Technology Risk Supervision Division, Monetary Authority of Singapore

CYBER TRENDS & INDUSTRY PENETRATION TESTING

Connect 2015



A NEW DAWN

• New Services / Mobile Application, NFC, FAST
• Technology / Biometrics, Big Data, Analytics, Cloud, Blockchain
• Payment Methods / Virtual currencies
• Interconnectivity / Globalisation, network reach
• Cyber threats / APTs, Zero Days, DDoS
• Anonymous / Hacktivism, Political

MAJOR CYBER ATTACKS (2013 – 2015)

• Feb 2013 – US$40M coordinated ATM heist across the globe.
• Mar 2013 – Computer networks of 3 major banks and 2 large broadcasters in South Korea paralysed.
• Mar 2013 – Phase 3 of Operation Ababil DDoS campaign on US banks.
• Dec 2013 – 40M credit/debit cards compromised at Target.
• Jan 2014 – Contractor walked out from a credit bureau with credit card details of 20M South Koreans on a thumbdrive.
• Feb 2014 – Mt. Gox hacked. 850k bitcoins (~US$450M) lost.
• Feb 2014 – comGateway hacked. 90k credit cards compromised. A third from Singapore.
• Apr 2014 – Critical “Heartbleed” vulnerability in OpenSSL disclosed.
• May 2014 – 233M customer info compromised at eBay.
• Aug 2014 – JP Morgan Chase compromised. 83 million records of households/small biz leaked.
• Nov 2014 – Sony Pictures hacked. Personnel information, emails, unreleased movies leaked. Computer systems crippled.
• 2015 – Venom, Dyre, 400+Gbps DDoS, FREAK, LogJam, DD4BC, Ransomware, Duqu…

“Robbing one person at a time using a knife or gun doesn’t scale well. But now one person can rob millions at the click of a button,” – Marc Goodman of the Future Crimes Institute.

TECHNOLOGY RISK SUPERVISION (FINANCIAL SECTOR)

• Off-site reviews
• On-site inspections / Supervisory visits
• Issuance of Guidelines and Notice
• Cyber Security Initiatives
• Regular engagements

Pillars: SUPERVISION, POLICY, SURVEILLANCE

WHAT IS PENETRATION TESTING?

“Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access.”
- SANS Institute

“PT provides a snapshot of the security posture or point-in-time security assessment of the FI’s systems and infrastructure.”
- ABS Penetration Testing Guidelines, May 14

PT? VA?

9.4.4 The FI should carry out penetration tests in order to conduct an in-depth evaluation of the security posture of the system through simulations of actual attacks on the system. The FI should conduct penetration tests on internet-facing systems at least annually.

OBJECTIVE

1. Develop a set of Penetration Testing (PT) guidelines for the financial sector
2. 11 FIs participated in the IPT
3. Analyse PT results and refine guidelines
4. Publish PT guidelines and share key findings with ABS members

DEVELOPMENT OF IPT GUIDELINES

• Referenced from reputable sources on PT standards:
  • PTES (Penetration Testing Execution Standard) Technical Guidelines
  • OWASP Top Ten
  • CWE, CVSS, CAPEC standards
• Reviewed by senior technical specialists from participating FIs
• PT guideline covered key areas including scope, methodology, vendor selection criteria and reporting requirements
• Scope of PT

DELIVERING A SECURE APPLICATION

• Requirements Gathering: Functional; Non-functional
• Secure Development: Source code review; Non-functional tests
• Secure Deployment: Hardening; PT / VA
• Secure Operations: Security monitoring; Firewall

This should not be the final step in your SDLC process.

PT ANALYSIS

• To ensure consistency in our analysis, 2 key standards were used:
  • Common Weakness Enumeration (CWE)
  • Common Vulnerability Scoring System (CVSS)
• To ensure independence, FIs are asked to engage a third party to perform the PT and assess the severity of issues identified.

COMMON WEAKNESS ENUMERATION (CWE)

• CWE is a community-developed dictionary of software weakness types that can occur in software's architecture, design, code or implementation and that can lead to exploitable security vulnerabilities. The MITRE Corporation maintains CWE.
• Examples of CWE:
  • CWE-200 Information Disclosure
  • CWE-79 Cross-site Scripting
  • CWE-598 Information Exposure Through Query Strings in GET Request

COMMON VULNERABILITY SCORING SYSTEM (CVSS)

• CVSS provides a universal, open and standardized method for rating IT vulnerabilities
• Developed by FIRST - an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs

Risk Rating   CVSSv2 Score
High          7.0 - 10.0
Medium        4.0 - 6.9
Low           0.0 - 3.9

FINDINGS

Key observations across all FIs:
• Common weaknesses identified
• Top 10 high risk vulnerabilities according to CVSS BASE scores

COMMON WEAKNESSES IDENTIFIED

CWE-200: INFORMATION EXPOSURE
An information exposure can provide information about the product or its environment that could be useful in an attack.
• Information Exposure Through an Error Message
• Web Server Version Disclosure
• Clear Text Storage of Sensitive Information in a Cookie

CWE-310: CRYPTOGRAPHIC ISSUES
• Use of a Broken or Risky Cryptographic Algorithm
• Inadequate Encryption Strength
• Missing Encryption of Sensitive Data

CWE-284: IMPROPER ACCESS CONTROL
• Vertical Privilege Escalation
• Web Server Supports Basic Authentication
• Improper Restriction of Excessive Authentication Attempts

CWE-20: IMPROPER INPUT VALIDATION
• Cross-site Scripting (XSS)
• SQL Injections
• Pathname Traversal

CWE-20: IMPROPER INPUT VALIDATION / CWE-89: SQL INJECTION

Related CWE entries: CWE-17 Code; CWE-18 Source Code; CWE-19 Data Handling

• Without sufficient validation of SQL syntax in inputs, the SQL query can cause those inputs to be interpreted as SQL.
• This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands.
• SQL injection has become a common issue with database-driven web sites.

CWE-89
• Detection: Automatic Static Analysis, Dynamic Analysis, Manual Static Analysis – Source Code
• Mitigation: Input field validation, application firewall
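As an added illustration of CWE-89 beside its mitigation (example code, not from the deck): a string-built query next to its parameterized form, with an allowlist validator for the input field; the table and rows are constructed. A legitimate name containing an apostrophe is enough to show the query text being re-parsed as SQL, and why the raw database error must not reach the client (the error-message exposure listed in the findings).

```python
"""CWE-89: string-built SQL beside its parameterized form, plus input-field
validation. Added example, not from the deck; schema and rows are constructed."""
import re
import sqlite3

# Constructed in-memory table so the example runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, tier TEXT)")
conn.executemany("INSERT INTO customers (name, tier) VALUES (?, ?)",
                 [("alice", "retail"), ("O'Brien", "private")])

# Allowlist for the name field: letters, apostrophe, hyphen, space; starts with a letter.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")


def validate_name(name):
    """Input-field validation: reject anything outside the allowlisted pattern."""
    return NAME_RE.fullmatch(name) is not None


def lookup_vulnerable(name):
    """CWE-89: the input is spliced into the SQL text, so the engine parses it as SQL."""
    sql = "SELECT id, name, tier FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()


def lookup_safe(name):
    """Hardened form: a bound parameter is data to the driver, never SQL syntax."""
    sql = "SELECT id, name, tier FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()


def query_error(fn, name):
    """Return the database error text a caller would see, or None on success.
    A raw message like this in an HTTP response is the error-message exposure finding."""
    try:
        fn(name)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    # "O'Brien" passes the allowlist, so validation alone does not fix the query.
    print(validate_name("O'Brien"))
    print(query_error(lookup_vulnerable, "O'Brien"))  # syntax error: the quote ended the literal
    print(lookup_safe("O'Brien"))                     # row returned intact
```

Validation narrows what reaches the query (it rejects `;` or `--`), but the parameterized form is what removes the weakness, as the apostrophe case shows.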

TOP 10 HIGH-RISK VULNERABILITIES

• SQL injections*
• Cross Site Scripting*
• Information Exposure Through an Error Message*
• Insecure Cookies
• Cacheable SSL Pages
• Validation performed on client-side only
• Admin interfaces configured with default credentials
• Unpatched/outdated systems*
• Core Dump Enabled
• OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

Note:
• Based on CVSS v2 “Base Score” – a vulnerability with a score of >= 7.0 will be classified as “High-risk”.
• Vulnerabilities noted may not be easily exploitable as there are layered controls in FIs’ environment (e.g., login credential, system access).

POINTS TO NOTE

While efforts were made to align the scope and methodology as much as possible, these factors will affect the results of the PT:
• Skill and judgement of the penetration tester(s)
• Date of last PT performed on the system
• The period since security fixes and patches were applied to the system
• Major system enhancements prior to IPT

WHAT’S NEXT?

• Issuance of PT guidelines
• ABS SCCS to share observations and recommendations
• Next IPT
• Accreditation of penetration tester