How websites are attacked
Understanding and responding to the five phases of web application abuse

Published in: Technology
  • Welcome to this Webinar brought to you by Mykonos Software.

    Today’s presentation titled “How Web Applications are Attacked” looks at “Understanding and Responding to the Five Phases of Web Application Abuse”.

    My name is Edward Roberts and I’ll be the moderator for this event.

    For those of you who are new to Mykonos Software, we are helping companies understand how Web applications are abused by criminal attackers to steal data, commit fraud or even use company bandwidth for unintended tasks.

    The Mykonos Security Appliance detects malicious abuse of web applications before the damage is done. This software solution profiles the abuse through intelligence gathering and responds to any abuse in real-time ultimately preventing data theft, fraudulent behavior and misuse of your Web properties.
  • You are in listen only mode.

    We encourage you to ask questions. We will have time to answer them at the conclusion of the presentation. Please use the panel to submit your questions.

    You can view the slides and watch the webinar again on our website within the next 2-3 days.
  • Al Huizenga, Director of Product Management: Al has 11 years of experience managing, releasing, and marketing Web-based products and technologies in companies such as Cognos Inc., Platform Computing, and Panorama Software.

    Kyle Adams, Chief Architect: Has final responsibility for code quality and technical excellence. He is a graduate of the Rochester Institute of Technology, earning a degree in Computer Science with a minor in Criminal Justice. He wrote his first password protection software at age 10, started hacking incessantly, and was writing his own encryption software by age 14. An AJAX expert and enthusiast, Kyle has worked on scores of web application projects.
  • Today’s presentation has three goals
  • I want you to think differently about security.

    I will offer a unique way to think about security by understanding the behavior of an attacker rather than concentrating on packets of data.
  • Secondly, today you will see how hackers attack a website with real-life techniques that will frighten you in their simplicity.
  • And thirdly, we want you to help remove Grandma’s frustration, because the web is frightening enough to her without having to overcome abuse that she can’t even understand.
  • Do you have any visibility into the traffic?
    Do you know what is normal use?
    Do you know what is abusive use?
    Do you know who is introspecting your site?
    Isn’t it time to understand the behavior of all users on your site rather than just monitoring data packets?
  • For too long, applications have been passive, waiting for a malicious user to attack. The future of Web security is creating smart self-defensive applications.
  • It’s time to understand and respond to your web attackers.

    But in order to do those two things first you must be able to identify them before they attack your web application.
  • What is our background with Web application abuse?

    Mykonos Software was incubated within Bluetie, one of the first online email and collaboration SaaS providers, operating since 1999. With over 2 million users, Bluetie sees its fair share of malicious users.

    What kind of abuse occurred?
  • Bluetie would see abuse where fake accounts are created. The Web application would be used as a spam engine.

    Attackers would change the web application code and write a script against it to use the resources of Bluetie rather than go for stealing data.

    It’s a nuisance; it wastes company bandwidth and resources and slows down the product for real, legitimate users.

  • What is Web application Abuse?

    On the right here we have the ultimate fear which is data theft of credit cards, financial data, SS#’s.

    But web application abuse can be many different things.

    Shopping cart manipulation – If you can change the number of items in a cart and not pay for it, it can be very lucrative, and to the company it looks like normal use.
    Social engineering confidence scams – the recent Twitter attack.
    Points systems – If you can change the points used you can improve scores in games, change airmiles, change student grades.
    Defacement of Site – More of an embarrassment and a nuisance but getting the site defaced creates problems for real users who worry about the safety of going to your site.
    Transfer of funds from one account to another – anytime money is accessible on-line there is the opportunity for some abuse.
    Data Theft – Credit cards, SS#, personal data, financial data, healthcare data.
  • What does Web application abuse look like?

    As we just stated it can take many forms. Let’s take you through some examples….
  • Grandma has been saving up for a flat screen TV.

    She sees that an online electronics store is going to have a great sale on a particular model on Black Friday.

    She waits until the minute the sale starts, and goes online to make the purchase. Sadly, younger, more tech savvy shoppers have figured out how to reserve all of the flat screen TVs in inventory by automating the application shopping cart.

    Grandma is out of luck – even though she jumped in right away to make the purchase, it looks like the store is out of TVs, and she feels ripped off.
  • Grandma decides to go online and see Christmas pictures from her family around the US.

    When she gets into the site, she sees a message from her daughter, and clicks it.

    Oddly, instead of showing family pictures, the message automatically redirects her to a pornography site.

    Grandma is shocked, upset, and vows never to go to that social networking site again.

    Also, she doesn’t know it, but that porn site downloaded a virus to her laptop. Grandma has been compromised.
  • The shock took its toll on Grandma’s heart, and she goes to her pharmacy’s Web site to get her heart medication prescription refilled.

    She has an account on the site that contains her Medicare information, including social security number, address, and her CC information too.

    What she doesn’t know is that the pharmacy Web site has been compromised, and criminals regularly and discreetly pull all of that PII from the database, and sell it on the black market.

    Grandma is a prime candidate for identity theft.
  • Why does Web application abuse happen?

    It’s a factor of where security is today.
  • The impact of the web application revolution is that 70% of all threats are now at the web layer.

    According to Gartner
  • The focus has been on the network.

    93% of security spending is at the network layer.
  • The network has been well secured and the techniques used were effective.

    Then came web apps and we blew open port 80. We put applications on the web and many companies put the entire business on the web.

    And this is open to 2 billion users with a browser to use or abuse.
  • In almost half of companies (41%), less than 2% of developer headcount is focused on security.
  • What does that mean to you? WASC states that the average web application has 12 vulnerabilities. Multiply that by how many web applications your organization has and you’ll see how many options an abusive user has.
  • What are the common characteristics of a Web attack?

    Based on a deep understanding of application behavior

    Hard to filter out effectively over time

    Often automated or distributed

  • Not a one-time incident (it just gets reported that way)

    The actual attack vector that works needs to be established first

    The abuse needs to be tested and automated

    It has its own dev lifecycle
  • Examples: Twitter
  • Vulnerability management and filtering help…but have their limits

    Code scanning pre- or post-compile is hard because who is going to go back and patch all the vulnerabilities that are found? Many are in third-party apps, and most companies are not going to re-write all their internal apps.

    It’s hard to pre-guess all possible vulnerabilities and vectors
    It’s hard to filter intelligently and dynamically enough

    New solutions are attempting to hook into the application context, use it to understand abusive behavior, and respond adaptively
  • The Mykonos Security Appliance works during the first two phases of the attack.

    It does three things to help you catch an attacker before the damage is done.

    1. Identify and track attempts to introspect your sites/apps.

    2. Gain intelligence about behavior & threat level of bad actors

    3. Instantly neutralize threats.
  • We have an innovative approach.

    We work as a reverse proxy.

    We insert detection points into the code as it is delivered to the browser.

    If an abusive user plays with one of the detection points we deliver a token onto the hacker’s machine so that we can re-identify them if they return.
  • And maybe we wouldn’t annoy our grandmas if we all went a little more proactive on our defense against Web application abuse.
  • How websites are attacked

    1. Listen only mode Watch again View slides Submit via panel Q&A
    2. www.MykonosSoftware.com
    3. Al Huizenga Director of Product Management Mykonos Software Kyle Adams Chief Architect Mykonos Software
    4. Three Goals
    5. THINK DIFFERENTLY About Web Security
    6. Today, your Web applications are a black hole
    7. The Future of Web Security is smart self-defensive applications.
    8. It’s time to understand and respond to your web attackers
    9. Free Accounts Created Used as Spam Engine
    10. What is Web application Abuse? 1 Shopping Cart Manipulation 2 Social Engineering Confidence Scams 3 Points Systems 4 Defacement of Site 5 Transfer of Funds 6 Data Theft
    11. Definition Manipulating your site (and its trust) in an attempt to commit fraud, vandalize your brand, and compromise your users’ privacy.
    12. What does Web Application Abuse look like?
    13. SALE
    14. SALE Social Network XXX
    15. SALE Social Network XXX Pharmacy Hacked
    16. Why does Web Application Abuse happen?
    17. 70% of all security threats are now at the web application layer Source: Gartner
    18. of security spending is at the web application layer Source: State of Web Application Security by Ponemon Institute April 2010
    19. Network Perimeter Network Firewall Database Firewall Servers Databases NIPS HIPS IDS PORT 80 HR Benefits Core Business Application CRM E-commerce Marketing
    20. of developer headcount is focused on security Source: OWASP Security Spending Benchmarks Project March 2009
    21. 12 vulnerabilities per web application Source: Web Application Security Council (WASC)
    22. What are the common characteristics of a Web attack? Automated and/or Distributed Based on Application behavior Hard to filter out
    23. How does it happen….? Day 1 Attack begins Day X Attack discovered OVER TIME
    24. Five Phases of Web App Abuse Phase 1 Silent Introspection Phase 2 Attack Vector Establishment Phase 3 Attack Implementation Phase 4 Attack Automation Phase 5 Maintenance
    25. Phase 1 Silent Introspection Footprint: Low Method: Run a debugger, surf the site, collect data, analyze offline Info Sought: What Web server? Database? Network hardware and software? Programming languages and libraries?
    26. Phase 2 Attack Vector Establishment Footprint: Higher Techniques: 1. Cloak yourself 2. For all dynamic URLs, test inputs for errors or blind injection to find vulnerabilities 3. For each vulnerability, start structuring your input to shape the error into an attack
    27. Phase 3 Implementation Footprint: Highest Attack Defined: Now that you know the vector(s), what can you do with them? • Extract/edit/delete DB records or tables? • Infect site with a worm that distributes malware? • Launch a complex phishing scam?
    28. Phase 4 Automation Footprint: Low Attack Successful: If the attack makes money, you want to do it discreetly again and again • Write an attack program script • Buy a pre-fab “Command and Control” kit and raise your own BotNet to attack from
    29. Phase 5 Maintenance Footprint: Low Attack Successful: Let the money roll in, go do something else. Successful automated abuse can exist undetected in maintenance mode for years. If a patch disrupts the abuse, oh well. Either refine the vector again, or go hunting elsewhere
    30. What can you do? Vulnerability Management Web Application Firewall Mykonos Security Appliance Phase 1 Silent Introspection Phase 2 Attack Vector Establishment Phase 3 Attack Implementation Phase 4 Attack Automation Phase 5 Maintenance
    31. Web Application Intrusion Detection & Prevention The Mykonos Security Appliance. 1 Identify and track attempts to introspect your sites/apps 2 Gain intelligence about behavior & threat level of bad actors 3 Instantly neutralize threats
    32. A New Innovative Approach App Server Client Code Honey-pots Network Perimeter Database Firewall Traps Triggers
    33. www.MykonosSoftware.com Download Whitepaper Understanding and Responding to the Five Phases of Web Application Abuse
    34. www.MykonosSoftware.com
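The reverse-proxy approach in the speaker notes (detection points inserted into the code on its way to the browser, a token handed to anyone who tampers with one so they can be re-identified on return) as an added illustration in Python; this is example code written for this page, not Mykonos Software's, and the trap field name, cookie name and HMAC token format are assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Assumed names, not Mykonos's: a hidden field that no legitimate form submission
# changes, and the cookie the proxy uses to recognise a client it already flagged.
TRAP_FIELD = "debug_admin"
TOKEN_COOKIE = "msa_id"
SECRET = secrets.token_bytes(32)  # per-deployment key; rotating it forgets old tokens


def inject_detection_point(html: str) -> str:
    """Response side of the proxy: add a hidden trap field to every <form> on its
    way to the browser. A human never sees it; only a tool or a tamperer alters it."""
    trap = f'<input type="hidden" name="{TRAP_FIELD}" value="0">'
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + trap, html,
                  flags=re.IGNORECASE)


def issue_token() -> str:
    """Marker delivered to an abusive client so it can be re-identified on return.
    The HMAC means a client cannot mint or alter one without the proxy's key."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{nonce}.{mac}"


def token_is_valid(token: str) -> bool:
    """True only for tokens this proxy issued; forged or mangled ones fail."""
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()[:16]
    return bool(mac) and hmac.compare_digest(mac.encode(), expected.encode())


def inspect_request(form: dict, cookies: dict) -> dict:
    """Request side of the proxy: check the trap field and the re-identification
    cookie before forwarding. Returns what was learned and any cookie to set."""
    verdict = {"trap_tampered": False, "known_bad": False, "set_cookie": None}
    token = cookies.get(TOKEN_COOKIE)
    if token and token_is_valid(token):
        verdict["known_bad"] = True  # returning abuser recognised by its token
    if form.get(TRAP_FIELD, "0") != "0":
        verdict["trap_tampered"] = True  # detection point touched: introspection
        if not verdict["known_bad"]:
            verdict["set_cookie"] = f"{TOKEN_COOKIE}={issue_token()}; HttpOnly; Path=/"
    return verdict
```

A normal browser submits the trap field unchanged and is never flagged; a client that edits it gets the token, and any later request carrying that token is recognised even when it touches no trap.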