Cybersecurity Best Practices and OWASP Overview

cyber thursday n.w
1 / 37
Embed
Share

Explore the importance of security misconfiguration and insufficient logging & monitoring in cybersecurity. Learn about OWASP's Top 10 vulnerabilities and how to mitigate these risks effectively.

  • Cybersecurity
  • OWASP
  • Security Misconfiguration
  • Logging & Monitoring
  • Cyber Threats
rayaanacharya
pridi Follow

Uploaded on | 1 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. CYBER THURSDAY Meeting Venues: Bellinis Retreat -Voyager Charminar - Pritech Room# 5 H2, 5th floor, Romania Time: 2.00 P.M. 3:30 P.M (IST) Request all participants to be on mute. Any queries/doubts can be asked in meeting chat box. They can be discussed at the end of session. Quiz Link: join.quizizz.com Please provide your feedback post session CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 1

  2. C1 1 9 - M A R - 2 5 CYBER THURSDAY CYBER THURSDAY Security Misconfiguration and Insufficient Logging & Monitoring Week

  3. TABLE OF CONTENTS 1. ABOUT CYBERSEC COE 2. OWASP OVERVIEW 3. A6:2017-SECURITY MISCONFIGURATION 4. EXPLOITATION 5. SECURITY MISCONFIGURATION MITIGATION 6. A10:2017-INSUFFICIENT LOGGING & MONITORING 7. QUIZ!!! 8. QUESTION?? 9. SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING - REPEAT CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 3

  4. 1 1 ABOUT US

  5. Highly technical skilled internal team ABOUT CYBERSEC COE Technical infrastructure (Acunetix, Burp Suite) on Cloud for assessment Renowned Cyber Security Vendors onboarded PWC, Synopsys, Paladion, Aujas etc. GSC Tech Assessment Vendor Tech Assured counter audit / retest post vulnerability fixes by BL Assessment 30-50% savings over Paris vendor Can be leveraged for regular / new product assessment, retest etc. Faster turn around time as compare to Paris vendors Service Offering Security Driven Secure Coding development lifecycle threat modelling, static testing, dynamic testing etc. Remediation Services Development Skills to support remediation for applications developed in different programming languages Java, .Net etc. CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 5

  6. 2 2 OWASP TOP 10

  7. ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT(OWASP) OWASP is an open community dedicated to enabling organizations to promote security within applications. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. OWASP Top 10: The "Top Ten", first published in 2003, is regularly updated.It aims to raise awareness about application security by identifying some of the most critical risks facing organizations. OWASP Top 10 Application Security Risks 2017 identified following most critical and common vulnerabilities:- A1:2017-Injection A2:2017-Broken Authentication A3:2017-Sensitive Data Exposure A4:2017-XML External Entities (XXE) A5:2017-Broken Access Control A6:2017-Security Misconfiguration A7:2017-Cross-Site Scripting (XSS) A8:2017-Insecure Deserialization A9:2017-Using Components with Known Vulnerabilities A10:2017-Insufficient Logging&Monitoring https://en.wikipedia.org/wiki/OWASP, https://www.owasp.org/index.php/Top_10-2017_Top_10, CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 7

  8. 3 3 A6:2017-SECURITY MISCONFIGURATION

  9. A6:2017 A6:2017- -SECURITY MISCONFIGURATION SECURITY MISCONFIGURATION Exploit unpatched flaws Access default accounts Unused Pages Unprotected files and directories USE USE ACCESS ACCESS Attacker System CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 9

  10. A6:2017 A6:2017- -SECURITY MISCONFIGURATION SECURITY MISCONFIGURATION Common Security Misconfiguration issues:- Default accounts and their passwords enabled or unchanged Bypass Login page and get access to admin console Some Common Credentials are: 1. Apache Tomcat tomcat : tomcat 2. MySQL root : 3. MsSQL sa : admin 4. Oracle SYSTEM : oracle 5. SSH administrator : password 6. Telnet admin : admin 7. Postgres postgres : postgres https://slideplayer.com/slide/5697400/ CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 10

  11. A6:2017 A6:2017- -SECURITY MISCONFIGURATION SECURITY MISCONFIGURATION Common Security Misconfiguration issues:- The software is outdated or vulnerable Some outdated software and their vulnerabilities: 1. Google Chrome 2018 Version Some attacks like Code Execution, Denial of Service 2. Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 Remote Code Execution, CSRF 3. Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 Code Execution 4. Microsoft IIS version 5.0 through 6.0 Buffer Overflow, Remote Code Execution CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 11

  12. A6:2017 A6:2017- -SECURITY MISCONFIGURATION SECURITY MISCONFIGURATION Common Security Misconfiguration issues:- The server does not send security headers or directives or they are not set to secure values. Some Misconfigured Headers are: 1. Origin: evil.com -> Access Control Allow Origin: evil.com Allows Cross Origin Resource Sharing 2. X-Forwarded-Host: evil.com Allows URL Redirection 3. Missing Strict Transport Security / HSTS header: Allows data to be transported over insecure channel CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 12

  13. A6:2017 A6:2017- -SECURITY MISCONFIGURATION SECURITY MISCONFIGURATION Common Security Misconfiguration issues:- Unused features are enabled or installed (e.g. unnecessary ports, services, pages, accounts, or privileges) Some HTTP request methods which have security impacts are as follows: 1. The PUT method can be used to upload any kind of malicious data to the server 2. The DELETE method on the other hand is used to remove any resources from the web server. This form of attack can be used to delete configuration files 3. the CONNECT method can be used to create an HTTP tunnel for requests. If the attacker knows the resource, he can use this method to connect through a proxy and gain access to unrestricted resources CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 13

  14. CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/201914

  15. HANDS-ON DEFAULT CREDENTIALS SCENARIO #1 These sample applications have known security flaws attackers use to compromise the server. If one of these applications is the PhpMyAdmin console, and default accounts aren't changed, the attacker logs in with default passwords and takes over. CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 15

  16. HANDS-ON DEFAULT CREDENTIALS ATTACK!!! CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 16

  17. A6:2017 A6:2017- -SECURITY MISCONFIGURATION SECURITY MISCONFIGURATION DEFAULT CREDENTIALS Mitigation The solution to this is to always update passwords once a new software is installed. It is also often recommended to use something less obvious that is harder to enumerate as a reference. E.g., A Strong password consists of Alphanumeric characters and Special Characters. Best practice policy: https://www.digicert.com/blog/creating-password-policy-best- practices/ CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 17

  18. HANDS-ON BANNER GRABBING SCENARIO #2 Disclosure of backend technology stack version through response header or by allowing detailed error messages, e.g. stack traces, to be returned to users. This potentially exposes sensitive information or underlying flaws such as component versions that are known to be vulnerable CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 18

  19. HANDS-ON BANNER GRABBING ATTACK!!! CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 19

  20. A6:2017 A6:2017- -SECURITY MISCONFIGURATION SECURITY MISCONFIGURATION BANNER GRABBING Mitigation A task to review and update the configurations appropriate to all security notes, updates and patches as part of the patch management process Review cloud storage permissions (e.g. S3 bucket permissions). Don t expose server version in response from server. CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 20

  21. HANDS-ON CORS SCENARIO #3 A cloud service provider has default sharing permissions open to the Internet by other CSP users. This allows sensitive data stored within cloud storage to be accessed. CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 21

  22. HANDS-ON CORS ATTACK!!! CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 22

  23. A6:2017 A6:2017- -SECURITY MISCONFIGURATION SECURITY MISCONFIGURATION CORS Mitigation Access-Control-Allow-Origin should be never set to * if the resource contains sensitive information The mitigation is simple and just a proper configuration. Configure the Access-Control-Allow-Origin header to allow requests only from the domains that you trust. Make sure that in server side validation for checking the origin header value, you are comparing with absolute value and NOT with regular expression CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 23

  24. HANDS-ON HTTP Insecure Methods Enabled : PUT SCENARIO #4 An application has enabled PUT method in its requests without validation. Attacker can replace any page such as index.php on the webpage or even upload malicious files. May lead to Remote Code Execution. CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 24

  25. HANDS-ON HTTP Insecure Methods Enabled : PUT ATTACK!!! CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 25

  26. A6:2017 A6:2017- -SECURITY MISCONFIGURATION SECURITY MISCONFIGURATION HTTP Insecure Methods Enabled : PUT httpd.conf file configurations for Apache Configuration in web.xml for Tomcat CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 26

  27. 4 4 A10:2017-INSUFFICIENT LOGGING & MONITORING

  28. A10:2017-INSUFFICIENT LOGGING & MONITORING LOGGING Recording Events as they Occur Insufficient logging, detection, monitoring and active response occurs any time: Auditable events, such as logins, failed logins, and high-value transactions are not logged. Warnings and errors generate no, inadequate, or unclear log messages. Application and APIs are not monitored for Logs of applications suspicious activity. Logs are only stored locally. Appropriate alerting thresholds and response escalation processes are not in place or effective. The application is unable to detect, escalate, or alert for active attacksin real time or near real time. Apache Logs CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 28

  29. SCENARIO #1 An open source project forum software run by small team was hacked using a flaw in its software. The attackers managed to wipe out the internal source code repository containing the next version Attacker Hacked Deleted Files Although the source could be recovered, the lack of monitoring, logging or alerting led to a far worse breach Recovered Files DATABASE DATABASE EMPTY CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 29

  30. A10:2017-INSUFFICIENT LOGGING & MONITORING Mitigation Ensure all login, access control failures, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts, and held for sufficient time to allow delayed forensic analysis. Ensure that logs are generated in a format that can be easily consumed by a centralized log management solutions. Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append- only database tables or similar. Establish effective monitoring and alerting such that suspicious activities are detected and responded to in a timely fashion. Establish or adopt an incident response and recovery plan, such as NIST 800-61 rev 2 or later. CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 30

  31. 5 5 QUIZ TIME!!

  32. 6 6 QUESTIONS? Write to us @ list.gsc-cybersec@socgen.com

  33. 7 7 SECURITY MISCONFIGURATION & INSUFFICIENT LOGGING & MONITORING

  34. 8 8 CONTACT US

  35. CONTACTS Organizational Structure & Escalation Ladder Tittle: CyberSec COE Head Name: Rajesh Bhasin Email: Rajesh.Bhasin@socgen.com Title: Cyber Security Architect Name: Bharath Srinivasan Email: Bharath.Srinivasan@socgen.com Title: CyberSec Analysts Email: list.gsc-cybersec@socgen.com BSC Allies Title: CyberSec Specialists Name/s: Abhishek SURESH BABU & Vinitha RAVINDRAN Emails: abhishek.suresh-babu@socgen.com;vinitha.ravindran@socgen.com CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 35

  36. STAY TUNED TO OUR JIVE GROUP https://sbc.safe.socgen/groups/cyber-security-center-of-excellence-coe CYBER THURSDAY: SECURITY MISCONFIGURATION AND INSUFFICIENT LOGGING & MONITORING WEEK C1 07/11/2019 36

Related


PayGuard User Guide - Logging in and Using the Phone Keypad

PayGuard User Guide - Logging in and Using the Phone Keypad

leyton
Role of Security Champions in Organizations

Role of Security Champions in Organizations

irvin
Importance of Logging and Traceability in Cybersecurity

Importance of Logging and Traceability in Cybersecurity

arjun
NIMH Clinical Research Education and Monitoring Program Overview

NIMH Clinical Research Education and Monitoring Program Overview

eyad
Roles of a Security Partner

Roles of a Security Partner

zaara
Challenges and Future of EU Environmental Law Enforcement

Challenges and Future of EU Environmental Law Enforcement

claudia
Metamodel-based Photovoltaic Monitoring System for Renewable Energies at Hongik University

Metamodel-based Photovoltaic Monitoring System for Renewable Energies at Hongik University

myfanwy
Security Onion: Network Security Monitoring Tools

Security Onion: Network Security Monitoring Tools

sadhbh
Food Security and Nutrition Monitoring Survey Round 22 Trends

Food Security and Nutrition Monitoring Survey Round 22 Trends

barclay
Framework for Building National Forest Monitoring Systems for REDD+

Framework for Building National Forest Monitoring Systems for REDD+

finnigan
Developing Monitoring Tools for Programmatic Oversight

Developing Monitoring Tools for Programmatic Oversight

zdild
Exciting Updates and Developments in the Community - March 2024

Exciting Updates and Developments in the Community - March 2024

dezl_14
Unpredictable Arctic Monitoring Framework for Extreme Event Integration

Unpredictable Arctic Monitoring Framework for Extreme Event Integration

tre_ki
FMCSA's Electronic Logging Device Rule

FMCSA's Electronic Logging Device Rule

jahni
Effective Monitoring Practices for Federal Programs in Education

Effective Monitoring Practices for Federal Programs in Education

marah
Advancements in Online Saw Monitoring for Wood Industry 4.0

Advancements in Online Saw Monitoring for Wood Industry 4.0

biza
Importance of Field Monitoring in Adventure Activities

Importance of Field Monitoring in Adventure Activities

alawr
VFC-400 Vaccine Monitoring Data Logger Kit Operations Overview

VFC-400 Vaccine Monitoring Data Logger Kit Operations Overview

taer519
Comprehensive Overview of GLAAS, SDG Monitoring, and Goal 6 Indicators

Comprehensive Overview of GLAAS, SDG Monitoring, and Goal 6 Indicators

kaisleepe
IPv6 Security and Threats Workshop Summary

IPv6 Security and Threats Workshop Summary

lori_4
Advanced Database Transactions and Recovery Concepts

Advanced Database Transactions and Recovery Concepts

donaldson_a
The Art of Logging: An Exploration with Apache Log4j 2 by Gary Gregory

The Art of Logging: An Exploration with Apache Log4j 2 by Gary Gregory

laveo

More Related Content