(Title slide graphic: People, Technology, Processes, Standards)

SQL Injection To Enterprise 0wned

K. K. Mookhey, CISA, CISSP, CISM, CRISC
Introduction

    • Founder, Principal Consultant
          – Network Intelligence India Pvt. Ltd.
          – Institute of Information Security
    • CISA, CISSP, CISM, CRISC
    • Penetration testing, Security Auditing, Forensics,
      Compliance, Problem-solving
    • ICICI Bank, BNP Paribas, Morgan Stanley, United
      Nations, Indian Navy, DRDO, and hundreds of
      other clients over a decade of experience
    • Speaker at Blackhat, Interop, IT Underground,
      OWASP Asia, SecurityByte, Clubhack, Nullcon,
      ISACA, and numerous others

© Network Intelligence India Pvt. Ltd.
Agenda
       •    Introduction & Case Studies
       •    Risk-based Penetration Testing
       •    Solutions
       •    Strategies
       •    Take-Aways




© Network Intelligence India Pvt. Ltd.
THE BIGGEST HACK IN HISTORY


© Network Intelligence India Pvt. Ltd.
Gonzalez, TJX and Heart-break-land
    • >200 million credit card numbers stolen
    • Heartland Payment Systems, TJX, and 2
      US national retailers hacked
    • Modus operandi
          – Visit retail stores to understand workings
          – Analyze websites for vulnerabilities
          – Hack in using SQL injection
          – Inject malware
          – Sniff for card numbers and details
          – Hide tracks
© Network Intelligence India Pvt. Ltd.
The hacker underground
       • Albert Gonzalez
             – a/k/a “segvec,”
             – a/k/a “soupnazi,”
             – a/k/a “j4guar17”
       • Malware, scripts and hacked data hosted on servers in:
             – Latvia
             – Netherlands
             – Ukraine
             – New Jersey
             – California
       • IRC chats
             – March 2007: Gonzalez “planning my second phase against Hannaford”
             – December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”

© Network Intelligence India Pvt. Ltd.
Where does all this end up?
       • IRC channels
             – #cc, #ccards, #ccinfo, #ccpower, #ccs, #masterccs, #thacc, #thecc, #virgincc
       • Commands used on IRC
             – !cardable
             – !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk

© Network Intelligence India Pvt. Ltd.
TJX direct costs
       • $200 million in fines/penalties
       • $41 million to Visa
       • $24 million to Mastercard

© Network Intelligence India Pvt. Ltd.
Cost of an incident
       • $6.6 million average cost of a data breach
       • From this, cost of lost business is $4.6
         million
       • More than $200 per compromised record

       On the other hand:
       • Fixing a bug costs $400 to $4000
       • Cost increases exponentially as time elapses




© Network Intelligence India Pvt. Ltd.
HOW THE COOKIE CRUMBLES


© Network Intelligence India Pvt. Ltd.
Betting blind!
       • DB Name
       • Table Names
       • User IDs
       • Table Structure
       • Data

© Network Intelligence India Pvt. Ltd.
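The five items on this slide are what a boolean-based blind injection enumerates, one yes/no answer at a time. The following added example (not from the talk) uses Python's sqlite3 module and a constructed customer table to show why a query built by string concatenation acts as that yes/no oracle, and why the same query with a bound parameter does not.

```python
import sqlite3

# Constructed sample data (not from the talk): a tiny customer table of the
# kind a retail web application would query. Only the last four card digits
# are stored so the demo never handles real cardholder data.
SAMPLE_ROWS = [
    ("alice", "1234"),
    ("bob", "5678"),
    ("carol", "9012"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Query built by concatenation: the caller's input becomes part of the SQL."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Same query with a bound parameter: the input is only ever a value."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def blind_oracle_exists(lookup):
    """Return True if `lookup` leaks a yes/no answer about injected SQL.

    A boolean-based blind injection needs nothing more than two inputs whose
    only difference is a condition that is true in one and false in the other.
    If the application's response differs, any question an attacker can phrase
    as a SQL condition (database name, table names, user IDs, table structure,
    data) can be answered through that difference, one bit at a time.
    A parameterized query returns the same empty result for both inputs,
    because neither string is a customer name.
    """
    conn = make_db()
    try:
        true_case = lookup(conn, "alice' AND 1=1 --")
        false_case = lookup(conn, "alice' AND 1=2 --")
    finally:
        conn.close()
    return true_case != false_case


if __name__ == "__main__":
    # Expected: concatenated query -> True (oracle), parameterized -> False
    print("concatenated query leaks an oracle:", blind_oracle_exists(lookup_vulnerable))
    print("parameterized query leaks an oracle:", blind_oracle_exists(lookup_parameterized))
```

The oracle can only answer questions the application's database account is allowed to ask, so a least-privilege account (read-only, limited to the application's own schema) bounds what "betting blind" can reach even where a concatenated query survives review.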
Net Result



Enterprise Owned!
SOLUTIONS!


© Network Intelligence India Pvt. Ltd.
Technology Solutions
       •    Encryption
       •    Web Application Firewalls
       •    Source Code Review Solutions
       •    Security Testing Suites
       •    Data Leakage Prevention
       •    Privileged Identity Management
       •    Web Access Management
       •    Information Rights Management
       •    Database Security Solutions


© Network Intelligence India Pvt. Ltd.
Before we get to the technology…




© Network Intelligence India Pvt. Ltd.
Application Security – Holistic Solution

       (Diagram: four linked phases: Design, Develop/Manage, Test, Train)

© Network Intelligence India Pvt. Ltd.
EVOLVED PENETRATION TESTING

© Network Intelligence India Pvt. Ltd.
Secure Testing
       • Security testing options
             – Blackbox
             – Greybox
             – Whitebox
             – Source Code Review
       • OWASP Top Ten (www.owasp.org)
       • OWASP Testing Guide

Tools of the trade
       • Open source: Wikto, Paros, Webscarab, Firefox plugins
       • Commercial: Acunetix, Cenzic, Netsparker, Burpsuite

© Network Intelligence India Pvt. Ltd.
Traditional vs. Risk-based Pentesting

| Traditional Pentesting | Risk-based Pentesting |
|---|---|
| Focus is on technical vulnerabilities | Focus is on business risks |
| Requires strong technical know-how | Requires both technical and business process know-how |
| Having the right set of tools is critical | Understanding the workings of the business and applications is critical |
| Is usually zero-knowledge | Requires a person who understands the business process to play a significant role – usually an insider |
| Understanding the regulatory environment is good | Understanding the regulatory environment is mandatory |

© Network Intelligence India Pvt. Ltd.
Traditional vs. Risk-based Pentesting

| Traditional Pentesting | Risk-based Pentesting |
|---|---|
| Severity levels are based on technical parameters | Severity levels are based on risk to the business |
| Risk levels in report are assigned post facto | Risk levels in report reflect the levels assigned prior to testing |
| Test cases are built based on testing methodologies or generic testing processes | Test cases additionally build on risk scenarios |
| Audience for the report is usually the IT and Security teams | Audience for the report also includes the business process owners and heads of departments |

© Network Intelligence India Pvt. Ltd.
GROUND REALITIES!


© Network Intelligence India Pvt. Ltd.
Ground realities
    • Business priorities
          – Expand, grow, market share!!
    • Developer illiteracy
          – Unaware of security implications
          – Shortcut fixes
    • Vendor apathy
          – Problem reinforced by weak contracts
    • Unclear budgets
          – Lip service by management towards information
            security
          – CISO left fighting the battle alone without
            adequate resources
© Network Intelligence India Pvt. Ltd.
Use Triage

   STRATEGIZE!


© Network Intelligence India Pvt. Ltd.
Sample Strategies

       (Diagram) Application: ATLAS – Claims Processing, Agents Access Over Internet
       • Characteristics
             – In-house Developed
             – Active Development Team
       • Strategies
             – Implement & Enforce Internal SLAs
             – Regular Secure Coding Training
             – Emphasis on Secure Coding Libraries
             – Secure Hosting

© Network Intelligence India Pvt. Ltd.
Take-Aways
       • Mindset change – most importantly of the business
         owners’!
             – Data protection does matter!
             – It is NOT simply a technology issue
             – ISO 27001 is not the answer
       • Implement application security in a comprehensive,
         cohesive and consistent manner
       • Evangelize constantly!
       • Demonstrate impact – always in business terms
       • Strategize – you can’t protect everything all the
         time
       • Leverage regulatory and legal requirements


© Network Intelligence India Pvt. Ltd.
Ensure – this never happens!




© Network Intelligence India Pvt. Ltd.
Questions?
       kkmookhey@niiconsulting.com
       @kkmookhey
       http://www.linkedin.com/kkmookhey

THANK YOU!


© Network Intelligence India Pvt. Ltd.

Developer Data Modeling Mistakes: From Postgres to NoSQL
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

SQL Injection to Enterprise 0wned - K.K. Mookhey

  • 1. People · Technology · Processes · Standards
        SQL Injection To Enterprise 0wned
        K. K. Mookhey, CISA, CISSP, CISM, CRISC
  • 2. Introduction
        • Founder, Principal Consultant
              – Network Intelligence India Pvt. Ltd.
              – Institute of Information Security
        • CISA, CISSP, CISM, CRISC
        • Penetration testing, Security Auditing, Forensics, Compliance, Problem-solving
        • ICICI Bank, BNP Paribas, Morgan Stanley, United Nations, Indian Navy, DRDO, and hundreds of other clients over a decade of experience
        • Speaker at Blackhat, Interop, IT Underground, OWASP Asia, SecurityByte, Clubhack, Nullcon, ISACA, and numerous others
        © Network Intelligence India Pvt. Ltd.
  • 3. Agenda
        • Introduction & Case Studies
        • Risk-based Penetration Testing
        • Solutions
        • Strategies
        • Take-Aways
  • 4. THE BIGGEST HACK IN HISTORY
  • 5. Gonzalez, TJX and Heart-break-land
        • >200 million credit card numbers stolen
        • Heartland Payment Systems, TJX, and 2 US national retailers hacked
        • Modus operandi
              – Visit retail stores to understand workings
              – Analyze websites for vulnerabilities
              – Hack in using SQL injection
              – Inject malware
              – Sniff for card numbers and details
              – Hide tracks
  • 6. The hacker underground
        • Albert Gonzalez
              – a/k/a “segvec,”
              – a/k/a “soupnazi,”
              – a/k/a “j4guar17”
        • Malware, scripts and hacked data hosted on servers in:
              – Latvia
              – Netherlands
              – Ukraine
              – New Jersey
              – California
        • IRC chats
              – March 2007: Gonzalez “planning my second phase against Hannaford”
              – December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
  • 7. Where does all this end up?
        • IRC Channels: #cc #ccards #ccinfo #ccpower #ccs #masterccs #thacc #thecc #virgincc
        • Commands used on IRC
              – !cardable
              – !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
  • 8. TJX direct costs
        • $200 million in fines/penalties
        • $41 million to Visa
        • $24 million to Mastercard
  • 9. Cost of an incident
        • $6.6 million average cost of a data breach
        • From this, cost of lost business is $4.6 million
        • More than $200 per compromised record
        On the other hand:
        • Fixing a bug costs $400 to $4000
        • Cost increases exponentially as time lapses
  • 10. HOW THE COOKIE CRUMBLES
  • 11. – 18. (screenshots only; no slide text)
  • 19. Betting blind!
        • DB Name
        • Table Names
        • User IDs
        • Table Structure
        • Data
  • 22. Technology Solutions
        • Encryption
        • Web Application Firewalls
        • Source Code Review Solutions
        • Security Testing Suites
        • Data Leakage Prevention
        • Privileged Identity Management
        • Web Access Management
        • Information Rights Management
        • Database Security Solutions
  • 23. Before we get to the technology…
  • 24. Application Security – Holistic Solution
        Design → Develop/Train → Test → Manage (a continuous cycle)
  • 25. EVOLVED PENETRATION TESTING
  • 26. Secure Testing
        • Security testing options
              – Blackbox
              – Greybox
              – Whitebox
              – Source Code Review
        • OWASP Top Ten (www.owasp.org)
        • OWASP Testing Guide
        Tools of the trade
        • Open source – Wikto, Paros, Webscarab, Firefox plugins
        • Commercial – Acunetix, Cenzic, Netsparker, Burpsuite
  • 27. Traditional vs. Risk-based Pentesting
        Traditional Pentesting                                  | Risk-based Pentesting
        Focus is on technical vulnerabilities                   | Focus is on business risks
        Requires strong technical know-how                      | Requires both technical and business process know-how
        Having the right set of tools is critical               | Understanding the workings of the business and applications is critical
        Is usually zero-knowledge                               | Requires a person who understands the business process to play a significant role – usually an insider
        Understanding the regulatory environment is good        | Understanding the regulatory environment is mandatory
  • 28. Traditional vs. Risk-based Pentesting
        Traditional Pentesting                                  | Risk-based Pentesting
        Severity levels are based on technical parameters       | Severity levels are based on risk to the business
        Risk levels in report are assigned post facto           | Risk levels in report reflect the levels assigned prior to testing
        Test cases are built based on testing methodologies or  | Test cases additionally build on risk scenarios
        generic testing processes                               |
        Audience for the report is usually the IT and Security  | Audience for the report also includes the business process
        teams                                                   | owners and heads of departments
  • 29. GROUND REALITIES!
  • 30. Ground realities
        • Business priorities
              – Expand, grow, market share!!
        • Developer illiteracy
              – Unaware of security implications
              – Shortcut fixes
        • Vendor apathy
              – Problem reinforced by weak contracts
        • Unclear budgets
              – Lip service by management towards information security
              – CISO left fighting the battle alone without adequate resources
  • 31. Use Triage – STRATEGIZE!
  • 32. Sample Strategies
        Application context:
              – In-house Developed
              – Claims Processing
              – ATLAS – Agents Access Over Internet
              – Active Development Team
        Strategies:
              – Implement & Enforce Internal SLAs
              – Regular Secure Coding Training
              – Emphasis on Secure Coding Libraries
              – Secure Hosting
  • 33. Take-Aways
        • Mindset change – most importantly of the business owners’!
              – Data protection does matter!
              – It is NOT simply a technology issue
              – ISO 27001 is not the answer
        • Implement application security in a comprehensive, cohesive and consistent manner
        • Evangelize constantly!
        • Demonstrate impact – always in business terms
        • Strategize – you can’t protect everything all the time
        • Leverage regulatory and legal requirements
  • 34. Ensure – this never happens!
  • 35. Questions?
        kkmookhey@niiconsulting.com
        @kkmookhey
        http://www.linkedin.com/kkmookhey
        THANK YOU!
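The case study in the deck turns on a single SQL injection in a web application (slide 5), and the sample strategies (slide 32) put emphasis on secure coding libraries. The following is an added example written for this page, not code from Mookhey's deck or from Network Intelligence: it shows the defect beside its fix using only Python's standard-library sqlite3 and a constructed in-memory users table. One lookup pastes the request parameter into the SQL string, the other binds it as a parameter; the table, column and function names are illustrative assumptions.

```python
"""Added example (not from the deck): a string-built SQL query beside its
parameterized replacement, using a constructed in-memory sqlite3 table."""
import sqlite3

# Constructed sample rows, not data from any real system.
SEED_ROWS = [
    ("alice", "a1b2c3", "cardholder"),
    ("bob", "d4e5f6", "cardholder"),
    ("carol", "g7h8i9", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Create the hypothetical users table in memory and seed it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the request parameter is concatenated into
    the SQL text, so the database parses the user's input as SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the parameter is bound with a placeholder, so the driver
    passes it to the engine as data and it can never change the query's
    structure. This is the pattern a secure coding library should enforce."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign value and with the classic tautology
    input a pentester uses to confirm injection, and return the rows."""
    conn = make_db()
    benign = "alice"
    hostile = "' OR '1'='1"
    return {
        "vulnerable_benign": find_user_vulnerable(conn, benign),
        "vulnerable_hostile": find_user_vulnerable(conn, hostile),  # every row
        "safe_benign": find_user_safe(conn, benign),
        "safe_hostile": find_user_safe(conn, hostile),  # no such username
    }


def apostrophe_check(conn: sqlite3.Connection) -> tuple:
    """A legitimate name containing a quote breaks the concatenated query
    (a syntax error, which is often the first sign of injection in logs),
    while the bound parameter handles it correctly."""
    try:
        find_user_vulnerable(conn, "o'neil")
        vulnerable_raised = False
    except sqlite3.OperationalError:
        vulnerable_raised = True
    return vulnerable_raised, find_user_safe(conn, "o'neil")


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
    print("apostrophe_check:", apostrophe_check(make_db()))
```

The tautology input makes the concatenated query return every row in the table, which is the step the case study's "hack in using SQL injection" rests on, whereas the parameterized query simply finds no user with that literal name. The apostrophe check is the operational tell: string-built queries fail on ordinary data such as Irish surnames, so a spike of database syntax errors from web requests is worth alerting on even before an injection is confirmed.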