Web Trends Stats and How to Defend

Upload: nasim-akhtar

Post on 10-Jan-2016

TRANSCRIPT

  • Web Hacking Incidents Revealed: Trends, Stats and How to Defend

    Ryan Barnett, Senior Security Researcher

    SpiderLabs Research

  • Copyright Trustwave 2010 Confidential

    Ryan Barnett - Background

    Trustwave Senior Security Researcher

    Web application firewall research/development
      Virtual patching for web applications

    Member of the SpiderLabs Research Team
      Web application firewall signature lead

    ModSecurity Community Manager
      Interface with the community on the public mail-list
      Steer the internal development of ModSecurity

    Author of Preventing Web Attacks with Apache

  • Ryan Barnett Community Projects

    Open Web Application Security Project (OWASP)
      Speaker/Instructor
      Project Leader, ModSecurity Core Rule Set
      Project Contributor, OWASP Top 10
      Project Contributor, AppSensor

    Web Application Security Consortium (WASC)
      Board Member
      Project Leader, Web Hacking Incident Database
      Project Leader, Distributed Open Proxy Honeypots
      Project Contributor, Web Application Firewall Evaluation Criteria
      Project Contributor, Threat Classification

    The SANS Institute
      Courseware Developer/Instructor
      Project Contributor, CWE/SANS Top 25 Worst Programming Errors

  • Session Outline

    The Challenge of Risk Analysis for Web Applications
      Risk Rating Methodology
      How to quantify risk?

    WASC Web Hacking Incident Database (WHID)
      What is it?
      Goals
      Recent Project Changes and Updates

    2010 Semiannual Report (July - December)
      Incidents By Attacked Entity Field
      Incidents By Outcome
      Incidents By Attack Methods
      Incidents By Application Weakness
      Comparing the OWASP Top 10 vs. the WHID Top 10

    Incidents of Interest

    Conclusion

  • The Challenge of Risk Analysis for Web Application Security

  • OWASP Risk Rating Methodology

    #Step 1: Identifying a Risk

    #Step 2: Factors for Estimating Likelihood

    #Step 3: Factors for Estimating Impact

    #Step 4: Determining Severity of the Risk

    #Step 5: Deciding What to Fix

    #Step 6: Customizing Your Risk Rating Model

    http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
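    The six steps above are easiest to see with numbers attached. The following is an added example (not code from the slides or from OWASP): it carries Steps 2 to 4 through in code using the methodology's own factor names, 0-9 scales, the 0/3/6 level bands and the likelihood-by-impact severity matrix. The scenario and every score in sqli_login_form() are assumptions chosen to illustrate an Internet-facing SQL injection where requests are logged but nobody reviews the logs.

```python
"""OWASP Risk Rating Methodology, worked through in code.

Added example, not from the slides. Factor names follow the OWASP methodology
(eight likelihood factors, eight impact factors, each scored 0-9); the scores
assigned in sqli_login_form() are assumptions for an illustrative scenario.
"""
from statistics import mean

LIKELIHOOD_FACTORS = (
    # Threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # Vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)
BUSINESS_IMPACT_FACTORS = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Step 4 severity matrix from the methodology, keyed by (impact level, likelihood level).
SEVERITY = {
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
}


def level(score):
    """Map a 0-9 score to the methodology's bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def _average(factors, required):
    """Validate that every required factor is present and in range, then average them."""
    missing = set(required) - set(factors)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name in required:
        if not 0 <= factors[name] <= 9:
            raise ValueError(f"{name} must be 0-9, got {factors[name]}")
    return mean(factors[name] for name in required)


def rate_risk(likelihood, technical_impact, business_impact=None):
    """Steps 2-4: estimate likelihood, estimate impact, combine into severity.

    Business impact is used when the assessor has it (the methodology prefers it);
    otherwise the technical impact factors stand in.
    """
    l_score = _average(likelihood, LIKELIHOOD_FACTORS)
    if business_impact is not None:
        i_score = _average(business_impact, BUSINESS_IMPACT_FACTORS)
    else:
        i_score = _average(technical_impact, TECHNICAL_IMPACT_FACTORS)
    l_level, i_level = level(l_score), level(i_score)
    return {
        "likelihood": l_score, "likelihood_level": l_level,
        "impact": i_score, "impact_level": i_level,
        "severity": SEVERITY[(i_level, l_level)],
    }


def sqli_login_form():
    """Illustrative scenario with assumed scores: SQL injection in an Internet-facing
    login form, automated tools available, requests logged but never reviewed."""
    likelihood = {
        "skill_level": 3, "motive": 4, "opportunity": 9, "size": 9,
        "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9,
        "intrusion_detection": 8,   # "logged without review"
    }
    technical_impact = {
        "loss_of_confidentiality": 7, "loss_of_integrity": 7,
        "loss_of_availability": 5, "loss_of_accountability": 7,
    }
    return rate_risk(likelihood, technical_impact)


if __name__ == "__main__":
    print(sqli_login_form())
```

    The point of Step 6 is visible in the code: the same likelihood scores paired with low business-impact factors drop the result from Critical to Medium, which is why the WHID data on outcomes (Step 3) matters as much as the data on weaknesses (Step 2).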


  • The Challenge of Risk Analysis for Web Applications: Analyzing Public Incidents

  • Risk Rating Problem

    Instead of being concerned about what CAN happen (theoretical scenarios), perhaps we should first be dealing with what IS happening (analysis of real-world web compromises)

  • Publicly Quantifying Web Incidents is Challenging

    Incidents are not detected
      ~156 day lapse between compromise and detection*
      In the vast majority of cases the merchant did not identify the intrusion; a 3rd party did, based on fraud detection (card brands and banks)*

    Logging issues: poor logging and/or no one reviewing the logs for signs of compromise

    * https://www.trustwave.com/downloads/whitepapers/Trustwave_WP_Global_Security_Report_2010.pdf


  • Publicly Quantifying Web Incidents is Challenging

    Victims hide breaches

    Defacement (visible) and information leakage (regulated) are publicized more than other breaches

    Example: banks are not forced to disclose when individual customer funds are stolen

  • Web Hacking Incident Database (WHID)

  • WASC Web Hacking Incident Database (WHID)

    http://projects.webappsec.org/Web-Hacking-Incident-Database

  • Tracking Public Web Compromises

  • WHID Goals

    Raise awareness of real-world, web application security incidents

    Provide data for the following Risk Rating steps:
      #Step 2: Factors for Estimating Likelihood: What application weaknesses are actively being targeted?
      #Step 3: Factors for Estimating Impact: What outcome are you worried about?
      #Step 5: Deciding What to Fix: Prioritized listing of remediation issues
      #Step 6: Customizing Your Risk Rating Model: Customized view based on your vertical market

  • WHID Data

    Data samples (statistically insignificant): focus on % rather than raw numbers

    Inclusion criteria: only publicly disclosed, web-related incidents

    Incidents of interest: defacements of high-profile sites are included

    Ensure quality and correctness of incidents: this severely limits the number of incidents that get in

  • WHID Data: Community Submittal Form

    Community incident submission leverages crowdsourcing

    Project team validation ensures quality

    http://projects.webappsec.org/Web-Hacking-Incident-Database#SubmitanIncident

  • WHID Database Content

    ~222 incidents for 2010; incidents recorded since 1999

    Each incident is classified by:
      Attack type
      Application weakness
      Outcome
      Country of organization attacked
      Industry segment of organization attacked
      Country of origin of the attack (if known)
      Vulnerable software

    Additional information:
      A unique identifier: WHID 200x-yy
      Dates of occurrence and reporting
      Description
      Internet references

  • Real-Time Statistics

    http://projects.webappsec.org/Web-Hacking-Incident-Database

    Browse real-time data
    Drill down into incident details
    Pivot on key variables (year/vertical market)

  • Real-time, Searchable DB

    WHID data is available year-round

    Useful for application developers and researchers

    Search by

    Attack method

    Outcome

    Source geography

    and many more

    http://projects.webappsec.org/Web-Hacking-Incident-Database#SearchtheWHIDDatabase

  • Geographic Views

  • Monitoring WHID Updates

    http://projects.webappsec.org/Web-Hacking-Incident-Database#RSSFeed

    @wascwhid

  • WHID 2010 Biannual Status Report: July-December

  • What Vertical Markets are Attacked Most Often?

  • What are the Goals for Web Hacking?

  • What Attack Methods do Hackers Use?

  • Which Application Weaknesses are Exploited?

  • #Step 5: Deciding What to Fix: Prioritized listing of remediation issues

  • OWASP vs. WHID Top 10

    #   OWASP Top 10                                   WHID Top 10
    1   Injection                                      Insufficient Anti-Automation (Brute Force and DoS)
    2   Cross-site Scripting (XSS)                     Improper Output Handling (XSS and Planting of Malware)
    3   Broken Authentication and Session Management   Improper Input Handling (SQL Injection)
    4   Insecure Direct Object Reference               Application Misconfiguration (Detailed error messages)
    5   CSRF                                           Insufficient Authentication (Stolen Credentials/Banking Trojans)
    6   Security Misconfiguration                      Insufficient Process Validation (CSRF and DNS Hijacking)
    7   Insecure Cryptographic Storage                 Insufficient Authorization (Predictable Resource Location/Forceful Browsing)
    8   Failure to Restrict URL Access                 Abuse of Functionality (CSRF/Click-Fraud)
    9   Insecure Transport Layer Protection            Insufficient Password Recovery (Brute Force)
    10  Unvalidated Redirects and Forwards             Improper Filesystem Permissions (Info Leakages)

  • Top Trends

  • Denial of Service

  • Layer 4 DDoS Attacks

  • Layer 4 DDoS Attacks - Botnets

    Reach bandwidth or connection limits of hosts or networking equipment.

    Fortunately, current anti-DDoS solutions are effective in handling Layer 4 DDoS attacks.

    http://www.cert.org/reports/dsit_workshop.pdf

  • Layer 7 DDoS Attacks

    Legitimate TCP or UDP connections; difficult to differentiate from legitimate users => higher obscurity.

    Requires fewer connections => higher efficiency.

    Reach resource limits of services; can deny service regardless of the hardware capabilities of the host => higher lethality.

    We will focus on protocol weaknesses of HTTP or HTTPS.

    HTTP GET => Michal Zalewski, Adrian Ilarion Ciobanu, RSnake (Slowloris)
    HTTP POST => Wong Onn Chee

  • http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool

  • Application Performance Monitoring Dashboard

  • Excessive Access Rate Detection
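    The two detections the slides name, excessive access rate (the anti-automation problem at #1 in the WHID Top 10) and the Layer 7 slow-HTTP attacks above (Slowloris-style slow headers, slow POST bodies), can both be driven from the web server's access log. The block below is an added example, not the rule set from the slides: it assumes a simplified, constructed log format with one line per completed request (client IP, Unix timestamp, method, path, status, duration in milliseconds), and its thresholds are assumptions to be replaced with values taken from the site's own performance baseline. The sample log is constructed for the example.

```python
"""Excessive access rate and slow-HTTP (Layer 7 DoS) indicators from access logs.

Added example, not the rules from the slides. It assumes a simplified, constructed
access-log format (one request per line, written when the request completes):
  <client_ip> <unix_ts> <method> <path> <status> <duration_ms>
Thresholds are assumptions; set them from the site's own performance baseline.
"""
from collections import defaultdict, deque

RATE_WINDOW_S = 10     # sliding window for request counting
RATE_LIMIT = 20        # more than this many requests per window from one IP => excessive rate
SLOW_MS = 30_000       # a request held open longer than this is "slow" (slow headers / slow POST body)
SLOW_WINDOW_S = 300    # slow requests complete rarely, so count them over a longer window
SLOW_LIMIT = 5         # this many slow completions per window from one IP => slow-HTTP suspect


def parse_line(line):
    """Parse one line of the constructed log format into a dict."""
    ip, ts, method, path, status, duration = line.split()
    return {"ip": ip, "ts": float(ts), "method": method, "path": path,
            "status": int(status), "duration_ms": int(duration)}


def _count_in_window(window, ts, span):
    """Append ts, drop entries older than span seconds, return how many remain."""
    window.append(ts)
    while window and ts - window[0] > span:
        window.popleft()
    return len(window)


def detect(lines):
    """Return {client_ip: set of indicator names} for the given log lines."""
    rate_windows = defaultdict(deque)
    slow_windows = defaultdict(deque)
    alerts = defaultdict(set)
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        ip, ts = rec["ip"], rec["ts"]
        if _count_in_window(rate_windows[ip], ts, RATE_WINDOW_S) > RATE_LIMIT:
            alerts[ip].add("excessive_access_rate")
        # One slow request is normal (large upload, slow link). Many of them from one
        # client completing close together is the footprint of Slowloris-style or
        # slow-POST tools, which hold connections open to exhaust worker slots.
        if rec["duration_ms"] > SLOW_MS and \
                _count_in_window(slow_windows[ip], ts, SLOW_WINDOW_S) >= SLOW_LIMIT:
            alerts[ip].add("slow_http_suspect")
    return dict(alerts)


# Constructed sample log: one client hammering /login, one holding POST bodies open,
# one normal visitor. Addresses are from the documentation ranges.
SAMPLE_LOG = (
    [f"203.0.113.10 {1000 + 0.3 * i:.1f} GET /login 200 45" for i in range(25)]
    + [f"198.51.100.7 {1100 + 30 * i} POST /upload 200 120000" for i in range(6)]
    + ["192.0.2.5 1001 GET / 200 80",
       "192.0.2.5 1005 GET /about 200 60",
       "192.0.2.5 1200 POST /contact 302 95"]
)

if __name__ == "__main__":
    for ip, names in sorted(detect(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(names)))
```

    Note the asymmetry: a rate detector alone misses slow-HTTP tools, because they issue very few requests; the second counter keys on request duration instead, which is the one field in which holding a worker open shows up. In a WAF or in the application itself the same counters can be kept in memory per client and acted on before the request completes.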

  • Cross-site Scripting (XSS) Defense
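    The WHID Top 10 files XSS under "Improper Output Handling", which is also where the defense sits: every untrusted value must be encoded for the exact context it is written into. The block below is an added example, not code from the slides: render_profile_unsafe() is the concatenation pattern behind the incidents, and render_profile_safe() encodes the same values for HTML body, HTML attribute, URL and JavaScript string contexts. Function and template names are assumed for the illustration.

```python
"""Improper output handling vs. context-aware output encoding.

Added example, not from the slides. render_profile_unsafe() is the pattern behind
most stored/reflected XSS: untrusted input concatenated straight into HTML, an
href, and a <script> block. render_profile_safe() encodes each value for the
context it lands in. Function and template names are assumed.
"""
import html
import json
from urllib.parse import urlsplit


def encode_html(value):
    """HTML body and quoted-attribute context: escape & < > " and '."""
    return html.escape(str(value), quote=True)


def encode_js_string(value):
    """JavaScript string-literal context: emit a quoted JSON literal, and break up
    '</' so the browser's HTML parser cannot see a '</script>' inside the literal."""
    return json.dumps(str(value)).replace("</", "<\\/")


def safe_url(value):
    """href context: allow only http(s) or site-relative paths, so 'javascript:'
    and 'data:' URLs never reach the attribute. Anything else collapses to '#'."""
    url = str(value).strip()
    parts = urlsplit(url)
    if parts.scheme.lower() in ("http", "https"):
        return url
    if parts.scheme == "" and url.startswith("/") and not url.startswith("//"):
        return url
    return "#"


def render_profile_unsafe(name, homepage):
    # Vulnerable on purpose: raw values dropped into three different contexts.
    return (
        f"<h1>Welcome {name}</h1>\n"
        f'<a href="{homepage}">home</a>\n'
        f'<script>var user = "{name}";</script>'
    )


def render_profile_safe(name, homepage):
    # Same template; each value encoded for the context it is written into.
    return (
        f"<h1>Welcome {encode_html(name)}</h1>\n"
        f'<a href="{encode_html(safe_url(homepage))}">home</a>\n'
        f"<script>var user = {encode_js_string(name)};</script>"
    )


if __name__ == "__main__":
    evil_name = "<script>alert(1)</script>"
    evil_link = "javascript:alert(document.cookie)"
    print(render_profile_unsafe(evil_name, evil_link))
    print("---")
    print(render_profile_safe(evil_name, evil_link))
```

    The href case is the one most often missed: html.escape() alone leaves javascript:alert(1) perfectly intact, because it contains no characters that need escaping; only a scheme allow-list closes that context. The same applies in reverse for the script block, where HTML escaping would corrupt the value without preventing a break-out via a closing tag.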

  • Banking Trojans

  • Questions?
