The reason people use the Internet to DATA · 2013 OWASP Top 10 1. Injection 2. Broken authentication and session management 3. Cross-site scripting (XSS) 4. Insecure direct object
Page 1:

Page 2: Applications are

• The business
• The reason people use the Internet
• The gateway to data
• The target

Page 3:

6 min before it's scanned

If vulnerable, you could be PWND in <2 hours

1/3 mission critical

Page 4: App Tiers

[Diagram: the application tiers, each annotated with the attacks that land there. Attacks shown: Certificate spoofing, Protocol abuse, Session hijacking, Key disclosure, DDoS, Eavesdropping, Man-in-the-middle, Man-in-the-browser, Malware, Cross-site request forgery, Cross-site scripting, DNS hijacking, DNS spoofing, DNS cache poisoning, Dictionary attacks, Abuse of functionality, API attacks, Injection, Credential theft, Credential stuffing, Brute force, Phishing]

Page 5:

Page 6:

2013 OWASP Top 10

1. Injection
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards

2017 OWASP Top 10

1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring

Page 7: Injection → PHP & SQL

[Chart: share of injection attacks by target. Categories shown: PHP, SQL, Exchweb, Comments, Cart, Betablock, Admin, Affiliates, Login. Values shown: 58%, 56%, 6%, 4%, 3%, 2%, 2%, 1%, 1%]

Page 8:

PHP: 46% of PHP attacks were SQL injections.

Source: Loryka attack data
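The deck's data puts injection, and SQL injection against PHP in particular, at the top of the observed attack traffic. As an added illustration that is not part of the original slides, the Python below stands in for a PHP/MySQL product search page using SQLite: the vulnerable handler builds the query by string interpolation, the hardened one binds the value as a parameter (and escapes LIKE wildcards), and a third shows the one case parameters cannot cover, a client-chosen ORDER BY column, handled with an allow list. The tables, rows, payload and function names are all constructed for this demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a product catalogue beside a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (name TEXT, price REAL);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO products VALUES ('anvil', 99.0), ('rope', 5.5);
        INSERT INTO users VALUES
            ('admin', '$2b$12$constructed-hash-1'),
            ('alice', '$2b$12$constructed-hash-2');
        """
    )
    return conn


# Constructed attacker input: closes the LIKE string, UNIONs in the users
# table, and comments out whatever follows in the original query.
PAYLOAD = "%' UNION SELECT username, password_hash FROM users --"


def search_vulnerable(conn, q):
    """Vulnerable: user input is interpolated straight into the SQL text."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{q}%'"
    return conn.execute(sql).fetchall()


def _like_pattern(q):
    """Escape LIKE metacharacters so the caller cannot widen the search."""
    q = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%" + q + "%"


def search_safe(conn, q):
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT name, price FROM products WHERE name LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (_like_pattern(q),)).fetchall()


# Identifiers (column and table names) cannot be bound as parameters, so a
# sort column chosen by the client has to be checked against an allow list.
ALLOWED_SORT = {"name", "price"}


def is_allowed_sort(column):
    return column in ALLOWED_SORT


def search_sorted(conn, q, sort_by):
    if not is_allowed_sort(sort_by):
        raise ValueError(f"sort column not allowed: {sort_by!r}")
    sql = (
        "SELECT name, price FROM products WHERE name LIKE ? ESCAPE '\\' "
        f"ORDER BY {sort_by}"
    )
    return conn.execute(sql, (_like_pattern(q),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))  # leaks the users table
    print("safe:      ", search_safe(db, PAYLOAD))        # literal payload matches nothing
    print("sorted:    ", search_sorted(db, "", "price"))
```

The payload works against the vulnerable handler because the `%` and `'` it supplies become part of the SQL grammar; with a bound parameter the same bytes are only ever a LIKE pattern, and escaping `%` and `_` keeps a user from turning the search into a full-table dump by other means.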

Page 9: Access Attacks

[Chart: breakdown of access attacks. Values shown: 5%, 23%, 26%, 34%, 9%, 3%; category labels not recoverable]

Page 10: Access Attacks – Check your Credentials

Page 11: Credential Stuffing – Major Breaches

In the last 8 years more than 7.1 billion identities have been exposed in data breaches.

Breach sizes shown: 70 million accounts; 427 million accounts; 150 million accounts; 3 billion accounts; 117 million accounts.

Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more.

Sources:
1. Symantec Internet Security Threat Report, April 2017
2. https://www.entrepreneur.com/article/246902#

Page 12:

Clients are phished → malware installed

Banking Trojans → Fraud Trojans

Fraud targets = any site with a login page

Page 13: Web Fraud Credential Stealing – Not Only Banks

Use our research to learn about attack trends affecting your industry: Application Threat Intelligence

Page 14: Denial of Service Attacks Against Applications

• DoS becomes the new spam
• L7 DoS attacks are rising
• Multi-layered protection is needed
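The credential stuffing slides (pages 10 and 11) and the layer-7 DoS slide above come down to the same question for a defender: what does one source do to the login and search endpoints over time? As an added example, not part of the original deck, the Python below parses constructed access-log lines (Combined-log layout plus a trailing user= field, which is an assumption of this demo, not a standard field) and flags a source as credential stuffing when it cycles through many distinct usernames with mostly failed logins, and as a layer-7 flood when it packs more requests into a 10-second window than the threshold allows. The IPs, usernames and thresholds are all constructed; tune the thresholds against your own traffic baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the demo, not F5 or industry figures.
WINDOW = timedelta(seconds=10)
FLOOD_PER_WINDOW = 20       # requests from one source inside WINDOW
STUFFING_MIN_USERS = 5      # distinct usernames tried from one source on /login
STUFFING_FAIL_RATIO = 0.8   # share of those login attempts that failed

# Combined-log-like line, with an assumed "user=<name>" field appended by the app.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: user=(?P<user>\S+))?$'
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window=WINDOW):
    """Largest number of timestamps that fall inside any window of the given size."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines):
    """Per-source stats over the log, reduced to {ip: [reasons]} for flagged sources."""
    per_ip = defaultdict(lambda: {"times": [], "login_users": set(),
                                  "login_total": 0, "login_failed": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["times"].append(rec["ts"])
        if rec["method"] == "POST" and rec["path"] == "/login":
            s["login_total"] += 1
            if rec["user"]:
                s["login_users"].add(rec["user"])
            if rec["status"] in (401, 403):
                s["login_failed"] += 1

    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        burst = max_in_window(s["times"])
        if burst >= FLOOD_PER_WINDOW:
            reasons.append(f"L7 flood: {burst} requests in {WINDOW.seconds}s")
        if s["login_total"]:
            ratio = s["login_failed"] / s["login_total"]
            if len(s["login_users"]) >= STUFFING_MIN_USERS and ratio >= STUFFING_FAIL_RATIO:
                reasons.append(
                    f"credential stuffing: {len(s['login_users'])} usernames, {ratio:.0%} failed")
        if reasons:
            findings[ip] = reasons
    return findings


def _line(ip, second, method, path, status, user=None):
    """Build one constructed log line."""
    ts = f"10/Oct/2018:13:55:{second:02d} +0000"
    tail = f" user={user}" if user else ""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512{tail}'


def sample_log():
    """Constructed traffic: one real user, one stuffing source, one L7 flood."""
    lines = [
        _line("198.51.100.5", 1, "POST", "/login", 401, "alice"),   # typo, then success
        _line("198.51.100.5", 4, "POST", "/login", 200, "alice"),
        _line("198.51.100.5", 6, "GET", "/account", 200),
    ]
    # Stuffing: eight breached usernames replayed at a slow, polite pace; one works.
    for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan"]):
        lines.append(_line("203.0.113.7", 10 + i * 3, "POST", "/login",
                           200 if u == "erin" else 401, u))
    # Flood: 25 hits on a heavy search URL inside five seconds.
    for i in range(25):
        lines.append(_line("192.0.2.9", 40 + i // 5, "GET", "/search?q=%25", 200))
    return lines


if __name__ == "__main__":
    for ip, reasons in analyze(sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

Note that the stuffing source never trips the rate threshold: eight requests spread over twenty seconds look like a patient user, which is why login telemetry (distinct usernames and failure ratio per source) has to be tracked separately from request volume.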

Page 15: DDoS by Region 2017

[Chart: DDoS by region, 2017; figures not recoverable]

Page 16: BOTs

Rise of the BOTs: 98.6M bots observed

52% of Internet traffic is automated

77% of 2016 web app breaches involved the use of bots

ThingBOTs

Page 17: Thingbots – Affected Devices

[Timeline figure: thingbots by year of discovery, 2008–2018; 74% discovered in the last 2 years]

• 7 bots: SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter
• 1 bot: Brickerbot
• 2 bots: WireX, Reaper
• 3 bots: Mirai, BigBrother, Rediation
• 1 bot: Remaiten
• 1 bot: Moon
• 1 bot: Aidra
• 1 bot: Hydra
• 3 bots: Satori family, Amnesia, Persirai
• 6 bots: Masuta, PureMasuta, Hide ‘N Seek, JenX, OMG, DoubleDoor
• 1 bot: Crash Override
• 1 bot: Gafgyt family
• 2 bots: Darlloz, Marcher
• 1 bot: Psyb0t
• 4 bots: Hajime, Trickbot, IRC Telnet, Annie

Affected devices: CCTV, DVRs, WAPs, set-top boxes, media centers, Android, wireless chipsets, NVR surveillance, Busybox platforms, smart TVs, VoIP devices, cable modems, ICS, SOHO routers, iOS, IP cameras

Page 18: Thingbot Attack Type

[Same 2008–2018 thingbot timeline as Page 17, annotated by attack type]

Attack types: DNS hijack, DDoS, PDoS, proxy servers, unknown, rent-a-bot, install-a-bot, multi-purpose bot, fraud trojan, ICS protocol monitoring, Tor node, sniffer, credential collector, crypto-miner

Shifting from primarily DDoS to multi-purpose

Page 19: BOTs – Common source of threat vectors

Client-Side Attacks: Malware, Ransomware, Man-in-the-browser, Session hijacking, Cross-site request forgery, Cross-site scripting

DDoS Attacks: SYN, UDP, and HTTP floods; SSL renegotiation; DNS amplification; Heavy URL

App Infrastructure Attacks: Man-in-the-middle, Key disclosure, Eavesdropping, DNS cache poisoning, DNS spoofing, DNS hijacking, Protocol abuse, Dictionary attacks

Web Application Attacks: API attacks, Cross-site scripting, Injection, Cross-site request forgery, Malware, Abuse of functionality, Man-in-the-middle, Credential theft, Credential stuffing, Phishing

Page 20: Recommendations

1. Understand Your Environment
2. Reduce Your Attack Surface
3. Prioritize Defenses Based on Attacks
4. Select Flexible and Integrated Defense Tools
5. Integrate Security into Development

Page 21: 1. Understand Your Environment

CISO's #1 mission: Prevent downtime

Everyone's #1 challenge: Visibility

Page 22: 2. Reduce Your Attack Surface

• Subdomains hosting other versions of the main application site
• Dynamic web page generators
• HTTP headers and cookies
• Admin interfaces
• Apps/files linked to the app
• Web service methods
• Helper apps on the client (Java, Flash)
• Server-side features such as search
• Web pages and directories
• Shells, Perl/PHP
• Data entry forms
• Administrative and monitoring stubs and tools
• Application events that trigger server-side code
• Backend connections through the server (injection)
• APIs
• Cookies/state tracking mechanisms
• Data/active content pools (the data that populates and drives pages)

Page 23: 3. Prioritize Defenses Based on Attacks

Focus OpEx & CapEx spend

Page 24: 4. Select Flexible and Integrated Defense Tools

https://lifehacker.com/watch-alton-brown-demonstrate-why-unitaskers-have-no-1749470145

Page 25: 5. Integrate Security into Development

https://f5.com/labs/articles/cisotociso/strategy/six-steps-to-finding-honey-in-the-owasp

1. Understand your OWASP scope
2. Scan all web applications
3. Share results
4. Educate and inform
5. Firewall what you can’t fix
6. Become part of the OWASP community