PRESENTED BY: scheff@f5.com
APPLICATIONS ARE: the reason people use the Internet; the business; the target; the gateway to DATA.

765: average number of apps in use per enterprise
1/3: mission critical
6 min: time before a new app is scanned
<2 hrs: if vulnerable, you could be pwned in under two hours
Attacks by layer:
Client: cross-site request forgery, cross-site scripting, man-in-the-browser, session hijacking, malware
DNS: man-in-the-middle, DNS cache poisoning, DNS spoofing, DNS hijacking, dictionary attacks, DDoS
Network: DDoS, eavesdropping, protocol abuse, man-in-the-middle
TLS: key disclosure, protocol abuse, session hijacking, certificate spoofing
Access: credential theft, credential stuffing, session hijacking, brute force, DDoS, phishing
App services: API attacks, cross-site scripting, injection, cross-site request forgery, malware, man-in-the-middle, DDoS, abuse of functionality

Breach-origin figures shown alongside the layers: 30% (2017, 4 US states) and 53% (10 years, 26 countries); 26% (2017, 4 US states) and 33% (10 years, 26 countries).
[Chart: Injection attacks, PHP & SQL. Targeted paths: Login, Affiliates, Admin, Betablock, Cart, Comments, Exchweb, SQL, PHP. Values shown: 1%, 1%, 2%, 2%, 3%, 4%, 6%, 56%, 58%.]
2013 OWASP Top 10
1. Injection
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards

2017 OWASP Top 10
1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring
[Chart: Access attacks, breakdown by type: 5%, 23%, 34%, 9%, 26%, 3% (category labels not recoverable).]

Clients are phished and malware is installed: banking trojans, fraud trojans. Fraud targets = any site with a login page.
Affected devices (74% discovered in the last 2 years): CCTV, DVRs, SOHO routers, iOS, WAPs, set-top boxes, media centers, ICS, Android, IP cameras, wireless chipsets, NVR surveillance, VoIP devices, cable modems, BusyBox platforms, smart TVs

Thingbot timeline, 2008 to 2018: Hydra, Psyb0t, Aidra, Darlloz, Marcher, Moon, Gafgyt family, Remaiten, Crash Override, Mirai, BigBrother, Rediation, Hajime, Trickbot, IRC Telnet, Annie, Brickerbot, Satori family, Amnesia, Persirai, WireX, Reaper, Masuta, PureMasuta, Hide N Seek, JenX, OMG, DoubleDoor, SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter

Thingbot attack type, shifting from primarily DDoS to multi-purpose: DNS hijack, crypto-miner, DDoS, PDoS, proxy servers, unknown, rent-a-bot, credential collector, install-a-bot, multi-purpose bot, fraud trojan, ICS protocol monitoring, Tor node, sniffer
2017 Study on Mobile and IoT Application Security https://www.arxan.com/resources/downloads/2017-study-mobile-iot-application-security-whitepaper
CISO's #1 mission: prevent downtime. Everyone's #1 challenge: visibility.

1. Understand Your Environment
2. Reduce Your Attack Surface
Subdomains hosting other versions of the main application site
Web service methods
Server-side features such as search
Cookies/state tracking mechanisms
Dynamic web page generators
HTTP headers and cookies
Data entry forms
Application events that trigger server-side code
Web pages and directories
Shells, Perl/PHP APIs
Administrative and monitoring stubs and tools
Data/active content pools: the data that populates and drives pages
Backend connections through the server (injection)
Admin interfaces
Apps/files linked to the app
Helper apps on the client (Java, Flash)
Every 9 hrs a CRITICAL vulnerability is released. Attackers are weaponizing VULNERABILITIES in <24 hrs.
Does it apply to you? Has a patch been released? WAF configuration: did you test it? Did you apply it? ATTACKED!

3. Prioritize Defenses Based on Attacks: focus OpEx & CapEx spend
What an attacker can see: Facebook, LinkedIn, Twitter; laptops, desktops, phones; HR, execs, accounting, sys admins; misconfigurations; identities; company website; people search engines

F5 Labs resources: Articles, Threat Blog, CISO to CISO, Thought Leadership Blog, General Threat Trends, Phishing, Encryption, IoT (Attacker Hunt Series)

53% of breaches start here: CLIENT INTEGRITY DEFENSE. 33% of breaches start here.
2018 F5 Networks