Friday, October 30, 2009

IMI Security Summit in Northern Kentucky: awesome security conference


I presented at the IMI Security Summit on the topic of "Threat Analysis as methodology for deriving risk-based security tests of web application software". This conference gave me the opportunity to present for OWASP, thanks to the invitation from Dr. James Walden, who teaches Software Security at Northern Kentucky University. This is the second time that I have given the talk at the IMI security conference. The organization of this conference is very good, as is the quality of the speakers; one outstanding speaker to mention this year was Patrick Gray, Principal Security Strategist of CISCO and a former colleague of mine at the company Internet Security Systems.

Patrick Gray is truly an awesome speaker and presenter. I thought it was worth attending the conference just to listen to his keynote. Patrick can communicate effectively to a wide audience of security folks; he gets people to think about security with simple messages, examples and a sense of humor. I think the main message of his presentation is 100% right: the main security challenge that society as a whole faces today, besides combating organized cybercrime, is the increased importance of the human factor (he refers to it as the human firewall) as a way to mitigate new threats such as social networking threats and phishing. The new targets nowadays scale up to 300+ million Facebook users and involve new demographics such as Generation Y, which is prone to using social networks like Facebook and Twitter. As a security industry and as security practitioners, according to Patrick, we are challenged to respond to these new threats with increased education/awareness and the development of more effective security measures.

During the luncheon, I attended the presentation by Dr. Kevin Gallenger, "State of IT Security 2009". The survey data presented is also in agreement with other surveys, such as the ones from the Ponemon Institute, CSI-FBI and Verizon, on the state of information security within organizations. For example, the survey shows that less than 60% of organizations conduct a formal IT audit and that hackers and employees are equally problematic as sources of attacks (27%). A recent Ponemon-Imperva survey also shows that 71% of companies do not think compliance is strategic to security, even after experiencing at least one data breach. Also, according to the same survey, internal sources of attacks make up around 20-30% of overall threat agents.

The part of the survey that I liked the most was the emphasis on the difference between "acquisition" of security and "adoption" of security, in particular as related to compliance. Most companies, for example, acquire security tools and produce security policies in response to compliance requirements, but they do not fully implement and/or enforce them: the survey shows, for example, that only 54% of companies do that. Financial services companies are the ones that score best.

The survey also touches on the problem of incident disclosure: 44% of respondents indicated that they were unwilling to disclose the types of breaches.
Two Weights-Two Measures
I believe that security incident disclosure is one of the main problems we face in information security today: because we lack data on losses, fraud and incidents affecting different business sectors, we cannot identify needs and opportunities to improve security and make the business case for new security investments to mitigate these risks.

But there are some exceptions: for example, compliance with SB (Senate Bill) 1386, which is currently enforced in several US states, forces companies affected by data breaches to publicly disclose the losses, including customers' PII such as SSNs. Thanks to SB 1386, we can still factor in the business impact of data breaches. For example, 100 million PII records reported as lost, at $25 per record (estimated as the cost of buying that PII on the black market), equals a $2.5 billion impact. I believe that only by factoring in the business impact of data losses and fraud is it possible to make informed risk decisions.

I also had a nice conversation with NKU's professor Dr. Frank Braun. Dr. Braun's research covered business cases for software security, such as ROSI, cost/benefit analysis and quantitative risk analysis, as factors for making business cases. We shared some thoughts about business risk impact analysis and the human factors in risk decision making. We mostly agreed that (1) business security is the most important factor in security, (2) we lack data that proves the point about the business value of security, and (3) there is a need to approach security from a business perspective instead of a technical perspective, so as to take into consideration business impacts as well as the organizational culture of risk decision makers.

Unfortunately, most security decision making nowadays follows different factors, such as what "Gartner says", what a security vendor says or what my competitor does. Instead of rational thinking backed by quantitative data, we follow an approach that is either purely speculative about the business impacts of security or that follows the so-called herd mentality...

Therefore we also concluded that there is a need for a new culture of security management that puts the quality of security data, especially data on the business impact of security losses, as a priority, so that it is possible to make informed risk decisions. This would require a culture change and a New School of Information Security that puts the focus on meaningful metrics, such as risk expressed as the business impact of data losses and fraud. To know more about what I mean by New School of Information Security, I recommend reading Adam Shostack's book The New School of Information Security.

My presentation (please refer to our local OWASP chapter web page for further info) covered the topic of risk-based security testing and was nicely attended by several folks. I had a lot of questions after my presentation, which I usually consider the best evidence that I raised enough interest in the topic being presented. I think most organizations today are not doing security testing as well as they should. It is not enough to test for positive requirements to build secure applications; we need security tests that are driven by misuse and abuse cases. We also need to prioritize tests according to risk, so as to test first the ones that are most likely to exploit vulnerabilities and produce the largest impact. My presentation was also an opportunity to present version 3 of the OWASP Testing Guide. This guide includes several security test cases that can be used to test for the most common vulnerabilities in web applications. The OWASP Testing Guide also includes information on testing tools (most of them are OWASP tools) as well as techniques that can be used. The OWASP Testing Guide is considered by software security experts and thought leaders such as Dr. Gary McGraw to be one of the best pieces of intellectual property ever produced by OWASP.

Saturday, October 03, 2009

Cybercrime risk mitigation: a critical view of compliance from threat analysis perspective

I recently had the opportunity to give presentations for OWASP in Los Angeles and Orange County together with the Application Threat Modeling book co-author, Tony Ucedavelez. Both Tony and I believe that application threat modeling can help organizations understand cyber-threats and identify countermeasures to mitigate them proactively. We also think that compliance with security standards is no guarantee of "immunity" from becoming a target and victim of cybercrime and fraud, hence the intentionally provocative topic of our presentation: "The rise of threat analysis and the fall of compliance in mitigating cyber-crime risks". We take a critical view of compliance, especially PCI-DSS, and we advocate putting compliance in the perspective of business risk mitigation. To support our view, we start by looking at how the PCI-DSS security standard drives application security through compliance, to highlight the fact that the two largest data breaches of credit card data ever reported occurred at companies that were compliant with the PCI-DSS security standard. We also analyze these data breaches for the business impact they caused, and we compare the cost of not being compliant with the cost of the business impact caused by the breach: based upon publicly disclosed data (the 2007 TJX data breach) we find that, overall, the cost of non-compliance is one order of magnitude less than what it will cost an organization to cover the overall business impact of the data breach incident (e.g. millions for non-compliance compared with billions for business impact).

There is a strong and compelling case, based upon vulnerability data alone, that compliance does not buy security for your organization but only a minimum level of information security assurance: when vulnerabilities are mitigated for compliance's sake, for example to fulfil a compliance requirement (e.g. a vulnerability assessment), the data from MITRE shows that at best the organization will mitigate 45% of all known vulnerabilities (e.g. the 600 included in the MITRE CWE study).

We use this data to advocate that the remaining 55% of ways to exploit known issues can be assessed by adopting threat analysis and risk mitigation techniques that cover a larger attack space than compliance security assessments do. These threat analysis techniques include, for example, (1) gathering cyber-intelligence on attacks from public sources such as law enforcement (e.g. FBI, Secret Service), (2) learning about attack scenarios and likely targets with attack tree analysis, (3) determining the possible abuses of the application's business logic using use and abuse cases, (4) identifying the attack vectors used against web sites so that application defenses can be tested, and (5) finally, developing countermeasures at the application layer with threat modeling/architecture risk analysis.

The threat mitigation mantras are: (1) you can only mitigate the threats you know of; (2) know your enemy so you can build your defenses. Being threat aware means being threat intelligent. To know your enemy means proactive risk awareness: as organizations defending against cyber-attacks, we need to be aware that cyber-criminals already assume you have been compliant with PCI-DSS and have mitigated known vulnerabilities in order to protect credit card data.

Fraudsters also know that organizations have implemented multi-factor authentication and fraud detection, in compliance with the FFIEC guidelines for authentication.

We basically need to be aware of the new, bigger cybercrime threat and how it might affect us. For example, cyber criminals can buy or lease sophisticated automated attack tools called botnets to commit fraud. These botnets can direct attacks against banking customers by exploiting browser vulnerabilities, as well as against on-line banking sites by bypassing strong authentication and data filtering controls. Cyber-crimes include fraud (e.g. wire transfers to money mule accounts) as well as stealing credit card and confidential data for resale in the underground economy or to forge credit and debit cards.


Understanding how these threat scenarios might affect your organization in terms of threat analysis means answering: (1) is my organization a possible target? (2) what is the data asset that an attacker/fraudster will most likely go after? (3) which attack vectors will he use? (4) which potential vulnerabilities can be exploited, and where? (5) which countermeasures can I design and deploy at the application layer?

Threat analysis of security controls must be the driver for design of countermeasures:

To test defensive controls at the application layer, we need to identify the attack vectors (both manual and automated) and use them against the authenticated and unauthenticated entry points of our application, validate the authorization levels required, and walk through the data flows (from client to back end) to test for potential vulnerabilities. The aim of this data flow threat analysis is to locate and identify the countermeasures that can be designed and deployed at each layer and component of the architecture (client, server processes and data).

We emphasize that for security compliance to be effective for security, it needs to enforce actionable threat assessments. We advocate a new risk mitigation strategy that looks at compliance with a positive security approach rather than a negative security approach. The positive security approach consists of proving the positive effect of defenses in mitigating threats; the negative security approach consists of proving the gaps in applying standards and security controls. Positive security is driven by threat analysis as a positive factor for building better security controls against new threats; negative security is driven by compliance as a way to prove the negative, that is, that your organization failed in applying standards and policies.

We conclude that, even if there is still value in compliance for security as validation against a minimum level of security requirements, the approach that most organizations take toward compliance does not help security and derails the organization's effort from focusing on effective threat risk mitigation. To improve security, organizations need to reconsider compliance: being compliant will not guarantee protection of your core business assets against cyber-crime threats. Compliance is just one piece of the risk mitigation strategy; compliance security assessments can be an effective mitigation against cyber-crime threats only when they are driven by cyber-crime intelligence and application threat modeling techniques.

An abstract of the presentation is included herein: On August 5, 2009, Federal prosecutors charged Albert Gonzalez with the largest case of credit and debit card data theft ever to have occurred in the United States: 130 million credit card numbers obtained by hacking into Heartland Payment Systems, Hannaford Brothers, 7-Eleven and two unnamed national retailers. Both Heartland and Hannaford were compliant with the PCI-DSS security standard at the time they were compromised, which calls into question the validity of regulatory compliance frameworks, and specifically compliance with PCI-DSS standards, as an effective method to reduce data breaches, identity theft and the proliferation of credit card fraud. This presentation will further analyze the cost of the data breaches by monetizing the losses as reported in quarterly earnings reports (e.g. TJX) as well as the impact on stock price (e.g. HPY) at the time of public disclosure of these data breaches. Monetizing data breaches helps to frame non-compliance risks as a factor of business impact and to dispel further the myth that being compliant equals being secure.


Traditional compliance-driven security assessment efforts such as penetration testing, static code analysis and standard compliance gap analysis will be compared to threat analysis techniques in order to demonstrate how cybercrime risks can be mitigated by understanding threat scenarios through cyber-intelligence: cases of reported cybercrime attacks will be presented as a way to determine the threat landscape and the attack scenarios. Attacker motives and the means to achieve them will be analyzed using attack tree analysis: attack trees allow one to study cyber attacks against web applications, breaches of credit card data, as well as ATM fraud. Use and misuse cases will be used to evaluate the strength of security controls such as multi-factor authentication against known cyber-attacks such as MiTM, and as a way to elicit requirements for security controls (e.g. secure logins). Examples of attack vectors for testing applications against code injection attacks as well as cybercrime attacks (e.g. HTML-IFRAME injection attack vectors and drive-by download) will be provided using attack vector analysis. Data Flow Diagram (DFD) analysis and architecture risk analysis examples will be presented to provide a viable, consistent methodology to identify the entry points for attack vectors, identify user access levels, enumerate threats, and determine threats, attacks, vulnerabilities and countermeasures. Security by deployment and security by design principles will be elaborated as strategic countermeasures with reference to three-tier architectures and security by design architecture principles. Finally, risk mitigation strategies against cybercrime attacks will be discussed, starting with self-awareness questions.
The presentation re-affirms that compliance risks need to be approached by organizations as a factor of business risk, and advocates threat risk modeling and application threat modeling as actionable processes for mitigating cybercrime risks to web applications.
By using threat tree analysis, for example, it is possible to analyze the effectiveness of security controls such as MFA in mitigating threats such as man-in-the-middle attacks, and to find out that most of them are ineffective. By identifying the targets of attacks with attack trees, we also find that browser vulnerabilities facilitate drive-by download, man-in-the-middle and man-in-the-browser attacks, and that these vulnerabilities represent the weakest security link. Only after cyber-crime targets are analyzed and visualized with attack trees is it possible to understand the different avenues of attack used by the fraudsters. By associating a cost with achieving each step of the attack tree, it is possible to walk through the attack methods that cost the least for an attacker to succeed.
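The costed attack-tree walk described in the last paragraph (and the attack tree analysis mentioned in the abstract), as an added example that is not code from the presentation or from the Application Threat Modeling book: an AND/OR tree for the on-line banking fraud scenario is evaluated for its cheapest path, then re-evaluated after a countermeasure raises the cost of one leaf. The node names and the relative cost units are constructed for illustration, not measured data.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Attack tree node: an AND node needs every child, an OR node needs any one.
@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "LEAF", "AND" or "OR"
    cost: float = 0.0           # attacker cost, meaningful for leaves only
    children: List["Node"] = field(default_factory=list)

def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Minimum attacker cost to reach this goal, plus the leaf steps used."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    branches = [cheapest(c) for c in node.children]
    if node.kind == "AND":      # all children required: costs add up
        return (sum(b[0] for b in branches),
                [step for b in branches for step in b[1]])
    if node.kind == "OR":       # any child suffices: attacker picks cheapest
        return min(branches, key=lambda b: b[0])
    raise ValueError(f"unknown node kind {node.kind!r}")

def with_countermeasure(node: Node, leaf: str, added: float) -> Node:
    """Copy of the tree in which a countermeasure raises one leaf's cost."""
    if node.kind == "LEAF":
        extra = added if node.name == leaf else 0.0
        return Node(node.name, "LEAF", node.cost + extra)
    return Node(node.name, node.kind, 0.0,
                [with_countermeasure(c, leaf, added) for c in node.children])

def leaf_node(name: str, cost: float) -> Node:
    return Node(name, "LEAF", cost)

# Constructed tree (hypothetical costs) for the banking fraud scenario.
TREE = Node("Fraudulent transfer from a customer account", "OR", children=[
    Node("Man-in-the-browser on the customer's endpoint", "AND", children=[
        Node("Compromise the browser", "OR", children=[
            leaf_node("Drive-by download against an unpatched browser", 2),
            leaf_node("Malware delivered by phishing attachment", 5)]),
        leaf_node("Alter the transaction inside the authenticated session", 3)]),
    Node("Man-in-the-middle relay of credentials and OTP", "AND", children=[
        leaf_node("Lure the customer to a look-alike site", 4),
        leaf_node("Relay the one-time password within its validity window", 3)]),
    Node("Credential theft without session hijack", "AND", children=[
        leaf_node("Phish the static password", 1),
        leaf_node("Defeat the second factor directly", 12)]),
])

if __name__ == "__main__":
    print("cheapest path:", cheapest(TREE))
    # Browser patching/hardening raises the drive-by cost; re-walk the tree.
    hardened = with_countermeasure(
        TREE, "Drive-by download against an unpatched browser", 8)
    print("after browser hardening:", cheapest(hardened))
```

The MFA leaf is never on the cheapest path, which is the point the tree makes: the attacker routes around the control through the browser, so hardening that leaf is what moves the cheapest path.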