• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
4 Years and 4 Thousand Websites Worth of Vulnerability Assessments: What Have We Learned?
 

4 Years and 4 Thousand Websites Worth of Vulnerability Assessments: What Have We Learned?

on

  • 1,861 views

Citigroup, Sony, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the ...

Citigroup, Sony, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the last year. No company or industry is immune. It doesn't matter if a business is in financial services, retail, education, gaming, social networking, government, telecom, media or travel. Daily headlines tell the stories of millions of lost credit-card numbers, millions of personal information records exposed, and gigabytes worth of intellectual property stolen. The net result – corporate losses in the hundreds of millions, sharp stock price declines, lawsuits, fines and costly downtime. All signs point to a worsening problem, but the big question is, "what can be done about it?"

Over the last 10 years WhiteHat Security has performed vulnerability assessments for hundreds of organizations on over 4,000 of the Internet's most important websites -- identifying the very same issues the bad guys routinely exploit. There is a tremendous amount to be learned from this volume of data. For example, by comparing the characteristic of highly secure websites versus the highly vulnerable we can identify the business practices that work best. Fundamentally, the answer to the software security question can be found through metrics. By carefully tracking and analyzing metrics, very particular key performance indicators (KPIs), an organization can determine where resources would be best invested.

Statistics

Views

Total Views
1,861
Views on SlideShare
1,527
Embed Views
334

Actions

Likes
0
Downloads
39
Comments
0

7 Embeds 334

http://www.realgenekim.me 303
http://realgenekim.squarespace.com 22
http://us-w1.rockmelt.com 3
http://a0.twimg.com 2
http://pasc1978 2
http://www.newsblur.com 1
http://inoreader.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    4 Years and 4 Thousand Websites Worth of Vulnerability Assessments: What Have We Learned? 4 Years and 4 Thousand Websites Worth of Vulnerability Assessments: What Have We Learned? Presentation Transcript

    • 4 Years and 4 Thousand Websites:What Have We Learned aboutHacking Websites? Jeremiah Grossman Founder & Chief Technology Officer © 2011 WhiteHat Security, Inc.
    • Jeremiah Grossman• WhiteHat Security Founder & CTO• An InfoWorld Top 25 CTO• Co-founder of the Web Application Security Consortium• Co-author: Cross-Site Scripting Attacks• Former Yahoo! information security officer © 2011 WhiteHat Security, Inc. 2
    • We shop, bank, pay bills, file taxes, share photos, keep in touch with friends & family, watch movies, play games, and more.Cyber-war Cyber-crime Hacktivism © 2011 WhiteHat Security, Inc. 3
    • How Data Breaches HappenVerizon Business 2010 Data Breach Investigations Report (DBIR):“The majority of breaches and almost all of the datastolen in 2009 (95%) were perpetrated by remoteorganized criminal groups hacking "servers andapplications."Verizon Business 2011 Data Breach Investigations Report (DBIR):“The number of Web application breaches increased lastyear and made up nearly 40% of the overall attacks.“ And this was all before... © 2011 WhiteHat Security, Inc. 4
    • HACKED © 2011 WhiteHat Security, Inc. 5
    • What we SHOULD be learning1) Each and every one of these recent breaches could easily happen to any online business.2) Exploitation of just one website vulnerability is enough to significantly disrupt online business, cause data loss, shake customer confidence, and more.3) Attack techniques of choice are SQL Injection, PHP Local File Include, password reuse, denial of service, and malware; all of which cannot be defended against by firewalls or SSL. None should be considered ‘sophisticated’ by modern standards.4) What makes some of these breaches unique, and why the hacks keep occurring, is that the victimized companies are ‘targeted‘ and their adversaries are relentless.5) Software will always have bugs and by extension, security vulnerabilities. A practical goal for a secure software development lifecycle (SDLC) should be to reduce, not necessarily eliminate, the number of vulnerabilities introduced and the severity of those that remain. © 2011 WhiteHat Security, Inc. 6
    • Where to begin?Hack Yourself First © 2011 WhiteHat Security, Inc. 7
    • WhiteHat Sentinel 400+ enterprises from start-ups to fortune 500 4,500 total sites assessed 357,000 vulnerabilities processed per day 600,000,000 requests per month 10 Terabytes data stored per weekOur infrastructure -- Assessing Over 2,000 websiteshttp://jeremiahgrossman.blogspot.com/2010/09/our-infrastructure-assessing-over-2000.html © 2011 WhiteHat Security, Inc. 8
    • Average annual amount of new serious*vulnerabilities introduced per website by year 1111 795 480 230 148 2007 2008 2009 2010 2011 *  Serious  Vulnerability:  A  security  weakness  that  if  exploited  may  lead  to  breach  or  data  loss  of  a   system,  its  data,  or  users.  (PCI-­‐DSS  severity  HIGH,  CRITICAL,  or  URGENT) © 2011 WhiteHat Security, Inc. 9
    • Average annual amount of new serious* vulnerabilitiesintroduced per website by industry (2010) © 2011 WhiteHat Security, Inc. 10
    • Average annual amount of new serious* vulnerabilitiesintroduced per website by industry by yearBanking 10 76 101 30 30Education 10 144 107 80 86Financial Services 361 361 303 266 140Healthcare 20 109 112 33 104Insurance 154 417 539 80 84IT 328 300 178 111 126Manufacturing - - 33 35 36Retail 2471 1820 1000 404 238Social Networking 113 143 129 71 57Telecommunications - 891 634 215 119 2007 2008 2009 2010 2011 © 2011 WhiteHat Security, Inc. 11
    • WhiteHat Security Top Ten (2010) Percentage likelihood of a website having at least one vulnerability sorted by class © 2011 WhiteHat Security, Inc. 12
    • Top 7 Vulnerabilities by Industry (2010) Percentage likelihood of a website having at least one vulnerability sorted by class © 2011 WhiteHat Security, Inc. 13
    • The security posture of a website must take intoaccount remediation rates and time-to-fix metrics. © 2011 WhiteHat Security, Inc. 14
    • Window of Exposure (2010)Number of days [in a year] a website is exposed to at least oneserious* reported vulnerability. Most websites were exposed to at least one serious* vulnerability every single day of 2010, or nearly so (9-12 months of the year). Only 16% of websites were vulnerable less than 30 days of the year overall. Inc. © 2011 WhiteHat Security, 15
    • Time-to-Fix in Days Cumulative Website Percentage Average Time-to-Fix (Days) © 2011 WhiteHat Security, Inc. 16
    • Remediation Rates by Industry (Trend) A steady improvement in the percentage of reported vulnerabilitiesthat have been resolved during each of the last three years, which now resides at 53%. Progress! © 2011 WhiteHat Security, Inc. 17
    • Why do vulnerabilities go unfixed?• No one at the organization understands or is responsible for maintaining the code.• Development group does not understand or respect the vulnerability.• Lack of budget to fix the issues.• Affected code is owned by an unresponsive third-party vendor.• Website will be decommissioned or replaced “soon.”• Risk of exploitation is accepted.• Solution conflicts with business use case.• Compliance does not require fixing the issue.• Feature enhancements are prioritized ahead of security fixes. © 2011 WhiteHat Security, Inc. 18
    • Testing Speed & Frequency Matters © 2011 WhiteHat Security, Inc. 19
    • Why Do Breaches (and vulnerabilities) Continue to Happen?I don’t think the answer is technical © 2011 WhiteHat Security, Inc. 20
    • The IT Budget GameAsk the CFO where the business invests Applications Host Network Software, development, Servers, desktops, laptops, Routers, switches, network CRM, ERP, etc. etc. admins, etc. © 2011 WhiteHat Security, Inc. 21
    • Typical IT Budget Allocation Applications Host Network Software, development, Servers, desktops, laptops, Routers, switches, network CRM, ERP, etc. etc. admins, etc. © 2011 WhiteHat Security, Inc. 22
    • Ask the CISOSecurity investment to protect the IT assets Applications Host Network Vulnerability management, Firewalls, Network IDS, SSL, Software architecture, system config,patching, monitoring, etc. trainings,testing, etc. etc. © 2011 WhiteHat Security, Inc. 23
    • Typical IT Security Budget Applications Host Network Vulnerability management, Firewalls, Network IDS, SSL, Software architecture, system config,patching, monitoring, etc. trainings,testing, etc. etc. © 2011 WhiteHat Security, Inc. 24
    • Budget PrioritizationThe biggest line item in [non-security] spendingSHOULD match the biggest line item in security. IT IT Security 1 3Applications 2 2 Host 3 1 Network © 2011 WhiteHat Security, Inc. 25
    • Empirical Data Survey [2010] of IT pros and C-level executives from 450 Fortune 1000 companies (FishNet Security)... “Nearly 70% [of those surveyed] say mobile computing is the biggest threat to security today, closely followed by social networks (68%), and cloud computing platforms (35%). Around 65% rank mobile computing the top threat in the next two years, and 62% say cloud computing will be the biggest threat, bumping social networks." The report goes on to say... “45% say firewalls are their priority security purchase, followed by antivirus (39%), and authentication (31%) and anti-malware tools (31%)."http://www.darkreading.com/security-services/167801101/security/perimeter-security/227300116/index.html © 2011 WhiteHat Security, Inc. 26
    • Big Picture“Market-sizing estimates for network security rangeanywhere from $5-8bn, whereas our calculation for theaggregate application security market is about $444m.Despite the spending boost on application securitymandated by the Payment Card Industry Data SecurityStandards (PCI-DSS), it’s still not commensurate with thedemonstrated level of risk.”The Application Security Spectrum (The 451 Group) “...we expect this revenue will grow at a CAGR of 23% to reach $1bn by 2014.” © 2011 WhiteHat Security, Inc. 27
    • Difficult Choices1) Reallocate resources away from firewalls, IDS, anti- virus, etc. towards application security.2) Justify brand-new application security spending.3) Keep the status quo -- breaches continue and get worse. Security is optional, but then again, so is survival. © 2011 WhiteHat Security, Inc. 28
    • Thank You! Blog: http://blog.whitehatsec.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com © 2011 WhiteHat Security, Inc. 29