Security Compliance Web Application Risk Management


Published on

The Rise of Threat Analysis and the Fall of Compliance in Mitigating Web Application Security Risks

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • We take a critical view of security driven by compliance in view of the increased threat of identify theft and credit card fraud We will talk about modeling threats and how can be used to learn how to mitigate cybercrime threats such as attack trees, use and misuse cases, attack vector analysis and data flow and data flow/architectural analysis Finally we will provide some mitigation strategies against cybercrime attacks
  • Heartland Payment Systems (HPY) data breach: 130 Credit Card Accounts Exploited SQL Injection vulnerabilities to install malware (Hannaford 9/07, Company A & B on 1/08) Used “wardriving” and installed sniffers Acted ad member of a Cybercrime gang Profited from the sale of ACC#, PINs to fake credit cards and commit ATM fraud Engaged in money laundering
  • On PCI compliance: Visa and MasterCard raised some red flags and alerted Heartland to suspicious transactions. After an audit, Heartland uncovered Malware (the data-sniffing kind) that allowed thieves to capture credit or debit-card numbers, expiration dates, and in some cases the cardholder’s name. Heartland was, at the time of the breach, and currently is, PCI compliant. It passed an inspection in April of 2008; this fact only serves to stress the point that PCI compliance does not equal security. The company that certified them, Trustwave, is established as a QSA (Qualified Security Assessors). If you wanted to lay blame on Trustwave for the breach, you would be hard-pressed to prove it. A QSA can only ensure that a company meets or exceeds the requirements of PCI compliance. No QSA can ensure or promise that a company it assesses for is completely secure and defended against attack. Card systems had 40 ML Breach prior PCI being mandatory Customer portal exploited via SQL injection
  • Compliance drive security from stick perspective with audit fines and restrictions. The cost also of intangible reputation since information disclosures In the case of TJX maxx for example a credit card processor was fined 800,000 USD because of lack of security controls by VISA nevertheless some times it is cheaper to pay the fine rather then implement the controls
  • PCI DSS brings precision, but with FUD: Greater detail surrounding technical/ non-tech security requirements Cardholder data such as PAN need to be masked in display and need to be protected in storage and transit with encryption, the same for card holder data and expiration data on the card Track 2 data that include CVV2, PINs cannot be stored even if encrypted
  • The reality is that there is a market for bank account and credit card information in the black economy
  • A similar math can be factored using Van Geer data of 4.5% of data loss probability (FTC 2003 data) x 655 $/person cost Can we correlate this losses somehow, the cost for loss with the fact that among all breaches 13 % are from wbe and 19% use SQL injection attack vectors you can come out with 0.025 that is 2.5 % as the probability that an identify theft will occurr through the web channel because of a SQL injection attack. The cost is the cost per incident x record loss for internal (pokemon is 200 $) or you can just factor the cost per re-issance of the card This multipled for the cost per incident/records you can came out with 241 ML for 14 million records for 130 ML is 2.5 BILLION According to the case in NJ SQL injection is considered cause of Hannaford Assume that according that 2003 FTC data the potential loss per identity theft incident is $ 655 per incident. Assume you are serving via your web site a population of 4 million customers, the potential loss of losing your customer data such as credit card accounts for example would be of $ 2,6 Billion and with probability of identity theft occurrence of 4.6 % (also FTC data) the projected loss for your company could be $ 120 ML for which 14% or $ 16 ML would be the cost of data losses via the web channel alone.
  • It is important not to confuse compliance with security and confusing compliance risk (that is fines, liability risks) with real risks that include all the above. Security is people process and technology and compliance just addresses on component. So the question is do we place the effort and the right focus?
  • From the risk perspective compliance is a business risk and secondary to accessing the risk factors of likelihood and impact of a threat against the cost of preventing and mitigating a threat. If you think about 1) the cost of compliance is in essence like the cost of implementing a countermeasure vs the cost of the loss. Compliance risks are minimum requirements and in the risk equation cost less then the cost of a potential security breach,
  • The areas are the threat surface that is at which extent you can mitigate known threats by identifying vulnerabilities and remediating them The areas represents the threat space, you are as secure as the threat you know. For example tools and standards compliance can capture at maximum 40 % of all potential vulnerabilities, the light blue area represents all risks known and unknown and the green area represents the threat modeling activities that can be used to tackle 75-80% of all potential issues
  • In same cases the cyber attack vectors are reported step by step Use "xp_cmdshell“ to download hacker tools to the compromised MSSQL server. Obtain valid Windows credentials by using fgdump Install network "sniffers" to identify card data and systems involved in processing credit card transactions. Install backdoors that "beacon" periodically to their command and control servers Target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs. Use WinRAR to compress the information they pilfer from the compromised networks.
  • Botnet attack bank customers using malware that perform MITM. The attack vector is email phishing (lure to accept an offer for free software) and delivered via hidden frames Once it knows the banksite and gets user credentials from the user, it will do the attack without the user knowing using automated script that can perform wire transfers and supply all the extra data as required such as SSN, S/W OTP. It will simulate all user keystrokes and simulate being an attack from valid browser Botnet-controlled Trojan robbing online bank customers Security firm says malware targeting commercial customers believed to have come from Russia By Ellen Messmer , Network World , 12/13/2007 Share/Email Tweet This 1 Comment Print A new variant on the "Prg Banking Trojan" malware discovered in June is stealing funds from commercial accounts in the United States, United Kingdom, Spain and Italy with a botnet called Zbot, says Atlanta-based SecureWorks . "It's been very successful since we've first seen this at the end of November," says Don Jackson, senior security researcher at SecureWorks, which believes the Prg Trojan variant is designed by the Russian hackers group known as Russian UpLevel working with some German affiliates.  Manage Security and Compliance in an Adverse Economy in 2009 and Beyond: View now "The Trojan has the ability to use a man-in-the-middle attack, a kind of shoulder-surfing when someone logs into a bank account. It can inject a request for a Social Security number or other information, and it's very dynamic . It’s targeted for each specific bank." SecureWorks says about a dozen banks -- which it wouldn't identify because it says the U.S. Secret Service is investigating the incidents -- have had their commercial customers affected by the Trojan-based money fraud operation. According to SecureWorks, the bank Trojan malware can be distributed using iFrame exploits on Web sites or through very targeted attacks against bank customers via phishing . Oftentimes, the phishing e-mail attempts to lure the victim into clicking on a site to offer software disguised as a real certificate, security code or soft token, the company says, adding that it has uncovered caches of stolen data in its research. If the attacker succeeds in getting the Trojan malware onto the victim's computer, he can piggyback on a session of online banking without even having to use the victim's name and password. The infected computer communicates back to the Trojan's command-and-controller exactly which bank the victim has an account with. It then automatically feeds code that tells the Trojan how to mimic actual online transactions with a particular bank to do wire transfers or bill payments SecureWorks says the Trojan performs keystrokes that imitate the victim's keystrokes to avoid any online fraud-monitoring. Although the Secret Service is investigating the Trojan's impact on banks and their customers, Jackson says Russian law authorities are lax in reining in online criminal groups widely believed to be operating from Russia, including Russian UpLevel and the Russian Business Network .
  • What cyber threats are relevant to your industry? Peel the threat onion (industry, geographic, local market, overall business, branch) Are you looking at outdated cyber threats?
  • Most of cybercrime attacks target both the browser and the web application. You are as secure as the weakest link and the weakest link is always the human element, so phishing and social engineering is the easier way to get CC data directly from a user. Other attacks use drive by download to install malware to perform MITM, clickjacking or man in the browser attacks exploit browser vulnerabilities and in the exeuctable content (browser plugins, adobe and macromedia flash, activex controls) From the web application pespective the attacks can exploit SQL injection vulnerabilities to upload sniffers, get the data by altering the query, attack the weak encryption and attack session such as using session fixaction, hijacking the session in transit or being cached logged
  • You can attack an ATM to commit fraud in many ways, one is by exploiting weakenesses in the ATM network like the DOS slammer. To forge a card you need CIN, PIN, CVV track 1 and 2 data you get them by using a skimming device, or buy cardholder and sensitivre CC data online, getting this data by banking sites that use ATM and CC to validate the customers in certain transactions, spear phising, exploit ATM vulnerabilitiees
  • This can be used to evaluate the strenght of security controls against known attacks. This is very high level representations. Diagrams of this kind can be used to evaluate coutnermeasues
  • Definition : Defining use and abuse cases is the foundation of the security requirement phase in which security requirements are developed. Abuse cases are instrumental to elicit requirements for security controls to mitigate potential risks. The scope of such activity is to gather functional requirements from business analysts, security governance team members, project managers and risk analysts to document the expected functionality for the application and the security controls based upon the defined use cases (positive requirements) as well as the abuse cases (negative requirements)..
  • In the example herein a malicious page is injected in the original page. Attack of this nature can exploit unvalidated URLs to executed within the legitimate frame and delivered to the victim via phishing, or can reflect script that when execute evil code such as a keylogger or spyware to steal cookies and other information stored on the browser.
  • Identify entry and the exit points and the access levels (anonymous, user authenticated, administrator, super-user) required to access the different critical components (data, services) being identified in the DFDs Enumerate the threats to the application elements by using the DFD as basis for the threat analysis by using the STRIDE (Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege) per element technique Identify the most likely attack vectors and how can impact the application from the entry points of the application and the end to end data flow visualized in the DFD and how these can exploit weaknesses (vulnerabilities) across authorization, authentication, secure communication channels as well as misuse the application functionality to cause undesirable results Identify mitigations (countermeasures) to the previously identified attack vectors and to locate them within function level (DFD level 2) diagram. Use the ASF (Application Security Frame) threat-vulnerability-countermeasure mapping (authentication, authorization, session management, data protection, data validation, error and exception handling, auditing and logging, configuration management) to indentify locate countermeasures for the DFD processes and the various DFD elements.
  • Threat modeling for multi-channel fraud threat scenarios
  • Learn to identify the most likely attacks by taking into consideration the potential opportunities for an attacker/malicious user to exploit: The application accessibility (internet, intranet, extranet) The value of the data (business sensitive, confidential PII) The gaps and weaknesses in the authentication being used (none, single authentication, multifactor, secondary) The level of authorization required to interact with the application (authenticated and non-authenticated users, administrators) and the data The potential client and server vulnerabilities because of their type function : Browser-Client Executables, Web server-Web Forms, Web Services, Application server-Dynamic Web Pages DB Access, Middleware-Messaging Backend Service Access, Databases The potential vulnerabilities due to the inherent risk of the software technology/framework and programming language being used: AJAX, JavaScript, J2EE, .NET 3.5, C/C++, Adobe Flash/RIA The exposure to the data in transit because of the inherent risks of communication protocols used: HTTP/S,XML, SOAP, Message Queues, Chat/IRC, email SMTP/POP
  • A lot of vulnerabilities are due to unsecure configuration
  • Ideally the next step is to drive security by design according to basic principles the challenge is make these principles Actionable and not a checklist. This is where compliance should be focusing on the spirit of the law rather then the letter of the low. The OWASP guidelines just do that translate this principles in actionable items for architects and developers and testers
  • Cyber crime threats and application countermeasures via threat modeling The presentation will also demonstrate how threat modeling is capable of delivering critical business functions as well as in mitigating current and future cyber attacks, such as distributed denial of service, botnet driven-malware, spear phishing techniques, and more attacks that ultimately lead to identity and credit card fraud.
  • Security Compliance Web Application Risk Management

    1. 1. The Rise of Threat Analysis and the Fall of Compliance in Mitigating Web Application Security Risks Marco Morana OWASP Cincinnati Chapter Lead [email_address] Tony Ucedavelez OWASP Atlanta Chapter Lead [email_address] LA and OC Chapters Sept 2009 Meetings
    2. 2. Meeting Agenda <ul><li>“ Status quo” of security compliance in mitigating cybercrime risks </li></ul><ul><ul><li>Compliance data vs. data breach data </li></ul></ul><ul><ul><li>Business impact of data breaches </li></ul></ul><ul><ul><li>Critical view of how compliance drives security </li></ul></ul><ul><li>Threat modeling techniques for the analysis of cybercrime threats </li></ul><ul><ul><li>Attack tree analysis </li></ul></ul><ul><ul><li>Use and misuse cases </li></ul></ul><ul><ul><li>Attack vectors analysis </li></ul></ul><ul><ul><li>Data flow/architecture analysis </li></ul></ul><ul><li>Risk mitigation strategies against cybercrime attacks </li></ul>
    3. 3. <ul><li>Status Quo of Security Policy and Regulatory Compliance in Mitigating Risks </li></ul>
    4. 4. Biggest Fraud in History 170 million card and ATM numbers used sql injection and packet sniffers Companies mentioned in the indictments (3) include: TJX Companies Heartland Payment Systems (HPY) Hannaford Bros
    5. 5. Let’s look at PCI-DSS COMPLIANCE and data breach reported ( <ul><ul><li>Heartland Payment Systems (HPY) WAS PCI COMPLIANT at the time of the breach (August 2007) and is currently PCI COMPLIANT </li></ul></ul><ul><ul><ul><li>Passed Inspection in April 2008 (Trustwave QSA ) </li></ul></ul></ul><ul><ul><ul><li>After an audit, Heartland uncovered Malware (the data-sniffing kind) to capture CC or ATM numbers </li></ul></ul></ul><ul><ul><ul><li>94 ML CCN ( Reported January 7 2007) </li></ul></ul></ul><ul><ul><ul><li>4.2 ML CCN and ATM data(reported March 17 2008) </li></ul></ul></ul><ul><ul><li>TJX was fined for NOT BEING PCI COMPLIANT during the data breach (May 2006-December 2007) </li></ul></ul><ul><ul><ul><li>VISA allowed them to continue processing </li></ul></ul></ul><ul><ul><ul><li>Poor network security and use of weak encryption </li></ul></ul></ul><ul><ul><li>Hannaford Bros WAS PCI COMPLIANT while being hacked (November 2007) </li></ul></ul><ul><ul><ul><li>Compliant with protect CCH data in storage and in transit over public/open networks </li></ul></ul></ul><ul><ul><ul><li>130 ML CCN (reported January 20 2009) </li></ul></ul></ul>
    6. 6. So How Compliance Drives Security? <ul><li>Regulations such as PCI, Gramm-Leach Bliley Act (GLBA), FFIEC, HIPAA, SB 1386, AB 1950 drive security via an adversarial approach, some examples: </li></ul><ul><ul><li>Fail audit => additional fines, restrictions and controls </li></ul></ul><ul><ul><li>Leak of PII => public information disclosure in most US states (SB1386) </li></ul></ul><ul><ul><li>Running afoul of PCI => can’t do business using credit cards, can’t do business with Wal-Mart </li></ul></ul><ul><ul><li>Generally is security by FUD </li></ul></ul><ul><ul><li>Fear of backlash, private suits, etc </li></ul></ul>
    7. 7. PCI DSS: Protection of CCH and Sensitive Credit Card Authentication Data [PCI-DSS] 3.2 Do not store sensitive authentication data subsequent to authorization (even if encrypted) [PCI-DSS] 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). [PCI-DSS] 3.4 Render PAN , at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs)
    8. 8.
    9. 9. Underground economy for stolen credit card and bank account credentials
    10. 10. Monetize The Losses ? Ask TJX CFO <ul><li>The cyber attack on the retailer Marshalls and TJ Maxx (disclosed in January 2007): after-tax cash charge of approximately $118 million , or $.25 per share. </li></ul><ul><li>The company increased its estimate of pre-tax charges for the compromise to nearly $216 million . </li></ul><ul><li>According to some experts, TJX may have to spend in the end a total of more than $500 million , including litigation fees and government fines. </li></ul>
    11. 11. Another Way to Look at Business Impact Of Data Breaches : Correlate Drop in Stock Price With Bad News (chart from <ul><ul><ul><li>130 ML CCN (reported January 20 2009) </li></ul></ul></ul>
    12. 12. Cost Estimate Of Web Application Data Breach Due to SQL Injection Attack <ul><li>Probability of attack by type and attack vector incident (identity theft) data : </li></ul><ul><ul><li>13 % of incidents involving breaches of web channel ( x 19 % of incidents that use SQL injection as attack vector (WHID) = 2.5 % as the probability that a SQL injection vulnerability will cause identity theft data loss </li></ul></ul><ul><li>Estimate business impact of attack (SQL injection) by multiply probability of attack x number of losses x cost of one data loss </li></ul><ul><ul><li>$ 691 per each individual theft case (Javelin) X 130 million individual ID theft cases x 2.5 % attack ID theft probability = $ 2.2 Billions </li></ul></ul>
    13. 13. A Critical View of Compliance and Security <ul><li>Is compliance = security ? </li></ul><ul><ul><li>Plenty of compliant firms have recently been hit with major security breaches </li></ul></ul><ul><ul><li>Increased number of stolen credit card and bank account credentials available in the black market </li></ul></ul><ul><li>Is compliance cost and risk effective? </li></ul><ul><ul><li>Derail security effort from strategy </li></ul></ul><ul><ul><li>C-Levels question the value to what they perceive as 'extra' or 'misguided' efforts </li></ul></ul><ul><ul><li>Cost vs. benefit is cost of non-compliance fines vs. benefit (savings) of not implementing controls </li></ul></ul>
    14. 14. Did PCI compliance auditors failed Hearthland?
    15. 15. Non Compliance From Risk Perspective <ul><ul><li>Regulatory noncompliance is by it self a business risk : assessing the likelihood and potential costs of a particular threat against the cost of preventing or mitigating that threat </li></ul></ul>
    16. 16. <ul><li>Threat modeling techniques for cybercrime threats </li></ul>
    17. 17. Application Threat Modeling And The Cybercrime Attack Surface Standards Compliance Gap Analysis Penetration Testing Attack Tree Analysis Cybercrime Intelligence DFD/Secure Architecture Analysis Use and misuse cases Security By Design Risk Mitigation Strategies Attack Vector Analysis Source Code Analysis
    18. 18. Cybercrime Threat Intelligence and Analysis: Attacks Against Financial Services and Online retailers <ul><li>THREAT INTELLIGENCE: </li></ul><ul><li>Attack “xp_cmdshell on MSQL server to upload sniffers to capture CC transactions and ATM PINs from DB, HSM </li></ul><ul><li>THREAT MITIGATION ANALYSIS: </li></ul><ul><li>Disable xp_cmdshell, </li></ul><ul><li>Deny extended URL, escape “”, </li></ul><ul><li>Use store procedures, </li></ul><ul><li>Run SQL Server and IIS under non-privilege, </li></ul><ul><li>Do not use “sa” hardcoded, </li></ul><ul><li>Lock account on mainframes against brute force </li></ul><ul><li>Use minimum privileges on AD/SQL server, restrict access by IP, </li></ul><ul><li>Use proxy server for internet access, </li></ul><ul><li>Implement firewall rules </li></ul><ul><li>Ensure HSM are not responsive of any commands with PIN in the clear </li></ul>
    19. 19. Cybercrime Threat Intelligence: Attacks Against Online Bank Customers <ul><li>ZBOT THREAT INTELLIGENCE (from Secureworks article): </li></ul><ul><li>The attack vector is email spear phishing and the payload is an IFRAME browser exploit that deploys malware/spyware on the desktop </li></ul><ul><li>The malware connects back to the hacker botnet C&C for commands and configuration files targeting specific on-line banking sites </li></ul><ul><li>The targeted bank malware performs MiTM attacks against the bank customer to get banking credentials and log into the banking site and perform transactions such as wire transfers </li></ul><ul><li>A keylogger logs keystrokes and supplies them to the site by defeating fraud monitoring controls </li></ul>
    20. 20. Cybercrime Intelligence And Analysis Goals <ul><ul><li>Understand cyber threats and how they may affect your business : </li></ul></ul><ul><ul><ul><li>What cyber threats are relevant to your industry? </li></ul></ul></ul><ul><ul><li>Learn from cyber criminals motives and the most likely attack scenarios : </li></ul></ul><ul><ul><ul><li>Become your enemy ! Build the right attack tree to walk through probable attack scenarios. </li></ul></ul></ul><ul><ul><li>Plan defenses for the attack vectors being used by your enemy : </li></ul></ul><ul><ul><ul><li>Based on the likely attack patterns for each branch of the attack tree, identify which application vulnerabilities can be exploited via which attacks </li></ul></ul></ul>
    21. 21. <ul><li>Attack-Threat Tree Analysis </li></ul>
    22. 22. Threat Tree For Credit Card Attacks
    23. 23. Threat Tree For ATM Attacks
    24. 24. <ul><li>Use and Abuse Cases </li></ul>
    25. 25. Use And Abuse Cases For Multi Factor Authentication
    26. 26. Use and Abuse Cases For Logins
    27. 27. <ul><li>Attack Vector Analysis </li></ul>
    28. 28. Attack Vector Analysis <ul><li>Derive a list of attack vectors that can be used for the threat/attack analysis of the application </li></ul><ul><li>Start with code injection attacks library: </li></ul><ul><ul><li>SQL injection attacks </li></ul></ul><ul><ul><li>HTML (IFRAME) injection attacks </li></ul></ul><ul><ul><li>Script injection (e.g. cross-site scripting) attacks </li></ul></ul><ul><ul><li>Command shell injection attacks </li></ul></ul><ul><ul><li>File injection attacks </li></ul></ul><ul><ul><li>Server pages injection attacks (e.g. ASP, PHP) </li></ul></ul><ul><ul><li>Cookie poisoning attacks </li></ul></ul><ul><ul><li>XML poisoning attacks </li></ul></ul>
    29. 29. Common Code Injection Attack Vector From:
    30. 30. <ul><li>IFRAME injection (In-Line Frame Injection) </li></ul><ul><li>Browser vulnerabilities in handling iFrame tags </li></ul><ul><li>Trusted sites with malicious banner ads </li></ul><ul><li>Leverages blackhat in order to drive traffic to vulnerable sites </li></ul><ul><li>Growing attack vectors for malware propagation </li></ul><ul><li>Blackhat SEO fueled Rogue Software Campaigns. </li></ul><ul><ul><li>over 1 Million links all targeting the Ford Motor Company. </li></ul></ul><ul><li>Mislead search engines to falsely promote malicious pages to the top of the search results. </li></ul><ul><ul><li>user visits one malicious sites, </li></ul></ul><ul><ul><li>prompted to download and install a malicious &quot;codec&quot;, </li></ul></ul>Cybercrime HTML-IFRAME Injection Attack Vectors Intended Site Ad with Embedded iFrame Malicious Site
    31. 31. <ul><li>Architecture analysis via threat modeling </li></ul>
    32. 32. DFD/Architecture Threat Analysis Objectives <ul><li>Identify entry and the exit points and the access levels </li></ul><ul><li>Enumerate the threats to the application elements and map to countermeasures </li></ul><ul><li>Identify the vulnerabilities that can be exploited by threat using the most likely attack vectors </li></ul><ul><li>Select and locate countermeasures in the application architecture </li></ul>
    33. 33. Mapping DFD Components to STRIDE Threats to Find Countermeasures Access Level External Access Level Internal Access Level Restricted <ul><li>Spoofing </li></ul><ul><li>Repudiation </li></ul><ul><li>Tampering </li></ul><ul><li>Repudiation </li></ul><ul><li>Info Disclosure </li></ul><ul><li>Denial OF service </li></ul><ul><li>AuthN, Encryption </li></ul><ul><li>Digital signatures, HMAC, TS, </li></ul><ul><li>AuthN, Encryption </li></ul><ul><li>Digital signatures, HMAC, TS,AuthZ Audit </li></ul><ul><li>Encryption, AuthZ </li></ul><ul><li>Filtering, AuthN </li></ul>
    34. 34. Mapping of Threats, Attacks, Vulnerabilities and Countermeasures <SCRIPT>alert(“Cookie”+ document.cookie)</SCRIPT> Injection flaws CSRF, Insecure Direct Obj. Ref, Insecure Remote File Inclusion NSAPI/ ISAPI Filter Custom errors OR ‘1’=’1—‘, Prepared Statements/ Parameterized Queries, Store Procedures ESAPI Filtering, Server RBAC Form Tokenization XSS, SQL Injection, Information Disclosure Via errors Broken Authentication, Connection DB PWD in clear Hashed/ Salted Pwds in Storage and Transit Trusted Server To Server Authentication, SSO Trusted Authentication, Federation, Mutual Authentication Broken Authentication/ Impersonation, Lack of Synch Session Logout No PK exposed as URL parameter Encrypt Confidential PII in Storage/Transit Insecure Crypto Storage Insecure Crypto Storage &quot;../../../../etc/passwd%00&quot; Cmd=%3B+mkdir+hackerDirectory Phishing, Privacy Violations, Financial Loss Identity Theft System Compromise, Data Alteration, Destruction
    35. 35. Secure By Default Application Measures Securing The Web server: 1) Hardening and Locking 2) Secure Configuration Mgmt. 3) Auditing and Logging Securing The DB Server: 1) Hardening, remove extended store procedures 2) Enforce Access Privileges 3) Protect PII and sensitive data in storage and transit (S/ODBC) 4) Auditing and logging <ul><li>Securing The App Server: </li></ul><ul><ul><li>1) Server to server authentication </li></ul></ul><ul><ul><li>2) Message security </li></ul></ul><ul><ul><li>3) Secure Session Management, </li></ul></ul><ul><ul><li>4) Auditing & Logging </li></ul></ul>Securing The Browser 1) AV, AS, Browser updates 2) Hardening, sandboxing 3) Use EV SSL enabled browsers
    36. 36. Secure By Design Architecture Principles <ul><ul><li>Implement Authentication With Adequate Strength </li></ul></ul><ul><ul><li>Enforce Least Privilege </li></ul></ul><ul><ul><li>Protect Sensitive Data In Storage, Transit And Display </li></ul></ul><ul><ul><li>Enforce Minimal Trust </li></ul></ul><ul><ul><li>Trace and Log User Actions And Security Events </li></ul></ul><ul><ul><li>Fail Securely And Gracefully </li></ul></ul><ul><ul><li>Apply Defense in Depth </li></ul></ul><ul><ul><li>Apply Security By Default </li></ul></ul><ul><ul><li>Design For Simplicity, KISS Principle </li></ul></ul><ul><ul><li>Secure By Design, Development and Deployment </li></ul></ul><ul><ul><li>Secure As The Weakest Link </li></ul></ul><ul><ul><li>Avoid Security By Obscurity </li></ul></ul>
    37. 37. <ul><li>Mitigation strategies against cybercrime attacks </li></ul>
    38. 38.
    39. 39. Cybercrime Situational Awareness Questions <ul><li>Are your organization mitigations against threats mostly driven by security audit and compliance? </li></ul><ul><ul><li>Is compliance a factor for business risk ? </li></ul></ul><ul><ul><li>What is your appetite for risk? Is your glass half full ( 'What is BofA doing?' or 'What does Gartner say?‘) or half empty Build you (Devil's Advocate) </li></ul></ul><ul><li>Do you know HOW threats will affect your data assets? For example: </li></ul><ul><ul><li>HOW transactions can be can be abused for fraud ? </li></ul></ul><ul><ul><li>WHAT are possible ways in which you application can leak sensitive/credit card data ? </li></ul></ul>
    40. 40. Application Layer Cybercrime Threats Mitigation Strategy <ul><li>Mitigate against known threats that exploit common vulnerabilities (e.g. OWASP T10) at the application layer </li></ul><ul><li>Stay ahead of cybercrime threats : adopt cyber-intelligence and cyber threat analysis to learn about new threats and attack vectors </li></ul><ul><li>Apply Threat Modeling to new and existing applications to identify countermeasures in the application architecture </li></ul><ul><li>Drive security into applications following secure architecture design principles </li></ul>
    41. 41. Q & Q U E S T I O N S A N S W E R S