2. Outline
Brief timeline on cyber attack history
Definition
Foundations of Security
Definition of Terms
Threat Modeling
3. Outline
Application Vulnerability Categories
Core Security Principles
Web Application Security
Risks and Risk Mitigation/Control Measures
References
14. The number of variants of malicious software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year – Government Accountability Office (GAO), US (2012)
15. Security
Fundamentally about protecting assets
Assets
Tangible items such as a Web page or your customer database
Less tangible items such as the company’s reputation
17. Security
A path, not a destination
As you analyze your infrastructure and applications, you identify potential threats and understand that each threat presents a degree of risk
About risk management and implementing effective countermeasures
18. Foundations of Security
Authentication
Addresses the question: “who are you?”
Process of uniquely identifying the clients of your applications and services
Might be end-users, other services, processes, or computers
Authenticated clients are referred to as principals
19. Foundations of Security
Authorization
Addresses the question: “what can you do?”
Process that governs the resources and operations that the authenticated client is permitted to access
20. Foundations of Security
Authorization
Resources include files, databases, tables, rows, and so on, together with system-level resources such as registry keys and configuration data
Operations include performing transactions such as purchasing a product, transferring money from one account to another, or increasing a customer's credit rating
21. Foundations of Security
Confidentiality
Privacy
Process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized users or eavesdroppers who monitor the flow of traffic across a network
22. Foundations of Security
Confidentiality
Encryption is frequently used to enforce confidentiality
DES (Data Encryption Standard), RSA, HASH, MD5, AES (Advanced Encryption Standard), SHA-1, HMAC, Blowfish
Access control lists (ACLs) are another means
23. Foundations of Security
Integrity
Guarantee that data is protected from accidental or deliberate (malicious) modification
Integrity for data in transit is typically provided by using hashing techniques and message authentication codes
24. Foundations of Security
Availability
Systems remain available for legitimate users
25. Definition of Terms
Threat
Any potential occurrence, malicious or otherwise, that could harm an asset
27. Definition of Terms
Vulnerability
Weakness that makes a threat possible
May be because of poor design, configuration mistakes, or inappropriate and insecure coding techniques
e.g. lack of or improper input validation
28. Definition of Terms
Attack
Action that exploits a vulnerability or enacts a threat
e.g. sending malicious input to an application
e.g. flooding a network in an attempt to deny service
29. Threat Modeling
Recommended to form part of your application's design phase
Analyzes your application's architecture and design and identifies potentially vulnerable areas that may allow a user, perhaps mistakenly, or an attacker with malicious intent, to compromise your system's security
31. Application Security
Use of software, hardware, and procedural methods to protect applications from external threats
39. Application Vulnerability Categories
Configuration Management
How is your application administered?
How are these settings secured?
How your application handles these operational issues
41. Application Vulnerability Categories
Sensitive Data
How your application handles any data that must be protected either in memory, over the wire, or in persistent stores
43. Application Vulnerability Categories
Session Management
Session
Series of related interactions between a user and your web application
How your application handles and protects these interactions
45. Application Vulnerability Categories
Cryptography
How are you keeping secrets secret (confidentiality)?
How are you tamperproofing your data or libraries (integrity)?
How are you providing seeds for random values that must be cryptographically strong?
How your application enforces confidentiality and integrity
46. Application Vulnerability Categories
Parameter Manipulation
Form fields, query string arguments, and cookie values are frequently used as parameters for your application
How your application safeguards against tampering of these values and how your application processes input parameters
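The message authentication codes named on the Integrity slide (23) are also the standard safeguard for the cookie-value tampering described under Parameter Manipulation (46). The following is an added example, not code from the original deck: it signs a cookie payload with HMAC-SHA256 so that any client-side change to the value (here, the role field) is rejected on the server. The secret key, payload fields and the `simulate_tampering` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example only; a deployment would load it from a
# secret store rather than embedding it in source.
SERVER_KEY = b"example-only-32-byte-server-key!"


def _encode(payload: dict) -> str:
    """Canonical JSON, base64url-encoded, so the same dict always yields the same bytes."""
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode()


def sign_value(payload: dict, key: bytes = SERVER_KEY) -> str:
    """Produce '<b64 payload>.<hex HMAC-SHA256 tag>' suitable for storing in a cookie."""
    body = _encode(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_value(token: str, key: bytes = SERVER_KEY):
    """Return the payload dict if the tag is valid, otherwise None.

    The tag is checked with a constant-time comparison before the body is
    decoded, so malformed or altered values never reach application logic.
    """
    body, sep, tag = token.rpartition(".")
    if not sep or not body:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None


def simulate_tampering(token: str, new_role: str) -> str:
    """Constructed failure case: the payload is edited but the old tag is kept,
    which is what a client without the key can do. The server must reject it."""
    body, _, tag = token.rpartition(".")
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    payload["role"] = new_role
    return f"{_encode(payload)}.{tag}"


if __name__ == "__main__":
    cookie = sign_value({"uid": 42, "role": "user"})
    print("valid   ->", verify_value(cookie))
    print("tampered->", verify_value(simulate_tampering(cookie, "admin")))
```

Note that signing gives integrity only: the payload is still readable by the client, so anything that must stay confidential belongs server-side or must additionally be encrypted.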
49. Application Vulnerability Categories
Exception Management
Do you return friendly error information to end-users?
Do you pass valuable exception information back to the caller?
How does your application fail gracefully?
53. Core Security Principles
Compartmentalize
Reduce the surface area of attack
Ask yourself how you will contain a problem
If an attacker takes over your application, what resources can he or she access?
Can an attacker access network resources?
54. Core Security Principles
Compartmentalize
How are you restricting potential damage?
Examples
Firewalls
Least privileged accounts
Least privileged code
57. Core Security Principles
Use least privilege
By running processes using accounts with minimal privileges and access rights, you significantly reduce the capabilities of an attacker if the attacker manages to compromise security and run code
59. Core Security Principles
Apply defense in depth
Use multiple gatekeepers to keep attackers at bay
Do not rely on a single layer of security
Consider that one of your layers may be bypassed or compromised
61. Core Security Principles
Do not trust user input
Your application's user input is the attacker's primary weapon when targeting your application
Assume all input is malicious until proven otherwise
63. Core Security Principles
Check at the gate
Authenticate and authorize callers early at the first gate
65. Core Security Principles
Fail securely
If an application fails, do not leave sensitive data accessible
Return friendly errors to end-users that do not expose internal system details
Do not include details that may help an attacker exploit vulnerabilities in your application
67. Core Security Principles
Secure the weakest link
Is there a vulnerability at the network layer that an attacker can exploit?
What about the host?
Is your application secure?
Any weak link in the chain is an opportunity for a security breach
68. Core Security Principles
Create secure defaults
Is the default account set up with the least privilege?
Is the default account disabled by default and then explicitly enabled when required?
Does the configuration use a password in plain text?
When an error occurs, does sensitive information leak back to the client to be used potentially against the system?
70. Core Security Principles
Reduce your attack surface
If you do not use it, remove it or disable it
Reduce the surface area of attack by disabling or removing unused services, protocols, and functionality
Does your server need all those services and ports?
Does your application need all those features?
72. Application Security
Aims to identify:
The critical assets of the organization
Genuine users who may access the data
Level of access provided to each user
73. Application Security
Aims to identify:
Various vulnerabilities that may exist in the application
Data criticality and risk analysis on data exposure
Appropriate remediation measures
74. Controls/Risk Mitigation Measures
Implement a Software Development Lifecycle (SDLC)
Add security attributes to your SDLC
Performing the right activities
Qualified personnel
77. Controls/Risk Mitigation Measures
Application Firewalls (e.g. WAF)
Inspects all traffic flowing to the web application for common web application attacks
Add your solution to your asset inventory and configuration assessment tasks
Whenever a variable is created in source code, the size andWhenever a variable is created in source code, the size and
type should be determinedtype should be determined
Guard againstGuard against overflowsoverflows
Buffer overflowsBuffer overflows
Integer overflowsInteger overflows
Perform the checks usingPerform the checks using code reviews,code reviews, andand static andstatic and
runtime analysisruntime analysis
81. Controls/Risk MitigationControls/Risk Mitigation
MeasuresMeasures
When input is provided by the user, it should beWhen input is provided by the user, it should be
verified that it does not exceed the size or the dataverified that it does not exceed the size or the data
type of the memory location in which it is stored ortype of the memory location in which it is stored or
moved in the futuremoved in the future
Can be mitigated against through fCan be mitigated against through formalizedormalized
SDLC with good code-review and automatedSDLC with good code-review and automated
analysisanalysis
82. Controls/Risk Mitigation Measures
Test in-house-developed web applications for common security weaknesses using automated remote web application scanners prior to deployment
Through penetration testing
83. Controls/Risk Mitigation Measures
Test in-house-developed web applications for common security weaknesses using automated remote web application scanners whenever updates are made to the application
Regression testing for security issues
84. Controls/Risk Mitigation Measures
System error messages should not be displayed to end-users (output sanitization)
Simple data leakage mitigation
Can be troublesome for your support group
If need be, create an error code mapping from the platform/internals to something you can share with an end-user who will likely call support at some point anyway
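The error code mapping this slide suggests, together with the "fail securely" principle from slide 65 and the Exception Management questions on slide 49, can be implemented as one wrapper around request handling. The following is an added example, not code from the original deck: internal exceptions are mapped to opaque public codes, full detail goes only to the server log under a reference the user can quote to support, and the client receives nothing about paths, exception types or internal state. The mapping table, codes, log capture and the failing views are constructed for the example.

```python
import logging
import uuid

# Server-side logger that keeps the full detail. For this self-contained example
# the records are captured in memory; a real service would ship them to its log
# pipeline instead.
log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
log.propagate = False


class _MemoryHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        # format() appends the traceback when exc_info was passed
        self.records.append(self.format(record))


_memory = _MemoryHandler()
log.addHandler(_memory)

# Constructed mapping: internal exception type -> (HTTP status, public error code).
# The public code is stable and documented for support; it carries no internals.
ERROR_MAP = {
    PermissionError: (403, "E1003"),
    FileNotFoundError: (404, "E1004"),
    TimeoutError: (503, "E1053"),
}
DEFAULT_ERROR = (500, "E1000")  # anything unmapped fails closed as a generic error


def public_error(exc: BaseException):
    for exc_type, mapped in ERROR_MAP.items():
        if isinstance(exc, exc_type):
            return mapped
    return DEFAULT_ERROR


def handle_request(view, *args):
    """Run a view. On failure, log the internals with a reference and return a sanitized body."""
    try:
        return 200, view(*args)
    except Exception as exc:
        status, code = public_error(exc)
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s code=%s %s: %s", ref, code, type(exc).__name__, exc, exc_info=True)
        return status, {
            "error_code": code,
            "reference": ref,
            "message": "The request could not be completed. "
                       "Quote the reference when contacting support.",
        }


def logged_detail_for(ref: str):
    """Support-side lookup: the internal record behind a reference the user quoted."""
    return next((r for r in _memory.records if f"ref={ref} " in r), None)


# Constructed failing views standing in for real application code.
def load_settings(name):
    raise FileNotFoundError(f"/srv/app/config/{name}")


def place_order(order_id):
    raise RuntimeError(f"deadlock on orders table while committing order {order_id}")


if __name__ == "__main__":
    status, body = handle_request(load_settings, "db.ini")
    print(status, body)                      # what the client sees
    print(logged_detail_for(body["reference"]))  # what support sees
```

Mapping by exception type rather than by message keeps the public surface fixed even when the underlying libraries change their wording, and the reference ties the two halves together without leaking either way.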
85. Controls/Risk Mitigation Measures
Organizations should understand how their applications behave under denial of service attacks
Test your service for load and have an executable plan in place for when something goes wrong
Organizations should understand how their applications behave under resource exhaustion attacks
86. Controls/Risk Mitigation Measures
Maintain separate environments for production and non-production systems
Developers should not typically have unmonitored access to production environments
87. Controls/Risk Mitigation Measures
Test in-house-developed/third-party web and other application software for coding errors and malware insertion prior to deployment
88. Summary
Brief timeline on cyber attack history
Definition
Foundations of Security
Authentication
Authorization
Auditing
89. Summary
Foundations of Security
Confidentiality
Integrity
Availability
Definition of Terms
Threat
Vulnerability
Attack
91. Summary
Application Vulnerability Categories
Session Management
Cryptography
Parameter Manipulation
Exception Management
Auditing and Logging
Core Security Principles
Compartmentalize
Use least privilege
92. Summary
Core Security Principles
Apply defense in depth
Do not trust user input
Check at the gate
Fail securely
Secure the weakest link
Create secure defaults
Reduce your attack surface
93. Summary
Risks and Risk Mitigation/Control Measures
94. References
Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Main_Page
Web Application Security Consortium
http://www.webappsec.org/
Web Application Security
http://www.techopedia.com/definition/24377/web-application-security
Application Software Security
http://www.tripwire.com/state-of-security/security-data-protection/20-critical-security-controls-control-6-application-sof
Improving Web Application Security: Threats and Countermeasures
http://msdn.microsoft.com/en-us/library/ff648636.aspx
95. References
10 Common Mobile Security Problems to Attack
http://www.pcworld.com/article/2010278/10-common-mobile-security-problems-
11 Most Common Security Threats
http://www.symantec-norton.com/11-most-common-computer-security-threats_k
Cyber Attack Timeline
http://www.nato.int/docu/review/2013/Cyber/timeline/EN/index.htm
96. References
A Potted History of the IT Industry: 25 Years of Milestones
http://www.computerworlduk.com/slideshow/it-business/3278948/a-potted-history-of-the-it-industry-2
A Short History of Hacks, Worms and Cyberterrors
http://www.computerworld.com/s/article/9131924/A_short_history_of_hacks_worms_and_cyberterror
Data Visualization of DDoS on Twitter
http://datavisualization.ch/showcases/how-twitter-got-attacked-by-a-ddos/
Russian Coder: I Hacked Georgia’s Sites in Cyberwar
http://www.wired.com/2008/10/government-and/