presentation title placeholder… · presentation title placeholder author: matt mooseles...


Post on 13-Aug-2020


Page 2: Presentation Title Placeholder… · Presentation Title Placeholder Author: Matt Mooseles Subject: F5 Networks Created Date: 11/16/2018 9:50:59 AM

APPLICATIONS ARE

The business

The reason people use the Internet

The gateway to DATA

The target

Page 3:

765 Average # of Apps in use per enterprise

6 min before it's scanned

If vulnerable, you could be PWND in <2 hrs

1/3 Mission critical

Page 4:

[Figure: threats by application tier]

Tiers: Client, DNS, Network, TLS, Access, App services

Threats (several appear under more than one tier): Man-in-the-browser; Session hijacking; Malware; Cross-site request forgery; Abuse of functionality; Man-in-the-middle; DDoS; API attacks; Injection; Cross-site scripting; Certificate spoofing; Protocol abuse; Key disclosure; DNS hijacking; DNS spoofing; DNS cache poisoning; Eavesdropping; Credential theft; Credential stuffing; Brute force; Phishing; Dictionary attacks

Page 5:

[Figure: threats by application tier, with breach percentages]

Tiers: Client, DNS, Network, TLS, Access, App services

Threats (several appear under more than one tier): Man-in-the-browser; Session hijacking; Malware; Cross-site request forgery; DNS hijacking; DDoS; DNS spoofing; DNS cache poisoning; Man-in-the-middle; Eavesdropping; Protocol abuse; Certificate spoofing; Key disclosure; Cross-site scripting; Dictionary attacks; Abuse of functionality; API attacks; Injection; Credential theft; Credential stuffing; Brute force; Phishing

Percentages shown: 53% (10 years, 26 countries); 30% (2017, 4 US states); 33% (10 years, 26 countries); 26% (2017, 4 US states)

Page 6:
Page 7:

Injection PHP & SQL

PHP: 58%
SQL: 56%
Exchweb: 6%
Comments: 4%
Cart: 3%
Betablock: 2%
Admin: 2%
Affiliates: 1%
Login: 1%

Page 8:

2013 OWASP Top 10

1. Injection
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards

2017 OWASP Top 10

1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring

Page 9:

Access Attacks

Chart values: 5%, 23%, 26%, 34%, 9%, 3%

Page 10:

Clients are phished, malware installed

Banking Trojans, Fraud Trojans

Fraud targets = any site with a login page

Page 11:
Page 12:

Affected Devices

[Timeline figure, axis 2008 to 2018, with thingbots grouped as labeled]

7 Bots: SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter
1 Bot: Brickerbot
2 Bots: WireX, Reaper
3 Bots: Mirai, BigBrother, Rediation
1 Bot: Remaiten
1 Bot: Moon
1 Bot: Aidra
1 Bot: Hydra
3 Bots: Satori Fam, Amnesia, Persirai
6 Bots: Masuta, PureMasuta, Hide ‘N Seek, JenX, OMG, DoubleDoor
1 Bot: Crash override
1 Bot: Gafgyt Family
2 Bots: Darlloz, Marcher
1 Bot: Psyb0t
4 Bots: Hajime, Trickbot, IRC Telnet, Annie

74% Discovered in last 2 years

Devices: CCTV DVRs; WAPs; Set-Top Boxes; Media Center; Android; Wireless Chipsets; NVR Surveillance; Busybox Platforms; Smart TVs; VoIP Devices; Cable Modems; ICS; SOHO routers; iOS; IP Cameras

Page 13:

Thingbot Attack Type

[Timeline figure, axis 2008 to 2018, showing the same thingbot groups as the Affected Devices timeline on Page 12]

Attack types: DNS Hijack; DDoS; PDoS; Proxy Servers; Unknown…; Rent-a-bot; Install-a-bot; Multi-purpose Bot; Fraud trojan; ICS protocol monitoring; Tor Node; Sniffer; Credential Collector; Crypto-miner

Shifting from primarily DDoS to multi-purpose

Page 17:
Page 18:

1 Understand Your Environment

CISO’S #1 MISSION: Prevent Downtime

EVERYONE’S #1 CHALLENGE: Visibility

Page 19:

2 Reduce Your Attack Surface

Subdomains hosting other versions of the main application site
Dynamic web page generators
HTTP headers and cookies
Admin interfaces
Apps/files linked to the app
Web service methods
Helper apps on client (Java, Flash)
Server-side features such as search
Web pages and directories
Shells, Perl/PHP
Data entry forms
Administrative and monitoring stubs and tools
Events of the application—triggered server-side code
Backend connections through the server (injection)
APIs
Cookies/state tracking mechanisms
Data/active content pools—the data that populates and drives pages

Page 20:

Every 9 hrs a CRITICAL vulnerability is released

Attackers are weaponizing VULNERABILITIES in <24 hrs

ATTACKED!

configuration

WAF

Does it apply to you?

Has a patch been released?

Did you test it?

Did you apply it?

Page 21:

3 Prioritize Defenses Based on Attacks

Focus OpEx & CapEx spend

Page 22:

Sys Admins

Execs

Facebook

Identities

Misconfigurations

LinkedIn

Desktops

HR

Accounting

Twitter

Company website

People search engines

Laptops

Phones

Page 23:
Page 24:

Articles Threat Blog CISO to CISO Thought Leadership Blog

General Threat Trends Phishing Encryption IoT (Attacker Hunt Series)

Page 25:

© 2018 F5 Networks

CLIENT

INTEGRITY

DEFENSE

53% of breaches start here

33% of breaches start here

Page 26: