Post on 18-Nov-2014
SQL Injection To Enterprise 0wned
K. K. Mookhey, CISA, CISSP, CISM, CRISC
© Network Intelligence India Pvt. Ltd.
Introduction
• Founder, Principal Consultant – Network Intelligence India Pvt. Ltd.
– Institute of Information Security
• CISA, CISSP, CISM, CRISC
• Penetration testing, Security Auditing, Forensics, Compliance, Problem-solving
• ICICI Bank, BNP Paribas, Morgan Stanley, United Nations, Indian Navy, DRDO, and hundreds of other clients over a decade of experience
• Speaker at Blackhat, Interop, IT Underground, OWASP Asia, SecurityByte, Clubhack, Nullcon, ISACA, and numerous others
Agenda
• Introduction & Case Studies
• Risk-based Penetration Testing
• Solutions
• Strategies
• Take-Aways
THE BIGGEST HACK IN HISTORY
Gonzalez, TJX and Heart-break-land
• >200 million credit card numbers stolen
• Heartland Payment Systems, TJX, and 2 US national retailers hacked
• Modus operandi
– Visit retail stores to understand workings
– Analyze websites for vulnerabilities
– Hack in using SQL injection
– Inject malware
– Sniff for card numbers and details
– Hide tracks
The hacker underground
• Albert Gonzalez
– a/k/a “segvec,”
– a/k/a “soupnazi,”
– a/k/a “j4guar17”
• Malware, scripts and hacked data hosted on servers in:
– Latvia
– Netherlands
• IRC chats
– March 2007: Gonzalez “planning my second phase against Hannaford”
– December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
(map labels: Ukraine, New Jersey, California)
Where does all this end up?
• Commands used on IRC
– !cardable
– !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
• IRC channels
– #cc, #ccards, #ccinfo, #ccpower, #ccs, #masterccs, #thacc, #thecc, #virgincc
TJX direct costs
• $24 million to Mastercard
• $41 million to Visa
• $200 million in fines/penalties
Cost of an incident
• $6.6 million average cost of a data breach
• From this, cost of lost business is $4.6 million
• More than $200 per compromised record
On the other hand:
• Fixing a bug costs $400 to $4000
• Cost increases exponentially as time lapses
HOW THE COOKIE CRUMBLES
Betting blind!
• DB Name
• Table Names
• User IDs
• Table Structure
• Data
Net Result: Enterprise Owned!
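The chain on this slide starts with a single string-concatenated query whose true/false answers leak one fact at a time. The following Python block is an added example, not part of the deck or of any Network Intelligence tool: it builds a constructed in-memory SQLite user table (the usernames and roles are made up), places the vulnerable lookup beside its parameterized replacement, and shows that the parameterized version answers identically to a true and a false condition, so the "betting blind" oracle has nothing to work with.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory stand-in for an application's user store (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "agent"), ("bob", "agent"), ("admin", "administrator")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The 'before' code: the input is pasted into the SQL text, so it can rewrite the WHERE clause."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the statement is compiled with a placeholder and the input is bound as data,
    so quotes, comments and keywords in it are never interpreted as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def response_differs(conn, lookup, base_username):
    """Models the boolean oracle behind blind injection: does the application answer
    differently to an always-true and an always-false condition appended to the input?
    A lookup that returns the same result for both gives the attacker no bit of information."""
    true_case = lookup(conn, f"{base_username}' AND 1=1 --")
    false_case = lookup(conn, f"{base_username}' AND 1=2 --")
    return true_case != false_case


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable lookup, tautology input:", lookup_vulnerable(db, "x' OR 1=1 --"))
    print("parameterized lookup, same input:  ", lookup_parameterized(db, "x' OR 1=1 --"))
    print("oracle usable (vulnerable):", response_differs(db, lookup_vulnerable, "alice"))
    print("oracle usable (parameterized):", response_differs(db, lookup_parameterized, "alice"))
```

Parameterization closes the first link of the chain; the "Database Security Solutions" item later in the deck closes the rest: if the account the application connects with cannot read the catalogue tables or other applications' schemas, even an injection that slips through elsewhere cannot enumerate DB name, table names and structure the way the slide shows.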
SOLUTIONS!
Technology Solutions
• Encryption
• Web Application Firewalls
• Source Code Review Solutions
• Security Testing Suites
• Data Leakage Prevention
• Privileged Identity Management
• Web Access Management
• Information Rights Management
• Database Security Solutions
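Web Application Firewalls and Database Security Solutions on this list are detective and containment controls, and the deck's own point is that they sit behind secure development rather than replace it. The following Python block is an added example, not part of the deck or of any vendor product: it runs a small signature check over constructed web-server access-log lines (the IPs, paths and timestamps are made up) to show what such a control can and cannot see. Each query parameter is URL-decoded twice, so a double-encoded probe is caught, and inline SQL comments used as whitespace are collapsed before matching.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Combined-format request line (Apache/nginx style); only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Coarse signatures for common injection idioms, applied to the decoded parameter value.
SIGNATURES = [
    ("quote-then-boolean", re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I)),
    ("union-select", re.compile(r"\bunion\b[\s\w]*\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)\s*$")),
    ("time-delay", re.compile(r"\b(sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("schema-probe", re.compile(r"\b(information_schema|sysobjects|sqlite_master)\b", re.I)),
]

# Constructed sample log: one benign client, one client probing the id parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Nov/2014:10:01:02 +0530] "GET /claims/view.php?id=1042 HTTP/1.1" 200 5120
203.0.113.5 - - [18/Nov/2014:10:01:04 +0530] "GET /search.php?q=O%27Brien HTTP/1.1" 200 2210
203.0.113.9 - - [18/Nov/2014:10:01:07 +0530] "GET /claims/view.php?id=1042%27%20AND%201%3D1%20-- HTTP/1.1" 200 5120
203.0.113.9 - - [18/Nov/2014:10:01:09 +0530] "GET /claims/view.php?id=1042%27%20AND%201%3D2%20-- HTTP/1.1" 200 311
203.0.113.9 - - [18/Nov/2014:10:02:40 +0530] "GET /claims/view.php?id=1%2527%2520UNION%2520SELECT%2520null%252Cnull%2520-- HTTP/1.1" 500 0
198.51.100.7 - - [18/Nov/2014:10:03:00 +0530] "POST /login.php HTTP/1.1" 302 -
"""


def normalize(raw):
    """URL-decode twice (undoes one layer of double-encoding) and drop inline /* */ comments."""
    decoded = unquote_plus(unquote_plus(raw))
    return re.sub(r"/\*.*?\*/", " ", decoded)


def inspect_url(url):
    """Return {parameter: [signature names]} for every query parameter that trips a signature."""
    findings = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value = normalize(raw)
        reasons = [label for label, rx in SIGNATURES if rx.search(value)]
        if reasons:
            findings[name] = reasons
    return findings


def scan_log(lines):
    """Parse each request line and report the ones whose parameters look like injection attempts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        findings = inspect_url(m["url"])
        if findings:
            hits.append({
                "ip": m["ip"],
                "path": urlsplit(m["url"]).path,
                "status": m["status"],
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

The paired true/false requests from the same client against the same parameter, with different response sizes, are exactly the fingerprint of the "betting blind" slide, and that pairing is often a better alert than any single signature. The limits are also visible: an apostrophe in a legitimate name does not fire, but a probe encoded three times or split across parameters would not either, which is why the deck puts these products after secure design and development rather than in front of them.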
Before we get to the technology…
Application Security – Holistic Solution
• Design
• Develop/Manage
• Test
• Train
EVOLVED PENETRATION TESTING
Secure Testing
• Security testing options
– Blackbox
– Greybox
– Whitebox
– Source Code Review
• OWASP Top Ten (www.owasp.org)
• OWASP Testing Guide
Tools of the trade
• Open source – Wikto, Paros, Webscarab, Firefox plugins
• Commercial – Acunetix, Cenzic, Netsparker, Burpsuite
Traditional vs. Risk-based Pentesting
Traditional Pentesting | Risk-based Pentesting
Focus is on technical vulnerabilities | Focus is on business risks
Requires strong technical know-how | Requires both technical and business process know-how
Having the right set of tools is critical | Understanding the workings of the business and applications is critical
Is usually zero-knowledge | Requires a person who understands the business process to play a significant role – usually an insider
Understanding the regulatory environment is good | Understanding the regulatory environment is mandatory
Traditional vs. Risk-based Pentesting (continued)
Traditional Pentesting | Risk-based Pentesting
Severity levels are based on technical parameters | Severity levels are based on risk to the business
Risk levels in report are assigned post facto | Risk levels in report reflect the levels assigned prior to testing
Test cases are built based on testing methodologies or generic testing processes | Test cases additionally build on risk scenarios
Audience for the report is usually the IT and Security teams | Audience for the report also includes the business process owners and heads of departments
GROUND REALITIES!
Ground realities
• Business priorities
– Expand, grow, market share!!
• Developer illiteracy
– Unaware of security implications
– Shortcut fixes
• Vendor apathy
– Problem re-enforced by weak contracts
• Unclear budgets
– Lip service by management towards information security
– CISO left fighting the battle alone without adequate resources
STRATEGIZE!
Use Triage
Sample Strategies
ATLAS Claims Processing – Agents Access Over Internet
• In-house Developed
• Implement & Enforce Internal SLAs
• Active Development Team
• Regular Secure Coding Training
• Emphasis on Secure Coding Libraries
• Secure Hosting
Take-Aways
• Mindset change – most importantly of the business owners’!
– Data protection does matter!
– It is NOT simply a technology issue
– ISO 27001 is not the answer
• Implement application security in a comprehensive, cohesive and consistent manner
• Evangelize constantly!
• Demonstrate impact – always in business terms
• Strategize – you can’t protect everything all the time
• Leverage regulatory and legal requirements
Ensure – this never happens!
THANK YOU!
Questions?
kkmookhey@niiconsulting.com
@kkmookhey
http://www.linkedin.com/kkmookhey