Implementing a Comprehensive Application Security Program - Tawfiq
Presented at the OWASP Qatar Chapter Meeting - December 2012
www.niiconsulting.com
Implementing a Comprehensive Application Security Program
Taufiq Ali, Manager – Security Assessment
Agenda
The Biggest Hack in History
How the Cookie Crumbles
Answers!
Technology Solutions
Strategies
Q&A
Paradigm Shift – Part I: APT & The Season of Hacks
What is APT
APT = Advanced Persistent Threat
APT is defined as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. Government and Commercial networks for years. The vast majority of APT activity observed has been linked to China.
APT is a term coined by the U.S. Air Force in 2006
APT Objectives
Political
Includes suppression of their own population for stability
Economic
Theft of IP, to gain competitive advantage
Technical
Obtain source code for further exploit development
Military
Identifying weaknesses that allow inferior military forces to defeat superior military forces
How RSA was hacked
RSA is one of the biggest security companies in the world
Rivest, Shamir, Adleman – iconic founders
Created a multi-billion $ enterprise
Initial Intrusion into the Network
Specific email IDs were discovered from public sources and social engineering
Spoofed email was sent
The email subject line read “2011 Recruitment Plan.”
The attachment was a backdoored Excel file, titled “2011 Recruitment plan.xls”.
It exploited a 0-day Adobe Flash vulnerability (CVE-2011-0609)
Establish a Backdoor into the Network
Attempt to obtain domain administrative credentials
Transfer the credentials out of the network
The attackers then established a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations.
The malware is installed with system level privileges through the use of process injection, registry modification or scheduled services.
Poison Ivy variant set in a reverse-connect mode that makes it more difficult to detect
Obtain User Credentials
The attackers often target domain controllers to obtain user accounts and corresponding password hashes en masse.
The attackers also obtain local credentials from compromised systems
The APT intruders access approximately 40 systems on a victim network using compromised credentials
Analysts have seen as few as 10 compromised systems to in excess of 150 compromised systems
Conclusion
The APT is everyone’s problem. No target is too small, or too obscure, or too well-known, or too vulnerable. It’s not spy-vs.-spy, but spy-vs.-everyone.
This is a war of attrition against an enemy with extensive resources. It is a long fight, one that never ends.
They steal information to achieve economic, political and strategic advantage.
They establish and maintain an occupying force in their target’s environment.
They steal between $40 billion to $50 billion in intellectual property from U.S. organizations each year.
Conclusion
These are real and they are on a spree
Your applications and end points are key entry points for such attacks
Gonzalez, TJX and Heart-break-land
>200 million credit card numbers stolen
Heartland Payment Systems, TJX, and 2 US national retailers hacked
Modus operandi
Visit retail stores to understand workings
Analyze websites for vulnerabilities
Hack in using SQL injection
Inject malware
Sniff for card numbers and details
Hide tracks
The hacker underground
Albert Gonzalez
a/k/a “segvec,”
a/k/a “soupnazi,”
a/k/a “j4guar17”
Malware, scripts and hacked data hosted on servers in:
Latvia
Netherlands
IRC chats
March 2007: Gonzalez “planning my second phase against Hannaford”
December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
Ukraine, New Jersey, California
Where does all this end up?
Commands used on IRC
!cardable
!cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
IRC Channels #cc #ccards #ccinfo #ccpower #ccs #masterccs #thacc #thecc #virgincc
TJX direct costs
$24 million to Mastercard
$41 million to Visa
$200 million in fines/penalties
OWASP TOP 10
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Injection – 0wning the Enterprise
Identifying SQL Injections
Getting to all the data inside the database
Reading Sensitive data inside the database like system users, users, password etc.
But how do you own the enterprise?
Cracking the password hashes
Running OS level commands
Escalating privileges
Adding the user with administrators role
Enterprise Owned!
Identifying SQL Injections
[06:19:58] [INFO] testing for SQL injection on GET parameter 'id'
[06:20:10] [INFO] target url appears to have 2 columns in query
[06:20:10] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
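The scanner output above is what the attacker sees; the defender's counterpart is spotting the same probing in web server logs. The following added example (not from the presentation) parses constructed access-log lines in combined-log format and flags any URL-decoded query parameter carrying UNION/NULL column probing, a trailing SQL comment, or a quote-break; the sample lines, REQUEST_RE and SIGNATURES are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not from the presentation). The second and third
# requests resemble the quote and UNION/NULL probing a scanner sends while
# establishing injectability and column count; the last one is a benign search.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2012:06:19:50 +0300] "GET /item.php?id=7 HTTP/1.1" 200 2311
10.0.0.5 - - [12/Dec/2012:06:19:58 +0300] "GET /item.php?id=7%27 HTTP/1.1" 500 412
10.0.0.5 - - [12/Dec/2012:06:20:10 +0300] "GET /item.php?id=7%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20 HTTP/1.1" 200 2299
10.0.0.9 - - [12/Dec/2012:06:21:03 +0300] "GET /search.php?q=union+station HTTP/1.1" 200 1800
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Signatures of UNION-based probing, applied to each decoded query parameter.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "null_columns": re.compile(r"\bselect\b[^,]*\bnull\b(\s*,\s*null\b)*", re.I),
    "comment_tail": re.compile(r"(--|#|/\*)\s*$"),
    # a lone quote not preceded by a letter (so O'Brien does not trigger)
    "quote_break": re.compile(r"(?<![a-z])'(\s|$)", re.I),
}

def analyze_line(line):
    """Return (ip, parameter, [signature names]) for a probing request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    # parse_qsl URL-decodes values, so %27 and %20 are matched as ' and space.
    for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        hits = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if hits:
            return (m.group("ip"), name, hits)
    return None

def scan_log(text):
    """Findings for every log line that shows injection probing, in log order."""
    return [f for f in (analyze_line(ln) for ln in text.splitlines()) if f]

if __name__ == "__main__":
    for ip, param, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} probed parameter '{param}': {', '.join(hits)}")
```

Several hits from one source address in a short window, as in the sample, are the pattern worth alerting on; a single quote-break alone is common noise.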
What is Next?
Running OS level commands
Escalating privileges
Adding the user with administrators role
Taking remote access to the system
XSS to 0wning the Enterprise
XSS is a client side attack
Attacking your client base
Browser bugs are the most popular targets for compromising endpoints
Java and Adobe Flash
Endpoints are entry points into the network
So what happens when you find a zero-day bug in the most popular software, like Java?
Java Zeroday
This exploit has been tested successfully against multiple platforms:
Internet Explorer
Firefox
Safari
Chrome
Fully patched operating systems:
Windows
Ubuntu
OS X
Solaris
Chaining multiple issues
How other OWASP Top 10 issues can be lethal when put together
Death by a thousand cuts (RSnake case study)
#1 - webmail is easily located
#2 - easily discoverable and plentiful email addresses
#3 - forgotten passwords are sent in plain text
#4 - system will allow users to change email address to any email address they want (with no verification)
#5 - XSS vulnerabilities in the application
#6 - usernames are email addresses
#7 - recommendation engine sends custom emails
#8 - login redirection issue
#9 - function to detect valid users.
#10 - change email function is vulnerable to CSRF
Death by thousand cuts - Attack
Detect valid users on the website (#2, #6 and #9)
Now change my email address to one of the email addresses of a corporate user (#4) that's NOT a user on the system
Finding valid users using the change email function (#9)
Send an email to one of the valid users on the system (#2) using the recommendation engine (#7).
Death by thousand cuts - Attack
The link is a link to the login function (#8) that redirects the user to an XSS hole (#5).
Now the user has logged in and their browser is under our control.
Forward the user invisibly to the change email function and force them to change their email address through CSRF (#10) to another email address that we've got control over.
Then I have their browser submit the forgot password function (#3) which delivers their password to my inbox.
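The chain only closes because the change-email function accepts any address with no verification (#4) and no CSRF protection (#10). The following added example (not from the presentation or the RSnake write-up) shows a hardened change-email flow over constructed users, sessions and an outbox: a same-origin check and CSRF token on the request, confirmation mailed to the new address before anything changes, and a notice to the old address. Names such as change_email_fixed, SITE_ORIGIN and the sample accounts are assumptions made for the example.

```python
import hmac
import secrets

class Forbidden(Exception):
    pass

# Constructed state standing in for the webmail application's user, session and
# outgoing-mail stores (assumptions for this example, not the case-study system).
USERS = {"alice": {"email": "alice@corp.example", "pending": None}}
SESSIONS = {"sess-alice": {"user": "alice", "csrf": secrets.token_hex(16)}}
OUTBOX = []   # (recipient, subject, token-or-None)
SITE_ORIGIN = "https://webmail.example"

def change_email_weak(session_id, new_email):
    """Issues #4 and #10 together: any request riding a logged-in session changes the
    address at once, with no CSRF token and no proof the new address is the user's."""
    user = SESSIONS[session_id]["user"]
    USERS[user]["email"] = new_email
    return USERS[user]["email"]

def change_email_fixed(session_id, form, origin):
    """Hardened flow: request must come from our origin and carry the session's CSRF
    token, and the change only takes effect after the NEW address confirms it."""
    sess = SESSIONS[session_id]
    if origin != SITE_ORIGIN:
        raise Forbidden("cross-origin request")
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        raise Forbidden("missing or wrong CSRF token")
    token = secrets.token_urlsafe(24)
    USERS[sess["user"]]["pending"] = (form["new_email"], token)
    # Confirmation goes to the new address; a notice goes to the current one so the
    # real owner sees an attempt they did not make.
    OUTBOX.append((form["new_email"], "Confirm your new address", token))
    OUTBOX.append((USERS[sess["user"]]["email"], "Address change requested", None))
    return "pending"

def confirm_email(user, token):
    """Complete the change only with the token that was mailed to the new address."""
    pending = USERS[user]["pending"]
    if pending is None or not hmac.compare_digest(pending[1], token):
        return False
    USERS[user]["email"], USERS[user]["pending"] = pending[0], None
    return True

def try_change(session_id, form, origin):
    """Return the flow's result, or the refusal reason, for one change attempt."""
    try:
        return change_email_fixed(session_id, form, origin)
    except Forbidden as exc:
        return "refused: " + str(exc)
```

With this flow the forgot-password step (#3) also loses its payoff, because the attacker never ends up owning the address on record.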
Take-aways
Minor issues are often overlooked, but even the smallest issues can mount into huge compromises of security
Even minor issues that are regularly dismissed in security assessments can be leveraged by a determined attacker to compromise a corporation
Problem Background
Lack of Business Risk Perspective – US Department of Homeland Security:
“Most penetration testing processes and tools do little, if anything, to substantively address the business risks...
This is largely due to the fact that the tools and the testers view the target systems with “technology blinders” on...
Although many testing tools and services claim to rank vulnerabilities in terms of technical severity, they do not typically take business risk into account in any significant sense.
At best, the test teams conduct interviews with the business owners of the applications and the application architects in an attempt to ascertain some degree of business impact, but that connection is tenuous.
…the business perspectives, however limited, that these processes can determine are all post facto. That is, they make their business impact rankings after the test is completed...This is a key shortcoming of penetration testing practices today.”
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/penetration/655-BSI.html
Software Security – Building Security In, Chapter 6 on “Penetration Testing Today”
“The problem? No clue about security risk. No idea whether the most critical security risks have been identified, how much more risk remains in the system, and how many bugs are lurking in the zillions of lines of code”
The challenge
“Penetration testing is dead. The concept as we know it is on its death bed, waiting to die and come back as something else.”
- Brian Chess, Co-Founder, Fortify Software
Approach
Pre-sales Approach
Client: “Please provide quote for black-box penetration test”
SP: “Hang on...”
SP: “I’d first like to know…”
Pre-sales approach evolved
Client: “Please provide quote for black-box penetration test”
SP: “Hang on...”
SP: “I’d first like to know…”
Traditional vs. Risk-based Security Testing
Traditional Testing                               | Risk-based Testing
Focus is on technical vulnerabilities             | Focus is on business risks
Requires strong technical know-how                | Requires both technical and business process know-how
Having the right set of tools is critical         | Understanding the workings of the business and applications is critical
Is usually zero-knowledge                         | Requires a person who understands the business process to play a significant role – usually an insider
Understanding the regulatory environment is good  | Understanding the regulatory environment is mandatory
Traditional vs. Risk-based Pentesting
Traditional Pentesting                                                           | Risk-based Pentesting
Severity levels are based on technical parameters                                | Severity levels are based on risk to the business
Risk levels in report are assigned post facto                                    | Risk levels in report reflect the levels assigned prior to testing
Test cases are built based on testing methodologies or generic testing processes | Test cases additionally build on risk scenarios
Audience for the report is usually the IT and Security teams                     | Audience for the report also includes the business process owners and heads of departments
Case study
Corporate Banking Platform – allows 3 login roles:
Maker who enters the transaction into the system
Verifier who checks the transaction data
Authorizer who authorizes the final payment
Each screen in the web application is different based on privilege level of logged in user
Security implemented by:
Restricting access to URLs that allow certain transactions
Parameters that trigger certain transactions
Case study
RA Phase:
Understand business process
Understand business risks
Define test cases:
Can maker do what verifier does?
Can verifier do what authorizer does?
Can client’s admin do what bank’s admin does?
And so forth
Pentesting discovers that http://www.bankPay.co.in/BankPayApp/authorizePaymentAction.action is available only to the Authorizer.
But what if the Maker puts it in his browser? The transaction still doesn’t get authorized.
Further investigation reveals a parameter:
Filter=‘block’
When this value is changed to:
Filter=‘submitToPay’
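The flaw in the case study is that the server hides the Authorizer's screen from the Maker but lets a client-sent parameter decide whether the payment goes through. The following added example (not from the presentation, nor the bank's code) models the three roles with constructed sessions and a hypothetical authorize-payment handler: the weak version lets Filter=submitToPay decide, the fixed version takes identity and role from the server-side session only and also enforces segregation of duties between Maker and Authorizer. SESSIONS, new_ledger and the user names are assumptions made for the example.

```python
# Added example (not from the presentation): Maker / Verifier / Authorizer
# platform of the case study, with constructed sessions and transactions.

class Forbidden(Exception):
    pass

# Constructed session store: session id -> (user, role)
SESSIONS = {
    "sess-alice": ("alice", "maker"),
    "sess-bob": ("bob", "verifier"),
    "sess-carol": ("carol", "authorizer"),
    "sess-dave": ("dave", "authorizer"),
}

def new_ledger():
    """Constructed starting state: two verified transactions awaiting authorization."""
    return {"TXN-1": {"maker": "alice", "status": "verified"},
            "TXN-2": {"maker": "dave", "status": "verified"}}

def authorize_payment_weak(ledger, session_id, txn_id, params):
    """Vulnerable pattern from the case study: the screen is hidden from the Maker,
    but the handler never checks the role; the browser-supplied Filter value decides."""
    txn = ledger[txn_id]
    if params.get("Filter") == "submitToPay":
        txn["status"] = "authorized"
    return txn["status"]

def authorize_payment_fixed(ledger, session_id, txn_id, params):
    """Hardened pattern: identity and role come from the session; Filter is ignored."""
    user, role = SESSIONS[session_id]            # KeyError here means not logged in
    if role != "authorizer":
        raise Forbidden("only the Authorizer role may authorize payments")
    txn = ledger[txn_id]
    if txn["maker"] == user:
        raise Forbidden("segregation of duties: maker cannot authorize own transaction")
    if txn["status"] != "verified":
        raise ValueError("transaction has not been verified")
    txn["status"] = "authorized"
    return txn["status"]

def attempt(handler, ledger, session_id, txn_id, params):
    """Run one handler and report the resulting status or the refusal reason."""
    try:
        return handler(ledger, session_id, txn_id, params)
    except Forbidden as exc:
        return "refused: " + str(exc)
```

This is the test case the RA phase asked for ("can Maker do what Authorizer does?") expressed as code: the fixed handler answers no regardless of what the request carries.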
Understanding the business
Who are the key actors – employees, departments, customers, partners, vendors, investors, brokers, franchisees, resellers?
What applications do they use?
What data do they access through these applications?
What are the risks if any of these actors turns bad?
What possibilities exist if an actor should decide to misuse the data – building fraud scenarios?
Regulations that drive webapp testing
PCI DSS
For all credit card processing merchants
Quarterly, semi-annual, annual network scans and penetration tests
Focus on web application security
Requires high level of protection of credit card data
There are no fines for non-compliance but breaches of security could put you out of business
HIPAA
For healthcare and pharma providers
Requires high level of protection for patient records and medical history
Fines for non-compliance are usually high
Breaches could put you out of practice/business
Technology Solutions
Web Application Firewalls
Privileged Identity Management Suites
Application-Aware Firewalls
Application-Aware SIEMS
Database Access Management Solutions
Application Security – Holistic Solution
Design
Develop/Manage
Test
Train
Secure Design
Secure Designing Models
Client Inputs
Client Education
Threat Modeling
Vulnerability Classification – STRIDE
Risk Classification – DREAD
Secure Coding Overview
Secure coding isn’t taught in school
Homeland Security's Build Security In Maturity Model (BSIMM)
Microsoft's Security Development Lifecycle (SDL)
OpenSAMM (Software Assurance Maturity Model)
OWASP Secure Coding Guides
Vendor Management
Big names != Good security
Contractual weaknesses
Lack of vendor oversight
No penalties for blatantly buggy code!
Secure Hosting
Web Security
Secured web server
Secured application server – all components
Web application firewalls
Database Security
Security Patches
Users and Roles
Access Control
Logging
Password Security
Database Table Encryption
Data Masking
OS Security
Security Patches
Users and Groups
Access Control
Security Policies
Secured Login
Logging
Secure Testing
Security testing options
Blackbox
Greybox
Whitebox
Source Code Review
OWASP Top Ten (www.owasp.org)
OWASP Testing Guide
Training
Back to basics
Natural thought process
Look at larger picture
Make it fun
Giving back to the community
Ground realities
Business priorities
Expand, grow, market share!!
Developer illiteracy
Unaware of security implications
Shortcut fixes
Vendor apathy
Problem re-enforced by weak contracts
Unclear budgets
Lip service by management towards information security
CISO left fighting the battle alone without adequate resources
Applications’ Triage / 1
Application Risk Assessment
Regulatory
PCI DSS
DOT
HIPAA/SOX/etc.
Legal
Contractual
Business Impact
Reputation Impact
Applications’ Triage / 2
Nature of the Application
Internal
External
Mixed
Number of registered users
Revenue generating / Business process supporting / Back-office / Reporting
Data that it deals with
Financial
PII
Corporate
Other
Applications’ Triage / 3
Developed In-house
Currently being supported
Developers have moved on
Outsourced
Within the country
Externally
Commercial Off the Shelf
High Level of Customization
No Customization
Vendor Leverage
Code/Libraries in Escrow
Existing Vendor Relationship
Dormant/Dead Vendor Relationship
Sample Strategies / A
FINPRO – Financial Processing, accessible over Internet
COTS – Heavily Customized
Vendor Relationship – Dormant
Strategy:
Isolate System in the Data Center
Revive Vendor Relationship
Implement PIM & WAF
Determine Alternatives
Sample Strategies / B
ATLAS – Claims Processing, agents access over Internet
In-house Developed
Active Development Team
Strategy:
Implement & Enforce Internal SLAs
Regular Secure Coding Training
Emphasis on Secure Coding Libraries
Secure Hosting
Take-Aways
Application security has a long way to go for most large organizations
The threat is ever-present and sustained
Not all applications can be dealt with in the same manner
Strategizing helps direct limited resources towards high-risk problems
Vendors, business units, and information security have to co-ordinate efforts, and stop the blame-game
Thank you! Questions?
Information Security Consulting Services
Institute of Information Security