I recently had the opportunity to give prezos for OWASP in Los Angeles and Orange County together with the Application Threat Modeling book co-author, Tony UcedaVelez. Both Tony and I believe that application threat modeling can help organizations understand cyber-threats and identify countermeasures to mitigate them proactively. We also think that compliance with security standards is no guarantee of "immunity" from becoming a target and victim of cybercrime and fraud, hence the intentionally provocative title of our presentation: "The rise of threat analysis and the fall of compliance in mitigating cyber-crime risks". We take a critical view of compliance, especially PCI-DSS, and we advocate putting compliance in the perspective of business risk mitigation. To support our view, we start by looking at how the PCI-DSS security standard drives application security through compliance, and we highlight the fact that the two largest data breaches of credit card data ever reported occurred at companies that were compliant with PCI-DSS. We also analyze these data breaches for the business impact they caused and compare the cost of not being compliant with the cost of the business impact caused by the breach: based upon publicly disclosed data (the 2007 TJX data breach), we find that overall the cost of non-compliance is one order of magnitude smaller than what it costs an organization to cover the overall business impact of the data breach incident (e.g. millions for non-compliance compared with billions for business impact).
There is a strong and compelling case, based upon vulnerability data alone, that compliance does not buy security for your organization but only a minimum level of information security assurance: when vulnerabilities are mitigated for compliance's sake, for example to fulfil a compliance requirement (e.g. a vulnerability assessment), the data from MITRE shows that at best the organization will mitigate 45% of all known vulnerabilities (e.g. of the 600 weaknesses from MITRE's CWE included in the study).
We use this data to argue that the remaining 55% of ways to exploit known issues can be assessed by adopting threat analysis and risk mitigation techniques that cover a larger attack space than compliance security assessments. These threat analysis techniques include, for example: (1) gathering cyber-intelligence on attacks from public sources such as law enforcement (e.g. FBI, Secret Service), (2) learning about attack scenarios and likely targets with attack tree analysis, (3) determining the possible abuses of the application's business logic using use and abuse cases, (4) identifying the attack vectors used against web sites so that application defenses can be tested, and (5) finally, developing countermeasures at the application layer with threat modeling/architecture risk analysis.
The threat mitigation mantras are: (1) you can only mitigate the threats you know of; (2) know your enemy so you can build your defenses. Being threat aware means being threat intelligent. Knowing your enemy means proactive risk awareness: as organizations defending against cyber-attacks, we need to be aware that cyber-criminals already assume you have complied with PCI-DSS to mitigate known vulnerabilities and so protect credit card data.
Fraudsters also know that organizations have implemented multi-factor authentication and fraud detection, in compliance with the FFIEC guidelines for authentication.
We basically need to be aware of the new, bigger cybercrime threat and how it might affect us. For example, cyber-criminals can buy or lease sophisticated automated attack tools, botnets, to commit fraud. These botnets can direct attacks against banking customers by exploiting browser vulnerabilities, as well as against on-line banking sites, bypassing strong authentication and data filtering controls. Cyber-crimes include fraud (e.g. wire transfers to money mule accounts) as well as stealing credit card and confidential data to resell it in the underground economy or to produce fake credit and debit cards.
Understanding how these threat scenarios might affect your organization, in terms of threat analysis, means asking: 1) is my organization possibly a target? 2) which data asset is an attacker/fraudster most likely to go after? 3) which attack vectors will he use? 4) which potential vulnerabilities can be exploited, and where? 5) which countermeasures can I design and deploy at the application layer?
Threat analysis of security controls must be the driver for the design of countermeasures:
To test defensive controls at the application layer, we need to identify the attack vectors (both manual and automated) and use them against the authenticated and non-authenticated entry points of our application, validate the authorization levels required, and walk through the data flows (from client to back end) to test for potential vulnerabilities. The aim of this data flow threat analysis is to localize and identify the countermeasures that can be designed and deployed at each layer and component of the architecture (client, server processes and data).
We emphasize that for security compliance to be effective for security, it needs to enforce actionable threat assessments. We advocate a new risk mitigation strategy that looks at compliance with a positive security approach rather than a negative one. The positive security approach consists of proving the positive effect of defenses in mitigating threats; the negative security approach consists of proving the gaps in applying standards and security controls. Positive security is driven by threat analysis as a positive factor for building better security controls against new threats; negative security is driven by compliance as a way to prove the negative, that is, that your organization failed in applying standards and policies.
We conclude that even if there is still value in compliance for security, as validation against a minimum level of security requirements, the approach most organizations take toward compliance does not help security and derails the organization's effort from focusing on effective threat risk mitigation. To improve security, organizations need to reconsider compliance; being compliant will not guarantee protection of your core business assets against cyber-crime threats. Compliance is just one piece of the risk mitigation strategy; compliance security assessments can be effective mitigation against cyber-crime threats only when they are driven by cyber-crime intelligence and application threat modeling techniques.
An abstract of the presentation is included herein: On August 5, 2009, Federal prosecutors charged Albert Gonzalez with the largest case of credit and debit card data theft ever to occur in the United States: 130 million credit card numbers, obtained by hacking into Heartland Payment Systems, Hannaford Brothers, 7-Eleven and two unnamed national retailers. Both Heartland and Hannaford were compliant with the PCI-DSS standard at the time they were compromised, which calls into question the validity of regulatory compliance frameworks, and specifically compliance with PCI-DSS, as an effective method to reduce data breaches, identity theft and the proliferation of credit card fraud. This presentation will further analyze the cost of the data breaches by monetizing the losses as reported in quarterly earnings reports (e.g. TJX) as well as the impact on stock price (e.g. HPY) at the time of public disclosure of these data breaches. Monetizing data breaches helps to frame non-compliance risks as a factor of business impact and further dispels the myth that being compliant equals being secure.
Traditional compliance-driven security assessment efforts such as penetration testing, static code analysis and standard compliance gap analysis will be compared with threat analysis techniques in order to demonstrate how cybercrime risks can be mitigated by understanding threat scenarios through cyber-intelligence: cases of reported cybercrime attacks will be presented as a way to determine the threat landscape and the attack scenarios. Attacker motives and the means to achieve them will be analyzed using attack tree analysis: attack trees allow the study of cyber-attacks against web applications, breaches of credit card data, and ATM fraud. Use and misuse cases will be used to evaluate the strength of security controls such as multi-factor authentication against known cyber-attacks such as MiTM, as well as to elicit requirements for security controls (e.g. secure logins). Examples of attack vectors for testing applications against code injection attacks as well as cybercrime attacks (e.g. HTML IFRAME injection attack vectors and drive-by download) will be provided using attack vector analysis. Data Flow Diagram (DFD) analysis and architecture risk analysis examples will be presented to provide a viable, consistent methodology to identify the entry points for attack vectors, identify user access levels, and enumerate threats, attacks, vulnerabilities and countermeasures. Security by deployment and security by design principles will be elaborated as strategic countermeasures with reference to three-tier architectures and security by design architecture principles. Finally, risk mitigation strategies against cybercrime attacks will be discussed, starting with self-awareness questions.
The presentation re-affirms that compliance risks need to be approached by organizations as a factor of business risk, and advocates threat risk modeling and application threat modeling as actionable processes for mitigating cybercrime risks to web applications. Using threat tree analysis, for example, it is possible to analyze the effectiveness of security controls such as MFA in mitigating threats such as man-in-the-middle attacks, and to find out that most of them are ineffective. By identifying the targets of attacks with attack trees we also find that browser vulnerabilities facilitate drive-by download, man-in-the-middle and man-in-the-browser attacks, and that these vulnerabilities represent the weakest security link. Only after cyber-crime targets are analyzed and visualized with attack trees is it possible to understand the different avenues of attack methods used by the fraudsters. By associating a cost with achieving each step of the attack tree it is possible to walk through the attack methods that cost the attacker the least to succeed.
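As an added illustration (not code from the post or from the book), the cost-weighted attack tree walk described above in Python: leaf steps carry an attacker cost, OR goals take the cheapest child, AND goals sum their children, and a countermeasure is modelled as extra cost on one leaf so you can see which path becomes the cheapest next. The tree, step names and cost values are constructed for the on-line banking fraud scenario in the post and are assumptions, not measured data.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Node:
    """Attack tree node: a LEAF step with an attacker cost, or an OR/AND goal
    reached by any one child (OR) or by all of its children (AND)."""
    name: str
    kind: str = "LEAF"            # "LEAF", "OR" or "AND"
    cost: float = 0.0             # leaf only: constructed attacker cost (arbitrary units)
    children: List["Node"] = field(default_factory=list)

def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (total cost, leaf steps) of the least-cost way to reach the goal."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    if node.kind == "OR":
        return min((cheapest(c) for c in node.children), key=lambda r: r[0])
    total, steps = 0.0, []        # AND: every child goal must be achieved
    for child in node.children:
        cost, path = cheapest(child)
        total, steps = total + cost, steps + path
    return total, steps

def mitigate(node: Node, leaf_name: str, added_cost: float) -> bool:
    """Model a countermeasure as extra attacker cost on one leaf; True if the leaf exists."""
    if node.kind == "LEAF":
        if node.name == leaf_name:
            node.cost += added_cost
            return True
        return False
    return any(mitigate(c, leaf_name, added_cost) for c in node.children)

def build_tree() -> Node:
    """Constructed example tree for the banking fraud scenario (costs are assumptions)."""
    return Node("Fraudulent wire transfer to a money mule account", "OR", children=[
        Node("Hijack the customer's browser session", "AND", children=[
            Node("Drive-by download exploiting a browser vulnerability", cost=10),
            Node("Man-in-the-browser tampering with the transaction", cost=5),
        ]),
        Node("Bypass MFA over the network", "AND", children=[
            Node("Man-in-the-middle against the login session", cost=30),
            Node("Real-time relay of the one-time code", cost=20),
        ]),
    ])

if __name__ == "__main__":
    tree = build_tree()
    print("before:", cheapest(tree))   # browser-session path, cost 15
    mitigate(tree, "Drive-by download exploiting a browser vulnerability", 40)
    print("after: ", cheapest(tree))   # MFA-bypass path becomes cheapest, cost 50
```

The walk confirms the post's point: the browser leaf is the weakest link, and a client-side countermeasure (here, +40 on that leaf) only shifts the cheapest path to the MFA/MITM branch, which then needs its own control.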