1. Where the money is – Security of CBS.
Advisor for your information security.
Version: 1.0
Author: Ulrich Fleck
Responsible: Ulrich Fleck
Date: 27.5.2012
Confidentiality level: Public
2. Agenda
• About SEC Consult
• About the study
• Threats and Drivers for Application Security in CBS
• Maturity of Application Security in CBS
• Security Crash Test of selected CBS products
• Resume
• Discussion
Title: Where the money is – CBS Security
Version/Date: 1.0 / 27.5.2012
Responsible: Ulrich Fleck
Confidentiality Class: Public
© 2012 SEC Consult Unternehmensberatung GmbH – All rights reserved
3. SEC Consult – Who we are
• Leading international application security consultancy
• Founded 2002
• Headquarters near Vienna, Austria
• Delivery Centers in Austria, Germany, Lithuania and Singapore
• Strong customer base in Central and Eastern Europe
• Increasing customer base of clients with global business (esp. out of Top-10 US and European software vendors)
• 45+ application security experts
• Industry focus: banks, software vendors, government
[World map legend: SEC Consult Headquarter (Austria); SEC Consult Offices (Germany, Lithuania, Singapore); Other SEC Consult Clients (Canada, Central and Eastern Europe)]
4. Our Key Question
What is the promise and the reality of application security for core banking systems???
5. Part 1 – Answers provided / Part 2 – Security Crash Test at vendor
Part 1 – Answers provided
• We created a questionnaire with some 50 questions about security, especially with regard to core banking systems
• This questionnaire was provided to a preselected set of vendors together with the offer to participate in our study
• We recommended that the person responsible for IT security should answer, or at least quality assure, the questions and answers
• The methodology for the survey part was based on commonly known security standards, best practices and guidelines and the experience of Capgemini and SEC Consult
Part 2 – Security Crash Test at vendor
• As the answers to the questionnaire are just a subjective picture of the vendors themselves, we wanted to perform real-life security crash tests at the vendors
• Therefore we offered all vendors an application security check conducted by SEC Consult consultants
• We asked for access to the respective test system and ensured that the test results would only be published at a high level in this study, and that detailed reports about the test case results are handed over solely to the respective vendor
6. Alternative Part 2 – Security Crash Tests at selected banks
(Part 1 – Answers provided, and Part 2 – Security Crash Test at vendor, as on the previous slide)
Alternative Part 2 – Security Crash Tests at selected banks
• Some of the vendors were quite interested and seriously considering a “Part 2” participation – however none did finally
• Therefore we had to consider an alternative solution
• Fortunately three interested banks, showing big interest in this study, gave us the opportunity to perform security crash tests on their systems (three CBS in scope of this study)
• The applied methodology was based on commonly known security standards for application security, best practices in security tests with a black-box approach, and the experience of SEC Consult
7. CBS Vendors of this Study
Major vendors relevant for the international and European market.
9. Attack surface for core banking systems (simplified)
[Diagram: Presentation Layer, Business Logic Tier, Database Layer, Databases and Network, each marked with potential entry points for an attacker]
10. What did the vendors say?
• Information security of vendor organization
  • Most of the vendors have an Information Security Management System (ISMS) in place
• Software development organization
  • Roles and responsibilities in the development process documented in accordance with security policies
  • 90-100% of the (core) development staff on application security
• Methods for secure software development
  • The enforcement of methods for secure software development (Microsoft SDL, OpenSAMM, BSIMM, CMM-SSE) is in progress at some vendors
• Threat modeling and security requirements
  • Most of the vendors have an up-to-date threat model for each CBS module available
11. What did the vendors say?
• Security Incident Response
  • Most of the vendors have a Software Security Incident Response Process
• (Technical) standards and best practices for application security
  • (Technical) application security best practices and standards for web technologies like OWASP, ÖNORM A 7700 (Security requirements for web applications), etc. are already important for vendors
  • Data privacy standards for applications like EuroPriSe are not in the focus yet
  • No certifications conducted on application security
12. What did the vendors say about complexity?
13. What did the vendors say? – Internal QA
• Security vulnerabilities identified from 1.1.2008 till 30.6.2010 by internal QA/testers before the software was released
  • Many vendors don’t provide an answer
  • Range from “none” to hundreds
• Security vulnerabilities identified from 1.1.2008 till 30.6.2010 in already released software modules (“zero-day vulnerabilities”)
  • Many vendors don’t provide an answer
  • Range from “none” to hundreds
14. Test coverage for application security
Significant differences in the test coverage for different test approaches between the vendors.
15. How do you define the maturity level of state of the art (application) security for your CBS product?
Vendor answers (quoted):
• “30+ years with no known security issues.”
• “strong & impenetrable security foundation”
• “Highly sophisticated”
• “CMMi Level 4.”
• “High”
• “Mature.” “Mature.” “Mature.”
All vendors position themselves to achieve (at least) state-of-the-art application security. This is a clear and consistent commitment and promise to the market.
16. Crash test for 3 CBS (out of 8)
Test set-up:
• None of the eight vendors accepted the offer of a free-of-charge security crash test
• 3 major European banks stepped in with 3 products of this study – Thanks!!!
• Crash test with black-box approach and limited effort budget (approx. 15 person days for each product)
• Access to CBS with one low-privilege user account (standard user)
Test objective for a crash test:
• Check for toxic (= seriously insecure) software
• Identify application security vulnerabilities in CBS to break the confidentiality, availability or integrity of CBS
Source: http://www.spiegel.de/fotostrecke/fotostrecke-22584-3.html
17. Why attack the CBS from a standard working place?
[Diagram: Standard Working Place for CBS → Browser → Core Banking System]
The attacker has several choices to get access to a standard working place:
• One active Trojan horse malware
• Access by cleaning personnel, maintenance, contractors, volunteers, etc.
• Drive-by infection from website(s)
• …
Then the attacker starts to look for vulnerabilities to access the Core Banking System in depth…
For the test we used a low-privilege user and tried to expand the privileges and to access sensitive data of the Core Banking System.
18. Hundreds to thousands of CBS standard working places to choose from
For the test we used a low-privilege user and tried to expand the privileges and to access sensitive data of the Core Banking System.
19. Standard Blackbox Approach
[Diagram: Attacks against Presentation Layer, Business Logic Tier, Database Layer, Database and Network]
Tasks:
• Use selective special tools and scripts for exploiting security vulnerabilities based on vulnerability classes
• Check compliance to state of the art standards for application security (A7700, OWASP, …)
• Adapt or write new exploit code if necessary
• Validate vulnerabilities
• Develop proof of concept material (screen shots, dumps, passwords, etc.)
• Assess risk and define recommendation
20. CBS – Cross site scripting
• The problem:
  • A Cross Site Scripting security vulnerability is used to steal the identity information of a CBS user. First the attacker writes an email to this user with a malicious link, including hidden script code (a very short software program). The user receives the email and clicks on that link. The malicious script runs in (the context of) the web browser of the attacked user.
• Vulnerability class:
  • Web application security – input and output validation
• Impact for bank:
  • Account theft
  • Remotely control the web browser
  • Record all activities of the user
  • Initiate changes in transactions (e.g. target account numbers of a transaction on the fly).
Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
21. CBS – Weak encryption
• The problem:
  • First the attacker traces the data traffic between the CBS client and the CBS server. Due to the weak encryption security vulnerability of the CBS, the attacker can bypass the login mechanism.
• Vulnerability class:
  • Design flaw in client-server communication (the hash is being built on the client)
• Impact for bank:
  • Account theft
  • Privilege escalation
  • Misuse of the account of the user
Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
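The design flaw named on this slide, as an added toy model that is not part of the SEC Consult study or any vendor's code: when the client builds the hash, the value on the wire is also the stored verifier, so anyone who reads either one holds a working credential; a server-side salted, iterated verifier does not have that property (the password on the wire is assumed to be protected by TLS, which is not modelled here). Usernames and passwords are constructed sample data.

```python
# Added example (not from the study): why "hash built on the client" turns a
# captured login message, or a leaked password table, into a login bypass.
import hashlib
import hmac
import os

PASSWORD_DB_FLAWED = {}    # user -> unsalted hash computed by the client
PASSWORD_DB_HARDENED = {}  # user -> (salt, PBKDF2 verifier computed by the server)


def client_side_hash(password):
    """What the flawed client sends; the server merely compares this value."""
    return hashlib.sha1(password.encode()).hexdigest()


def enroll_flawed(user, password):
    PASSWORD_DB_FLAWED[user] = client_side_hash(password)


def login_flawed(user, wire_value):
    # The server never sees a password: the hash on the wire IS the credential.
    return hmac.compare_digest(PASSWORD_DB_FLAWED.get(user, ""), wire_value)


def wire_equals_stored_flawed(user, password):
    """The property behind the bypass: wire value == stored verifier == credential."""
    return client_side_hash(password) == PASSWORD_DB_FLAWED[user]


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll_hardened(user, password):
    salt = os.urandom(16)  # per-user random salt, kept only on the server
    PASSWORD_DB_HARDENED[user] = (salt, _derive(password, salt))


def login_hardened(user, password):
    rec = PASSWORD_DB_HARDENED.get(user)
    if rec is None:
        return False
    salt, verifier = rec
    return hmac.compare_digest(verifier, _derive(password, salt))


def stored_verifier_logs_in_hardened(user):
    """Submitting the stored verifier in place of the password must fail."""
    _salt, verifier = PASSWORD_DB_HARDENED[user]
    return login_hardened(user, verifier.hex())
```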
22. CBS – Privilege escalation – missing authorization
• The problem:
  • By enumerating several request parameters, arbitrary accounts can be taken over and misused by non-privileged users.
• Vulnerability class:
  • Design flaw based on missing authorization
• Impact for bank:
  • Account theft
  • Privilege escalation
  • The attacker becomes a more powerful user
  • Access to administrative functionality
  • The attacker can misuse the CBS by performing high-privilege transactions and functions
Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
23. CBS – SQL Injection
• The problem:
  • Nothing to add here; this should be an extinct vulnerability class
• Vulnerability class:
  • Web application security – input validation & design flaw
• Impact for bank:
  • Extract valuable data from the database (data theft)
  • Manipulate data in the database
  • Account theft
  • Privilege escalation
Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
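The two server-side controls that slides 22 and 23 report as failed, shown together in one added example that is not code from the study or from any CBS vendor: a handler that trusts the account parameter from the request and concatenates it into SQL, beside one that decides authorization from the caller's own identity and role and uses a parameterized query, logging every denied access for the audit trail. Users, accounts, roles and the audit-log list are constructed sample data.

```python
# Added example (not from the study): missing authorization (slide 22) and
# string-built SQL (slide 23) in one request handler, with the hardened form.
import sqlite3

AUDIT_LOG = []  # constructed stand-in for the bank's audit/logging facility


def build_db():
    """Constructed sample data: a standard user and an admin, each with one account."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner INTEGER, balance INTEGER);
        INSERT INTO users VALUES (1, 'clerk', 'standard'), (2, 'auditor', 'admin');
        INSERT INTO accounts VALUES (100, 1, 500), (101, 2, 90000);
    """)
    return db


def get_account_vulnerable(db, user_id, account_id):
    """The pattern behind slides 22/23: user_id is ignored, so any account id
    supplied in the request is served, and the id is concatenated into SQL."""
    return db.execute(
        "SELECT id, balance FROM accounts WHERE id = " + str(account_id)
    ).fetchone()


def get_account_hardened(db, user_id, account_id):
    """Authorization is derived from the authenticated caller, never from the
    request; the account id is bound as a parameter, not pasted into the query."""
    role = db.execute("SELECT role FROM users WHERE id = ?", (user_id,)).fetchone()
    if role is None:
        AUDIT_LOG.append(("DENY", user_id, account_id, "unknown user"))
        return None
    row = db.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchone()
    if row is None:
        return None
    acct_id, owner, balance = row
    if owner != user_id and role[0] != "admin":
        # Ownership check enforces segregation; the denial is logged for detection.
        AUDIT_LOG.append(("DENY", user_id, account_id, "not owner"))
        return None
    AUDIT_LOG.append(("ALLOW", user_id, account_id, role[0]))
    return (acct_id, balance)
```

A non-numeric account parameter is bound as text by the hardened query and simply matches nothing, whereas the vulnerable form hands it to the SQL engine verbatim.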
24. CBS – Direct OS command execution
• The problem:
  • Several flaws led to access to the underlying operating system for non-privileged users.
• Vulnerability class:
  • Web application security – input validation & design flaw
• Impact for bank:
  • Control over the operating system of the CBS server.
  • The CBS system can be shut down, wiped or manipulated with wrong data by the attacker.
  • Data of the server can be copied to a repository of the attacker.
  • Additionally, this vulnerability can be used to attack other systems of the bank
  • Account theft and privilege escalation
  • Total compromise of system, data backends, etc.
Secure software development:
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
25. Summarizing
[Stamp: FAILED!]
3 of 3 tested CBS fail application security standards (e.g. Open Web Application Security Project (OWASP), WASC, BSI ISi-Reihe (Germany), ÖNORM A 7700 (Austria), etc.)
3 of 3 tested CBS are not state of the art in application security (vendor claims: “CMMi Level 4.”, “High”, “Mature.” “Mature.” “Mature.”)
3 of 3 tested CBS have deficiencies in secure software development
• Architecture/Design: Failed
• Programming: Failed
• Test and Quality Assurance: Failed
26. Business Impact for Banks
[Diagram: Attacks against Presentation Layer, Business Logic Tier, Database Layer, Database and Network]
• The vulnerabilities found in 3 of 3 tested CBS
  • enable unauthorized access
  • disable segregation of duties
  • circumvent the effectiveness of auditing and logging
  • circumvent the effectiveness of strict access control and enable privilege escalation
  and therefore can cause violations of compliance requirements such as Basel II, SAS70, ISO 27001, national data privacy protection laws, national banking-specific laws, etc.
27. What to do if you are a bank?
Demand state-of-the-art application security for CBS
• Vendor contracts with mandatory state-of-the-art application security requirements
• Define penalties for not achieving state-of-the-art application security requirements
• Cost sharing for unsuccessful application security tests
Prove the vendor claims and promises by testing application security of CBS
• Application security tests (Security Quality Gates)
Establish additional multiple lines of defense
• Measures to at least temporarily mitigate some risks of an insecure CBS on other levels of defense (infrastructure, organizational, awareness of users, etc.)
The best point in time to detect toxic (= seriously insecure) software is when you buy it.
28. Software Vendors already using SEC Consult.
(Slide reused from: SEC Consult Software Security Assurance Services, Version/Date 1.1 / May 2011, Responsible: U. Fleck, © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved)
29. How to reach us/me?
SEC Consult, Austria
Mooslackengasse 17
A-1190 Vienna
Austria
Tel: +43-(0)1-890 30 43-0
Fax: +43-(0)1-890 30 43-15
Email: office@sec-consult.com
www.sec-consult.com
Ulrich Fleck
Director Sales and Business Development
+43 676 840 301 719
Email: u.fleck@sec-consult.com