Hiding in Plain Sight – The Danger of Known Vulnerabilities
Tal Be’ery, Web Security Research Team Leader


© 2013 Imperva, Inc. All rights reserved.

Confidential
Agenda
§  Introduction
•  Zero-days Vs. Known vulnerabilities

§  The anatomy of a known vulnerability web attack:
Attacking a specific victim
•  Theory
•  Test case analysis: A vulnerable ColdFusion application

§  The anatomy of a known vulnerability web attack:
Mass attacks
•  Theory
•  Test case analysis: Abusing JBOSS

§  Summary & conclusion
§  Q&A
HII Reports
§  Hacker Intelligence Initiative (HII) is focused on
understanding how attackers operate in practice
•  A different approach from vulnerability research

§  Data set composition
•  ~60 real world applications
•  Anonymous proxies

§  More than 24 months of data
§  Powerful analysis system
•  Combines analytic tools with drill down capabilities

Tal Be’ery, Web Research Team Leader
§  Web Security Research Team Leader
at Imperva
§  Holds MSc & BSc degree in CS/EE
from TAU
§  10+ years of experience in IS domain
§  Facebook “white hat”
§  Speaker at RSA, BlackHat, AusCERT
§  Columnist for securityweek.com
§  CISSP

Introduction

The Known Knowns
§  There are known knowns; these are things we know that
we know.
§  There are known unknowns; that is to say, there are
things that we now know we don't know.
§  But there are also unknown unknowns – there are things
we do not know we don't know.
-- Donald Rumsfeld, U.S. Secretary of Defense, February 2002

Security’s Knowns and Unknowns Defined
§  Unknown Unknowns: Zero-Days
A zero-day attack is an attack that exploits a previously unknown
vulnerability in a computer application, meaning that the attack
occurs on "day zero" of awareness of the vulnerability
(Wikipedia http://en.wikipedia.org/wiki/Zero-day_attack)

§  Known Knowns: Known vulnerabilities
Vulnerable components (e.g., framework libraries) can be identified
and exploited
(OWASP
https://www.owasp.org/index.php/Top_10_2013-A9Using_Components_with_Known_Vulnerabilities)

CVE: Managing Known Vulnerabilities
§  Known vulnerabilities are assigned a CVE (Common
Vulnerabilities and Exposures) ID
§  “CVE’s common identifiers make it easier to share data
across separate network security databases and tools,
and provide a baseline for evaluating the coverage of an
organization’s security tools”
(MITRE http://cve.mitre.org/about/index.html)

“Hollywood Style”: Web Site Hacking
Single Site Attack

Hacking
1.  Identify Target
2.  Research Vulnerability
3.  Exploit

https://depot.gdnet.org/cms/gallery//25-iStock_000004333554Medium.jpg

Reality Check: Research Does Not Scale!
Multiple Site Attacks

(Figure: five copies of the single-site sequence, one per target site, each reading: Hacking 1. Identify Target 2. Research Vulnerability 3. Exploit)

Reality Check: Known Exploits Scale!
Multiple Site Attacks

(Figure: five copies of the sequence, one per target site, each reading: Hacking 1. Identify Infrastructure 2. Find Existing Exploit 3. Exploit)

Zero-Days Vs. Known Vulnerabilities
§  Zero-Days get all the glory
•  Technically interesting
•  Give rise to some interesting theoretical
questions: how to defend against the “unknown
unknowns”?

§  But known vulnerabilities are doing
a lot of the damage
•  Provide hackers with a very cost-effective method to exploit applications

http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif

Vulnerability Lifecycle in Reality

Why is Known Vulnerability Exploitation so
Successful?
§  Applications are based mostly on 3rd party code
§  Web applications are no different
•  HTTP Server, Application Server, Plugins, Libraries, etc.

§  Code re-use equals vulnerability re-use
§  Exploits’ code is available for known vulnerabilities

3rd Party Code Provides a Rich Attack
Surface
According to Veracode:
•  Up to 70% of internally developed code originates outside of the
development team
•  28% of assessed applications are identified as created by a 3rd
party

Known Vulnerabilities Disclosure Increases
§  The CVE ID syntax was changed so that more than 10,000
vulnerabilities can be tracked in a single year, starting
in 2014.
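The two slides above, CVE IDs as the handle for known vulnerabilities and the 2014 change to the ID syntax, are the basis of a defender's most useful routine: match an inventory of third-party components against a vulnerability feed. The following is an added example, not code from the deck or from Imperva. It validates CVE IDs under both the old four-digit and the post-2014 variable-length syntax, compares versions as zero-padded tuples, and reports affected components by severity. The inventory and the feed are constructed; CVE-2013-0632 is the ColdFusion CVE the deck names, but its version range here is a placeholder rather than Adobe's advisory data, and the CVE-2014-9999x IDs are placeholders chosen only to exercise five-digit sequence numbers.

```python
import re
from dataclasses import dataclass
from typing import Optional

# CVE ID syntax (MITRE): CVE-<year>-<sequence>. Before 2014 the sequence was
# exactly four digits; since 2014 it may be longer, with leading zeros used
# only to pad a short number up to four digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def is_valid_cve_id(cve_id: str) -> bool:
    """Accept CVE-2013-0632 and CVE-2014-12345; reject CVE-2014-123 and CVE-2014-00001."""
    m = CVE_ID_RE.match(cve_id)
    if not m:
        return False
    seq = m.group(2)
    return len(seq) == 4 or not seq.startswith("0")


def version_key(version: str, width: int = 4) -> tuple:
    """Turn '9.0.1' into the zero-padded tuple (9, 0, 1, 0) so '9.0' < '9.0.1' < '10.0'."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str
    component: str
    affected_from: str        # first affected version (inclusive)
    fixed_in: Optional[str]   # first fixed version (exclusive); None = no fix published
    cvss: float


def is_affected(comp: Component, rec: VulnRecord) -> bool:
    if comp.name.lower() != rec.component.lower():
        return False
    v = version_key(comp.version)
    if v < version_key(rec.affected_from):
        return False
    if rec.fixed_in is not None and v >= version_key(rec.fixed_in):
        return False
    return True


def match_inventory(inventory, feed):
    """Return (component, record) pairs, most severe first; refuse malformed IDs early."""
    findings = []
    for rec in feed:
        if not is_valid_cve_id(rec.cve_id):
            raise ValueError(f"malformed CVE ID in feed: {rec.cve_id!r}")
        for comp in inventory:
            if is_affected(comp, rec):
                findings.append((comp, rec))
    return sorted(findings, key=lambda f: -f[1].cvss)


# Constructed inventory: what an asset review of one application might list.
INVENTORY = [
    Component("ColdFusion", "9.0.1"),
    Component("JBoss AS", "5.1.0"),
    Component("nginx", "1.4.2"),
]

# Constructed feed. The CVE-2013-0632 range is a placeholder, not vendor data;
# the CVE-2014-9999x IDs are placeholders that exercise the post-2014 syntax.
FEED = [
    VulnRecord("CVE-2013-0632", "ColdFusion", affected_from="9.0", fixed_in=None, cvss=10.0),
    VulnRecord("CVE-2014-99999", "JBoss AS", affected_from="5.0", fixed_in="5.1.0", cvss=9.3),
    VulnRecord("CVE-2014-99998", "nginx", affected_from="1.4.0", fixed_in="1.4.3", cvss=7.5),
]


def report(inventory=INVENTORY, feed=FEED):
    """Flat, printable view of the findings: (name, version, CVE, CVSS)."""
    return [(c.name, c.version, r.cve_id, r.cvss) for c, r in match_inventory(inventory, feed)]


if __name__ == "__main__":
    for name, version, cve, cvss in report():
        print(f"{name} {version}: {cve} (CVSS {cvss})")
```

JBoss AS 5.1.0 is not reported because `fixed_in` is exclusive: the component sits exactly on the first fixed version. The ID check matters because a feed entry with a truncated or zero-padded ID would otherwise be silently matched and then fail to resolve when someone looks it up.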

Exploits Are Publicly Available
§  Exploit-DB: http://www.exploit-db.com/

OWASP Top 10 – 2013 Update

New, A9 - Using Known Vulnerable Components

The Anatomy of a Known Vulnerability Web Attack
Attacking a Specific Victim

Attacking a Specific Application: Theory
§  Step 1: Fingerprint the victim application to discover
third party components and infrastructure
§  Step 2: For the discovered components, find known
vulnerabilities and exploits that give the hacker the
desired access level
§  Step 3: Apply the exploit to the victim’s application

The Art of Fingerprinting
Identify a fingerprint in victim application
A fingerprint can be
•  Image
•  URL
•  Content
•  Object Reference
•  Response to a query
•  Etc.

Fingerprinting Example 1: Content Based

The code will usually contain fingerprints of the infrastructure in
use.

Fingerprinting Example 2: URL Based

An administrator interface may be front facing, allowing detection
and login attempts.
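The fingerprinting slides (content, URL, cookies, headers) describe what an outsider can read off a response; the defender's version of the same exercise is to audit your own responses for those leaks before someone else does. The following is an added example, not code from the deck or from Imperva: it parses a raw HTTP response and reports header banners, platform-identifying cookies, a generator meta tag, technology-revealing file extensions such as .cfm, and a front-facing administrator path, then shows the same page with those fingerprints removed. The two responses are constructed; the cookie, extension and admin-path tables are illustrative lists (the /CFIDE/ directory is the one the deck refers to, the rest are assumptions).

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind evidence meaning")

# Path prefixes that reveal an administrative interface on the public side
# (constructed list; /CFIDE/ is the ColdFusion directory named in the deck).
ADMIN_PATHS = {
    "/CFIDE/administrator": "ColdFusion administrator interface reachable from the front end",
    "/wp-admin": "WordPress administrator interface reachable from the front end",
}
# Session cookie names that identify a platform (constructed list).
COOKIE_HINTS = {"CFID": "ColdFusion session cookie", "CFTOKEN": "ColdFusion session cookie"}
# URL extensions that identify the server-side technology (constructed list).
EXTENSION_HINTS = {"cfm": "ColdFusion", "cfc": "ColdFusion", "jsp": "Java/JSP",
                   "php": "PHP", "aspx": "ASP.NET"}

LINK_RE = re.compile(r"""(?:href|src|action)=["']?([^"'\s>]+)""", re.IGNORECASE)
GENERATOR_RE = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']([^"']+)["']""", re.IGNORECASE)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into [(header-name, value)] and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def audit_response(raw: str):
    """Report every infrastructure fingerprint an outsider could read from this response."""
    headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name in ("server", "x-powered-by", "x-aspnet-version"):
            findings.append(Finding("header", f"{name}: {value}", "version banner in response header"))
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie.upper() in COOKIE_HINTS:
                findings.append(Finding("cookie", cookie, COOKIE_HINTS[cookie.upper()]))
    for generator in GENERATOR_RE.findall(body):
        findings.append(Finding("content", generator, "generator meta tag names the CMS and version"))
    seen_ext = set()
    for link in LINK_RE.findall(body):
        path = link.split("?", 1)[0]
        last = path.rsplit("/", 1)[-1]
        ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
        if ext in EXTENSION_HINTS and ext not in seen_ext:   # one finding per extension
            seen_ext.add(ext)
            findings.append(Finding("content", link, f".{ext} extension identifies {EXTENSION_HINTS[ext]}"))
        for prefix, meaning in ADMIN_PATHS.items():
            if path.lower().startswith(prefix.lower()):
                findings.append(Finding("url", link, meaning))
    return findings


# Constructed response that leaks on every channel the deck lists.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache/2.2.22 (Unix)",
    "Set-Cookie: CFID=12345; path=/",
    "Set-Cookie: CFTOKEN=67890; path=/",
    "Content-Type: text/html",
    "",
    '<html><head><meta name="generator" content="ExampleCMS 4.1"></head>',
    '<body><a href="/index.cfm?page=fleet">Fleet</a>',
    '<a href="/CFIDE/administrator/">Admin</a>',
    '<script src="/js/app.js"></script></body></html>',
])

# Constructed hardened version of the same page: banner removed, opaque cookie
# name, no generator tag, extensionless URLs, admin interface not linked.
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Set-Cookie: session=opaque; path=/; HttpOnly",
    "Content-Type: text/html",
    "",
    '<html><head><title>Fleet</title></head>',
    '<body><a href="/fleet">Fleet</a>',
    '<script src="/js/app.js"></script></body></html>',
])

if __name__ == "__main__":
    for f in audit_response(SAMPLE_RESPONSE):
        print(f"[{f.kind}] {f.evidence}: {f.meaning}")
    print("hardened findings:", audit_response(HARDENED_RESPONSE))
```

Run it over a captured response from your own site (a saved `curl -i` output works) rather than over other people's; the output is a to-do list for the web server configuration, the framework's URL mapping and the placement of the administrator interface behind an access control, not a scanner.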
Test Case: corporatecaronline.com Hack

http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/

Fingerprinting corporatecaronline.com
§  The application is using CFM files

§  What’s a CFM file?

Known Vulnerability for ColdFusion
§  CVE-2013-0632

§  Reported in January 2013
§  A “perfect 10” risk score

Public Exploit for CVE-2013-0632

http://downloads.securityfocus.com/vulnerabilities/exploits/57164.rb
ColdFusion Attacks in the Wild
§  Data collected in October 2013
§  More than 4,000 attacks
§  Attacking various resources within the CFIDE directory

The Anatomy of a Known Vulnerability Web Attack
Mass Hacking

Mass Hacking: Theory
§  Step 1: Find a public exploit for an infrastructure component
•  The infrastructure is shared by many applications
•  The exploit is “powerful”: usually full server takeover

§  Step 2: Create a search query to identify vulnerable
applications on the web
•  Such queries are often called “Google Dorks”

§  Step 3: Apply the exploit to all of the vulnerable
applications

Mass Hacking - Finding a Vulnerability
Find a vulnerability in an infrastructure

Source: www.exploit-db.com

Public vulnerability databases contain thousands of web
related exploits

Google Dork for the Masses
§  Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)
§  Results: 144,000

Test Case: JBoss Based Hack
§  An open source application server

http://www.jboss.org/jbossas
Known Vulnerability for JBoss
§  Presented during the OWASP Bay Area Chapter Meeting
in November 2011

http://www.matasano.com/research/OWASP3011_Luca.pdf

Exploit for the Known Vulnerability
§  The exploit was publicly published in September 2013

http://www.exploit-db.com/exploits/28713/
Google Dorking for Vulnerable JBoss
§  In 2011: 7,370 results

§  In 2013: 23,100 results

Hackers Apply the Attack
§  Many websites report being hit by the attack, which leaves
a “pwn.jsp” web shell deployed on the server
§  The web shell allows the attacker to execute arbitrary OS commands
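Both campaigns the deck reports, the October 2013 ColdFusion attacks against resources under the CFIDE directory and the JBoss attacks that leave a pwn.jsp web shell behind, are visible in ordinary web server access logs. The following is an added example, not code from the deck or from Imperva: it parses combined-format access log lines, flags requests to the two indicators the deck names, grades each hit by whether the server actually served the resource, and counts hits per source address. The log lines are constructed; the specific CFIDE sub-paths in them are illustrative, and the rule list is the minimum needed for the two indicators on the page, to be extended from your own findings.

```python
import re
from collections import Counter, namedtuple

Alert = namedtuple("Alert", "src_ip method path status rule severity")

# Apache/nginx "combined" access log format: ip ident user [time] "req" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Detection rules: (rule name, regex over the request path). /CFIDE/ is the
# ColdFusion directory the deck reports being hit; pwn.jsp is the web shell name
# it reports for the JBoss campaign. IGNORECASE catches case-varied probes on
# servers with case-insensitive file systems.
RULES = [
    ("coldfusion-cfide-access", re.compile(r"^/CFIDE/", re.IGNORECASE)),
    ("jboss-webshell-pwn-jsp", re.compile(r"/pwn\.jsp$", re.IGNORECASE)),
]


def parse_line(line):
    """Return (ip, method, path, status) or None for a line that is not a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _timestamp, method, target, status = m.groups()
    path = target.split("?", 1)[0]          # drop the query string before matching
    return ip, method, path, int(status)


def analyze(lines):
    """Run every rule over every request; one alert per matching request."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, status = parsed
        for name, pattern in RULES:
            if pattern.search(path):
                # A 2xx/3xx answer means the resource exists and responded: the
                # server is exposed or already carries the shell. 4xx is a probe.
                severity = "high" if status < 400 else "medium"
                alerts.append(Alert(ip, method, path, status, name, severity))
                break
    return alerts


def by_source(alerts):
    """Hits per source address, the first thing to pivot on during triage."""
    return dict(Counter(a.src_ip for a in alerts))


# Constructed sample log, using documentation IP ranges.
LOG_LINES = [
    '203.0.113.7 - - [14/Oct/2013:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/Oct/2013:10:01:05 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 3044',
    '203.0.113.7 - - [14/Oct/2013:10:01:09 +0000] "GET /cfide/some/resource.cfm HTTP/1.1" 404 512',
    '198.51.100.23 - - [14/Oct/2013:11:42:00 +0000] "GET /images/logo.png HTTP/1.1" 200 8891',
    '198.51.100.23 - - [14/Oct/2013:11:42:03 +0000] "GET /pwn.jsp HTTP/1.1" 404 231',
    '198.51.100.23 - - [14/Oct/2013:11:42:07 +0000] "POST /pwn.jsp HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    alerts = analyze(LOG_LINES)
    for a in alerts:
        print(f"{a.severity:6} {a.src_ip:15} {a.method} {a.path} -> {a.status} [{a.rule}]")
    print("hits per source:", by_source(alerts))
```

The severity split is the useful part: a 404 for `/pwn.jsp` tells you someone is scanning for the shell, a 200 for a `POST` to it tells you the shell is installed and in use, and the two call for very different responses.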

Summary & Conclusion

Vendor’s Patches Are Not Enough (1)
§  Security does not necessarily know all components
§  Security does not necessarily know all vulnerabilities for
components
•  Not everything is reported as CVE

§  Vendor patches may not be available
•  System reached End of Support (EoS)
•  Open source product with no SLA

Vendor’s Patches Are Not Enough (2)
§  Patch installation requires testing before deploying
•  Patch may be problematic
•  Patch may break custom functionality

Recommendations
When a company builds its security model, it usually does
not take into account elements that are not under its control,
and that gap creates the security hole.
Companies should:
§  Implement policies both on the legal and technical
aspects to control data access and data usage
§  Require third party applications to accept your security
policies and put proper controls in place
§  Monitor the enforcement of these policies

Technical Recommendations
§  Assume third-party code – coming from partners,
vendors, or mergers and acquisitions – contains
serious vulnerabilities
§  Pen test before deployment to identify these issues
§  Deploy the application behind a WAF to
•  Virtually patch pen test findings
•  Mitigate new risks (unknown at pen test time)
•  Mitigate issues the pen tester missed
•  Use cloud WAF for remotely hosted applications

§  Apply vendor patches, when possible
§  Virtually patch newly discovered CVEs

Virtual Patching Check List
§  Virtually patch newly discovered CVEs

§  Requires a robust security update service
•  Timely: attackers are very quick to incorporate newly
discovered exploits into their attack tools
•  Coverage: covers all relevant vulnerabilities in the relevant
domain
•  Accurate: tested for false positives
•  Secured by default:
§  Automatically loaded into the protecting system
§  No need to reboot
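The technical recommendations and the checklist above describe a WAF-style virtual patch: a rule keyed to a CVE, loaded without a restart, and tested against known-good traffic before it is allowed to block. The following is an added example, not code from the deck or from Imperva's products: a minimal rule engine whose `load_rules` installs rules from a signature update while the engine keeps serving, rejects any rule that fires on a set of benign sample requests (the "tested for false positives" item), and supports a per-rule source-network exemption so that an administrator path can be blocked from the internet but not from the internal network. The rule names, the JSON layout, the benign samples and the network ranges are constructed; CVE-2013-0632 is the ColdFusion CVE the deck names, CVE-2014-99999 is a placeholder.

```python
import ipaddress
import json
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    src_ip: str = "203.0.113.1"      # default: an external documentation address


@dataclass
class Rule:
    rule_id: str
    cve: str
    path_regex: re.Pattern
    methods: frozenset                # empty = any method
    allow_src: tuple                  # networks exempt from the rule, e.g. the admin VPN

    def matches(self, req: Request) -> bool:
        if self.methods and req.method not in self.methods:
            return False
        if not self.path_regex.search(req.path):
            return False
        src = ipaddress.ip_address(req.src_ip)
        return not any(src in net for net in self.allow_src)


class VirtualPatcher:
    """Holds the active rule set; load_rules() swaps rules in while traffic keeps flowing."""

    def __init__(self, benign_samples):
        self.rules = {}
        self.benign_samples = list(benign_samples)   # traffic a rule must never match

    def load_rules(self, json_text: str):
        """Install rules from a signature update. Returns the ids of rules rejected
        because they fired on known-good traffic; accepted rules are live at once."""
        rejected = []
        for raw in json.loads(json_text):
            rule = Rule(
                rule_id=raw["id"],
                cve=raw.get("cve", "n/a"),
                path_regex=re.compile(raw["path_regex"], re.IGNORECASE),
                methods=frozenset(raw.get("methods", [])),
                allow_src=tuple(ipaddress.ip_network(n) for n in raw.get("allow_src", [])),
            )
            if any(rule.matches(req) for req in self.benign_samples):
                rejected.append(rule.rule_id)
                continue
            self.rules[rule.rule_id] = rule          # no restart, no reboot
        return rejected

    def inspect(self, req: Request) -> Optional[str]:
        """Return the id of the first rule that would block this request, or None."""
        for rule in self.rules.values():
            if rule.matches(req):
                return rule.rule_id
        return None


# Constructed known-good requests recorded from the application's normal traffic.
BENIGN_SAMPLES = [
    Request("GET", "/index.cfm"),
    Request("POST", "/login.cfm"),
    Request("GET", "/images/logo.png"),
]

# Constructed signature update. The third rule is deliberately too broad
# (it would block every .cfm page) and must be rejected by the accuracy check.
SIGNATURE_UPDATE_1 = r"""[
  {"id": "VP-CVE-2013-0632", "cve": "CVE-2013-0632", "path_regex": "^/CFIDE/",
   "allow_src": ["10.0.0.0/8"]},
  {"id": "VP-JBOSS-WEBSHELL", "path_regex": "/pwn\\.jsp$"},
  {"id": "VP-TOO-BROAD", "path_regex": "\\.cfm$"}
]"""

# A later update, loaded into the running engine (placeholder CVE and path).
SIGNATURE_UPDATE_2 = r"""[
  {"id": "VP-CVE-2014-99999", "cve": "CVE-2014-99999",
   "path_regex": "^/example-admin/", "methods": ["POST"]}
]"""

if __name__ == "__main__":
    vp = VirtualPatcher(BENIGN_SAMPLES)
    print("rejected:", vp.load_rules(SIGNATURE_UPDATE_1))
    print(vp.inspect(Request("GET", "/CFIDE/administrator/", "203.0.113.7")))
    print(vp.inspect(Request("GET", "/CFIDE/administrator/", "10.1.2.3")))
    print("rejected:", vp.load_rules(SIGNATURE_UPDATE_2))
    print(vp.inspect(Request("POST", "/example-admin/run")))
```

The benign sample set is what makes the "Accurate" item concrete: a rule is only as safe as the traffic it was tested against, so the samples should be refreshed from real logs whenever the application changes, or the next update will reject rules that were fine last month or accept ones that are not.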

www.imperva.com

 
Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)
 
The Value of Crowd-Sourced Threat Intelligence
The Value of Crowd-Sourced Threat IntelligenceThe Value of Crowd-Sourced Threat Intelligence
The Value of Crowd-Sourced Threat Intelligence
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Application security
Application securityApplication security
Application security
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
 
PHP SuperGlobals: Supersized Trouble
PHP SuperGlobals: Supersized TroublePHP SuperGlobals: Supersized Trouble
PHP SuperGlobals: Supersized Trouble
 
Gg2511351142
Gg2511351142Gg2511351142
Gg2511351142
 
Gg2511351142
Gg2511351142Gg2511351142
Gg2511351142
 
Code protection
Code protectionCode protection
Code protection
 

More from Imperva

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyImperva
 
API Security Survey
API Security SurveyAPI Security Survey
API Security SurveyImperva
 
Imperva ppt
Imperva pptImperva ppt
Imperva pptImperva
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountImperva
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Imperva
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesImperva
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchImperva
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecurityImperva
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRImperva
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware Imperva
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged VendorsImperva
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet SophisticationImperva
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made EasyImperva
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceImperva
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyImperva
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR PlanImperva
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataImperva
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityImperva
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2: New attacks on the Internet’s Next Generation FoundationHacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationImperva
 

More from Imperva (20)

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 Survey
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
Imperva ppt
Imperva pptImperva ppt
Imperva ppt
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked account
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over Lunch
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber Security
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPR
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet Sophistication
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made Easy
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense Report
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat Intelligence
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR Plan
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your Data
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data Security
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2: New attacks on the Internet’s Next Generation FoundationHacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 

Recently uploaded

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Recently uploaded (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Hiding in Plain Sight: The Danger of Known Vulnerabilities

1. Hiding in Plain Sight – The Danger of Known Vulnerabilities
Tal Be’ery, Web Security Research Team Leader
© 2013 Imperva, Inc. All rights reserved. Confidential

2. Agenda
§  Introduction
•  Zero-days vs. known vulnerabilities
§  The anatomy of a known vulnerability web attack: attacking a specific victim
•  Theory
•  Test case analysis: a vulnerable ColdFusion application
§  The anatomy of a known vulnerability web attack: mass attacks
•  Theory
•  Test case analysis: abusing JBoss
§  Summary & conclusion
§  Q&A

3. HII Reports
§  The Hacker Intelligence Initiative (HII) is focused on understanding how attackers operate in practice
•  A different approach from vulnerability research
§  Data set composition
•  ~60 real-world applications
•  Anonymous proxies
§  More than 24 months of data
§  Powerful analysis system
•  Combines analytic tools with drill-down capabilities

4. Tal Be’ery, Web Research Team Leader
§  Web Security Research Team Leader at Imperva
§  Holds MSc & BSc degrees in CS/EE from TAU
§  10+ years of experience in the IS domain
§  Facebook “white hat”
§  Speaker at RSA, BlackHat, AusCERT
§  Columnist for securityweek.com
§  CISSP

5. Introduction

6. The Known Knowns
§  There are known knowns; these are things we know that we know.
§  There are known unknowns; that is to say, there are things that we now know we don't know.
§  But there are also unknown unknowns – there are things we do not know we don't know.
-- Donald Rumsfeld, U.S. Secretary of Defense, February 2002

7. Security’s Knowns and Unknowns Defined
§  Unknown unknowns: zero-days
A zero-day attack is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability (Wikipedia http://en.wikipedia.org/wiki/Zero-day_attack)
§  Known knowns: known vulnerabilities
Vulnerable components (e.g., framework libraries) can be identified and exploited (OWASP https://www.owasp.org/index.php/Top_10_2013-A9Using_Components_with_Known_Vulnerabilities)

8. CVE: Managing Known Vulnerabilities
§  Known vulnerabilities are assigned a CVE (Common Vulnerabilities and Exposures) ID
§  “CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools” (MITRE http://cve.mitre.org/about/index.html)
9. “Hollywood Style”: Web Site Hacking
Single site attack:
1.  Identify target
2.  Research vulnerability
3.  Exploit
https://depot.gdnet.org/cms/gallery//25-iStock_000004333554Medium.jpg

10. Reality Check: Research Does Not Scale!
Multiple site attacks – the same three steps have to be repeated for every target:
1.  Identify target
2.  Research vulnerability
3.  Exploit

11. Reality Check: Known Exploits Scale!
Multiple site attacks – the research step is replaced by a lookup, repeated for every target:
1.  Identify infrastructure
2.  Find existing exploit
3.  Exploit

12. Zero-Days vs. Known Vulnerabilities
§  Zero-days get all the glory
•  Technically interesting
•  Give rise to some interesting theoretical questions: how to defend against the “unknown unknowns”?
§  But known vulnerabilities are doing a lot of the damage
•  Provide hackers with a very cost-effective method to exploit applications
http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif

13. Vulnerability Lifecycle in Reality

14. Why is Known Vulnerability Exploitation so Successful?
§  Applications are based mostly on 3rd-party code
§  Web applications are no different
•  HTTP server, application server, plugins, libraries, etc.
§  Code re-use equals vulnerability re-use
§  Exploit code is available for known vulnerabilities

15. 3rd-Party Code Provides a Rich Attack Surface
According to Veracode:
•  Up to 70% of internally developed code originates outside of the development team
•  28% of assessed applications are identified as created by a 3rd party

16. Known Vulnerability Disclosure Increases
§  The CVE ID enumeration syntax was changed to track more than 10,000 vulnerabilities in a single year, starting in 2014.

17. Exploits Are Publicly Available
§  Exploit-DB: http://www.exploit-db.com/

18. OWASP Top 10 – 2013 Update
New: A9 – Using Known Vulnerable Components
19. The Anatomy of a Known Vulnerability Web Attack: Attacking a Specific Victim

20. Attacking a Specific Application: Theory
§  Step 1: Fingerprint the victim application to discover third-party components and infrastructure
§  Step 2: For the discovered components, find known vulnerabilities and exploits that give the hacker the desired access level
§  Step 3: Apply the exploit to the victim’s application

21. The Art of Fingerprinting
Identify a fingerprint in the victim application. A fingerprint can be:
•  Image
•  URL
•  Content
•  Object reference
•  Response to a query
•  Etc.

22. Fingerprinting Example 1: Content Based
The code will usually contain fingerprints of the infrastructure in use.

23. Fingerprinting Example 2: URL Based
An administrator interface may be front-facing, allowing detection and login attempts.
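Steps 1 and 2 of slide 20, with the fingerprint kinds of slides 21 to 23, as an added Python example (not code from the deck or from Imperva). It runs against a constructed sample of what a passive crawl returns (headers, discovered URLs, a page body) rather than a live target. The rule patterns, the CFID/CFTOKEN cookie check, the JBoss header check and the two-entry vulnerability table are assumptions made for the example; the ColdFusion entries only restate what the deck itself cites (the .cfm extension, the CFIDE directory, CVE-2013-0632 and the 57164.rb exploit).

```python
"""Steps 1 and 2 of a targeted known-vulnerability attack, as the defender sees them:
fingerprint a site from what it exposes, then look up public issues for what was found."""
import re
from collections import defaultdict

# Constructed sample of what a passive crawl of a target might collect
# (headers, discovered URLs, a page body). Made up for this example.
SAMPLE_TARGET = {
    "headers": {
        "Server": "Apache",
        "Set-Cookie": "CFID=1234; CFTOKEN=abcd; path=/",
    },
    "urls": [
        "/index.cfm",
        "/reservations/book.cfm?id=7",
        "/CFIDE/administrator/index.cfm",
        "/images/logo.png",
    ],
    "body": '<html><body><form action="login.cfm"></form></body></html>',
}

# (component, evidence kind, regex). The kinds follow the deck's list: URL,
# content and response (here a header). The ColdFusion rules use the .cfm
# extension and the CFIDE directory the deck points at; the CFID/CFTOKEN cookie
# and the JBoss header rule are assumptions added for this example.
RULES = [
    ("Adobe ColdFusion", "url",     re.compile(r"\.cfm(\?|$)", re.I)),
    ("Adobe ColdFusion", "url",     re.compile(r"^/CFIDE/", re.I)),
    ("Adobe ColdFusion", "header",  re.compile(r"\bCFID=|\bCFTOKEN=", re.I)),
    ("Adobe ColdFusion", "content", re.compile(r"\.cfm\b", re.I)),
    ("JBoss AS",         "header",  re.compile(r"\bJBoss", re.I)),
]

# Step 2: component -> public vulnerability / exploit references. Only the
# two references the deck cites are listed; a real tool queries a CVE feed.
KNOWN_VULNS = {
    "Adobe ColdFusion": [("CVE-2013-0632", "public exploit: securityfocus 57164.rb")],
    "JBoss AS": [("exploit-db 28713", "public exploit published September 2013")],
}


def fingerprint(target):
    """Return {component: [(kind, matched value), ...]} for every rule that fires."""
    evidence = defaultdict(list)
    for component, kind, pattern in RULES:
        if kind == "url":
            hits = [u for u in target["urls"] if pattern.search(u)]
        elif kind == "header":
            hits = [f"{k}: {v}" for k, v in target["headers"].items() if pattern.search(v)]
        else:  # content
            hits = [m.group(0) for m in pattern.finditer(target["body"])]
        for h in hits:
            evidence[component].append((kind, h))
    return dict(evidence)


def confirmed_components(evidence, min_kinds=2):
    """Confirm a component only when independent kinds of evidence agree, so a
    single stray cookie or file name does not decide the result."""
    return sorted(c for c, ev in evidence.items()
                  if len({kind for kind, _ in ev}) >= min_kinds)


def known_issues(components):
    """Look up public vulnerability references for the confirmed components."""
    return [(c, ref, note) for c in components for ref, note in KNOWN_VULNS.get(c, [])]


if __name__ == "__main__":
    ev = fingerprint(SAMPLE_TARGET)
    comps = confirmed_components(ev)
    for c in comps:
        print(c, "<-", ev[c])
    for c, ref, note in known_issues(comps):
        print(f"  {c}: {ref} ({note})")
```

Requiring two independent kinds of evidence is the practical point: a single .cfm link or a lone cookie name is a hint, not a fingerprint, and an attacker (or a scanner run on your own estate) wants a confirmed component before spending time on its exploits.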
24. Test Case: corporatecaronline.com Hack
http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/

25. Fingerprinting corporatecaronline.com
§  The application is using CFM files
§  What’s a CFM file? A ColdFusion Markup (.cfm) template, which tells the attacker the site runs on Adobe ColdFusion

26. Known Vulnerability for ColdFusion
§  CVE-2013-0632
§  Reported in January 2013
§  A “perfect 10” risk score (CVSS base score 10.0)

27. Public Exploit for CVE-2013-0632
http://downloads.securityfocus.com/vulnerabilities/exploits/57164.rb

28. ColdFusion Attacks in the Wild
§  Data collected in October 2013
§  More than 4,000 attacks
§  Attacking various resources within the CFIDE directory
29. The Anatomy of a Known Vulnerability Web Attack: Mass Hacking

30. Mass Hacking: Theory
§  Step 1: Find a public exploit for an infrastructure component
•  The infrastructure is relevant to many applications
•  The exploit is “powerful”: usually full server takeover
§  Step 2: Create a search query to identify vulnerable applications on the web
•  Often named “Google dorks”
§  Step 3: Apply the exploit to all of the vulnerable applications

31. Mass Hacking – Finding a Vulnerability
Find a vulnerability in an infrastructure component. Public vulnerability databases contain thousands of web-related exploits.
Source: www.exploit-db.com

32. Google Dork for the Masses
§  Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)
§  Results: 144,000
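The defensive counterpart to step 2 of slide 30 is to run the published dork against your own URL inventory before the search engine does it for the attacker. The following is an added Python example, not code from the deck or from Imperva: it parses the dork quoted on slide 32 into clauses and applies them offline to a constructed list of URLs such as a crawl or sitemap of your own site would produce. The inventory, the example.com host and the operator semantics (inurl as substring match, ext/filetype on the last path segment, site on the host) are assumptions for the example.

```python
"""Run a published search-engine dork against your own URL inventory, offline."""
import re
from urllib.parse import urlparse

# The dork quoted on the slide.
DORK = "inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)"

# Constructed inventory: what a crawl of your own site or its sitemap might
# return. Made up for this example; example.com is a placeholder host.
INVENTORY = [
    "https://www.example.com/",
    "https://www.example.com/wp-config.php",
    "https://www.example.com/backup/wp-config.txt",
    "https://www.example.com/old/wp-config.conf",
    "https://www.example.com/docs/readme.txt",
    "https://www.example.com/wp-config.php.bak",
]

# op:(a | b | c) or op:value
TOKEN = re.compile(r"(\w+):(?:\(([^)]*)\)|(\S+))")


def parse_dork(dork):
    """'op:(a | b) op2:c' -> [('op', ['a', 'b']), ('op2', ['c'])].
    Operators are ANDed, the alternatives inside parentheses are ORed."""
    clauses = []
    for op, group, single in TOKEN.findall(dork):
        alts = group.split("|") if group else [single]
        clauses.append((op.lower(), [a.strip().lower() for a in alts if a.strip()]))
    return clauses


def clause_matches(op, alts, url):
    """Operator semantics as assumed for this example: inurl is a substring match on
    the whole URL, ext/filetype compares the last path segment's extension, site
    matches the host or any subdomain of it."""
    parsed = urlparse(url)
    if op == "inurl":
        return any(a in url.lower() for a in alts)
    if op in ("ext", "filetype"):
        last = parsed.path.lower().rsplit("/", 1)[-1]
        ext = last.rsplit(".", 1)[-1] if "." in last else ""
        return ext in alts
    if op == "site":
        host = (parsed.hostname or "").lower()
        return any(host == a or host.endswith("." + a) for a in alts)
    raise ValueError(f"unsupported operator: {op}")


def dork_hits(dork, inventory):
    """URLs in the inventory that the dork would surface."""
    clauses = parse_dork(dork)
    return [u for u in inventory
            if all(clause_matches(op, alts, u) for op, alts in clauses)]


if __name__ == "__main__":
    for hit in dork_hits(DORK, INVENTORY):
        print("exposed:", hit)
    # The published dork misses this backup; widen the query when you scan yourself.
    for hit in dork_hits("inurl:wp-config ext:bak", INVENTORY):
        print("exposed (wider query):", hit)
```

The second query in the usage block is the caveat: the attacker's dork is tuned for what the attacker wants, so a self-scan should run broader variants (other backup extensions, other config names) rather than only the one that was published.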
33. Test Case: JBoss Based Hack
§  An open source application server
http://www.jboss.org/jbossas

34. Known Vulnerability for JBoss
§  Presented during the OWASP Bay Area Chapter Meeting in November 2011
http://www.matasano.com/research/OWASP3011_Luca.pdf

35. Exploit for the Known Vulnerability
§  The exploit was publicly published in September 2013
http://www.exploit-db.com/exploits/28713/

36. Google Dorking for Vulnerable JBoss
§  In 2011: 7,370 results
§  In 2013: 23,100 results

37. Hackers Apply the Attack
§  Many websites report being hit by the attack, resulting in a “pwn.jsp” web shell deployed on the server
§  The web shell allows the attacker to execute arbitrary OS commands
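Both in-the-wild observations in the deck, the CFIDE probing of slide 28 and the pwn.jsp web shell of slide 37, leave traces in ordinary web server access logs. The following is an added Python example (not code from the deck or from Imperva) that runs that detection over a constructed combined-format log sample: it groups suspicious requests per source and category and rates them, treating a 2xx answer to a web-shell name as evidence the host is already compromised rather than merely probed. The log lines, the extra CFIDE paths and the severity scheme are assumptions for the example; only the CFIDE directory and the pwn.jsp name come from the deck.

```python
"""Find known-vulnerability probing and web-shell traffic in web server access logs."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache/nginx combined-style line: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed access-log sample; the addresses are documentation ranges and the
# paths are made up (only /CFIDE/ and pwn.jsp come from the deck).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Oct/2013:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2013:10:02:11 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2013:10:02:12 +0000] "POST /CFIDE/administrator/login.cfm HTTP/1.1" 500 311 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2013:10:02:13 +0000] "GET /CFIDE/probe.cfm HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Oct/2013:10:03:00 +0000] "GET /reservations/book.cfm?id=7 HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Oct/2013:10:05:40 +0000] "GET /pwn.jsp HTTP/1.1" 404 209 "-" "curl/7.30.0"
192.0.2.44 - - [14/Oct/2013:10:05:41 +0000] "GET /app/pwn.jsp?cmd=id HTTP/1.1" 200 88 "-" "curl/7.30.0"
"""

# Shell file names seen in your own incidents; pwn.jsp is the one the deck reports.
WEBSHELL_NAMES = {"pwn.jsp"}


def classify(path):
    """Map a request path to a detection category, or None for ordinary traffic."""
    p = path.lower()
    if p.startswith("/cfide/"):
        return "coldfusion-cfide"
    if p.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
        return "jsp-webshell"
    return None


def parse_log(text):
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        rec = m.groupdict()
        rec["path"] = urlparse(rec["target"]).path
        rec["status"] = int(rec["status"])
        yield rec


def analyze(text):
    """Aggregate suspicious requests per (source, category) and rate them.
    A 2xx on a web-shell name means the shell answered, i.e. the host is already
    compromised; a 2xx under /CFIDE/ means the console is reachable from outside."""
    buckets = defaultdict(lambda: {"hits": 0, "statuses": set(), "paths": []})
    for rec in parse_log(text):
        cat = classify(rec["path"])
        if cat is None:
            continue
        b = buckets[(rec["ip"], cat)]
        b["hits"] += 1
        b["statuses"].add(rec["status"])
        b["paths"].append(rec["path"])
    findings = []
    for (ip, cat), b in sorted(buckets.items()):
        succeeded = any(200 <= s < 300 for s in b["statuses"])
        if cat == "jsp-webshell" and succeeded:
            severity = "critical"
        elif succeeded:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"ip": ip, "category": cat, "hits": b["hits"],
                         "succeeded": succeeded, "severity": severity, "paths": b["paths"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:14} {f['category']:17} hits={f['hits']} paths={f['paths']}")
```

Status codes carry the distinction that matters for response: a 404 on pwn.jsp is a scanner working through a list, a 200 is a shell that answered, and the second one is an incident, not an alert.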
38. Summary & Conclusion

39. Vendor’s Patches Are Not Enough (1)
§  Security does not necessarily know all components
§  Security does not necessarily know all vulnerabilities for the components
•  Not everything is reported as a CVE
§  Vendor patches may not be available
•  System reached End of Support (EoS)
•  Open source product with no SLA

40. Vendor’s Patches Are Not Enough (2)
§  Patch installation requires testing before deploying
•  Patch may be problematic
•  Patch may break custom functionality

41. Recommendations
When a company builds its security model it usually does not take into account elements that are not under its control, which creates the security hole. Companies should:
§  Implement policies, on both the legal and technical side, to control data access and data usage
§  Require third-party applications to accept your security policies and put proper controls in place
§  Monitor the enforcement of these policies

42. Technical Recommendations
§  Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
§  Pen test before deployment to identify these issues
§  Deploy the application behind a WAF to
•  Virtually patch pen test findings
•  Mitigate new risks (unknown at pen test time)
•  Mitigate issues the pen tester missed
•  Use a cloud WAF for remotely hosted applications
§  Apply vendor patches, when possible
§  Virtually patch newly discovered CVEs
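The "virtually patch" items of slide 42 describe a control placed in front of the application; as an added Python example (not code from the deck, and not how any Imperva product works) here is the smallest honest form of one: a WSGI middleware with rules kept as data, so adding a rule for a new CVE does not mean redeploying the application. It blocks the ColdFusion administrator directory under /CFIDE/ for everyone outside an admin network and blocks the pwn.jsp shell name outright. The 10.0.0.0/8 admin network, the 192.0.2.0/24 proxy range and the exact rule patterns are assumptions for the example; the CFIDE directory and the pwn.jsp name are the deck's.

```python
"""A virtual patch as WSGI middleware: block requests to a vulnerable path before
they reach the application, with rules kept as data so a new CVE means a new rule,
not a redeploy."""
import ipaddress
import posixpath
import re

# (rule name, path pattern, networks allowed to reach it). An empty allow list
# blocks everyone. The ColdFusion rule covers the administrator directory under
# /CFIDE/ that the deck points at; pwn.jsp is the shell name it reports. The
# 10.0.0.0/8 admin network is an assumption for this example.
RULES = [
    ("coldfusion-admin-console", re.compile(r"^/CFIDE/administrator(/|$)", re.I),
     [ipaddress.ip_network("10.0.0.0/8")]),
    ("known-webshell-name", re.compile(r"(^|/)pwn\.jsp$", re.I), []),
]


class VirtualPatch:
    def __init__(self, app, rules=RULES, trusted_proxies=()):
        self.app = app
        self.rules = list(rules)
        self.trusted_proxies = [ipaddress.ip_network(p) for p in trusted_proxies]
        self.log = []  # (client ip, raw path, rule) for every blocked request

    def client_ip(self, environ):
        # Honour X-Forwarded-For only when the peer is a proxy we trust; otherwise
        # the attacker picks the address the allow list sees.
        remote = ipaddress.ip_address(environ["REMOTE_ADDR"])
        xff = environ.get("HTTP_X_FORWARDED_FOR")
        if xff and any(remote in net for net in self.trusted_proxies):
            return ipaddress.ip_address(xff.split(",")[0].strip())
        return remote

    def decide(self, raw_path, ip):
        # Collapse dot segments and repeated slashes so /x/../CFIDE/administrator/
        # and //CFIDE/administrator/ hit the rule. The canonical form must match
        # what the backend does with the path; a patch that decodes less than the
        # application it shields can be walked around.
        path = "/" + posixpath.normpath("/" + (raw_path or "")).lstrip("/")
        for name, pattern, allowed in self.rules:
            if pattern.search(path):
                return ("allow" if any(ip in net for net in allowed) else "block"), name
        return "allow", None

    def __call__(self, environ, start_response):
        ip = self.client_ip(environ)
        verdict, rule = self.decide(environ.get("PATH_INFO", "/"), ip)
        if verdict == "block":
            self.log.append((str(ip), environ.get("PATH_INFO"), rule))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by virtual patch\n"]
        return self.app(environ, start_response)


def backend(environ, start_response):
    """Stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"application\n"]


def simulate(mw, path, remote_addr, xff=None):
    """Drive the middleware with a hand-built WSGI environ; return the status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    if xff:
        environ["HTTP_X_FORWARDED_FOR"] = xff
    status = {}

    def start_response(line, headers, exc_info=None):
        status["line"] = line

    b"".join(mw(environ, start_response))
    return status["line"]


if __name__ == "__main__":
    mw = VirtualPatch(backend, trusted_proxies=["192.0.2.0/24"])
    print(simulate(mw, "/CFIDE/administrator/index.cfm", "203.0.113.9"))  # 403 Forbidden
    print(simulate(mw, "/CFIDE/administrator/index.cfm", "10.1.2.3"))     # 200 OK
    print(simulate(mw, "/app/pwn.jsp", "10.1.2.3"))                       # 403 Forbidden
```

Two details decide whether such a patch holds. The rule is scoped to the administrator path rather than all of /CFIDE/, because the directory also serves files the application itself loads; and the source address is taken from X-Forwarded-For only behind a proxy you trust, since a client-supplied header would let anyone claim an internal address.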
43. Virtual Patching Check List
§  Virtually patch newly discovered CVEs
§  Requires a robust security update service
•  Timely: attackers are very quick to onboard newly discovered exploits into their hacking code
•  Coverage: cover all relevant vulnerabilities in the relevant domain
•  Accurate: tested for false positives
•  Secured by default:
§  Automatically loaded into the protecting system
§  No need to reboot

44. www.imperva.com