
The state of web applications (in)security @ ITDays 2016

The global security landscape is changing, now more than ever. With cloud computing gaining momentum and advanced persistent threats becoming a common occurrence, the industry is taking a more focused and serious approach, especially after some of last years' heavily publicized cyber breaches. Join this session for a high-level overview on the industry trends in the area of web application security, and find out why security is bound to become a hot topic in any organization developing or using web applications.



  1. Tudor Damian, Executive Manager @ Avaelgo: The state of web applications (in)security
  2. Tudor Damian
     • Executive Manager @ Avaelgo
     • IT Advisory Services
     • Microsoft Gold Cloud Platform Partner
     • Consulting, Software Development, Tech Support, Security, Training
     • Co-founder @ ITCamp & ITCamp Community
     • Cloud and Datacenter Management MVP (Microsoft)
     • Certified Ethical Hacker (EC-Council)
     • Certified Security Professional (CQURE)
     • Contact: tudor.damian@avaelgo.ro / @tudydamian / tudy.tel
  3. VIDEO. Source: Microsoft Ignite 2016 Keynote (Atlanta, Sep 2016), https://vimeo.com/191623226
  4. Video summary
     • 75% of CEOs see rising risks from technology
     • On average, it takes 200 days to detect a security breach, and another 80 days to recover from it
     • The average cost per security incident is around $12 million
     • Estimated loss in productivity and growth: $3 trillion
     • User endpoints are the target of most cyber attacks
  5. Discovery time for cyber attacks worldwide (2013)
     • Hours: 9%
     • Days: 8%
     • Weeks: 16%
     • Months: 62%
     • Years: 5%
     Source: Verizon
  6. Cyber attacks against US companies (2014)
     • Viruses, worms, trojans: 100%
     • Malware: 97%
     • Botnets: 76%
     • Web-based attacks: 61%
     • Malicious code: 46%
     • Phishing and social engineering: 44%
     • Malicious insiders: 41%
     • Stolen services: 37%
     • Denial of service: 34%
     Source: Ponemon Institute; Hewlett-Packard (HP Enterprise Security)
  7. Lack of security professionals
     • CISCO, 2014: there are more than 1 million unfilled security jobs worldwide
     • (ISC)² study, 2015: a shortfall of 1.5 million security professionals is estimated by 2020
     Sources:
     http://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf
     http://blog.isc2.org/isc2_blog/2015/04/isc-study-workforce-shortfall-due-to-hiring-difficulties-despite-rising-salaries-increased-budgets-a.html
  8. “Mega-breaches” made public in 2016
     • Myspace (2007-2012), 427 mil passwords
     • Fling (2011), 40 mil passwords
     • LinkedIn (2012), 164 mil passwords
     • VK.com (2012), 100 mil passwords in cleartext
     • Dropbox (2012), 68 mil passwords
     • Tumblr (2013), 65 mil passwords
     • Yahoo (2014), 500 mil users’ data
     • FriendFinder (2016), 400 million accounts
     More on https://haveibeenpwned.com/PwnedWebsites
  9. The Browser Wars: Malware Detection
     • Security study on 8 browsers from 2014
     • 657 samples of socially engineered malware (SEM)
     • Block rates ranged from 99.9% to 4.1%
     Source: https://www.nsslabs.com/reports/browser-security-comparative-analysis-report-socially-engineered-malware
  10. The Browser Wars: Pwn2Own
     • Sandbox escapes or 3rd party code execution found in:
       • Internet Explorer
       • Microsoft Edge
       • Mozilla Firefox
       • Google Chrome
       • Adobe Flash
       • Adobe Reader XI
       • Apple Safari on Mac OS X
       • Windows
       • OS X
     • 2014: $850,000 total prize money, paid to 8 entrants
     • 2015: $557,500 total prize money, paid to 6 entrants
     • 2016: $460,000 total prize money
     Sources:
     http://www.eweek.com/security/pwn2own-2014-claims-ie-chrome-safari-and-more-firefox-zero-days.html
     http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-One-results/ba-p/6722204
     http://www.securityweek.com/pwn2own-2016-hackers-earn-460000-21-new-flaws
  11. Current state of web applications
     • 55% of apps have at least one high-severity vulnerability
       • Up 9% in 12 months
       • Ex: XSS, SQL Injection
     • 84% of apps have at least one medium-severity vulnerability
       • Ex: CSRF
     • Vulnerable JS libraries have more than doubled since 2015
     • 95% of web app breaches were financially motivated
     • 68% of funds lost as a result of a cyber attack were declared unrecoverable
     • 35% of websites still rely on SHA-1
       • Certificates with SHA-1 no longer issued after Jan 1st, 2016
       • Certificates will trigger an error in browsers starting on Jan 1st, 2017
     Sources:
     http://www.darkreading.com/operations/as-deadline-looms-35-percent-of-web-sites-still-rely-on-sha-1/d/d-id/1327522
     http://www.acunetix.com/acunetix-web-application-vulnerability-report-2016/
     http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
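The SHA-1 point on slide 11 is something an operator can verify for their own sites rather than take from a survey. The following script is an added example, not part of the talk or any tool it cites: it walks the outer DER structure of an X.509 certificate with the standard library only, reads the signatureAlgorithm OID, and reports whether the certificate carries a SHA-1-based signature. The stub certificate it builds is a constructed placeholder with the right outer shape (tbsCertificate, signatureAlgorithm, signatureValue) and a dummy body; it exists only so the example runs offline. Feed `pem_to_der()` a real PEM file (for example one saved from a server's certificate chain) to check a live deployment.

```python
"""Flag SHA-1 signed X.509 certificates using a minimal DER walker (stdlib only)."""
import base64
import re

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10040.4.3", "1.2.840.10045.4.1"}


def read_tlv(data, pos):
    """Read one DER tag-length-value at data[pos]; return (tag, value, next_pos)."""
    tag = data[pos]
    first = data[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: single length byte
        length = first
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end


def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    parts = ["2", str(first - 80)] if first >= 80 else [str(first // 40), str(first % 40)]
    acc = 0
    for b in value[1:]:                   # base-128, high bit marks continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    if acc:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(parts)


def certificate_signature_algorithm(der):
    """Return (oid, name) of the signatureAlgorithm field of a DER certificate."""
    tag, cert, _ = read_tlv(der, 0)       # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, _tbs, pos = read_tlv(cert, 0)    # tbsCertificate (not needed here)
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, alg, _ = read_tlv(cert, pos)     # signatureAlgorithm ::= AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_bytes, _ = read_tlv(alg, 0)  # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_bytes)
    return oid, SIG_ALG_OIDS.get(oid, "unknown")


def uses_sha1(der):
    """True when the certificate's signature is SHA-1 based (RSA, DSA or ECDSA)."""
    return certificate_signature_algorithm(der)[0] in SHA1_SIG_OIDS


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column body)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed stub below)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _oid_bytes(dotted):
    """Encode a dotted OID into DER OBJECT IDENTIFIER contents."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        out += bytes(reversed(chunk))
    return out


def make_stub_cert(sig_oid):
    """CONSTRUCTED stand-in: Certificate-shaped DER with a dummy tbsCertificate.
    Enough to exercise the parser; it is not a real or valid certificate."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                          # SEQUENCE { INTEGER 1 }
    alg = _der(0x30, _der(0x06, _oid_bytes(sig_oid)) + _der(0x05, b""))  # { OID, NULL }
    sig = _der(0x03, b"\x00" + b"\x00" * 8)                         # BIT STRING placeholder
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        der = pem_to_der(der_to_pem(make_stub_cert(oid)))
        print(certificate_signature_algorithm(der), "SHA-1:", uses_sha1(der))
```

When checking a deployed chain, run the test on the leaf and every intermediate; a self-signed root's own signature is never verified by clients, so a SHA-1 root is not the problem the slide refers to.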
  12. Current state of web applications
     • In 2013, it was estimated that nearly 30,000 websites were infected with malware every day
     • 45% of breaches exceed $500,000 in losses
     • In 56% of cases of website data or system breach, no one was held accountable
       • Organizations with accountability: 33% remediation rate
       • Organizations without accountability: 24% remediation rate
     • There’s very little evidence of “best practices” being used in web application security
     • Social engineering and insider attacks are on the rise
     Sources:
     http://www.forbes.com/sites/jameslyne/2013/09/06/30000-web-sites-hacked-a-day-how-do-you-host-yours/
     https://info.whitehatsec.com/rs/whitehatsecurity/images/2015-Stats-Report.pdf
  13. Vulnerable web applications (%)
     • Cross-site request forgery: 59
     • DoS related vulnerabilities: 43
     • Cross-site scripting: 33
     • Slow HTTP DoS: 27
     • Vulnerable JS libraries: 27
     • TLS/SSL related vulnerabilities: 23
     • SQL injection: 23
     • Directory listing: 15
     • SSH related vulnerabilities: 13
     • Source script disclosure: 10
     • Host header injection: 9
     • Overflow vulnerabilities: 7
     • Code execution: 6
     • Weak passwords: 4
     • Mail related vulnerabilities: 3
     • DNS related vulnerabilities: 3
     • Directory traversal: 3
     • File inclusion: 2
     • Server-side request forgery: 1
     Source: http://www.acunetix.com/acunetix-web-application-vulnerability-report-2016/
  14. Top 10 threats in web app breaches
     • Hacking: use of stolen creds
     • Hacking: use of backdoor or C2
     • Social: Phishing
     • Malware: Spyware/Keylogger
     • Malware: C2
     • Malware: Export Data
     • Hacking: SQLi
     • Malware: Backdoor
     • Hacking: RFI
     • Brute Force
     Source: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
  15. How much time does security get?
     • An attacker has 24x7x365 to attack you
     • The defender has 20 (?) man-days per year to detect and defend
     • Who has the edge?
     (Figure: attacker schedule over time, with only two scheduled pen-tests on the defender's side)
  16. An inconvenient truth
     • Two weeks of ethical hacking vs. ten man-years of development
     • Business logic flaws, code flaws, security errors
  17. Software in a Perfect World
     (Figure: Intended Functionality and Actual Functionality coincide)
  18. Software in the Real World
     (Figure: Intended Functionality vs. Actual Functionality; the overlap is Built Features, the rest is Unintended and Undocumented Functionality and Bugs)
  19. Implementing Security within SDL
     • Design
     • Governance: Policy & Compliance; Education and Guidance; Strategy and Metrics
     • Intelligence: Attack Models; Threat Assessment; Security Requirements; Security Architecture
     • Implementation: Security Features and Design; Architecture Analysis; Coding Standards
     • Verification: Attack Surface Review; Code Review; Security Testing
     • Deployment: Software Environment; Configuration Management; Vulnerability Management
     • Operation: Environment Hardening; Operational Compliance; Enablement
  20. “Prevent Breach” approach: obsolete?
     • In today’s world, when dealing with a cybersecurity breach, there are four essential questions you need to be able to answer:
       • What did the attack do?
       • How did it get here?
       • Where did it spread?
       • What’s the risk to me, my company and my customers?
     • Trying to answer these retroactively is unproductive, takes time, and significantly affects your company
  21. Prevent & Assume Breach
     • Prevent Breach: a methodical Secure Development Lifecycle and Operational Security minimize the probability of exposure
     • Assume Breach: identifies & addresses potential gaps in security:
       • Ongoing live site testing of security response plans improves mean time to detection and recovery
       • Bug bounty program encourages security researchers in the industry to discover and report vulnerabilities
       • Reduce exposure to internal attack (once inside, attackers do not have broad access)
       • Latest threat intelligence to prevent breaches and to test security response plans
       • State of the art security monitoring and response
     (Figure: Security monitoring and response; Prevent breach: Secure Development Lifecycle, Operational Security; Assume breach: Bug Bounty Program, War game exercises, Live site penetration testing; Threat intelligence)
  22. Assume Breach: a change in mindset
     • We have to stop focusing on preventing a data breach and start assuming the breach has already happened
     • Currently: a one-sided, purely preventative strategy
     • Future: emphasis on breach detection, incident response, and effective recovery
     • Start thinking about the time when a breach will (almost inevitably) occur in your infrastructure
     • Be prepared for that!
  23. Red Team vs. Blue Team
     • MTTC: Mean Time to Compromise
     • MTTP: Mean Time to Privilege Escalation or “Pwnage”
     • MTTD: Mean Time to Detection
     • MTTR: Mean Time to Recovery
     • Blue Team: Gather, Detect, Alert, Triage, Context, Plan, Execute
     • Red Team: Recon, Delivery, Foothold, Persist, Move, Elevate, Exfiltrate
  24. What did we learn?
     • Security breaches take months to be detected
     • All companies are being attacked, whether they know it or not
     • There’s a severe lack of security professionals worldwide
     • Current security issues are not known or simply ignored
     • 50-80% of web apps have serious security issues
     • Investments in security are quite rare and low in value
     • Trying to prevent a data breach is no longer enough
  25. What to do next?
     • Implement a Secure Development Lifecycle
       • Security in Design, Coding, Testing/QA, Deployment, Operation
     • Invest more in Operational Security
     • Create a bug bounty program
     • Run wargame exercises (Red vs Blue)
     • Do live site penetration testing
     • Invest in security monitoring, detection and response
     • Tap into existing industry threat intelligence
       • e.g. http://map.norsecorp.com/
  26. Tudor Damian
     • Executive Manager @ Avaelgo
     • IT Advisory Services
     • Microsoft Gold Cloud Platform Partner
     • Consulting, Software Development, Tech Support, Security, Training
     • Co-founder @ ITCamp & ITCamp Community
     • Cloud and Datacenter Management MVP (Microsoft)
     • Certified Ethical Hacker (EC-Council)
     • Certified Security Professional (CQURE)
     • Contact: tudor.damian@avaelgo.ro / @tudydamian / tudy.tel
