Application Security – Enterprise Strategies
   K. K. Mookhey, CISA, CISSP, CISM
   Principal Consultant




                              www.niiconsulting.com
Agenda

 The Biggest Hack in History
 How the Cookie Crumbles?
 Answers!

Speaker Introduction

  Founder & Principal Consultant, Network Intelligence
  Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009
  Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA)
  Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)
  Conducted numerous pen-tests, application security assessments, forensics, etc.

THE BIGGEST HACK IN HISTORY

Gonzalez, TJX and Heart-break-land

  >200 million credit card numbers stolen
  Heartland Payment Systems, TJX, and 2 US national retailers hacked
  Modus operandi
    Visit retail stores to understand workings
    Analyze websites for vulnerabilities
    Hack in using SQL injection
    Inject malware
    Sniff for card numbers and details
    Hide tracks

The hacker underground

  Albert Gonzalez
     a/k/a “segvec,”
     a/k/a “soupnazi,”
     a/k/a “j4guar17”

  Malware, scripts and hacked data hosted on servers in:
     Latvia
     Ukraine
     Netherlands
     New Jersey
     California

  IRC chats
     March 2007: Gonzalez “planning my second phase against Hannaford”
     December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”

Where does all this end up?

  IRC Channels
     #cc
     #ccards
     #ccinfo
     #ccpower
     #ccs
     #masterccs
     #thacc
     #thecc
     #virgincc

  Commands used on IRC
     !cardable
     !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk

TJX direct costs

  $200 million in fines/penalties
  $41 million to Visa
  $24 million to Mastercard

Cost of an incident

  $6.6 million average cost of a data breach
  From this, cost of lost business is $4.6 million
  More than $200 per compromised record

On the other hand:
  Fixing a bug costs $400 to $4000
  Cost increases exponentially as time passes

How the Cookie Crumbles




Betting blind!

  DB Name
  Table Names
  User IDs
  Table Structure
  Data




Net Result


   Enterprise Owned!




Other aspects




App2App Communication



• App2App interaction requires an authentication process
   – Calling application needs to send credentials to target
     application
• Common use cases
   – Applications and Scripts connecting to databases
   – 3rd Party Products accessing network resources
   – Job Scheduling
   – Application Server Connection Pools
   – Distributed Computing Centers
   – Application Encryption Key Management
   – ATM, Kiosks, etc.
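The credential the calling application sends to the target is where App2App authentication most often goes wrong in practice: a password hard-coded in a script or a connection-pool config, or kept in a file any local user can read. The Python below is an added example, not code from the deck or from Network Intelligence. It loads a service credential from an environment variable injected by the launcher or scheduler, falls back to a file only if that file is readable by its owner alone, and otherwise fails closed. The variable name APP_DB_PASSWORD, the file name db.cred and the function names are assumptions made for this example; the secret values are constructed.

```python
import os
import stat
import tempfile


class CredentialError(Exception):
    """Raised when a service credential cannot be obtained safely."""


def permissions_are_private(mode: int) -> bool:
    """True when no group or world permission bit is set (owner-only access)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_service_credential(path: str, env_var: str = "APP_DB_PASSWORD") -> str:
    """Obtain the credential a calling application presents to its target.

    Order of preference (both names are assumptions for this example):
      1. an environment variable injected at launch by the scheduler or a
         secret manager, so nothing sits on disk or in source control;
      2. a credential file that only the service account can read.
    Anything else fails closed: the caller gets an exception, never an
    empty string or a built-in default password.
    """
    value = os.environ.get(env_var)
    if value:
        return value
    try:
        st = os.stat(path)
    except FileNotFoundError:
        raise CredentialError(f"no credential in {env_var} and no file at {path}")
    if not permissions_are_private(stat.S_IMODE(st.st_mode)):
        raise CredentialError(f"{path} is readable by group/others; refusing to use it")
    with open(path, encoding="utf-8") as fh:
        secret = fh.read().strip()
    if not secret:
        raise CredentialError(f"{path} is empty")
    return secret


def demo() -> dict:
    """Exercise the loader against constructed files in a temporary directory."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Case 1: owner-only file, no environment variable -> accepted.
        private = os.path.join(tmp, "db.cred")
        with open(private, "w", encoding="utf-8") as fh:
            fh.write("constructed-secret-value\n")
        os.chmod(private, 0o600)
        outcomes["private_file"] = load_service_credential(private, env_var="NII_DEMO_UNSET")

        # Case 2: same content but world-readable -> refused.
        shared = os.path.join(tmp, "shared.cred")
        with open(shared, "w", encoding="utf-8") as fh:
            fh.write("leaked-secret\n")
        os.chmod(shared, 0o644)
        try:
            load_service_credential(shared, env_var="NII_DEMO_UNSET")
            outcomes["world_readable_file"] = "accepted"
        except CredentialError:
            outcomes["world_readable_file"] = "refused"

        # Case 3: launcher-injected variable wins over any file.
        os.environ["NII_DEMO_SET"] = "injected-by-launcher"
        try:
            outcomes["env_var"] = load_service_credential(shared, env_var="NII_DEMO_SET")
        finally:
            del os.environ["NII_DEMO_SET"]

        # Case 4: nothing available -> fails closed rather than returning "".
        try:
            load_service_credential(os.path.join(tmp, "missing.cred"), env_var="NII_DEMO_UNSET")
            outcomes["missing_file"] = "accepted"
        except CredentialError:
            outcomes["missing_file"] = "refused"
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The permission check relies on POSIX mode bits, so it is meaningful on Linux/Unix hosts; on other platforms the file path should be replaced by the platform's secret store. The same fail-closed shape applies to the other use cases on the slide (job schedulers, connection pools, kiosks): the consumer of the credential never proceeds with a blank or default value.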




Answers!




Technology Solutions

  Web Application Firewalls

  Privileged Identity Management Suites

  Application-Aware Firewalls

  Application-Aware SIEMs

  Database Access Management Solutions

Before we get to the technology…




Application Security – Holistic Solution

  Four phases arranged as a cycle:
    Design
    Develop/Manage
    Test
    Train

Secure Design

  Secure Designing Models

  Client Inputs

  Client Education

  Threat Modeling
    Vulnerability Classification – STRIDE
    Risk Classification – DREAD




Microsoft’s Threat Modeling Tool




Secure Coding Overview

  Secure coding isn’t taught in school

  Homeland Security's Build Security In Maturity Model (BSIMM)
  Microsoft's Security Development Lifecycle (SDL)
  OpenSAMM (Software Assurance Maturity Model)
  OWASP Secure Coding Guides

Secure Coding Principles

1. Minimize attack surface area
2. Establish secure defaults
3. Principle of least privilege
4. Principle of defense in depth
5. Fail securely
6. Don’t trust input – user or services
7. Separation of duties
8. Avoid security by obscurity
9. Keep security simple
10. Fix security issues correctly

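The "Hack in using SQL injection" step and the "Betting blind!" enumeration earlier in the deck are the failure mode principle 6 guards against, and principles 3 and 4 limit what a successful injection can reach. The Python below is an added example, not code from the deck or from Network Intelligence: it puts the vulnerable lookup beside the parameterized one over a constructed in-memory SQLite table, and uses SQLite's query_only pragma to stand in for a SELECT-only database account. The table, column names and sample rows are constructed for this example; the card values are masked placeholders.

```python
import sqlite3

# Constructed sample data standing in for a retailer's customer table;
# the card values are deliberately masked placeholders, not real numbers.
SAMPLE_ROWS = [
    (1, "alice", "4111-xxxx-xxxx-1111"),
    (2, "bob", "5500-xxxx-xxxx-0004"),
    (3, "carol", "3400-xxxxxx-x0009"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Principle 6 violated: the caller's input is spliced into the SQL text,
    so the input can change the query's structure rather than just its data."""
    sql = f"SELECT id, name FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the driver sends the value separately from the SQL
    text, so whatever the input contains is only ever compared as data."""
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)
    ).fetchall()


def make_read_only(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Principles 3 and 4: a lookup path needs read access only. With
    query_only set, a write reached through any bug on this path is refused
    by the database itself. In production this is a separate DB account
    granted SELECT only; SQLite has no accounts, so the pragma stands in."""
    conn.execute("PRAGMA query_only = ON")
    return conn


def attempt_write(conn: sqlite3.Connection) -> bool:
    """Return True if the connection allowed an UPDATE, False if it was refused."""
    try:
        conn.execute("UPDATE customers SET name = 'mallory' WHERE id = 1")
        return True
    except sqlite3.OperationalError:
        return False


def demo() -> dict:
    """Run both lookups with a benign name and with the textbook tautology
    input, then show that the read-only connection refuses writes."""
    tautology = "' OR '1'='1"
    conn = build_db()
    results = {
        "benign_vulnerable": lookup_vulnerable(conn, "alice"),
        "benign_parameterized": lookup_parameterized(conn, "alice"),
        # Spliced in, the input turns WHERE name = '' OR '1'='1' into "every row".
        "injected_vulnerable": len(lookup_vulnerable(conn, tautology)),
        # Passed as a parameter, the same string is just a name nobody has.
        "injected_parameterized": len(lookup_parameterized(conn, tautology)),
    }
    results["write_on_read_only"] = attempt_write(make_read_only(conn))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two lookups behave identically on honest input, which is why the defect survives functional testing; only the parameterized version keeps the query's shape fixed. The read-only connection does not fix the injection, it bounds the damage, which is the point of layering principle 3 and 4 under principle 6.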
Vendor Management

 Big names != Good security

 Contractual weaknesses

 Lack of vendor oversight

 No penalties for blatantly buggy code!




Secure Hosting

  Web Security
     Secured web server
     Secured application server – all components
     Web application firewalls

  Database Security
     Security Patches
     Users and Roles
     Access Control
     Logging
     Password Security
     Database Table Encryption
     Data Masking

  OS Security
     Security Patches
     Users and Groups
     Access Control
     Security Policies
     Secured Login
     Logging

Secure Testing

  Security testing options
     Blackbox
     Greybox
     Whitebox
     Source Code Review
  OWASP Top Ten (www.owasp.org)
  OWASP Testing Guide

  Tools of the trade
     Open source – Wikto, Paros, Webscarab, Firefox plugins
     Commercial – Acunetix, Cenzic, Netsparker, Burpsuite

Training

  Back to basics

  Natural thought process

  Look at larger picture

  Make it fun

  Giving back to the community


Application Security Vision

  Four phases arranged as a cycle:
    Design
    Develop/Manage
    Test
    Train

Questions?

  Thank you!            kkmookhey@niiconsulting.com

  Information Security Consulting Services
  Institute of Information Security

