A Methodology for Attack Simulation and Threat Analysis for Web Applications
Marco Morana, OWASP
Security Summit, Rome, 9 June 2011

What is OWASP?

Agenda of the presentation
- PART I: The new attack scenarios against web sites: data and statistics
- PART II: The methodology for attack and threat simulation
- PART III: Example of using the methodology for the analysis of threats and attacks, and for the calculation of the risks caused by banking malware

PART I: The new attack scenarios: data and statistics
The changing threat landscape for applications
- Threat actors are motivated by money (e.g. theft of credit card data for resale, financial fraud)
- Threat actors are part of organized crime (e.g. espionage of trade secrets/intellectual property, and terrorist groups)
- The targets are companies, and in particular the financial sector
SOURCE: Cisco: Threat Control and Containment: New Strategies For A Changed Threat Landscape
Data on malware and hacking threats
- They constitute the main threats by attack type
Source: Verizon Data Breach Investigation Report: http://www.verizonbusiness.com/Products/security/dbir/

The targets of malware and hacking threats
- The data types most at risk are sensitive data (e.g. credit cards)
Source: Verizon Data Breach Investigation Report: http://www.verizonbusiness.com/Products/security/dbir/
The threat actors behind hacking and malware attacks
The presumed hacker has just woken up and, sipping his coffee (or tea, or perhaps vodka), starts his working day with a nice list of IP addresses of compromised computers and of logins for authenticating to web sites. The next step consists in spending a few hours distributing malware to the compromised PCs and going over last week's list of PCs to catch up on the data collected. After that it is time to go home and look after wife and children.
Source: CyberCrime & Doing Time, A Blog about Cyber Crime and related Justice issues: http://garwarner.blogspot.com

Sherlock Holmes vs. Dr Jekyll/Mr Hyde
The "I know, but I do nothing" approach to risk

The "Fear, Uncertainty and Doubt" approach to risk
- Fear of being non-compliant => fines, restrictions and controls (e.g. SEC, PCI etc.)
- Fear of losing reputation => in case of loss of sensitive data, forced to notify the public (SB 1386)
- Fear of lawsuits => when the victim of the fraud is the business customer rather than the consumer
- Uncertainty about causes and consequences => Are we the target? If we are, how much money could we lose?
- Doubts about the effectiveness of countermeasures => we do not trust our own means, processes and people

The "antagonist of whoever has to mitigate the risk" approach to risk
- "Us vs. them" (Security department vs. Dev/IT/Business Units):
- Mitigation by resorting to the magic pill
- No demonstration of how attacks happen and how they impact the business
- No incentive to collaborate between those who identify the risk and those who have to mitigate it with countermeasures

The "People, Processes and Technologies" approach to risk
- Trained and qualified staff to respond to incidents
- Adequate processes for identifying the design errors and the vulnerabilities that hackers exploit
- Technologies and countermeasures for mitigating the threats from malware and hackers

PART II: Introduction to the PASTA™ (Process for Attack Simulation and Threat Analysis) threat modeling method
The methodology for threat analysis
[Application] Threat Modeling: a strategic process that aims to consider the threats, the possible attack scenarios and the vulnerabilities that can be exploited in the application environment, with the goal of managing risks and impact levels.
It focuses on different aspects of threat mitigation:
- Architecture & software (design)
- The assets at risk (data, servers, applications)
- The attacker's or the defender's perspective

Microsoft's STRIDE threat modeling methodology
STRIDE categories shown on the data flow diagram: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service

Limitations of the threat modeling methodologies in use today
- Several methodologies, but none is adopted at large scale
- STRIDE & DREAD are not methodologies but models for classifying threats and risks
- Limited in scope (e.g. asset-, attack-, software- or security-centric): not all approaches include the analysis of design errors
- Limited adoption in the SDLC, especially compared with other activities (e.g. secure code review, pen testing)
- Not part of the InfoSec processes (e.g. information security risk management, fraud, incident response)
- Subjective and ad-hoc processes that rely on the experience of whoever performs the analysis: SMEs (Subject Matter Experts)/Security Architects/Consultants
The recipe for P.A.S.T.A™ Threat Modeling
- Includes all the processes (e.g. intelligence) for the strategic mitigation of risks
- Is based on the analysis of attack scenarios
- Focuses on minimizing application risks and business impacts
The P.A.S.T.A™ Threat Modeling Methodology
1. Define Security and Business Objectives
   - Identify Security & Compliance Requirements
   - Business Impact Analysis
2. Define Technical Scope
   - Capture Infrastructure | Application | Software Dependencies
3. Application Decomposition
   - Identify Actors | Assets | Services | Roles | Data Sources
   - Data Flow Diagramming (DFDs) | Trust Boundaries
4. Threat Analysis
   - Regression Analysis on Security Events
   - Threat Intelligence Correlation & Analytics
5. Vulnerability & Weaknesses Analysis
   - Threat to Existing Vulnerability Mapping Using Threat Trees
   - Design Flaw Analysis Using Use & Abuse Cases
   - Scorings (CVSS/CWSS) | Enumerations (CWE/CVE)
6. Attack Modeling
   - Attack Tree Development | Attack Library Mgt
   - Attack to Vulnerability & Exploit Analysis using Attack Trees
7. Risk & Impact Analysis
   - Countermeasure Identification & Residual Risk Analysis
   - ID risk mitigation strategies
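As an added example (not part of the original slides), the following Python models the last two stages of the list above for the deck's banking-malware scenario: an attack tree whose AND/OR nodes propagate leaf likelihoods up to the root goal (attack modeling), and the inherent versus residual risk once countermeasures scale down individual leaves (risk and impact analysis). The tree structure, the leaf likelihoods, the impact value and the reduction factors are constructed assumptions, not figures from the presentation.

```python
from dataclasses import dataclass, field
from math import prod
from typing import Dict, Iterable, List


@dataclass
class Node:
    """One node of an attack tree (PASTA stage 6).

    A LEAF carries an estimated likelihood in [0, 1]; an AND node succeeds
    only if all children succeed; an OR node succeeds if any child does.
    """
    name: str
    kind: str = "LEAF"                # "LEAF", "AND" or "OR"
    likelihood: float = 0.0           # used only by LEAF nodes
    children: List["Node"] = field(default_factory=list)


@dataclass
class Countermeasure:
    """A control that scales the likelihood of one leaf (PASTA stage 7)."""
    name: str
    target_leaf: str                  # name of the leaf it acts on
    reduction: float                  # factor in [0, 1]; 0.25 means -75 %


def node_likelihood(node: Node, reductions: Dict[str, float]) -> float:
    """Propagate leaf likelihoods up the tree with AND/OR semantics."""
    if node.kind == "LEAF":
        return node.likelihood * reductions.get(node.name, 1.0)
    child_p = [node_likelihood(c, reductions) for c in node.children]
    if node.kind == "AND":
        return prod(child_p)
    if node.kind == "OR":             # P(at least one branch succeeds)
        return 1.0 - prod(1.0 - p for p in child_p)
    raise ValueError(f"unknown node kind {node.kind!r}")


def reduction_table(countermeasures: Iterable[Countermeasure]) -> Dict[str, float]:
    """Combine several countermeasures on the same leaf multiplicatively."""
    table: Dict[str, float] = {}
    for cm in countermeasures:
        table[cm.target_leaf] = table.get(cm.target_leaf, 1.0) * cm.reduction
    return table


def branch_likelihoods(tree: Node,
                       countermeasures: Iterable[Countermeasure] = ()) -> Dict[str, float]:
    """Likelihood of each top-level branch: shows which scenario dominates."""
    table = reduction_table(countermeasures)
    return {c.name: node_likelihood(c, table) for c in tree.children}


def risk(tree: Node, impact: float,
         countermeasures: Iterable[Countermeasure] = ()) -> Dict[str, float]:
    """Risk = likelihood of the root goal x business impact.

    With countermeasures supplied this is the residual risk of stage 7.
    """
    p = node_likelihood(tree, reduction_table(countermeasures))
    return {"likelihood": p, "risk": p * impact}


# Constructed sample tree for the deck's banking-malware scenario; the
# structure and every number below are illustrative assumptions.
BANKING_MALWARE_TREE = Node(
    "Fraudulent transfer from a customer account", "OR", children=[
        Node("Attacker logs in with a stolen customer login", "AND", children=[
            Node("Login stolen by banking malware on the customer PC", likelihood=0.5),
            Node("Stolen login alone is enough to authorize a transfer", likelihood=0.8),
        ]),
        Node("Attacker reuses a hijacked session", "AND", children=[
            Node("Session token captured on the client or in transit", likelihood=0.2),
            Node("Server accepts the session from a different client", likelihood=0.5),
        ]),
    ])

# Constructed countermeasures and reduction factors (assumptions).
COUNTERMEASURES = [
    Countermeasure("Out-of-band confirmation of transfers",
                   "Stolen login alone is enough to authorize a transfer", 0.25),
    Countermeasure("Re-authentication and client binding for the transfer step",
                   "Server accepts the session from a different client", 0.5),
]

ASSUMED_IMPACT = 1_000_000  # assumed yearly fraud loss for the example (currency units)


if __name__ == "__main__":
    before = risk(BANKING_MALWARE_TREE, ASSUMED_IMPACT)
    after = risk(BANKING_MALWARE_TREE, ASSUMED_IMPACT, COUNTERMEASURES)
    for name, p in branch_likelihoods(BANKING_MALWARE_TREE).items():
        print(f"{p:.2f}  {name}")
    print(f"inherent risk: {before['risk']:,.0f}  (p={before['likelihood']:.3f})")
    print(f"residual risk: {after['risk']:,.0f}  (p={after['likelihood']:.3f})")
```

Comparing the per-branch likelihoods before and after applying a countermeasure is the "ID risk mitigation strategies" step: the control that most reduces the dominant branch is the one to prioritize.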
- Application architects, who can thus identify design errors and identify the countermeasures to fix them and to protect data and assets
- Developers, who can thus understand whether the software is vulnerable and exposed to attacks
- Security testers, who can use the use and abuse cases and the attack libraries to test the application
- Project managers, who can thus manage the remediation of defects more effectively
- CISOs, who can thus make decisions on how to mitigate risks at the application level
The steps of the banking malware analysis using the P.A.S.T.A. methodology
- Documentation of the requirements for the analysis of the risks from banking malware threats, attacks and vulnerabilities
- Definition of the technical scope of the analysis
- Analysis of the security of the site from the point of view of the security controls at the architectural and functional level
- Study and analysis of the threats from intelligence data
- Analysis of the vulnerabilities that can be exploited by the threats to cause an impact
- Models of the attack scenarios
- Formulation of the strategy for risk mitigation and for the reduction of the impact at the business level

STAGE I: Definition of the security and business objectives: "Capturing the requirements for the analysis and management of banking malware risks"

Preliminary impact analysis
Impacts for the company/business:
- Loss of money due to fraud (e.g. illegal money transfers) and loss of sensitive customer data
- Lack of legal liability for fraud against business customers leads to lawsuits by those same customers
- Loss of reputation/image due to the public notification of the loss of customers' sensitive data, which also impacts customer loyalty
- Non-compliance with security laws and regulations (e.g. PCI-DSS, FFIEC/OCC, GLBA, SB 1386, FACT Act, PATRIOT Act) leads to fines and costly compliance audits
Impacts for customers:
- Theft of logins for accessing online banking sites
- Theft of sensitive data
- Loss of money from the account, for both business and private accounts

Objectives of the analysis and security and regulatory requirements

STAGE II: Definition of the technical scope of the analysis: "Definition of the threat modeling scope relative to the requirements of the analysis"

Profile of the application in scope for the analysis: online banking site

Definition of the technical scope of the analysis
Information extracted from the project documents:
- Components of the web application by functional tier (presentation, logic, data)
- Network topology (firewalls, servers, routers etc.)
- Protocols and processes that are part of the end-to-end architecture (data flow diagrams)
- Usage scenarios and functions (sequence diagrams)
Application model in support of the analysis:
- The application's assets (e.g. data/services at the different sections of the application architecture)
- The application's security controls (authentication, authorization, cryptography, session management, input validation, storage and logs)
- The interactions between the user and the application for the various web transactions (e.g. login, registration, data queries etc.)

Architecture scope: On-line Banking Application Architecture Diagram

Online banking transactions in scope for the analysis
Editor's notes

  1. Gliscenarisonocambiatiradicalmentenegliultimidiecianni, inziutto I motivichesonodenaro e profitto in nuovi hackers fannao parte di organizazzioni dedicate allaperperpetuazione di crimine ma ancheallosviluppo di strumenti di attaccco molto sofisticati. I principalivittimesono le aziiendeed in particolareilsettorefinanziarioFinancial losses due to malware-based attacks are rising:In the U.S.A. alone, according to data from FDIC (Federal Deposit Insurance Corporation), during the third quarter of 2009 malware-based online banking fraud rose to over $ 120 millionIn the UK, according to data from the Cards Association, losses from the online banking sector in UK during 2009 totaled 60 million UK pounds.
  2. Malware and hacking attacks account for the majority of data losses (2010) and are the two main threats by attack type.
  3. Which are the main targets and the most sought-after sensitive data? Web applications account for the majority of compromised data by percentage, while by percentage of attack type they rank third. The data types most at risk are credit card records, followed by authentication logins.
  4. Who are the actors? The alleged hacker has just woken up and, sipping his coffee (or tea, or maybe vodka), begins his working day with a nice list of IP addresses of compromised computers together with the logins needed to authenticate to the sites. The next step consists of spending a few hours distributing malware to the compromised PCs and reviewing last week's victim PCs to catch up on the data collected. After that it is time to go home and look after wife and children. All fine, until they were eventually arrested by the FBI for compromising dozens of accounts and transferring about 3 million dollars to other accounts opened under false identities.
  5. We are therefore dealing with hackers by trade who nonetheless lead apparently normal lives, and getting on their trail is not easy, even if on our side we have someone like Sherlock Holmes.
  6. Another typical approach is to act alone, thinking that the security problem is the sole responsibility of a single department; this is also an antagonistic approach that does not facilitate communication and collaboration.
  7. STRIDE is a way of categorizing threats and associating them with the elements of the architecture that are highlighted here in the data flow diagram.
  8. Today we find ourselves using different methodologies with different focuses, limited in their scope of risk mitigation; they do not interface with other processes such as secure code review, they are isolated from processes such as risk management, fraud and incident response, and they rely heavily on the experience of whoever conducts the assessment.
  9. Our recipe is a methodology that treats threat mitigation as a business problem, takes into account the enterprise's strategic risk analysis processes, makes it possible to analyze attacks, and is carried out in successive stages.
  10. Stage I - Define the objectives: Identify business objectives and ensure an appropriate level of security requirements to support the business goals for the application while meeting compliance with security standards. Identify preliminary security and compliance risks and their business impacts to the application.
      Stage II - Define the technical scope: Define the technical scope/boundaries of threat modeling as a dependency on the various technologies, software and hardware, components and services used by the application. Categorize any architectural elements and technologies/components whose function is to provide security controls (e.g. authentication, encryption) and security features (e.g. protection of CIA).
      Stage III - Decompose the application: Decompose the application into the essential elements of the application architecture (e.g. users, servers, data assets) that can be further analyzed for attack simulation and threat analysis from both the attacker and the defender perspective.
      Stage IV - Analyze the threats: Enumerate the possible threats targeting the application as an asset. Identify the most probable attack scenarios based upon threat agent models, security event monitoring, fraud mapping and threat intelligence reports. The final goal is to analyze the threat and attack scenarios that are most probable and need to be prioritized later for attack simulation.
      Stage V - Vulnerabilities and weaknesses analysis: The main goal of this stage is to map the vulnerabilities identified for the different assets, which include the application as well as the application infrastructure, to the threats and attack scenarios identified in the previous threat analysis stage. Formal methods that map threats to several generic types of vulnerabilities, such as threat trees, are used to identify which vulnerabilities can be used for attacking the application assets. Once identified, these vulnerabilities are enumerated and scored using standard vulnerability enumerations (CVE, CWE) and scoring methods (CVSS, CWSS).
      Stage VI - Analyze the attacks: The goal of this stage is to analyze how the application and the application context, which includes the user agents, the application and the application environment, can be attacked by exploiting vulnerabilities using different attack libraries and attack vectors. Formal methods for the attack analysis used at this stage include attack surface analysis, attack trees and attack libraries/patterns. The ultimate outcome of this stage is to map attacks to vulnerabilities and document how these vulnerabilities can be exploited by different attack vectors.
      Stage VII - Risk and impact analysis: The goal of this final stage is to derive risk and impact values for the application environments, determine the residual risks to the business after countermeasures are applied and existing compensating security controls/measures are considered, and provide risk mitigation strategies for informed risk management decisions.
  11. P.A.S.T.A. helps each role differently:
      - Architects understand how vulnerabilities in the application affect threat mitigation, identify the trust boundaries and the classification of the data assets, identify vulnerabilities and apply countermeasures through proper design.
      - Developers understand which components of the application are vulnerable and learn how to mitigate vulnerabilities.
      - Security testers can use the security requirements derived through the methodology, as well as use and abuse cases, to create positive and negative test cases.
      - Project managers can prioritize the remediation of security defects according to risk.
      - Business managers can determine which business objectives have an impact on security.
      - Information risk officers can make strategic risk management decisions by mitigating technical risks while weighing the cost of countermeasures against the cost of the business impact as risk mitigation factors.
  12. The methodology can be demonstrated on the case of analyzing the threats posed by banking malware. Explain the rationale of P.A.S.T.A. and why this new framework is being used. The seven stages of the P.A.S.T.A. process will be covered by looking first and foremost at malware-based threat mitigation as a business problem, followed by the definition of the technical scope of the existing security controls and their dependencies, the analysis of the effectiveness of these controls using use and abuse cases, the analysis of malware-based threats using threat agent models and threat intelligence reports, the vulnerability and weakness analysis of multi-factor authentication, transaction integrity and session management controls, the modeling of banking Trojan attacks using attack surface analysis, attack trees and identification of attack paths, and the final risk and impact analysis that qualifies and quantifies the negative impact of these kinds of attacks on the financial institution and the residual risk after different countermeasures are applied to protect online banking transactions as well as to detect the occurrence of the attacks. The ultimate goal of this presentation is to give application security risk managers/officers and application security architects an example of how P.A.S.T.A. threat modeling can be used to make informed risk management decisions and devise risk mitigation strategies to protect online banking applications from banking Trojans and malware-based attacks.
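The attack-tree and residual-risk steps of Stages V to VII, applied to the banking Trojan case described in note 12, can be made concrete with a small computation. The following is an added example written for these notes, not code from the talk or from the OWASP project: it models the account-takeover scenario as an AND/OR attack tree, where OR branches are alternative ways to reach a goal and AND nodes require every child step to succeed, and it recomputes the attacker's success probability and the residual risk once a candidate countermeasure is applied. The leaf probabilities, countermeasure effectiveness factors, cost figures and the impact figure are all constructed, illustrative values, not measured data, and the countermeasure names are hypothetical labels for the detective controls discussed later in the notes.

```python
"""Attack tree with residual-risk computation.

Added example (not code from the talk): models the banking-Trojan account
takeover as an AND/OR attack tree, the formal method named in Stages V-VII,
then recomputes the attacker's success probability and the residual risk
after candidate countermeasures are applied.  All probabilities, factors,
costs and the impact figure are constructed, illustrative values.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass
class Node:
    name: str
    kind: str = "leaf"                      # "leaf", "and" or "or"
    p: float = 0.0                          # leaf only: base success probability
    children: List["Node"] = field(default_factory=list)
    # countermeasure name -> factor the leaf probability is multiplied by
    mitigations: Dict[str, float] = field(default_factory=dict)


def success_probability(node: Node, applied: FrozenSet[str] = frozenset()) -> float:
    """Attacker success probability for the subtree rooted at `node`."""
    if node.kind == "leaf":
        p = node.p
        for cm, factor in node.mitigations.items():
            if cm in applied:
                p *= factor
        return p
    ps = [success_probability(c, applied) for c in node.children]
    if node.kind == "and":                  # every child step must succeed
        result = 1.0
        for x in ps:
            result *= x
        return result
    if node.kind == "or":                   # any child path suffices (independence assumed)
        fail = 1.0
        for x in ps:
            fail *= 1.0 - x
        return 1.0 - fail
    raise ValueError(f"unknown node kind {node.kind!r}")


# Constructed tree for "unauthorized transfer to a mule account" (Stage VI).
MITB_FORM_GRAB = Node("MitB form grabbing steals credentials", p=0.6,
                      mitigations={"webinject_detection": 0.3})
PHISHING = Node("Phishing page steals credentials", p=0.3)
MITB_OTP = Node("Injected field captures OTP / KBA answers", p=0.5,
                mitigations={"webinject_detection": 0.3})
SOCIAL_ENG = Node("Social engineering obtains KBA answers", p=0.2)
TRANSFER = Node("Transfer to mule completes undetected", p=0.8,
                mitigations={"oob_sms_alerts": 0.5, "anomaly_detection": 0.6})

ACCOUNT_TAKEOVER = Node("Unauthorized money transfer", kind="and", children=[
    Node("Obtain credentials or session", kind="or", children=[MITB_FORM_GRAB, PHISHING]),
    Node("Bypass transaction authorization", kind="or", children=[MITB_OTP, SOCIAL_ENG]),
    TRANSFER,
])

# Assumed expected loss per successful campaign and yearly cost per countermeasure.
IMPACT = 500_000.0
COSTS = {"webinject_detection": 40_000.0, "oob_sms_alerts": 25_000.0,
         "anomaly_detection": 60_000.0}


def residual_risk(tree: Node, applied: FrozenSet[str], impact: float = IMPACT) -> float:
    """Stage VII: residual risk = success probability x business impact."""
    return success_probability(tree, applied) * impact


def rank_countermeasures(tree: Node, costs: Dict[str, float], impact: float = IMPACT):
    """Net benefit (risk reduction minus cost) of each countermeasure taken on its
    own, best first: the cost-vs-impact trade-off the risk officer decides on."""
    base = residual_risk(tree, frozenset(), impact)
    ranked = []
    for cm, cost in costs.items():
        reduced = residual_risk(tree, frozenset([cm]), impact)
        ranked.append({"countermeasure": cm, "residual_risk": reduced,
                       "net_benefit": base - reduced - cost})
    return sorted(ranked, key=lambda r: r["net_benefit"], reverse=True)


if __name__ == "__main__":
    print(f"baseline success probability: {success_probability(ACCOUNT_TAKEOVER):.4f}")
    for row in rank_countermeasures(ACCOUNT_TAKEOVER, COSTS):
        print(row)
    print(f"residual risk with all controls: {residual_risk(ACCOUNT_TAKEOVER, frozenset(COSTS)):,.0f}")
```

With these inputs the baseline success probability is 0.3456; the web-inject detection control ranks first because it cuts both MitB leaves at once, which is the kind of result the tree makes visible and a flat vulnerability list does not. The OR-node formula assumes the branches are independent; where two paths share a precondition (the same infected endpoint, for instance) the tree should be restructured so that the shared step is a single AND child.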
  13. Application architecture: the architecture of the application with respect to the "end to end" deployment scenario.
      - The location of the servers on which the application functionality resides (e.g. the network topology).
      - The end-to-end data flows and the protocols/services used/exposed from the user to the back end and back (e.g. data flow diagrams).
      - The use case scenarios (e.g. sequence diagrams).
      Extract the essential information in support of security architecture risk analysis:
      - The exposure of the assets: servers hosting the application and the data, including any external, DMZ and internal/GRN links.
      - All major application software/system components in all the application tiers (e.g. front end, middle tier, back end) and the protocols used between tiers.
      - The data interactions between the user of the application and between servers for the main use case scenarios (e.g. login, registration, query).
  14. Functions in scope:
      - Login help functions: user registration, change userID/password, forgot userID/password, change of challenge questions/answers.
      - Online profile management functions: change of account profiles, emails, address, phone numbers.
      - High-risk logins: authentication with challenge questions, KBA; login from a high-risk location/machine/country.
      - Transactions involving validation of Sensitive Customer Information: validation of CCN#, CVV, ACC# and PINs for registration/account opening.
      - Access to PII and Sensitive Customer Information: retrieval of PII such as SSNs, TaxIDs, DOB (e.g. account opening, tax statements); access to Sensitive Customer Information such as ACC#, CCN#, PINs.
      - High-risk financial transactions: access to Sensitive Customer Information (e.g. ACC#, CCN#, SSN, DOB); ACH, wires, bill-payments.
  15. At the transaction level it is important to identify the controls, the risk level of the transaction and the classification of the data in use.
  16. These MitB examples also serve to characterize the type of malware and to determine an incident response action.
  17. Web-based attacks take on all comers. While targeted attacks frequently use zero-day vulnerabilities and social engineering to compromise enterprise users on a network, similar techniques are also employed to compromise individual users. In the late 1990s and early 2000s, mass-mailing worms were the most common means of malicious code infection. Over the past few years, Web-based attacks have replaced the mass-mailing worm in this position. Attackers may use social engineering, such as in spam messages, as previously mentioned, to lure a user to a website that exploits browser and plug-in vulnerabilities. These attacks are then used to install malicious code or other applications such as rogue security software on the victim's computer. [15] Of the top-attacked vulnerabilities that Symantec observed in 2009, four of the top five being exploited were client-side vulnerabilities that were frequently targeted by Web-based attacks (table 2). Two of these vulnerabilities were in Adobe Reader, while one was in Microsoft Internet Explorer and the fourth was in an ActiveX® control. This shows that while vulnerabilities in other network services are being targeted by attackers, vulnerabilities in Web browsers and associated technologies are favored. This may be because attacks against browsers are typically conducted through the HTTP protocol that is used for the majority of Web traffic. Since so much legitimate traffic uses this protocol and its associated ports, it can be difficult to detect or block malicious activity using HTTP. The top Web-based attacks observed in 2009 primarily targeted vulnerabilities in Internet Explorer and applications that process PDF files (table 3). Because these two technologies are widely deployed, it is likely that attackers are targeting them to compromise the largest number of computers possible. Of the Web browsers analyzed by Symantec in 2009, Mozilla® Firefox® had the most reported vulnerabilities, with 169, while Internet Explorer had just 45, yet Internet Explorer was still the most attacked browser. This shows that attacks on software are not necessarily based on the number of vulnerabilities in a piece of software, but on its market share and the availability of exploit code as well. [16]
  18. The threats (i.e. the causes): a fraudster targeting the online banking application for data theft and to commit fraud (e.g. unauthorized money transfer to fraudulent accounts).
      The vulnerabilities (i.e. the application weaknesses): flaws in authentication and session management; vulnerabilities in data confidentiality and integrity; gaps in auditing and logging of fraudsters' actions and security events.
      The technical impacts (i.e. breaking security controls): bypassing authentication with challenge questions, KBA, OTPs; bypassing customer validations to authorize financial transactions; tampering with web forms for account takeover; abusing the session by impersonating the authenticated user.
      The business impacts (i.e. financial loss, fraud, non-compliance): financial loss due to fraud and unauthorized money transfers to money mules; reputation loss due to disclosure of breaches of customer data and PII; lawsuits from businesses that are victims of business account compromise and uncovered money losses; unlawful non-compliance with regulations.
  19. Detective controls:
      - Detect and monitor the application functions/transactions targeted by banking malware: anomaly detection to detect anomalies in login/account transactions, and misuse/signature-based detection to match known attack patterns.
      - Log the functions targeted by malware, such as logins, account management, and financial transactions involving wires, bill-pay, ACH and external transfers.
      - Identify malware by detecting clues of malware-initiated transactions: JavaScript that captures the user's actions to detect HTML-injected data fields with hidden/encrypted codes, validated on the server; detection of specific cookies and web form variables set by malware in the HTTP transaction flows.
      - Have customers subscribe to out-of-band alerts/notifications (e.g. SMS) for financial transactions.
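The server-side half of the detective controls above (signature matching on form variables and cookies that only a web-inject would produce, and anomaly detection on the login-to-transfer flow) can be shown as code. The following is an added example written for these notes, not code from the talk or from any bank's fraud system: it runs both kinds of check over constructed application log records. The JSON-lines log format, the expected-form schema, the field and cookie names, the injected-field signatures and the thresholds are all assumptions made for the example. The browser-side JavaScript that captures the user's actions is deliberately not the part shown, since a Trojan that controls the browser can tamper with it; what the server can trust is only the fact that a legitimate page never asks for a field such as an ATM PIN on the login form.

```python
"""Server-side detective controls for banking-malware (MitB) activity.

Added example, not code from the talk: signature checks on web-form
variables and cookies that only a web-inject would set, plus anomaly
detection on the payee-add-then-wire pattern, over constructed log records.
Log format, schema, names and thresholds are assumptions for the example.
"""
import json
from datetime import datetime, timedelta

# Fields the application's own pages actually submit (assumed schema).
EXPECTED_FIELDS = {
    "/login": {"username", "password"},
    "/payee/add": {"payee_name", "payee_account"},
    "/transfer/wire": {"payee_account", "amount", "otp"},
}
# Cookies the application itself sets (assumed).
EXPECTED_COOKIES = {"JSESSIONID", "lang"}
# Fields a bank page never asks for: their presence means the HTML was injected.
INJECT_SIGNATURES = {"atm_pin", "card_cvv", "ssn", "mother_maiden_name"}

NEW_PAYEE_WINDOW = timedelta(minutes=10)   # wire to a payee added this recently
HIGH_VALUE = 5_000.0                       # assumed per-customer amount threshold


def parse_log(text):
    """One JSON object per line: ts, sid, path, fields (dict), cookies (list)."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def signature_checks(rec):
    """Misuse/signature detection: variables or cookies only malware would set."""
    alerts = []
    submitted = set(rec.get("fields", {}))
    injected = submitted & INJECT_SIGNATURES
    if injected:
        alerts.append(("webinject_field", rec["sid"], rec["path"], sorted(injected)))
    # Any other field the page does not define is suspicious too (unknown paths are skipped).
    unexpected = submitted - EXPECTED_FIELDS.get(rec["path"], submitted) - INJECT_SIGNATURES
    if unexpected:
        alerts.append(("unexpected_field", rec["sid"], rec["path"], sorted(unexpected)))
    foreign = set(rec.get("cookies", [])) - EXPECTED_COOKIES
    if foreign:
        alerts.append(("unexpected_cookie", rec["sid"], rec["path"], sorted(foreign)))
    return alerts


def anomaly_checks(records):
    """Anomaly detection on the transaction flow: a wire to a payee added
    moments earlier in the same session, and high-value wires."""
    alerts = []
    payee_added = {}   # (sid, account) -> time the payee was added
    for rec in sorted(records, key=lambda r: r["ts"]):
        f = rec.get("fields", {})
        if rec["path"] == "/payee/add":
            payee_added[(rec["sid"], f.get("payee_account"))] = rec["ts"]
        elif rec["path"] == "/transfer/wire":
            added = payee_added.get((rec["sid"], f.get("payee_account")))
            if added is not None and rec["ts"] - added <= NEW_PAYEE_WINDOW:
                alerts.append(("wire_to_new_payee", rec["sid"], rec["path"], [f["payee_account"]]))
            if float(f.get("amount", 0)) >= HIGH_VALUE:
                alerts.append(("high_value_wire", rec["sid"], rec["path"], [f["amount"]]))
    return alerts


def detect(text):
    """Run every check over a log and return the alerts in detection order."""
    records = parse_log(text)
    alerts = []
    for rec in records:
        alerts.extend(signature_checks(rec))
    alerts.extend(anomaly_checks(records))
    return alerts


# Constructed log: session S1 is a clean login; session S2 shows an injected
# PIN field, a cookie the application never sets, and a payee added then wired
# to four minutes later.
SAMPLE_LOG = """
{"ts":"2011-06-09T09:00:00Z","sid":"S1","path":"/login","fields":{"username":"u1","password":"p"},"cookies":["JSESSIONID"]}
{"ts":"2011-06-09T09:05:00Z","sid":"S2","path":"/login","fields":{"username":"u2","password":"p","atm_pin":"1234"},"cookies":["JSESSIONID","lang","mal_cfg"]}
{"ts":"2011-06-09T09:06:00Z","sid":"S2","path":"/payee/add","fields":{"payee_name":"x","payee_account":"DE99"},"cookies":["JSESSIONID"]}
{"ts":"2011-06-09T09:10:00Z","sid":"S2","path":"/transfer/wire","fields":{"payee_account":"DE99","amount":"7500","otp":"482913"},"cookies":["JSESSIONID"]}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Session S2 produces four alerts and S1 none. The two signature alerts fire on the login request itself, before any money moves, which is what makes them useful for the incident response action mentioned in note 16; the two anomaly alerts fire on the wire and are the ones an out-of-band SMS confirmation would be triggered from. The per-customer amount threshold and the ten-minute window are the tunable parts; in practice both would come from the customer's own transaction history rather than fixed constants.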