Companies of all sizes face a universal security threat from today's organized hacking industry. Why? Hackers are decreasing costs and expanding their reach with tools and technologies that allow for automated attacks against Web applications. The hacker’s arsenal includes armies of zombies (i.e. global networks of compromised computers) that access large amounts of personal and corporate data that can be sold on the black market. As part of Imperva's ongoing Hacker Intelligence Initiative, we monitored and categorized individual attacks across the Internet over a period of six months. This webinar will detail the results of this research, which encompasses attacks witnessed via onion router (TOR) traffic as well as attacks targeting 30 different enterprise and government Web applications. The research includes: • Insight into how automation allows hackers to generate 7 attacks per second • Overview of the top vulnerabilities exploited by hackers: directory traversal, cross-site scripting (XSS), SQL injection, and remote file inclusion (RFI) • Detail into which countries generate the most malicious activity • Recommendations, both technical and nontechnical, for security teams and executive

1. The State of Application Security:
What Hackers Break
Amichai Shulman, CTO, Imperva

2. Agenda
 The current state of Web vulnerabilities
 Studying hackers
+ Why? Prioritizing defenses
+ How? Methodology
 Analyzing real-life attack traffic
+ Key findings
+ Take-aways
 Technical recommendations
2

3. Imperva Overview
Imperva’s mission is simple:
Protect the data that drives business
The leader in a new category:
Data Security
HQ in Redwood Shores CA; Global Presence
+ Installed in 50+ Countries
1,200+ direct customers; 25,000+ cloud users
+ 3 of the top 5 US banks
+ 3 of the top 10 financial services firms
+ 3 of the top 5 Telecoms
+ 2 of the top 5 food & drug stores
+ 3 of the top 5 specialty retailers
+ Hundreds of small and medium businesses
3

4. Today’s Presenter
Amichai Shulman – CTO Imperva
 Speaker at industry events
+ RSA, Sybase Techwave, Info Security UK, Black
Hat
 Lecturer on Info Security
+ Technion - Israel Institute of Technology
 Former security consultant to banks and
financial services firms
 Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application
vulnerabilities
– Credited by Oracle, MS-SQL, IBM and others
Amichai Shulman one of InfoWorld’s “Top 25 CTOs”

5. WhiteHat Security Top Ten—2010
Percentage likelihood of a website having at least
one vulnerability sorted by class

6. The Situation Today
# of websites : 357,292,065
(estimated: July 2011)
# of x
vulnerabilities : 230
1%
821,771,600
vulnerabilities in active circulation

7. The Situation Today
# of websites : 357,292,065
(estimated: July 2011)
# of x
vulnerabilities : 230
But which will be exploited?
1%
821,771,600
vulnerabilities in active circulation

8. Studying Hackers
 Focus on actual threats
+ Focus on what hackers want, helping good guys prioritize
+ Technical insight into hacker activity
+ Business trends of hacker activity
+ Future directions of hacker activity
 Eliminate uncertainties
+ Active attack sources
+ Explicit attack vectors
+ Spam content
 Devise new defenses based on real data
+ Reduce guess work

9. Understanding the Threat Landscape:
Methodology
 Analyze hacker tools and activity
 Tap into hacker forums
 Record and monitor hacker activity
+ Categorized attacks across 30 applications
+ Monitored TOR traffic
+ Recorded over 10M suspicious requests
+ 6 months: December 2010-May 2011

10. Lesson #1: Automation is Prevailing
 Attacks are automated
+ Botnets
+ Mass SQL Injection attacks
+ Google dorks

11. Lesson #1: Automation is Prevailing
 Tools and kits exist for everything

12. Lesson #1: Automation is Prevailing
Apps under automated attack:
25,000 attacks per hour.
≈ 7 per second
On Average:
27 attacks per hour
≈ 1 attack per 2 min.

13. Lesson #1: Automation is Prevailing
Apps under automated attack:
25,000 attacks per hour.
≈ 7 per second
Take-away: On Average:
27 attacks per hour
Get ready to fight automation
≈ 1 attack per 2 minutes

14. Lesson #2: The ―Unfab‖ Four

15. Lesson #2A: The ―Unfab‖ Four
SQL Injection

16. Lesson #2B: The ―Unfab‖ Four
Remote File Inclusion

17. Lesson #2B: The ―Unfab‖ Four
Remote File Inclusion
Analyzing the parameters and source of an RFI attack
enhances common signature-based attack detection.

18. Lesson #2C: The ―Unfab‖ Four
Directory Traversal

19. Lesson #2C: The ―Unfab‖ Four
Directory Traversal

20. Lesson #2D: The ―Unfab‖ Four
Cross Site Scripting

21. Lesson #2D: The ―Unfab‖ Four
Cross Site Scripting

22. Lesson #2D: The ―Unfab‖ Four
Cross Site Scripting – Zooming into Search Engine Poisoning
http://HighRankingWebSite+PopularKeywords+XSS
…
http://HighRankingWebSite+PopularKeywords+XSS

23. Lesson #2D: The ―Unfab‖ Four
Cross Site Scripting
New Search Engine Indexing Cycle

24. Lesson #2: The ―Unfab‖ Four
Take-away:
Protect against these common attacks
These may seem obvious common attacks, but RFI and DT do not
even appear in OWASP’s top 10 list.

25. Directory Traversal Missing from OWASP Top 10?
 OWASP Rationale:
Directory traversal is covered in the OWASP
Top Ten 2010 through the more general case,
A4, Insecure Direct Object Reference.
 ―Insecure Direct Object Reference‖ is different than
―Directory Traversal‖ because in the latter access is
made to a resource that, to begin with, should not have
been available through the application.

26. Remote File Inclusion Missing from OWASP Top 10?
 A3, OWASP Top 10 2007 - Malicious File Execution.
Removed in the OWASP Top 10 2010.
 OWASP Rationale:
REMOVED: A3 – Malicious File Execution. This
is still a significant problem in many
different environments. However, its
prevalence in 2007 was inflated by large
numbers of PHP applications having this
problem. PHP now ships with a more secure
configuration by default, lowering the
prevalence of this problem.

27. Lesson #3: The U.S. is the Source of Most Attacks
We witnessed 29% of attack events originating from 10 sources.

28. Lesson #3: The U.S. is the Source of Most Attacks
Take-away:
Sort traffic based on reputation
We witnessed 29% of attack events originating from 10 sources.

29. Organizations like these Funded a $27B Security
Market in 2010…
…All had major breaches in 2011. What’s wrong?

30. Threat vs. Spending Market Dislocation
 The data theft industry is estimated at $1 trillion annually
 Organized crime is responsible for 85% of data breaches 1
Threats Spending
― Yet well over
90% of the
― In 2010, 76%
of all data
$27 billion
spent on
breached was security
from servers products was
and
‖
on traditional
applications1
‖ security2
1 2011 Data Breach Investigations Report (Verizon RISK Team in conjunction
with the US Secret Service & Dutch High Tech Crime Unit)
2 Worldwide Security Products 2011-2014 Forecast (IDC - February 2011)

31. Summary
Deploy security solutions that deter automated
attacks
Detect known vulnerability attacks
Acquire intelligence on malicious sources and apply it
in real time
Participate in a security community and share data on
attacks

32. Summary
―Foreknowledge cannot be
gotten from ghosts and
spirits, cannot be had by
analogy, cannot be found
out by calculation. It must
be obtained from people,
people who know the
conditions of the enemy‖ 1
1 Sun Tzu – The art of war

33. Imperva: Our Story in 60 Seconds
Attack Usage
Protection Audit
Virtual Rights
Patching Management
Reputation Access
Controls Control

34. Webinar Materials
Get LinkedIn to
Imperva Data Security Direct for…
Answers to
Post-Webinar
Attendee
Discussions
Questions
Webinar
Much more…
Recording Link

35. Questions
- CONFIDENTIAL -

36. Thank You
- CONFIDENTIAL -