Securing your Applications & Data With Web Application Firewalls
Dennis K. Usle
Sr. Security Architect, Radware
July 2013
Slide 1
Cyberwar: The Web App Aspect
Web Application Security Challenge
Countermeasure: WAF
Selection Considerations
Cyber War: The Web Application Aspect
Cyberwar Toolbox
Web Vandalism
Slide 4
Cyber Espionage
Disruption of Service
Gathering & Manipulating Data
Trojan, Viruses & Worms
Attack Critical Infrastructure
Slide 5
Targeting Different Layers
• Large volume network flood attacks
• XSS, Brute force
• OS Commanding
• Application vulnerability, malware
• SQL Injection, LDAP Injections
• Port scan, SYN flood attack
• “Low & Slow” DoS attacks (e.g. Sockstress)
• Network scan
• Intrusion
• High and slow Application DoS attacks
• XML manipulations, Web Services Abuse
• Leakage of Sensitive Data
Slide 6
“Approximately 120 countries have been developing ways to use the Internet as a weapon and target financial markets, government computer systems and utilities.”
Source: McAfee, 2007, The Internet security report
Slide 7
8 March 2012: India/Bangladesh cyberwar moves to a new level. The ongoing cyberwar between India and Bangladesh has escalated with Teamgreyhat, in support of “our Indian brothers”, moving from commercial to economic targets.
Sep 2, 2012: Taiwan to step up cyberwar capabilities. Taiwan plans to beef up its cyberwar capabilities to counter a perceived threat from Chinese hackers targeting government and security websites.
July 6, 2012: Pentagon Digs In on Cyberwar Front. Elite School Run by Air Force Trains Officers to Hunt Down Hackers and Launch Electronic Attacks.
Cyberwar – The Web App Aspect
Slide 8
Web Applications Security Challenge
Web Apps are Easy to Exploit
• Whole system open to attack
• Can target different layers
• Thousands of Web security vulnerabilities
• Minimal attention to security during development
• Traditional defences inadequate
All they need is a browser
Slide 10
Thousands of Vulnerabilities Every Year
Slide 11
[Chart: number of vulnerabilities per year, 2000 through 2012; y-axis 0 to 7000]
• Source: National Vulnerabilities Database
Minutes to Compromise, Months to Discover
Slide 12
SQL Injections are Dominant
Slide 13
Trends for Web App Vulnerability Types
Slide 14
Top Attack Methods
Slide 15
• Source: webappsec.org
Slide 16
Web Site Defacements (before)
Slide 17
Web Site Defacement (after)
City of Detroit Defacement – Jan 2010
Slide 18
Slide 19
Data Security Breaches
Sep 9, 2012: Dominos Pizza (India): 37,187 names, phone numbers, email addresses, passwords and addresses
Jan 31, 2011: “Online dating Web site PlentyOfFish.com has been hacked, exposing the personal information and passwords associated with almost 30 million accounts”
Slide 20
Top Web Attack Impacts
Slide 21
• Source: webappsec.org
Lost Record Cost Rises
The average total cost of a data breach rose to $6.75 million in 2009
Slide 22
Millions of Records Breached
Records of sensitive information (CCN, SSN, etc.) were breached by hacking attempts only in the United States.
The population of the United States, projected to Sep 2012, is 314,324,529
Source of Breach
[Pie chart: External 80%, Partner 18%, Internal 2%]
• Source: 7safe.com
Slide 24
Countermeasures: Web Application Firewall
Slide 26
Mapping Security Protection Tools
[Figure labels: DoS Protection, Behavioral Analysis, IP Rep., IPS, WAF, SHUT DOWN]
• Large volume network flood attacks
• XSS, Brute force
• OS Commanding
• Application vulnerability, malware
• SQL Injection, LDAP Injections
• Port scan, SYN flood attack
• “Low & Slow” DoS attacks (e.g. Sockstress)
• Network scan
• Intrusion
• High and slow Application DoS attacks
• XML manipulations, Web Services Abuse
• Leakage of Sensitive Data
Cost Effective, Time to Security
Slide 27
• Source: WhiteHat Security
Security Intelligence Timeline
Slide 28
What are the internal/external threats?
Can we protect against these threats?
Vulnerability – Exploit
Why WAF
• Time to Security
• Centralized Security
• Protect 3rd Party Modules
• No App Modification
• Security While App Changes
• Application Visibility
• Cost Effective
Slide 29
WAF Selection Considerations
Mapping Your Requirements – Essential
• Zero Day vs. Known attacks
• False Negative vs. False Positive
• Time to Security
• Auto Policy Generation
• Performance / Scalability
Mapping Your Requirements – Advanced
• Cost of Ownership
• Changes to Existing Environment
• Inline vs. out-of-path
• Reverse Proxy vs. Bridge
• Level of Protection
Standard Web Application Protection
Data Leak Prevention
• Credit card number (CCN) / Social Security (SSN)
• Regular Expression
Signature & Rule Protection
• Evasions
• HTTP response splitting (HRS)
• Cross site scripting (XSS)
• SQL injection, LDAP injection, OS commanding
• Terminate TCP, Normalize, HTTP RFC
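As an added illustration of the two rows above (this is example code written for this page, not Radware's code or any product's rule set): a small Python pipeline that first normalizes request parameters (repeated percent-decoding so double-encoded input such as `%2527` cannot slip past a rule, then whitespace collapsing) and only then applies a handful of constructed SQL injection, XSS, OS commanding and HTTP response splitting rules; on the response path it masks Luhn-valid credit card numbers and SSN-shaped values found by regular expression. All signatures, DLP patterns and sample traffic are constructed here and are far smaller than a real rule set.

```python
import re
from urllib.parse import unquote

# Added example, not Radware's code or a product's rule set. Signatures,
# DLP patterns and sample traffic below are all constructed for illustration.

# Negative security model: a few constructed signatures, applied only after
# normalization so that encoding tricks do not slip past them.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+\d+\s*=\s*\d+|--\s*$)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)"),
    "os_cmd": re.compile(r"(;|\|\||&&)\s*(cat|ls|id|wget|curl)\b"),
}


def normalize(value, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding such as %2527),
    then collapse runs of spaces/tabs. Rules are matched on this form only.
    CR/LF are deliberately kept so response-splitting checks still see them."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"[ \t]+", " ", value)


def inspect_request(params):
    """Return [(param, rule), ...] for every rule a normalized parameter hits."""
    hits = []
    for name, raw in params.items():
        value = normalize(raw)
        # CR/LF in a value that may be echoed into a header: response splitting.
        if "\r" in value or "\n" in value:
            hits.append((name, "hrs"))
        for rule, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, rule))
    return hits


# Data leak prevention on the response path: regular-expression candidates,
# then a Luhn check so that arbitrary 13-16 digit numbers are not masked.
CCN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_response(body):
    """Mask Luhn-valid card numbers (keeping the last four digits) and SSNs.
    Returns (masked_body, cards_masked, ssns_masked)."""
    counts = {"ccn": 0, "ssn": 0}

    def mask_card(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number: leave untouched
        counts["ccn"] += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    def mask_ssn(m):
        counts["ssn"] += 1
        return "***-**-****"

    body = CCN_CANDIDATE.sub(mask_card, body)
    body = SSN.sub(mask_ssn, body)
    return body, counts["ccn"], counts["ssn"]


SAMPLE_REQUEST = {  # constructed query parameters
    "q": "%2527%20OR%201%3D1--",                 # double-encoded ' OR 1=1--
    "redirect": "/home%0D%0ASet-Cookie:%20a=b",  # CR/LF aimed at a header
    "page": "2",
}
SAMPLE_RESPONSE = ("Order 17 paid with card 4111 1111 1111 1111, "
                   "ref 1234 5678 9012 3456, employee SSN 123-45-6789.")

if __name__ == "__main__":
    print(inspect_request(SAMPLE_REQUEST))
    print(mask_response(SAMPLE_RESPONSE))
```

The order of operations is the point: matching the raw `%2527` against a quote-based rule finds nothing, matching the normalized value does, which is why the slide lists "Terminate TCP, Normalize, HTTP RFC" alongside the signatures. The Luhn check is what keeps the DLP rule from masking order or reference numbers that merely look like cards, which is the false-positive side of the trade-off named under Selection Considerations.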
Advanced Web Application Protection
Parameters Inspection
• Buffer overflow (BO)
• Zero-day attacks
User Behavior
• Cross site request forgery
• Cookie poisoning, session hijacking
Layer 7 ACL
• Folder / file level access control
• White listing or black listing
XML & Web Services
• XML Validity and schema enforcement
Role Based Policy
• Authentication
• User Tracking
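As an added illustration of the Parameters Inspection and Layer 7 ACL rows above (example code written for this page, not Radware's code or a product's policy format): a constructed positive-security profile. It white-lists paths and their permitted methods, black-lists folders, normalizes the path so traversal cannot reach a black-listed folder, applies a hard length ceiling to every parameter before any regular expression runs (the parameter-inspection check that stops oversized input before it reaches a buffer), and rejects parameters the profile does not define. The profile and the sample requests are constructed.

```python
import posixpath
import re

# Added example, not Radware's code: a constructed positive-security
# (white-list) profile. Paths, rules and sample requests are all made up here.

# Layer 7 ACL: white list of paths with permitted methods, plus a black list
# of folders that must never be reachable through the application.
ALLOWED_PATHS = {
    "/login": {"POST"},
    "/search": {"GET"},
    "/account/profile": {"GET", "POST"},
}
DENIED_PREFIXES = ("/admin/", "/.git/", "/backup/")

# Parameters inspection: per-path value profiles. Anything not listed is
# rejected, so a parameter the application never defined cannot be smuggled in.
PARAM_RULES = {
    "/login": {
        "user": re.compile(r"[A-Za-z0-9_.@-]{1,64}"),
        "pass": re.compile(r".{8,128}", re.DOTALL),
    },
    "/search": {
        "q": re.compile(r"[\w .,-]{0,100}"),
        "page": re.compile(r"\d{1,3}"),
    },
    "/account/profile": {"id": re.compile(r"\d{1,10}")},
}
MAX_PARAM_LEN = 1024  # hard ceiling applied before any regex runs


def evaluate(method, path, params):
    """Return ("allow" | "block", [reasons]) for one request."""
    # Normalize first so "/search/../admin/x" is judged as "/admin/x".
    path = posixpath.normpath(path)
    if path.startswith(DENIED_PREFIXES):
        return "block", ["path denied by Layer 7 ACL"]
    if path not in ALLOWED_PATHS:
        return "block", ["path not in white list"]
    reasons = []
    if method not in ALLOWED_PATHS[path]:
        reasons.append("method %s not allowed on %s" % (method, path))
    rules = PARAM_RULES.get(path, {})
    for name, value in params.items():
        if len(value) > MAX_PARAM_LEN:
            # Length ceiling first: oversized input is the classic overflow vector.
            reasons.append("%s: length %d exceeds %d" % (name, len(value), MAX_PARAM_LEN))
            continue
        rule = rules.get(name)
        if rule is None:
            reasons.append("%s: unknown parameter" % name)
        elif not rule.fullmatch(value):
            reasons.append("%s: value does not match profile" % name)
    return ("block" if reasons else "allow"), reasons


SAMPLE_REQUESTS = [  # constructed
    ("POST", "/login", {"user": "alice", "pass": "correct horse battery"}),
    ("GET", "/search", {"q": "web application firewall", "page": "2"}),
    ("GET", "/search", {"q": "A" * 2000}),            # oversized value
    ("GET", "/search", {"q": "waf", "debug": "1"}),   # unknown parameter
    ("GET", "/search/../admin/config", {}),           # traversal into black list
    ("GET", "/login", {"user": "alice"}),             # wrong method
]


def evaluate_all(requests):
    """Decision per request, in order."""
    return [evaluate(*r)[0] for r in requests]


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request[0], request[1], evaluate(*request))
```

A profile like this is the "Auto Policy Generation" item from the selection slide in miniature: the allowed paths and parameter shapes are what a learning phase would have to produce, and every application change that adds a parameter or path shows up as a block until the profile is updated, which is the "Security While App Changes" trade-off in concrete form.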
Priorities make things happen
Slide 35
Summary
Cyberwar: The Web App Aspect
Web Application Security Challenge
Countermeasure: WAF
Selection Considerations
• NBA: Prevent application resource misuse; Prevent zero-minute malware
• DoS Protection: Prevent all types of network DDoS attacks
• IPS: Prevent application vulnerability exploits
• Reputation Engine: Financial fraud protection; Anti Trojan & Phishing
• WAF: Mitigating Web application threats and zero-day attacks
Slide 38
Thank You