SQL Injection To Enterprise 0wned - K. K. Mookhey


Upload: owasp-qatar-chapter

Post on 18-Nov-2014


TRANSCRIPT

Page 1: SQL Injection To Enterprise 0wned - K.K. Mookhey

Technology, People, Standards, Processes

SQL Injection To Enterprise 0wned

K. K. Mookhey, CISA, CISSP, CISM, CRISC

Page 2

© Network Intelligence India Pvt. Ltd.

Introduction

• Founder, Principal Consultant – Network Intelligence India Pvt. Ltd.

– Institute of Information Security

• CISA, CISSP, CISM, CRISC

• Penetration testing, Security Auditing, Forensics, Compliance, Problem-solving

• ICICI Bank, BNP Paribas, Morgan Stanley, United Nations, Indian Navy, DRDO, and hundreds of other clients over a decade of experience

• Speaker at Blackhat, Interop, IT Underground, OWASP Asia, SecurityByte, Clubhack, Nullcon, ISACA, and numerous others

Page 3

Agenda

• Introduction & Case Studies

• Risk-based Penetration Testing

• Solutions

• Strategies

• Take-Aways

Page 4

THE BIGGEST HACK IN HISTORY

Page 5

Gonzalez, TJX and Heart-break-land

• >200 million credit card numbers stolen

• Heartland Payment Systems, TJX, and 2 US national retailers hacked

• Modus operandi

– Visit retail stores to understand workings

– Analyze websites for vulnerabilities

– Hack in using SQL injection

– Inject malware

– Sniff for card numbers and details

– Hide tracks

Page 6

The hacker underground

• Albert Gonzalez

– a/k/a “segvec,”

– a/k/a “soupnazi,”

– a/k/a “j4guar17”

• Malware, scripts and hacked data hosted on servers in:

– Latvia

– Netherlands

• IRC chats

– March 2007: Gonzalez “planning my second phase against Hannaford”

– December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”

Other locations shown on the slide: Ukraine, New Jersey, California

Page 7

Where does all this end up?

• Commands used on IRC

– !cardable

– !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk

• IRC Channels

– #cc, #ccards, #ccinfo, #ccpower, #ccs, #masterccs, #thacc, #thecc, #virgincc

Page 8

TJX direct costs

• $24 million to Mastercard

• $41 million to Visa

• $200 million in fines/penalties

Page 9

Cost of an incident

• $6.6 million average cost of a data breach

• From this, cost of lost business is $4.6 million

• More than $200 per compromised record

On the other hand:

• Fixing a bug costs $400 to $4000

• Cost increases exponentially as time lapses

Page 10

HOW THE COOKIE CRUMBLES

Pages 11–18: no transcript text

Page 19

Betting blind!

• DB Name

• Table Names

• User IDs

• Table Structure

• Data

Page 20

Net Result

Enterprise Owned!

Page 21

SOLUTIONS!

Page 22

Technology Solutions

• Encryption

• Web Application Firewalls

• Source Code Review Solutions

• Security Testing Suites

• Data Leakage Prevention

• Privileged Identity Management

• Web Access Management

• Information Rights Management

• Database Security Solutions

Page 23

Before we get to the technology…

Page 24

Application Security – Holistic Solution

• Design

• Develop/Manage

• Test

• Train

Page 25

EVOLVED PENETRATION TESTING

Page 26

Secure Testing

• Security testing options

– Blackbox

– Greybox

– Whitebox

– Source Code Review

• OWASP Top Ten (www.owasp.org)

• OWASP Testing Guide

Tools of the trade

– Open source – Wikto, Paros, Webscarab, Firefox plugins

– Commercial – Acunetix, Cenzic, Netsparker, Burpsuite

Page 27

Traditional vs. Risk-based Pentesting

| Traditional Pentesting | Risk-based Pentesting |
|---|---|
| Focus is on technical vulnerabilities | Focus is on business risks |
| Requires strong technical know-how | Requires both technical and business process know-how |
| Having the right set of tools is critical | Understanding the workings of the business and applications is critical |
| Is usually zero-knowledge | Requires a person who understands the business process to play a significant role – usually an insider |
| Understanding the regulatory environment is good | Understanding the regulatory environment is mandatory |

Page 28

Traditional vs. Risk-based Pentesting (continued)

| Traditional Pentesting | Risk-based Pentesting |
|---|---|
| Severity levels are based on technical parameters | Severity levels are based on risk to the business |
| Risk levels in report are assigned post facto | Risk levels in report reflect the levels assigned prior to testing |
| Test cases are built based on testing methodologies or generic testing processes | Test cases additionally build on risk scenarios |
| Audience for the report is usually the IT and Security teams | Audience for the report also includes the business process owners and heads of departments |

Page 29

GROUND REALITIES!

Page 30

Ground realities

• Business priorities

– Expand, grow, market share!!

• Developer illiteracy

– Unaware of security implications

– Shortcut fixes

• Vendor apathy

– Problem reinforced by weak contracts

• Unclear budgets

– Lip service by management towards information security

– CISO left fighting the battle alone without adequate resources

Page 31

STRATEGIZE!

Use Triage

Page 32

Sample Strategies

ATLAS Claims Processing – Agents Access Over Internet

• In-house Developed

• Implement & Enforce Internal SLAs

• Active Development Team

• Regular Secure Coding Training

• Emphasis on Secure Coding Libraries

• Secure Hosting

Page 33

Take-Aways

• Mindset change – most importantly of the business owners’!

– Data protection does matter!

– It is NOT simply a technology issue

– ISO 27001 is not the answer

• Implement application security in a comprehensive, cohesive and consistent manner

• Evangelize constantly!

• Demonstrate impact – always in business terms

• Strategize – you can’t protect everything all the time

• Leverage regulatory and legal requirements

Page 34

Ensure – this never happens!

Page 35

THANK YOU!

Questions?

[email protected]

@kkmookhey

http://www.linkedin.com/kkmookhey