CYBER TRENDS & INDUSTRY PENETRATION TESTING
Connect 2015
Technology Risk Supervision Division, Monetary Authority of Singapore
A NEW DAWN
• New Services / Mobile Application, NFC, FAST
• Technology / Biometrics, Big Data, Analytics, Cloud, Blockchain
• Payment Methods / Virtual currencies
• Interconnectivity / Globalisation, network reach
• Cyber threats / APTs, Zero Days, DDoS
• Anonymous / Hacktivism, Political
MAJOR CYBER ATTACKS (2013 – 2015)
2013
• Feb 2013 – US$40M coordinated ATM heist across the globe.
• Mar 2013 – Computer networks of 3 major banks and 2 large broadcasters in South Korea paralysed.
• Mar 2013 – Phase 3 of the Operation Ababil DDoS campaign on US banks.
• Dec 2013 – 40M credit/debit cards compromised at Target.
2014
• Jan 2014 – Contractor walked out of a credit bureau with the credit card details of 20M South Koreans on a thumbdrive.
• Feb 2014 – Mt. Gox hacked. 850k bitcoins (~US$450M) lost.
• Feb 2014 – comGateway hacked. 90k credit cards compromised, a third of them from Singapore.
• Apr 2014 – Critical “Heartbleed” vulnerability in OpenSSL disclosed.
• May 2014 – 233M customer records compromised at eBay.
• Aug 2014 – JP Morgan Chase compromised. 83 million records of households/small businesses leaked.
• Nov 2014 – Sony Pictures hacked. Personnel information, emails, unreleased movies leaked. Computer systems crippled.
2015
• Venom, Dyre, 400+ Gbps DDoS, FREAK, Logjam, DD4BC, ransomware, Duqu…
“Robbing one person at a time using a knife or gun doesn’t scale well. But now one person can rob millions at the click of a button.”
– Marc Goodman of the Future Crimes Institute
TECHNOLOGY RISK SUPERVISION – FINANCIAL SECTOR
Pillars: SUPERVISION / POLICY / SURVEILLANCE
• Off-site reviews
• On-site inspections / Supervisory visits
• Issuance of Guidelines and Notices
• Cyber Security Initiatives
• Regular engagements
WHAT IS PENETRATION TESTING?
“Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access.”
– SANS Institute
“PT provides a snapshot of the security posture or point-in-time security assessment of the FI’s systems and infrastructure.”
– ABS Penetration Testing Guidelines, May 14
PT? VA? (penetration test versus vulnerability assessment)
“9.4.4 The FI should carry out penetration tests in order to conduct an in-depth evaluation of the security posture of the system through simulations of actual attacks on the system. The FI should conduct penetration tests on internet-facing systems at least annually.”
– MAS Technology Risk Management Guidelines, para 9.4.4
OBJECTIVE
1. Develop a set of penetration testing (PT) guidelines for the financial sector
2. 11 FIs participated in the industry penetration test (IPT)
3. Analyse PT results and refine guidelines
4. Publish PT guidelines and share key findings with ABS members
DEVELOPMENT OF IPT GUIDELINES
• Referenced reputable sources on PT standards:
  • PTES (Penetration Testing Execution Standard) Technical Guidelines
  • OWASP Top Ten
  • CWE, CVSS, CAPEC standards
• Reviewed by senior technical specialists from participating FIs
• PT guideline covered key areas including scope, methodology, vendor selection criteria and reporting requirements
• Scope of PT
DELIVERING A SECURE APPLICATION
• Requirements Gathering
  • Functional
  • Non-functional
• Secure Development
  • Source code review
  • Non-functional tests
• Secure Deployment
  • Hardening
  • PT / VA
• Secure Operations
  • Security monitoring
  • Firewall
Penetration testing at deployment should not be the final security step in your SDLC process.
PT ANALYSIS
• To ensure consistency in our analysis, 2 key standards were used:
  • Common Weakness Enumeration (CWE)
  • Common Vulnerability Scoring System (CVSS)
• To ensure independence, FIs were asked to engage a third party to perform the PT and assess the severity of the issues identified.
COMMON WEAKNESS ENUMERATION (CWE)
• CWE is a community-developed dictionary of software weakness types that can occur in software’s architecture, design, code or implementation and that can lead to exploitable security vulnerabilities. The MITRE Corporation maintains CWE.
• Examples of CWE:
  • CWE-200 Information Exposure
  • CWE-79 Cross-site Scripting
  • CWE-598 Information Exposure Through Query Strings in GET Request
COMMON VULNERABILITY SCORING SYSTEM (CVSS)
• CVSS provides a universal, open and standardised method for rating IT vulnerabilities.
• Developed by FIRST – an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programmes.
• Risk rating used in the analysis (CVSS v2 base score):
  Risk Rating   CVSSv2 Score
  High          7.0 – 10.0
  Medium        4.0 – 6.9
  Low           0.0 – 3.9
FINDINGS
Key observations across all FIs:
• Common weaknesses identified
• Top 10 high-risk vulnerabilities according to CVSS base scores
COMMON WEAKNESSES IDENTIFIED
CWE-200: INFORMATION EXPOSURE
An information exposure can provide information about the product or its environment that could be useful in an attack.
• Information Exposure Through an Error Message
• Web Server Version Disclosure
• Clear Text Storage of Sensitive Information in a Cookie
CWE-310: CRYPTOGRAPHIC ISSUES
• Use of a Broken or Risky Cryptographic Algorithm
• Inadequate Encryption Strength
• Missing Encryption of Sensitive Data
CWE-284: IMPROPER ACCESS CONTROL
• Vertical Privilege Escalation
• Web Server Supports Basic Authentication
• Improper Restriction of Excessive Authentication Attempts
CWE-20: IMPROPER INPUT VALIDATION
• Cross-site Scripting (XSS)
• SQL Injection
• Pathname Traversal
CWE-20: Improper Input Validation
CWE chain as shown on the slide: CWE-17 Code → CWE-18 Source Code → CWE-19 Data Handling → CWE-20 Improper Input Validation → CWE-89 SQL Injection
CWE-89: SQL Injection
• Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
• This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands.
• SQL injection has become a common issue with database-driven web sites.
CWE-89
• Detection: automated static analysis, dynamic analysis, manual static analysis of source code
• Mitigation: input field validation, application firewall
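The two CWE-89 slides describe the weakness and list input validation and an application firewall as mitigations; what a source-code reviewer actually looks for is whether user input reaches the query as text or as a bound parameter. The example below is added here and is not code from the deck: it puts a string-built login query beside a parameterised one against an in-memory SQLite table (the table, columns, the single user row and the two attack inputs are all constructed for the demonstration) so that the "alter query logic to bypass security checks" case from the slide can be seen end to end.

```python
"""CWE-89 side by side: string-built query versus a parameterised query.

Added example, not code from the MAS/ABS deck. Uses an in-memory SQLite
database with one constructed user row so it runs offline; the schema,
the row and the attack strings are assumptions made for the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one privileged user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The weakness: input is concatenated into SQL, so a quote in the input ends
    the string literal and the rest is interpreted as SQL syntax."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """The fix: placeholders bind the input as data; the query text never changes."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    """Run both logins against two classic payloads and a legitimate login."""
    conn = make_db()
    comment_payload = "alice' --"      # '--' comments out the password check
    tautology_payload = "' OR '1'='1"  # makes the WHERE clause always true
    return {
        # vulnerable: query becomes ... WHERE username = 'alice' --' AND password = '...'
        "vuln_comment": login_vulnerable(conn, comment_payload, "anything"),
        # vulnerable: ... AND password = '' OR '1'='1'  (AND binds tighter than OR)
        "vuln_tautology": login_vulnerable(conn, "alice", tautology_payload),
        # fixed: the same strings are compared literally and match nothing
        "fixed_comment": login_fixed(conn, comment_payload, "anything"),
        "fixed_tautology": login_fixed(conn, "alice", tautology_payload),
        # fixed: a real credential still works
        "fixed_legit": login_fixed(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:15s} -> {row}")
```

Both payloads return the admin row from the concatenated query and nothing from the parameterised one. Parameterised queries (or an ORM that uses them) are the primary control for CWE-89; the input validation and application firewall on the slide reduce exposure but can be bypassed by encoding or by syntax the filter did not anticipate, so a tester who finds a WAF in front of a string-built query should still report the query.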
TOP 10 HIGH-RISK VULNERABILITIES
• SQL injections*
• Cross Site Scripting*
• Information Exposure Through an Error Message*
• Insecure Cookies
• Cacheable SSL Pages
• Validation performed on client-side only
• Admin interfaces configured with default credentials
• Unpatched/outdated systems*
• Core Dump Enabled
• OpenSSL ‘ChangeCipherSpec’ MiTM Vulnerability
Note: Based on the CVSS v2 “Base Score” – a vulnerability with a score of 7.0 or above is classified as “High-risk”. Vulnerabilities noted may not be easily exploitable as there are layered controls in FIs’ environments (e.g., login credentials, system access).
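Several items on this list and on the CWE-200 and CWE-284 slides (error-message exposure, server version disclosure, insecure cookies, cacheable SSL pages, Basic authentication) are visible in a single HTTP response, which is why they recur across FIs: they are configuration defaults rather than application logic. The checker below is an added example, not code from the deck or any scanner it references. It parses a captured raw response (the two responses here are constructed for the demonstration) and returns the finding names used on the slides; the regular expressions encode the usual signs a tester looks for and are assumptions, not a complete rule set.

```python
"""Flag common configuration findings from a raw HTTP response.

Added example, not code from the MAS/ABS deck. Works on captured response
bytes rather than making network calls, so it runs offline. The patterns
below are illustrative assumptions about what these findings look like on
the wire, not an exhaustive scanner.
"""
import re

# "Apache/2.2.15", "PHP/5.3.3": a product name followed by a dotted version.
VERSION_RE = re.compile(r"/\d+(\.\d+)+")
# Typical stack-trace and database-error fragments in response bodies.
STACK_TRACE_RE = re.compile(
    r"(java\.lang\.\w+Exception|Traceback \(most recent call last\)|"
    r"\bat [\w$.]+\(\w+\.java:\d+\)|ORA-\d{5}|You have an error in your SQL syntax)")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(header, value)...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("utf-8", "replace")


def check_response(raw: bytes, over_tls: bool = True) -> list:
    """Return the slide finding names triggered by this response, in check order."""
    _status, headers, body = parse_response(raw)
    findings = []

    def values(name):
        return [v for n, v in headers if n == name]

    # CWE-200: Web Server Version Disclosure
    if any(VERSION_RE.search(v) for v in values("server") + values("x-powered-by")):
        findings.append("Web Server Version Disclosure")

    # CWE-200: Information Exposure Through an Error Message
    if STACK_TRACE_RE.search(body):
        findings.append("Information Exposure Through an Error Message")

    # Insecure Cookies: session cookie set without Secure and/or HttpOnly
    for cookie in values("set-cookie"):
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            findings.append("Insecure Cookies")
            break

    # Cacheable SSL Pages: an HTTPS response that does not forbid caching
    if over_tls and "no-store" not in " ".join(values("cache-control")).lower():
        findings.append("Cacheable SSL Pages")

    # CWE-284: Web Server Supports Basic Authentication
    if any(v.lower().startswith("basic") for v in values("www-authenticate")):
        findings.append("Web Server Supports Basic Authentication")

    return findings


# Constructed sample: an error page from a misconfigured login endpoint.
BAD_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Server: Apache/2.2.15 (Unix)\r\n"
    b"Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    b"Cache-Control: private\r\n"
    b"WWW-Authenticate: Basic realm=\"admin\"\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<pre>java.lang.NullPointerException\n"
    b"\tat com.example.LoginServlet.doPost(LoginServlet.java:42)</pre>\n"
)

# Constructed sample: the same endpoint after hardening.
GOOD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    b"Cache-Control: no-store, no-cache, must-revalidate\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Sorry, something went wrong.</body></html>\n"
)

if __name__ == "__main__":
    print("bad: ", check_response(BAD_RESPONSE))
    print("good:", check_response(GOOD_RESPONSE))
```

None of these checks proves exploitability, which is the point the note on the slide makes: a version banner or a cacheable page is a High-risk base score only when combined with a reachable vulnerable component or a shared browser, so the finding should be reported with the layered controls that were observed around it.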
POINTS TO NOTE
While efforts were made to align the scope and methodology as much as possible, these factors will affect the results of the PT:
• Skill and judgement of the penetration tester(s)
• Date of the last PT performed on the system
• The period since security fixes and patches were applied to the system
• Major system enhancements prior to the IPT
WHAT’S NEXT?
• Issuance of PT guidelines
• ABS SCCS to share observations and recommendations
• Next IPT
• Accreditation of penetration testers