Let's have fun and learn from each other... ready? Let's go!
Breaches, hacks, incidents - happening all the time!
Who is doing it, why are they doing it and how are they doing it?
A1:2017-Injection
A2:2017-Broken Authentication
A3:2017-Sensitive Data Exposure
A4:2017-XML External Entities (XXE)
A5:2017-Broken Access Control
A6:2017-Security Misconfiguration
A7:2017-Cross-Site Scripting (XSS)
A8:2017-Insecure Deserialization
A9:2017-Using Components with Known Vulnerabilities
A10:2017-Insufficient Logging & Monitoring
A1:2017-Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
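As an added illustration of the A1 point above (not part of the original slides), the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table so the difference in what the interpreter does with a hostile value can be checked like a regression test:

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the original presentation.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("carol", "s3")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is spliced into the query text, so SQLite cannot
    # tell data from SQL: the hostile value is parsed as part of the query.
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    # The SQL text is fixed; the value is bound separately and is never
    # interpreted as SQL, whatever characters it contains.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo():
    # Returns the four outcomes so a test can assert on them.
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed tautology input
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated version returns every row for the hostile value, while the parameterized version returns nothing, which is the behaviour a code review or DoD "static review" should be checking for.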
A2:2017-Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
A3:2017-Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
A4:2017-XML External Entities (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
A5:2017-Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
A6:2017-Security Misconfiguration
Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
A7:2017-Cross-Site Scripting (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A8:2017-Insecure Deserialization
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
A9:2017-Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
A10:2017-Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
A massive data breach happened at Yahoo!, one of the world’s most established web service providers, when what first appeared to be a minor intrusion on its system turned out to be one of the world’s largest data breaches. The case is particularly important from a financial and reputational perspective. Not only did the breach cause a decline in Yahoo!’s value – which significantly impacted the outcome of its merger with Verizon – but it also negatively impacted Yahoo!’s reputation, as its ability to protect sensitive information was called into question. These were all a direct result of an ineffective cyberattack response strategy, which, had it been effectively implemented, could have saved the company millions of dollars.
The cyberattack on Target during December 2013 is an illustration of how common fears about identity theft and credit card fraud can quickly become a reality. It was during the height of the holiday season, when customers were eagerly preparing for Christmas, that Target announced that the credit and debit card data of over 40 million of its customers had been stolen while they made in-store purchases between 27 November and 15 December 2013. Additionally, Target later discovered that a further 70 million customers were affected by the attack, as encrypted bank PIN information and personal details – including email addresses, telephone numbers, and names – had also been compromised.
How did this happen - through a 3rd party vendor who had access to the POS systems.
Results - sales were off 46% for that quarter, stock dropped 2.2%. Settlement fees, resignations, credibility hit.
The Anthem Inc. was hacked in 2014 in the largest cyberattack in the history of the healthcare industry. This not only resulted in the theft of the personal information of over 78 million customers – including names, dates of birth, physical addresses, and contact details – but also in sensitive medical information and social security numbers being compromised. The hack is also significant because it cast doubt on the entire healthcare industry and the capability of large healthcare organizations to manage the significant volume of data they have on record. This illustrates the far-reaching effects of cyberattacks, as cyberattacks on one organization called the business operations of several others into question.
How - Breach of the 'human perimeter.' Spearphishing was the initial entry point, then lateral movement of malicious software throughout the network.
Result - 115 million in settlement fees, 250 million in upgrade fees. (Note: Anthem was applauded for their response.)
What is the #1 barrier to successful agile adoption? Company culture!
Same issue with creating a security minded organization. "It won't happen to me."
Companies need more partnership between infosec, development, engineering.
On a quarterly or as-needed basis, threat modeling workshops should be held to aid in identifying vulnerabilities. Typically accomplished in 1-2 hours, threat modeling allows those with the most intimate knowledge of the systems to plot out exposure points. It is conducted much like a Story Writing workshop, with brainstorming, grouping, and collaboration. The end result is a backlog of security-related technical debt.
Use your inside knowledge to find your vulnerabilities.
Just like teams typically allocate a certain number of hours to unplanned work and professional development, a slice of each sprint should be dedicated to eliminating technical debt related to security. There is likely a mountain of security debt now, and constant attention will allow the teams to service that debt over time.
Product Owners need to understand the importance of these items - which is not always an easy sell!
An additional sprint meeting should be incorporated into the sprint calendar when a release is imminent. A Security Review should be held during each sprint. This gives stakeholders one additional check to ensure that the stories being released to production do not contain any known vulnerabilities. This activity should be held in the same regard as other milestone sprint meetings like sprint planning and retrospectives – it should not be skipped.
The Definition of Done should be reviewed and revised to include considerations for security practices. If your DoD now includes Code Reviews, it should be expanded to encompass security, or another task called “static review” and/or "dynamic review" should be added to the DoD. If teams are truly adhering to the DoD, then this ensures that every piece of code has been evaluated for security concerns.
Static code reviews are done pre-compilation - and can be accomplished with a variety of tools.
Dynamic code reviews are done in a runtime environment - and can be accomplished with a variety of tools also.
Testing should be expanded to include significant negative and malicious user stories and test cases.
Periodically, teams should be allowed to have a sprint mostly dedicated to security hardening. Quarterly or biannual security hardening sprints give the team an opportunity to resolve many security technical debt stories at once, rather than chipping away at the list over the course of a year or years.
Security Center of Excellence
Collaboration, constant reinforcement, and staying up-to-date with the latest security development threats should be the mission of a Security CoE. Establishing a CoE, with executive support, demonstrates that the company is committed to this endeavor. The group should be properly chartered with a clear mission statement and operating agreements.
Vulnerability Testing - Internal and external
You should engage with a 3rd party for regular penetration and vulnerability testing. Typically, firms that are involved with this type of testing are looking for the most obvious and common flaws in systems. This is fine and expected, however performing testing internally is recommended as well. The people that built these systems know the systems the best, and can help find exploits that an external party may not be able to find easily.
Data Masking
All efforts should be made to keep customer data out of lower lifecycle environments for testing. In some cases, it may be necessary to diagnose specific issues, however that should not be the normal practice. Many data breaches are attributed to insecure lower lifecycle environments, that typically have shared admin passwords and accounts.
Incident response plan
Mirroring most business continuity/disaster recovery plans, biannual testing of your company's incident response plan would be a recommended action. Simulating, or discussing "what-if scenarios", will give engineering and IT the opportunity to hone the incident response plan.
Vulnerability Bounty Program
After the initial “low hanging fruit” of vulnerabilities has been remediated, a very effective tool to encourage ongoing thought about security is to host periodic vulnerability bounty programs. During a set period, developers can find and propose solutions to a vulnerability they may know about or have discovered. Using the Security CoE or executives/leadership as the judging body, a reward should be offered to the most impactful discovery and remediation plan.
Nathan Ballard
nballard@agileco-op.com
www.agileco-op.com
404-242-3736 - text me, call me, LinkedIn, whatever!