Sql injection to enterprise Owned - K.K. Mookhey



  1. People, Technology, Processes, Standards. SQL Injection To Enterprise 0wned. K. K. Mookhey, CISA, CISSP, CISM, CRISC
  2. Introduction • Founder, Principal Consultant – Network Intelligence India Pvt. Ltd. – Institute of Information Security • CISA, CISSP, CISM, CRISC • Penetration testing, Security Auditing, Forensics, Compliance, Problem-solving • ICICI Bank, BNP Paribas, Morgan Stanley, United Nations, Indian Navy, DRDO, and hundreds of other clients over a decade of experience • Speaker at Blackhat, Interop, IT Underground, OWASP Asia, SecurityByte, Clubhack, Nullcon, ISACA, and numerous others. © Network Intelligence India Pvt. Ltd.
  3. Agenda • Introduction & Case Studies • Risk-based Penetration Testing • Solutions • Strategies • Take-Aways
  4. THE BIGGEST HACK IN HISTORY
  5. Gonzalez, TJX and Heart-break-land • >200 million credit card numbers stolen • Heartland Payment Systems, TJX, and 2 US national retailers hacked • Modus operandi – Visit retail stores to understand workings – Analyze websites for vulnerabilities – Hack in using SQL injection – Inject malware – Sniff for card numbers and details – Hide tracks
  6. The hacker underground • Albert Gonzalez – a/k/a “segvec” – a/k/a “soupnazi” – a/k/a “j4guar17” • Malware, scripts and hacked data hosted on servers in: – Latvia – Netherlands – Ukraine – New Jersey – California • IRC chats – March 2007: Gonzalez “planning my second phase against Hannaford” – December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
  7. Where does all this end up? • IRC channels – #cc #ccards #ccinfo #ccpower #ccs #masterccs #thacc #thecc #virgincc • Commands used on IRC – !cardable – !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
  8. TJX direct costs • $200 million in fines/penalties • $41 million to Visa • $24 million to Mastercard
  9. Cost of an incident • $6.6 million average cost of a data breach • From this, cost of lost business is $4.6 million • More than $200 per compromised record. On the other hand: • Fixing a bug costs $400 to $4000 • Cost increases exponentially as time lapses
  10. HOW THE COOKIE CRUMBLES
  11.–18. (no slide text)
  19. Betting blind! • DB Name • Table Names • User IDs • Table Structure • Data
  20. Net Result: Enterprise Owned!
  21. SOLUTIONS!
  22. Technology Solutions • Encryption • Web Application Firewalls • Source Code Review Solutions • Security Testing Suites • Data Leakage Prevention • Privileged Identity Management • Web Access Management • Information Rights Management • Database Security Solutions
  23. Before we get to the technology…
  24. Application Security – Holistic Solution • Design • Develop/Train • Manage • Test
  25. EVOLVED PENETRATION TESTING
  26. Secure Testing • Security testing options – Blackbox – Greybox – Whitebox – Source Code Review • OWASP Top Ten (www.owasp.org) • OWASP Testing Guide • Tools of the trade – Open source: Wikto, Paros, Webscarab, Firefox plugins – Commercial: Acunetix, Cenzic, Netsparker, Burpsuite
  27. Traditional vs. Risk-based Pentesting

      | Traditional Pentesting | Risk-based Pentesting |
      |---|---|
      | Focus is on technical vulnerabilities | Focus is on business risks |
      | Requires strong technical know-how | Requires both technical and business process know-how |
      | Having the right set of tools is critical | Understanding the workings of the business and applications is critical |
      | Is usually zero-knowledge | Requires a person who understands the business process to play a significant role – usually an insider |
      | Understanding the regulatory environment is good | Understanding the regulatory environment is mandatory |

  28. Traditional vs. Risk-based Pentesting (continued)

      | Traditional Pentesting | Risk-based Pentesting |
      |---|---|
      | Severity levels are based on technical parameters | Severity levels are based on risk to the business |
      | Risk levels in the report are assigned post facto | Risk levels in the report reflect the levels assigned prior to testing |
      | Test cases are built based on testing methodologies or generic testing processes | Test cases additionally build on risk scenarios |
      | Audience for the report is usually the IT and Security teams | Audience for the report also includes the business process owners and heads of departments |

  29. GROUND REALITIES!
  30. Ground realities • Business priorities – Expand, grow, market share!! • Developer illiteracy – Unaware of security implications – Shortcut fixes • Vendor apathy – Problem reinforced by weak contracts • Unclear budgets – Lip service by management towards information security – CISO left fighting the battle alone without adequate resources
  31. Use Triage – STRATEGIZE!
  32. Sample Strategies (diagram; labels as recovered from the slide) • Implement & Enforce SLAs • In-house Developed • Internal Claims Processing • Regular Secure Coding Training • ATLAS – Agents Access Over Internet • Active Development Team • Emphasis on Secure Coding Libraries • Secure Hosting
  33. Take-Aways • Mindset change – most importantly of the business owners’! – Data protection does matter! – It is NOT simply a technology issue – ISO 27001 is not the answer • Implement application security in a comprehensive, cohesive and consistent manner • Evangelize constantly! • Demonstrate impact – always in business terms • Strategize – you can’t protect everything all the time • Leverage regulatory and legal requirements
  34. Ensure – this never happens!
  35. Questions? kkmookhey@niiconsulting.com @kkmookhey http://www.linkedin.com/kkmookhey THANK YOU!
