Application Security - Enterprise...

Post on 05-Apr-2018


Application Security – Enterprise Strategies

K. K. Mookhey, CISA, CISSP, CISM, Principal Consultant

www.niiconsulting.com

Agenda

• The Biggest Hack in History

• How the Cookie Crumbles?

• Answers!

Speaker Introduction

• Founder & Principal Consultant, Network Intelligence

• Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009

• Co-author of books on the Metasploit Framework (Syngress) and Linux Security & Controls (ISACA)

• Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)

• Conducted numerous pen-tests, application security assessments, forensics, etc.

THE BIGGEST HACK IN HISTORY

Gonzalez, TJX and Heart-break-land

• >200 million credit card numbers stolen

• Heartland Payment Systems, TJX, and 2 US national retailers hacked

• Modus operandi

– Visit retail stores to understand workings

– Analyze websites for vulnerabilities

– Hack in using SQL injection

– Inject malware

– Sniff for card numbers and details

– Hide tracks

The hacker underground

• Albert Gonzalez

– a/k/a “segvec,”

– a/k/a “soupnazi,”

– a/k/a “j4guar17”

• Malware, scripts and hacked data hosted on servers in:

– Latvia

– Netherlands

• IRC chats

– March 2007: Gonzalez “planning my second phase against Hannaford”

– December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”

[Map labels on slide: Ukraine, New Jersey, California]

Where does all this end up?

• IRC channels: #cc, #ccards, #ccinfo, #ccpower, #ccs, #masterccs, #thacc, #thecc, #virgincc

• Commands used on IRC

– !cardable

– !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk

TJX direct costs

• $24 million to Mastercard

• $41 million to Visa

• $200 million in fines/penalties

Cost of an incident

• $6.6 million average cost of a data breach

• From this, cost of lost business is $4.6 million

• More than $200 per compromised record

On the other hand:

• Fixing a bug costs $400 to $4000

• Cost increases exponentially as time lapses

How the Cookie Crumbles


Betting blind!

• DB Name

• Table Names

• User IDs

• Table Structure

• Data

Net Result

Enterprise Owned!

Other aspects

App2App Communication

• App2App interaction requires an authentication process

– Calling application needs to send credentials to target application

• Common use cases

– Applications and Scripts connecting to databases

– 3rd Party Products accessing network resources

– Job Scheduling

– Application Server Connection Pools

– Distributed Computing Centers

– Application Encryption Key Management

– ATM, Kiosks, etc.

Answers!

Technology Solutions

• Web Application Firewalls

• Privileged Identity Management Suites

• Application-Aware Firewalls

• Application-Aware SIEMs

• Database Access Management Solutions

Before we get to the technology…

Application Security – Holistic Solution

[Lifecycle diagram on slide: Design → Develop/Manage → Test → Train]

Secure Design

• Secure Designing Models

• Client Inputs

• Client Education

• Threat Modeling

– Vulnerability Classification – STRIDE

– Risk Classification – DREAD

• Microsoft’s Threat Modeling Tool

Secure Coding Overview

Secure coding isn’t taught in school

• Homeland Security's Build Security In Maturity Model (BSIMM)

• Microsoft's Security Development Lifecycle (SDL)

• OpenSAMM (Software Assurance Maturity Model)

• OWASP Secure Coding Guides

Secure Coding Principles

1. Minimize attack surface area

2. Establish secure defaults

3. Principle of least privilege

4. Principle of defense in depth

5. Fail securely

6. Don’t trust input – user or services

7. Separation of duties

8. Avoid security by obscurity

9. Keep security simple

10. Fix security issues correctly
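The following Python is an added example, not code from the slides or from Network Intelligence. It shows principles 3, 5 and 6 (and, as a by-product, 4) applied to the kind of web-facing database lookup that SQL injection abuses in the TJX story: a string-built query beside its parameterized, input-validated replacement, with the application's database connection restricted to the two columns it needs. The in-memory SQLite database, the `users` table, the sample rows and the function names are all constructed for this example; the sqlite3 authorizer stands in for a restricted database role.

```python
"""Secure-coding principles 3 (least privilege), 5 (fail securely) and
6 (don't trust input) applied to a user lookup.

Added example, not from the original slides. The database, table, rows
and function names are constructed for the demo and run fully offline.
"""
import re
import sqlite3

# Constructed sample rows (not real customer data). is_admin is a column
# the web-facing lookup has no business reading.
SAMPLE_ROWS = [
    ("alice", "alice@example.test", 0),
    ("bob", "bob@example.test", 0),
    ("admin", "admin@example.test", 1),
]

# Allow-list for usernames: principle 6, validate before data reaches SQL.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def least_privilege_authorizer(action, arg1, arg2, dbname, source):
    """sqlite3 authorizer callback: the app connection may only run SELECTs
    that read users.name and users.email. Writes, schema changes and reads
    of any other column are denied. This is the SQLite stand-in for a
    database role granted exactly those two columns (principle 3)."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 == "users" and arg2 in ("name", "email"):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def build_db():
    """In-memory database seeded with the sample rows, then locked down."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    # Privilege is dropped only after setup; from here on the connection
    # behaves like an account that can read two columns and nothing else.
    conn.set_authorizer(least_privilege_authorizer)
    return conn


def lookup_vulnerable(conn, name):
    """The 'before' picture: untrusted input concatenated into SQL."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Validate, parameterize, and deny on any error (principles 5 and 6)."""
    if not USERNAME_RE.fullmatch(name):
        return []  # fail securely: reject, do not try to 'clean' the input
    try:
        return conn.execute(
            "SELECT name, email FROM users WHERE name = ?", (name,)
        ).fetchall()
    except sqlite3.Error:
        return []  # fail securely: an error means 'no match', never 'all rows'


def demo():
    """Run both lookups against the same inputs and report what each exposes."""
    conn = build_db()
    tautology = "' OR '1'='1"  # textbook payload: makes the WHERE clause always true
    union = "' UNION SELECT name, is_admin FROM users --"  # tries to read the restricted column
    results = {
        "vulnerable_rows_for_tautology": len(lookup_vulnerable(conn, tautology)),
        "hardened_rows_for_tautology": len(lookup_hardened(conn, tautology)),
        "hardened_rows_for_alice": lookup_hardened(conn, "alice"),
    }
    try:
        lookup_vulnerable(conn, union)
        results["union_read_blocked_by_least_privilege"] = False
    except sqlite3.DatabaseError:
        # The string-built query was bypassed, but the restricted connection
        # refuses to read is_admin: defense in depth (principle 4).
        results["union_read_blocked_by_least_privilege"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup hands back every row for the tautology input while the hardened one returns nothing, and the column-restricted connection refuses the UNION read even though the vulnerable query let it through; least privilege does not prevent the data exposure, only parameterization does, which is why both controls are needed. In a production DBMS the authorizer corresponds to a database role granted only the columns the application reads, the "Users and Roles" and "Access Control" items under Secure Hosting.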

Vendor Management

• Big names != Good security

• Contractual weaknesses

• Lack of vendor oversight

• No penalties for blatantly buggy code!

Secure Hosting

• Web Security

– Secured web server

– Secured application server – all components

– Web application firewalls

• Database Security

– Security Patches

– Users and Roles

– Access Control

– Logging

– Password Security

– Database Table Encryption

– Data Masking

• OS Security

– Security Patches

– Users and Groups

– Access Control

– Security Policies

– Secured Login

– Logging

Secure Testing

• Security testing options

– Blackbox

– Greybox

– Whitebox

– Source Code Review

• OWASP Top Ten (www.owasp.org)

• OWASP Testing Guide

• Tools of the trade

– Open source – Wikto, Paros, Webscarab, Firefox plugins

– Commercial – Acunetix, Cenzic, Netsparker, Burpsuite

Training

• Back to basics

• Natural thought process

• Look at larger picture

• Make it fun

• Giving back to the community

Application Security Vision

[Lifecycle diagram on slide: Design → Develop/Manage → Test → Train]

Thank you! Questions?

kkmookhey@niiconsulting.com

Information Security Consulting Services

Institute of Information Security