JM
Uploaded byJaime Manteiga
PPTX, PDF75 views

What Makes Web Applications Desirable For Hackers

Unethical hackers target web applications for several reasons including financial gain, ideology, fun, and espionage. They communicate and sell stolen data on dark web forums using cryptocurrency, with some data selling for as little as $10. To protect applications, developers should follow best practices like the OWASP Top 10, implement web application firewalls, conduct security scans and assessments, and formalize a secure software development lifecycle.

Embed presentation

Download to read offline
1 WHAT MAKES WEB APPLICATIONS DESIRABLE FOR HACKERS How To Protect Yours CTO / Co-Founder at Venkon JAIME MANTEIGA
2 Agenda 01 02 03 To protect your applications, it is essential to know "how" web application hacking techniques work. What Techniques Do Attackers Use? Data is the new "gold" and hackers know that — a glance into dark web markets. What’s The Value Of Stolen Data? — How They Make Money Before asking the “how” it’s important to know the “why”. What Motivates Unethical Hackers? 04Understanding and thinking like an attacker will give us a new perspective on how to improve our web security posture. How Can We Protect Ourselves? 05Sources and citations. References 06Share your thoughts, fears, and doubts. Questions?
3 Introduction What Makes Web Applications Desirable For Hackers — How To Protect Yours Jaime Manteiga is a dynamic Information Security Professional and Researcher who assists organizations across the world by improving their information security posture and cybersecurity challenges. Additionally, Jaime Manteiga as an Information Security Researcher holds public recognition from organizations such as Tesla, Shopify, United Airlines and Spotify for helping them to identify and mitigate information security flaws. Bio @JaimeManteiga Active Social Media Networks: Get in touch CTO / Co-Founder at Venkon JAIME MANTEIGA @JaimeManteiga https://www.linkedin.com/in/jaimemanteiga/ https://medium.com/@jaime.manteiga jaime.manteiga@Venkon.us
4 There are hundreds of methods hackers can use to take advantage of the security vulnerabilities in your applications, but there are just a few reasons to do it. These are the top motives in descending order: Motivation IDEOLOGY FUN ESPIONAGE FINANCIAL GAIN What Motivates Unethical Hackers? Before asking the “how” it’s important to know the “why” * Sources of the stats will be exhibited at the references slide
5 What Motivates Unethical Hackers? Cybersecurity Breaches, Costs and Facts * Sources of the stats will be exhibited at the references slide 2016 2017 2018 Marriott Hacking Exposes Data of Up to 500 Million Guests. Including names, addresses, dates of birth, passport numbers, email addresses and phone numbers Marriott Hotels In 2016, 3 billion Yahoo accounts were hacked in one of the biggest breaches of all time. Yahoo Uber reported that hackers stole the information of over 57 million riders and drivers. Uber The average cost of a cybersecurity attack on a company is $2.4 million. Under Armour reported that its “My Fitness Pal” was hacked, affecting 150 million users. Under Armour 147.9 million consumers were affected by the Equifax Breach. Equifax  In 2017, cyber crime costs accelerated with organizations spending nearly 23 percent more than 2016 — on average about $11.7 million  The most expensive component of a cyber attack is information loss, which represents 43 percent of costs  The average cost per lost or stolen records per individual is $141 — but that cost varies per country. Breaches are most expensive in the United States ($225) and Canada ($190)  In companies with over 50k compromised records, the average cost of a data breach is $6.3 million  Damage related to cybercrime is projected to hit $6 trillion annually by 2021
6 What Motivates Unethical Hackers? Marriott Hotels Security Breach Nov. 30, 2018 Marriott Breach Exposes Data of Up to 500 Million Guests. The hotel chain said that personal details including names, addresses, dates of birth, passport numbers, email addresses and phone numbers for hundreds of millions of guests may have been compromised. In the United States, the New York Attorney General's office said it had opened an investigation into the data breach. Marriott's (MAR) stock is plunging on the news, falling more than 6% in trading. The combined company has 6,700 properties in more than 129 countries. The next figure illustrates how the stock value was sinking after the incident. Overview
7 Hacking web applications is nothing new, but the methods used by attackers are constantly changing. There are several factors to determine which techniques an attacker can attempt to use in order to compromise your application — such as, programming language, web server version, server operative system, database type, etc. Hence, there is no -one answer- to determine which method they will use to compromise your application. The following illustration represents the paths that attackers can use to discover weaknesses; sometimes it takes multiples paths to compromise an application, depending on its complexity. What Techniques Do Attackers Use?
8What Techniques Do Attackers Use? OWASP TOP 10 Explained A1 - Injection A2 - Broken Authentication A3 - Sensitive Data A4 - XMLExternal Entities (XXE) A5 - Broken AccessControl A6 - Security Misconf guration A7 - Cross-SiteScripting (XSS) A8 - Insecure Deserialization A9 - Using Componentswith Known Vulnerabilities A10 - Insuf cient Logging &Monitoring We summarized a list of the most critical web application security risks following OWASP Top 10 (Open Web Application Security Project). This list focuses on identifying the most serious web application security risks for a broad array of organizations and industries.
9 A2 A1 A3 A4 INJECTION Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. What Techniques Do Attackers Use? OWASP TOP 10 Explained Part 1 A5 Mixer BROKEN AUTHENTICATION Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. . SENSITIVE DATA EXPOSURE Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. XML EXTERNAL ENTITIES (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. BROKEN ACCESS CONTROL Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
10 A7 A6 A8 A9 SECURITY MISCONFIGURATION Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. What Techniques Do Attackers Use? OWASP TOP 10 Explained Part 2 A10 Mixer CROSS-SITE SCRIPTING (XSS) XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. INSECURE DESERIALIZATION Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. USING COMPONENTS WITH KNOWN VULNERABILITIES Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. INSUFFICIENT LOGGING & MONITORING Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
11 We already know that the principal motivation for hackers is the financial gain — to know more in detail how much money they make, and how they sell the stolen data, we have to examine their communication channels. There are several ways for hackers to communicate, sell and exchange, but the most used is the "TOR Network," also known as "dark web or deep web." Simply put, TOR is an uncensored internet network principally used by cybercriminals. What’s The Value Of Stolen Data How They Make Money
12 Dark Web Forums are one of the places where cybercriminals trade their goods. They use underground forums as a safe interface to advertise their products and services. It is extremely challenging to get access to most of these forums since they require extensive vetting and trust from other cybercriminals. For this presentation, we took a “safe dive” into the dark web with the purpose of examining cybercriminals trading methods: What’s The Value Of Stolen Data How They Make Money Taking a Dive Into The “Deep Web” Figure 1 – Most of the forums were either taken down or seized by international organizations such as FBI, Interpol, Europol, and the DEA. It is pleasing to find that international government collaboration is in place to protect us from cybercriminals.
13 What’s The Value Of Stolen Data How They Make Money Taking a Dive Into The “Deep Web” Figure 2 – As previously mentioned, it is tough to get access to these forums. The figure above lists the rules to access the "unrestricted areas" of this forum.
14 What’s The Value Of Stolen Data How They Make Money Taking a Dive Into The “Deep Web” Figure 3 – We found another forum that used to have “free registration” — now you are required to be invited by a current member and pay a membership fee.
15 What’s The Value Of Stolen Data How They Make Money Taking a Dive Into The “Deep Web” Figure 4 – After an intensive research period, we were able to get access into one of the least used marketplace forums for cybercriminals. In this figure, we can appreciate a few things: 1. The principal payment method used by cybercriminals is the cryptocurrency Bitcoin. 2. Stolen data is somewhat cheaper than expected: ~ $10 USD dollars for millions of stolen Dropbox records. 3. Cybercriminal Marketplaces are mostly organized. This database appears to be from the security breach reported by Dropbox in 2016 — back then cybercriminals were selling this information for around $1500 USD.
16 What’s The Value Of Stolen Data How They Make Money Taking a Dive Into The “Deep Web” After our investigation in the deep web, we concluded that cybercriminals find very valuable and profitable our web applications. Below is a list of the most offered services by cybercriminals: This method provides direct access to your application which allows them to resell it. Web Shells They modify the integrity of the code to distribute malware to the users using an Exploit Kit. Distributed Malware For applications handling payments, a code captures the entered credit card data and then stores it in some local file for the hackers to access. Credit Card Scraping Installing a JS code in your application will allow the cybercriminals to start mining cryptocurrencies for them. Crypto mining They sell traffic redirection of your applications to other cybercriminals. Redirecting Traffic They download a copy of the database to categorize and sell the information afterward. Database CYBERCRIMINALS MARKETPLACE FOR WEB APPLICATIONS
17 Unethical hackers are restlessly trying to compromise web applications, and if we don't want to become one of their victims posted on the dark web, we must ensure that our systems are appropriately secured. There is more profitability in our web applications than we expected, even if no valuable data is present. Cybercriminals will use compromised web apps for a variety of things — needless to say, all actions of cybercriminals regarding our apps will affect us significantly. How can we protect ourselves? Sadly, there is no "one-answer," it depends on several factors that apply to specific requirements of your application and organization. The good news is, as we previously mentioned OWASP (Open Web Application Security Project) has an updated guideline created by industry experts and leading organizations to ensure your application is properly secured. Below are some recommended steps for improvements: How Can We Protect Ourselves? Recommendations For Improvements OWASP have countless guidelines and best practices documentation to improve your applications overall security posture. OWASP This is the best foundation when testing for security issues. Ensure that your tests follow this methodology. OWASP TOP 10 Formalize a process to perform regular automated and manual security scans. Security Scanning Reduce security issues and raise the overall security level for every stage of your application development. Formalize a Software Development Lifecycle (SDLC) WAF applies deep packet inspection (DPI) techniques to scan every HTTP request and response to identify and block any malicious content. Implement a Web Application Firewall Perform regular web application security assessment using an independent contractor. This provides a degree of autonomy to test controls that you could be missing and an external view of potential security risks. Independent Security Assessment
18 Below are the sources and citations used in this presentation: References 2018 Official Data Breach Investigations Report from Verizon: https://enterprise.verizon.com/resources/reports/dbir/ 2016 Uber Data Breach: https://www.uber.com/newsroom/2016-data-incident/ 2017 Equifax Data Breach: https://www.equifaxsecurity2017.com/2018/03/01/equifax-releases-updated-information-2017-cybersecurity-incident/ 2018 Under Armour Data Breach: http://investor.underarmour.com/releasedetail.cfm?ReleaseID=1062368 Average cost of a data breach (Accenture) https://www.accenture.com/us-en/event-cybertech-europe-2017?src=SOMS#block-insights-and-innovation 2016 Yahoo Data Breach: https://www.oath.com/press/yahoo-provides-notice-to-additional-users-affected-by-previously/ 2018 Marriot Hotels Data Breach: http://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/ OWASP TOP 10 - 2017: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
19 THANKS FOR WATCHING Questions, Thoughts, Fears or Doubts? @JaimeManteiga @JaimeManteiga https://www.linkedin.com/in/jaimemanteiga/ https://medium.com/@jaime.manteiga jaime.manteiga@Venkon.us

More Related Content

PDF
IRJET- Phishing and Anti-Phishing Techniques
byIRJET Journal
 
PDF
[Infographic] 7 Cyber attacks that shook the world
bySeqrite
 
PDF
RSA Monthly Online Fraud Report -- February 2014
byEMC
 
PDF
Detecting malicious URLs using binary classification through ada boost algori...
byIJECEIAES
 
PDF
Top 5 Cybersecurity Risks in Banking
bySeqrite
 
PDF
Axxera End Point Security Protection
byShawn Crimson
 
PPTX
Data security for healthcare industry
bySeqrite
 
PDF
[Infographic] Data Loss Prevention
bySeqrite
 
IRJET- Phishing and Anti-Phishing Techniques
byIRJET Journal
 
[Infographic] 7 Cyber attacks that shook the world
bySeqrite
 
RSA Monthly Online Fraud Report -- February 2014
byEMC
 
Detecting malicious URLs using binary classification through ada boost algori...
byIJECEIAES
 
Top 5 Cybersecurity Risks in Banking
bySeqrite
 
Axxera End Point Security Protection
byShawn Crimson
 
Data security for healthcare industry
bySeqrite
 
[Infographic] Data Loss Prevention
bySeqrite
 

What's hot

PDF
10 Types Of Cyber Attacks And How They Can Affect You- Detox technologies.pdf
byCyber security professional services- Detox techno
 
PDF
Symantec Website Threat Report Part-1 2015
byRapidSSLOnline.com
 
PPTX
The Whys and Wherefores of Web Security – by United Security Providers
byUnited Security Providers AG
 
PPTX
Security weekly september 28 october 4, 2021
byRoen Branham
 
PDF
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
byERPScan
 
PDF
Why Should A Business Worry about Cyber Attacks?
byAinsha Noordin (Umie)
 
PDF
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
byAM Publications,India
 
PDF
Study on Phishing Attacks and Antiphishing Tools
byIRJET Journal
 
PDF
Symantec & WSJ PRESENTS "MALWARE on Main Street" ...
byMZERMA Amine
 
PPTX
5 Cybersecurity threats in Public Sector
bySeqrite
 
PDF
cybercrime survival guide
byGary Gray, MCSE
 
PPTX
Different Types of Phishing Attacks
bySysCloud
 
PPTX
Phishing ppt
byshindept123
 
PDF
Prevent phishing scams
byronpoul
 
PPTX
Phishing ppt
bySanjay Kumar
 
PPTX
Phishing
bySagar Rai
 
PPSX
November 2017: Part 6
byseadeloitte
 
PPTX
Top 5 Cybersecurity Threats in Retail Industry
bySeqrite
 
PPTX
December 2019 Part 10
byseadeloitte
 
PPTX
Grift horse money stealing trojan takes 10m android users for a ride
byRoen Branham
 
10 Types Of Cyber Attacks And How They Can Affect You- Detox technologies.pdf
byCyber security professional services- Detox techno
 
Symantec Website Threat Report Part-1 2015
byRapidSSLOnline.com
 
The Whys and Wherefores of Web Security – by United Security Providers
byUnited Security Providers AG
 
Security weekly september 28 october 4, 2021
byRoen Branham
 
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
byERPScan
 
Why Should A Business Worry about Cyber Attacks?
byAinsha Noordin (Umie)
 
HOST PROTECTION USING PROCESS WHITE-LISTING, DECEPTION AND REPUTATION SERVICES
byAM Publications,India
 
Study on Phishing Attacks and Antiphishing Tools
byIRJET Journal
 
Symantec & WSJ PRESENTS "MALWARE on Main Street" ...
byMZERMA Amine
 
5 Cybersecurity threats in Public Sector
bySeqrite
 
cybercrime survival guide
byGary Gray, MCSE
 
Different Types of Phishing Attacks
bySysCloud
 
Phishing ppt
byshindept123
 
Prevent phishing scams
byronpoul
 
Phishing ppt
bySanjay Kumar
 
Phishing
bySagar Rai
 
November 2017: Part 6
byseadeloitte
 
Top 5 Cybersecurity Threats in Retail Industry
bySeqrite
 
December 2019 Part 10
byseadeloitte
 
Grift horse money stealing trojan takes 10m android users for a ride
byRoen Branham
 

Similar to What Makes Web Applications Desirable For Hackers

PDF
Owasp Top 10
byShivam Porwal
 
PDF
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
byAlert Logic
 
PDF
CSS17: Houston - Protecting Web Apps
byAlert Logic
 
PPT
Information security
bySathyanarayana Panduranga
 
PPTX
Web Application Security Session for Web Developers
byKrishna Srikanth Manda
 
PPT
Web Application Security
byColin English
 
PPTX
CSS 17: NYC - Protecting your Web Applications
byAlert Logic
 
PDF
OWASP Top 10 - 2017
byHackerOne
 
PPTX
owasp features in secure coding techniques
bySri Latha
 
PPTX
Web_Appication_Security_Training_For_Developers.pptx
byxobewe1102
 
PPTX
State of the information security nation
bySensePost
 
PDF
Cybersecurity update 12
byJim Kaplan CIA CFE
 
PPTX
Cyber Security OWASP and attacks, Man in the Middle
byGoodReads1
 
PPT
Owasp top 10 & Web vulnerabilities
byRIZWAN HASAN
 
PDF
Threats, Threat Modeling and Analysis
byIan G
 
PDF
The State of Application Security: What Hackers Break
byImperva
 
PDF
The State of Application Security: What Hackers Break
byImperva
 
PDF
Thy myth of hacking Oracle
byErmando
 
PPTX
Owasp top 10 security threats
byVishal Kumar
 
PDF
OWASP Top Ten in Practice
bySecurity Innovation
 
Owasp Top 10
byShivam Porwal
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
byAlert Logic
 
CSS17: Houston - Protecting Web Apps
byAlert Logic
 
Information security
bySathyanarayana Panduranga
 
Web Application Security Session for Web Developers
byKrishna Srikanth Manda
 
Web Application Security
byColin English
 
CSS 17: NYC - Protecting your Web Applications
byAlert Logic
 
OWASP Top 10 - 2017
byHackerOne
 
owasp features in secure coding techniques
bySri Latha
 
Web_Appication_Security_Training_For_Developers.pptx
byxobewe1102
 
State of the information security nation
bySensePost
 
Cybersecurity update 12
byJim Kaplan CIA CFE
 
Cyber Security OWASP and attacks, Man in the Middle
byGoodReads1
 
Owasp top 10 & Web vulnerabilities
byRIZWAN HASAN
 
Threats, Threat Modeling and Analysis
byIan G
 
The State of Application Security: What Hackers Break
byImperva
 
The State of Application Security: What Hackers Break
byImperva
 
Thy myth of hacking Oracle
byErmando
 
Owasp top 10 security threats
byVishal Kumar
 
OWASP Top Ten in Practice
bySecurity Innovation
 

What Makes Web Applications Desirable For Hackers

  • 1.
    1 WHAT MAKES WEBAPPLICATIONS DESIRABLE FOR HACKERS How To Protect Yours CTO / Co-Founder at Venkon JAIME MANTEIGA
  • 2.
    2 Agenda 01 02 03 To protect yourapplications, it is essential to know "how" web application hacking techniques work. What Techniques Do Attackers Use? Data is the new "gold" and hackers know that — a glance into dark web markets. What’s The Value Of Stolen Data? — How They Make Money Before asking the “how” it’s important to know the “why”. What Motivates Unethical Hackers? 04Understanding and thinking like an attacker will give us a new perspective on how to improve our web security posture. How Can We Protect Ourselves? 05Sources and citations. References 06Share your thoughts, fears, and doubts. Questions?
  • 3.
    3 Introduction What Makes WebApplications Desirable For Hackers — How To Protect Yours Jaime Manteiga is a dynamic Information Security Professional and Researcher who assists organizations across the world by improving their information security posture and cybersecurity challenges. Additionally, Jaime Manteiga as an Information Security Researcher holds public recognition from organizations such as Tesla, Shopify, United Airlines and Spotify for helping them to identify and mitigate information security flaws. Bio @JaimeManteiga Active Social Media Networks: Get in touch CTO / Co-Founder at Venkon JAIME MANTEIGA @JaimeManteiga https://www.linkedin.com/in/jaimemanteiga/ https://medium.com/@jaime.manteiga jaime.manteiga@Venkon.us
  • 4.
    4 There are hundredsof methods hackers can use to take advantage of the security vulnerabilities in your applications, but there are just a few reasons to do it. These are the top motives in descending order: Motivation IDEOLOGY FUN ESPIONAGE FINANCIAL GAIN What Motivates Unethical Hackers? Before asking the “how” it’s important to know the “why” * Sources of the stats will be exhibited at the references slide
  • 5.
    5 What Motivates UnethicalHackers? Cybersecurity Breaches, Costs and Facts * Sources of the stats will be exhibited at the references slide 2016 2017 2018 Marriott Hacking Exposes Data of Up to 500 Million Guests. Including names, addresses, dates of birth, passport numbers, email addresses and phone numbers Marriott Hotels In 2016, 3 billion Yahoo accounts were hacked in one of the biggest breaches of all time. Yahoo Uber reported that hackers stole the information of over 57 million riders and drivers. Uber The average cost of a cybersecurity attack on a company is $2.4 million. Under Armour reported that its “My Fitness Pal” was hacked, affecting 150 million users. Under Armour 147.9 million consumers were affected by the Equifax Breach. Equifax  In 2017, cyber crime costs accelerated with organizations spending nearly 23 percent more than 2016 — on average about $11.7 million  The most expensive component of a cyber attack is information loss, which represents 43 percent of costs  The average cost per lost or stolen records per individual is $141 — but that cost varies per country. Breaches are most expensive in the United States ($225) and Canada ($190)  In companies with over 50k compromised records, the average cost of a data breach is $6.3 million  Damage related to cybercrime is projected to hit $6 trillion annually by 2021
  • 6.
    6 What Motivates UnethicalHackers? Marriott Hotels Security Breach Nov. 30, 2018 Marriott Breach Exposes Data of Up to 500 Million Guests. The hotel chain said that personal details including names, addresses, dates of birth, passport numbers, email addresses and phone numbers for hundreds of millions of guests may have been compromised. In the United States, the New York Attorney General's office said it had opened an investigation into the data breach. Marriott's (MAR) stock is plunging on the news, falling more than 6% in trading. The combined company has 6,700 properties in more than 129 countries. The next figure illustrates how the stock value was sinking after the incident. Overview
  • 7.
    7 Hacking web applicationsis nothing new, but the methods used by attackers are constantly changing. There are several factors to determine which techniques an attacker can attempt to use in order to compromise your application — such as, programming language, web server version, server operative system, database type, etc. Hence, there is no -one answer- to determine which method they will use to compromise your application. The following illustration represents the paths that attackers can use to discover weaknesses; sometimes it takes multiples paths to compromise an application, depending on its complexity. What Techniques Do Attackers Use?
  • 8.
    8What Techniques DoAttackers Use? OWASP TOP 10 Explained A1 - Injection A2 - Broken Authentication A3 - Sensitive Data A4 - XMLExternal Entities (XXE) A5 - Broken AccessControl A6 - Security Misconf guration A7 - Cross-SiteScripting (XSS) A8 - Insecure Deserialization A9 - Using Componentswith Known Vulnerabilities A10 - Insuf cient Logging &Monitoring We summarized a list of the most critical web application security risks following OWASP Top 10 (Open Web Application Security Project). This list focuses on identifying the most serious web application security risks for a broad array of organizations and industries.
  • 9.
    9 A2 A1 A3 A4 INJECTION Injection flaws, suchas SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. What Techniques Do Attackers Use? OWASP TOP 10 Explained Part 1 A5 Mixer BROKEN AUTHENTICATION Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. . SENSITIVE DATA EXPOSURE Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. XML EXTERNAL ENTITIES (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. BROKEN ACCESS CONTROL Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
  • 10.
    10 A7 A6 A8 A9 SECURITY MISCONFIGURATION Security misconfigurationis the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. What Techniques Do Attackers Use? OWASP TOP 10 Explained Part 2 A10 Mixer CROSS-SITE SCRIPTING (XSS) XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. INSECURE DESERIALIZATION Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. USING COMPONENTS WITH KNOWN VULNERABILITIES Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. INSUFFICIENT LOGGING & MONITORING Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
  • 11.
    11 We already knowthat the principal motivation for hackers is the financial gain — to know more in detail how much money they make, and how they sell the stolen data, we have to examine their communication channels. There are several ways for hackers to communicate, sell and exchange, but the most used is the "TOR Network," also known as "dark web or deep web." Simply put, TOR is an uncensored internet network principally used by cybercriminals. What’s The Value Of Stolen Data How They Make Money
  • 12.
    12 Dark Web Forumsare one of the places where cybercriminals trade their goods. They use underground forums as a safe interface to advertise their products and services. It is extremely challenging to get access to most of these forums since they require extensive vetting and trust from other cybercriminals. For this presentation, we took a “safe dive” into the dark web with the purpose of examining cybercriminals trading methods: What’s The Value Of Stolen Data How They Make Money Taking a Dive Into The “Deep Web” Figure 1 – Most of the forums were either taken down or seized by international organizations such as FBI, Interpol, Europol, and the DEA. It is pleasing to find that international government collaboration is in place to protect us from cybercriminals.
  • 13.
    13 What’s The ValueOf Stolen Data How They Make Money Taking a Dive Into The “Deep Web” Figure 2 – As previously mentioned, it is tough to get access to these forums. The figure above lists the rules to access the "unrestricted areas" of this forum.
  • 14.
    14 What’s The ValueOf Stolen Data How They Make Money Taking a Dive Into The “Deep Web” Figure 3 – We found another forum that used to have “free registration” — now you are required to be invited by a current member and pay a membership fee.
  • 15.
    15 What’s The ValueOf Stolen Data How They Make Money Taking a Dive Into The “Deep Web” Figure 4 – After an intensive research period, we were able to get access into one of the least used marketplace forums for cybercriminals. In this figure, we can appreciate a few things: 1. The principal payment method used by cybercriminals is the cryptocurrency Bitcoin. 2. Stolen data is somewhat cheaper than expected: ~ $10 USD dollars for millions of stolen Dropbox records. 3. Cybercriminal Marketplaces are mostly organized. This database appears to be from the security breach reported by Dropbox in 2016 — back then cybercriminals were selling this information for around $1500 USD.
  • 16.
    16 What’s The ValueOf Stolen Data How They Make Money Taking a Dive Into The “Deep Web” After our investigation in the deep web, we concluded that cybercriminals find very valuable and profitable our web applications. Below is a list of the most offered services by cybercriminals: This method provides direct access to your application which allows them to resell it. Web Shells They modify the integrity of the code to distribute malware to the users using an Exploit Kit. Distributed Malware For applications handling payments, a code captures the entered credit card data and then stores it in some local file for the hackers to access. Credit Card Scraping Installing a JS code in your application will allow the cybercriminals to start mining cryptocurrencies for them. Crypto mining They sell traffic redirection of your applications to other cybercriminals. Redirecting Traffic They download a copy of the database to categorize and sell the information afterward. Database CYBERCRIMINALS MARKETPLACE FOR WEB APPLICATIONS
  • 17.
    17 Unethical hackers arerestlessly trying to compromise web applications, and if we don't want to become one of their victims posted on the dark web, we must ensure that our systems are appropriately secured. There is more profitability in our web applications than we expected, even if no valuable data is present. Cybercriminals will use compromised web apps for a variety of things — needless to say, all actions of cybercriminals regarding our apps will affect us significantly. How can we protect ourselves? Sadly, there is no "one-answer," it depends on several factors that apply to specific requirements of your application and organization. The good news is, as we previously mentioned OWASP (Open Web Application Security Project) has an updated guideline created by industry experts and leading organizations to ensure your application is properly secured. Below are some recommended steps for improvements: How Can We Protect Ourselves? Recommendations For Improvements OWASP have countless guidelines and best practices documentation to improve your applications overall security posture. OWASP This is the best foundation when testing for security issues. Ensure that your tests follow this methodology. OWASP TOP 10 Formalize a process to perform regular automated and manual security scans. Security Scanning Reduce security issues and raise the overall security level for every stage of your application development. Formalize a Software Development Lifecycle (SDLC) WAF applies deep packet inspection (DPI) techniques to scan every HTTP request and response to identify and block any malicious content. Implement a Web Application Firewall Perform regular web application security assessment using an independent contractor. This provides a degree of autonomy to test controls that you could be missing and an external view of potential security risks. Independent Security Assessment
  • 18.
    18 Below are thesources and citations used in this presentation: References 2018 Official Data Breach Investigations Report from Verizon: https://enterprise.verizon.com/resources/reports/dbir/ 2016 Uber Data Breach: https://www.uber.com/newsroom/2016-data-incident/ 2017 Equifax Data Breach: https://www.equifaxsecurity2017.com/2018/03/01/equifax-releases-updated-information-2017-cybersecurity-incident/ 2018 Under Armour Data Breach: http://investor.underarmour.com/releasedetail.cfm?ReleaseID=1062368 Average cost of a data breach (Accenture) https://www.accenture.com/us-en/event-cybertech-europe-2017?src=SOMS#block-insights-and-innovation 2016 Yahoo Data Breach: https://www.oath.com/press/yahoo-provides-notice-to-additional-users-affected-by-previously/ 2018 Marriot Hotels Data Breach: http://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/ OWASP TOP 10 - 2017: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
  • 19.
    19 THANKS FOR WATCHING Questions,Thoughts, Fears or Doubts? @JaimeManteiga @JaimeManteiga https://www.linkedin.com/in/jaimemanteiga/ https://medium.com/@jaime.manteiga jaime.manteiga@Venkon.us