Benefits of In-depth Security Testing for the Enterprise
we45's CTO, Abhay Bhargav, delivering a talk on the benefits of In-depth Security Testing for the Enterprise at the Bangalore Cyber Security Summit 2011

Benefits of In-depth Security Testing for the Enterprise Presentation Transcript

  • 1. Breaking the Wall.. Benefits of In-Depth Security Testing for the Enterprise. Copyright © we45 Solutions India Pvt. Ltd.
  • 2. we45 - An Introduction • we45 = “we” + Fortify (45) • Focused Information Security Consulting Company • Research-oriented Security Company • Showcased as one of Karnataka’s Top 20 Startups in 2010
  • 3. Yours Truly... • Co-author of ‘Secure Java For Web Application Development’ • CISSP, ISO27001:LA, CISA, GWAPT, CPA • Specialization in Web Application Security • Trainer and Workshop Lead for Security Training Workshops • URL: abhaybhargav.com • we45’s Website: we45.com
  • 4. Why test for Security? • Validation of Controls • Removing the Illusion of Control • Understanding how newer and constantly evolving threats affect your environment • Malicious - People and Code
  • 5. The Gap • Security Tests largely fail because of: • Lack of focus by the testers • Organization - Lack of Awareness and Will • Tools vs Skills
  • 6. Critical Data on IT • Financial Information • Credit Card Information • User Personal Information • Customer Information • Healthcare Information • Other organization-sensitive information - Stored, Processed and Transmitted via IT
  • 7. Disturbing Statistics • 53% of Indian Companies have been victims of cyber attacks • 70% of Enterprise Web Applications are found to be vulnerable • 60%+ of Enterprise Endpoints vulnerable to client-side attacks • Marked Rise in Social Engineering attacks • 75% of Web Applications developed with non-secure coding practices
  • 8. The Solution: In-Depth Security Testing
  • 9. Web Applications • Web Application Security is key with organizations taking extensively to Web 2.0 • E-Commerce, ERP, Salesforce Automation, etc • Application attacks: • Coding Flaws • Business Logic Flaws • Configuration Flaws • Framework-based attacks - Joomla, Drupal • Web Application Security Testing is CRITICAL • Tester should follow best practice methodologies • Business Logic cannot be tested with tools • Application attacks due to non-secure coding practices are massive • Configuration and Deployment oriented attacks are multifold
  • 10. Application Attacks: Case Study
  • 11-14. Application Attacks: Case Study (built up over four slides) • Testing a large infrastructure company’s critical web app • Finding SQL Injection while testing the authentication of a particular application • Database was running with ‘root’ privileges • Later, we found a configuration file in the application server with root username and password to the DB
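The authentication flaw from the case study, as an added example that is not code from the talk: a login lookup that splices user input into the SQL text beside its parameterised form, run against a constructed in-memory SQLite table with one sample account.

```python
import sqlite3

# Constructed sample user table; the plaintext password column is a
# simplification so the focus stays on the shape of the query.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Untrusted input becomes part of the statement: the pattern behind
    # the SQL injection found in the case study's login form.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_hardened(conn, username, password):
    # Parameterised query: input is bound as data and cannot alter the
    # structure of the statement, whatever characters it contains.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# Textbook tautology used only to show the difference between the two
# functions on the same input.
TAINTED = "' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "valid_hard": login_hardened(conn, "alice", "s3cret"),
        "tainted_vuln": login_vulnerable(conn, "alice", TAINTED),
        "tainted_hard": login_hardened(conn, "alice", TAINTED),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'logged in' if result else 'rejected'}")
```

The rest of the case study (a database running as root and its credentials sitting in a config file on the application server) is a separate least-privilege and secrets-handling problem that the query fix does not address; a low-privilege database account limits what any remaining injection can reach.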
  • 15. Servers and Endpoints • Server attacks - The Genesis: • Lack of patching server and kernel-level security updates • Client-Side Software - The new Achilles Heel • Endpoint Security - Insecure Client-side Software, Patches and Browser-based security flaws • Security Testing for Servers and Endpoints is mostly tool-based. • Low Priority given to Client-Side exploits by testers • Non-Secure Configuration of Endpoints results in over 40% of Security Flaws • Internal Security Testing also essential
  • 16. Severe Server and Endpoint Security Vulnerabilities • MS08-067: Critical Flaw in Windows Server allowing an attacker to exploit the system and run his/her code - 43% of Enterprise Endpoints and Servers affected • Adobe Reader code execution flaw where an attacker who exploits it can run commands on the victim’s system - 59% of Enterprise Endpoints found to be affected • Multiple Java Exploits affecting servers and endpoints • and many more.....
  • 17. Network Infrastructure • Network Devices • Have to be tested comprehensively for authentication vulnerabilities - 38% of Network Devices have authentication flaws • Firmware Updates and Security Updates not applied - Compromise the Perimeter • Focus on Depth of Finding, rather than review
  • 18. People: The Weakest Link • People are the easiest targets in a security compromise • Targeted Phishing - Spear Phishing Attacks on the rise with over 56,000 reports • Social Networks and Email: Rife to spread Malware and compromise user endpoints • Browser Security considerations • Companies must consider comprehensive Social Engineering Assessments to identify lapses in User Security Awareness • Organizations’ Assessments must cover security over Web Browsers
  • 19. In Conclusion... • Threats are multifold and evolve constantly • Organizations have to test often to avoid being a vulnerability statistic • Tests have to encompass these elements during the year based on applicability • Testers should be chosen carefully based on skills and not tools • Reporting should be clear and prescriptive, not vague and generic
  • 20. Thank You • URL: www.we45.com • Email: abhay@we45.com • Twitter: @abhaybhargav • abhaybhargav.com