Advanced Security Center Overview Northern Illinois University
Who am I?
• Nathan McFeters
• Senior Security Advisor, Ernst & Young’s ASC
• Based out of Chicago, serving as a Security Evangelist for the Midwest region
• Noted public speaker including:
  • Black Hat Europe (2008), Black Hat Federal (2008), Black Hat Japan (2007)
  • ToorCon 9 (2007)
  • DEFCON 15 (2007)
  • Hack in the Box Malaysia (2007)
  • Speaking at ToorCon Seattle next week
• Blogger on ZDNet’s Zero Day Security Blog (http://blogs.zdnet.com/security)
• Security Researcher with numerous vulnerabilities reported to vendors
Advanced Security Center Overview
• Dedicated Team
• Cost Efficient and Scalable
• Physical and Logical Controls
• Collaborative Environment
• Centralized Management & Operations
• Standardized Methodologies and Tools
• Consistent Quality Control Procedures
• Knowledge Transfer
Global Locations • Houston • New York • London • Dublin • Paris • Buenos Aires • Singapore
Thought Leadership – Publications
• Network Security Tools
• HackNotes Linux and Unix Security Portable Reference
• Defending the Digital Frontier
• Hacking Exposed: Web Applications - Contributing Author
• Hacking Exposed: Windows 2000 - Contributing Author
• Ajax Security Basics, SecurityFocus.com
Thought Leadership – Public Speaking • Black Hat Europe: 2008 • Black Hat Federal: 2008 • RSA: 2008 • Hack in the Box - Malaysia: 2007 • ToorCon 9: 2007 • Tecnofin Info Security Forum – Mexico City: 2007 • DEFCON 15: 2007 • Black Hat Europe: 2007 • Black Hat Las Vegas: 2005 • Vanguard Security Conference: 2005 & 2006 • New York Software Industry Association: 2006
Thought Leadership – Security Advisories • Adobe Security Advisory published two days ago – DNS Rebinding Flaw in Adobe Flash’s URLLoader class due to DNS canonicalization handling • Macintosh Apple Security Bulletin 2008 – Format String Vulnerability in iPhoto on Mac OS X Leopard • CVE-2007-4041 – Multiple argument injection vulnerabilities in Mozilla Firefox 2.0.0.5 allow remote attackers to execute arbitrary commands • CVE-2007-3670 – Firefox "firefoxurl://" URI Handler Registration Vulnerability • CVE-2007-3294 - Netscape "navigatorurl://" URI Handler Registration Vulnerability • SecurityFocus BID 24927 – Trillian is Vulnerable to Remote Command and Remote Code Execution through “aim://” URI • Microsoft Security Bulletin MS07-035 – Integer Overflow Condition in “res://” URI Handler • Microsoft Security Bulletin MS06-056 – XSS Exposure in .NET Framework
Testing Data Collection • We captured 551 tests with 4200 individual findings • 29% of the reports are infrastructure tests and 71% are application tests • We identified an average of 68.5 finding instances per test • More than 37755 instances of findings in total • More than 15156 instances (40%) are high risk findings
Overall Metrics • 88% of our tests have at least one high risk finding • 58% of all high risk issues require a low level of effort to exploit • 54% of all identified issues require only a low level of effort to remediate
Infrastructure Metrics • Only 1% of all issues identified during infrastructure testing could be remediated by implementing a patch • 67% of all issues identified during infrastructure testing could be remediated by a configuration change • “Vulnerable service open” and “Weak Database Administrator Password” are the two most common high risk infrastructure vulnerabilities and make up 58% of all high risk infrastructure issues
Application Metrics • 93% of our application tests have at least one high risk finding • 70% of the high risk issues identified during application testing require a low level of effort to exploit • 46% of high risk issues identified during application testing require only a low level of effort to remediate • 57% of the high risk issues identified during application tests require changes to the application code to be remediated
The Cause
10 Most Critical Web Application Vulnerabilities (Source: www.owasp.org)
• Cross Site Scripting (XSS)
• Injection Flaws
• Malicious File Execution
• Insecure Direct Object Reference
• Cross Site Request Forgery (CSRF)
• Information Leakage & Improper Error Handling
• Broken Authentication and Session Management
• Insecure Cryptographic Storage
• Insecure Communications
• Failure to Restrict URL Access
[Slide diagram: layered stack of Data, Application (the list above), Application Server/Services, Operating System and Infrastructure, with “Traditional Security” labelling the layers below the application]
Root Cause: Developers without security experience
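Added example, not taken from the slides or from Ernst & Young’s toolset: the first two OWASP 2007 categories, Injection Flaws and Cross Site Scripting, shown as a vulnerable function beside its hardened form. The user table, the function names and the attacker inputs are constructed for illustration; the only library calls are Python’s standard sqlite3 and html modules.

```python
import html
import sqlite3

# Constructed sample data for the example. A real application would never keep
# plaintext passwords (that is OWASP 2007 A8, Insecure Cryptographic Storage).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """A2 Injection Flaws: user input is pasted into the SQL text, so quotes and
    a '--' comment in the input rewrite the WHERE clause itself."""
    query = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_hardened(conn, name, password):
    """Same query with bound parameters: the driver passes the values separately
    from the statement, so they are only ever compared as data."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def greet_vulnerable(name):
    """A1 XSS: untrusted input is interpolated straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def greet_hardened(name):
    """Output encoding for an HTML text context: <, >, &, ' and " become
    entities, so markup in the input renders as literal text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


INJECTION_INPUT = "' OR '1'='1' --"        # constructed attacker input
XSS_INPUT = "<script>alert(1)</script>"    # constructed attacker input


def demo():
    """Run both attacks against both versions and return what each one yields."""
    conn = make_db()
    return {
        # bypasses the password check and returns every user
        "sqli_vulnerable": login_vulnerable(conn, INJECTION_INPUT, "wrong"),
        # the same input is just a username that does not exist
        "sqli_hardened": login_hardened(conn, INJECTION_INPUT, "wrong"),
        # script tag reaches the browser intact
        "xss_vulnerable": greet_vulnerable(XSS_INPUT),
        # script tag is rendered as text
        "xss_hardened": greet_hardened(XSS_INPUT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The hardened login only closes the injection; the constructed table still stores plaintext passwords, which is itself an Insecure Cryptographic Storage finding in the list above, and html.escape is correct only for an HTML text or attribute context, not for JavaScript or URL contexts.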
Web Application Security: The Solution • Application Security Testing • Methodology and Tools • Black Box • WebSmack • XS-Sniper • Grey Box • Prophet • DBHoldup • Education • Leverage Test Results • Hands-On • Integration of Both into our Client’s Systems Development Lifecycle (SDLC)