How were the Credit Card Numbers Published on the Web? February 19, 2004

Similar documents
Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Certified Secure Web Application Engineer

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

CSWAE Certified Secure Web Application Engineer

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Integrigy Consulting Overview

F5 Application Security. Radovan Gibala Field Systems Engineer

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Advanced Diploma on Information Security

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

RiskSense Attack Surface Validation for Web Applications

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Web Application Penetration Testing

Security

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Cyber Security Audit & Roadmap Business Process and

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Curso: Ethical Hacking and Countermeasures

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Improving Security in the Application Development Life-cycle

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Ethical Hacking and Prevention

Web Security. Outline

Application Security through a Hacker s Eyes James Walden Northern Kentucky University


n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

INNOV-09 How to Keep Hackers Out of your Web Application

Defense in Depth Security in the Enterprise

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

DenyAll Protect. accelerating. Web Application & Services Firewalls. your applications. DenyAll Protect

Security+ SY0-501 Study Guide Table of Contents

COMPUTER NETWORK SECURITY

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

Coordinated Threat Control

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

The Top 6 WAF Essentials to Achieve Application Security Efficacy

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Web Application Firewall Subscription on Cyberoam UTM appliances

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

OSSIM Fast Guide

2. Firewall Management Tools used to monitor and control the Firewall Environment.

Chapter 9. Firewalls

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

Copyright

Going Without CPU Patches on Oracle E-Business Suite 11i?

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

ECCouncil Exam v8 Certified Ethical Hacker v8 Exam Version: 7.0 [ Total Questions: 357 ]

Introduction. The Safe-T Solution

Cyber security tips and self-assessment for business

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Citrix NetScaler AppFirewall and Web App Security Service

Developing Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch

SECURITY TESTING. Towards a safer web world

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Web Security, Summer Term 2012

19.1. Security must consider external environment of the system, and protect it from:

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

How NOT To Get Hacked

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005

CoreMax Consulting s Cyber Security Roadmap

Solutions Business Manager Web Application Security Assessment

Citrix NetScaler Basic and Advanced Administration Bootcamp

McAfee Database Security

NETWORK THREATS DEMAN

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Security Solutions. Overview. Business Needs

Security and Authentication

PRACTICAL NETWORK DEFENSE VERSION 1

Herding Cats. Carl Brothers, F5 Field Systems Engineer

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access

C1: Define Security Requirements

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

Web Applications Security. Radovan Gibala F5 Networks

Network Security and Cryptography. 2 September Marking Scheme

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Computer Security: Cyber Essentials KAMI VANIEA 1

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Cyber Criminal Methods & Prevention Techniques. By

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Payment Card Industry (PCI) Data Security Standard

PT Unified Application Security Enforcement. ptsecurity.com

Dynamic Datacenter Security Solidex, November 2009

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

5 IT security hot topics How safe are you?

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Transcription:

How were the Credit Card Numbers Published on the Web? February 19, 2004

Agenda Security holes? what holes? Should I worry? How can I asses my exposure? and how can I fix that? Q & A Reference: Resources and Tools 2

But I already have security... don t I? Network Security: Network firewall SSL / TLS Network IDS Network assessment Server Security: Patch Warfare Host IDS Forensic log analysis Server assessment Application Security: AAA Identity Mgmt. Web App Firewall Assessments, audits 3

100,000 Rate of Security Incidents is Skyrocketing Where is this massive increase coming from? 97,812 80,000 60,000 52,658 40,000 20,000 0 252 773 21,756 9,859 2,412 89 90 91 92 93 94 95 96 97 98 99 00 01 02 Annual Incidents Reported to CERT 4

List of Application Attack Techniques Grows Every Day Web Application Threats 1. Cross-Site Scripting 2. SQL Injection 3. Command Injection 4. Cookie/Session Poisoning 5. Parameter/Form Tampering 6. Buffer Overflow 7. Directory Traversal/Forceful Browsing 8. Cryptographic Interception 9. Cookie Snooping 10. Authentication Hijacking 11. Log Tampering 12. Error Message Interception 13. Attack Obfuscation 14. Application Platform Exploits 15. DMZ Protocol Exploits 16. Security Management Attacks 17. Zero Day Attacks 18. Network Access Attacks 19. TCP Fragmentation 20. Denial of Service 21. Distributed Denial of Service Most Common Impact Access to unpublished pages Unauthorized app access Password theft Identity theft Theft of customer data Modification of data Disruption of service Website defacement Recovery and cleanup 5

Web Apps are unbelievably complex http://www.none.to/script?submenu=update&uid=1'+or+like'%25admin%25';--%00 Network Firewall Web Servers Presentation Layer Microsoft IIS App Servers Business Logic J2EE/.NET Legacy Apps Database Servers Customer Info Business Data Transaction Info Microsoft SQL Server Apache Operating Systems Operating Systems Operating Systems Linux Solaris AIX Windows 6

Web Attacks are Invisible to Firewall and IDS Employees Legacy Firewall blocks only network attacks ATTACKS Firewall Port 80/443 Web traffic goes right through Intrusion Detection WebDav Nimda Cross site scripting Unicode attacks Cookie poisoning SQL injection Code Red Forceful browsing OS command injection Cookie password theft Web-based worms Site defacing Data Center LAN Web Applications 7

That s why! 011010 011010 011010 011010 011010 011010 011010 011010 011010 Terminate TCP and reassemble d5opx;ðóge]ì ³ [Z ܾç Ù Vð ' #Ôm]ëæoª5Zòˆ!0 Ø mt È œ í H?>'5@ êü ³Mµ4 ø Èò¾øá %2E%2E%2Fpartners %2F%7Efinance%2F %2Fhome%2Flogin%2 Decrypt SSL /partners /finance /home/login Normalize Normal site behavior is often hard to characterize There s no effective way to control browsers or apply policies to Internet users Web applications often run the business, can t easily be simulated, and can never be fully tested off-line Full comprehension of application traffic 8

It s going to get worse Employees Legacy Firewall blocks only nonweb network attacks Port 80/443 Web traffic goes right through File and Print Servers Internal LAN Firewall IDS Java XML.NET SOAP web services J2EE Web Applications DMZ and Data Center 9

A lot worse XML web services will reopen 70% of the attack paths closed by firewalls over the past decade. They can carry virtually any payload over port 80, and the firewall is incapable of stopping it. - Gartner Group, 2002 10

Detecting vulnerabilities in web applications Tools: Learn what assessment tools are available, and test them Use automated tools whenever possible If an automated tool is not available, write or script one Test the security of the network, servers, OS, webservers, middleware, business logic, databases, and browsers Techniques: Think like an Attacker!!! Where do you want to go today? Use de-compilation techniques to review source code Be curious try strange techniques and fuzzing What can an unauthenticated user do? What can an authenticated user do? Document everything you do (and what you didn t do)! Become familiar with security bulletins Get written permission from someone authorized to give it to you 11

Know thy Application! Security alerts bulletins reading essential Abundance of open-source and commercial scanners: nmap primary lower-layers nikto, nessus, brutus, spike Application vulnerability and assessment scanners perform automated application testing based on a database of known vulnerabilities Some (spike) are capable of brute-force testing and thus able to detect previously unknown problems Forensics and Intrusion Detection Systems 12

Protection Methods Firewalls traditional network layer systems are usually inadequate to fully protect web applications Web Security Gateways purpose-built systems to protect web applications through deep traffic inspection SSL cryptographic protocol that provides privacy and authentication Restrictive access authorization policies Server and application patching 13

Secure Ecosystem SSL Encryption SSL VPN Network Firewall Load Balancer Scanner Application Firewall content accelerator Web Applications Effective web app installation and deployment requires a set of techniques and systems that implement them security traffic management monitoring 14

What is AVDL Application Vulnerability Description Language (AVDL) Developed through the OASIS standards body XML-based standard proposed in April 2003 Draft approved and now in public commenting period www.avdl.org Multi-vendor effort in the application security led by NetContinuum, SPI Dynamics, and Citadel 15

Introduction to AVDL AVDL security data consists of probes representing application transactions vulnerability probes specify known defects, applicability domain, and detection signature as well as human-readable descriptions, tracking, etc traversal probes specify normal, legitimate application usage and can specify parameters, attributes, valid ranges, etc Probes can be batched together in sessions or used individually, either off-line or real-time 16

The AVDL Vision Security Alerts CIAC subscribes to security alerts from vendors and security research organizations DOE Sites Custom subscription policy Integrates with application firewalls and patching systems CIAC Portal System Admins Custom subscription policy Integrates with VA tools US Government Security Incident Response Portal will debut this Spring with AVDL listeners 17

A comparison of mitigation strategies known network and application vulnerabilities detect and disclose mitigate vulnerability assessment tools, forensic log analysis, panic calls to Help Desk! network firewall, application firewalls, patches and upgrades unknown network and application vulnerabilities detect and disclose mitigate source code review, fuzzing, brute force attacks, penetration testing techniques Personal firewalls, Host IDS, Web Application Firewalls 18

Action plan in 7 easy steps To mitigate web application vulnerabilities: 1. Know the risk your organization is willing to accept, and clearly define acceptable loss 2. Implement a Defense in Depth protection architecture 3. Develop a deep understanding of the usage and features of your most critical web applications 4. Regularly test all layers of your web applications with automated and manual tools and techniques 5. Perform periodic forensic review of logs and error messages 6. Trust nobody validate all user input 7. Think Like an Attacker!!! (or befriend someone who does) 19

Q & A Thanks! Jan Bialkowski VP & CTO NetContinuum 408.961.5603 jan@netcontinuum.com 20

Simulation and Training Environments Reading Materials Assessment Tools Proxy Reference: Resources and Tools WebMaven http://www.mavensecurity.com WebGoat http://www.owasp.org/development/webgoat Open Source Security Testing Methodology Manual http://www.isecom.org/projects/osstmm.htm OWASP Guide to Building Secure Web Apps http://www.owasp.org/documentation Hacking Exposed Series http://www.hackingexposed.com Web Hacking Attacks and Defense McClure, Shah Nmap, Nikto, Nessus, Brutus, Spike, SPI WebInspect Top 75 Security Tools: http://www.insecure.org/tools.html Achilles, WebProxy, Paros, SPI Dynamics 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback