Those who…
…security is never enough!
Luca Bechelli, Information & Cyber Security Advisor – Partner4Innovation
Board and Technical-Scientific Committee
Those who…
…come on, I only have a bit of software that I had built by a local company I know. They're good!
Some things never change…
What changed from 2013 to 2017?
Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We've completely refactored the OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, re-written each risk from the ground up, and added references to frameworks and languages that are now commonly used.
Over the last few years, the fundamental technology and architecture of applications has changed significantly:
• Microservices written in node.js and Spring Boot are replacing traditional monolithic applications. Microservices come with their own security challenges, including establishing trust between microservices, containers, secret management, etc. Old code never expected to be accessible from the Internet is now sitting behind an API or RESTful web service to be consumed by Single Page Applications (SPAs) and mobile applications. Architectural assumptions by the code, such as trusted callers, are no longer valid.
• Single page applications, written in JavaScript frameworks such as Angular and React, allow the creation of highly modular, feature-rich front ends. Client-side functionality that has traditionally been delivered server-side brings its own security challenges.
• JavaScript is now the primary language of the web, with node.js running server side and modern web frameworks such as Bootstrap, Electron, Angular, and React running on the client.
New issues, supported by data:
• A4:2017-XML External Entities (XXE) is a new category primarily supported by source code analysis security testing tool (SAST) data sets.
New issues, supported by the community:
We asked the community to provide insight into two forward-looking weakness categories. After over 500 peer submissions, and removing issues that were already supported by data (such as Sensitive Data Exposure and XXE), the two new issues are:
• A8:2017-Insecure Deserialization, which permits remote code execution or sensitive object manipulation on affected platforms.
• A10:2017-Insufficient Logging and Monitoring, the lack of which can prevent or significantly delay malicious activity and breach detection, incident response, and digital forensics.
Merged or retired, but not forgotten:
• A4-Insecure Direct Object References and A7-Missing Function Level Access Control merged into A5:2017-Broken Access Control.
• A8-Cross-Site Request Forgery (CSRF): as many frameworks include CSRF defenses, it was found in only 5% of applications.
• A10-Unvalidated Redirects and Forwards: while found in approximately 8% of applications, it was edged out overall by XXE.
OWASP Top 10 - 2013 -> OWASP Top 10 - 2017
A1 – Injection -> A1:2017-Injection (unchanged)
A2 – Broken Authentication and Session Management -> A2:2017-Broken Authentication (unchanged position)
A3 – Cross-Site Scripting (XSS) -> A7:2017-Cross-Site Scripting (XSS) (moved down)
A4 – Insecure Direct Object References [Merged+A7] -> A5:2017-Broken Access Control [Merged]
A5 – Security Misconfiguration -> A6:2017-Security Misconfiguration (moved down)
A6 – Sensitive Data Exposure -> A3:2017-Sensitive Data Exposure (moved up)
A7 – Missing Function Level Access Control [Merged+A4] -> A5:2017-Broken Access Control [Merged]
A8 – Cross-Site Request Forgery (CSRF) -> retired
A9 – Using Components with Known Vulnerabilities -> A9:2017-Using Components with Known Vulnerabilities (unchanged)
A10 – Unvalidated Redirects and Forwards -> retired
(new) -> A4:2017-XML External Entities (XXE) [NEW]
(new) -> A8:2017-Insecure Deserialization [NEW, Community]
(new) -> A10:2017-Insufficient Logging & Monitoring [NEW, Community]
Release Notes (RN), OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://owasp.org
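The release notes above list A8:2017-Insecure Deserialization as permitting remote code execution, without showing why. The Python block below is an added example written for this page (it is not OWASP's or the speaker's material): a "session" loader that trusts pickle, the attacker-controlled object that turns pickle.loads into a call of the attacker's choosing, and two mitigations: an opcode scan plus an allow-listing unpickler, and the preferred move to a data-only format with schema validation. Session, Evil, record and both payloads are constructed for the demo; record stands in for os.system.

```python
import io
import json
import pickle
import pickletools

EXECUTED = []  # side effects observed during deserialization (demo bookkeeping)


def record(tag):
    """Stand-in for os.system & co.: the callable pickle runs on the attacker's behalf."""
    EXECUTED.append(tag)
    return tag


class Session:
    """The only type the application legitimately expects to deserialize."""

    def __init__(self, user, role):
        self.user, self.role = user, role


class Evil:
    """__reduce__ tells the unpickler: rebuild me by calling record("pwned")."""

    def __reduce__(self):
        return (record, ("pwned",))


def attacker_payload() -> bytes:
    return pickle.dumps(Evil())  # constructed malicious stream


def legit_payload() -> bytes:
    return pickle.dumps(Session("alice", "user"))  # constructed benign stream


def load_session_unsafe(blob: bytes):
    # VULNERABLE: every global named in the stream is imported and, via REDUCE/NEWOBJ, called.
    return pickle.loads(blob)


# --- detection without loading: list the globals the stream would import ---
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "SHORT_BINSTRING", "BINSTRING"}


def referenced_globals(blob: bytes):
    """(module, name) pairs from GLOBAL (protocol <= 3) and STACK_GLOBAL (protocol >= 4).
    Simplification: STACK_GLOBAL operands are taken as the two most recent string opcodes;
    a stream that reuses memoized strings via BINGET would need full stack tracking."""
    strings, found = [], []
    for op, arg, _ in pickletools.genops(blob):
        if op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":            # arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
    return found


ALLOWED = {(Session.__module__, "Session")}


def is_safe_to_unpickle(blob: bytes) -> bool:
    return all(g in ALLOWED for g in referenced_globals(blob))


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list enforced at load time, independent of the opcode scan."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return Session
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_session_restricted(blob: bytes):
    """Returns ("ok", Session) or ("rejected", reason); never runs attacker callables."""
    try:
        obj = RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)
    if not isinstance(obj, Session):
        return "rejected", "not a Session"
    return "ok", obj


def load_session_json(text: str):
    """Preferred fix: a data-only format plus explicit schema validation."""
    try:
        data = json.loads(text)
    except ValueError:
        return "rejected", "not JSON"
    if not isinstance(data, dict) or set(data) != {"user", "role"}:
        return "rejected", "unexpected shape"
    if not isinstance(data["user"], str) or data["role"] not in ("user", "admin"):
        return "rejected", "bad field values"
    return "ok", Session(data["user"], data["role"])


if __name__ == "__main__":
    print("unsafe load ->", load_session_unsafe(attacker_payload()), EXECUTED)
    print("globals in payload ->", referenced_globals(attacker_payload()))
    print("restricted ->", load_session_restricted(attacker_payload()))
```

The restricted unpickler is the fallback when a pickle-based protocol cannot be replaced; the JSON loader is the fix the OWASP entry actually recommends, because a data-only format has no opcode that imports and calls code. The opcode scan is useful as a detection control (log and alert on any pickle carrying a global outside the allow list) rather than as the sole defence.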
Attack techniques (vs. 2H 2017)
+37% Known Vulnerabilities
SQL Injection: -100%!! (vs. 2H 2017)
Those who…
Hey! I'm not a bank!
The victims
(typically in order to hit their users), such attacks continue in 1H 2018 as well, intensifying and growing by 69%.
For the reasons illustrated above, in 1H 2018 too the category “Multiple Targets” (18%) ranks first overall, once again overtaking the “Gov” sector, which falls to 15% and had always held first place in our study from 2011 to 2016.
Compared with 2017, “Banking/Finance” keeps third place (11%), while “Health” jumps to fourth place (10%), level with “Online Services/Cloud” (10%).
“Software/Hardware Vendor”, “Research/Education” and “Entertainment/News” rise to 7%, “Critical Infrastructures” rises to 4%, and the “Others” category (partly because of the introduction of the new “Multiple Targets” category) falls to 3%.
This chart makes it easy to appreciate the extraordinary increase, over the period 2017 – 1H 2018, in serious attacks carried out in parallel against multiple targets (and therefore with potentially systemic impact).
Type and distribution of victims, 1H 2018:
Multiple targets 18%
Gov - Mil - LE - Intelligence 15%
Banking / Finance 11%
Health 10%
Online Services / Cloud 10%
SW / HW Vendor 7%
Entertainment / News 7%
Research - Education 7%
Critical Infrastructures 4%
Others 3%
Hospitability 3%
GDO / Retail 2%
Organization - ONG 1%
Automotive 1%
Gov. Contractors / Consulting 1%
Telco 1%
© Clusit - Rapporto 2018 sulla Sicurezza ICT in Italia - Aggiornamento Giugno 2018
[Figure: Type and % distribution of victims, 2014 - 1H 2018 (one series per year: 2014, 2015, 2016, 2017, 2018; y-axis 0–25%).]
Those who…
What could they ever do to me? I make bolts!
From the latest data…
• overall economic damage of about 500 billion dollars
• damage quintupled in 6 years
• 730 serious attacks causing economic and reputational damage and loss of sensitive data: +31.77% vs. the previous half-year
• the cybercrime motive grows by 35%, reaching 80% of all attacks
Those who…
…and then, if I secure the PCs I'm fine, right?
Mobilis in mobile
Those who…
…if it ever happens, I've got a sysadmin who's good at fixing things…
Breach timeline
When breaches are successful, the time to compromise continues to be very short. While we cannot determine how much time is spent in intelligence gathering or other adversary preparations, the time from first action in an event chain to initial compromise of an asset is most often measured in seconds or minutes. The discovery time is likelier to be weeks or months. The discovery time is also very dependent on the type of attack, with payment card compromises often discovered based on the fraudulent use of the stolen data (typically weeks or months) as opposed to a stolen laptop which is discovered when the victim realizes they have been burglarized.
Let’s get the obvious and infeasible goal of “Don’t get compromised” out of the way. A focus on understanding what data types are likely to be targeted and the application of controls to make it difficult (even with an initial device compromise) to access and exfiltrate is key. We do not have a lot of data around time to exfiltration, but improvements in that metric, combined with time to discovery can result in the prevention of a high-impact confirmed data breach.
[Figure 10. Time span of events. Four "Breach timelines" panels, y-axis % of breaches (0–60%), x-axis Seconds, Minutes, Hours, Days, Weeks, Months, Years: Compromise (n=171), Exfiltration (n=56), Discovery (n=562), Containment (n=82).]
A matter of speed
Those who…
…I've already paid my dues!
Attack techniques (vs. 2H 2017)
+140% 0-day
+48% APT
…and malware, malware, MALWARE!
Fine, but I have an antivirus
Worldwide, the Azure cloud encounters a given malware sample only once in more than 97% of cases.
Nothing new under the sun?
How capable are we of evolving?
Overview of the most significant cyber attacks of 2017
© Clusit 2018
DDoS attack volume
The following chart represents the volume of DDoS attacks over the year. The mitigation platform used to protect customers handles, every month, attacks that occupy bandwidth ranging between 20 Gbps and 200 Gbps. As can be seen, the trend is growing, especially in the second half of the year, with attack peaks of over 180 Gbps in September 2017. Compared with 2016, which recorded an average attack size of 11 Gbps, this year stands at 59 Gbps: a major increase, more than five times the average recorded the previous year.
[Figure 7 - Total monthly bandwidth consumed by DDoS attacks (Fastweb data for 2017); x-axis Jan–Dec, y-axis 0–200 Gbps.]
How long does a DDoS attack last?
DDoS attack techniques and the corresponding mitigation methods evolve over time. Over the years, as defensive techniques have matured, the average duration of attacks has decreased. This year over 95% of attacks lasted less than 3 hours, while the remaining cases are mostly attributable to several attempts carried out in close sequence. It is important to note, however, that 3% of these last more than 24 consecutive hours.
Those who…
…okay, but what are the others doing?
…in Italy too
Sample: 1107 Italian organizations
2017: 1090 million €
2016: 976 million €
+12%
Main reasons for spending
Data obtained through statistical processing of a sample of 947 micro, small and medium-sized enterprises (2 to 249 employees)
Those who…
…I would love to… the problem is my bosses… they don't understand…
Awareness is growing…
Those who…
…and what about the GDPR?
THANK YOU. Questions?
Luca Bechelli, Board and Technical-Scientific Committee
[email protected]
https://twitter.com/luca_bechelli
https://www.facebook.com/bechelli.luca
http://www.linkedin.com/in/lucabechelli