The document discusses the rise of threat analysis and fall of compliance in mitigating web application security risks. It argues that while regulatory compliance aims to improve security, many compliant organizations have still suffered major data breaches. The document advocates applying threat modeling techniques like attack tree analysis to understand likely cybercrime threats and how they could exploit vulnerabilities. This helps identify targeted security measures to implement in applications and architecture.
Top Cybersecurity Threats and How SIEM Protects Against ThemSBWebinars
Everyone has become increasingly aware of the danger hackers pose—they can steal data, dismantle systems, and cause damage that can take years to recover from. However, organizations often have a false sense of safety when it comes to their security environments. There are countless ways that businesses are making it easier for a threat actor to find their way in undetected.
Join cybersecurity expert Bob Erdman, senior security product manager, as he outlines the most common ways organizations unintentionally put themselves at risk against threats like:
Insider attacks
Alert and console fatigue
Shortage of security staff
Misconfigurations
Excessive access
By better understanding what and where the challenges are, organizations can be better equipped to find solutions. This webinar will also highlight different strategies for mitigating risk, from specific Security Information and Event Management (SIEM) tools to employee education.
NIST Cybersecurity Framework is voluntary framework to support the emerging needs for having robust and effective cyber security practices across an enterprise. This presentation recaps the Framework 6 months into implementation and along with changes. Also, discusses the capabilities of TrustedAgent GRC to accelerate and strengthen the implementation of an effective cybersecurity program by automating or addressing many of the practices required by the framework.
SOC presentation- Building a Security Operations CenterMichael Nickle
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
Top Cybersecurity Threats and How SIEM Protects Against ThemSBWebinars
Everyone has become increasingly aware of the danger hackers pose—they can steal data, dismantle systems, and cause damage that can take years to recover from. However, organizations often have a false sense of safety when it comes to their security environments. There are countless ways that businesses are making it easier for a threat actor to find their way in undetected.
Join cybersecurity expert Bob Erdman, senior security product manager, as he outlines the most common ways organizations unintentionally put themselves at risk against threats like:
Insider attacks
Alert and console fatigue
Shortage of security staff
Misconfigurations
Excessive access
By better understanding what and where the challenges are, organizations can be better equipped to find solutions. This webinar will also highlight different strategies for mitigating risk, from specific Security Information and Event Management (SIEM) tools to employee education.
NIST Cybersecurity Framework is voluntary framework to support the emerging needs for having robust and effective cyber security practices across an enterprise. This presentation recaps the Framework 6 months into implementation and along with changes. Also, discusses the capabilities of TrustedAgent GRC to accelerate and strengthen the implementation of an effective cybersecurity program by automating or addressing many of the practices required by the framework.
SOC presentation- Building a Security Operations CenterMichael Nickle
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
Cyber threat intelligence: maturity and metricsMark Arena
From SANS Cyber Threat Intelligence Summit 2016. What are the characteristics of a mature cyber threat intelligence program, and how do you develop meaningful metrics? Traditionally, intelligence has been about providing decision
support to executives whilst the field of cyber threat intelligence supports this customer, and network defenders, who have different requirements. By using the intelligence cycle, this talk will
seek to help attendees understand how they can identify what a mature intelligence program looks like and the steps to take their program to the next level.
Artificial Intelligence Large Language Models (LLM) and Machine Learning (ML) Application Security Threats and Defenses. OWASP Top Tens for LLM and ML along with software development attack preventative best practices.
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
Cyber Security is one of the major challenges facing organisations within all industries. This presentation will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) and propose a generic framework.
Download this presentation at http://opengroup.co.za/presentations
MITRE ATT&CK framework is about the framework that is followed by Threat Hunters, Threat Analysts for Threat Modelling purpose, which can be use for Adversary Emulation and Attack Defense. Cybersecurity Analyst widely use it for framing the attack through its various used Tactics and Techniques.
Identity and Access Management (IAM) is a crucial part of living in a connected world. It involves managing multiple identities of an individual or entity, distributed across disparate portals. In an enterprise, IAM solutions serve as a mean to secure access, control user activities and manage authentication for an App or a group of software (infrastructure).
This detailed PowerPoint brings you the most fundamental concepts and ideas related to identity and access management. Plus, we have debunked some popular IAM myths, so do checkout!
Cloud Security using NIST guidelines, using NIST Cloud Computing Security Reference Architecture
(NIST SP 500-299), NIST Cloud
Computing Reference Architecture (NIST SP 500-292), NIST's Guide for Applying the Risk Management Framework to Federal Information Systems (NIST SP 800-37)
Control physical and logical access to assets, Manage identification and authentication of people and devices, Integrate identity as a service (e.g., cloud identity),
Integrate third-party identity services (e.g., on-premise), Implement and manage authorization mechanisms, Prevent or mitigate access control attacks, Manage the identity and access provisioning life cycle (e.g., provisioning, review)
Presentation talks about introduction to MITRE ATT&CK Framework, different use cases, pitfalls to take care about.. Talk was delivered @Null Bangalore and @OWASP Bangalore chapter on 15th February 2019.
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
You own a SIEM, but to be secure, you need a Security Operations Center! How do you cross the chasm? Do you hire staff or outsource? And what skills are needed? Mike Ostrowski, a cybersecurity industry veteran, will review common pitfalls experienced through the journey from SIEM to SOC, the pros and cons of an all in-house SOC vs. outsourcing, and the benefits of a hybrid SOC model.
Learning Objectives:
1: You own a SIEM, but to be secure, you need a SOC. How do you cross the chasm?
2: What are the pros and cons of in-house, fully managed and hybrid security?
3: What considerations go into deciding whether to employ a hybrid strategy?
(Source: RSA Conference USA 2018)
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...PECB
According to Technavio's latest market research report, the data security market value will grow by $2.85 Billion during 2021-2025.
To secure their data, organizations can use the CIA triad, a data security model developed to help the data security market and people deal with various IT security parts.
The webinar covers
• Overview Of CIA
• Description of Data Governance vs Information Security vs Privacy
• Relationship of CIA to Data Governance
• Relationship of CIA to Information Security
• Relationship of CIA to Privacy
• How to Implement and Maintain the CIA model (e.g., PDCA, etc.)
Presenters:
Anthony English
Our presenter for this webinar is Anthony English, one of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
Date: November 17, 2021
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Youtube video: https://youtu.be/eA8uQhdLZpw
Website link: https://pecb.com/
Application Security Architecture and Threat ModellingPriyanka Aash
95% of attacks are against “Web Servers and Web Applications”
Security Architecture and SDLC
3 Tier – Web App Architecture
Would you trust the code?
Traditional SDLC
Secure SDLC
SAST vs. DAST
Cyber threat intelligence: maturity and metricsMark Arena
From SANS Cyber Threat Intelligence Summit 2016. What are the characteristics of a mature cyber threat intelligence program, and how do you develop meaningful metrics? Traditionally, intelligence has been about providing decision
support to executives whilst the field of cyber threat intelligence supports this customer, and network defenders, who have different requirements. By using the intelligence cycle, this talk will
seek to help attendees understand how they can identify what a mature intelligence program looks like and the steps to take their program to the next level.
Artificial Intelligence Large Language Models (LLM) and Machine Learning (ML) Application Security Threats and Defenses. OWASP Top Tens for LLM and ML along with software development attack preventative best practices.
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
Cyber Security is one of the major challenges facing organisations within all industries. This presentation will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) and propose a generic framework.
Download this presentation at http://opengroup.co.za/presentations
MITRE ATT&CK framework is about the framework that is followed by Threat Hunters, Threat Analysts for Threat Modelling purpose, which can be use for Adversary Emulation and Attack Defense. Cybersecurity Analyst widely use it for framing the attack through its various used Tactics and Techniques.
Identity and Access Management (IAM) is a crucial part of living in a connected world. It involves managing multiple identities of an individual or entity, distributed across disparate portals. In an enterprise, IAM solutions serve as a mean to secure access, control user activities and manage authentication for an App or a group of software (infrastructure).
This detailed PowerPoint brings you the most fundamental concepts and ideas related to identity and access management. Plus, we have debunked some popular IAM myths, so do checkout!
Cloud Security using NIST guidelines, using NIST Cloud Computing Security Reference Architecture
(NIST SP 500-299), NIST Cloud
Computing Reference Architecture (NIST SP 500-292), NIST's Guide for Applying the Risk Management Framework to Federal Information Systems (NIST SP 800-37)
Control physical and logical access to assets, Manage identification and authentication of people and devices, Integrate identity as a service (e.g., cloud identity),
Integrate third-party identity services (e.g., on-premise), Implement and manage authorization mechanisms, Prevent or mitigate access control attacks, Manage the identity and access provisioning life cycle (e.g., provisioning, review)
Presentation talks about introduction to MITRE ATT&CK Framework, different use cases, pitfalls to take care about.. Talk was delivered @Null Bangalore and @OWASP Bangalore chapter on 15th February 2019.
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
You own a SIEM, but to be secure, you need a Security Operations Center! How do you cross the chasm? Do you hire staff or outsource? And what skills are needed? Mike Ostrowski, a cybersecurity industry veteran, will review common pitfalls experienced through the journey from SIEM to SOC, the pros and cons of an all in-house SOC vs. outsourcing, and the benefits of a hybrid SOC model.
Learning Objectives:
1: You own a SIEM, but to be secure, you need a SOC. How do you cross the chasm?
2: What are the pros and cons of in-house, fully managed and hybrid security?
3: What considerations go into deciding whether to employ a hybrid strategy?
(Source: RSA Conference USA 2018)
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...PECB
According to Technavio's latest market research report, the data security market value will grow by $2.85 Billion during 2021-2025.
To secure their data, organizations can use the CIA triad, a data security model developed to help the data security market and people deal with various IT security parts.
The webinar covers
• Overview Of CIA
• Description of Data Governance vs Information Security vs Privacy
• Relationship of CIA to Data Governance
• Relationship of CIA to Information Security
• Relationship of CIA to Privacy
• How to Implement and Maintain the CIA model (e.g., PDCA, etc.)
Presenters:
Anthony English
Our presenter for this webinar is Anthony English, one of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
Date: November 17, 2021
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Youtube video: https://youtu.be/eA8uQhdLZpw
Website link: https://pecb.com/
Application Security Architecture and Threat ModellingPriyanka Aash
95% of attacks are against “Web Servers and Web Applications”
Security Architecture and SDLC
3 Tier – Web App Architecture
Would you trust the code?
Traditional SDLC
Secure SDLC
SAST vs. DAST
How Can I Reduce The Risk Of A Cyber-Attack?Osei Fortune
A professional guide to reducing the risks of a cyber attack on your business. A professionally written article that would be suitable for a technical IT blog.
A Multidimensional View of Critical Web Application Security Risks: A Novel '...Cognizant
An actionable guide for website application developers to successfully ward off threats to vulnerabilities in a range of functionalities: user authentication, payment records, cross-site scripting, search, registration, file loading and privilege escalation.
Banking and Modern Payments System Security AnalysisCSCJournals
Cyber-criminals have benefited from on-line banking (OB), regardless of the extensive research on financial cyber-security. To better be prepared for what the future might bring, we try to predict how hacking tools might evolve. We briefly survey the state-of-the-art tools developed by black- hat hackers and conclude that they could be automated dramatically. To demonstrate the feasibility of our predictions and prove that many two-factor authentication schemes can be bypassed, we have analyzed banking and modern payments system security.
In this research we will review different payment protocols and security methods that are being used to run banking systems. We will survey some of the popular systems that are being used today, with a deeper focus on the Chips, cards, NFC, authentication etc. In addition, we will also discuss the weaknesses in the systems that can compromise the customer's trust.
WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)Jeremiah Grossman
The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006.
The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.
WhiteHat issues continued installments of the Website Security Statistics Report on a quarterly basis. To ensure the report remains useful and relevant, WhiteHat incorporates feedback and ideas from leading industry thought leaders and influencers. Based on feedback already received, the latest report includes: comparing vulnerability prevalence by severity, top ten vulnerability classes sorted by percentage likelihood and an outline of the types of technology typically encountered during WhiteHat vulnerability assessments mapped with the associated vulnerability percentage breakdown.
Since the advent of the Internet, cybersecurity has been handed new challenges due to the massively expanded accessibility and interconnectedness of the web. Where once security was considered to be dealt with in a multi-layered manner, now those layers are so fuzzy and expanded as to no longer exist.
By United Security Providers
Cybersecurity in BFSI - Top Threats & Importancemanoharparakh
Cybersecurity has been the major area of concern throughout 2022 and now 2023 is all set to witness a new version of cyber-attacks with advanced technologies.
Risk Analysis Of Banking Malware AttacksMarco Morana
Analysis of How Banking Malware Like Zeus Exploit Weakenesses In On-Line Banking Applications and Security Controls. This prezo is a walkthrough the attack scenarion, the attack vectors, the vulnerability exploits and the techniques to model the threats so that countermeasures can be identified
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Security Compliance Web Application Risk Management
1. The Rise of Threat Analysis and the Fall of Compliance in Mitigating Web Application Security Risks Marco Morana OWASP Cincinnati Chapter Lead [email_address] Tony Ucedavelez OWASP Atlanta Chapter Lead [email_address] LA and OC Chapters Sept 2009 Meetings
2.
3.
4. Biggest Fraud in History 170 million card and ATM numbers used sql injection and packet sniffers Companies mentioned in the indictments (3) include: TJX Companies Heartland Payment Systems (HPY) Hannaford Bros
5.
6.
7. PCI DSS: Protection of CCH and Sensitive Credit Card Authentication Data [PCI-DSS] 3.2 Do not store sensitive authentication data subsequent to authorization (even if encrypted) [PCI-DSS] 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). [PCI-DSS] 3.4 Render PAN , at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs)
29. Common Code Injection Attack Vector From: www.technicalinfo.net/papers/Phishing.html
30.
31.
32.
33.
34. Mapping of Threats, Attacks, Vulnerabilities and Countermeasures <SCRIPT>alert(“Cookie”+ document.cookie)</SCRIPT> Injection flaws CSRF, Insecure Direct Obj. Ref, Insecure Remote File Inclusion NSAPI/ ISAPI Filter Custom errors OR ‘1’=’1—‘, Prepared Statements/ Parameterized Queries, Store Procedures ESAPI Filtering, Server RBAC Form Tokenization XSS, SQL Injection, Information Disclosure Via errors Broken Authentication, Connection DB PWD in clear Hashed/ Salted Pwds in Storage and Transit Trusted Server To Server Authentication, SSO Trusted Authentication, Federation, Mutual Authentication Broken Authentication/ Impersonation, Lack of Synch Session Logout No PK exposed as URL parameter Encrypt Confidential PII in Storage/Transit Insecure Crypto Storage Insecure Crypto Storage "../../../../etc/passwd%00" Cmd=%3B+mkdir+hackerDirectory http://www.abc.com?RoleID Phishing, Privacy Violations, Financial Loss Identity Theft System Compromise, Data Alteration, Destruction
We take a critical view of security driven by compliance in view of the increased threat of identify theft and credit card fraud We will talk about modeling threats and how can be used to learn how to mitigate cybercrime threats such as attack trees, use and misuse cases, attack vector analysis and data flow and data flow/architectural analysis Finally we will provide some mitigation strategies against cybercrime attacks
Heartland Payment Systems (HPY) data breach: 130 Credit Card Accounts Exploited SQL Injection vulnerabilities to install malware (Hannaford 9/07, Company A & B on 1/08) Used “wardriving” and installed sniffers Acted ad member of a Cybercrime gang Profited from the sale of ACC#, PINs to fake credit cards and commit ATM fraud Engaged in money laundering
On PCI compliance: http://www.thetechherald.com/article.php/200905/2849/Does-the-Heartland-breach-prove-PCI-useless Visa and MasterCard raised some red flags and alerted Heartland to suspicious transactions. After an audit, Heartland uncovered Malware (the data-sniffing kind) that allowed thieves to capture credit or debit-card numbers, expiration dates, and in some cases the cardholder’s name. Heartland was, at the time of the breach, and currently is, PCI compliant. It passed an inspection in April of 2008; this fact only serves to stress the point that PCI compliance does not equal security. The company that certified them, Trustwave, is established as a QSA (Qualified Security Assessors). If you wanted to lay blame on Trustwave for the breach, you would be hard-pressed to prove it. A QSA can only ensure that a company meets or exceeds the requirements of PCI compliance. No QSA can ensure or promise that a company it assesses for is completely secure and defended against attack. Card systems had 40 ML Breach prior PCI being mandatory Customer portal exploited via SQL injection
Compliance drive security from stick perspective with audit fines and restrictions. The cost also of intangible reputation since information disclosures In the case of TJX maxx for example a credit card processor was fined 800,000 USD because of lack of security controls by VISA nevertheless some times it is cheaper to pay the fine rather then implement the controls
PCI DSS brings precision, but with FUD: Greater detail surrounding technical/ non-tech security requirements Cardholder data such as PAN need to be masked in display and need to be protected in storage and transit with encryption, the same for card holder data and expiration data on the card Track 2 data that include CVV2, PINs cannot be stored even if encrypted
The reality is that there is a market for bank account and credit card information in the black economy
A similar math can be factored using Van Geer data of 4.5% of data loss probability (FTC 2003 data) x 655 $/person cost Can we correlate this losses somehow, the cost for loss with the fact that among all breaches 13 % are from wbe and 19% use SQL injection attack vectors you can come out with 0.025 that is 2.5 % as the probability that an identify theft will occurr through the web channel because of a SQL injection attack. The cost is the cost per incident x record loss for internal (pokemon is 200 $) or you can just factor the cost per re-issance of the card This multipled for the cost per incident/records you can came out with 241 ML for 14 million records for 130 ML is 2.5 BILLION According to the case in NJ SQL injection is considered cause of Hannaford http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf http://www.securecomputing.net.au/Tools/Print.aspx?CIID=103302 Assume that according that 2003 FTC data the potential loss per identity theft incident is $ 655 per incident. Assume you are serving via your web site a population of 4 million customers, the potential loss of losing your customer data such as credit card accounts for example would be of $ 2,6 Billion and with probability of identity theft occurrence of 4.6 % (also FTC data) the projected loss for your company could be $ 120 ML for which 14% or $ 16 ML would be the cost of data losses via the web channel alone.
It is important not to confuse compliance with security and confusing compliance risk (that is fines, liability risks) with real risks that include all the above. Security is people process and technology and compliance just addresses on component. So the question is do we place the effort and the right focus?
From the risk perspective compliance is a business risk and secondary to accessing the risk factors of likelihood and impact of a threat against the cost of preventing and mitigating a threat. If you think about 1) the cost of compliance is in essence like the cost of implementing a countermeasure vs the cost of the loss. Compliance risks are minimum requirements and in the risk equation cost less then the cost of a potential security breach,
The areas are the threat surface that is at which extent you can mitigate known threats by identifying vulnerabilities and remediating them The areas represents the threat space, you are as secure as the threat you know. For example tools and standards compliance can capture at maximum 40 % of all potential vulnerabilities, the light blue area represents all risks known and unknown and the green area represents the threat modeling activities that can be used to tackle 75-80% of all potential issues
In same cases the cyber attack vectors are reported step by step Use &quot;xp_cmdshell“ to download hacker tools to the compromised MSSQL server. Obtain valid Windows credentials by using fgdump Install network &quot;sniffers&quot; to identify card data and systems involved in processing credit card transactions. Install backdoors that &quot;beacon&quot; periodically to their command and control servers Target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs. Use WinRAR to compress the information they pilfer from the compromised networks.
Botnet attack bank customers using malware that perform MITM. The attack vector is email phishing (lure to accept an offer for free software) and delivered via hidden frames Once it knows the banksite and gets user credentials from the user, it will do the attack without the user knowing using automated script that can perform wire transfers and supply all the extra data as required such as SSN, S/W OTP. It will simulate all user keystrokes and simulate being an attack from valid browser Botnet-controlled Trojan robbing online bank customers Security firm says malware targeting commercial customers believed to have come from Russia By Ellen Messmer , Network World , 12/13/2007 Share/Email Tweet This 1 Comment Print A new variant on the &quot;Prg Banking Trojan&quot; malware discovered in June is stealing funds from commercial accounts in the United States, United Kingdom, Spain and Italy with a botnet called Zbot, says Atlanta-based SecureWorks . &quot;It's been very successful since we've first seen this at the end of November,&quot; says Don Jackson, senior security researcher at SecureWorks, which believes the Prg Trojan variant is designed by the Russian hackers group known as Russian UpLevel working with some German affiliates. Manage Security and Compliance in an Adverse Economy in 2009 and Beyond: View now &quot;The Trojan has the ability to use a man-in-the-middle attack, a kind of shoulder-surfing when someone logs into a bank account. It can inject a request for a Social Security number or other information, and it's very dynamic . It’s targeted for each specific bank.&quot; SecureWorks says about a dozen banks -- which it wouldn't identify because it says the U.S. Secret Service is investigating the incidents -- have had their commercial customers affected by the Trojan-based money fraud operation. According to SecureWorks, the bank Trojan malware can be distributed using iFrame exploits on Web sites or through very targeted attacks against bank customers via phishing . Oftentimes, the phishing e-mail attempts to lure the victim into clicking on a site to offer software disguised as a real certificate, security code or soft token, the company says, adding that it has uncovered caches of stolen data in its research. If the attacker succeeds in getting the Trojan malware onto the victim's computer, he can piggyback on a session of online banking without even having to use the victim's name and password. The infected computer communicates back to the Trojan's command-and-controller exactly which bank the victim has an account with. It then automatically feeds code that tells the Trojan how to mimic actual online transactions with a particular bank to do wire transfers or bill payments SecureWorks says the Trojan performs keystrokes that imitate the victim's keystrokes to avoid any online fraud-monitoring. Although the Secret Service is investigating the Trojan's impact on banks and their customers, Jackson says Russian law authorities are lax in reining in online criminal groups widely believed to be operating from Russia, including Russian UpLevel and the Russian Business Network .
What cyber threats are relevant to your industry? Peel the threat onion (industry, geographic, local market, overall business, branch) Are you looking at outdated cyber threats?
Most of cybercrime attacks target both the browser and the web application. You are as secure as the weakest link and the weakest link is always the human element, so phishing and social engineering is the easier way to get CC data directly from a user. Other attacks use drive by download to install malware to perform MITM, clickjacking or man in the browser attacks exploit browser vulnerabilities and in the exeuctable content (browser plugins, adobe and macromedia flash, activex controls) From the web application pespective the attacks can exploit SQL injection vulnerabilities to upload sniffers, get the data by altering the query, attack the weak encryption and attack session such as using session fixaction, hijacking the session in transit or being cached logged
You can attack an ATM to commit fraud in many ways, one is by exploiting weakenesses in the ATM network like the DOS slammer. To forge a card you need CIN, PIN, CVV track 1 and 2 data you get them by using a skimming device, or buy cardholder and sensitivre CC data online, getting this data by banking sites that use ATM and CC to validate the customers in certain transactions, spear phising, exploit ATM vulnerabilitiees
This can be used to evaluate the strenght of security controls against known attacks. This is very high level representations. Diagrams of this kind can be used to evaluate coutnermeasues
Definition : Defining use and abuse cases is the foundation of the security requirement phase in which security requirements are developed. Abuse cases are instrumental to elicit requirements for security controls to mitigate potential risks. The scope of such activity is to gather functional requirements from business analysts, security governance team members, project managers and risk analysts to document the expected functionality for the application and the security controls based upon the defined use cases (positive requirements) as well as the abuse cases (negative requirements)..
In the example herein a malicious page is injected in the original page. Attack of this nature can exploit unvalidated URLs to executed within the legitimate frame and delivered to the victim via phishing, or can reflect script that when execute evil code such as a keylogger or spyware to steal cookies and other information stored on the browser.
Identify entry and the exit points and the access levels (anonymous, user authenticated, administrator, super-user) required to access the different critical components (data, services) being identified in the DFDs Enumerate the threats to the application elements by using the DFD as basis for the threat analysis by using the STRIDE (Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege) per element technique Identify the most likely attack vectors and how can impact the application from the entry points of the application and the end to end data flow visualized in the DFD and how these can exploit weaknesses (vulnerabilities) across authorization, authentication, secure communication channels as well as misuse the application functionality to cause undesirable results Identify mitigations (countermeasures) to the previously identified attack vectors and to locate them within function level (DFD level 2) diagram. Use the ASF (Application Security Frame) threat-vulnerability-countermeasure mapping (authentication, authorization, session management, data protection, data validation, error and exception handling, auditing and logging, configuration management) to indentify locate countermeasures for the DFD processes and the various DFD elements.
Threat modeling for multi-channel fraud threat scenarios
Learn to identify the most likely attacks by taking into consideration the potential opportunities for an attacker/malicious user to exploit: The application accessibility (internet, intranet, extranet) The value of the data (business sensitive, confidential PII) The gaps and weaknesses in the authentication being used (none, single authentication, multifactor, secondary) The level of authorization required to interact with the application (authenticated and non-authenticated users, administrators) and the data The potential client and server vulnerabilities because of their type function : Browser-Client Executables, Web server-Web Forms, Web Services, Application server-Dynamic Web Pages DB Access, Middleware-Messaging Backend Service Access, Databases The potential vulnerabilities due to the inherent risk of the software technology/framework and programming language being used: AJAX, JavaScript, J2EE, .NET 3.5, C/C++, Adobe Flash/RIA The exposure to the data in transit because of the inherent risks of communication protocols used: HTTP/S,XML, SOAP, Message Queues, Chat/IRC, email SMTP/POP
A lot of vulnerabilities are due to unsecure configuration
Ideally the next step is to drive security by design according to basic principles the challenge is make these principles Actionable and not a checklist. This is where compliance should be focusing on the spirit of the law rather then the letter of the low. The OWASP guidelines just do that translate this principles in actionable items for architects and developers and testers
Cyber crime threats and application countermeasures via threat modeling The presentation will also demonstrate how threat modeling is capable of delivering critical business functions as well as in mitigating current and future cyber attacks, such as distributed denial of service, botnet driven-malware, spear phishing techniques, and more attacks that ultimately lead to identity and credit card fraud.