Web Applications: Perspective of a Hacker - Challenges for Continental
Thomas Ullrich (CSO), Dr. Bernhard Thomas (CTO)
2012-09-14
IT Security Overview: Agenda
• Introduction Continental
• Attackers, Threats and Vulnerabilities
• Introduction IT Security @ Continental
• Web Pentests
2 © Continental AG
Our Vision: Your Mobility. Your Freedom. Our Signature.
Highly developed, intelligent technologies for mobility, transport and processing make up our world.
We want to provide the best solutions for each of our customers in each of our markets.
All of our stakeholders will thus come to recognize us as the most value-creating, highly reliable and respected partner.
Continental Corporation: Overview 2011
• Since 1871 with headquarters in Hanover, Germany
• Sales of €30.5 billion
• 163,788 employees worldwide
• 269 locations in 46 countries
• One of the top 5 in the automotive supplier industry
* pro forma; status: December 31, 2011
Continental – Achieving Success From Inner Strength: Our Values
Our four values form the basis of our joint actions.
Together with our vision and mission, our values stand for what drives us forward and how we want to work together.
None of the values takes precedence over any of the others – all four are of equal importance for our sustained success.
We live out our values on a day-to-day basis, bringing our own behaviour into line with them − all employees are role models for their fellow colleagues as well as for business partners, customers and all other stakeholders.
IT Security: Attackers – Threats – Goals
[Diagram: Attackers (Criminals, Hacktivists, Nations/States) pose Threats to the security Goals Confidentiality, Integrity and Availability.]
Availability: Information in IT systems is available to authorized persons when required.

IT Security: The Enemy – „The bad guys“
Criminals
• money mules, packet mules
• hacking to make money
• stealing data in order to sell it
• buying and selling infected computers
Hacktivists
• Sony (hacked 37 times in 2011 due to one disgruntled customer)
• Anonymous
Nations / States
• China, Russia
• Stuxnet
• APT
“Over the years, the hackers downloaded business plans, research and development reports, employee emails and other documents.”
IT Security: Process for IT Security Management @ Continental
(Each of the four phases is described by its Input, Activity and Output.)

1. Plan & Establish
Input:
• Legal requirements
• Customer requirements
• Business strategy
• IT strategy
• Threat landscape
Activity:
• Define scope, boundaries and principles of ISMS
• Define and document security organization, processes and controls in security policy
• Get management* approval of ISMS
Output:
• ISMS scope and principles (statement of applicability)
• Management approval
• Security policy (policies and manuals) documenting security organization, security processes and security controls

2. Implement
Input:
• ISMS scope and principles
• Management approval
• Security policy
Activity:
• Get approval of security policy
• Publish and train security policy
• Implement security organization**, security processes and security controls
Output:
• Approved and published security policy
• Security plan and implementation of information security organization, processes and controls

3. Monitor & Review
Input:
• Security policy
• Security controls
Activity:
• Monitor security controls
• Conduct security audits
• Analyze changes in threat landscape
• Review ISMS
Output:
• Security metrics regarding operation of security controls
• Security audit reports including location audits, screenings and penetration tests
• Activities and actions resulting from audits

4. Maintain & Improve
Input:
• Security metrics
• Security audit reports and activity list
• Changes in requirements
Activity:
• Manage security exceptions
• Implement activities from audits
• Evaluate if security organization, processes and controls are still applicable
• Communicate to stakeholders
Output:
• Records of changes in security organization, processes and controls due to new requirements
• Information security enhancement plan
• Log of security exceptions

*) Executive board (for all Core Processes)
**) incl. management of resources
IT Security: Framework
• Security Rules (Policies, Manuals, Appendices)
• Security Organisation
• Risk Management
• Security Awareness
• Defense-In-Depth: Security Measures on Multiple Layers (Physical, Network, System, Application, Content)
IT Security: The Attack Process Approach
1. Reconnaissance: Gathering information about the target
2. Enumeration / Scanning: Finding areas of attack for targets
3. Exploitation: Attacking vulnerabilities
4. Documentation: Delivering report / Selling data
IT Security: Target application
• Application environment for tires to manage rewards for tire dealers
• Users are tire dealers
• Has a connection to SAP backend systems
To be tested (black box approach, only URLs are given):
• Can a non-tire-dealer access the app?
• Can a tire dealer access the data of his competitor?
• Can data be falsified (to „steal“ rewards)?
• Is the system vulnerable to denial of service attacks?
• Is it possible to get to the backend through web app vulnerabilities?
IT Security: Vulnerabilities to be evaluated
Vulnerabilities that need to be analysed are not specific to Continental.
A typical list of vulnerabilities can be found at the Open Web Application Security Project (OWASP):
• Injection (especially SQL and LDAP)
• Cross Site Scripting
• Weak authentication and session management
• Insecure direct object reference
• Cross Site Request Forgery
• Security Misconfiguration
• Insufficient Cryptographic Storage
• Failure to restrict URL access
• Insufficient Transport Layer Protection
• Unvalidated redirects and forwards
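To make two entries of the list above concrete, and to tie them back to the test question "Can a tire dealer access the data of his competitor?" from the target application slide, here is an added example that is not part of the presentation and not Continental's code. It models a minimal dealer-rewards backend with an in-memory SQLite table: one handler with an insecure direct object reference (the requested dealer id is trusted and spliced into SQL, so it is injectable as well), and the hardened handler beside it, which scopes the query to the authenticated session and binds the id as a parameter. Table name, dealer names and balances are constructed for this example.

```python
import sqlite3


def build_db():
    """Constructed sample data for this example: two dealers and their reward balances."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dealers (id INTEGER PRIMARY KEY, name TEXT, rewards INTEGER)"
    )
    conn.executemany(
        "INSERT INTO dealers VALUES (?, ?, ?)",
        [(1, "Dealer A", 1200), (2, "Dealer B", 3400)],
    )
    return conn


def rewards_vulnerable(conn, session_dealer_id, requested_dealer_id):
    """Vulnerable handler: returns the rewards row for whatever id the request names.

    Two of the listed vulnerability classes at once:
    - insecure direct object reference: the authenticated dealer (session) is never
      compared with the requested id, so dealer 1 can read dealer 2's balance;
    - SQL injection: the id is spliced into the query text instead of being bound,
      so a crafted id changes the query instead of just selecting a row.
    """
    sql = f"SELECT name, rewards FROM dealers WHERE id = {requested_dealer_id}"
    return conn.execute(sql).fetchall()


def rewards_hardened(conn, session_dealer_id, requested_dealer_id):
    """Hardened handler: a dealer may only read its own record, via a bound parameter."""
    # Authorization is decided server-side from the session, not from request data.
    if requested_dealer_id != session_dealer_id:
        raise PermissionError("a dealer may only view its own rewards")
    # Parameterized query: the id travels as a value, never as SQL text.
    return conn.execute(
        "SELECT name, rewards FROM dealers WHERE id = ?", (session_dealer_id,)
    ).fetchall()


def competitor_check(handler, conn):
    """Models the pentest question "can a dealer access the data of a competitor?".

    Dealer 1 is logged in and asks for dealer 2's record. Returns True when the
    handler leaks the competitor's data, False when it refuses.
    """
    try:
        rows = handler(conn, 1, 2)
    except PermissionError:
        return False
    return any(name == "Dealer B" for name, _ in rows)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable leaks competitor data:", competitor_check(rewards_vulnerable, db))
    print("hardened leaks competitor data:  ", competitor_check(rewards_hardened, db))
```

The check function is the shape a black-box test takes: log in as one dealer, request another dealer's object, and observe whether the response contains the other dealer's data. Note that the hardened version does not "validate" the requested id against a pattern; it simply ignores client-supplied identity and derives the record from the session, which is the fix for this class of finding regardless of how the id is encoded.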
IT Security: Results of pentest
Result consists of
• a presentation
• a very detailed report with remediation tasks
• support in understanding the issues
There were findings.
Severity, numbers and details will not be given here.
IT Security: How to use Pentests
[Chart: Security Issues by Classification – the more „0“s the better]
• Coverage is reduced to a sample of the complete web app environment.
  Select good target systems („crown jewels“)!
• Only known vulnerabilities will be detected, no 0-day attacks.
  Don't think you are 100% secure after remediation of all vulnerabilities! You will „only“ be more secure!
• A pentest is only effective in a culture of openness and trust.
  If you will be blamed for found vulnerabilities, a pentest is not for you!
  If you pentest only to comply with internal rules, it will not increase IT security!
• A pentest is a spot check at a specific time. Vulnerabilities will change. However, issues based on basic principles can be identified.
  Do not „just“ remediate findings! Learn from the findings and try to remedy general issues!
  Find a pentester that helps you understand and learn from findings!