Sql injection to enterprise Owned - K.K. Mookhey
- 1. SQL Injection To Enterprise 0wned
K. K. Mookhey, CISA, CISSP, CISM, CRISC
(Title slide graphic: People, Technology, Processes, Standards)
- 2. Introduction
• Founder, Principal Consultant
– Network Intelligence India Pvt. Ltd.
– Institute of Information Security
• CISA, CISSP, CISM, CRISC
• Penetration testing, Security Auditing, Forensics, Compliance, Problem-solving
• ICICI Bank, BNP Paribas, Morgan Stanley, United Nations, Indian Navy, DRDO, and hundreds of other clients over a decade of experience
• Speaker at Blackhat, Interop, IT Underground, OWASP Asia, SecurityByte, Clubhack, Nullcon, ISACA, and numerous others
© Network Intelligence India Pvt. Ltd.
- 3. Agenda
• Introduction & Case Studies
• Risk-based Penetration Testing
• Solutions
• Strategies
• Take-Aways
- 5. Gonzalez, TJX and Heart-break-land
• >200 million credit card numbers stolen
• Heartland Payment Systems, TJX, and 2 US national retailers hacked
• Modus operandi
– Visit retail stores to understand workings
– Analyze websites for vulnerabilities
– Hack in using SQL injection
– Inject malware
– Sniff for card numbers and details
– Hide tracks
- 6. The hacker underground
• Albert Gonzalez
– a/k/a “segvec,”
– a/k/a “soupnazi,”
– a/k/a “j4guar17”
• Malware, scripts and hacked data hosted on servers in:
– Latvia
– Netherlands
– Ukraine
– New Jersey
– California
• IRC chats
– March 2007: Gonzalez “planning my second phase against Hannaford”
– December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
- 7. Where does all this end up?
• IRC channels
– #cc, #ccards, #ccinfo, #ccpower, #ccs, #masterccs, #thacc, #thecc, #virgincc
• Commands used on IRC
– !cardable
– !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
- 8. TJX direct costs
• $200 million in fines/penalties
• $41 million to Visa
• $24 million to Mastercard
- 9. Cost of an incident
• $6.6 million average cost of a data breach
• From this, cost of lost business is $4.6 million
• More than $200 per compromised record
On the other hand:
• Fixing a bug costs $400 to $4000
• Cost increases exponentially as time lapses
- 19. Betting blind!
What a blind SQL injection lets an attacker enumerate, step by step:
• DB Name
• Table Names
• User IDs
• Table Structure
• Data
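The enumeration above only works because user input reaches the database as SQL text. This added example (not from the original deck) shows the vulnerable pattern beside its parameterized fix against a constructed in-memory SQLite table; the table, rows and the `lookup_*` function names are assumptions for the demo.

```python
import sqlite3

# Constructed sample database: an in-memory SQLite store with a small users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "4242"), (2, "bob", "1881")])
    return conn

def lookup_vulnerable(conn, name):
    # Vulnerable: the caller's string is spliced straight into the SQL statement,
    # so quotes and operators in the input become part of the query logic.
    sql = "SELECT name, card_last4 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened: the value travels as a bound parameter. The database treats it
    # purely as data, so the same input is just a name that matches no row.
    sql = "SELECT name, card_last4 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Classic tautology input: closes the quoted literal and appends an always-true clause.
TAUTOLOGY = "x' OR '1'='1"

def demo():
    """Run both lookups with the same input and return what each leaks."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, TAUTOLOGY),  # every row comes back
        "safe": lookup_safe(conn, TAUTOLOGY),              # no row matches
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same parameterization rule applies to every place a value enters a statement, including ORDER BY and LIMIT, which most drivers cannot bind and which need an allow-list instead.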
- 22. Technology Solutions
• Encryption
• Web Application Firewalls
• Source Code Review Solutions
• Security Testing Suites
• Data Leakage Prevention
• Privileged Identity Management
• Web Access Management
• Information Rights Management
• Database Security Solutions
- 23. Before we get to the technology…
- 24. Application Security – Holistic Solution
(Lifecycle diagram) Design → Develop/Train → Test → Manage
- 26. Secure Testing
• Security testing options
– Blackbox
– Greybox
– Whitebox
– Source Code Review
• OWASP Top Ten (www.owasp.org)
• OWASP Testing Guide
• Tools of the trade
– Open source – Wikto, Paros, Webscarab, Firefox plugins
– Commercial – Acunetix, Cenzic, Netsparker, Burpsuite
- 27. Traditional vs. Risk-based Pentesting
| Traditional Pentesting | Risk-based Pentesting |
|---|---|
| Focus is on technical vulnerabilities | Focus is on business risks |
| Requires strong technical know-how | Requires both technical and business process know-how |
| Having the right set of tools is critical | Understanding the workings of the business and applications is critical |
| Is usually zero-knowledge | Requires a person who understands the business process to play a significant role – usually an insider |
| Understanding the regulatory environment is good | Understanding the regulatory environment is mandatory |
- 28. Traditional vs. Risk-based Pentesting
| Traditional Pentesting | Risk-based Pentesting |
|---|---|
| Severity levels are based on technical parameters | Severity levels are based on risk to the business |
| Risk levels in report are assigned post facto | Risk levels in report reflect the levels assigned prior to testing |
| Test cases are built based on testing methodologies or generic testing processes | Test cases additionally build on risk scenarios |
| Audience for the report is usually the IT and Security teams | Audience for the report also includes the business process owners and heads of departments |
- 30. Ground realities
• Business priorities
– Expand, grow, market share!!
• Developer illiteracy
– Unaware of security implications
– Shortcut fixes
• Vendor apathy
– Problem reinforced by weak contracts
• Unclear budgets
– Lip service by management towards information security
– CISO left fighting the battle alone without adequate resources
- 31. Use Triage
STRATEGIZE!
- 32. Sample Strategies
(Strategy matrix diagram; recoverable labels only)
• Applications: In-house Developed Claims Processing; ATLAS – Agents Access Over Internet
• Strategies: Implement & Enforce Internal SLAs; Regular Secure Coding Training; Active Development Team; Emphasis on Secure Coding Libraries; Secure Hosting
- 33. Take-Aways
• Mindset change – most importantly of the business owners’!
– Data protection does matter!
– It is NOT simply a technology issue
– ISO 27001 is not the answer
• Implement application security in a comprehensive, cohesive and consistent manner
• Evangelize constantly!
• Demonstrate impact – always in business terms
• Strategize – you can’t protect everything all the time
• Leverage regulatory and legal requirements
- 34. Ensure – this never happens!
- 35. Questions?
kkmookhey@niiconsulting.com
@kkmookhey
http://www.linkedin.com/kkmookhey
THANK YOU!