The Rise of Threat Analysis and the Fall of Compliance in Mitigating Web Application Security Risks (presentation transcript)
Posted 14-Sep-2014
Copyright 2009 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
The Rise of Threat Analysis and the Fall of Compliance in Mitigating Web Application Security Risks
Marco Morana, OWASP Cincinnati Chapter, [email protected]
Tony Ucedavelez, OWASP Atlanta Chapter, [email protected]
LA and OC Chapters, Sept 2009 Meetings
Meeting Agenda
- “Status quo” of security compliance in mitigating cybercrime risks
  - Compliance data vs. data breach data
  - Business impact of data breaches
  - Critical view of how compliance drives security
- Threat modeling techniques for the analysis of cybercrime threats
  - Attack tree analysis
  - Use and misuse cases
  - Attack vectors analysis
  - Data flow/architecture analysis
- Risk mitigation strategies against cybercrime attacks
Status Quo of Security Policy and Regulatory Compliance in Mitigating Risks
Biggest Fraud in History
170 million card and ATM numbers
Used SQL injection and packet sniffers
Companies mentioned in the indictments (3) include: TJX Companies, Heartland Payment Systems (HPY), Hannaford Bros
Let’s look at PCI-DSS compliance and the data breaches reported (datalossdb.org):
- Heartland Payment Systems (HPY) WAS PCI COMPLIANT at the time of the breach (August 2007) and is currently PCI COMPLIANT; passed inspection in April 2008 (Trustwave QSA). After an audit, Heartland uncovered malware (the data-sniffing kind) to capture CC or ATM numbers
- 94 ML CCN (reported January 7 2007)
- 4.2 ML CCN and ATM data (reported March 17 2008)
- TJX was fined for NOT BEING PCI COMPLIANT during the data breach (May 2006-December 2007); VISA allowed them to continue processing. Poor network security and use of weak encryption
- Hannaford Bros WAS PCI COMPLIANT while being hacked (November 2007); compliant with protecting CCH data in storage and in transit over public/open networks
- 130 ML CCN (reported January 20 2009)
So How Does Compliance Drive Security?
Regulations such as PCI, Gramm-Leach-Bliley Act (GLBA), FFIEC, HIPAA, SB 1386, AB 1950 drive security via an adversarial approach, some examples:
- Fail audit => additional fines, restrictions and controls
- Leak of PII => public information disclosure in most US states (SB1386)
- Running afoul of PCI => can’t do business using credit cards, can’t do business with Wal-Mart
Generally it is security by FUD: fear of backlash, private suits, etc.
PCI DSS: Protection of CCH and Sensitive Credit Card Authentication Data
- [PCI-DSS] 3.2 Do not store sensitive authentication data subsequent to authorization (even if encrypted)
- [PCI-DSS] 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)
- [PCI-DSS] 3.4 Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs)
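As an added example (not from the original slides), a Python helper that applies the display rule of requirement 3.3 and the "unreadable in logs" rule of 3.4, using the Luhn check so that other digit runs (order ids, timestamps) are left alone; the candidate regex, the truncation-to-last-four choice and the sample log line are assumptions constructed for the demo.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real PAN candidates from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def normalize_pan(pan: str) -> str:
    """Strip spaces/hyphens and enforce the 13-19 digit PAN length range."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits

def mask_pan_for_display(pan: str) -> str:
    """PCI DSS 3.3: at most the first six and last four digits may be shown."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def truncate_pan_for_storage(pan: str) -> str:
    """PCI DSS 3.4 (assumed approach: truncation): keep only the last four."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN candidate in a log line before it is written."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            return truncate_pan_for_storage(digits)
        return match.group(0)  # fails Luhn: not a card number, leave as-is
    return PAN_CANDIDATE.sub(repl, line)

# Constructed sample log line; the PAN is a well-known Luhn-valid test number, not a real card.
SAMPLE_LOG = "2009-05-25 auth ok pan=4111 1111 1111 1111 order=1234567890123"
```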
Underground economy for stolen credit card and bank account credentials
Monetize the Losses? Ask the TJX CFO
The cyber attack on the retailer Marshalls and TJ Maxx (disclosed in January 2007): after-tax cash charge of approximately $118 million, or $.25 per share.
The company increased its estimate of pre-tax charges for the compromise to nearly $216 million.
According to some experts, TJX may have to spend in the end a total of more than $500 million, including litigation fees and government fines.
Another Way to Look at Business Impact of Data Breaches: Correlate Drop in Stock Price With Bad News (chart from datalossdb.org)
[chart: stock price against breach news; 130 ML CCN (reported January 20 2009)]
Cost Estimate of Web Application Data Breach Due to SQL Injection Attack
Probability of attack by type and attack vector incident (identity theft) data: 13% of incidents involving breaches of the web channel (datalossdb.org) x 19% of incidents that use SQL injection as attack vector (WHID) = 2.5% as the probability that a SQL injection vulnerability will cause identity theft data loss
Estimate the business impact of the attack (SQL injection) by multiplying probability of attack x number of losses x cost of one data loss: $691 per individual theft case (Javelin) x 130 million individual ID theft cases x 2.5% attack ID theft probability = $2.2 billion
A Critical View of Compliance and Security: Is compliance = security?
- Plenty of compliant firms have recently been hit with major security breaches
- Increased number of stolen credit card and bank account credentials available in the black market
Is compliance cost and risk effective?
- Derails security effort from strategy
- C-Levels question the value of what they perceive as 'extra' or 'misguided' efforts
- Cost vs. benefit is the cost of non-compliance fines vs. the benefit (savings) of not implementing controls
Did PCI compliance auditors fail Heartland?
Non-Compliance From a Risk Perspective
Regulatory noncompliance is by itself a business risk: assessing the likelihood and potential costs of a particular threat against the cost of preventing or mitigating that threat
Threat modeling techniques for cybercrime threats
Application Threat Modeling And The Cybercrime Attack Surface
[diagram: activities that feed the application threat model]
- Standards Compliance Gap Analysis
- Penetration Testing
- Attack Tree Analysis
- Cybercrime Intelligence
- DFD/Secure Architecture Analysis
- Use and misuse cases
- Security By Design
- Risk Mitigation Strategies
- Attack Vector Analysis
- Source Code Analysis
Cybercrime Threat Intelligence and Analysis: Attacks Against Financial Services and Online Retailers
THREAT INTELLIGENCE: Attack uses xp_cmdshell on MS SQL server to upload sniffers to capture CC transactions and ATM PINs from DB, HSM
THREAT MITIGATION ANALYSIS:
1. Disable xp_cmdshell
2. Deny extended URL, escape “”
3. Use stored procedures
4. Run SQL Server and IIS under non-privileged accounts
5. Do not use “sa” hardcoded
6. Lock account on mainframes against brute force
7. Use minimum privileges on AD/SQL server, restrict access by IP
8. Use proxy server for internet access
9. Implement firewall rules
10. Ensure HSMs are not responsive to any commands with PIN in the clear
Cybercrime Threat Intelligence: Attacks Against Online Bank Customers
ZBOT THREAT INTELLIGENCE (from SecureWorks article):
1) The attack vector is email spear phishing and the payload is an IFRAME browser exploit that deploys malware/spyware on the desktop
2) The malware connects back to the hacker botnet C&C for commands and configuration files targeting specific on-line banking sites
3) The targeted bank malware performs MiTM attacks against the bank customer to get banking credentials and log into the banking site and perform transactions such as wire transfers
4) A keylogger logs keystrokes and supplies them to the site by defeating fraud monitoring controls
Cybercrime Intelligence And Analysis Goals
- Understand cyber threats and how they may affect your business: What cyber threats are relevant to your industry?
- Learn from cyber criminals' motives and the most likely attack scenarios: Become your enemy! Build the right attack tree to walk through probable attack scenarios.
- Plan defenses for the attack vectors being used by your enemy: Based on the likely attack patterns for each branch of the attack tree, identify which application vulnerabilities can be exploited via which attacks
Attack-Threat Tree Analysis
Threat Tree For Credit Card Attacks
[attack tree; root, branches and nodes as labelled on the slide]
Root: Credit Card Data Compromise
Branch: Attack User/Browser
- Man In The Middle/Browser Attack
- Phishing Email/Social Engineering
- Serve malicious IFRAME to victim visiting the web site
- Clickjacking: Serve Invisible Frame that runs malware
- Take Credentials and CC data from user
Branch: Attack Web Application
- SQL Injection Exploit: Alter Query To Get CC data
- Automated SQL Injection Attack To upload malware: Upload Sniffer To Get CC data
- Exploit Weak Session Management: Session Fixation to get access to CC data; Impersonate user to get access to CC data
- Insecure Cryptographic Storage/Transit: Capture Non-Encrypted CC Data
Threat Tree For ATM Attacks
[attack tree; root and nodes as labelled on the slide]
Root: Attack ATM and ATM Networks
- Capture ATM track 1&2 data (CVV) and valid PIN using a skimming device
- Capture ATM Data By Exploiting ATM Software Vulnerabilities
- Commit Fraud by using a Cloned/Forged ATM Card
- Buy PINs, CVV + CC# from Dark Market ($30)
- Phish Online Banking Customers For ATM Data
- DOS ATM by attacking ATM Network (SQL Slammer)
- Capture/Guess ATM Data By Attacking On-Line Banking Site
- Harvest/Validate ATM Data Against Customer Online Banking Validations
- Get valid ATM in Someone else's Name (assume identity theft)
- Sniff ATM Data in transit From Payment Processing Servers
Use and Abuse Cases
Use And Abuse Cases For Multi Factor Authentication
[use/abuse case diagram; actors, use cases and abuse cases as labelled on the slide]
Actors: User, Fraudster, Web Application
Use cases (User): Enter Username and password; Enter MFA credential
Use cases (Web Application): Validate User and MFA Credentials, which includes: Browser Cookie Generation; Validate machine tagging and IP geolocation; User Validation Of Picture and Text (RSA Passmark); Validate One Time Password Token; Validate Challenge/Questions (KBA)
Abuse cases (Fraudster) that threaten the use cases above:
- Phishing 2.0 (Botnet MITM) MFA Attacks
- MiTM gets the OTP and it is used to login within milliseconds
- Guess Answers From Public Profiles, MITM
- MITM proxy sets the IP the same as the ISP of the user’s computer; spoofing of HTTP header tagging info
- Capture image and text after harvesting usernames and cookie hijacking, MITM
- Hijacks cookie and copies it on the attacker PC to impersonate user/device
Use and Abuse Cases For Logins
[use/abuse case diagram; actors, use cases and abuse cases as labelled on the slide]
Actors: User, Hacker/Malicious User, Application/Server
Use case (User): Enter Username and password
Use case (Application/Server): User Authentication, which includes: Validate Password Minimum Length and Complexity; Show Generic Error Message; Lock Account After N Failed Login Attempts
Abuse cases (Hacker/Malicious User) that threaten User Authentication: Brute Force Authentication; Dictionary Attack; Harvest (e.g. guess) Valid User Accounts
"Mitigates" edges on the diagram connect the three included controls (password length and complexity validation, generic error messages, account lockout after N failed attempts) to the three abuse cases
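The login use case above, as an added Python example that is not part of the original slides: lockout after N failed attempts, one generic error for every failure (unknown user, wrong password or locked account), and a password length/complexity check on registration. The value of N, the lockout window, the policy thresholds and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5        # "Lock Account After N Failed Login Attempts", N assumed to be 5
LOCKOUT_SECONDS = 15 * 60      # assumed lockout window
GENERIC_ERROR = "Invalid username or password"   # "Show Generic Error Message"

def password_meets_policy(pw):
    """Minimum length and complexity (assumed policy: 12+ chars, 3 of 4 character classes)."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= 12 and sum(classes) >= 3

def hash_password(pw, salt=None):
    """Salted PBKDF2-SHA256 (hashed/salted passwords in storage); returns (salt, hash)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class AccountStore:
    def __init__(self):
        self.users = {}   # username -> {"salt", "hash", "failed", "locked_until"}

    def register(self, username, pw):
        if not password_meets_policy(pw):
            raise ValueError("password does not meet minimum length/complexity")
        salt, h = hash_password(pw)
        self.users[username] = {"salt": salt, "hash": h, "failed": 0, "locked_until": 0.0}

    def login(self, username, pw, now=None):
        """Returns (success, message); the message never reveals which check failed."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            hash_password(pw, b"\x00" * 16)   # same cost for unknown users: no harvesting via timing
            return False, GENERIC_ERROR
        if rec["locked_until"] > now:
            return False, GENERIC_ERROR       # locked: even the right password is rejected
        _, h = hash_password(pw, rec["salt"])
        if hmac.compare_digest(h, rec["hash"]):
            rec["failed"] = 0
            return True, "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failed"] = 0
        return False, GENERIC_ERROR
```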
Attack Vector Analysis
Derive a list of attack vectors that can be used for the threat/attack analysis of the application
Start with a code injection attacks library:
- SQL injection attacks
- HTML (IFRAME) injection attacks
- Script injection (e.g. cross-site scripting) attacks
- Command shell injection attacks
- File injection attacks
- Server pages injection attacks (e.g. ASP, PHP)
- Cookie poisoning attacks
- XML poisoning attacks
Common Code Injection Attack Vector
[figure from: www.technicalinfo.net/papers/Phishing.html]
Cybercrime HTML-IFRAME Injection Attack Vectors
[figure: intended site ad with embedded iFrame pointing to a malicious site]
IFRAME injection (In-Line Frame Injection)
- Browser vulnerabilities in handling iFrame tags
- Trusted sites with malicious banner ads
- Leverages blackhat SEO in order to drive traffic to vulnerable sites
- Growing attack vectors for malware propagation
- Blackhat SEO fueled rogue software campaigns: over 1 million links all targeting the Ford Motor Company. Mislead search engines to falsely promote malicious pages to the top of the search results. The user visits one of the malicious sites and is prompted to download and install a malicious "codec"
Architecture analysis via threat modeling
DFD/Architecture Threat Analysis Objectives
1. Identify entry and the exit points and the access levels
2. Enumerate the threats to the application elements and map to countermeasures
3. Identify the vulnerabilities that can be exploited by threat using the most likely attack vectors
4. Select and locate countermeasures in the application architecture
[DFD: Users exchange Requests/Responses with the Web Server across the DMZ (User/Web Server Boundary); the Web Server sends Message Calls and Account/Transaction Query Calls across the Internal (Web Server/App & DB Server Boundary) to the Application Server and Database Server, which return Message Responses, Application Responses and Customer Financial Data (SQL Query Call); the Application Server makes Application Calls with Encryption + Authentication across the Restricted Network (App & DB Server/Financial Server Boundary) to the Financial Server, which returns Financial Data and Authentication Data/Auth Data]
Mapping DFD Components to STRIDE Threats to Find Countermeasures
[table from the slide: access levels External, Internal and Restricted, each with its threats and countermeasures]
Access Levels: External, Internal, Restricted
Threats (first set): I. Spoofing, II. Repudiation
Countermeasures: I. AuthN, Encryption; II. Digital signatures, HMAC, TS
Threats (second set): I. Tampering, II. Repudiation, III. Info Disclosure, IV. Denial of Service
Countermeasures: I. AuthN, Encryption; II. Digital signatures, HMAC, TS, AuthZ, Audit; III. Encryption, AuthZ; IV. Filtering, AuthN
Mapping of Threats, Attacks, Vulnerabilities and Countermeasures
[the DFD of the previous slide (Users, DMZ, Web Server, Application Server, Database Server, Restricted Network, Financial Server), annotated with the attack vectors, vulnerabilities and countermeasures below]
Attack vector examples annotated on the diagram:
- <SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>
- OR ‘1’=’1—‘
- "../../../../etc/passwd%00"
- Cmd=%3B+mkdir+hackerDirectory
- http://www.abc.com?RoleID
Vulnerabilities: Injection flaws, CSRF, Insecure Direct Object Reference, Insecure Remote File Inclusion; XSS, SQL Injection, Information Disclosure via errors; Broken Authentication, connection DB password in clear; Broken Authentication/Impersonation, Lack of Synch Session Logout; Insecure Crypto Storage
Countermeasures: NSAPI/ISAPI Filter, Custom errors; Prepared Statements/Parameterized Queries, Stored Procedures, ESAPI Filtering, Server RBAC, Form Tokenization; Hashed/Salted Pwds in Storage and Transit; Trusted Server To Server Authentication, SSO; Trusted Authentication, Federation, Mutual Authentication; No PK exposed as URL parameter; Encrypt Confidential PII in Storage/Transit
Threat impacts: Phishing, Privacy Violations, Financial Loss, Identity Theft, System Compromise, Data Alteration, Destruction
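Added example, not from the original slides: the tautology vector annotated above run against a string-built query, beside the parameterized query the slide lists as the countermeasure. It uses an in-memory sqlite3 table with constructed rows; the table layout and the stored (already masked) values are assumptions.

```python
import sqlite3

# Constructed sample table; PANs are stored already masked per PCI DSS 3.3 and are not real cards.
SAMPLE_ROWS = [("alice", "411111******1111"), ("bob", "555555******4444")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (owner TEXT, pan_masked TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def lookup_vulnerable(conn, owner):
    """Injection flaw: the 'owner' value is concatenated into the SQL text,
    so a value containing a quote changes the WHERE clause."""
    sql = "SELECT owner, pan_masked FROM cards WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, owner):
    """Countermeasure from the slide: parameterized query, the value is bound as data
    and never becomes SQL syntax, whatever characters it contains."""
    return conn.execute(
        "SELECT owner, pan_masked FROM cards WHERE owner = ?", (owner,)
    ).fetchall()

# The tautology vector from the slide, in the form that closes the opened quote.
TAUTOLOGY = "x' OR '1'='1"
```

With the concatenated query the tautology returns every row; with the bound parameter the same input simply matches no owner.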
Secure By Default Application Measures
Data Tier: the layer responsible for data storage and retrieval from a database or file system. Query commands or messages are processed by the DB server, retrieved from the datasource and passed back to the logic tier for processing before being presented to the user
Presentation Tier: represents the top-most level of the application. The purpose of this tier is to translate commands from the user interface into data for processing by other tiers and present back the processed data
Logic Tier: this layer processes commands and makes decisions based upon the application business logic. It also moves and processes data between the presentation and the data tier
[diagram: browser -> query servers -> storage servers/database; data: Account#, Balance, Transaction History; sample exchange: "> Get MY Account Info And Account Activity" / "> Account#: ***8765 Balance: 45,780 $ Last Transaction: 5/25/09"]
Securing The Web Server: 1) Hardening and Locking 2) Secure Configuration Mgmt. 3) Auditing and Logging
Securing The DB Server: 1) Hardening, remove extended stored procedures 2) Enforce Access Privileges 3) Protect PII and sensitive data in storage and transit (S/ODBC) 4) Auditing and logging
Securing The App Server: 1) Server to server authentication 2) Message security 3) Secure Session Management 4) Auditing & Logging
Securing The Browser: 1) AV, AS, Browser updates 2) Hardening, sandboxing 3) Use EV SSL enabled browsers
Secure By Design Architecture Principles
1. Implement Authentication With Adequate Strength
2. Enforce Least Privilege
3. Protect Sensitive Data In Storage, Transit And Display
4. Enforce Minimal Trust
5. Trace and Log User Actions And Security Events
6. Fail Securely And Gracefully
7. Apply Defense in Depth
8. Apply Security By Default
9. Design For Simplicity, KISS Principle
10. Secure By Design, Development and Deployment
11. Secure As The Weakest Link
12. Avoid Security By Obscurity
Mitigation strategies against cybercrime attacks
Cybercrime Situational Awareness Questions
- Are your organization's mitigations against threats mostly driven by security audit and compliance?
- Is compliance a factor for business risk?
- What is your appetite for risk? Is your glass half full ('What is BofA doing?' or 'What does Gartner say?') or half empty (Build you, Devil's Advocate)?
- Do you know HOW threats will affect your data assets? For example: HOW can transactions be abused for fraud? WHAT are possible ways in which your application can leak sensitive/credit card data?
Application Layer Cybercrime Threats Mitigation Strategy
- Mitigate against known threats that exploit common vulnerabilities (e.g. OWASP T10) at the application layer
- Stay ahead of cybercrime threats: adopt cyber-intelligence and cyber threat analysis to learn about new threats and attack vectors
- Apply Threat Modeling to new and existing applications to identify countermeasures in the application architecture
- Drive security into applications following secure architecture design principles
Questions & Answers