2012-11-04


Revision as of 18:13, 4 November 2012


== Introduction ==





The goal of this guide is aligned to the OWASP mission, which is “to make application security visible so that individuals and organizations can make informed decisions about true software risks”. Specifically, the intent of this guide is to help CISOs (Chief Information Security Officers) make informed decisions on how to mitigate the risks of insecure web applications and web application software.




CISOs today are responsible for directing and managing application security programs such as application security governance, risk management, audit and compliance. With regard to managing application security risks, one of the CISO's responsibilities is to direct application security programs that include developing and implementing security policies, standards and guidelines; working with audit and legal counsel to establish compliance with regulatory requirements; and defining and implementing an ongoing application security program that identifies the critical web application assets, assesses the threats and vulnerabilities of these assets and recommends application security measures. For the recommendation of security measures in particular, it is important for the CISO to make informed decisions on how to mitigate application security risks and on which application security measures to invest in. The aim of this guide is to help the CISO make these decisions, for example by providing risk and cost criteria for deciding which application vulnerabilities to prioritize for remediation and which countermeasures to implement to protect web applications from new threats and attacks.


Because of the constantly evolving threat landscape, in which new threat agents seek to attack web applications to compromise customers' sensitive data and companies' proprietary information for political reasons, financial gain and cyber espionage, CISOs are challenged to make proactive risk decisions to mitigate the risks posed by these new threat agents. These risk decisions often involve analyzing the probability and impact of the risk to determine the overall risk, and trading off the costs and effectiveness of security measures to decide which application security investments to prioritize. Accordingly, the aim of this guide is to provide guidance to CISOs for making informed risk decisions, such as prioritizing the mitigation of web application vulnerabilities that might severely impact the organization and jeopardize the business. To decide which web application vulnerabilities to prioritize for mitigation and which countermeasures to invest in, this guide provides the CISO with risk-based criteria, such as the quantification of the business impact of data breaches. These business impacts are then compared with the costs and the benefits of investments in application security measures.


When deciding which countermeasures to deploy for mitigating the risk of MiTB and MiTM attacks, CISOs might need to trade off the risk, the effectiveness of these countermeasures and their costs. The countermeasures that cost the least and mitigate MiTB and MiTM attacks the most can be prioritized for investment. Typically, client-based anti-malware software can be effective in mitigating malware risks at the front door and is rather inexpensive to acquire and deploy, as long as this cost does not include the total cost of maintaining the solution for a large customer population. Security awareness campaigns for customers can be the least expensive measure but might not be very effective, since customers often do not pay attention to security warnings. Acquiring and deploying out-of-band authentication and out-of-band transaction validation/authorization can be expensive, but it offers strong mitigation against man-in-the-middle attacks and can be a viable option for protecting high risk transactions. Fraud detection systems for monitoring malicious traffic might be expensive to implement and maintain and need to be justified case by case. For example, if it is known that some web applications are constantly under attack from malware and affected by fraud, investing in fraud detection systems might be justifiable because of their proven ability to detect attacks earlier than other methods (e.g. reviewing transaction logs fed to SIEMs). CISOs can select which web applications should be put in scope for remediation of the vulnerabilities sought by fraudsters and for implementation of new countermeasures against MiTB and MiTM attacks based on the risk profile of the application. The risk profile of the web application can be a function of the value of the data assets and of the risk of the transactions that the web application provides to customers.
A control gap analysis can be used to identify gaps in protective and detective controls and to determine the degree of risk mitigation that can be obtained when these are implemented. Once the security measures are adopted, a calculation of the residual risk shows whether the risk can be accepted or needs to be reduced further by implementing additional controls.




===Countermeasures against Denial of Service attacks===


Denial of Service (DoS) attacks might severely impact the availability of a website to its users. Depending on the type of services that the website provides to customers, a denial of service attack might cause a considerable revenue loss for the organization. CISOs should therefore consider the mitigation of denial of service risk a top priority, especially for web applications that generate online revenue for the organization and whose availability is a critical asset.


DoS attacks can be facilitated by web application vulnerabilities. OWASP included DoS as one of the OWASP Top Ten vulnerabilities in 2004 (OWASP A9: Denial of Service) but dropped it in 2007 on the basis of the 2006 MITRE vulnerability ranking. Nevertheless, even if no longer part of the OWASP Top Ten in 2010, depending on the exposure and the value of the assets affected, denial of service vulnerabilities might represent a high risk for the organization and should be prioritized for mitigation. At the application level, a denial of service might be the result of exploiting OWASP A1 injection vulnerabilities; specifically, vulnerabilities allowing injection of SQL, XPath and LDAP commands can cause the web application to crash. At the user level, denial of service attacks can target the usability of the application by a registered user: for example, attackers can use scripts that guess valid user IDs and then force those accounts to lock through several unsuccessful login attempts. In the absence of temporary account locks (e.g. the account unlocks automatically after 24 hours), this attack prevents users from logging on. A side effect is customers calling customer support to unlock their accounts, possibly flooding the call centers with account unlock calls. At the source code level, DoS attacks might occur because of attack vectors that exploit insecure code to exhaust computing resources. These are insecure coding issues such as failing to release allocated resources (e.g. object memory) on exit, causing the application to crash as a result. Examples include exploiting NULL pointer dereferences and improper termination, exploiting uncaught exceptions, and exploiting weaknesses in XML processing so that the parser exhausts memory on maliciously crafted XML with recursive entity definitions.
When the application source code is written in programming languages that let programmers manage memory, such as C and C++, coding errors in the handling of memory allocations and the use of unsafe functions might expose the application to buffer overflow exploits that crash it or allow an attacker to take control of it. Buffer overflow vulnerabilities can also be exploited at the server level, through attacks that target web and application servers that are unpatched and vulnerable to buffer overflows. CISOs need to make sure that application and source code vulnerabilities that could be exploited for denial of service are in scope for security testing, since these are typically covered by static and dynamic application security testing tools.
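The user-level denial of service described above (locking registered users out by deliberately failing their logins) is easy to reproduce, and the difference between a permanent lock and a lock that expires is easy to show. The following is an added example written for this page, not code from the OWASP guide or from any product; the user name, password, lock length (15 minutes) and failure threshold are all constructed assumptions.

```python
"""Temporary account lockout with automatic unlock.

Added example, not part of the OWASP CISO guide. It models the user-level
denial of service described above: an attacker who knows valid user IDs
submits wrong passwords until the accounts lock. With a permanent lock
every targeted user is shut out until support intervenes; with a lock
that expires after a window the attacker only buys a short outage per
burst. User names, passwords and timings are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_FAILURES = 5          # failed attempts before the account locks (assumption)
LOCK_SECONDS = 15 * 60    # temporary lock length, 15 minutes (assumption)


@dataclass
class Account:
    password: str                         # plaintext only for the illustration
    failures: int = 0
    locked_until: Optional[float] = None  # None = not locked; float('inf') = permanent


class LoginService:
    def __init__(self, accounts: Dict[str, str], temporary_lock: bool = True):
        self.accounts = {u: Account(p) for u, p in accounts.items()}
        self.temporary_lock = temporary_lock

    def attempt_login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for an attempt at time `now` (epoch seconds)."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"   # same answer as a bad password: do not confirm valid user IDs
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"
            # lock window has passed: clear it and start counting afresh
            acct.locked_until = None
            acct.failures = 0
        if password == acct.password:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCK_SECONDS if self.temporary_lock else float("inf")
            return "locked"
        return "denied"


def lockout_attack(service: LoginService, user: str, start: float) -> None:
    """Attacker script: a burst of wrong passwords against a known user ID."""
    for i in range(MAX_FAILURES):
        service.attempt_login(user, f"wrong-{i}", start + i)


def demo(temporary_lock: bool) -> List[str]:
    """Run the attack, then let the real user try after 1 minute and after the lock window."""
    svc = LoginService({"alice": "correct horse battery staple"}, temporary_lock)
    t0 = 1_700_000_000.0   # constructed start time
    lockout_attack(svc, "alice", t0)
    return [
        svc.attempt_login("alice", "correct horse battery staple", t0 + 60),
        svc.attempt_login("alice", "correct horse battery staple", t0 + LOCK_SECONDS + 60),
    ]


if __name__ == "__main__":
    print("permanent lock:", demo(temporary_lock=False))   # ['locked', 'locked']
    print("temporary lock:", demo(temporary_lock=True))    # ['locked', 'ok']
```

The expiring lock bounds the outage but does not remove it: an attacker who keeps repeating the burst keeps the account locked. In practice the lock is paired with per-source rate limiting or a CAPTCHA on repeated failures, so the attacker's script, not the victim's account, is what gets throttled.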


At the transport and network layer, denial of service typically seeks to exploit network protocol weaknesses, for example by spoofing packets in order to flood the network with traffic. A type of denial of service attack called Distributed Denial of Service (DDoS) typically seeks to flood the target web server with an unusually high volume of traffic sent from a coordinated and controlled network of bots. Because of the unusual volume of traffic the web server is asked to handle, it might not be able to serve all the requests and so denies service to the users of the application. Well known DDoS attacks originating from bots include “Ping of Death” bots that create oversized packets and send them to victims, “Mailbomb” bots that send a massive amount of e-mail and crash the e-mail server, “Smurf Attack” bots that send Internet Control Message Protocol (ICMP) messages to reflectors to amplify the attack, and “Teardrop” bots that send malformed packet fragments that crash a system trying to reassemble them.


Today's script kiddies, hacktivists, cyber-criminals and state sponsored attackers use open source DDoS attack tools and bots against possible targets. The typical targets for DDoS attacks are public and private organizations with high visibility. The general objectives of these attacks are to cause disruption, get noticed and damage the company's reputation. The specific motives for conducting DDoS attacks vary with the type of threat agent. Script kiddies might use DDoS attacks for opportunistic motives, such as to exploit denial of service vulnerabilities and gain notoriety; hacktivists might use DDoS attacks for political reasons and to get the attention of the media; fraudsters and cyber-criminals might use DDoS attacks to divert attention from other attacks, such as an account takeover attack seeking to defraud online banking customers; and state sponsored attackers might use DDoS attacks for economic and military reasons, such as disrupting the operation of another country's government website.


The impact of DDoS attacks in terms of reputational and revenue loss to private and public organizations varies greatly depending on the type of website targeted, the duration of the attack and the number of individuals and customers affected. The business impact of DDoS attacks can be estimated as a function of the revenue lost when the website is taken down and services to customers and individuals are lost. According to the "2011 Second Annual Cost of Cyber Crime Study Benchmark Study by Ponemon Institute", which involved 50 organizations and U.S. companies, the impact of DDoS is estimated at an average annual cost of $187,506. This cost is weighted by the frequency of attack incidents across all benchmarked companies. Another survey from CA Technologies, covering 200 companies in North America and Europe, estimated the cost of downtime due to denial of service at about $150,000 annually. These cost estimates are only orders of magnitude, since business impacts vary greatly with the type of online services affected and the volume of online business affected by the DDoS attacks. For a very large e-business company like Amazon, for example, whose business generated $48 billion in revenue in 2011, assuming that most of Amazon's revenue is generated online, a DDoS attack lasting just one hour might cost several million dollars in lost revenue. CISOs whose companies generate a significant part of their revenue through online websites, as in the case of e-commerce and financial websites, need to consider the threat of denial of service from DDoS attacks a top priority for risk mitigation and consider investing in security measures to mitigate the risk of such attacks.




Today DDoS attacks are very widespread, because DDoS tools and botnets for rent are readily available and allow DDoS attacks to be conducted at a relatively low cost for the attacker. According to “Modeling the Economic Incentives of DDoS Attacks: Femtocell Case Study” by Vicente Segura and Javier Lahuerta, Department of Network and Services Security of Telefonica, for example, the cost of renting a botnet for DDoS attacks is about $100 per day for 1 Gbps of bandwidth.


CISOs also need to be aware that the DDoS threat is escalating, since both the severity and the sophistication of DDoS attacks are increasing. According to the “2011 Arbor Networks Sixth Annual Worldwide Infrastructure Security Report”, compared with the DDoS attacks of six years earlier the power of DDoS attacks has increased ten times, reaching bandwidths of 100 Gbps. This escalation cannot be explained by the sophistication of DDoS tools alone, but by new attack techniques that amplify the bandwidth of the attack. These techniques are Distributed Reflector Denial of Service (DRDoS) attacks: the attacker's bots send DNS queries to open DNS resolvers with the source IP address spoofed to be the victim's, so the resolvers send their responses, which are much larger than the queries, to the victim's system. Because each small query produces a large response, the attack bandwidth is amplified, and it is multiplied further when thousands of bots query thousands of open resolvers.
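The defining signature of DNS reflection is that the victim receives DNS answers to questions it never asked. The following is an added example written for this page, not code from the guide or from any vendor product: it pairs inbound UDP/53 responses at the victim's network edge with the outbound queries actually sent by protected hosts, reports resolvers whose answers were unsolicited, and estimates the amplification factor. The flow records, the protected prefix (203.0.113.0/24), the query timeout and the assumed size of the bots' spoofed query are all constructed assumptions.

```python
"""Detecting DNS reflection (DRDoS) traffic from flow records.

Added example, not part of the OWASP CISO guide. In a DRDoS attack the bots
send small DNS queries with the victim's address forged as the source, so
the victim receives large answers from open resolvers it never queried.
The detector pairs inbound UDP/53 responses with outbound queries seen
from the protected network; unsolicited responses are reported per
resolver with an amplification estimate. All data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

PROTECTED_NET = "203.0.113."   # assumption: the victim's prefix (TEST-NET-3)
QUERY_TIMEOUT = 5.0            # seconds an outbound query may wait for its answer
ASSUMED_QUERY_BYTES = 64       # assumption: size of the spoofed query the bots send,
                               # which the victim never sees


@dataclass(frozen=True)
class Flow:
    ts: float     # epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    size: int     # bytes in the datagram


def detect_reflection(flows: List[Flow]) -> Dict[str, dict]:
    """Return {resolver_ip: {unsolicited, bytes, amplification}} for every
    resolver that sent DNS answers no protected host had asked for."""
    pending = defaultdict(list)   # (client, resolver, client_port) -> [query timestamps]
    stats = defaultdict(lambda: {"unsolicited": 0, "bytes": 0})
    for f in sorted(flows, key=lambda f: f.ts):
        if f.src.startswith(PROTECTED_NET) and f.dport == 53:
            pending[(f.src, f.dst, f.sport)].append(f.ts)     # legitimate outbound query
        elif f.dst.startswith(PROTECTED_NET) and f.sport == 53:
            key = (f.dst, f.src, f.dport)
            fresh = [t for t in pending.get(key, []) if 0 <= f.ts - t <= QUERY_TIMEOUT]
            if fresh:
                pending[key].remove(fresh[0])                  # solicited answer: fine
                continue
            stats[f.src]["unsolicited"] += 1                   # answer nobody asked for
            stats[f.src]["bytes"] += f.size
    return {
        ip: {
            "unsolicited": s["unsolicited"],
            "bytes": s["bytes"],
            # bytes received per byte the attacker had to send
            "amplification": round(s["bytes"] / (s["unsolicited"] * ASSUMED_QUERY_BYTES), 1),
        }
        for ip, s in stats.items()
    }


# Constructed flow records: one legitimate lookup, then reflected answers
# from three open resolvers to a host that sent no query.
SAMPLE_FLOWS = [
    Flow(100.00, "203.0.113.10", 50000, "198.51.100.5", 53, 60),
    Flow(100.02, "198.51.100.5", 53, "203.0.113.10", 50000, 120),
    Flow(100.10, "192.0.2.1", 53, "203.0.113.20", 40001, 3200),
    Flow(100.11, "192.0.2.1", 53, "203.0.113.20", 40002, 3200),
    Flow(100.12, "192.0.2.2", 53, "203.0.113.20", 40003, 2560),
    Flow(100.13, "192.0.2.3", 53, "203.0.113.20", 40004, 3072),
    Flow(100.14, "192.0.2.3", 53, "203.0.113.20", 40004, 3072),
]

if __name__ == "__main__":
    for resolver, r in detect_reflection(SAMPLE_FLOWS).items():
        print(resolver, r)
```

The matched lookup to 198.51.100.5 is not reported; the three resolvers in 192.0.2.0/24 are, each with an amplification of 40 to 50 times. In production the same logic runs over NetFlow or packet captures and the reported resolvers feed the upstream filtering or scrubbing service, since by the time these answers reach the victim's edge the bandwidth has already been consumed.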




Traditional network layer countermeasures for protecting against DDoS attacks include configuring routers to examine and drop packets, filtering IP addresses, configuring rate limits and applying ingress and egress network filtering. Unfortunately, today most of these countermeasures are not enough to protect against DDoS and DRDoS attacks of 100 Gbps intensity, since an attack of that size saturates the organization's network links before any filtering at the organization's edge can take effect. To protect against high power DDoS and DRDoS attacks, CISOs whose organizations operate high availability websites under threat of high bandwidth DDoS and DRDoS attacks need to consider investments in network segmentation, hosting part of the website's static content on CDNs (Content Delivery Networks) and using third party cloud-based DDoS protection services with service level agreements that provide additional traffic bandwidth in case the organization's bandwidth is consumed during a DDoS attack. Refer to (Attacks FS-ISAC_Threat_Viewpoint_DDoS_June_2012.pdf)
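The traditional measures listed above are simple to state but worth seeing as concrete rules. The following is an added example written for this page, not code from the guide, from FS-ISAC or from any router vendor: it applies ingress filtering (drop Internet packets claiming an internal or bogon source), egress filtering (drop outgoing packets with a source address the organization does not own, so its own hosts cannot serve as spoofing bots) and a per-source token bucket rate limit to a list of packets. The owned prefix, bogon list, rate limits and packets are constructed assumptions.

```python
"""Edge filtering rules against flood and spoofed traffic.

Added example, not part of the OWASP CISO guide. It models three traditional
network layer countermeasures on a list of packets: ingress filtering,
egress filtering (BCP 38 style anti-spoofing) and a per-source token bucket
rate limit. Prefixes, limits and packets are constructed for the example.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]        # assumption: addresses we own
BOGONS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16")]
RATE_PPS = 10    # sustained packets per second allowed per source (assumption)
BURST = 20       # token bucket depth (assumption)


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    inbound: bool   # True = arrives from the Internet, False = leaves our network


def _in_any(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


class EdgeFilter:
    def __init__(self) -> None:
        self.buckets: Dict[str, tuple] = {}   # src -> (tokens, last_ts)

    def _rate_ok(self, src: str, ts: float) -> bool:
        """Token bucket: refill at RATE_PPS up to BURST, spend one token per packet."""
        tokens, last = self.buckets.get(src, (float(BURST), ts))
        tokens = min(float(BURST), tokens + max(0.0, ts - last) * RATE_PPS)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, ts)
            return True
        self.buckets[src] = (tokens, ts)
        return False

    def decide(self, p: Packet) -> str:
        if p.inbound:
            # ingress filtering: an outside packet must not claim an inside or bogon source
            if _in_any(p.src, OUR_PREFIXES) or _in_any(p.src, BOGONS):
                return "drop:ingress-spoof"
            if not self._rate_ok(p.src, p.ts):
                return "drop:rate-limit"
            return "accept"
        # egress filtering: our hosts may only send with a source address we own
        if not _in_any(p.src, OUR_PREFIXES):
            return "drop:egress-spoof"
        return "accept"


def run_filter(packets: List[Packet]) -> Dict[str, int]:
    """Apply the filter to a packet list and return a count per decision."""
    edge = EdgeFilter()
    counts: Dict[str, int] = defaultdict(int)
    for p in packets:
        counts[edge.decide(p)] += 1
    return dict(counts)


# Constructed traffic: a normal client, two spoofed inbound packets, a normal
# reply, a spoofed outbound packet, then a 25-packet burst from one source.
SAMPLE_PACKETS = [
    Packet(0.0, "198.51.100.7", "203.0.113.80", inbound=True),
    Packet(0.0, "203.0.113.5", "203.0.113.80", inbound=True),
    Packet(0.0, "10.1.1.1", "203.0.113.80", inbound=True),
    Packet(0.0, "203.0.113.9", "198.51.100.7", inbound=False),
    Packet(0.0, "192.0.2.200", "198.51.100.7", inbound=False),
] + [Packet(1.0 + i * 0.001, "192.0.2.66", "203.0.113.80", inbound=True) for i in range(25)]

if __name__ == "__main__":
    print(run_filter(SAMPLE_PACKETS))
```

Of the 25-packet burst, the first 20 fit in the bucket and the rest are dropped; the spoofed packets are dropped regardless of rate. This is exactly the kind of control that works against a single noisy source and against the organization being used as a reflector, and exactly the kind that does nothing once a 100 Gbps flood has filled the upstream link.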

== Targeting the Risks of New Technologies  ==
