Posted 30-Sep-2020

Technology Risk Supervision Division - Monetary Authority of Singapore

CYBER TRENDS & INDUSTRY PENETRATION TESTING
A NEW DAWN
- New Services / Mobile Application, NFC, FAST
- Technology / Biometrics, Big Data, Analytics, Cloud, Blockchain
- Payment Methods / Virtual currencies
- Interconnectivity / Globalisation, network reach
- Cyber threats / APTs, Zero Days, DDoS
- Anonymous / Hacktivism, Political
MAJOR CYBER ATTACKS (2013 - 2015)
- Feb 2013 - US$40M coordinated ATM heist across the globe.
- Mar 2013 - Computer networks of 3 major banks and 2 large broadcasters in South Korea paralysed.
- Mar 2013 - Phase 3 of the Operation Ababil DDoS campaign on US banks.
- Dec 2013 - 40M credit/debit cards compromised at Target.
- Jan 2014 - Contractor walked out of a credit bureau with the credit card details of 20M South Koreans on a thumb drive.
- Feb 2014 - Mt. Gox hacked. 850k bitcoins (~US$450M) lost.
- Feb 2014 - comGateway hacked. 90k credit cards compromised, a third of them from Singapore.
- Apr 2014 - Critical "Heartbleed" vulnerability in OpenSSL disclosed.
- May 2014 - 233M customer records compromised at eBay.
- Aug 2014 - JP Morgan Chase compromised. 83 million records of households/small businesses leaked.
- Nov 2014 - Sony Pictures hacked. Personnel information, emails and unreleased movies leaked. Computer systems crippled.
- 2015 - Venom, Dyre, 400+ Gbps DDoS, FREAK, LogJam, DD4BC, ransomware, Duqu...
"Robbing one person at a time using a knife or gun doesn't scale well. But now one person can rob millions at the click of a button," - Marc Goodman of the Future Crimes Institute.
TECHNOLOGY RISK SUPERVISION - FINANCIAL SECTOR
Supervision / Policy / Surveillance
- Off-site reviews
- On-site inspections / supervisory visits
- Issuance of Guidelines and Notices
- Cyber security initiatives
- Regular engagements
WHAT IS PENETRATION TESTING?
"Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access." - SANS Institute
"PT provides a snapshot of the security posture or point-in-time security assessment of the FI's systems and infrastructure." - ABS Penetration Testing Guidelines, May 14
PT? VA?
9.4.4 The FI should carry out penetration tests in order to conduct an in-depth evaluation of the security posture of the system through simulations of actual attacks on the system. The FI should conduct penetration tests on internet-facing systems at least annually.
OBJECTIVE
1. Develop a set of penetration testing (PT) guidelines for the financial sector
2. 11 FIs participated in the IPT
3. Analyse PT results and refine guidelines
4. Publish PT guidelines and share key findings with ABS members
DEVELOPMENT OF IPT GUIDELINES
� Referenced from reputable sources on PT standards:• PTES (Penetration Testing Execution Standard) Technical
Guidelines • OWASP Top Ten • CWE, CVSS, CAPEC standards
• Reviewed by senior technical specialist from
participating FIs
• PT guideline covered key areas including scope,
methodology, vendor selection criteria and reporting
requirements
• Scope of PT
DELIVERING A SECURE APPLICATION
- Requirements Gathering: functional; non-functional
- Secure Development: source code review; non-functional tests
- Secure Deployment: hardening; PT / VA
- Secure Operations: security monitoring; firewall
This should not be the final step in your SDLC process.
PT ANALYSIS
- To ensure consistency in our analysis, 2 key standards were used:
  - Common Weakness Enumeration (CWE)
  - Common Vulnerability Scoring System (CVSS)
- To ensure independence, FIs were asked to engage a third party to perform the PT and assess the severity of the issues identified.
COMMON WEAKNESS ENUMERATION (CWE)
- CWE is a community-developed dictionary of software weakness types that can occur in software's architecture, design, code or implementation and that can lead to exploitable security vulnerabilities. The MITRE Corporation maintains CWE.
- Examples of CWE:
  - CWE-200 Information Disclosure
  - CWE-79 Cross-site Scripting
  - CWE-598 Information Exposure Through Query Strings in GET Request
COMMON VULNERABILITY SCORING SYSTEM (CVSS)
- CVSS provides a universal, open and standardised method for rating IT vulnerabilities
- Developed by FIRST, an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs
Risk rating by CVSSv2 score:
  Risk Rating   CVSSv2 Score
  High          7.0 - 10.0
  Medium        4.0 - 6.9
  Low           0.0 - 3.9
FINDINGS
Key observations across all FIs:
- Common weaknesses identified
- Top 10 high-risk vulnerabilities according to CVSS base scores
COMMON WEAKNESSES IDENTIFIED
CWE-200: INFORMATION EXPOSURE (an information exposure can provide information about the product or its environment that could be useful in an attack)
- Information Exposure Through an Error Message
- Web Server Version Disclosure
- Clear Text Storage of Sensitive Information in a Cookie
CWE-310: CRYPTOGRAPHIC ISSUES
- Use of a Broken or Risky Cryptographic Algorithm
- Inadequate Encryption Strength
- Missing Encryption of Sensitive Data
CWE-284: IMPROPER ACCESS CONTROL
- Vertical Privilege Escalation
- Web Server Supports Basic Authentication
- Improper Restriction of Excessive Authentication Attempts
CWE-20: IMPROPER INPUT VALIDATION
- Cross-site Scripting (XSS)
- SQL Injections
- Pathname Traversal
CWE-20: IMPROPER INPUT VALIDATION - CWE-89: SQL INJECTION
Position in the CWE hierarchy: CWE-17 Code > CWE-18 Source Code > CWE-19 Data Handling > CWE-20 Improper Input Validation > CWE-89 SQL Injection
- Without sufficient validation of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL rather than as data.
- This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands.
- SQL injection has become a common issue with database-driven web sites.
CWE-89: SQL INJECTION - DETECTION AND MITIGATION
Detection: automated static analysis, dynamic analysis, manual static analysis of source code
Mitigation: input field validation, application firewall
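As an added example (not from the MAS/ABS slides), the CWE-89 description and the "input field validation" mitigation above, shown on an in-memory SQLite database: a login lookup that splices input into SQL text beside its parameterised form and an allow-list check. The table, the single account and the probe string are constructed for the demonstration.

```python
"""Added example, not part of the original slides: CWE-89 in a user lookup,
the string-built query beside the parameterised fix, plus allow-list
validation as a second layer. All data below is constructed."""
import re
import sqlite3


def make_db():
    # Constructed sample data: one user table holding a single account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'h4sh', 'user')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # CWE-89: the input is spliced into the SQL text, so quote characters
    # inside `name` become SQL syntax and can change the WHERE clause.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()


def lookup_parameterised(conn, name):
    # Fix: the driver sends the value separately from the statement, so the
    # input can never alter query structure whatever characters it contains.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_validated(conn, name):
    # Defence in depth, matching the slide's "input field validation":
    # reject anything outside the allow-list before it reaches the database.
    if not USERNAME_RE.fullmatch(name):
        return None
    return lookup_parameterised(conn, name)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that is SQL syntax, not a name
    print(lookup_vulnerable(db, probe))     # alice's row: query logic altered
    print(lookup_parameterised(db, probe))  # None: treated as a literal name
    print(lookup_validated(db, probe))      # None: rejected before the query
```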
TOP 10 HIGH-RISK VULNERABILITIES
- SQL injections*
- Cross-site scripting*
- Information exposure through an error message*
- Insecure cookies
- Cacheable SSL pages
- Validation performed on client side only
- Admin interfaces configured with default credentials
- Unpatched/outdated systems*
- Core dump enabled
- OpenSSL 'ChangeCipherSpec' MiTM vulnerability
Note: Based on the CVSS v2 "Base Score" - a vulnerability with a score of 7.0 or above is classified as "High-risk". Vulnerabilities noted may not be easily exploitable as there are layered controls in FIs' environments (e.g., login credentials, system access).
POINTS TO NOTE
While efforts were made to align the scope and methodology as much as possible, these factors will affect the results of the PT:
- Skill and judgement of the penetration tester(s)
- Date of the last PT performed on the system
- The period since security fixes and patches were applied to the system
- Major system enhancements prior to the IPT
WHAT'S NEXT?
- Issuance of PT guidelines
- ABS SCCS to share observations and recommendations
- Next IPT
- Accreditation of penetration testers