Published on November 8, 2013
SECURITY TEA LEAVES NOVEMBER 2013 Ed Bellis Matt Johansen Founder & CEO of Risk I/O Threat Research Center Manager @ebellis @mattjay
SPEAKERS Ed Bellis CoFounder, CEO • Contributing Author, Beautiful Security • Manages 50M+ vulnerabilities daily • Background in Baseball • Former Orbitz CISO, 20+ years experience • I'm hiring… a lot… © 2013 Risk IO, Inc. Matt Johansen Threat Research Center Manager • BlackHat, DEFCON, RSA Speaker • Oversees assessment of 15,000+ websites • Background in Penetration Testing • Hacker turned Management • I'm hiring… a lot… © 2013 WhiteHat Security, Inc. 2
NICE TO MEET YOU ✓ Data-Driven Vulnerability Intelligence Platform ✓ DataWeek 2012 Top Security Innovator ✓ Chicago & San Francisco ✓ Processing 50M+ Vulnerabilities Daily
ABOUT WhiteHat Security, Inc. 3970 Freedom Cir #200, Santa Clara, CA 95054. Founded 2001. Headquartered in Santa Clara, CA. Employees: 260+. WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis). Customers: 500+ (banking, retail, healthcare, etc.). Founded in 2001 by Jeremiah Grossman–a former Yahoo! information security officer–WhiteHat combines a revolutionary, cloud-based technology platform with a team of leading security experts to help customers in the toughest, most regulated industries, including e-commerce, financial services, information technology, healthcare and more. Dozens of companies in the Fortune 500 rely on WhiteHat to help them prevent website attacks that could cost them millions.
REPORT WhiteHat Stats Report In a recent customer survey for our 2012 WhiteHat Stats report we asked what the major reason to fix a vulnerability was. Answer: Compliance. We also asked, if a choice was made NOT to fix a vulnerability, what the major reason was. Answer: Compliance. Something is wrong with this picture. How do we better prioritize finding and fixing vulnerabilities in our web applications?
COUNTERTERRORISM • Known Groups • Past Incidents, Close Calls • Threat Intel, Analysts • Targets, Layouts • Surveillance
INFOSEC?
DATA Data pieces • Industry Vuln Data: WhiteHat Stats Report • Industry Attack Data: Imperva WAF traffic report, Verizon DBIR • In House Vuln Data: Find your vulns! • In House Attack Data: What are the attackers using against YOU!
DEFEND LIKE YOU’VE DONE IT BEFORE • Groups, Motivations • Learning from Breaches • Asset Topology, Actual Vulns on System • Vulnerability Definitions • Exploits
WORK WITH WHAT YOU’VE GOT Akamai, Safenet NVD, MITRE ExploitDB, Metasploit
ARTICLES Blackhats Talking to blackhats gives us great intelligence, even if it’s not always 100% reliable intel. For those of you who didn’t see the blog posts: • Blackhat part 1 • Blackhat part 2 • Blackhat part 3
DATA Most Used Vulns? “What are the most used web based vulnerabilities?” Answer: • “Adam” admits that he doesn’t keep track • However, he believed that in his world XSS and SQL injection are the most used
VULNERABILITY OWASP 2013 RC “As you read the OWASP top 10 release candidate for 2013, does the order make sense in terms of how risky and/or common they are for companies to have in their sites if you are going to attack them?” Answer: • The OWASP release candidate is unhelpful (to put it politely). • The concept of a top 10 vulnerabilities list is “stupid, flawed and inaccurate.” • For it to be accurate he felt that you would have to update it daily, which is, of course, practically impossible.
VULNERABILITY Esoteric Vulns? “How do you feel about LDAP injection, XML injection and XPath injection?” Answer: • “Gangs” tend not to share information • However, he wasn’t aware of anyone who was using those.
VULNERABILITY Useful Vulns? “What are the characteristics of a ‘good’ web application vulnerability?” Answer: • Fast to exploit • Persistent • Full access (root) • Ability to deface/redirect • Ability to wipe IP logs
VULNERABILITY Preferred Vulns? “Do blackhats prefer command injection, SQL injection and brute force?” Answer: • It depended on the target and the value of the compromise • However, he indicated again that if it’s vulnerable that’s a problem, and it doesn’t really matter how it’s exploited. • The one exception: he did concur with me that “new” attacks tend not to be used much.
VULNERABILITY Prioritization “How would you prioritize fixes?” Answer: • “Adam” said the hardest vuln to exploit/find would be last to be fixed and the easiest to exploit/find first. • In his opinion SQL injection would probably be the first to get fixed.
VULNERABILITY Additional Vulns “Any web-application issues that are extremely useful to attackers that aren’t on the OWASP top 10?” Answer: • Clickjacking • Denial of Service/DDoS
VULNERABILITY Best Practice? “If followed perfectly, is the OWASP top 10 enough to stop credit card theft through web application vulnerabilities?” Answer: • The whole idea of testing for only 10 is “crazy”. • He felt that the banks are just as bad in many cases as the merchants. • Small online merchants should be banned outright from handling payment info
BLACKHATS Blackhats From these answers we know: • Blackhats don’t care about lists – the top 10 should only be used for prioritization, not as a matter of completeness or “best practice” • We were right to focus our energies on certain classes of attack first during human review, and we now know to focus on those vulns first during automated scans as well. • The most valuable vulns to attackers are the most valuable vulns to our customers, so why shouldn’t we prioritize ourselves similarly, while still maintaining the same coverage?
SHOW ME THE MONEY
CVSS AND REMEDIATION METRICS
CVSS AND REMEDIATION METRICS LESSONS FROM A CISO
THE KICKER - LIVE BREACH DATA
CVSS AND REMEDIATION - NOPE
CVSS - A VERY GENERAL GUIDE FOR REMEDIATION - YEP
THE ONE BILLION DOLLAR QUESTION Probability(You Will Be Breached On A Particular Open Vulnerability)? 1.98%
I LOVE IT WHEN YOU CALL ME BIG DATA
ENTER, THE SECURITY MENDOZA LINE Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”? Alex Hutton comes up with the Security Mendoza Line (http://riskmanagementinsight.com/riskanalysis/?p=294). Josh Corman expands the Security Mendoza Line (http://blog.cognitivedissidents.com/2011/11/01/introto-hdmoores-law/): “Compute power grows at the rate of doubling about every 2 years” becomes “Casual attacker power grows at the rate of Metasploit”
I LOVE IT WHEN YOU CALL ME BIG DATA
DATA How do we utilize this? Data! • We have another piece of the puzzle: what the bad guys are actually using. • Prioritization of testing and finding. • Prioritization of mitigating and fixing.
PRIORITY Prioritize Testing & Finding Use all the industry and in-house data to figure out what to test for across your entire web footprint. SQLi being used heavily by attackers? FIND ALL OF THEM! Command injection not being used as much? Find it, but not until you have found every single SQLi.
FIXING Prioritize Mitigating & Fixing Nobody likes the pile of bug tickets that shows up after a vulnerability assessment. Virtual patch to buy time: IDS blaring alarms of XSS? Turn up the WAF rules for XSS. That will help block low-hanging-fruit scanners. Prioritize your bug tickets for devs in swallowable chunks. What sounds better? “Ok team, let’s figure out how to parameterize our SQL queries and go through site by site and implement that.” OR “$Web_Scanner found 120 pages of vulns! Fix them now!!!110101”
I LOVE IT WHEN YOU CALL ME BIG DATA Probability of breach on an open vulnerability: Spray and Pray => 2% • CVSS 10 => 4% • Metasploit + ExploitDB => 30%
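An added example (not code from the talk, Risk I/O or WhiteHat) that turns the three slides above into a ranking: constructed scan findings and IDS counts, the slide’s breach-likelihood figures used as rough priors, and tickets grouped per vulnerability class as the “swallowable chunks” slide suggests. The tie-break order and the WAF threshold are this example’s assumptions.

```python
# Breach-likelihood priors quoted on the slide: share of open vulns of that
# kind later associated with a breach. Used here only as rough priors.
BASELINE = 0.02         # "spray and pray": any open vulnerability
CVSS10 = 0.04           # CVSS base score 10, no public exploit known
PUBLIC_EXPLOIT = 0.30   # exploit published in Metasploit or ExploitDB

# Constructed sample scanner findings (not real sites or real results).
FINDINGS = [
    {"id": "F1", "class": "SQLi", "url": "/login", "cvss": 7.5, "public_exploit": True},
    {"id": "F2", "class": "XSS", "url": "/search", "cvss": 4.3, "public_exploit": False},
    {"id": "F3", "class": "CmdInjection", "url": "/export", "cvss": 10.0, "public_exploit": False},
    {"id": "F4", "class": "SQLi", "url": "/report", "cvss": 7.5, "public_exploit": True},
    {"id": "F5", "class": "XPathInjection", "url": "/api", "cvss": 6.5, "public_exploit": False},
]
# Constructed in-house attack data: IDS/WAF alerts per vuln class, last week.
IDS_HITS = {"XSS": 120, "SQLi": 35}

def breach_likelihood(finding):
    """Map one finding to the slide's empirical prior for its exploit status."""
    if finding["public_exploit"]:
        return PUBLIC_EXPLOIT
    if finding["cvss"] >= 10.0:
        return CVSS10
    return BASELINE

def prioritise(findings, ids_hits):
    """Rank: classes seen in live attack traffic first, then by exploit prior,
    then CVSS. The tie-break order is this example's assumption."""
    def key(f):
        seen = ids_hits.get(f["class"], 0) > 0
        return (seen, breach_likelihood(f), f["cvss"])
    return sorted(findings, key=key, reverse=True)  # stable, so F1 stays before F4

def dev_tickets(ranked):
    """One ticket per vuln class in priority order ('parameterize the SQL
    queries'), not 120 pages of individual findings."""
    tickets = {}
    for f in ranked:
        tickets.setdefault(f["class"], []).append(f["url"])
    return tickets

def virtual_patch_candidates(ids_hits, threshold=50):
    """Classes noisy enough in IDS to justify tightening WAF rules now,
    buying time until the code fix ships (threshold is an assumption)."""
    return sorted(c for c, n in ids_hits.items() if n >= threshold)

if __name__ == "__main__":
    for cls, urls in dev_tickets(prioritise(FINDINGS, IDS_HITS)).items():
        print(f"{cls}: {len(urls)} finding(s) at {', '.join(urls)}")
    print("WAF rules to turn up first:", virtual_patch_candidates(IDS_HITS))
```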
CASE STUDY Case Study RoR case study timeline (hope to get the actual visual from our customer). Shows the importance of staying on top of bugs that are being actively exploited and prioritizing the finding and fixing of them.
• 1/8/2013 Rails team releases patches and blog post describing critical vulnerabilities in the Rails framework
• 1/8/2013 Security Team receives notification from Intelligence team about Rails vulnerability
• 1/9/2013 Security Team receives notification from WhiteHat with findings of Rails vulnerability
• 1/9/2013 Security Team notifies Developer Team about the new vulnerabilities
• 1/9/2013 Highest priority site upgraded to fully remediate the vulnerability
• 1/10/2013 IDS signatures updated to detect/prevent exploitation
• 1/10/2013 Metasploit releases a command injection exploit for CVE-2012-0156
• 1/11/2013 The rest of the vulnerable applications apply temporary workaround patch
• 1/11/2013 Security Team receives first exploit attempt notification from IDS. The exploit was attempted from a Russian Federation IP address.
• 2 Hours between workaround and first identified exploit attempt!
• 1/13/2013 Another exploit attempt seen against large application from Germany
THANK YOU Ed Bellis Matt Johansen Founder & CEO of Risk I/O Threat Research Center Manager @ebellis @mattjay