AppSec USA 2014

Denver, ColoradoHacking .NET/C# Applications:

Defend By DesignJon McCoy

DigitalBodyGuard

What is a Defendable System

What is a Strong/Weak Design

How to view a Software System

This Speech

Thanks AppSec/OWASPA Critical part of the security world

Thanks To

Jon McCoy - DigitalBodyGuard• Software Engineer

• Digital Security

• Application Level Security

• .NET Framework Expert

• Attack and Defense

Introduction

Work Area:PenTesting and Active Defender

Specialize:.Net Framework Systems

Overview

What is a Thick Client?

GrayWolf

Demo

Context

Share What I Have Seen

Context

What is aDefendable API

Context

What is aDefendable API

Context

Focus of this talk

Daemon

API

Service

Focus of this talk

= =

Focus of this talk

= =

Focus of this talk

Daemon

Service Security

Business UnitsNetwork

Client World View

Cyber Attack

Users

Web Server

DB

Client Wants it secure

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

WebLog

Communications

Web Service

Web Service

SOPE/REST

Encrypted

AuthAuth

SOPE/REST

Encrypted

UMLUnified Modeling Language

Network Diagram

Cyber Attack

Critical Units

Credit Cards

Production DB

$1,000,000

$20,000,000

User Info DB

$100,000

Client Is Strong

Strong

Critical Units

Credit Cards

Production DB

$1,000,000

$20,000,000

User Info DB

$100,000

A Security Review

I ”PenTester” will hit you at

Lets say you are “Secure”

• Network• Computer Login• Employees• Hardware• TechSupport• ………..

Strong

I ”The Hacker” will Attack

Lets say you are “Secure”

• Users• Your Physical Infrastructure• Your Web-Face• All Digital Devices• ………..• Except (X/Y/Z)

My Team

A Security Review

On Problem

Still Good Everything is Bad

• We took full control of Domain Admin• We took full control of Network• We took full control of Database Systems• We took full control of Physical Security• We took full control of File Management• We took full control of Back Up…..• ………..

Security Review

On Problem

Everything is Bad

How do we Fix This

Critical Units

Credit Cards

Production DB

$2,000,000

$20,000,000

User Info DB

$200,000

Layered Defenses

Credit Cards

Production DB

$2,000,000

$20,000,000

User Info DB

$200,000

Layered Defenses

Cards Hash

User Info DB

Credit Cards

Production DB

Layered Defenses

Cards Hash

User Info DB

Credit Cards

Production DB

Guards

Quick Recommendations

API Type: OWIN.orgREST – SOPE – Socket

DB Type: Node.JS – Neo4Netde Database

Security: OAuth (2)RSA 4096 – AES 256 – MAC(message authentication code)

API Type: REST – SOPE – Socket

DB Type: Node Database – Sharding & Segmentation

Security:RSA 4096 – AES 256 – MAC(message authentication code)

• Detect and Protect the Perimeter• Guard and Respond• Build Choke Points• Find the Weak Blind Spots• …………

Layered Defense

“Client Remediates the Issues”

Client is stronger

Layered Defense

Attacking as Hackers

Layered Defense

Layered Defense

• We took Admin in 2-4 hours(Tell Client 8 Hours)• We took full control of Network• We took full control of Database Systems• We Failed to control of Physical Security• We took full control of File Management• We Failed to control of Back Up…..• ………..

Security Review

How do we Fix This

Layered defense

Detection and Response

Guard Post

Now we have started talking the same

Language

Now Security Can Start

Segmentation

Anit-Pattern

Pattern=

==

Developer=>ITGood Design

Bad Design

Separation

Controllers

Facade

Claims

Actions

View

Authentication===

Developer => DBA

Security Controls

Attack Vector

Security Test

Defendable Systems

Security User Story

Security Unit Test=

==

Developer=>Security

Language = Context

Now Security Can Start

Get to know the Client

Web Data Processing

Strong API/DAL

Communications

Data Access Layer

Communications

Data Access Layer

Communications

Data Access LayerCommunications

Communications

Strong vs WeakSoftware

DEMO

Communications

Security Level

Communications

Security Level

Communications

Communications

Communications

Domain Expert

Communications

Design Security

DEMO

Communications

Two Completely Different SystemsPOS

Web

Communications

POS

Web

Communications

POS

Web

DB

IT/&/Networking

TeamsPOS != WEB != DB != IT

Mockup Project

Defend the POS

Communications

Trusted Network

Point Of Sales

Clients & Partners

Communications

Built 5 Years ago

Changes Twice a year

Only X can Access it

Bad Fix

Bandage Security

Communications

Communications

$250kYou will preventX/Y/Z AttacksBest “Buzzword” Protection

• Turn Key• Reliable• Low Long Term Cost• Free Upgrades for Three Years• ……….

Communications

Design Security

Communications

Communications

Secure System

Communications

Secure System

Log System

Passive Detection

Communications

API/DAL

Log

Detection

Communications

API/DAL

Log

Detection

Communications

API/DAL

Log

Detection

Honey-Pot

Communications

API/DAL

Log

Detection

Honey-Pot

Communications

API/DAL

Log Detection

Honey-Pot

API/DAL

Communications

API/DAL

Log Detection

Honey-Pot

Data Management &

Point To Point CryptoAPI/DAL

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

Crypto

API/DAL

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

Crypto

CommunicationsSegmented

Network

POS Auth

Communications

Data API

POSAuth

Auth

• Segmented Hardware• Segmented User Authentication(NO AD!)• Segmented Management• Segmented Data Storage/Backup• Segmented Buildings• Segmented Developers• Segmented IT/Security• Segmented Power…….

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

Web

Communications

POS

Web

Data API

Communications

Data API

POS

Web

SQL

SQL

Communications

Data API

POS

Web

SQL-Injection=>

SQL

Security User Stories----SQL Injection----

• Detect SQL-injection• Prevent SQL-injection

• Respond to SQL-injection

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

Web

SQL-Injection=>

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

Web

SQL-Injection

Protection

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

Web

SQL-Injection

Protection

SQL

Protection

SQL-Injection

Protection

SQL-Injection

Protection

Security User Stories----SQL Injection----

• Detect SQL-injection• Prevent SQL-injection

• Respond to SQL-injection

Security Unity Test----SQL Injection----

• API -> SQL-injection• Processing Logic -> SQL-injection

• BackEnd -> SQL-injection

• Detect Injection

SQL-Injection

Security User Stories----SQL Injection Occurred----

• Evaluate SQL-injection• If Critical Respond

• If non-Critical Notify/Fix

Security Unity Test----SQL Injection Detection---

• API -> Notify• Processing Logic -> Notify

• BackEnd -> Notify

• LockDown Each Layer

SQL-Injection

Occurred

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

Web

SQL-Injection

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

Web

Security Response

Communications

Data API

POS

Web

SQL

SQL

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

Web

SOAP -

REST

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

Web

SQL

Protection

SQLSOAP

- REST

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

Web

Communications

Data API

POS

Web

SQL

SQL

Log

Communications

Data API

POS

Web

SOPE/REST

SOPE/REST

Communications

Data API

POS

Web

SOPE/RESTEncrypted

SOPE/REST

Communications

POS

Web

SOPE/RESTEncrypted

SOPE/REST

Why?

Not encrypt?

Communications

Web

SOPE/REST

Why?

Not encrypt?

Communications

Web

SOPE/REST

Do Not Trust

Publicly Exposed

Design PatternExposed SystemBURN THEM!!!!

Communications

Web

SOPE/REST

Encrypted

SOPE/REST

POSI/O

Web

Detect and Burn

CommunicationsSOPE/REST

Encrypted

SOPE/REST

POSI/ODetect

and Burn

Communications

Web

SOPE/REST

Encrypted

POSI/O

Service

Quick TangentBetter Web Server Layout

Communications

Web Service

Web Service

SOPE/REST

Encrypted

SOPE/REST

Encrypted

Communications

Web Service

Web Service

SOPE/REST

Encrypted

AuthAuth

SOPE/REST

Encrypted

Segmentation Is Good

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

Web

Communications

POS

Web

Communications

POS

Web Bridge

Communications

POS

Web Bridge

Communications

POS

Web

BridgeDetection is Easy

Everything is Hard

Locking it down is Easy

Detection is Easy

If Breach Occurs POS

WebBridge

Lock it All Down

Respond Aggressively

Burn it all Down

Fix ExploitReplace Server

Rotate Security

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

Web

For a Secure Segmentation -

Developers Need To Design And Control• FireWalls• Network Layout• System Provisioning • System Security• ………

Communications

API/DAL

Log Detection

Honey-Pot

POS

Web

Port:1234

Incoming TCP/UDP

From: 10.88.10.1

To: 10.88.11.255

Port:7676

Incoming TCP/UDP

From: 10.88.88.1

To: 10.88.99.111

Layered Defense

Security Test

For DeveloperSecurity User Stories

----Core DataBase is Hacked----

For SecuritySecurity User Stories

----Core DataBase is Hacked----

For SysAdminSecurity User Stories

----Core DataBase is Hacked----

For CxOSecurity User Stories

----Core DataBase is Hacked----

For ………..Security User Stories

----Core DataBase is Hacked----

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

WebLog

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

WebLog

Security User Stories----Core DataBase is Hacked----

• Prevent Changing the Logs• Prevent Access to Other DBs

Systems Game Theory

Systems Game TheoryAnti-Fragile

Security User Stories----Lost DataBase Bridge----

• Keep WebServer Up• Take Services Down

• Sync After Bridge is Up

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

WebLog

Security User Stories----Lost DataBase Bridge----

• Keep WebServer Up• Take Services Down

• Sync After Bridge is Up

Developer Response System

• Security User Stories • Security Unit Test

• Security Response Stories

Communications

API/DAL

Log Detection

Honey-Pot

Crypto

CryptoPOS

WebLog

Security Response Stories----Hacker on Core Bridge----

• Guns• Fire• Pain

Security Response Stories----Hacker on Core Bridge----

• Activate Full Security Response• Revoke All Security Tokens• Lock Down All Choke Points

Developer Response System

Security User Stories----Lost POS Ingress---

• Revoke Old POS Privileges• Standup New POS System

• Standup New POS Auth System

Communications

Data API

POSAuth

Auth

Auth

Communications

Data API

POSAuth

Auth

Auth

Network Diagram

If Extra Time

Fun Attack Demo

GrayWolf

Demo

Context

172

FIN

173

www.DigitalBodyGuard.comJonM@DigitalBodyGuard.com

MORE INFORMATION @:

Jon McCoy