1 © 2015 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
Tech Talk: Preventing Data Breaches with Risk-Aware Session Management
Security
SCT25T
@TwitterHandle
#CAWorld
Herb Mehlhorn
CA Technologies
Advisor, Product Management
For Informational Purposes Only
Terms of this Presentation
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 18, 2015, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.
Agenda
1 THE PROBLEM
2 WHAT CAN BE DONE TODAY
3 LOOKING FORWARD
There are many ways that attackers can hijack user sessions
There are several attack vectors:*
• Predictable session token
• Session Sniffing
• Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)
• Man-in-the-middle attack
• Man-in-the-browser attack
* https://www.owasp.org/index.php/Session_hijacking_attack
Source: Enterprise SSO Administrators
The more things change… The OWASP Top 10 Most Critical Web Application Security Risks
2003 list (https://www.owasp.org/images/c/ce/OWASP_Top_Ten_2004.doc):
• Unvalidated Parameters
• Broken Access Control
• Broken Account and Session Management
• Cross-Site Scripting (XSS) Flaws
• Buffer Overflows
• Command Injection Flaws
• Error Handling Problems
• Insecure Use of Cryptography
• Remote Administration Flaws
• Web and Application Server Misconfiguration
2013 list, the latest (http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf):
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function-Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Known Vulnerable Components
• Unvalidated Redirects and Forwards
The latest (2013) description of Broken Authentication and Session Management: application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume others’ identities.
A Multi-layer problem
Application-specific session tokens
• JSESSIONID in WebSphere
• MYSAPSSO2 in SAP
Cross-domain single sign-on solution
• Federation token
Single sign-on solution
• SMSESSION
Defense approaches
Implement strong authentication
Use SSL to secure the communication channel
Protect against XSS by using best practices in application development
Set browser configurations
Session Hijacking is not new, but protecting against it requires new approaches
• Covert Redirect: a flaw in online login protocols that could be used to steal data and redirect users to malicious websites. No concerted and coordinated response.
• Heartbleed: an OpenSSL bug exploited to steal active, authenticated session tokens, circumventing multi-factor authentication on a VPN.
• What’s next?
The current state of the art
Considerable discussion on new authenticators. However, there has been little progress on eliminating the password. Many companies use hardware tokens for some small set of users.
The decision process here is largely based on fixed policies.
Q&A usage is on the decline and is being replaced by One Time Password (OTP) over SMS or email. Confirmation via push notification is gaining ground.
Flow: Initial Authentication -> Authorize? -> Deny | Allow -> Continue | Step Up -> Follow-Up Authentication
Schema for a New Approach
• Introduce continual risk assessment
• Manage session
Flow: Initial Authentication -> Evaluate Risk -> Deny | Allow -> Continue | Step Up -> Follow-Up Authentication
Two Methods for Ensuring Session Security
• Continuous Device Identification
• Risk-Based Authorization
Risk Score: 0 (Low Risk) to 100 (High Risk)
Continuous Device Verification During a Session
• User initially authenticates; a unique device identifier is captured.
• User session timeline (Time: 0, 10, 20, 30): a device check runs at the specified interval (at 10, 20 and 30).
• User requests SSO access to Office 365: no additional check required.
• User requests SSO access to the Finance App: additional device check.
CA Single Sign-On Methods
Type of Protection: Prevent exposure of SMSESSION
Settings: UseHttpOnlyCookies, UseSecureCookie, UseSecureCPCookies, CSSChecking, StoreSessionInServer, ValidateTargetDomain
Type of Protection: Preventing use of a hijacked session
Settings: TransientIPChecking/PersistentIPChecking, TrackSessionDomain, ServerOnly session cookie, BadURLChars/BadQueryChars, Enhanced Session Assurance with DeviceDNA™
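The settings above map onto a handful of generic server-side controls. The following is an added example written for this transcript, not CA Single Sign-On code and not how those settings are implemented: it builds a session cookie with the Secure and HttpOnly attributes, validates a post-login redirect target against a trusted-domain list, rejects request URIs containing unsafe characters, and binds a session to the client IP. The cookie name SMSESSION comes from the slide; the trusted-domain list, the bad-character list, the function names and the sample session are constructed for the example.

```python
from urllib.parse import urlsplit

# Added example (not CA Single Sign-On code): generic versions of the checks the
# settings on the slide stand for. The lists below are constructed for the example.

TRUSTED_DOMAINS = {"example.com"}                   # ValidateTargetDomain analog
BAD_URL_CHARS = ("<", ">", "'", '"', "%00", "\\")   # BadURLChars/BadQueryChars analog


def session_cookie_header(name, value, secure=True, http_only=True, domain=None):
    """Build a Set-Cookie header. Secure keeps the cookie off plaintext HTTP and
    HttpOnly keeps it out of reach of page scripts (UseSecureCookie/UseHttpOnlyCookies)."""
    attrs = [f"{name}={value}", "Path=/"]
    if domain:
        attrs.append(f"Domain={domain}")
    if secure:
        attrs.append("Secure")
    if http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def target_allowed(target_url: str) -> bool:
    """Accept a post-login redirect target only if its host is in a trusted domain.
    Scheme-less and javascript: style targets have no hostname and are refused."""
    host = (urlsplit(target_url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def has_bad_chars(uri: str) -> bool:
    """Reject characters that have no business in a URL or query string."""
    return any(c in uri for c in BAD_URL_CHARS)


def gate_request(session: dict, client_ip: str, request_uri: str, persistent_ip_check=True):
    """Checks applied to every request that presents a session cookie.
    Returns (allowed, reason). The IP comparison is the PersistentIPChecking analog."""
    if persistent_ip_check and session["ip"] != client_ip:
        return False, "ip-mismatch"
    if has_bad_chars(request_uri):
        return False, "bad-url-chars"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample session bound at login time.
    ben = {"user": "ben", "ip": "10.0.0.5"}
    print(session_cookie_header("SMSESSION", "opaque-token"))
    print(gate_request(ben, "10.0.0.5", "/finance/report?q=2015"))
    print(gate_request(ben, "10.0.0.9", "/finance/report"))
    print(target_allowed("https://intranet.example.com/app"), target_allowed("//evil.test/"))
```

The IP binding is deliberately a switch: persistent checking breaks users behind rotating proxies or mobile networks, which is the trade-off the transient/persistent pair on the slide exists to express.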
Continuous Verification Protects Sessions
Unique device verification sits in front of application access management:
• Ben logs in from Ben’s device (credentials shown on the slide as Ben / abcd1234). The device is recognised as his unique device, so the application responds “Hello, Ben!” (Success!).
• Andre, the hacker, logs in with Ben’s stolen cookie from Andre’s device (shown as Andre / zzz999). The device does not match the one bound to the session, so the access attempt is denied.
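The timeline on the Continuous Device Verification slide and the Ben/Andre scenario above describe the same mechanism, so one added example covers both. It is written for this transcript and is not CA code and not DeviceDNA: a session store binds each session to a device identifier at initial authentication, re-verifies that identifier at a fixed interval and whenever a sensitive application is requested, and revokes the session when a replayed cookie arrives from a different device. The check interval, the sensitive-app list, the device attributes and the time units are constructed assumptions.

```python
import hashlib
import secrets

# Added example (not CA code, not DeviceDNA): session-to-device binding with
# periodic and on-demand re-verification. Time values use the slide's units.

CHECK_INTERVAL = 10                 # the slide re-checks at t = 10, 20, 30
SENSITIVE_APPS = {"finance"}        # apps that always trigger an additional device check


def device_id(attrs: dict) -> str:
    """Stable identifier derived from collected device attributes.
    Sorting the keys makes the identifier independent of collection order."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user: str, device_attrs: dict, now: float) -> str:
        """Initial authentication: mint a session and capture the device identifier."""
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user, "device": device_id(device_attrs), "last_check": now}
        return token

    def request(self, token: str, app: str, device_attrs: dict, now: float) -> tuple:
        """An SSO access request carrying the session cookie. Returns (decision, reason)."""
        session = self._sessions.get(token)
        if session is None:
            return "DENY", "unknown-session"
        due = now - session["last_check"] >= CHECK_INTERVAL or app in SENSITIVE_APPS
        if not due:
            return "ALLOW", "no-additional-check-required"
        if device_id(device_attrs) != session["device"]:
            del self._sessions[token]      # the cookie is being replayed from elsewhere: revoke it
            return "DENY", "device-mismatch"
        session["last_check"] = now
        return "ALLOW", "device-verified"


def run_scenario() -> list:
    """The slide's story: Ben logs in; Andre replays Ben's cookie from another device."""
    store = SessionStore()
    ben_device = {"ua": "Browser/1.0", "screen": "1920x1080", "tz": "-5"}    # constructed
    andre_device = {"ua": "Browser/1.0", "screen": "1366x768", "tz": "+1"}   # constructed
    cookie = store.login("ben", ben_device, now=0)
    return [
        store.request(cookie, "office365", ben_device, now=5),     # inside the interval: no check
        store.request(cookie, "office365", ben_device, now=10),    # interval check passes
        store.request(cookie, "finance", andre_device, now=12),    # stolen cookie, other device
        store.request(cookie, "office365", ben_device, now=13),    # session was revoked above
    ]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The interval and the sensitive-app list are the two tuning knobs: a replayed cookie that arrives between checks and asks only for a low-risk application is not examined until the next interval or the next sensitive request, so the interval bounds how long a hijacked session can be used before the device mismatch is detected.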
A Multi-layer Solution
Application-specific session tokens
• JSESSIONID in WebSphere
• MYSAPSSO2 in SAP
Cross-domain single sign-on solution
• Federation token
Single sign-on solution
• SMSESSION
Solution Vision – ID Analytics
Risk inputs: Device, Geolocation, Velocity, User history, Fraud patterns
Risk assessment at authentication, and risk assessment during the access decision (content), with REJECT / STEP-UP AUTH as the outcomes; report on access.
Populations covered: Partners, Customers, Employees
Value to your business
• Increases security without inconveniencing end users
• Detects and blocks fraud with real-time risk analysis
• Improves security and reduces security admin costs
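The risk-based authorization method (Risk Score 0 to 100, Evaluate Risk -> Deny / Allow / Step Up) and the ID Analytics inputs listed above (device, geolocation, velocity, user history, fraud patterns) fit together in one added example. It is written for this transcript and is not CA's product code or the ID Analytics scoring model: a toy scorer that turns those inputs into a 0 to 100 score and maps the score onto the deck's three outcomes. The Signals fields, the weights, the velocity cut-off and the decision thresholds are all assumed tuning values.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Added example (not CA code): a toy risk engine for the "Evaluate Risk" step.
# Weights and thresholds are hypothetical; a real engine would learn or tune them.


@dataclass
class Signals:
    device_known: bool          # device identifier matches one previously seen for this user
    prev_location: tuple        # (lat, lon) of the previous request
    location: tuple             # (lat, lon) of this request
    minutes_since_prev: float   # elapsed time between the two requests
    failed_logins_24h: int      # user-history signal
    fraud_pattern_match: bool   # hit against known fraud patterns


def haversine_km(a: tuple, b: tuple) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def risk_score(s: Signals) -> int:
    """Combine the signals into a 0 (low risk) .. 100 (high risk) score."""
    score = 0
    if not s.device_known:
        score += 40
    distance = haversine_km(s.prev_location, s.location)
    hours = max(s.minutes_since_prev / 60.0, 1.0 / 60.0)    # floor avoids division by zero
    velocity = distance / hours                              # km/h implied by the two requests
    if velocity > 900:          # faster than an airliner: travel that cannot have happened
        score += 40
    elif distance > 500:        # plausible but unusual travel since the last request
        score += 15
    score += min(s.failed_logins_24h * 5, 20)
    if s.fraud_pattern_match:
        score += 40
    return min(score, 100)


def decide(score: int, step_up_at: int = 30, deny_at: int = 80) -> str:
    """Map the score onto the deck's outcomes: Continue, Step Up (follow-up auth), Deny."""
    if score >= deny_at:
        return "DENY"
    if score >= step_up_at:
        return "STEP_UP"
    return "CONTINUE"


def evaluate(s: Signals) -> tuple:
    """One pass of the Evaluate Risk step: returns (score, decision)."""
    score = risk_score(s)
    return score, decide(score)


if __name__ == "__main__":
    LONDON, NEW_YORK = (51.5074, -0.1278), (40.7128, -74.0060)
    # Constructed scenario: unknown device and London to New York in 30 minutes.
    print(evaluate(Signals(False, LONDON, NEW_YORK, 30, 0, False)))
    # Constructed scenario: known device, same city, clean history.
    print(evaluate(Signals(True, LONDON, LONDON, 5, 0, False)))
```

Because the score is recomputed on every request rather than only at login, the same function serves both boxes on the slide: risk assessment at authentication and risk assessment during the access decision.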
Q & A
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15