Owasp e crime-london-2012-final


  • I think the presentation would be perfect for this audience, we normally have a very senior audience (CISO, Head of Information Security, Director of Information Security, etc) who appreciate a presentation that makes them think, confirms that they are going down a similar road to others, or even to reconsider what they are currently doing! At all of the events we have a mixture of technical, operational and strategic presentations, which hopefully provides the delegates who are involved in different job roles an interesting mixture of topics and areas. I believe that your presentation will fit perfectly into the strategic area.
    Here is a link to the previous agenda from the last e-Crime Mid Year meeting in London. I think that some of the topic areas will have evolved, but hopefully it will give you a better picture of the different types of presentation that take place throughout the day and the variety of topics covered. http://www.e-crimecongress.org/forum/website.asp?page=2011agenda
    I have also sat with my manager, Jon Hawes, today and talked through the amends to the presentation bullet points. Jon has suggested the changes below which I hope capture some of the content that the presentation will cover. Please feel free to change these as you wish, as they are only suggestions! It would be great to hear your thoughts.
    Adapting to evolving cyber attack scenarios: a focus on online banking and e-Commerce threats
      - New threats and attacks: how are the types and level of impact that businesses must prepare for changing, and what are the implications for security stakeholders?
      - How can existing measures designed to prevent and detect attacks be improved to mitigate loss and guard against potential business disruption?
      - Structuring application security controls to reduce risk and maximise the value of software security engineering, threat modelling and security testing
      - Preparing for what the future holds as the cyber threat landscape continues to change: tools and techniques that can support enterprise security strategy
    Best wishes, and if you do have any questions please don't hesitate to give me a call,
  • Slide 1 preface: characterise today's threat landscape from the perspective of the threat agents, their motives and their targets. If you are a medium or large bank, chances are you run a site that allows your customers to bank online; this supports rich features and risky transactions such as opening bank accounts, transferring money to external accounts, paying bills, etc. The online banking site also collects and processes sensitive customer information. This data and these transactions are the digital assets sought by potential fraudsters seeking to steal sensitive customer and card data for identity theft, card-not-present transactions and other fraud. If your company runs an e-commerce web site, payments and credit card data are also a target. The main question we are trying to answer is: who are the threat agents, what are their motives, and what are the tools and techniques they use to pursue those motives?
  • Ten years ago: threat agents: script kiddies; motives: becoming famous; severity: occasional denial of service.
    Today: threat agents: cybercriminals and hacktivists; motives: financial and political; severity: identity theft, DDoS, online fraud.
    The scenarios have changed radically in the last ten years, above all the motives, which are now money and profit; the new hackers belong to organisations dedicated to perpetrating crime but also to developing very sophisticated attack tools. The main victims are companies, and in particular the financial sector.
    Financial losses due to malware-based attacks are rising: in the U.S.A. alone, according to data from the FDIC (Federal Deposit Insurance Corporation), during the third quarter of 2009 malware-based online banking fraud rose to over $120 million; in the UK, according to data from the Cards Association, losses from the online banking sector during 2009 totaled 60 million UK pounds.
  • Some percentages, especially data type per incident, do not add up to 100%; that means some data types are not classified (e.g. 81%). Chart legend:
    Incidents: Latest Incidents | Largest Incidents | Most Discussed Incidents | Recently Updated Incidents
    Data Types: CCN | SSN | NAA | EMA | MISC | MED | ACC | DOB | FIN | UNK | PWD | ADD
    Sectors: Biz | Edu | Gov | Med
    Sources: Outside | Inside - Accidental | Inside - Malicious | Inside | Unknown
    Breach Types: Disposal Computer | Disposal Document | Disposal Tape | Disposal Drive | Disposal Mobile | Email | Fax | Fraud SE | Hack | Lost Computer | Lost Document | Lost Drive | Lost Laptop | Lost Media | Lost Mobile | Lost Tape | Missing Document | Missing Laptop | Missing Media | Snail Mail | Stolen Computer | Stolen Document | Stolen Drive | Stolen Laptop | Stolen Media | Stolen Mobile | Stolen Tape | Unknown | Virus | Web
  • These MitB examples also serve to characterise the type of malware and to determine an incident response action.
  • It is interesting to look at the impact as online fraud: usually one talks about account takeover and application fraud or counterfeiting, but online fraud includes a bit of everything.
  • Malware/hacking techniques for theft of data and of online banking sessions (account takeover).

    1. Adapting to evolving cyber attack scenarios: a focus on hacking and malware threats targeting financial applications
       Marco Morana, Global Industry Committee, OWASP Foundation. Email: marco.m.morana@gmail.com, Twitter: marcomorana
       OWASP E-Crime Congress Meeting, 25th October 2012, London UK
       Copyright © 2011 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org
    2. [no slide text extracted]
    3. Presentation Agenda
       PART I: The evolution of the threat landscape for hacking and malware, the impact of data breaches and online fraud
       PART II: How to adapt application security measures, activities and security tools to protect web applications from hacking and malware threats
       PART III: What the future holds as the cyber threat landscape continues to change: processes, skills, tools and techniques that can support enterprise security strategy
    4. PART I: The evolution of the threat landscape for hacking and malware and the impact of data breaches and online fraud
       "If you know your enemy and know yourself you need not fear the results of a hundred battles" - Sun Tzu
    5. Dissecting The Hacking and Malware Threats
       Threat agents: Fraudsters, Cyber criminals, Hacktivists, Cyber Spies, Script Kiddies
       Attacks: DDoS, Social Engineering, SQLi, Phishing, Session Hijacking, Key logging
       Weaknesses: Application Vulnerabilities, Gaps/Weaknesses in security controls
    6. The Evolution of Cyber Threats (threat severity over time, 1995 to 2012)
       1995 - Threats: Basic Intrusions and Viruses. Motives: Testing and Probing Systems and Data Communications. Attacks: Exploiting Absence of Security Controls, Sniffing Data Traffic, Defacing
       2000 - Threats: Script Kiddies, Viruses, Worms. Motives: Notoriety and Fame, Profit from renting Botnet for spamming. Attacks: DoS, Buffer Overflow Exploits, Spamming, Sniffing Network Traffic, Phishing emails with viruses
       2005 - Threats: Fraudsters, Malware, Trojans. Motives: Identity Theft, Online and Credit/Debit Card Fraud. Attacks: SQLi, Sniffing Wireless Traffic, Session Hijacking, Phishing, Vishing, Drive by Download
       2010-2012 - Threats: Hacktivists, Cyber crime, Cyber Espionage, Fraudsters, Malware. Motives: Political, Stealing Company Secrets and Clients Confidential and Credit Card Information for Fraud. Attacks: DDoS, Defacing, Account Take Over/Session Hijacking, SQLi, Spear Phishing, APT, RAT
       WHAT NEXT?
    7. Data Breach Incidents: 2011-2012 Statistics
       1. Threats: hacking and malware are the major causes
       2. Attacks: SQLi and HTTP injection for uploading scripts for remote server commands (also increased by 50% from 2010)
       3. Likelihood: 90% of organizations had at least one data breach over a period of 12 months
       4. Targets: 54% of incidents target web applications
       5. Data lost: login credentials, emails and personally identifiable information are the major data types
       6. Business impact: the average cost of a data breach is estimated at $222 per record
       7. Incident response: the majority of incidents are discovered weeks/months after the time of initial data compromise
       Sources: OSF, DataLossDb.org http://www.datalossdb.org; Ponemon Institute and Juniper Research, June 2011, Perceptions about network security; Ponemon Institute and Symantec Research, March 2012, 2011 Cost of a Data Breach: United States; Verizon Investigative Data Breach Report 2012
    8. Man in the Browser Attacks
    9. Examples of Malware & Hacking Attacks Used for Online And Credit/Debit Card Fraud
       • Account takeover: hijack the web session to take over the victim's bank account and conduct unauthorized transfers of money from the victim's account to a bank account outside the bank
       • Money laundering: transferring money from illegal proceeds (e.g. sale of drugs) into hacked banking accounts
       • Application fraud: using stolen credit card and bank account information for opening bank accounts to steal information from the victim and to make payments
       • Card not present fraud: conducting online purchases with stolen credit card and cardholder data
       • Card counterfeiting: use of credit and debit card data stolen online to counterfeit cards and conduct fraud through ATM/ABM and POS channels
       • Carding: validation of stolen or purchased debit/credit card data such as CCN, PINs, DOBs, ACC# by using online web forms
       • Identity theft: theft of personal data by phishing/social engineering the victim, using malware (e.g. MitB, keyloggers) as well as by logging in to the victim's online banking account
    10. New Technologies Challenge Security And Create Opportunities for New Attack Vectors (Yesterday / Today)
    11. PART II: How to adapt application security measures, activities and security tools to protect web applications from hacking and malware threats
        "To improve is to change; to be perfect is to change often" - Winston Churchill
    12. Identification and Risk Mitigation of Web Application Vulnerabilities
        Manual Penetration Testing | Manual Code Review
        Automated Vulnerability Scanning | Automated Static Code Analysis
    13. Mitigating Hacking and Malware Attacks Against Financial Web Applications
        Client PC and browser based security measures:
          • Awareness of social engineering: alerts and pointed information for customers on phishing and malware threats
          • Secure browser and PC: keep O.S. and browsers up to date, anti-malware, PC used for online banking with no email or Facebook
        Web application security measures:
          • Fixing web application vulnerabilities: SQL injection, XSS, unvalidated redirection, remote command invocations, session management and the rest of the OWASP Top Ten vulnerabilities
          • Validating security of transactions/payments: positive pay, dual verification & authorizations, anomaly and fraud detection
          • Out of band transaction validation/authentication: two-way notification and confirmation via independent mobile/voice channels
          • Prevention and detection measures: strong multi-factor authentication, malicious data filtering/white-listing, web traffic monitoring with WAF and SIEM, behavioral fraud detection
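The two transaction-level controls on slide 13, out-of-band validation bound to the transaction and anomaly/fraud detection, are easiest to understand from working code. The following is an added example written for this page, not code from the presentation or from OWASP; the HMAC-based code construction, the function names, the five-times-median rule and the sample transfers are all constructed here. It shows why a confirmation code that is computed over the beneficiary and amount defeats the Man-in-the-Browser substitution described on slides 8 and 9: the customer's independent device derives the code from what the customer keyed in, the server derives it from what actually arrived, and a silently rewritten request makes the two disagree.

```python
"""Transaction-bound out-of-band confirmation plus simple anomaly rules.

Added illustration of the slide 13 controls "out of band transaction
validation/authentication" and "anomaly and fraud detection"; not code from
the presentation. Names, the HMAC construction and the sample data are all
constructed for this example.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transfer:
    beneficiary: str   # destination sort code and account number, as a string
    amount_pence: int  # integer minor units, so no float rounding


def transaction_code(device_secret: bytes, challenge: str,
                     beneficiary: str, amount_pence: int) -> str:
    """6-digit code bound to the transaction details.

    Computed once on the customer's independent device (card reader or
    authenticator app) from the details the customer keys in, and once more
    on the server from the details it actually received. A Man-in-the-Browser
    that rewrites the beneficiary or amount in transit makes the two differ.
    """
    msg = f"{challenge}|{beneficiary}|{amount_pence}".encode()
    digest = hmac.new(device_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def server_verify(device_secret: bytes, challenge: str,
                  received: Transfer, entered_code: str) -> bool:
    """Server side: recompute over what arrived and compare in constant time."""
    expected = transaction_code(device_secret, challenge,
                                received.beneficiary, received.amount_pence)
    return hmac.compare_digest(expected, entered_code)


def anomaly_flags(history: list[Transfer], new: Transfer) -> list[str]:
    """Two rules of the kind a behavioural fraud engine starts from:
    a beneficiary never paid before, and an amount far above the
    customer's median transfer (threshold chosen for this example)."""
    flags = []
    if new.beneficiary not in {t.beneficiary for t in history}:
        flags.append("new_beneficiary")
    if history and new.amount_pence > 5 * median(t.amount_pence for t in history):
        flags.append("amount_outlier")
    return flags


def process_transfer(device_secret: bytes, challenge: str, intended: Transfer,
                     received: Transfer, history: list[Transfer]) -> dict:
    """End to end: `intended` is what the customer keys into the device,
    `received` is what the server got through the (possibly infected) browser."""
    code = transaction_code(device_secret, challenge,
                            intended.beneficiary, intended.amount_pence)
    return {"accepted": server_verify(device_secret, challenge, received, code),
            "flags": anomaly_flags(history, received)}


# Constructed sample data for one customer.
DEVICE_SECRET = b"per-customer-secret-provisioned-to-device"
CHALLENGE = "8f3a21"  # fresh server nonce per transaction (fixed here for the sample)
HISTORY = [Transfer("20-00-00 11111111", 5000),
           Transfer("20-00-00 11111111", 4500),
           Transfer("20-00-00 11111111", 6000)]
INTENDED = Transfer("20-00-00 11111111", 5000)
# What a MitB trojan might substitute before the request leaves the browser.
TAMPERED = Transfer("99-99-99 00000000", 250000)


def demo() -> dict:
    """Honest request passes with no flags; the tampered one is rejected
    and would be flagged even before the code check."""
    return {
        "honest": process_transfer(DEVICE_SECRET, CHALLENGE, INTENDED, INTENDED, HISTORY),
        "mitb": process_transfer(DEVICE_SECRET, CHALLENGE, INTENDED, TAMPERED, HISTORY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The design point is that the confirmation must cover the transaction content, not just prove possession of the device: a plain one-time password would be entered by the customer for the tampered transfer just as readily, while a code bound to beneficiary and amount fails unless the server saw exactly what the customer intended. The anomaly rules run independently, so a new beneficiary with an outsized amount can be held for review even when the code check is passed.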
    14. PART III: What the future holds as the cyber threat landscape continues to change: skills, tools and techniques that can support enterprise security strategy
        "I do not feel obliged to believe that the same God who has endowed us with sense, reason, and intellect has intended us to forgo their use." - Galileo Galilei
    15. Adapting Application Security Strategy To Hacking and Malware Threats
        People: trained/hired to conduct threat modeling, design secure applications, build secure software and conduct security testing
        Processes: for gathering threat intelligence and analyzing threats and vulnerabilities; risk frameworks for identifying gaps and countermeasures that mitigate malware and hacking risks
        Technologies: effective in protecting against and detecting malware attacks, including security tools for testing applications for new vulnerabilities
    16. Application Security Plan For Protecting Applications from Malware and Hacking
        Move on from tactical processes: Response to Incidents, Catch and Patch for Vulnerabilities
        To strategic security activities: Secure Software Assurance, Governance, Compliance & Risk Management
    18. OWASP References
        • Top Ten Vulnerabilities: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf
        • Testing Guide: https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
        • Development Guide: https://www.owasp.org/index.php/OWASP_Guide_Project
        • Application Threat Modeling: http://www.owasp.org/index.php/Application_Threat_Modeling
        • Open Software Assurance Maturity Model (SAMM): http://www.opensamm.org/
        • Enterprise Security API for JAVA: http://code.google.com/p/owasp-esapi-java/
        • Cheat Sheets: https://www.owasp.org/index.php/Cheat_Sheets
        • OWASP Live CD and Web Application Security: http://appseclive.org/
        • Application Security Guide for CISO (in progress): https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs