Web Attack & Managing PCI Compliance

by

Amjad Rehman

on 5 December 2015


Web Attack & Managing PCI Compliance
Authenticity problem and cyber attack
Before the implementation of PCI, companies faced numerous website attacks, called SQLi (SQL injection), that were reported on a daily basis as more and more websites moved toward data-driven designs that used SQL to enable online payments, which led to vulnerabilities.

The attackers were able to figure out how many columns are in a table stored in the database by appending an “Order by” statement to a URL that accepted queries. Authenticity was compromised and an unauthorized person (hacker) could get access to the backend data.

SQLi purposely confuses the SQL interpreter, which cannot distinguish between the intended commands and the code injected by the attacker, in order to target the application database to extract data records with personal information or to insert malicious scripts.
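The interpreter confusion described above, shown next to the corrected query, as an added example that is not part of the original presentation. The `orders` table, its columns and the function names are assumptions, and the data is constructed; SQLite stands in for the backend database.

```python
import sqlite3

def make_db():
    # Constructed sample data: one three-column table, as a payment page might query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, item TEXT, card_last4 TEXT)")
    db.execute("INSERT INTO orders VALUES (1, 'book', '4242')")
    return db

def lookup_concat(db, order_id):
    # Weak form: the URL value becomes part of the SQL text, so the interpreter
    # parses whatever follows the number as SQL.
    sql = "SELECT id, item, card_last4 FROM orders WHERE id = " + order_id
    try:
        return ("rows", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # The differing outcome (rows vs. database error) is what discloses
        # the column count to whoever controls the URL value.
        return ("sql_error", str(exc))

def lookup_bound(db, order_id):
    # Hardened form: validate the type, then bind the value as a parameter.
    # The SQL text is fixed; the value can never be parsed as a clause.
    try:
        value = int(order_id)
    except ValueError:
        return ("rejected", [])
    sql = "SELECT id, item, card_last4 FROM orders WHERE id = ?"
    return ("rows", db.execute(sql, (value,)).fetchall())

if __name__ == "__main__":
    db = make_db()
    for raw in ("1", "1 ORDER BY 3", "1 ORDER BY 4"):
        print(repr(raw), lookup_concat(db, raw)[0], lookup_bound(db, raw)[0])
```

With the bound query, every non-numeric value gets the same "rejected" response, so the response no longer varies with the table's structure.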


Pros & Cons: IBM AppScan Commercial
Business/Legal consequence
Information Disclosure:
Information disclosure is one of the biggest threats to large organizations that maintain private information about their customer base. When attackers are capable of revealing private information about a user or users of a website, consumer confidence in that organization can take drastic hits, causing loss in sales, stock price, and overall marketability.

Intellectual Property:
Intellectual property is a product of the intellect that has commercial value, including copyrighted property such as literary or artistic works, and ideational property, such as patents, appellations of origin, business methods and industrial processes. Companies whose success and reputations are built upon patents, research, and development are especially at risk. Great examples include pharmaceutical companies, DOD and universities.

Personally Identifiable Information:

For attackers to perpetrate financial crimes or identity theft, they need credit card numbers, phone numbers, addresses, Social Security numbers, health-related information, and bank account numbers. This information has become a commodity for hackers and a risk for businesses like hospitals.

My Company Steps towards Web attack
Implementation of
HP WebInspect

Detect, prevent, and manage web attack incidents
My Company prompt and effective actions:
Cost/Risk Analysis
Risk Management & Regulatory compliance:

Increased regulation worldwide, both by governments and within industries, has resulted in greater accountability for corporate officers when it comes to managing risk in their organization.

Industry experts believe that implementation of security today depends on establishing strong security policies and procedures, not merely turning-on auditing features or deploying encryption in a solution. End-to-end security implementation should be the goal for enterprises, according to these experts, combining database security with application-, network-, and infrastructure-level security.

$7.2 million USD = average organizational cost per security breach (U.S.) - Ponemon Institute Study, March 2011
93% increase in Web attacks from 2009 to 2010 - Symantec Internet Security Threat Report, April 2011
400% increase in mobile malware from 2012 to 2013 - Juniper Networks Study, May 2014
According to the 2013 Cost of a Data Breach study, published by Symantec and the Ponemon Institute, the cost of the average consolidated data breach incident increased from US$130 to US$136. However, this number can vary depending on the country, where German and US companies experienced much higher costs at US$199 and US$188, respectively.

TheCloud Team : Yana & AJ
Key Features of WebInspect
Dynamic Analysis, also known as Dynamic Application Security Testing (DAST), available from HP WebInspect

• Engage in dynamic security testing for web apps from Dev thru Production
• Automated and configurable web application security and penetration testing tool that mimics real-world hacking techniques and attacks
• Easily manage, view and share security-test results and histories
• Security test web APIs and web services that support your business

Demonstrate compliance with various regulatory agencies

Run compliance reports for all major regulatory standards, including PCI, SOX, ISO, and HIPAA

Example: One US medical records company was driven to bankruptcy after a break-in which led to the exposure of addresses, social security numbers, and medical diagnoses of 14,000 people. When explaining its decision to file for Chapter 7 bankruptcy protection, the company said that the cost of dealing with the data breach was “prohibitive.”

Medical identity theft could have a huge impact on the consumer, potentially costing victims thousands of dollars, putting their health coverage at risk, causing legal problems, or leading to the creation of inaccurate medical records. Attackers can use health insurance information, personal details, and social security numbers to make false claims on their victims’ health insurance.
Learn what it takes to protect your business:
Understanding the risk of a cyber-attack on your business, personal, financial, and proprietary data is critical.
Stay ahead of the curve; act promptly:
Digital Forensics and e-Discovery; and Data Recovery and Secure Disposal.
Gain advanced threat defense:
Get unparalleled access to technology and services that help you identify and prevent advanced threats and targeted attacks on our networks, with Advanced Threat Protection from HP WebInspect, FireEye, etc., which minimizes targeted attacks and enables us to prepare better responses in the future.
Engage forensic expertise:
Digital Forensics and e-Disclosure services use industry-standard models to identify data and data owners, keep relevant data in a legally acceptable way, collect and process it in the correct formats, and review it for relevance to the legal process. We also ensure it can be presented in a way that is legally acceptable.
Gartner Magic Quadrant
Pros & Cons: Acunetix WVS Commercial
Boasts high performance on Windows, with great security audit features
Comparable to IBM’s AppScan with less rating on attack vectors
UI is friendly, great speeds and URL discovery capability
Detection Accuracy is high, which makes it a good scanner overall
Comparable with Syhunt Mini (Sandcat Mini) and ZAP
For Windows, good fuzzing inbuilt

Scans DAST (Dynamic Application Security Testing)
Scans SAST (Static Application Security Testing)
Wide range of attack vectors
Good score over other web application scanners
Less false positives
2015 current version: v9.0 (332MB or 513MB on Windows Platform)
Audit features can be compared to WebInspect, W3af and Acunetix
Key Features

• Integrated dynamic code and runtime analysis to find more vulnerabilities and fix them faster

• Observe application reaction to attacks at the code level during dynamic scans

• Identify and crawl more of an application to expand the coverage of the attack surface

• Provide stack traces and SQL queries to confirmed vulnerabilities


Pros & Cons: HP WebInspect Commercial
Wide range of attack vectors, less than IBM AppScan
Bad Crawler
HP SmartUpdate makes the application update on the go
2015 current version: v10.30 (754MB, platform: Windows)

Proposal for my Company
Based on the comparison and analysis of the different tools and the organization's requirements, my organization went with HP WebInspect.
Reasoning:
HP WebInspect is the best-known web application security audit tool
HP SmartUpdate makes the application update on the go
Costs are on the higher side, but there is satisfaction with regard to security
Detailed attack table, live scan dashboard, live scan statistics

What are the Drivers & Cost for Implementation
What are the Drivers?
PCI Compliance Obligations
CFPB Regulations & Requirements after review
Software security threat #3 risk on Fortune 500
Internal Risk Drivers

Implementation Project: Cost $280,000

HP Fortify
HP ArcSight
Three year Support
Hardware and Software
HP Implementation consultant

Absence of the vulnerability Scan tool
The company faced the risk of becoming non-compliant with PCI Standards.

The company conducted research to find the right vulnerability scan tool, one that fits the security needs to support PCI compliance and is cost effective.
Pros and Cons: IBM AppScan Commercial
Continue monitoring....