranging from static code scanners that assess the code to dynamic scanners that analyze logic and data flow. Generally, 30% to 40% of vulnerabilities can be identified by scanners; the remainder are uncovered by other means. • Manual testing allows an informed and experienced tester to attempt to manipulate the application, escalate privileges or get the application to operate in a way it was not designed to do. 10

6. 6/20/2018 6 11 APPLICATIONS SECURITY ISSUES • Few Operating Systems But Many Applications • Because OS are harden, most attacks target applications installed on servers. • Many applications run with administrative or super user (root) privileges • Securing applications is challenging • Buffer Overflow Attacks • Most widespread vulnerabilities in application programs • Buffers are RAM areas where data is stored temporarily • If an attacker sends more data than the programmer had allocated to a buffer, a buffer might overflow, overwriting an adjacent section of RAM EDUCATING DEVELOPERS AND GETTING “BUY IN” • Establish security accountability and stds for shipping • Create a “security architect” role • Create a security community of practice • Create a secure development portal or wiki • Conduct hacking demos to demonstrate risks • Online & offline courses for secure coding • Put developers through secure coding exams • Security reviews of real applications • Pay premiums for security architects

7. 6/20/2018 7 13 GENERAL APPLICATION SECURITY • Minimize number of applications • Fewer applications on a computer, fewer attack opportunities • Use security baselines for installation • Security baselines improve security • Add application layer authentication • Important for sensitive applications • Could be password-based • Implement cryptographic systems BuildCoding SecurityQAQA IBM SOFTWARE SECURITY DEVELOPMENT ECOSYSTEM Security Auditor scanning Developers Build System Quality Assurance Testing Control, Monitor and Report Web Based Security Training

8. 6/20/2018 8 15 KEY CHALLENGES FOR APPLICATION SECURITY LOGGING 1. Lack of Security Logging Frameworks 2. Lack of guidance on what and how to log 3. Lack of requirements for security logging 4. Lack of correlation and alerting capabilities BEST PRACTICES FOR APPLICATION SECURITY 16 Adopt Secure software development life cycle (SDLC) Follow secure coding practices and conduct security code reviews Perform static code analysis and dynamic web scanning tests Build-in application level logging Embed security logging capability within applications Capture security and application transactional information in the logs Correlate application events with SIEM More accurately identify business risks closer to application transactions

9. 6/20/2018 9 WHY ARE BEST PRACTICES NOT FOLLOWED? 17 Adopt secure software development life cycle (SDLC) Slow Adoption: It takes years to train developers/testers to build in security 3rd Party Code: Cannot impose SDLC practices on 3rd parties and SAAS providers Build-in application level logging Developers accustomed to logging functional use-cases not abuse-cases Developers collect too little information in logs - not usable to assess business risk Correlate application events with SIEM Many sophisticated attacks cannot be detected by monitoring individual applications Need to correlate across multiple applications, firewalls, IPS/IDS and other sources 18 KEY CHALLENGES FOR APPLICATION SECURITY LOGGING • Many applications have poor security logs (and sometimes have none at all) • Without good security event information it is difficult to: • detect attacks • detect compromised user account • detect fraud • detect abuse of privileges and • Respond to events

10. 6/20/2018 10 19 MANY LOGGING FRAMEWORKS Java (commonly used) • Commons Logging • Log4j • Logback • SLF4J Other frameworks Craftsman Spy, Houston, jLo, Jmyra, JTraceDump, Just4log, Limpid Log, Logging Toolkit, Monolog, ObjectGuy Framework, Protomatter, RP Logging, Simple Log, SmartInspect,TraceTool .Net (commonly used) • Microsoft Enterprise Library • Log4net • Logger.NET • NLog Other frameworks C# Logger, CommonData, CSharp Dot Net Logger, DebugWriter, LogThis, NetTrace, Nspring, ObjectGuy Framework, SmartInspect, TcpTrace, Traceract, TraceRT.NET, Traffic Monitor 20 THE LEVEL OF DETAILS FOR LOGGING Log Event Data should include the following: 1. Time stamp from a trusted system component 2. Severity rating for each event 3. Tagging of security relevant events, if they are mixed with other log entries 4. Identity of the account/user that caused the event 5. Source IP address associated with the request 6. Event outcome (success or failure) 7. Description of the event

11. 6/20/2018 11 21 HIGH LEVEL SECURITY LOGGING REQUIREMENTS • Ensure log entries that include un-trusted data will not execute as code in the intended log viewing interface or software • Restrict access to logs to only authorized individuals • Utilize a master routine for all logging operations • Do not store sensitive information in logs, including unnecessary system details, session identifiers or passwords • Ensure that a mechanism exists to conduct log analysis 22 HIGH LEVEL SECURITY LOGGING EVENTS • Log all input validation failures • Log all authentication attempts, especially failures • Log all access control failures • Log all apparent tampering events, including unexpected changes to state data • Log attempts to connect with invalid or expired session tokens • Log all system exceptions • Log all administrative functions, including changes to the security configuration settings • Log all backend TLS connection failures • Log cryptographic module failures

12. 6/20/2018 12 23 WHAT TO LOG? • What level of detail is required to identify a user and reliably trace back to an unauthorized malicious action? • Where are they? • (is it a green screen internal application? An internet facing web application, a corporate desktop application?) • What technical details can be identified and logged? • (e.g. XSS, Change of IP address mid-session, data validation issues etc.) • What business level detail must be logged? • (e.g. viewing sensitive data, who did what for segregation of duties, etc.) 24 TYPES OF BUSINESS EVENTS Logical, Behavioral and Compliance • Privileged User Access • Process Violations • Segregation of Duties bypass • Bulk Downloads • Privacy Violations

13. 6/20/2018 13 25 TYPES OF BUSINESS EVENTS Influencers: • Business Owners • Internal Audit • Regulatory Bodies (PCI-DSS, SOX, Government, etc.) • Operational Risk • Fraud Teams • Security Consultants 26 CORRELATION TECHNOLOGY Security Information and Event Management (SIEM) technology provides: • Security Information Management (SIM) – log management and compliance reporting • Security Event Management (SEM) – real-time monitoring and incident management for security-related events from networks, security devices, systems and application SIEM Technology is typically deployed to support three primary use cases: • Compliance – Log management and compliance reporting • Threat Management – real-time monitoring of user activity, data access and application activity and incident management • A deployment that provides a mix of compliance and threat management capabilities

14. 6/20/2018 14 27 SOLVING THE CHALLENGES Where to start? Focus on high risks and incidents What risk or impact are you minimizing: • Reduced internal fraud • Compromised user accounts (leading to external fraud) • Process Violations • Compliance with regulatory bodies • External compromise • In software engineering, multi-tier architecture (often referred to as n-tier architecture) is a client–server architecture in which presentation, application processing, and data management functions are logically separated. For example, an application that uses middleware to service data requests between a user and a database employs multi-tier architecture. The most widespread use of multi-tier architecture is the three-tier architecture. • N-tier application architecture provides a model by which developers can create flexible and reusable applications. By segregating an application into tiers, developers acquire the option of modifying or adding a specific layer, instead of reworking the entire application. Three-tier architectures typically comprise a presentation tier, a business or data access [logic] tier, and a data tier. (Wikipedia : Multitier Architecture) Multitier architecture :

15. 6/20/2018 15 3-TIER ARCHITECTURE (APPLICATION VIEW) TYPICAL WEB-ORIENTED 3-TIER ARCHITECTURE

16. 6/20/2018 16 N-TIER ARCHITECTURE - ADVANTAGES • Scalable: • this is due to its capability of multiple tier deployment and the tier decoupling it brought. • For example, • the data tier can be scaled up by database clustering without other tiers involving. • The web client side can be scaled up by load-balancer easily without affecting other tiers. • Windows server can be clustered easily for load balancing and failover. • In addition, business tier server can also be clustered to scale up the application, such as Weblogic cluster in J2EE. N-TIER ARCHITECTURE - ADVANTAGES • Better and finer security control to the whole system: • we can enforce the security differently for each tier if the security requirement is different for each tier. • For example, • business tier and data tier usually need higher security level than presentation tier does, then we can put these two high security tiers behind firewall for protection. • 1 or 2 tiers architecture cannot fully achieve this purpose because of a limited number of tiers. • Also, for N-Tier architecture, users cannot access business layer and data layer directly, all requests from users are routed by client presenter layer to business layer, then to data layer. Therefore, client presenter layer also serves as a proxy-like layer for business layer, and business layer serves as a proxy-like layer for data layer. These proxy-like layers provides further protection for their layers below. • Better fault tolerance ability: • for example, • the databases in data layer can be clustered for failover or load balance purpose without affecting other layers.

17. 6/20/2018 17 THE DISADVANTAGES OF THE N-TIER DEPLOYMENT • The performance of the whole application • may be slow if the hardware and network bandwidth aren’t good enough because more networks, computers and processes are involved. • More cost for hardware, network, maintenance and deployment • because more hardware and better network bandwidth are needed. 34 WHAT DETAIL NEEDS TO BE LOGGED? What security people want • Time stamp • Severity rating for each event • Identity of the account/user that caused the event • Source IP address associated with the request • User context across application tiers (internal webservice, MQ, Database) • Event outcome (success or failure)

18. 6/20/2018 18 35 EVENT LOGS MONITORING TOOLS • Microsoft Log Parser 2.2 https://technet.microsoft.com/en- us/scriptcenter/dd919274.aspx • Kiwi Syslog Products: http://www.kiwisyslog.com/Syslogs • Remstats - http://remstats.sourceforge.net/release/log- server.html • Set up a Linux log server http://www.linuxsecurity.com/content/view/1175 14/49/ 36 LOG PARSER • Search for Data - Search for the logons of a specific user among the events in the Windows Event Log: C:>LogParser "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO report.txt FROM Security WHERE EventID = 528 AND SID LIKE '%TESTUSER%'" -resolveSIDs:ON

19. 6/20/2018 19 37 LOG PARSER (2) • Create Reports - Create custom-formatted HTML reports. 38 LOG PARSER (3) • Calculate Statistics -Calculate the distribution of the HTTP response status codes from your IIS log files: C:>LogParser "SELECT sc-status, COUNT(*) AS Times INTO Chart.gif FROM <1> GROUP BY sc-status ORDER BY Times DESC" – chartType:PieExploded3D - chartTitle:"Status Codes" And produce a chart formatted as desired:

20. 6/20/2018 20 39 LOG PARSER - SYNTAX Examples: LogParser "SELECT date, REVERSEDNS(c-ip) AS Client, COUNT(*) FROM file.log WHERE sc-status<>200 GROUP BY date, Client" -e:10 LogParser file:myQuery.sql?myInput=C:tempex*.log+myOutput=results.csv LogParser -c -i:BIN -o:W3C file1.log file2.log "ComputerName IS NOT NULL" Help: -h GRAMMAR : SQL Language Grammar -h FUNCTIONS [ <function> ] : Functions Syntax -h EXAMPLES : Example queries and commands -h -i:<input_format> : Help on <input_format> -h -o:<output_format> : Help on <output_format> -h -c : Conversion help 40 LOG PARSER – SAMPLE OUTPUT Server EventID Total ------- ------ ----- HKGKABS1 528 420 HKGKABS1 529 1 HKGKABS1 538 419 HKGKABS1 539 1 HKGKABS1 576 420 HKGKABS1 578 2 HKGUATS1 528 73 HKGUATS1 538 71 HKGUATS1 576 73 HKGUATS1 578 11 …………. Statistics: ----------- Elements processed: 1130 Elements output: 10 Execution time: 0.19 seconds

21. 6/20/2018 21 41 FROM LOGS DOWNLOAD TO OUTPUT REPORTS (1B) DUMPEL Usage: dumpel -f file [-s server] [-l log [-m source]] [-e n1 n2 n3..] [-r] [-t] [-d x] -d <days> Filters for event last days (number larger than zero) -e nn Filters for event id nn (up to 10 may be specified) -f <filename> Output filename (default stdout) -l <name> Dumps the specified log (system, application, security) -b Dumps a backup file (use -l to specify file name) -m <name> Filters for events logged by name -r Filters out events logged by name (must use -m too) -s <servername> Remote to servername -t Use tab to separate strings (default is space) -c Use comma to separate fields -ns Do not output strings -format <fmt> Specify output format. Default format is dtTCISucs where t - time d - date T - event type C - event category I - event ID S - event source u - user c - computer s - strings 42 EVENT LOGS REVIEW PROCESS (3) • Add the header to the beginning of the file. • Date,Time,EventID,SourceName,Dummy,Server,Descrip tion . They are used in the SQL query. • SQL Query in the EventIDDistrib_with_selected event_ID.sql: SELECT StrCat(TO_STRING(EventID),Description) as EventID_And_Source,Count(*) as Total FROM %sourcefile% To %destfile% WHERE EventID in (529; 530; 531; 532; 535; 537; 539;608; 609; 612; 613; 614; 615; 616; 617; 620; 624; 625;626; 627; 628; 629; 630; 631; 632; 633; 634; 635; 636;637; 638; 639; 640; 641; 642; 643; 644; 645; 646; 647;648; 649; 650; 651; 652; 653; 654; 655; 656; 657; 658;659; 660; 661; 662; 663; 664; 665; 666; 667; 675; 676; 677) GROUP BY EventID_And_Source

22. 6/20/2018 22 43 FINAL LOG REVIEW REPORT ELEMENT • Scope and Content • Which servers do we monitor? • Grand Total Figures: • It shows no. of logs for each event for every server • Group the events into different categories: • Appendix with detailed event statistics • Statistics with no breakdown. • Detailed statistics breakdown with log description • Appendix of selected critical events 44 GROUP THE EVENTS FOR THE MANAGEMENT REPORT Event Group Event Suspicious Finding After Following Up (Yes/No/No Occurrence) Audit Log and Policy Access/Change 517, 612 No Occurrence Account Lockout 539,644 No Failed Account Access 529-535, 537 No Account Profile Change (Normal User/Administrator) 608, 609, 624-630, 642- 647 No User Role/Group Change/Addition 631-639, 641, 648-667 No Domain Policy & User Database Change 640,643 No

23. 6/20/2018 23 45 CRITICAL EVENTS SELECTION Event ID Message Type Description Risk (H/M/L) 512 User Windows NT is starting up 513 User Windows NT is shutting down 514 User An authentication package loaded by Local Security Authority 515 User A trusted logon process registered with Local Security Authority 516 User Internal resources allocated for queuing of audit messages exhausted 517 * User Audit log cleared 518 User A notification package loaded by Security A/C Mgr 528 User Successful Logon Different parties will have different risk ranking on particular event. TOOLS AND RESOURCES • Open Software Assurance Maturity Model (OpenSAMM) – A freely available open source framework that organizations can use to build and assess their software security programs www.opensamm.org • The Open Web Application Security Project (OWASP) – Worldwide not-for-profit organization focused on improving the security of software. Source of valuable free resources www.owasp.org • Open Source or Low Cost Application Security Scanners – OWASP Zed Attack Proxy (ZAP), w3af, Mavituna Netsparker, Websecurify, Wapiti, N- Stalker, SkipFish, Scrawlr, Acunetix, and many more to do basic discovery work 46

24. 6/20/2018 24 AUDITNET® AND CRISK ACADEMY • If you would like forever access to this webinar recording • If you are watching the recording, and would like to obtain CPE credit for this webinar • Previous AuditNet® webinars are also available on-demand for CPE credit http://criskacademy.com http://ondemand.criskacademy.com Use coupon code: 50OFF for a discount on this webinar for one week THANK YOU! Jim Kaplan AuditNet® LLC 1-800-385-1625 Email:info@auditnet.org www.auditnet.org Richard Cascarino & Associates Cell: +1 970 819 7963 Tel +1 303 747 6087 (Skype Worldwide) eMail: rcasc@rcascarino.com Web: http://www.rcascarino.com Skype: Richard.Cascarino

Cyber security series Application Security

Cyber security series Application Security

Cyber security series Application Security

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados(20)

Similar a Cyber security series Application Security

Similar a Cyber security series Application Security(20)

Mais de Jim Kaplan CIA CFE

Mais de Jim Kaplan CIA CFE(20)

Último

Último(20)

Cyber security series Application Security