CYBER TRENDS & INDUSTRY PENETRATION TESTING
Technology Risk Supervision Division, Monetary Authority of Singapore


A NEW DAWN
- New Services / Mobile Application, NFC, FAST
- Technology / Biometrics, Big Data, Analytics, Cloud, Blockchain
- Payment Methods / Virtual currencies
- Interconnectivity / Globalisation, network reach
- Cyber threats / APTs, Zero Days, DDoS
- Anonymous / Hacktivism, Political

MAJOR CYBER ATTACKS (2013 - 2015)
2013
- Feb 2013 - US$40M coordinated ATM heist across the globe.
- Mar 2013 - Phase 3 of Operation Ababil DDoS campaign on US banks.
- Mar 2013 - Computer networks of 3 major banks and 2 large broadcasters in South Korea paralysed.
- Dec 2013 - 40M credit/debit cards compromised at Target.
2014
- Jan 2014 - Contractor walked out from credit bureau with credit card details of 20M South Koreans on a thumbdrive.
- Feb 2014 - Mt. Gox hacked. 850k bitcoins (~US$450M) lost.
- Feb 2014 - comgateway hacked. 90k credit cards compromised. A third from Singapore.
- Apr 2014 - Critical Heartbleed vulnerability in OpenSSL disclosed.
- May 2014 - 233M customer records compromised at eBay.
- Aug 2014 - JP Morgan Chase compromised. 83 million records of households/small businesses leaked.
- Nov 2014 - Sony Pictures hacked. Personnel information, emails, unreleased movies leaked. Computer systems crippled.
2015
- Venom, Dyre, 400+Gbps DDoS, FREAK, LogJam, DD4BC, Ransomware, Duqu

"Robbing one person at a time using a knife or gun doesn't scale well. But now one person can rob millions at the click of a button." - Marc Goodman of the Future Crimes Institute

TECHNOLOGY RISK SUPERVISION
Pillars: SUPERVISION, POLICY, SURVEILLANCE (across the FINANCIAL SECTOR)
- On-site inspections / Supervisory visits
- Off-site reviews
- Regular engagements
- Issuance of Guidelines and Notices
- Cyber Security Initiatives

WHAT IS PENETRATION TESTING? (PT? VA?)
- 9.4.4: The FI should carry out penetration tests in order to conduct an in-depth evaluation of the security posture of the system through simulations of actual attacks on the system. The FI should conduct penetration tests on internet-facing systems at least annually.
- "Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access." - SANS Institute
- "PT provides a snapshot of the security posture or point-in-time security assessment of the FI's systems and infrastructure." - ABS Penetration Testing Guidelines, May 14

OBJECTIVE
1. Develop a set of Penetration Testing (PT) guidelines for the financial sector
2. 11 FIs participated in the IPT (Industry Penetration Testing)
3. Analyse PT results and refine guidelines
4. Publish PT guidelines and share key findings with ABS members

DEVELOPMENT OF IPT GUIDELINES
- Referenced reputable sources on PT standards:
  - PTES (Penetration Testing Execution Standard) Technical Guidelines
  - OWASP Top Ten
  - CWE, CVSS, CAPEC standards
- Reviewed by senior technical specialists from participating FIs
- The PT guideline covered key areas including scope, methodology, vendor selection criteria and reporting requirements
- [Figure: Scope of PT]

DELIVERING A SECURE APPLICATION
- Requirements Gathering: Functional, Non-functional
- Secure Development: Source code review, Non-functional tests
- Secure Deployment: Hardening, PT / VA
- Secure Operations: Security monitoring, Firewall

This (PT / VA) should not be the final step in your SDLC process.

PT ANALYSIS
- To ensure consistency in our analysis, 2 key standards were used:
  - Common Weakness Enumeration (CWE)
  - Common Vulnerability Scoring System (CVSS)
- To ensure independence, FIs were asked to engage a third party to perform the PT and assess the severity of the issues identified.

COMMON WEAKNESS ENUMERATION (CWE)
- CWE is a community-developed dictionary of software weakness types: flaws in a software's architecture, design, code or implementation that can lead to exploitable security vulnerabilities.
- The MITRE Corporation maintains CWE.
- Examples of CWE:
  - CWE-200 Information Disclosure
  - CWE-79 Cross-site Scripting
  - CWE-598 Information Exposure Through Query Strings in GET Request


COMMON VULNERABILITY SCORING SYSTEM (CVSS)
- CVSS provides a universal, open and standardized method for rating IT vulnerabilities.
- Developed by FIRST, an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs.
- Risk rating by CVSSv2 score:

  Risk Rating | CVSSv2 Score
  High        | 7.0 - 10.0
  Medium      | 4.0 - 6.9
  Low         | 0.0 - 3.9

FINDINGS
- Key observations across all FIs
- Common weaknesses identified
- Top 10 high-risk vulnerabilities according to CVSS base scores

COMMON WEAKNESSES IDENTIFIED

CWE-200: INFORMATION EXPOSURE
- Information Exposure Through an Error Message
- Web Server Version Disclosure
- Clear Text Storage of Sensitive Information in a Cookie
An information exposure can provide information about the product or its environment that could be useful in an attack.

CWE-310: CRYPTOGRAPHIC ISSUES
- Use of a Broken or Risky Cryptographic Algorithm
- Inadequate Encryption Strength
- Missing Encryption of Sensitive Data

CWE-284: IMPROPER ACCESS CONTROL
- Vertical Privilege Escalation
- Web Server Supports Basic Authentication
- Improper Restriction of Excessive Authentication Attempts

CWE-20: IMPROPER INPUT VALIDATION
- Cross-site Scripting (XSS)
- SQL Injection
- Pathname Traversal

CWE-89: SQL INJECTION
CWE hierarchy: CWE-17 Code > CWE-18 Source Code > CWE-19 Data Handling > CWE-20 Improper Input Validation > CWE-89 SQL Injection
- Without sufficient validation (removal or quoting) of SQL syntax in user-controlled inputs, the generated SQL query can cause those inputs to be interpreted as SQL rather than as data.
- This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands.
- SQL injection has become a common issue with database-driven web sites.

CWE-89: SQL INJECTION (MITIGATION AND DETECTION)
- Potential mitigations: input field validation, application firewall
- Detection methods: automated static analysis, dynamic analysis, manual static analysis of source code
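As an added illustration of the CWE-89 mechanism and the input-validation mitigation named on the slide (example code, not from the MAS deck), the same login query is written once with string splicing and once with bound parameters against a constructed in-memory SQLite table; the table contents and the allow-list pattern are assumptions for the example.

```python
import re
import sqlite3

# Constructed stand-in for an FI's user table (sample data, not from the slides).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "customer"), ("bob", "hunter2", "admin")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """CWE-89: user input is spliced into the SQL text, so any SQL syntax it
    carries is parsed as part of the query rather than treated as data."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_parameterised(conn, username, password):
    """Hardened form: the query structure is fixed before any user value is
    bound, so the driver always treats the inputs as plain values."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

def valid_username(username):
    """Input field validation (the slide's first mitigation): an allow-list
    rule applied before the value reaches the database layer (assumed pattern)."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", username) is not None

# An input that carries SQL syntax. With string splicing the WHERE clause becomes
# ... AND password = '' OR '1'='1', which matches every row.
SQL_SYNTAX_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "alice", "s3cret"))         # alice
    print(login_vulnerable(conn, "x", SQL_SYNTAX_INPUT))     # a username: check bypassed
    print(login_parameterised(conn, "x", SQL_SYNTAX_INPUT))  # None: input stayed data
    print(valid_username(SQL_SYNTAX_INPUT))                  # False: rejected up front
```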

TOP 10 HIGH-RISK VULNERABILITIES
1. SQL injections*
2. Cross Site Scripting*
3. Information Exposure Through an Error Message*
4. Insecure Cookies
5. Cacheable SSL Pages
6. Validation performed on client-side only
7. Admin interfaces configured with default credentials
8. Unpatched/outdated systems*
9. Core Dump Enabled
10. OpenSSL 'ChangeCipherSpec' MiTM Vulnerability
Note: Based on CVSS v2 Base Score. A vulnerability with a score >= 7.0 is classified as High-risk. Vulnerabilities noted may not be easily exploitable as there are layered controls in FIs' environments (e.g., login credentials, system access).
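Several of the CWE-200 examples and Top 10 items above (web server version disclosure, clear-text sensitive data in a cookie, insecure cookies, cacheable SSL pages) are visible in a single HTTP response. The following added example (not from the MAS deck) audits constructed response headers for those four conditions; the sensitive cookie-name list and the two sample responses are assumptions for the example.

```python
import re

# Cookie names indicating clear-text sensitive data (constructed list for this example).
SENSITIVE_COOKIE_NAMES = {"password", "passwd", "pwd", "nric", "cardno", "acctno"}

def parse_headers(raw):
    """Split a raw HTTP response into (name, value) pairs, keeping repeated Set-Cookie headers."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            break                   # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def audit_response(raw, over_tls=True):
    """Return findings named after the slide's weaknesses; [] means none were observed."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "server" and re.search(r"\d", value):
            findings.append(f"CWE-200 web server version disclosure: {value}")
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            if over_tls and "secure" not in attrs:
                findings.append(f"insecure cookie, missing Secure: {cookie}")
            if "httponly" not in attrs:
                findings.append(f"insecure cookie, missing HttpOnly: {cookie}")
            if cookie.lower() in SENSITIVE_COOKIE_NAMES:
                findings.append(f"CWE-200 clear-text sensitive data in cookie: {cookie}")
    cache_control = dict(headers).get("cache-control", "")
    if over_tls and "no-store" not in cache_control.lower():
        findings.append("cacheable SSL page: Cache-Control lacks no-store")
    return findings

# Constructed responses: one showing the weaknesses, one with them fixed.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix)
Set-Cookie: JSESSIONID=ABC123; Path=/
Set-Cookie: password=hunter2; Path=/
Cache-Control: private"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: JSESSIONID=ABC123; Path=/; Secure; HttpOnly
Cache-Control: no-store"""
```

audit_response(WEAK_RESPONSE) returns seven findings (version disclosure, two cookies each missing Secure and HttpOnly, the clear-text password cookie, and the cacheable page), while audit_response(HARDENED_RESPONSE) returns an empty list.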

POINTS TO NOTE
While efforts were made to align the scope and methodology as much as possible, these factors will affect the results of the PT:
- Skill and judgement of the penetration tester(s)
- Date of the last PT performed on the system
- The period since security fixes and patches were applied to the system
- Major system enhancements prior to the IPT

WHAT'S NEXT?
- Issuance of PT guidelines
- ABS SCCS to share observations and recommendations
- Next IPT
- Accreditation of penetration testers