Cyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA

Similar documents
Web Applications Security. Radovan Gibala F5 Networks

F5 Big-IP Application Security Manager v11

F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe

GOING WHERE NO WAFS HAVE GONE BEFORE

F5 Application Security. Radovan Gibala Field Systems Engineer

Architecture: Consolidated Platform. Eddie Augustine Major Accounts Manager: Federal

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Configuring BIG-IP ASM v12.1 Application Security Manager

Sam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF

Herding Cats. Carl Brothers, F5 Field Systems Engineer

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

Application Layer Security

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

BIG-IP Application Security Manager : Getting Started. Version 12.1

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

The Top 6 WAF Essentials to Achieve Application Security Efficacy

The Interactive Guide to Protecting Your Election Website

WEBSCALE CONVERGED APPLICATION DELIVERY PLATFORM

Solutions Business Manager Web Application Security Assessment

KEEPING THE BAD GUYS OUT WHILE LETTING THE GOOD GUYS IN. Paul Deakin Federal Field Systems Engineer

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Comprehensive datacenter protection

haltdos - Web Application Firewall

Identiteettien hallinta ja sovellusturvallisuus. Timo Lohenoja, CISPP Systems Engineer, F5 Networks

Web Application Security. Philippe Bogaerts

BIG-IP Application Security Manager : Implementations. Version 13.0

C1: Define Security Requirements

F5 Synthesis Information Session. April, 2014

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

What s next for your data center? Power Your Evolution with Physical and Virtual ADCs. Jeppe Koefoed Wim Zandee Field sales, Nordics

Integrated Web Application Firewall & Distributed Denial of Service (DDoS) Mitigation Solution

Applications Security

Evaluation Criteria for Web Application Firewalls

Securing Online Businesses Against SSL-based DDoS Attacks. Whitepaper

Introduction Who needs WAF anyway? The Death of WAF? Advanced WAF Why F5?

THUNDER WEB APPLICATION FIREWALL

Web Application Firewall

Imperva Incapsula Product Overview

The DNS of Things. A. 2001:19b8:10 1:2::f5f5:1d Q. WHERE IS Peter Silva Sr. Technical Marketing

Application Security. Rafal Chrusciel Senior Security Operations Analyst, F5 Networks

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

DenyAll Protect. accelerating. Web Application & Services Firewalls. your applications. DenyAll Protect

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

303 BIG-IP ASM SPECIALIST

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Certified Secure Web Application Engineer

F5 Azure Cloud Try User Guide. F5 Networks, Inc. Rev. September 2016

Providing Secure, Fast and Available

Web Application Penetration Testing

Maximum Security, Zero Compromise in Availability and Performance

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

Secure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect

Copyright

Advanced Techniques for DDoS Mitigation and Web Application Defense

AKAMAI CLOUD SECURITY SOLUTIONS

CERTIFICATION RESOURCE GUIDE

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

ADC im Cloud - Zeitalter

AppSpider Enterprise. Getting Started Guide

CSWAE Certified Secure Web Application Engineer

DATACENTER SECURITY. Paul Deakin System Engineer, F5 Networks

Imperva Incapsula Website Security

Blended Security Threats and Mitigations

August 14th, 2018 PRESENTED BY:

the Breakdown of Perimeter Defenses

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

OWASP TOP OWASP TOP

TIBCO Cloud Integration Security Overview

RiskSense Attack Surface Validation for Web Applications

O365 Solutions. Three Phase Approach. Page 1 34

War Stories from the Cloud Going Behind the Web Security Headlines. Emmanuel Mace Security Expert

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

OWASP Top 10 The Ten Most Critical Web Application Security Risks

epldt Web Builder Security March 2017

Pulse Secure Application Delivery

Web Application Vulnerabilities: OWASP Top 10 Revisited

RETHINKING DATA CENTER SECURITY. Reed Shipley Field Systems Engineer, CISSP State / Local Government & Education

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Welcome to the OWASP TOP 10

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

68% 63% 50% 25% 24% 20% 17% Credit Theft. DDoS. Web Fraud. Cross-site Scripting. SQL Injection. Clickjack. Cross-site Request Forgery.

Network Security. Thierry Sans

Citrix NetScaler AppFirewall and Web App Security Service

PCI DSS Compliance with Riverbed Stingray Traffic Manager and Stingray Application Firewall WHITE PAPER

Intelligent and Secure Network

Overview. Application security - the never-ending story

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Enterprise D/DoS Mitigation Solution offering

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

PRESENTED BY:

Transcription:

Cyber Attacks and Application - Motivation, Methods and Mitigation Alfredo Vistola a.vistola@f5.com Solution Architect Security, EMEA

Attacks are Moving Up the Stack Network Threats Application Threats 90% of security investment focused here 75% of attacks focused here Source: Gartner

Example 1

Statement - SONY Playstation http://blog.us.playstation.com/author/pseybold/ We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised we believe that an unauthorized person has obtained name, address, email address, birthdate, PSN/Qriocity password (hashed) and login, profile data, including purchase history While there is no evidence at this time that encrypted credit card data was taken, we cannot rule out the possibility. Comment: SONY Playstation has about 77Mio customers

Statement - SONY Online Entertainment http://blog.eu.playstation.com/ On April 16th and 17th, 2011.. Personal information from approximately 24.6 million SOE accounts may have been stolen, Name, e-mail, login, hashed password, As well as certain information from an outdated database from 2007 for 10.700 customer in EU Name, bank account number, address,

Example 2

What happened to WikiLeaks Several companies stopped the service for WikiLeaks although it is not proven that WikiLeaks violates the existing law Amazon removed all WikiLeaks content from their servers EveryDNS switched off the DNS resolution for wikileaks.org Several financial institutes locked up donation accounts

Finally Thousand of internet users unloaded their accumulated anger starting 7th Dec 2010 Web servers of Swiss Postfinance bank were down for several hours Credit card companies like Mastercard and VISA where not accessible for several hours/day over several days Paypal s transaction network were slow but not taken down completely

Behind the scenes Operation Payback admitted to this attack. They are also known as Anonymous from previous attacks They used a modified version of the tool called LOIC Originally developed for load tests Nearly 50,000 people downloaded it to join voluntary a botnet It performs a DoS or DDoS on a target site by flooding the server with TCP packets UDP packets or HTTP requests to disrupt the service of a host

Slowloris, Slow POST attack How to choke a web server slowly... Takes down a web server with minimal bandwidth Slowloris begins by sending a partial HTTP request......followed by subsequent HTTP headers One at a time..very slowly......and never ends... Slow POST attack The data are sent very slow Server holds connection open and runs out of available connections Result server is unavailable with no errors in the logs

Policies, Standards, Guidelines, Audits, Contracts, Checklists All Levels need to be covered Application Layer Application Source Code Infrastructure Layer Services Operation System Physical Layer Infrastructure Hardware

OWASP Top 10 for 2010 A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards

Value of the Web Application Firewall Allows immediate protection against new vulnerabilities Virtually patch vulnerabilities in minutes without changing application code Application visibility and reporting Comprehensive logging and reporting Reduce operation costs Ensure high application availability by stopping application based attacks and application based DoS/DDoS Reduce the expenses of meeting PCI security compliance requirements by showing clean scans Get out-of-the-box application security policies with minimal configuration Authentication and authorization with SSO at the edge of the network Cut your infrastructure costs with consolidation and reduce latency High availability, scalability, SSL acceleration, caching, compression, rate limiting, optimization,...

Application Security with the WAF! Illegal requests WAF WAF allows legitimate Stops requests bad requests / responses! Noncompliant Information Browser! Unauthorised Access Front auth Stops unauthorized Requests (SSO to backend)! Infrastructural Intelligence Applications e.g. Portal Reduces the attack vector because only authenticated, authorized and legal requests are permitted to the relevant application servers

Deploy WAF Policies without false positives Predefined Policy Templates Pre-configured security policies Learning mode Automatic or manual Application Scanner integration Gradual deployment Transparent / semi-transparent / full blocking

Example: App scanner integration

WAF Security Services Attack signatures (staging, update service) Information leakage prevention E.g. CC# 3568-4298-9764-7690

WAF Security Services Attack signatures (staging, update service) Information leakage prevention E.g. CC# ****-****-****-**** Block MS-Office files, PDFs,... Cookie signing and encryption Cookies are used to maintain the user state Detailed granular positive protection for every entity Protocol, URI, parameters, headers Protection for hidden field and dynamic parameter manipulation Access flow and login page enforcement E.g. restrict URL Access or mitigate broken authentication

WAF Security Services CSRF Protection Slowloris and Slow POST attack mitigation Bot and scanner detection and risk mitigation Layer 3 and Layer 7 DoS attacks Brute force attacks Web scraping ASM differentiates between a BOT which runs a script and a real user who uses the keyboard and moves the mouse ICAP support for http uploads, SOAP or SMTP attachments

AJAX/JSON Support for Web 2.0 Support AJAX apps or JSON payloads Parse JSON payloads Same attack vectors as http apps

Easily Secure JSON Payloads Protect from JSON threats Ability to present a unique blocking page to an AJAX widget User informs admin with support ID for resolution

Logging/Reporting

Centralized Reporting Examples

Track and Control User Behavior Session Awareness Associate the username with the app session Integrate user context within Logs Rules can be applied based on user behavior

XML/Web Services Firewall Well formatted validation Schema/WSDL validation WSDL Method selection (SOAP) Attack signatures for XML platforms Backend XML parser protection Full request logging WS-security message level encryption and digital signature support XML content based routing (built into LTM)

DNS Attacks Are Common

Problem: DNS is Vulnerable to Attacks X X X X X X X DNS Servers www.company.com

Solution: Handle All DNS Requests Scalability Authoritative DNS in Memory DNS Server Authoritative DNS in Memory Queries in Millions 6 Answer 3 DNS Query 0 Low Query Answer DNS Query Answer DNS Query Query Answer Growth DNS Query Query Spike Exponential DNS performance survives attack Answer DNS Query Query Decline OS NIC Manage DNS Records Max DNS DNS Queries w/ddos Admin Auth Roles Valid DNS Queries Dynamic DNS DHCP

Solution: Handle All DNS Requests Scalability Authoritative DNS in Memory IP Anycast Integration

DNS Attacks Are Common

DNS Session Hijacking What is DNS Hijacking? Subscriber initiates a DNS request which is through a resolver to an authoritative DNS server Instead of arriving at the authoritative DNS server for that specific hostname, another DNS server Hijacks the request and sends a false authoritative answer to the subscriber The subscriber is then directed to a wrong IP for the hostname requested Solution? DNSSEC

DNSSEC What is DNSSEC? DNSSEC is a standardized method of signing authoritative DNS responses. This signing ensures the identity of the authoritative DNS answering the request Where is the standard? There are multiple RFC s that define different elements of DNSSEC. (Not all are listed here, only the main RFC s) RFC4033 Introduction to DNSSEC RFC4034 DNSSEC Records RFC4035 - DNSSEC Protocol

Secure Your DNS Infrastructure Simple DNSSEC compliance: E.g. implement DNSSEC in front of existing DNS servers Ensure trusted DNS queries with dynamically signed responses

Application and Data Delivery Network F5 s Dynamic Control Plane Architecture Users Availability Scale HA / DR Bursting Load-Balancing Optimization Network Application Storage Offload Security Network Application Data Access Management Integration Visibility Orchestration Resources Private Public Physical Virtual Multi-Site DCs Cloud

Děkujeme za pozornost. Alfredo Vistola a.vistola@f5.com Security Architect, EMEA @ F5 16. února 2011? PROSTOR PRO OTÁZKY

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback