Benefits of In-depth Security Testing for the Enterprise
•
3 j'aime•1,931 vues
we45's CTO, Abhay Bhargav, delivering a talk on the benefits of In-depth Security Testing for the Enterprise at the Bangalore Cyber Security Summit 2011
Recommandé
Recommandé
Contenu connexe
Dernier
Dernier (20)
En vedette
En vedette (20)
Benefits of In-depth Security Testing for the Enterprise
- 1. Breaking ! Wall.. Benefits of In-Depth Security Testing for the Enterprise Copyright © we45 Solutions India Pvt. Ltd.
- 2. we45 - An Introduction • we45 = “we” + Fortify (45) • Focused Information Security Consulting Company • Research oriented Security Company • Showcased as one of Karnataka’s Top 20 Startups in 2010 Copyright © we45 Solutions India Pvt. Ltd.
- 3. Y#rs Truly... • Co-author of ‘Secure Java For Web Application Development’ • Specialization in Web Application Security • Trainer and Workshop Lead for Security Training Workshops • URL: abhaybhargav.com • we45’s Website: we45.com Copyright © we45 Solutions India Pvt. Ltd.
- 4. Why test for Secu%ty? • Validation of Controls • Removing the Illusion of Control • Understanding how newer and constantly evolving threats affect your environment • Malicious - People and Code Copyright © we45 Solutions India Pvt. Ltd.
- 5. &e Gap • Security Tests largely fail because of: • Lack of focus by the testers • Organization - Lack of Awareness and Will • Tools vs Skills Copyright © we45 Solutions India Pvt. Ltd.
- 6. C%tical Data on IT • Financial Information • Credit Card Information • User Personal Information • Customer Information • Healthcare Information • Other organization sensitive information - Stored, Processesd and Transmitted via IT Copyright © we45 Solutions India Pvt. Ltd.
- 7. D'turbing (at'tics 53% of Indian Companies have been victims of cyber attacks 70% of Enterprise Web Applications are found to be vulnerable 60%+ of Enterprise Endpoints vulnerable to client-side attacks Marked Rise in Social Engineering attacks 75% of Web Applications developed with non-secure coding practices Copyright © we45 Solutions India Pvt. Ltd.
- 8. &e Solution: In-Dep) Secu%ty Testing Copyright © we45 Solutions India Pvt. Ltd.
- 9. Web A*lications • Web Application Security is key with • Web Application Security Testing is organizations taking extensively to CRITICAL Web 2.0 • Tester should follow best practice • E-Commerce, ERP, Salesforce methodologies Automation, etc • Business Logic cannot be tested with tools • Application attacks: • Application attacks due to non-secure coding practices are massive • Coding Flaws • Configuration and Deployment oriented • Business Logic Flaws attacks are multifold • Configuration Flaws • Framework based attacks - Joomla, Drupal Copyright © we45 Solutions India Pvt. Ltd.
- 10. A*lication A+acks: Case Study • Testing a large infrastructure company’s critical web app • Finding SQL Injection while testing the authentication of a particular application • Database was running with ‘root’ privileges • Later, we found a configuration file in the application server with root username and password to the DB Copyright © we45 Solutions India Pvt. Ltd.
- 11. Servers and Endpoints • Server attacks - The Genesis: • Security Testing for Servers and Endpoints is mostly tool-based. • Lack of patching server and kernel level security updates • Low Priority given to Client-Side exploits by testers • Client-Side Software - The new Achilles Heel • Non-Secure Configuration of Endpoints results in over 40% of • Endpoint Security - Insecure Security Flaws Client-side Software, Patches and Browser-based • Internal Security Testing also security flaws essential Copyright © we45 Solutions India Pvt. Ltd.
- 12. Severe Server and Endpoint Secu%ty Vulnerabilities • MS08-067: Critical Flaw in Windows Server allowing attacker to exploit the system and run his/her code - 43% of Enterprise Endpoints and Servers affected • Adobe Reader code execution flaw where attacker can exploit can run commands on victim’s system - 59% of Enterprise Endpoints found to be affected • Multiple Java Exploits affecting servers and endpoints • and many more..... Copyright © we45 Solutions India Pvt. Ltd.
- 13. Network Infra(ructure • Network Devices • Have to be tested comprehensively for authentication vulnerabilities - 38% of Network Devices have authentication flaws • Firmware Updates and Security Updates not applied - Compromise the Perimeter • Focus on Depth of Finding, rather than review Copyright © we45 Solutions India Pvt. Ltd.
- 14. People: &e Weakest Link • People are the easiest targets in a security compromise • Companies must consider comprehensive Social • Targeted Phishing - Spear Engineering Assessments to Phishing Attacks on the rise with identify lapses in User Security over 56,000 reports Awareness • Social Networks and Email: Rife • Organizations Assessments must to spread Malware and compromise user endpoints cover security over Web Browsers • Browser Security considerations Copyright © we45 Solutions India Pvt. Ltd.
- 15. In Conclusion... • Threats are multifold and evolve constantly • Organizations have to test often to avoid being a vulnerability statistic • Tests have to encompass these elements during the year based on applicability • Testers should be chosen carefully based on skills and not tools • Reporting should be clear and prescriptive, not vague and generic Copyright © we45 Solutions India Pvt. Ltd.
- 16. &ank Y# • URL: www.we45.com • Email: abhay@we45.com • Twitter: @abhaybhargav • abhaybhargav.com Copyright © we45 Solutions India Pvt. Ltd.
Notes de l'éditeur
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n