A Journey Into the Emotions of Software Developers
Security Compliance Web Application Risk Management
1. The Rise of Threat Analysis and the Fall of Compliance in Mitigating Web Application Security Risks Marco Morana OWASP Cincinnati Chapter Lead [email_address] Tony Ucedavelez OWASP Atlanta Chapter Lead [email_address] LA and OC Chapters Sept 2009 Meetings
2.
3.
4. Biggest Fraud in History 170 million card and ATM numbers used sql injection and packet sniffers Companies mentioned in the indictments (3) include: TJX Companies Heartland Payment Systems (HPY) Hannaford Bros
5.
6.
7. PCI DSS: Protection of CCH and Sensitive Credit Card Authentication Data [PCI-DSS] 3.2 Do not store sensitive authentication data subsequent to authorization (even if encrypted) [PCI-DSS] 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). [PCI-DSS] 3.4 Render PAN , at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs)
29. Common Code Injection Attack Vector From: www.technicalinfo.net/papers/Phishing.html
30.
31.
32.
33.
34. Mapping of Threats, Attacks, Vulnerabilities and Countermeasures <SCRIPT>alert(“Cookie”+ document.cookie)</SCRIPT> Injection flaws CSRF, Insecure Direct Obj. Ref, Insecure Remote File Inclusion NSAPI/ ISAPI Filter Custom errors OR ‘1’=’1—‘, Prepared Statements/ Parameterized Queries, Store Procedures ESAPI Filtering, Server RBAC Form Tokenization XSS, SQL Injection, Information Disclosure Via errors Broken Authentication, Connection DB PWD in clear Hashed/ Salted Pwds in Storage and Transit Trusted Server To Server Authentication, SSO Trusted Authentication, Federation, Mutual Authentication Broken Authentication/ Impersonation, Lack of Synch Session Logout No PK exposed as URL parameter Encrypt Confidential PII in Storage/Transit Insecure Crypto Storage Insecure Crypto Storage "../../../../etc/passwd%00" Cmd=%3B+mkdir+hackerDirectory http://www.abc.com?RoleID Phishing, Privacy Violations, Financial Loss Identity Theft System Compromise, Data Alteration, Destruction
We take a critical view of security driven by compliance in view of the increased threat of identify theft and credit card fraud We will talk about modeling threats and how can be used to learn how to mitigate cybercrime threats such as attack trees, use and misuse cases, attack vector analysis and data flow and data flow/architectural analysis Finally we will provide some mitigation strategies against cybercrime attacks
Heartland Payment Systems (HPY) data breach: 130 Credit Card Accounts Exploited SQL Injection vulnerabilities to install malware (Hannaford 9/07, Company A & B on 1/08) Used “wardriving” and installed sniffers Acted ad member of a Cybercrime gang Profited from the sale of ACC#, PINs to fake credit cards and commit ATM fraud Engaged in money laundering
On PCI compliance: http://www.thetechherald.com/article.php/200905/2849/Does-the-Heartland-breach-prove-PCI-useless Visa and MasterCard raised some red flags and alerted Heartland to suspicious transactions. After an audit, Heartland uncovered Malware (the data-sniffing kind) that allowed thieves to capture credit or debit-card numbers, expiration dates, and in some cases the cardholder’s name. Heartland was, at the time of the breach, and currently is, PCI compliant. It passed an inspection in April of 2008; this fact only serves to stress the point that PCI compliance does not equal security. The company that certified them, Trustwave, is established as a QSA (Qualified Security Assessors). If you wanted to lay blame on Trustwave for the breach, you would be hard-pressed to prove it. A QSA can only ensure that a company meets or exceeds the requirements of PCI compliance. No QSA can ensure or promise that a company it assesses for is completely secure and defended against attack. Card systems had 40 ML Breach prior PCI being mandatory Customer portal exploited via SQL injection
Compliance drive security from stick perspective with audit fines and restrictions. The cost also of intangible reputation since information disclosures In the case of TJX maxx for example a credit card processor was fined 800,000 USD because of lack of security controls by VISA nevertheless some times it is cheaper to pay the fine rather then implement the controls
PCI DSS brings precision, but with FUD: Greater detail surrounding technical/ non-tech security requirements Cardholder data such as PAN need to be masked in display and need to be protected in storage and transit with encryption, the same for card holder data and expiration data on the card Track 2 data that include CVV2, PINs cannot be stored even if encrypted
The reality is that there is a market for bank account and credit card information in the black economy
A similar math can be factored using Van Geer data of 4.5% of data loss probability (FTC 2003 data) x 655 $/person cost Can we correlate this losses somehow, the cost for loss with the fact that among all breaches 13 % are from wbe and 19% use SQL injection attack vectors you can come out with 0.025 that is 2.5 % as the probability that an identify theft will occurr through the web channel because of a SQL injection attack. The cost is the cost per incident x record loss for internal (pokemon is 200 $) or you can just factor the cost per re-issance of the card This multipled for the cost per incident/records you can came out with 241 ML for 14 million records for 130 ML is 2.5 BILLION According to the case in NJ SQL injection is considered cause of Hannaford http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf http://www.securecomputing.net.au/Tools/Print.aspx?CIID=103302 Assume that according that 2003 FTC data the potential loss per identity theft incident is $ 655 per incident. Assume you are serving via your web site a population of 4 million customers, the potential loss of losing your customer data such as credit card accounts for example would be of $ 2,6 Billion and with probability of identity theft occurrence of 4.6 % (also FTC data) the projected loss for your company could be $ 120 ML for which 14% or $ 16 ML would be the cost of data losses via the web channel alone.
It is important not to confuse compliance with security and confusing compliance risk (that is fines, liability risks) with real risks that include all the above. Security is people process and technology and compliance just addresses on component. So the question is do we place the effort and the right focus?
From the risk perspective compliance is a business risk and secondary to accessing the risk factors of likelihood and impact of a threat against the cost of preventing and mitigating a threat. If you think about 1) the cost of compliance is in essence like the cost of implementing a countermeasure vs the cost of the loss. Compliance risks are minimum requirements and in the risk equation cost less then the cost of a potential security breach,
The areas are the threat surface that is at which extent you can mitigate known threats by identifying vulnerabilities and remediating them The areas represents the threat space, you are as secure as the threat you know. For example tools and standards compliance can capture at maximum 40 % of all potential vulnerabilities, the light blue area represents all risks known and unknown and the green area represents the threat modeling activities that can be used to tackle 75-80% of all potential issues
In same cases the cyber attack vectors are reported step by step Use &quot;xp_cmdshell“ to download hacker tools to the compromised MSSQL server. Obtain valid Windows credentials by using fgdump Install network &quot;sniffers&quot; to identify card data and systems involved in processing credit card transactions. Install backdoors that &quot;beacon&quot; periodically to their command and control servers Target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs. Use WinRAR to compress the information they pilfer from the compromised networks.
Botnet attack bank customers using malware that perform MITM. The attack vector is email phishing (lure to accept an offer for free software) and delivered via hidden frames Once it knows the banksite and gets user credentials from the user, it will do the attack without the user knowing using automated script that can perform wire transfers and supply all the extra data as required such as SSN, S/W OTP. It will simulate all user keystrokes and simulate being an attack from valid browser Botnet-controlled Trojan robbing online bank customers Security firm says malware targeting commercial customers believed to have come from Russia By Ellen Messmer , Network World , 12/13/2007 Share/Email Tweet This 1 Comment Print A new variant on the &quot;Prg Banking Trojan&quot; malware discovered in June is stealing funds from commercial accounts in the United States, United Kingdom, Spain and Italy with a botnet called Zbot, says Atlanta-based SecureWorks . &quot;It's been very successful since we've first seen this at the end of November,&quot; says Don Jackson, senior security researcher at SecureWorks, which believes the Prg Trojan variant is designed by the Russian hackers group known as Russian UpLevel working with some German affiliates. Manage Security and Compliance in an Adverse Economy in 2009 and Beyond: View now &quot;The Trojan has the ability to use a man-in-the-middle attack, a kind of shoulder-surfing when someone logs into a bank account. It can inject a request for a Social Security number or other information, and it's very dynamic . It’s targeted for each specific bank.&quot; SecureWorks says about a dozen banks -- which it wouldn't identify because it says the U.S. Secret Service is investigating the incidents -- have had their commercial customers affected by the Trojan-based money fraud operation. According to SecureWorks, the bank Trojan malware can be distributed using iFrame exploits on Web sites or through very targeted attacks against bank customers via phishing . Oftentimes, the phishing e-mail attempts to lure the victim into clicking on a site to offer software disguised as a real certificate, security code or soft token, the company says, adding that it has uncovered caches of stolen data in its research. If the attacker succeeds in getting the Trojan malware onto the victim's computer, he can piggyback on a session of online banking without even having to use the victim's name and password. The infected computer communicates back to the Trojan's command-and-controller exactly which bank the victim has an account with. It then automatically feeds code that tells the Trojan how to mimic actual online transactions with a particular bank to do wire transfers or bill payments SecureWorks says the Trojan performs keystrokes that imitate the victim's keystrokes to avoid any online fraud-monitoring. Although the Secret Service is investigating the Trojan's impact on banks and their customers, Jackson says Russian law authorities are lax in reining in online criminal groups widely believed to be operating from Russia, including Russian UpLevel and the Russian Business Network .
What cyber threats are relevant to your industry? Peel the threat onion (industry, geographic, local market, overall business, branch) Are you looking at outdated cyber threats?
Most of cybercrime attacks target both the browser and the web application. You are as secure as the weakest link and the weakest link is always the human element, so phishing and social engineering is the easier way to get CC data directly from a user. Other attacks use drive by download to install malware to perform MITM, clickjacking or man in the browser attacks exploit browser vulnerabilities and in the exeuctable content (browser plugins, adobe and macromedia flash, activex controls) From the web application pespective the attacks can exploit SQL injection vulnerabilities to upload sniffers, get the data by altering the query, attack the weak encryption and attack session such as using session fixaction, hijacking the session in transit or being cached logged
You can attack an ATM to commit fraud in many ways, one is by exploiting weakenesses in the ATM network like the DOS slammer. To forge a card you need CIN, PIN, CVV track 1 and 2 data you get them by using a skimming device, or buy cardholder and sensitivre CC data online, getting this data by banking sites that use ATM and CC to validate the customers in certain transactions, spear phising, exploit ATM vulnerabilitiees
This can be used to evaluate the strenght of security controls against known attacks. This is very high level representations. Diagrams of this kind can be used to evaluate coutnermeasues
Definition : Defining use and abuse cases is the foundation of the security requirement phase in which security requirements are developed. Abuse cases are instrumental to elicit requirements for security controls to mitigate potential risks. The scope of such activity is to gather functional requirements from business analysts, security governance team members, project managers and risk analysts to document the expected functionality for the application and the security controls based upon the defined use cases (positive requirements) as well as the abuse cases (negative requirements)..
In the example herein a malicious page is injected in the original page. Attack of this nature can exploit unvalidated URLs to executed within the legitimate frame and delivered to the victim via phishing, or can reflect script that when execute evil code such as a keylogger or spyware to steal cookies and other information stored on the browser.
Identify entry and the exit points and the access levels (anonymous, user authenticated, administrator, super-user) required to access the different critical components (data, services) being identified in the DFDs Enumerate the threats to the application elements by using the DFD as basis for the threat analysis by using the STRIDE (Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege) per element technique Identify the most likely attack vectors and how can impact the application from the entry points of the application and the end to end data flow visualized in the DFD and how these can exploit weaknesses (vulnerabilities) across authorization, authentication, secure communication channels as well as misuse the application functionality to cause undesirable results Identify mitigations (countermeasures) to the previously identified attack vectors and to locate them within function level (DFD level 2) diagram. Use the ASF (Application Security Frame) threat-vulnerability-countermeasure mapping (authentication, authorization, session management, data protection, data validation, error and exception handling, auditing and logging, configuration management) to indentify locate countermeasures for the DFD processes and the various DFD elements.
Threat modeling for multi-channel fraud threat scenarios
Learn to identify the most likely attacks by taking into consideration the potential opportunities for an attacker/malicious user to exploit: The application accessibility (internet, intranet, extranet) The value of the data (business sensitive, confidential PII) The gaps and weaknesses in the authentication being used (none, single authentication, multifactor, secondary) The level of authorization required to interact with the application (authenticated and non-authenticated users, administrators) and the data The potential client and server vulnerabilities because of their type function : Browser-Client Executables, Web server-Web Forms, Web Services, Application server-Dynamic Web Pages DB Access, Middleware-Messaging Backend Service Access, Databases The potential vulnerabilities due to the inherent risk of the software technology/framework and programming language being used: AJAX, JavaScript, J2EE, .NET 3.5, C/C++, Adobe Flash/RIA The exposure to the data in transit because of the inherent risks of communication protocols used: HTTP/S,XML, SOAP, Message Queues, Chat/IRC, email SMTP/POP
A lot of vulnerabilities are due to unsecure configuration
Ideally the next step is to drive security by design according to basic principles the challenge is make these principles Actionable and not a checklist. This is where compliance should be focusing on the spirit of the law rather then the letter of the low. The OWASP guidelines just do that translate this principles in actionable items for architects and developers and testers
Cyber crime threats and application countermeasures via threat modeling The presentation will also demonstrate how threat modeling is capable of delivering critical business functions as well as in mitigating current and future cyber attacks, such as distributed denial of service, botnet driven-malware, spear phishing techniques, and more attacks that ultimately lead to identity and credit card fraud.