Developer Conference
Terry Kurzynski
CISA, CISSP, PMP
Halock Security Labs
terryk@halock.com
• Evolution of Exploits
• Justification for the Risk Assessment
– Regulation Compliance
– Security Best Practices
• Risk Assessment
– Scanning Tools
– Ethical Hacking
– SDLC Assessment
– Source Code Analysis
• Application Security Discipline
– Tools and Techniques
– Guidelines, Methods, Standards, and Procedures
– Integration
– Training
• Monitor and Evaluate
Evolution of Exploits
Applications are the New Vulnerability
70% of Attacks - Gartner
The Disconnect
1) Non-validated Input
2) Broken Access Control
3) Broken Authentication and Session Management
4) Cross Site Scripting (XSS) Flaws
5) Buffer Overflows
6) Injection Flaws
7) Improper Error Handling
8) Insecure Storage
9) Denial of Service
10) Insecure Configuration Management
Mapping Compliance to Web Application Security

| Regulation | Requirement | Mapping to OWASP |
|---|---|---|
| Sarbox | User authentication | Broken authentication |
| GLBA | Protect against unauthorized access to or use of customer info | Broken access control, broken authentication and session management, and insecure storage |
| PCI | Protect stored data, encrypt transmission of cardholder data and other sensitive info | Insecure storage |
| PCI | Restrict access to data on business need to know. Assign unique ID. | Broken access control and authentication |
| FFIEC | Encryption is used to secure communications and data storage of sensitive info | Insecure storage |
| FFIEC | Access should be provided only to authorized individuals, limited to minimum business requirements | Broken access control |
| FFIEC | Controls to protect against malicious code | Non-validated input, XSS, buffer overflow, SQL injection |
| HIPAA | Requirements for encryption of sensitive data transmission and storage | Insecure storage |
Security Breach Notification Acts
• Arkansas, passed 2005
• California, effective 7/1/2003
• Connecticut, effective 1/1/2006
• Delaware, signed 6/28/2005
• Florida, effective 7/1/2005
• Georgia, effective 5/6/2005
• Illinois, effective 1/1/2006
• Indiana, effective 6/30/2006
• Louisiana, effective 1/1/2006
• Maine, effective 1/31/2006
• Minnesota, effective 1/1/2006
• Montana, effective 3/1/2006
• New Jersey, effective 1/1/2006
• New York, effective Jan 2006
• Nevada, effective 1/1/2006
• North Carolina, effective 12/1/2005
• North Dakota, effective 6/1/2005
• Ohio, effective 2/15/2006
• Rhode Island, effective 3/1/2006
• Tennessee, effective 7/1/2005
• Texas, effective 9/1/2005
• Washington, effective 7/24/2005
Security Breach Notifications Since Feb 15, 2005
• Feb. 15, 2005 ChoicePoint Bogus accounts established by ID thieves 145,000
• Feb. 25, 2005 Bank of America Lost backup tape 1,200,000
• Feb. 25, 2005 PayMaxx Exposed online 25,000
• March 8, 2005 DSW/Retail Ventures Hacking 100,000
• March 10, 2005 LexisNexis Passwords compromised 32,000
• March 11, 2005 Univ. of CA, Berkeley Stolen laptop 98,400
• March 11, 2005 Boston College Hacking 120,000
• March 12, 2005 NV Dept. of Motor Vehicle Stolen computer 8,900
• March 20, 2005 Northwestern Univ. Hacking 21,000
• March 20, 2005 Univ. of NV., Las Vegas Hacking 5,000
• March 22, 2005 Calif. State Univ., Chico Hacking 59,000
• March 23, 2005 Univ. of CA, San Francisco Hacking 7,000
• March 28, 2005 Univ. of Chicago Hospital Dishonest insider unknown
• April ?, 2005 Georgia DMV Dishonest insider 465,000
• April 5, 2005 MCI Stolen laptop 16,500
• April 8, 2005 Eastern National Hacker 15,000
• April 8, 2005 San Jose Med. Group Stolen computer 185,000
• April 11, 2005 Tufts University Hacking 106,000
• April 12, 2005 LexisNexis Passwords compromised Additional 280,000
• April 14, 2005 Polo Ralph Lauren/HSBC Hacking 180,000
• April 14, 2005 Calif. Fastrack Dishonest insider 4,500
• April 15, 2005 CA Dept. of Health Services Stolen laptop 21,600
Notifications continued
• April 18, 2005 DSW/ Retail Ventures Hacking Additional 1,300,000
• April 20, 2005 Ameritrade Lost backup tape 200,000
• April 21, 2005 Carnegie Mellon Univ. Hacking 19,000
• April 26, 2005 Mich. State Univ's Wharton Center Hacking 40,000
• April 26, 2005 Christus St. Joseph's Hospital Stolen computer 19,000
• April 28, 2005 Georgia Southern Univ. Hacking "tens of thousands"
• April 28, 2005 Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp Dishonest insiders 676,000
• April 29, 2005 Oklahoma State Univ. Missing laptop 37,000
• May 2, 2005 Time Warner Lost backup tapes 600,000
• May 4, 2005 CO. Health Dept. Stolen laptop 1,600 (families)
• May 5, 2005 Purdue Univ. Hacking 11,360
• May 7, 2005 Dept. of Justice Stolen laptop 80,000
• May 11, 2005 Stanford Univ. Hacking 9,900
• May 12, 2005 Hinsdale Central High School Hacking 2,400
• May 16, 2005 Westborough Bank Dishonest insider 750
• May 18, 2005 Jackson Comm. College, Michigan Hacking 8,000
• May 18, 2005 Univ. of Iowa Hacking 30,000
• May 19, 2005 Valdosta State Univ., GA Hacking 40,000
• May 20, 2005 Purdue Univ. Hacking 11,000
• May 26, 2005 Duke Univ. Hacking 5,500
• May 27, 2005 Cleveland State Univ. Stolen laptop (CSU later found the stolen laptop) [44,420]
• May 28, 2005 Merlin Data Services Bogus acct. set up 9,000
• May 30, 2005 Motorola Computers stolen unknown
• June 6, 2005 CitiFinancial Lost backup tapes 3,900,000
• June 10, 2005 Fed. Deposit Insurance Corp. (FDIC) Not disclosed 6,000
• June 16, 2005 CardSystems Hacking 40,000,000
Notifications continued
• Mar. 14, 2006 Buffalo Bisons and Choice One Online with SSN Unknown
• Mar. 15, 2006 Ernst & Young Laptop lost with SSN and other info of IBM employees Unknown
• Mar. 16, 2006 Bananas.com Hacker accessed credit card numbers 274
• Mar. 22, 2006 Medco Health Solutions Stolen laptop with SSN and drug histories 4,600
• Mar. 23, 2006 Fidelity Investments Stolen laptop with DOB, SSN 196,000
• Mar. 24, 2006 CA State Employment Division SSN info sent to wrong address 64,000
Risk Assessments for Web Applications
"If you know the enemy and know yourself you can fight a hundred battles with no danger of defeat." - Sun Tzu
Terry McCarthy
Information Risk Manager
Volkswagen Credit, Inc.
Terry.McCarthy@vwcredit.com
• Vulnerabilities tested?
– Example – OWASP Top 20 (Open Web Application Security Project)
– Unvalidated input, broken access controls...
• Custom rules
– Example – Show only last 4 characters of account number
• Use of existing test case scripts from testing tools
• Reporting
– Individual errors and recommended fix
– Compliance mapping to regulations and custom rules
– Module and full application security rating
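The custom rule on this slide (show only the last four characters of an account number) is the kind of check an assessment tool runs against rendered output. The following is an added illustration, not code from the presentation or from any tool it describes: it implements the masking function, then a rule that scans constructed sample pages for unmasked account numbers and emits findings in the "individual error plus recommended fix" shape the Reporting bullets call for. The account-number pattern, the sample pages and the finding fields are assumptions made for the example.

```python
import re

# Assumed pattern for an account number: 12 to 16 digits in groups of four,
# optionally separated by spaces or hyphens. Real rules would be tuned to the
# application's own identifier format.
ACCOUNT_RE = re.compile(r"\b\d{4}(?:[ -]?\d{4}){2,3}\b")


def mask_account(number: str, visible: int = 4, mask_char: str = "*") -> str:
    """Return the account number with everything except the last `visible`
    characters replaced by `mask_char`. Separators are dropped so the mask
    never leaks the grouping of the original digits."""
    digits = number.replace(" ", "").replace("-", "")
    if len(digits) <= visible:
        return digits
    return mask_char * (len(digits) - visible) + digits[-visible:]


def check_last_four_rule(rendered_html: str, page: str) -> list:
    """Custom assessment rule: any full account number found in the rendered
    page is one finding. The evidence is stored masked so the assessment
    report itself does not become another copy of the sensitive data."""
    findings = []
    for match in ACCOUNT_RE.finditer(rendered_html):
        findings.append({
            "page": page,
            "rule": "custom-account-mask",
            "evidence": mask_account(match.group()),
            "fix": "Render account numbers through mask_account() before output",
        })
    return findings


# Constructed sample output of two pages, standing in for what a crawler
# would capture from the application under test.
SAMPLE_PAGES = {
    "/account/summary": "<td>Account</td><td>4111 2222 3333 4444</td>",
    "/account/masked": "<td>Account</td><td>************4444</td>",
}


def run_rule(pages: dict = SAMPLE_PAGES) -> list:
    """Apply the custom rule to every captured page and collect the findings."""
    findings = []
    for page, html in pages.items():
        findings.extend(check_last_four_rule(html, page))
    return findings


if __name__ == "__main__":
    for finding in run_rule():
        print(finding)
```

Running the block reports one finding for `/account/summary` and none for the page that already masks its output; the masked page passes because the rule looks for runs of digits, and the asterisks break the run.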
Case Study – Volkswagen Credit Inc.
Integration Requirements
• Buffer Overflow
– Corrupting objects with heap overruns
– Method redirection by v-table hijacking
– Denial of Service (DoS)
• Cross-Site Scripting (XSS)
– Embedding malicious code
– Intercepting user input
– Cookie poisoning
• SQL Injection
– Passes malicious input to a database server
– Tainted SQL
– Examine, modify and corrupt
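The SQL injection and cross-site scripting bullets above describe two ways unvalidated input reaches a back end or another user's browser. The following added example, which is not code from the presentation or from Volkswagen Credit, puts the defective form of each next to its hardened form so the difference is concrete: a query built by string concatenation beside a parameterised query, and raw output of stored text beside HTML-escaped output. The in-memory SQLite table, the customer rows and the tainted inputs are all constructed for the example.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample customer table; the second row holds stored input
    that was never validated and contains script markup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, login TEXT, comment TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (login, comment) VALUES (?, ?)",
        [
            ("alice", "regular customer"),
            ("bob", "<script>alert('xss')</script>"),
        ],
    )
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    """Tainted SQL: the caller's input is pasted into the statement text, so a
    quote character in the input changes the meaning of the WHERE clause."""
    sql = f"SELECT login FROM customers WHERE login = '{login}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_customer_safe(conn: sqlite3.Connection, login: str) -> list:
    """Parameterised query: the driver sends `login` as a bound value, never as
    part of the SQL text, so quotes in the input stay data."""
    rows = conn.execute(
        "SELECT login FROM customers WHERE login = ? ORDER BY id", (login,)
    )
    return [row[0] for row in rows]


def render_comment_vulnerable(comment: str) -> str:
    """Stored text is written straight into the page; any markup it contains
    executes in the viewer's browser."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Output encoding: html.escape turns <, >, &, quotes into entities, so the
    browser shows the text rather than interpreting it."""
    return f"<p>{html.escape(comment)}</p>"


def compare(conn: sqlite3.Connection) -> dict:
    """Run both forms of each function over the same inputs and return the
    results side by side for inspection."""
    tainted = "' OR '1'='1"          # constructed tainted input
    stored = conn.execute("SELECT comment FROM customers WHERE login = 'bob'").fetchone()[0]
    return {
        "sql_vulnerable": find_customer_vulnerable(conn, tainted),
        "sql_safe": find_customer_safe(conn, tainted),
        "xss_vulnerable": render_comment_vulnerable(stored),
        "xss_safe": render_comment_safe(stored),
    }


if __name__ == "__main__":
    for name, value in compare(make_db()).items():
        print(f"{name}: {value}")
```

The vulnerable lookup returns every customer for the tainted input because the concatenated statement no longer filters on the login; the parameterised lookup returns nothing, since no login is literally equal to that string. Likewise the escaped rendering contains no `<script>` tag at all, which is the property an assessment tool checks for when it replays stored input through the application's pages.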
Defending the Application with the Security Assessment Solution
What is the Security Assessment Solution?