Tech Talk: Preventing Data Breaches with Risk-Aware Session Management

Upload: ca-technologies

Posted on 09-Jan-2017

TRANSCRIPT

Page 1: Tech Talk: Preventing Data Breaches with Risk-Aware Session Management

© 2015 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD

Tech Talk: Preventing Data Breaches with Risk-Aware Session Management

Security

SCT25T

@TwitterHandle

#CAWorld

Herb Mehlhorn

CA Technologies

Advisor, Product Management

Page 2

For Informational Purposes Only

Terms of this Presentation

© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.

Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 18, 2015, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.

Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.

Page 3

Agenda

1. THE PROBLEM
2. WHAT CAN BE DONE TODAY
3. LOOKING FORWARD

Page 4

There are many ways that attackers can hijack user sessions

There are several attack vectors:*

• Predictable session token
• Session sniffing
• Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)
• Man-in-the-middle attack
• Man-in-the-browser attack

* https://www.owasp.org/index.php/Session_hijacking_attack

Source: Enterprise SSO Administrators

Page 5

The more things change… The OWASP Top 10 Most Critical Web Application Security Risks

Sources:
https://www.owasp.org/images/c/ce/OWASP_Top_Ten_2004.doc
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

2003:
• Unvalidated Parameters
• Broken Access Control
• Broken Account and Session Management
• Cross-Site Scripting (XSS) Flaws
• Buffer Overflows
• Command Injection Flaws
• Error Handling Problems
• Insecure Use of Cryptography
• Remote Administration Flaws
• Web and Application Server Misconfiguration

2013:
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function-Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Known Vulnerable Components
• Unvalidated Redirects and Forwards

The latest: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

Page 6

A Multi-layer problem

Application-specific session tokens
• JSESSIONID in WebSphere
• MYSAPSSO2 in SAP

Cross-domain single sign-on solution
• Federation token

Single sign-on solution
• SMSESSION

Page 7

Agenda

1. THE PROBLEM
2. WHAT CAN BE DONE TODAY
3. LOOKING FORWARD

Page 8

Defense approaches

• Implement strong authentication
• Use SSL to secure the communication channel
• Protect against XSS by using best practices in application development
• Set browser configurations

Page 9

Session Hijacking is not new, but protecting against it requires new approaches

• Covert Redirect flaw in online login protocols could be used to steal data and redirect users to malicious websites
• No concerted and coordinated response
• Heartbleed bug: OpenSSL exploited to steal active, authenticated session tokens
• Circumvented multi-factor authentication on VPN
• What’s next?

Page 10

The current state of the art

Considerable discussion on new authenticators. However, there has been little progress on eliminating the password. Many companies use hardware tokens for some small set of users.

The decision process here is largely based on fixed policies.

Q&A usage is on the decline and is being replaced by One Time Password (OTP) over SMS or email. Confirmation via push notification is gaining ground.

Flow: Initial Authentication → Authorize? → Deny, or Allow → Continue, or Step Up → Follow-Up Authentication

Page 11

Schema for a New Approach

Introduce continual risk assessment

Manage session

Flow: Initial Authentication → Evaluate Risk → Deny, or Allow → Continue, or Step Up → Follow-Up Authentication

Page 12

Two Methods for Ensuring Session Security

• Continuous Device Identification
• Risk-Based Authorization

Risk Score: 0 (Low Risk) to 100 (High Risk)

Page 13

Continuous Device Verification During a Session

• User initially authenticates; a unique device identifier is captured
• User session timeline (time 0, 10, 20, 30): device check at the specified interval
• User requests SSO access to Office 365: no additional check required
• User requests SSO access to Finance App: additional device check

Page 14

CA Single Sign-On Methods

Type of Protection: Prevent exposure of SMSESSION
Settings:
• UseHttpOnlyCookies
• UseSecureCookie
• UseSecureCPCookies
• CSSChecking
• StoreSessionInServer
• ValidateTargetDomain

Type of Protection: Preventing use of a hijacked session
Settings:
• TransientIPChecking / PersistentIPChecking
• TrackSessionDomain
• ServerOnly session cookie
• BadURLChars / BadQueryChars
• Enhanced Session Assurance with DeviceDNA™

Page 15

Continuous Verification Protects Sessions

Actors: User (Ben) on Ben’s device; Hacker (Andre) on Andre’s device. Application Access Management sits in front of the Application and performs unique device verification.

• Ben logs in (diagram label: Benabcd1234): device verification finds the device unique to the session. Application: Success! “Hello, Ben!”
• Andre logs in with Ben’s stolen cookie (diagram label: Andrezzz999): device verification finds a different device. Access attempt: Denied!
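As an added example (not code from the deck or any CA product), the following Python models the flow on slides 11 to 13 and 15: a server-side session bound at login to a device identifier and client IP, a device check at a fixed interval and on every request to a high-risk app, and a 0 to 100 risk score mapped to allow, step up or deny. The interval, app list, score weights and thresholds are constructed assumptions, and the class and method names are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed policy values (assumptions, not CA Single Sign-On settings).
CHECK_INTERVAL = 10           # seconds between periodic device checks (slide: t = 10, 20, 30)
HIGH_RISK_APPS = {"finance"}  # apps that always trigger an additional device check
STEP_UP_AT, DENY_AT = 40, 70  # thresholds on the 0-100 risk score


@dataclass
class Session:
    user: str
    device_id: str    # unique device identifier captured at initial authentication
    client_ip: str    # IP the session was established from (persistent IP check)
    last_check: float
    # Random, unpredictable token: nothing about the user can be derived from it.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class RiskAwareSessionStore:
    """Hypothetical server-side session store with continuous device verification."""

    def __init__(self):
        self._sessions = {}   # token -> Session; the token is the only thing the client holds

    def login(self, user, device_id, client_ip, now=None):
        s = Session(user, device_id, client_ip, now if now is not None else time.time())
        self._sessions[s.token] = s
        return s.token

    def authorize(self, token, app, device_id, client_ip, now=None):
        """Return 'allow', 'step_up' or 'deny' for a request presenting `token`."""
        s = self._sessions.get(token)
        if s is None:
            return "deny"                      # unknown or already revoked token
        now = now if now is not None else time.time()
        score = 0
        if client_ip != s.client_ip:           # session is bound to the login IP
            score += 40
        if app in HIGH_RISK_APPS:
            score += 20
        if app in HIGH_RISK_APPS or now - s.last_check >= CHECK_INTERVAL:
            if device_id != s.device_id:       # stolen cookie replayed from another device
                score += 70
            s.last_check = now
        if score >= DENY_AT:
            del self._sessions[token]          # revoke so the replayed cookie cannot be retried
            return "deny"
        return "step_up" if score >= STEP_UP_AT else "allow"
```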

Page 16

A Multi-layer Solution

Application-specific session tokens
• JSESSIONID in WebSphere
• MYSAPSSO2 in SAP

Cross-domain single sign-on solution
• Federation token

Single sign-on solution
• SMSESSION

Page 17

Agenda

1. THE PROBLEM
2. WHAT CAN BE DONE TODAY
3. LOOKING FORWARD

Page 18

Solution Vision – ID Analytics

Risk inputs: Device, Geolocation, Velocity, User history, Fraud patterns

• ID Analytics computes a risk assessment at authentication
• Risk assessment during the access decision for Content
• Outcome: REJECT / STEP-UP AUTH, plus a report on access
• Applies to Partners, Customers and Employees

Value to your business
• Increases security without inconveniencing end users
• Detects and blocks fraud with real-time risk analysis
• Improves security and reduces security admin costs

Page 19

Q & A

Page 20

For More Information

To learn more, please visit:

http://cainc.to/Nv2VOe

CA World ’15