IBM Global Services
IBM X-Force:
Web Application Security Dan Holden X-Force Product Manager IBM Internet Security Systems™ Ahead of the threat®
© Copyright IBM Corporation 2009
IBM Internet Security Systems
Agenda
– The Changing World of Security: how technology and business landscapes are changing how we think and talk about security
– Security Trends in a Changing World: new technology innovation and adoption are allowing attackers to push the envelope
– Real Deep Packet Inspection With PAM (Protocol Analysis Module): how security R&D drives better technology and adds value to our customers' security investment
– Wrap Up: conclusions and X-Force resources
IBM Internet Security Systems X-Force Preemptive Protection
The X-Force Advantage:
Web Application Protection
“Amateurs Study Cryptography; Professionals Study Economics”
Threat Evolution:
– A flat world has brought about an unprecedented number of criminals and cons
– Attackers keep ROI in mind as well, and constantly evolve their wares in order to re-purpose them for the next flood of attacks
– High-profile vulnerabilities will still be the vehicles for new attacks; however, the low-and-slow attack vectors cannot be ignored
– The economics of exploitation must be taken into consideration to better prioritize risk
The Security Landscape of Old
Traditional infrastructure was easier to protect . . .
– Concrete entities that were easy to understand
– Attack surface and vectors were very well-defined
– Application footprint very static
– Perimeter defense was king
The Changing Security Landscape of Today
“Webification” has changed everything . . .
– Infrastructure is more abstract and less defined
– Everything needs a web interface
– Agents and heavy clients are no longer acceptable
– Traditional defenses no longer apply
The Web Ecosystem (simple view)
– Client with a Web browser renders the content for a user
– Network transports content between the server and the client
– Server with the Web application performs the required action
– Database stores information
The Web Ecosystem (complex view)
Attack Vectors
Growth of Web Application Vulnerabilities
– SQL injection vulnerability disclosures more than doubled in comparison to 2007
– The number of active, automated attacks on web servers was unprecedented
2008 Web Threats Take Center Stage
Web application vulnerabilities
– Represent the largest category in vulnerability disclosures (55% in 2008)
– 74% of Web application vulnerabilities disclosed in 2008 have no patch to fix them
Attack Techniques Are Plentiful And Trivial
– SQL injection and cross-site scripting are the two largest categories of Web application vulnerabilities
– SQL injection is the fastest growing category (up 134% in 2008)
Exploitation is Rampant
Exploitation of SQL injection skyrocketed in 2008
– Increased by 30x from the midyear to the end of 2008
The Web Has Become Increasingly Vulnerable, But Security Priorities Haven’t Followed Suit
Security and Spending are Unbalanced
– Risk prioritization hasn’t changed with the overall landscape
– Businesses and professionals still tend to prioritize risk against an outdated traditional infrastructure viewpoint
– Security solutions that focus on traditional threats and vectors are still implemented
Big blind spots
– Browsers and web applications are still largely ignored or prioritized below other infrastructure from a security perspective
The X-Force Advantage:
How Do These Threats Present Themselves
1. Cross-Site Scripting (XSS)
What is it?
– Malicious script echoed back into HTML returned from a trusted site, and runs under the trusted context
What are the implications?
– Steal your cookies for the domain you’re browsing
– Completely modify the content of any page you see on this domain
– Track every action you do in that browser from now on
– Redirect you to a phishing site
– Exploit browser vulnerabilities to take over the machine
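The "echoed back into HTML" pattern above, as an added Python example that is not from the deck: the same search parameter reflected verbatim (the XSS case) and then HTML-encoded for the body and attribute contexts it lands in. The input string and the helper names are constructed for this illustration.

```python
from html import escape

# Constructed search term with markup in it (sample input, not from the slides):
# it tries to close the attribute the value lands in and to add a script tag.
USER_INPUT = 'shoes" onmouseover="x<script>/*constructed*/</script>'

def render_vulnerable(q: str) -> str:
    """Echoes the parameter verbatim into the page body and into an attribute:
    the reflected-XSS pattern the slide describes."""
    return f'<p>Results for: {q}</p>\n<input name="q" value="{q}">'

def render_safe(q: str) -> str:
    """HTML-encodes the parameter before it is echoed; quote=True also encodes
    the quote characters, so the value cannot break out of the attribute."""
    enc = escape(q, quote=True)
    return f'<p>Results for: {enc}</p>\n<input name="q" value="{enc}">'

def reflected_markup_survives(page: str) -> bool:
    """Checks whether user-controlled text still forms a tag or an event-handler
    attribute in the rendered page (a test oracle for this example, not a sanitizer)."""
    return "<script" in page or 'onmouseover="' in page

if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        page = render(USER_INPUT)
        print(name, "-> injected markup survives:", reflected_markup_survives(page))
```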
2. Injection Flaws
What is it?
– User-supplied data is sent to an interpreter as part of a command, query or data
Many kinds of injection flaws
– LDAP, XPath, SSI, MX (Mail)…
– HTML Injection (Cross Site Scripting)
– HTTP Injection (HTTP Response Splitting)
What are the implications?
– SQL Injection – Access/modify data in DB
– SSI Injection – Execute commands / access sensitive data
– LDAP Injection – Bypass authentication
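The "data sent to an interpreter as part of a command" point, shown for the SQL case as an added Python example (not code from the deck): a login check that concatenates the user's input into the query beside the parameterized form. The users table, the account and the tautology value are constructed for this illustration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (sample data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn

def login_vulnerable(conn, name: str, password: str) -> bool:
    """Builds the query by string concatenation: the user-supplied data becomes part
    of the command, so the interpreter cannot tell data from SQL."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, name: str, password: str) -> bool:
    """Parameterized query: the same values are bound as data and are never parsed as SQL."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # constructed value submitted in place of a password
    print("valid credentials:", login_vulnerable(db, "alice", "correct horse"),
          login_safe(db, "alice", "correct horse"))
    print("tautology value  :", login_vulnerable(db, "nobody", tautology),
          login_safe(db, "nobody", tautology))
```

With the concatenated query the AND/OR precedence turns the WHERE clause true for every row, so the check passes for a non-existent user; the bound parameters compare the literal string and fail.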
The Realities Of SQL Injection
SQL Injection has become increasingly popular
– Automated tools have improved
– Web applications are more sophisticated and reliant on back-end DBs
– Average of 100k “defacements” per week
– High percentage due to SQL Injection
– Up to 500k sites targeted each day
Automated SQL Injection With Search Engines
– Several commercial SQL Injection tools make use of backend services/C&C to receive the latest exploits
– Many rely upon search engine queries to identify likely vulnerable Web servers before commencing their automated attack
Subscription Based SQL Injection Tools
Automating the SQL Injection attacks
– Specify the injection payload (default http://www.2117966 [dot] net/fuckjp.js )
– Tool checks a site in China to verify subscription fees
– Connects to Google to search for vulnerable sites: inurl:".asp" inurl:"a="
– Starts SQL injection
– Uses table cursors to enumerate tables on Microsoft SQL
– Seeks columns that are of type ntext, text, nvarchar, or varchar AND where the table type is a user table and not a system table. Then uses a cursor WHILE loop to iterate the results, updating each table.columnname and injecting the chosen attack string (converts the current data to varchar too)
Courtesy: http://isc.sans.org/diary.html?storyid=4294
SQL Injection Attack Tools
– Automatic page-rank verification
– Search engine integration for finding “vulnerable” sites
– Prioritization of results based on probability for successful injection
– Reverse domain name resolution
– etc.
3. Malicious File Execution
What is it?
– Application tricked into executing commands or creating files on the server
What are the implications?
– Command execution on the server – complete takeover
– Site defacement, including XSS option
Commercial Web defacement tools
– Tools that speed up the defacement process
– Not necessarily targeted
– Defacement submissions
Web Threats Will Become Increasingly Complex
– Web becoming the main application delivery interface and ecosystem
– Popularization of new web technologies (Web 2.0) growing the attack surface
– New techniques and scenarios for targeting web infrastructure
Web Protection Doesn’t Have To …
The IBM Advantage:
Web Application Security
IBM X-Force Extensible Protection Platform
PAM is the engine behind the preemptive protection afforded by many of the solutions of the IBM Proventia product family. PAM comprises 5 key technologies.
Virtual Patch
– What It Does: Shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach
– Why Important: At the end of 2008, 53% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability
Threat Detection & Prevention
– What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.
– Why Important: Eliminates the need for constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.
Content Analysis
– What It Does: Monitors and identifies unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides the capability to explore data flow through the network to help determine if any potential risks exist.
– Why Important: Flexible and scalable customized data search criteria; serves as a complement to the data security strategy
Web Protection
– What It Does: Protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery).
– Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.
Network Policy Enforcement
– What It Does: Manages security policy and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling.
– Why Important: Enforces network application and service access based on corporate policy and governance.
Proventia Web Application Security
Protects Web Applications Against Sophisticated Application-Level Attacks
– SQL (Structured Query Language) Injection
– XSS (Cross-site scripting)
– PHP (Hypertext Preprocessor) file-includes
– CSRF (Cross-site request forgery)
– Path Traversal
– HTTP Response Splitting
– Forceful Browsing
Expands security capabilities to meet both compliance requirements and threat evolution
The ILE (Injection Logic Engine) Advantage
Injection attacks are typically made up of unique patterns that are not commonly seen in valid web application requests
– By totaling and scoring these specific keywords and symbols, we can accurately detect and block SQL injection attacks
Tracks an extremely comprehensive list of SQL keywords, operators, and symbols and correlates them based on valid SQL syntax
– Parameter values will be evaluated and scored based on particular keywords and symbols that they may contain
– Parameter values that exceed the configurable scoring threshold should be considered SQL injection and the request blocked
– Flagging of particular combinations of classes of keywords can determine what type of SQL injection is occurring: query injection, stored procedure execution, login bypass, blind SQL injection
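The scoring-and-threshold approach the slide describes, as an added Python example: it is a simplified illustration written for this page, not IBM's ILE. The keyword classes, weights, threshold and the sample parameter values are constructed; the four result labels are the injection types named on the slide.

```python
import re

# Keyword classes and per-hit weights, constructed for this illustration; the
# actual ILE keyword list, weights and threshold are not given on the slides.
KEYWORDS = {
    "query": {"SELECT", "UNION", "FROM", "WHERE", "INSERT", "UPDATE", "DELETE", "DROP"},
    "procedure": {"EXEC", "EXECUTE"},
    "logic": {"OR", "AND", "NOT"},
    "blind": {"WAITFOR", "DELAY", "SLEEP", "BENCHMARK"},
}
WEIGHTS = {"query": 3, "procedure": 4, "logic": 1, "blind": 3}
# Symbols that are rare in legitimate parameter values but typical of injected SQL.
SYMBOLS = {"'": 2, '"': 1, ";": 2, "--": 3, "/*": 3, "*/": 3, "=": 1}
# Tautologies such as 1=1 or '1'='1 (the closing quote may come from the application).
TAUTOLOGY = re.compile(r"('?)(\w+)\1\s*=\s*'?\2\b")

def score_parameter(value: str):
    """Total the weighted keyword and symbol hits in one request parameter value."""
    tokens = re.findall(r"[A-Z_][A-Z0-9_]*", value.upper())
    score, hit = 0, set()
    for cls, words in KEYWORDS.items():
        n = sum(1 for t in tokens if t in words)
        if cls == "procedure":  # extended/stored procedure name prefixes count as well
            n += sum(1 for t in tokens if t.startswith(("XP_", "SP_")))
        if n:
            score += WEIGHTS[cls] * n
            hit.add(cls)
    for sym, w in SYMBOLS.items():
        score += w * value.count(sym)
    return score, hit

def classify(value: str, threshold: int = 6):
    """Block above the threshold and name the injection type from the keyword classes hit."""
    score, hit = score_parameter(value)
    if score < threshold:
        return score, "clean"
    tokens = set(re.findall(r"[A-Z_]+", value.upper()))
    if "procedure" in hit:
        kind = "stored procedure execution"
    elif "blind" in hit:
        kind = "blind SQL injection"
    elif "OR" in tokens and TAUTOLOGY.search(value):
        kind = "login bypass"
    elif "query" in hit:
        kind = "query injection"
    else:
        kind = "SQL injection (unclassified)"
    return score, kind

if __name__ == "__main__":  # constructed values: three legitimate, then one per class
    for v in ("42", "O'Neil", "red or blue", "admin' OR '1'='1' --",
              "' UNION SELECT name FROM users --", "'; EXEC sp_constructed --",
              "1'; WAITFOR DELAY '0:0:5' --"):
        print(f"{v!r:40} score={classify(v)[0]:2} -> {classify(v)[1]}")
```

Note that a lone apostrophe (O'Neil) or an English "or" scores well below the threshold, which is the point of scoring combinations rather than matching single tokens.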
Secure Web Applications: Who is responsible?
[Diagram: organization-wide responsibility map, with the controls shown under each area]
– Application Development: Requirements, Secure Design, Dynamic Analysis, Static Analysis
– Secure Hosting Environment (Backend Server: Application Server, Database, Web Server): Vulnerability management (Network, Host, Application), Incident & event management, Identity & access management, Malware detection
– Defend Network: Firewall, IDS / IPS, Web App Firewall
– Protect Data across Internet: SSL Encryption
– Client (Desktop): Anti-virus, Anti-malware, Personal firewall
Secure Application Development
Challenge
– Ensure the creation of high quality, secure and compliant software
– Ensure effective management of secure requirements, design and testing
– Lifecycle management of vulnerabilities
– Application Lifecycle Management (ALM)
IBM Solutions
– IBM Rational AppScan: Standard Edition, Developer Edition, Build Edition, Test Edition, Enterprise Edition
(Application Development: Requirements, Secure Design, Dynamic Analysis, Static Analysis)
Secure Hosting Environment
Challenges
– Maintain a secure environment
– Ensure security policies are implemented and enforced
– Lifecycle management of vulnerabilities and incidents
– Assess production systems for malware
IBM Solutions
– Vulnerability management (Network, Host, Application)
– Incident & event management
– Identity & access management
– Malware detection
Required Technologies for Secure Operations
Assess
– Host Configuration: Tivoli Security Compliance Manager
– Network*: ISS Proventia Network Enterprise Scanner
– Application: Rational AppScan Enterprise
Manage
– Vulnerabilities*: ISS Proventia SiteProtector
– Incidents*: Tivoli Security Operations Manager
Protect
– Block and Enforce*: ISS Proventia G IPS, ISS Proventia M UTM, ISS Proventia Server
* Can be managed through IBM ISS Managed Security Services!
Defending the Network
Challenge
– Protect your business from Internet threats without jeopardizing bandwidth or availability
– Protect your end users from spam and other productivity drainers
– Conserve resources by eliminating the need for specialized security expertise
IBM Solutions
– IBM Proventia® Network Multi-Function Security (MFS): complete protection from Internet threats including firewall, intrusion prevention and anti-virus; define Web access policies
– IBM Proventia® Network Intrusion Prevention System (IPS): provides Web Application Firewalling functionality without the additional point product investment of a WAF; provides inline network protection against all major categories of Web application vulnerabilities and attacks
Encrypting transmission across the Internet
Challenge
– Ensuring data and intellectual property are not stolen while crossing the Internet
– Ensuring that data is not tampered with or altered between the server and client
– Ensuring that a malicious site does not impersonate the legitimate server and establish communication with the client
(Protect Data across Internet: SSL Encryption)
IBM Solutions
– IBM WebSphere Application Server
– IBM WebSphere DataPower XML Security Gateway
Client-side Security
Organizations cannot control their external clients
Internal client challenges (Desktop: Anti-virus, Personal firewall, Anti-malware)
– Mitigating risks posed by zero-day, targeted attacks
– Protecting critical data and intellectual property
– Minimizing costs and lost productivity associated with remediating infected endpoints
– Reducing help desk calls
IBM Solution
– IBM ISS Proventia Server and ESC
– Mitigates against application and network vector attacks
– Patented Virus Prevention System blocks malware based on behavior
– Includes signature-based anti-virus/anti-malware
– Provides protection against all major categories of web application vulnerabilities and attacks
– Includes data security and IT operations features
Secure Web Applications: A complete approach
[Diagram: the same responsibility map as “Who is responsible?”, now with every area covered: Application Development (Requirements, Secure Design, Dynamic Analysis, Static Analysis); Secure Hosting Environment (Vulnerability management for Network, Host and Application; Incident & event management; Identity & access management; Malware detection); Defend Network (Firewall, IDS / IPS, Web App Firewall); Protect Data across Internet (SSL Encryption); Client Desktop (Anti-virus, Anti-malware, Personal firewall)]
Thank you!
The X-Force Advantage IBM Internet Security Systems™ Ahead of the threat®