3. Presentation Agenda
PART I: The evolution of the threat landscape for
hacking and malware, the impact of data breaches and
online fraud
PART II: How to adapt application security measures,
activities and security tools to protect web applications
from hacking and malware threats
PART III: What the future holds as the cyber threat
landscape continues to change: processes, skills, tools
and techniques that can support enterprise security
strategy
OWASP 3
4. PART I
The evolution of the threat landscape for hacking and
malware and the impact of data breaches and
online fraud
“If you know your enemy and know yourself you need
not fear the results of a hundred battles”
Sun Tzu
5. Dissecting The Hacking and Malware Threats
Figure (threat / weakness / attack triangle; only the labels survive):
Threat agents: Fraudsters, Cyber criminals, Hacktivists, Cyber Spies, Script Kiddies
Weaknesses: Social Engineering, Application Vulnerabilities, Gaps/Weaknesses in security controls
Attacks: DDoS, SQLi, Phishing, Session Hijacking, Key logging
6. The Evolution of Cyber Threats
Figure (timeline of Threat Severity vs. Time, 1995 to 2012; column labels recovered from the slide):
1995: Threats: Basic Intrusions and Viruses. Motives: Testing and Probing Systems and Data Communications. Attacks: Exploiting Absence of Security Controls, Sniffing Data Traffic, Defacing, emails with viruses.
2000: Threats: Script Kiddies, Viruses, Worms. Motives: Notoriety and Fame. Attacks: DoS, Buffer Overflow Exploits, Spamming, Sniffing Network Traffic, Phishing.
2005: Threats: Fraudsters, Malware, Trojans. Motives: Identity Theft, Profit from renting Botnet for spamming. Attacks: SQLi, Sniffing Wireless Traffic, Session Hijacking, Phishing, Vishing, Drive by Download.
2010: Threats: Hacktivists, Cyber crime, Cyber Espionage, Fraudsters, Malware. Motives: Online and Credit/Debit Card Fraud; Political; Stealing Company Secrets and Clients Confidential and Credit Card Information for Fraud. Attacks: DDoS, Defacing, Account Take Over/Session Hijacking, SQLi, Spear Phishing, APT, RAT.
2012: What next?
7. Data Breach Incidents: 2011-2012 Statistics
1. Threats: Hacking and malware are the major causes
2. Attacks: SQLi and HTTP injection for uploading scripts for remote server commands (also increased by 50% from 2010)
3. Likelihood: 90% of organizations had at least one data breach over a period of 12 months
4. Targets: 54% of incidents target web applications
5. Data Lost: Login credentials, emails and personally identifiable information are the major data types
6. Business Impact: The average cost of a data breach is estimated at $222 per record
7. Incident Response: The majority of incidents are discovered weeks/months after the time of initial data compromise
Sources:
OSF, DataLossDB.org, http://www.datalossdb.org
Ponemon Institute and Juniper Research, June 2011, Perceptions about Network Security
Ponemon Institute and Symantec, March 2012, 2011 Cost of a Data Breach: United States
Verizon, 2012 Data Breach Investigations Report
9. Examples of Malware & Hacking Attacks Used for Online And Credit/Debit Card Fraud
Account takeover: hijacking the web session to take over the victim's bank account and conduct unauthorized transfers of money from the victim's account to a bank account outside the bank
Money laundering: transferring money from illegal proceeds (e.g. sale of drugs) into hacked banking accounts
Application fraud: using stolen credit card and bank account information to open bank accounts, steal information from the victim and make payments
Card not present fraud: conducting online purchases with stolen credit card and cardholder data
Card counterfeiting: use of credit and debit card data stolen online to counterfeit cards and conduct fraud through ATM/ABM and POS channels
Carding: validation of stolen or purchased debit/credit card data such as CCN, PINs, DOBs, ACC# by using online web forms
Identity theft: theft of personal data by phishing/social engineering the victim, using malware (e.g. MitB, keyloggers), as well as by logging into the victim's online banking account
10. New Technologies Challenge Security And Create Opportunities for New Attack Vectors
Figure (two panels, "Yesterday" and "Today"; only the panel titles survive)
11. PART II
How to adapt application security measures, activities
and security tools to protect web applications from
hacking and malware threats
“To improve is to change; to be perfect is to change
often”
Winston Churchill
12. Identification and Risk Mitigation of Web Application Vulnerabilities
Figure (2x2 matrix of assessment techniques, manual vs. automated, testing vs. code review):
Manual Penetration Testing
Manual Code Review
Automated Vulnerability Scanning
Automated Static Code Analysis
13. Mitigating Hacking and Malware Attacks Against Financial Web Applications
Client PC and browser based security measures:
Awareness of social engineering: alerts and targeted information for customers on phishing and malware threats
Secure browser and PC: keep O.S. and browsers up to date, anti-malware, a PC used for online banking with no email or Facebook
Web application security measures:
Fixing web application vulnerabilities: SQL injection, XSS, unvalidated redirection, remote command invocation, session management and the rest of the OWASP Top Ten vulnerabilities
Validating security of transactions/payments: positive pay, dual verification & authorization, anomaly and fraud detection
Out of band transaction validation/authentication: two-way notification/confirmation via independent mobile/voice channels
Prevention and detection measures: strong multi-factor authentication, malicious data filtering/white-listing, web traffic monitoring with WAF and SIEM, behavioral fraud detection
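The transaction-validation and behavioral fraud detection controls listed above can be combined into a single decision point on the money-transfer path. The following is an added example written for this page, not code from the presentation: it scores a transfer request against the customer's profile (session fingerprint recorded at login, known payees, average amount, recent velocity) and maps the signals to allow, out-of-band confirmation, or block-and-alert. All profile values and the thresholds are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Fingerprint captured at login and compared on every transfer (assumed fields)."""
    ip: str
    user_agent: str


@dataclass
class Profile:
    """What the bank already knows about the customer (constructed sample data)."""
    known_payees: frozenset       # external accounts the customer has paid before
    login_session: Session        # fingerprint recorded when the session was opened
    avg_transfer: float           # customer's historical average transfer amount
    transfers_last_hour: int      # velocity counter maintained by the bank


@dataclass
class Transfer:
    amount: float
    payee_account: str
    external: bool                # True when the payee is outside the bank
    session: Session              # fingerprint of the session submitting the request


def risk_signals(t: Transfer, p: Profile) -> list:
    """Return the behavioral fraud indicators raised by one transfer request."""
    signals = []
    if t.session != p.login_session:                 # session hijacking indicator
        signals.append("session fingerprint changed")
    if t.external and t.payee_account not in p.known_payees:
        signals.append("new external payee")          # classic account-takeover cash-out
    if t.amount > 3 * p.avg_transfer:                 # assumed 3x threshold
        signals.append("amount above 3x customer average")
    if p.transfers_last_hour >= 3:                    # assumed velocity threshold
        signals.append("transfer velocity")
    return signals


def decide(t: Transfer, p: Profile) -> tuple:
    """Map signals to an action: hijacked session plus new external payee is blocked
    and alerted; any other signal triggers two-way out-of-band confirmation on an
    independent channel; no signal is allowed through."""
    signals = risk_signals(t, p)
    if "session fingerprint changed" in signals and "new external payee" in signals:
        return "block_and_alert", signals
    if signals:
        return "out_of_band_confirmation", signals
    return "allow", signals
```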
14. PART III:
What the future holds as the cyber threat landscape
continues to change: skills, tools and techniques that
can support enterprise security strategy
“I do not feel obliged to believe that the same God
who has endowed us with sense, reason, and
intellect has intended us to forgo their use.”
Galileo Galilei
15. Adapting Application Security Strategy To Hacking and Malware Threats
People trained/hired to conduct threat modeling, design secure applications, build secure software and conduct security testing
Processes for gathering threat intelligence and analyzing threats and vulnerabilities. Risk frameworks for identifying gaps and countermeasures that mitigate malware and hacking risks
Technologies that are effective in protecting against and detecting malware attacks, including security tools for testing applications for new vulnerabilities
16. Application Security Plan For Protecting
Applications from Malware and Hacking
Move on from tactical processes:
Response to Incidents, Catch and Patch for Vulnerabilities
To strategic security activities:
Secure Software Assurance, Governance, Compliance & Risk
Management
18. OWASP References
Top Ten Vulnerabilities
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf
Testing Guide
https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
Development Guide
https://www.owasp.org/index.php/OWASP_Guide_Project
Application Threat Modeling
http://www.owasp.org/index.php/Application_Threat_Modeling
Open Software Assurance Maturity Model (SAMM)
http://www.opensamm.org/
Enterprise Security API for Java
http://code.google.com/p/owasp-esapi-java/
Cheat Sheets
https://www.owasp.org/index.php/Cheat_Sheets
OWASP Live CD and Web Application Security
http://appseclive.org/
Application Security Guide for CISO (in progress)
https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs
Editor's Notes
I think the presentation would be perfect for this audience; we normally have a very senior audience (CISO, Head of Information Security, Director of Information Security, etc.) who appreciate a presentation that makes them think, confirms that they are going down a similar road to others, or even reconsider what they are currently doing! At all of the events we have a mixture of technical, operational and strategic presentations, which hopefully provides the delegates who are involved in different job roles an interesting mixture of topics and areas. I believe that your presentation will fit perfectly into the strategic area.
Here is a link to the previous agenda from the last e-Crime Mid Year meeting in London. I think that some of the topic areas will have evolved, but hopefully it will give you a better picture of the different types of presentation that take place throughout the day and the variety of topics covered. http://www.e-crimecongress.org/forum/website.asp?page=2011agenda
I have also sat with my manager, Jon Hawes, today and talked through the amendments to the presentation bullet points. Jon has suggested the changes below, which I hope capture some of the content that the presentation will cover. Please feel free to change these as you wish, as they are only suggestions! It would be great to hear your thoughts.
Adapting to evolving cyber attack scenarios: a focus on online banking and e-Commerce threats
- New threats and attacks: how are the types and level of impact that businesses must prepare for changing, and what are the implications for security stakeholders?
- How can existing measures designed to prevent and detect attacks be improved to mitigate loss and guard against potential business disruption?
- Structuring application security controls to reduce risk and maximise the value of software security engineering, threat modelling and security testing
- Preparing for what the future holds as the cyber threat landscape continues to change: tools and techniques that can support enterprise security strategy
Best wishes, and if you do have any questions please don't hesitate to give me a call,
Slide 1 preface will characterise today's threat landscape from the perspective of the threat agents, their motives and their targets. If you are a medium or large bank, chances are you are running a site that allows your customers to bank online; this supports rich features and risky transactions such as opening bank accounts, transferring money to external accounts, paying bills, etc. The online banking site also collects and processes sensitive customer information. This data and these transactions are the digital assets sought by fraudsters seeking to steal sensitive customer and card data for identity theft, card-not-present transactions and other fraud. If your company has an e-commerce web site, payments and credit card data are also a target. The main question we are trying to answer is: who are the threat agents, what are their motives, and what are the tools and techniques they use to pursue those motives?
Ten years ago: Threat agents: script kiddies. Motives: becoming famous. Severity: occasional denial of service.
Today: Threat agents: cybercriminals and hacktivists. Motives: financial and political. Severity: identity theft, DDoS, online fraud.
The scenarios have changed radically in the last ten years, above all the motives, which are now money and profit: the new hackers are part of organizations dedicated to perpetrating crime but also to developing very sophisticated attack tools. The main victims are companies, in particular the financial sector.
Financial losses due to malware-based attacks are rising: in the U.S.A. alone, according to data from the FDIC (Federal Deposit Insurance Corporation), during the third quarter of 2009 malware-based online banking fraud rose to over $120 million. In the UK, according to data from the Cards Association, losses from the online banking sector during 2009 totaled 60 million UK pounds.
Some percentages, especially data type per incident, do not add up to 100%, which means some data types are not classified (e.g. 81%). DataLossDB classifies incidents as follows. Data types: CCN, SSN, NAA, EMA, MISC, MED, ACC, DOB, FIN, UNK, PWD, ADD. Sectors: Biz, Edu, Gov, Med. Sources: Outside, Inside - Accidental, Inside - Malicious, Inside, Unknown. Breach types: Disposal Computer, Disposal Document, Disposal Tape, Disposal Drive, Disposal Mobile, Email, Fax, Fraud Se, Hack, Lost Computer, Lost Document, Lost Drive, Lost Laptop, Lost Media, Lost Mobile, Lost Tape, Missing Document, Missing Laptop, Missing Media, Snail Mail, Stolen Computer, Stolen Document, Stolen Drive, Stolen Laptop, Stolen Media, Stolen Mobile, Stolen Tape, Unknown, Virus, Web.
These MitB examples also serve to characterise the type of malware and to determine an incident response action.
It is interesting to look at the impact as online fraud: usually one talks about account takeover and application fraud (counterfeiting), but online fraud includes a bit of everything.
Malware/hacking techniques for stealing data and online banking sessions (account takeover).