
Page 1: Security Compliance Web Application Risk Management

Copyright 2009 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

The Rise of Threat Analysis and the Fall of Compliance in Mitigating Web Application Security Risks

Marco Morana, OWASP Cincinnati Chapter Lead, [email protected]

Tony Ucedavelez, OWASP Atlanta Chapter Lead, [email protected]

LA and OC Chapters, Sept 2009 Meetings

Page 2: Security Compliance Web Application Risk Management

Meeting Agenda

"Status quo" of security compliance in mitigating cybercrime risks
- Compliance data vs. data breach data
- Business impact of data breaches
- Critical view of how compliance drives security

Threat modeling techniques for the analysis of cybercrime threats
- Attack tree analysis
- Use and misuse cases
- Attack vectors analysis
- Data flow/architecture analysis

Risk mitigation strategies against cybercrime attacks

Page 3: Security Compliance Web Application Risk Management

Status Quo of Security Policy and Regulatory Compliance in Mitigating Risks

Page 4: Security Compliance Web Application Risk Management

Biggest Fraud in History

170 million card and ATM numbers

Used SQL injection and packet sniffers

Companies mentioned in the indictments (3) include: TJX Companies, Heartland Payment Systems (HPY), Hannaford Bros

Page 5: Security Compliance Web Application Risk Management

Let's look at PCI-DSS COMPLIANCE and the data breaches reported (datalossdb.org):

Heartland Payment Systems (HPY) WAS PCI COMPLIANT at the time of the breach (August 2007) and is currently PCI COMPLIANT: passed inspection in April 2008 (Trustwave QSA). After an audit, Heartland uncovered malware (the data-sniffing kind) that captured CC or ATM numbers. 130 ML CCN (reported January 20 2009).

TJX was fined for NOT BEING PCI COMPLIANT during the data breach (May 2006-December 2007); VISA allowed them to continue processing. Poor network security and use of weak encryption. 94 ML CCN (reported January 7 2007).

Hannaford Bros WAS PCI COMPLIANT while being hacked (November 2007): compliant with protecting CCH data in storage and in transit over public/open networks. 4.2 ML CCN and ATM data (reported March 17 2008).

Page 6: Security Compliance Web Application Risk Management

So How Does Compliance Drive Security?

Regulations such as PCI, Gramm-Leach-Bliley Act (GLBA), FFIEC, HIPAA, SB 1386 and AB 1950 drive security via an adversarial approach. Some examples:
- Fail an audit => additional fines, restrictions and controls
- Leak of PII => public information disclosure in most US states (SB 1386)
- Running afoul of PCI => can't do business using credit cards, can't do business with Wal-Mart

Generally it is security by FUD: fear of backlash, private suits, etc.

Page 7: Security Compliance Web Application Risk Management

PCI DSS: Protection of CCH and Sensitive Credit Card Authentication Data

[PCI-DSS] 3.2 Do not store sensitive authentication data subsequent to authorization (even if encrypted).

[PCI-DSS] 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).

[PCI-DSS] 3.4 Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs).
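An added example (not from the deck) of what requirements 3.3 and 3.4 look like in code: a display-masking function that keeps only the first six and last four digits, and a log audit that finds Luhn-valid PANs written in the clear and redacts them. The log lines and the 4111 1111 1111 1111 test PAN are constructed sample data.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check, used to tell PAN-like digit runs from timestamps, transaction ids, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI-DSS 3.3 display rule: at most the first six and last four digits are shown."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def _pan_digits(match) -> str:
    """Digits of a regex match if they form a Luhn-valid PAN, else an empty string."""
    digits = re.sub(r"\D", "", match.group(0))
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else ""

def find_unmasked_pans(text: str) -> list:
    """Luhn-valid PANs appearing in clear text, i.e. PCI-DSS 3.4 violations when text is a log."""
    return [d for d in (_pan_digits(m) for m in PAN_RE.finditer(text)) if d]

def redact_log_line(line: str) -> str:
    """Replace each clear-text PAN in a log line by its masked form, leaving other numbers alone."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)) if _pan_digits(m) else m.group(0), line)

# Constructed log lines: one carries a clear-text PAN, one a non-PAN 16-digit transaction id,
# one an already masked PAN as the display rule requires.
SAMPLE_LOG = [
    "2009-05-25 10:01:02 INFO  payment ok txn=1234567890123456 amount=45.80",
    "2009-05-25 10:01:03 DEBUG authz request pan=4111-1111-1111-1111 cvv=*** result=approved",
    "2009-05-25 10:01:04 INFO  display pan=411111******1111 for account ***8765",
]

def audit_log(lines: list) -> dict:
    """Map line number (1-based) to the clear-text PANs found on that line."""
    findings = {}
    for n, line in enumerate(lines, start=1):
        pans = find_unmasked_pans(line)
        if pans:
            findings[n] = pans
    return findings

if __name__ == "__main__":
    for n, pans in audit_log(SAMPLE_LOG).items():
        print(f"line {n}: {len(pans)} clear-text PAN(s) -> {redact_log_line(SAMPLE_LOG[n - 1])}")
```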

Page 8: Security Compliance Web Application Risk Management


Page 9: Security Compliance Web Application Risk Management

Underground economy for stolen credit card and bank account credentials

Page 10: Security Compliance Web Application Risk Management

Monetize the Losses? Ask the TJX CFO

The cyber attack on the retailer Marshalls and TJ Maxx (disclosed in January 2007): after-tax cash charge of approximately $118 million, or $.25 per share.

The company increased its estimate of pre-tax charges for the compromise to nearly $216 million.

According to some experts, TJX may in the end have to spend a total of more than $500 million, including litigation fees and government fines.

Page 11: Security Compliance Web Application Risk Management

Another Way to Look at the Business Impact of Data Breaches: Correlate Drop in Stock Price with Bad News (chart from datalossdb.org)

[Chart annotation: 130 ML CCN (reported January 20 2009)]

Page 12: Security Compliance Web Application Risk Management

Cost Estimate of a Web Application Data Breach Due to a SQL Injection Attack

Probability of attack by type and attack vector, from incident (identity theft) data: 13% of incidents involve breaches of the web channel (datalossdb.org) x 19% of incidents use SQL injection as the attack vector (WHID) = 2.5% as the probability that a SQL injection vulnerability will cause identity theft data loss.

Estimate the business impact of the attack (SQL injection) by multiplying probability of attack x number of losses x cost of one data loss: $691 per individual theft case (Javelin) x 130 million individual ID theft cases x 2.5% attack ID theft probability = $2.2 billion.

Page 13: Security Compliance Web Application Risk Management

A Critical View of Compliance and Security

Is compliance = security?
- Plenty of compliant firms have recently been hit with major security breaches
- Increased number of stolen credit card and bank account credentials available in the black market

Is compliance cost and risk effective?
- Derails security effort from strategy
- C-levels question the value of what they perceive as 'extra' or 'misguided' efforts
- Cost vs. benefit is the cost of non-compliance fines vs. the benefit (savings) of not implementing controls

Page 14: Security Compliance Web Application Risk Management

Did PCI Compliance Auditors Fail Heartland?

Page 15: Security Compliance Web Application Risk Management

Non-Compliance From a Risk Perspective

Regulatory non-compliance is by itself a business risk: assessing the likelihood and potential costs of a particular threat against the cost of preventing or mitigating that threat.

Page 16: Security Compliance Web Application Risk Management

Threat Modeling Techniques for Cybercrime Threats

Page 17: Security Compliance Web Application Risk Management

Application Threat Modeling and the Cybercrime Attack Surface

[Diagram elements:]
- Standards Compliance Gap Analysis
- Penetration Testing
- Attack Tree Analysis
- Cybercrime Intelligence
- DFD/Secure Architecture Analysis
- Use and Misuse Cases
- Security by Design
- Risk Mitigation Strategies
- Attack Vector Analysis
- Source Code Analysis

Page 18: Security Compliance Web Application Risk Management

Cybercrime Threat Intelligence and Analysis: Attacks Against Financial Services and Online Retailers

THREAT INTELLIGENCE: Attack "xp_cmdshell on MS SQL Server to upload sniffers to capture CC transactions and ATM PINs from DB, HSM"

THREAT MITIGATION ANALYSIS:
1. Disable xp_cmdshell
2. Deny extended URLs, escape quotes ("")
3. Use stored procedures
4. Run SQL Server and IIS under non-privileged accounts
5. Do not use a hardcoded "sa" account
6. Lock accounts on mainframes against brute force
7. Use minimum privileges on AD/SQL Server, restrict access by IP
8. Use a proxy server for internet access
9. Implement firewall rules
10. Ensure HSMs do not respond to any commands that handle the PIN in the clear

Page 19: Security Compliance Web Application Risk Management

Cybercrime Threat Intelligence: Attacks Against Online Bank Customers

ZBOT THREAT INTELLIGENCE (from SecureWorks article):
1) The attack vector is email spear phishing and the payload is an IFRAME browser exploit that deploys malware/spyware on the desktop
2) The malware connects back to the hacker botnet C&C for commands and configuration files targeting specific online banking sites
3) The targeted bank malware performs MiTM attacks against the bank customer to get banking credentials, log into the banking site and perform transactions such as wire transfers
4) A keylogger logs keystrokes and supplies them to the site, defeating fraud monitoring controls

Page 20: Security Compliance Web Application Risk Management

Cybercrime Intelligence and Analysis Goals

Understand cyber threats and how they may affect your business: what cyber threats are relevant to your industry?

Learn from cyber criminals' motives and the most likely attack scenarios: become your enemy! Build the right attack tree to walk through probable attack scenarios.

Plan defenses for the attack vectors being used by your enemy: based on the likely attack patterns for each branch of the attack tree, identify which application vulnerabilities can be exploited via which attacks.

Page 21: Security Compliance Web Application Risk Management

Attack-Threat Tree Analysis

Page 22: Security Compliance Web Application Risk Management

Threat Tree for Credit Card Attacks

[Threat tree diagram, reconstructed from its node labels. Root: Credit Card Data Compromise]

Attack User/Browser
- Man in the Middle/Browser attack
- Phishing email/social engineering
- Serve malicious IFRAME to victim visiting the web site
- Clickjacking: serve invisible frame that runs malware
- Take credentials and CC data from user

Attack Web Application
- Automated SQL injection attack to upload malware: upload sniffer to get CC data
- SQL injection exploit: alter query to get CC data
- Exploit weak session management: session fixation to get access to CC data, impersonate user to get access to CC data
- Insecure cryptographic storage/transit: capture non-encrypted CC data

Page 23: Security Compliance Web Application Risk Management

Threat Tree for ATM Attacks

[Threat tree diagram, reconstructed from its node labels. Root: Attack ATM and ATM Networks]
- Capture ATM track 1&2 data (CVV) and valid PIN using a skimming device
- Capture ATM data by exploiting ATM software vulnerabilities
- Commit fraud by using a cloned/forged ATM card
- Buy PINs, CVV + CC# from dark market ($30)
- Phish online banking customers for ATM data
- DoS ATM by attacking ATM network (SQL Slammer)
- Capture/guess ATM data by attacking online banking site
- Harvest/validate ATM data against customer online banking validations
- Get valid ATM (card) in someone else's name (assume identity theft)
- Sniff ATM data in transit from payment processing servers

Page 24: Security Compliance Web Application Risk Management

Use and Abuse Cases

Page 25: Security Compliance Web Application Risk Management

Use and Abuse Cases for Multi-Factor Authentication

[Use/abuse case diagram, reconstructed from its labels]

Actors: User, Fraudster

Use cases (User):
- Enter username and password
- Enter MFA credential

Web Application: Validate user and MFA credentials. Includes:
- Browser cookie generation
- Validate machine tagging and IP geolocation
- User validation of picture and text (RSA Passmark)
- Validate one-time password token
- Validate challenge/questions (KBA)

Abuse case (Fraudster): Phishing 2.0 (botnet MITM) MFA attacks, which threaten the validations above. Includes:
- MiTM gets the OTP and it is used to log in within milliseconds
- MITM proxy sets the IP the same as the ISP of the user's computer
- Spoofing of HTTP header tagging info
- Capture image and text after harvesting usernames and cookie hijacking, MITM
- Guess answers from public profiles, MITM
- Hijack cookie and copy it on the attacker PC to impersonate user/device

Page 26: Security Compliance Web Application Risk Management

Use and Abuse Cases for Logins

[Use/abuse case diagram, reconstructed from its labels]

Actors: User, Hacker/Malicious User

User Authentication (Application/Server). Includes:
- Enter username and password
- Validate password minimum length and complexity
- Show generic error message
- Lock account after N failed login attempts

Abuse cases (Hacker/Malicious User), which threaten User Authentication:
- Brute force authentication
- Dictionary attack
- Harvest (e.g. guess) valid user accounts

The diagram draws "mitigates" edges from the password validation, generic error message and account lockout controls to these abuse cases.
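An added example (not from the deck) wiring the three mitigating controls of this use case into one login routine: password length/complexity validation, a single generic error for unknown user, wrong password and locked account alike (so accounts cannot be harvested from the response), and lockout after N failed attempts. The values of N, the lockout window and the minimum length are assumptions; the `now` parameter exists so the lockout window can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

GENERIC_ERROR = "Invalid username or password"   # same text for every failure reason
MAX_FAILED = 5             # the slide's N failed attempts before lockout (value assumed here)
LOCKOUT_SECONDS = 15 * 60  # lockout window (value assumed here)
MIN_LENGTH = 12            # password minimum length (value assumed here)

def password_meets_policy(password: str) -> bool:
    """Minimum length and complexity: at least one lower-case, upper-case and digit character."""
    return (len(password) >= MIN_LENGTH
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))

def _derive(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Authenticator:
    """In-memory user store with the slide's three controls wired in."""
    def __init__(self):
        self._users = {}          # username -> (salt, derived key); never the clear password
        self._failed = {}         # username -> consecutive failed attempts
        self._locked_until = {}   # username -> epoch seconds until which login is refused
        self._dummy_salt = os.urandom(16)

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet minimum length/complexity")
        salt = os.urandom(16)
        self._users[username] = (salt, _derive(salt, password))

    def login(self, username: str, password: str, now: float = None) -> tuple:
        """Return (success, message). now is injectable so the lockout window can be tested."""
        now = time.time() if now is None else now
        if self._locked_until.get(username, 0) > now:
            return (False, GENERIC_ERROR)        # locked: refuse even a correct password
        record = self._users.get(username)
        if record is None:
            # Unknown user: still derive a key so response time does not reveal valid accounts
            _derive(self._dummy_salt, password)
            ok = False
        else:
            salt, key = record
            ok = hmac.compare_digest(key, _derive(salt, password))
        if ok:
            self._failed.pop(username, None)
            return (True, "ok")
        failed = self._failed.get(username, 0) + 1
        self._failed[username] = failed
        if failed >= MAX_FAILED:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failed[username] = 0
        return (False, GENERIC_ERROR)            # wrong password and unknown user look identical

    def is_locked(self, username: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        return self._locked_until.get(username, 0) > now
```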

Page 27: Security Compliance Web Application Risk Management

Attack Vector Analysis

Page 28: Security Compliance Web Application Risk Management

Attack Vector Analysis

Derive a list of attack vectors that can be used for the threat/attack analysis of the application.

Start with the code injection attacks library:
- SQL injection attacks
- HTML (IFRAME) injection attacks
- Script injection (e.g. cross-site scripting) attacks
- Command shell injection attacks
- File injection attacks
- Server pages injection attacks (e.g. ASP, PHP)
- Cookie poisoning attacks
- XML poisoning attacks

Page 29: Security Compliance Web Application Risk Management

Common Code Injection Attack Vector

From: www.technicalinfo.net/papers/Phishing.html

Page 30: Security Compliance Web Application Risk Management

Cybercrime HTML-IFRAME Injection Attack Vectors

[Diagram labels: Intended site; Ad with embedded iFrame; Malicious site]

IFRAME injection (in-line frame injection):
- Browser vulnerabilities in handling iFrame tags
- Trusted sites with malicious banner ads
- Leverages blackhat SEO in order to drive traffic to vulnerable sites
- Growing attack vector for malware propagation

Blackhat SEO fueled rogue software campaigns: over 1 million links all targeting the Ford Motor Company. They mislead search engines to falsely promote malicious pages to the top of the search results; the user visits one of the malicious sites and is prompted to download and install a malicious "codec".

Page 31: Security Compliance Web Application Risk Management

Architecture Analysis via Threat Modeling

Page 32: Security Compliance Web Application Risk Management

DFD/Architecture Threat Analysis Objectives

1. Identify the entry and exit points and the access levels

2. Enumerate the threats to the application elements and map them to countermeasures

3. Identify the vulnerabilities that can be exploited by a threat using the most likely attack vectors

4. Select and locate countermeasures in the application architecture

Page 33: Security Compliance Web Application Risk Management

Mapping DFD Components to STRIDE Threats to Find Countermeasures

[Data flow diagram, reconstructed from its labels]

Elements: Users; Web Server; Application Server; Database Server; Financial Server.

Trust boundaries and access levels:
- DMZ (User/Web Server Boundary): access level External
- Internal (Web Server/App & DB Server Boundary): access level Internal
- Restricted Network (App & DB Server/Financial Server Boundary): access level Restricted

Data flows: Request and Responses (Users <-> Web Server); Application Calls and Application Responses (Web Server <-> Application Server); SQL Query Call and Customer Financial Data (Application Server <-> Database Server); Account/Transaction Query Calls and Financial Data (Application Server <-> Financial Server); Message Call and Message Response; Authentication Data and Auth Data. The flows crossing boundaries are annotated "Encryption + Authentication".

STRIDE threats annotated at the boundaries, with their countermeasures:

External boundary:
I. Spoofing -> AuthN, Encryption
II. Repudiation -> Digital signatures, HMAC, TS

Internal/Restricted boundaries:
I. Tampering -> AuthN, Encryption
II. Repudiation -> Digital signatures, HMAC, TS, AuthZ, Audit
III. Information Disclosure -> Encryption, AuthZ
IV. Denial of Service -> Filtering, AuthN
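An added example (not from the deck) that turns this slide's mapping into a small enumerator: the DFD above is modelled as elements in zones, and every data flow that crosses a trust boundary is assigned its STRIDE threats (the flow's own tampering/information disclosure/denial of service plus spoofing and repudiation of the caller) and the countermeasures the slide lists for each category. The STRIDE-per-element table is the standard Microsoft SDL one; the zone assignment and the countermeasure entry for elevation of privilege (which the slide does not list) are assumptions.

```python
from collections import namedtuple

# STRIDE-per-element: threat categories that apply to each DFD element kind
# (S)poofing, (T)ampering, (R)epudiation, (I)nformation disclosure, (D)enial of service, (E)levation.
ELEMENT_THREATS = {"external_entity": "SR", "process": "STRIDE", "data_store": "TRID", "data_flow": "TID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege"}
# Countermeasures per category as annotated on the slide; E is not on the slide, so its entry is assumed.
COUNTERMEASURES = {
    "S": ["AuthN", "Encryption"],
    "T": ["AuthN", "Encryption"],
    "R": ["Digital signatures", "HMAC", "Timestamps", "AuthZ", "Audit"],
    "I": ["Encryption", "AuthZ"],
    "D": ["Filtering", "AuthN"],
    "E": ["AuthZ", "Least privilege"],
}

Element = namedtuple("Element", "name kind zone")   # zone: network zone / access level
Flow = namedtuple("Flow", "name src dst")

# The slide's DFD, constructed here; zones follow its three trust boundaries.
ELEMENTS = {e.name: e for e in [
    Element("Users", "external_entity", "external"),
    Element("Web Server", "process", "dmz"),
    Element("Application Server", "process", "internal"),
    Element("Database Server", "data_store", "internal"),
    Element("Financial Server", "process", "restricted"),
]}
FLOWS = [
    Flow("Request", "Users", "Web Server"),
    Flow("Responses", "Web Server", "Users"),
    Flow("Application Calls", "Web Server", "Application Server"),
    Flow("SQL Query Call", "Application Server", "Database Server"),
    Flow("Account/Transaction Query Calls", "Application Server", "Financial Server"),
]

def threats_for_flow(flow, elements=ELEMENTS) -> str:
    """STRIDE letters for a flow that crosses a trust boundary: the flow's own categories plus
    spoofing/repudiation of the caller, whose identity is not trusted across the boundary.
    A flow inside one zone returns '' (no boundary to defend)."""
    src, dst = elements[flow.src], elements[flow.dst]
    if src.zone == dst.zone:
        return ""
    letters = set(ELEMENT_THREATS["data_flow"]) | (set(ELEMENT_THREATS[src.kind]) & set("SR"))
    return "".join(c for c in "STRIDE" if c in letters)

def threat_report(flows=FLOWS, elements=ELEMENTS) -> dict:
    """Boundary-crossing flow name -> boundary, threat names and countermeasures to place on it."""
    report = {}
    for f in flows:
        letters = threats_for_flow(f, elements)
        if not letters:
            continue
        measures = []
        for c in letters:
            measures += [m for m in COUNTERMEASURES[c] if m not in measures]
        report[f.name] = {"boundary": f"{elements[f.src].zone} -> {elements[f.dst].zone}",
                          "threats": [STRIDE_NAMES[c] for c in letters],
                          "countermeasures": measures}
    return report
```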

Page 34: Security Compliance Web Application Risk Management

Mapping of Threats, Attacks, Vulnerabilities and Countermeasures

[The same data flow diagram as on the previous slide (Users, Web Server, Application Server, Database Server, Financial Server, with the DMZ, Internal and Restricted Network boundaries), annotated with the attacks, vulnerabilities and countermeasures below]

Attack examples:
- <SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>
- OR ‘1’=’1—‘
- "../../../../etc/passwd%00"
- Cmd=%3B+mkdir+hackerDirectory
- http://www.abc.com?RoleID

Vulnerabilities:
- XSS, SQL injection, information disclosure via errors
- Injection flaws, CSRF, insecure direct object reference, insecure remote file inclusion
- Broken authentication, DB connection password in clear
- Broken authentication/impersonation, lack of synchronized session logout
- Insecure cryptographic storage

Countermeasures:
- NSAPI/ISAPI filter, custom errors
- Prepared statements/parameterized queries, stored procedures, ESAPI filtering, server RBAC, form tokenization
- Hashed/salted passwords in storage and transit
- Trusted server-to-server authentication, SSO
- Trusted authentication, federation, mutual authentication
- No PK exposed as URL parameter
- Encrypt confidential PII in storage/transit

Impacts: Phishing, privacy violations, financial loss, identity theft, system compromise, data alteration, destruction
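An added example (not from the deck) showing, against a constructed in-memory customer table, why the slide pairs SQL injection with prepared statements/parameterized queries and insecure direct object reference with server-side RBAC: the string-built query lets the slide's OR '1'='1 input return every customer row, the parameterized query treats the same input as a plain value, and an ownership check stops a valid account number supplied by someone else's session. The table contents and the account numbers are sample data.

```python
import sqlite3

def build_customer_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the slide's Customer Financial Data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (account TEXT PRIMARY KEY, name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)",
                     [("1001", "Alice", 45780), ("1002", "Bob", 120), ("1003", "Carol", 9000)])
    return conn

def lookup_vulnerable(conn, account: str) -> list:
    """Query built by string concatenation: the attacker-controlled value becomes SQL syntax,
    so the slide's OR '1'='1 vector turns the WHERE clause into a tautology."""
    sql = "SELECT account, name, balance FROM customer WHERE account = '" + account + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, account: str) -> list:
    """Parameterized query: the value is bound as data and cannot alter the query structure."""
    return conn.execute(
        "SELECT account, name, balance FROM customer WHERE account = ?", (account,)).fetchall()

def lookup_for_session(conn, requested_account: str, session_account: str) -> list:
    """Server-side ownership check on top of parameterization: a syntactically valid account
    number that does not belong to the authenticated session returns nothing (the slide's
    insecure direct object reference / 'no PK exposed as URL parameter' item)."""
    if requested_account != session_account:
        return []
    return lookup_parameterized(conn, requested_account)

INJECTION_INPUT = "1001' OR '1'='1"   # constructed from the slide's attack string

if __name__ == "__main__":
    db = build_customer_db()
    print("vulnerable   :", lookup_vulnerable(db, INJECTION_INPUT))
    print("parameterized:", lookup_parameterized(db, INJECTION_INPUT))
    print("with authz   :", lookup_for_session(db, "1002", "1001"))
```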

Page 35: Security Compliance Web Application Risk Management

Secure By Default Application Measures

Data Tier: the layer responsible for data storage and retrieval from a database or file system. Query commands or messages are processed by the DB server, retrieved from the data source and passed back to the logic tier for processing before being presented to the user.

Presentation Tier: represents the top-most level of the application. The purpose of this tier is to translate commands from the user interface into data for processing by the other tiers and to present back the processed data.

Logic Tier: this layer processes commands and makes decisions based upon the application business logic. It also moves and processes data between the presentation and the data tier.

[Diagram labels: browser; Storage Servers; Query Servers; Database; Account#, Balance, Transaction History; "> Get MY Account Info And Account Activity"; "> Account#: ***8765 Balance: 45,780 $ Last Transaction: 5/25/09"]

Securing the Web Server: 1) Hardening and locking 2) Secure configuration mgmt. 3) Auditing and logging

Securing the DB Server: 1) Hardening, remove extended stored procedures 2) Enforce access privileges 3) Protect PII and sensitive data in storage and transit (S/ODBC) 4) Auditing and logging

Securing the App Server: 1) Server-to-server authentication 2) Message security 3) Secure session management 4) Auditing & logging

Securing the Browser: 1) AV, AS, browser updates 2) Hardening, sandboxing 3) Use EV SSL enabled browsers

Page 36: Security Compliance Web Application Risk Management

Secure By Design Architecture Principles

1. Implement Authentication With Adequate Strength
2. Enforce Least Privilege
3. Protect Sensitive Data In Storage, Transit And Display
4. Enforce Minimal Trust
5. Trace and Log User Actions And Security Events
6. Fail Securely And Gracefully
7. Apply Defense in Depth
8. Apply Security By Default
9. Design For Simplicity, KISS Principle
10. Secure By Design, Development and Deployment
11. Secure As The Weakest Link
12. Avoid Security By Obscurity

Page 37: Security Compliance Web Application Risk Management

Mitigation Strategies Against Cybercrime Attacks

Page 38: Security Compliance Web Application Risk Management


Page 39: Security Compliance Web Application Risk Management

Cybercrime Situational Awareness Questions

Are your organization's mitigations against threats mostly driven by security audit and compliance? Is compliance a factor for business risk? What is your appetite for risk? Is your glass half full ('What is BofA doing?' or 'What does Gartner say?') or half empty (Build you / Devil's Advocate)?

Do you know HOW threats will affect your data assets? For example: HOW can transactions be abused for fraud? WHAT are the possible ways in which your application can leak sensitive/credit card data?

Page 40: Security Compliance Web Application Risk Management

Application Layer Cybercrime Threats Mitigation Strategy

- Mitigate against known threats that exploit common vulnerabilities (e.g. OWASP T10) at the application layer
- Stay ahead of cybercrime threats: adopt cyber-intelligence and cyber threat analysis to learn about new threats and attack vectors
- Apply threat modeling to new and existing applications to identify countermeasures in the application architecture
- Drive security into applications following secure architecture design principles

Page 41: Security Compliance Web Application Risk Management

Questions & Answers