Cybercrime threats: a critical view of compliance from factual breach data and threat analysis perspective
Tony Ucedavelez and I had the opportunity to give talks to the local OWASP chapters in Los Angeles (Symantec) and Orange County (University of Irvine campus) on how application threat modeling can help organizations understand cyberthreats and build application countermeasures to mitigate them. The title of the presentation, "The rise of threat analysis and the fall of compliance in mitigating cybercrime risks", takes a critical view of compliance, especially PCI-DSS, as the determining factor for threat mitigation, and makes the case for putting compliance in the context of compliance risks rather than cybercrime risk mitigation. Both Tony and I believe that we need a new school of information security in which security is driven by a cause-and-effect approach and by factual fraud data. We therefore make the argument against PCI-DSS from the fact that the two largest data breaches of credit card data recently occurred at companies that were compliant at the time of the breach and afterwards.

We also look at these data breaches in terms of business impact and make a clear argument that, where non-compliance would cost you a fine in the single-digit millions (as in the case of TJX), the loss of 130 million credit cards would run into the billions. Putting compliance in a risk management perspective means weighing assumed costs against failure costs, where the failure cost of not being compliant can be assumed to be one order of magnitude below the overall failure cost. We therefore make the case that compliance does not buy security but only a minimum level of information security assurance: for example, in the context of mitigating vulnerabilities as a compliance requirement, MITRE data shows that tools tackle at best 34% of all known vulnerabilities. We advocate that the remaining 70% need to come from cyber intelligence, attack-threat analysis and application threat modeling.

You can only mitigate the threats you know of, and mitigating against known threats would not buy security against new cyberthreats, since cyber-criminals already assume your application has mitigation for common vulnerabilities, multi-factor authentication, fraud detection and basic data filtering for known code injection exploits. Cyberthreats use sophisticated automated attack tools (bots) and targeted attack vectors against clients, applications and back-ends alike. Understanding the threats from cyberthreat intelligence sources is a critical step in translating these threat scenarios into attacks and abuse cases that can be used to security-test your existing defenses. In our analysis we prove, for example, that most of the multi-factor authentication controls deployed today are ineffective mitigation against cybercrime attacks. We also show that browser vulnerabilities facilitate drive-by download, man-in-the-middle and man-in-the-browser attacks. Once threat scenarios are dissected and analyzed it is possible to understand the different avenues of attack, which channels are being used and which techniques fraudsters would most likely adopt. At the application layer, the focus is to identify the attack vectors used against the authenticated and non-authenticated entry points of the application and the authorization levels required, and to walk the malicious data through end to end in order to identify vulnerabilities at the different layers of the architecture as well as countermeasures. Countermeasures need to consider security by design and by configuration. We emphasize that compliance needs to capture these actionable assessments instead of checklists, and we advocate a mitigation strategy that approaches compliance with a positive security model (prove the positive) rather than a negative one (prove the negative). We still endorse compliance for security, but compliance is just one aspect of the mitigation strategy and needs to become a springboard for actionable security, whose drive could come from application threat modeling.

An abstract of the presentation is included herein; if you would like Tony and me to give a talk to your local OWASP, ISSA or ISACA chapter, please let me know.

On August 5, 2009, Federal prosecutors charged Albert Gonzalez with the largest case of credit and debit card data theft that ever occurred in the United States: 130 million credit card numbers, obtained by hacking into Heartland Payment Systems, Hannaford Brothers, 7-Eleven and two unnamed national retailers. Both Heartland and Hannaford were compliant with the PCI-DSS standard at the time they were compromised, which calls into question the validity of regulatory compliance frameworks, and specifically compliance with PCI-DSS, as an effective method of reducing data breaches, identity theft and the proliferation of credit card fraud. This presentation will further analyze the cost of the data breaches by monetizing the losses as reported in quarterly earnings reports (e.g. TJX) as well as the impact on stock price (e.g. HPY) at the time of public disclosure of these data breaches. Monetizing data breaches helps to frame non-compliance risks as a factor of business impact and further dispels the myth that being compliant equals being secure. Traditional compliance-driven security assessment efforts will be compared with threat analysis techniques in order to demonstrate how cybercrime risks can be mitigated by understanding threat scenarios through (1) cyber-intelligence: cases of publicly reported cybercrime attacks will be presented as a way to determine the threat landscape and the attack scenarios. Attacker motives and the means to achieve them will be analyzed using attack trees (2): attack trees allow the study of cyber attacks against web applications, breaches of credit card data and ATM fraud. Use and misuse cases (3) will be used to evaluate the strength of security controls such as multi-factor authentication against known cyber-attacks such as MiTM, as well as to elicit requirements for security controls (e.g. secure logins). Examples of attack vectors (4) for testing applications against code injection attacks as well as against cybercrime attacks (e.g. HTML IFRAME injection attack vectors and drive-by download) will be provided. Data Flow Diagram (DFD) analysis and architecture risk analysis examples (5) will be presented to provide a viable, consistent methodology to identify the entry points for attack vectors, identify user access levels, enumerate threats, and determine threats, attacks, vulnerabilities and countermeasures. Security by deployment and security by design concepts will be elaborated (6) as strategic countermeasures with reference to three-tier architectures and security-by-design architecture principles. Finally, mitigation strategies against cybercrime attacks will be discussed, starting from self-awareness questions. The presentation re-affirms that compliance needs to be approached as a factor of business risk and needs to consider threat risk modeling and application threat modeling as critical factors in mitigating cybercrime risks to web applications.
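The attack-tree analysis described above (point 2) and the claim that a one-time-password control alone does not stop a man-in-the-browser attack can be made concrete with a small evaluator. The following is an added example written for this post, not code from the presentation or its authors: it builds a constructed AND/OR attack tree whose leaves (phishing, drive-by download through an injected IFRAME, in-session transaction tampering) mirror the scenarios the talk names, assigns made-up effort costs, and reports which attack paths survive a given set of deployed controls and which smallest set of controls closes every path. Control names, leaf names and costs are all assumptions chosen for illustration.

```python
"""Attack-tree evaluation: which attack paths survive a set of deployed controls.

Added example, not from the original post. The tree, costs and control names
are constructed for illustration; costs are arbitrary "attacker effort" units.
"""
from dataclasses import dataclass, field
from itertools import combinations, product
from typing import List, Optional, Set, Tuple

# A path is (total attacker cost, tuple of leaf-step names that make it up)
Path = Tuple[float, Tuple[str, ...]]


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # "LEAF", "AND" or "OR"
    cost: float = 0.0                  # effort for a LEAF step (constructed)
    blocked_by: Optional[str] = None   # control that defeats this LEAF step
    children: List["Node"] = field(default_factory=list)


def attack_paths(node: Node, deployed: Set[str]) -> List[Path]:
    """Enumerate every combination of leaf steps that still achieves `node`.

    A LEAF whose control is deployed contributes no path; an OR node offers
    any child's paths; an AND node needs one path from every child, so the
    result is the cartesian product of the children's surviving paths.
    """
    if node.kind == "LEAF":
        if node.blocked_by in deployed:
            return []
        return [(node.cost, (node.name,))]
    child_paths = [attack_paths(c, deployed) for c in node.children]
    if node.kind == "OR":
        return [p for paths in child_paths for p in paths]
    combined: List[Path] = []
    for combo in product(*child_paths):        # empty if any child is blocked
        total = sum(cost for cost, _ in combo)
        steps = tuple(step for _, steps in combo for step in steps)
        combined.append((total, steps))
    return combined


def cheapest_path(node: Node, deployed: Set[str]) -> Optional[Path]:
    """Lowest-cost surviving path, or None when the deployed controls block all."""
    paths = attack_paths(node, deployed)
    return min(paths) if paths else None


def blocking_controls(node: Node, candidates: Set[str]) -> Optional[Set[str]]:
    """Smallest subset of candidate controls that leaves no attack path."""
    names = sorted(candidates)
    for size in range(len(names) + 1):
        for subset in combinations(names, size):
            if not attack_paths(node, set(subset)):
                return set(subset)
    return None


# Constructed tree modelled on the post's scenarios: the static-credential path
# is closed by a one-time password, but the man-in-the-browser path rides the
# victim's already-authenticated session and is only closed by a control that
# binds the approval to the transaction contents (labelled "transaction signing").
FRAUD_TREE = Node("Fraudulent transfer from a victim's online banking account", "OR", children=[
    Node("Replay stolen static credentials", "AND", children=[
        Node("Phish username and password", cost=2, blocked_by="user awareness training"),
        Node("Log in from another machine with the stolen password", cost=1,
             blocked_by="one-time password"),
    ]),
    Node("Man-in-the-browser on the victim's machine", "AND", children=[
        Node("Drive-by download through an injected IFRAME", cost=4, blocked_by="patched browser"),
        Node("Alter the transaction inside the authenticated session", cost=3,
             blocked_by="transaction signing"),
    ]),
])

CANDIDATE_CONTROLS = {"one-time password", "user awareness training",
                      "patched browser", "transaction signing"}

if __name__ == "__main__":
    for deployed in (set(), {"one-time password"}, {"one-time password", "transaction signing"}):
        print(f"deployed={sorted(deployed)} -> cheapest surviving path:",
              cheapest_path(FRAUD_TREE, deployed))
    print("smallest blocking set:", blocking_controls(FRAUD_TREE, CANDIDATE_CONTROLS))
```

Running it shows the point the talk makes: with no controls the credential-replay branch is the cheapest path; deploying only the one-time password removes that branch but leaves the man-in-the-browser branch intact, so the residual risk is unchanged in kind, only in cost; closing every path needs a control on each AND branch, and the search reports the smallest such set. Extending the tree with real costs or likelihoods from incident data is where the cyber-intelligence step (point 1) feeds the model.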

Written on Saturday, 03 October 2009 03:00 by GSO