Page 1

Those who…

…security is never enough!

Luca Bechelli
Information & Cyber Security Advisor – Partner4Innovation

Board and Technical-Scientific Committee

Page 2

Those who…

…after all, I only have a few pieces of software that I had a local company I know write for me. They're good!

Page 3

Some things never change…

What changed from 2013 to 2017?

Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We've completely refactored the OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, re-written each risk from the ground up, and added references to frameworks and languages that are now commonly used.

Over the last few years, the fundamental technology and architecture of applications has changed significantly:

• Microservices written in node.js and Spring Boot are replacing traditional monolithic applications. Microservices come with their own security challenges including establishing trust between microservices, containers, secret management, etc. Old code never expected to be accessible from the Internet is now sitting behind an API or RESTful web service to be consumed by Single Page Applications (SPAs) and mobile applications. Architectural assumptions by the code, such as trusted callers, are no longer valid.

• Single page applications, written in JavaScript frameworks such as Angular and React, allow the creation of highly modular feature-rich front ends. Client-side functionality that has traditionally been delivered server-side brings its own security challenges.

• JavaScript is now the primary language of the web with node.js running server side and modern web frameworks such as Bootstrap, Electron, Angular, and React running on the client.

New issues, supported by data:

• A4:2017-XML External Entities (XXE) is a new category primarily supported by source code analysis security testing tools (SAST) data sets.

New issues, supported by the community:

We asked the community to provide insight into two forward looking weakness categories. After over 500 peer submissions, and removing issues that were already supported by data (such as Sensitive Data Exposure and XXE), the two new issues are:

• A8:2017-Insecure Deserialization, which permits remote code execution or sensitive object manipulation on affected platforms.

• A10:2017-Insufficient Logging and Monitoring, the lack of which can prevent or significantly delay malicious activity and breach detection, incident response, and digital forensics.

Merged or retired, but not forgotten:

• A4-Insecure Direct Object References and A7-Missing Function Level Access Control merged into A5:2017-Broken Access Control.

• A8-Cross-Site Request Forgery (CSRF), as many frameworks include CSRF defenses, it was found in only 5% of applications.

• A10-Unvalidated Redirects and Forwards, while found in approximately 8% of applications, it was edged out overall by XXE.

OWASP Top 10 - 2013 → OWASP Top 10 - 2017

A1 – Injection → A1:2017-Injection

A2 – Broken Authentication and Session Management → A2:2017-Broken Authentication

A3 – Cross-Site Scripting (XSS) ↘ A3:2017-Sensitive Data Exposure

A4 – Insecure Direct Object References [Merged+A7] ✗ A4:2017-XML External Entities (XXE) [NEW]

A5 – Security Misconfiguration ↘ A5:2017-Broken Access Control [Merged]

A6 – Sensitive Data Exposure ↗ A6:2017-Security Misconfiguration

A7 – Missing Function Level Access Control [Merged+A4] ✗ A7:2017-Cross-Site Scripting (XSS)

A8 – Cross-Site Request Forgery (CSRF) ✗ A8:2017-Insecure Deserialization [NEW, Community]

A9 – Using Components with Known Vulnerabilities → A9:2017-Using Components with Known Vulnerabilities

A10 – Unvalidated Redirects and Forwards ✗ A10:2017-Insufficient Logging & Monitoring [NEW, Community]

RN – Release Notes, OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://owasp.org
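Two of the categories in the release notes above, A4:2017 (XXE) and A10:2017 (Insufficient Logging and Monitoring), can be illustrated together with a small defender-side gate for XML received from untrusted callers. The following is an added example, not code from the slides, from OWASP or from Clusit; it assumes a service that accepts XML from outside, uses only Python's standard-library expat binding, and the sample documents, the `order`/`item` element names and the `file:///PLACEHOLDER/...` system id are constructed for the example. The gate inspects a document for the DOCTYPE and external-entity declarations that XXE relies on without resolving anything, refuses such documents, and writes a structured audit event so the attempt is visible rather than silently dropped.

```python
# Added example (not from the slides, OWASP or Clusit): a defender-side gate
# for XML from untrusted callers. It (1) inspects a document for DOCTYPE /
# external-entity declarations without resolving anything and (2) rejects
# such documents while writing a structured audit event, so the attempt
# becomes visible. Only the standard-library expat binding is used; the
# sample documents, element names and the file:///PLACEHOLDER system id
# are constructed for this example.
import json
import logging
import xml.parsers.expat as expat
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

log = logging.getLogger("xml-gate")


class XmlRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (the vehicle for XXE)."""


@dataclass
class XmlAudit:
    """Findings of the pre-parse inspection."""
    has_doctype: bool = False
    # (entity name, system id) for each entity declared with SYSTEM or PUBLIC
    external_entities: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    elements: List[str] = field(default_factory=list)


def audit_xml(data: bytes) -> XmlAudit:
    """Report what a document declares without ever resolving an entity.

    expat delivers DOCTYPE and entity declarations from the internal subset
    through callbacks. No ExternalEntityRefHandler is installed, so a
    reference to an external entity is skipped rather than fetched.
    """
    audit = XmlAudit()
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        audit.has_doctype = True

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:
            audit.external_entities.append((name, sysid))

    def on_start(name, attrs):
        audit.elements.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return audit


def parse_untrusted(data: bytes, source: str = "unknown") -> List[str]:
    """Hardened parse for untrusted input: any DOCTYPE is refused before
    element content is processed, and the refusal is logged as JSON so a
    monitoring rule can count repeated attempts per source (A10)."""
    elements: List[str] = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        log.warning(json.dumps({"event": "xml.doctype_rejected",
                                "source": source, "doctype": name}))
        raise XmlRejected(f"DOCTYPE not allowed in untrusted XML (source={source})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)
    return elements


def gate_status(data: bytes, source: str = "unknown") -> str:
    """Convenience wrapper: 'accepted' or 'rejected' for a document."""
    try:
        parse_untrusted(data, source)
    except XmlRejected:
        return "rejected"
    return "accepted"


# Constructed sample documents (not captured traffic).
CLEAN_XML = b'<?xml version="1.0"?><order id="42"><item sku="bolt-m8"/></order>'
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/local-path">]>'
           b'<order id="42"><item>&ext;</item></order>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_XML), ("doctype", XXE_XML)):
        a = audit_xml(doc)
        print(label, "doctype:", a.has_doctype, "external entities:",
              a.external_entities, "gate:", gate_status(doc, source="demo"))
```

Refusing every DOCTYPE is deliberately coarser than blocking only external entities: it also removes internal-entity expansion tricks, and it is the setting most XML libraries expose as "disallow DTDs". The JSON event carries the caller identity so that the rejection count per source can feed the same detection pipeline the A10 category calls for.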

Page 4

Attack techniques (compared with 2H 2017)

+37% Known Vulnerabilities

Page 5

SQL Injection

-100%!! (compared with 2H 2017)

Page 6

Those who…

Hey! I'm not a bank!

Page 7

The victims

(typically in order to hit their users), such attacks continue in 1H 2018, intensifying and growing by 69%.

For the reasons illustrated above, in 1H 2018 the “Multiple Targets” category (18%) again takes first place overall, once more overtaking the “Gov” sector, down to 15%, which from 2011 to 2016 had always held first place in our study.

Compared with 2017, “Banking/Finance” keeps third place (11%), while “Health” jumps to fourth place (10%), together with “Online Services / Cloud” (10%).

“Software/Hardware Vendor”, “Research/Education” and “Entertainment/News” rise to 7%, while “Critical Infrastructures” rises to 4% and the “Others” category (partly because of the introduction of the new “Multiple Targets” category) falls to 3%.

This chart makes it easy to appreciate the extraordinary increase in serious attacks carried out in parallel against multiple targets (hence with potentially systemic impact) during the period 2017 – 1H 2018.

[Figure: Type and distribution of victims, 1H 2018: Multiple targets 18%; Gov - Mil - LE - Intelligence 15%; Banking / Finance 11%; Health 10%; Online Services / Cloud 10%; SW / HW Vendor 7%; Entertainment / News 7%; Research - Education 7%; Critical Infrastructures 4%; Others 3%; Hospitability 3%; GDO / Retail 2%; Organization - ONG 1%; Automotive 1%; Gov. Contractors / Consulting 1%; Telco 1%]

© Clusit - Rapporto 2018 sulla Sicurezza ICT in Italia - Aggiornamento Giugno 2018

[Figure: Type and % distribution of victims, 2014 – 1H 2018 (y-axis 0%–25%; x-axis 2014, 2015, 2016, 2017, 2018)]

© Clusit - Rapporto 2018 sulla Sicurezza ICT in Italia - Aggiornamento Giugno 2018

Page 8

Those who…

What could they possibly do to me? I make bolts!

Page 9

Page 10

From the latest data…

• total economic damage of around 500 billion dollars

• damage increased fivefold in 6 years

• 730 serious attacks with economic and reputational damage and loss of sensitive data: +31.77% compared with the previous half-year

• cybercrime as a motive grows by 35%, reaching 80% of all attacks

Page 11

Those who…

…and anyway, if I secure the PCs I'm fine, right?

Page 12

Mobilis in mobile

Page 13

Page 14

Page 15

Those who…

…if it ever happens, I've got a sysadmin who's good at fixing things…

Page 16

Breach timeline

When breaches are successful, the time to compromise continues to be very short. While we cannot determine how much time is spent in intelligence gathering or other adversary preparations, the time from first action in an event chain to initial compromise of an asset is most often measured in seconds or minutes. The discovery time is likelier to be weeks or months. The discovery time is also very dependent on the type of attack, with payment card compromises often discovered based on the fraudulent use of the stolen data (typically weeks or months) as opposed to a stolen laptop which is discovered when the victim realizes they have been burglarized.

Let’s get the obvious and infeasible goal of “Don’t get compromised” out of the way. A focus on understanding what data types are likely to be targeted and the application of controls to make it difficult (even with an initial device compromise) to access and exfiltrate is key. We do not have a lot of data around time to exfiltration, but improvements in that metric, combined with time to discovery can result in the prevention of a high-impact confirmed data breach.

[Figure 10. Time span of events: breach timelines, share of breaches (0%–60%) by time span (Seconds, Minutes, Hours, Days, Weeks, Months, Years) for Compromise (n=171), Exfiltration (n=56), Discovery (n=562) and Containment (n=82)]

A matter of speed


Page 17

Those who…

…I've already done my bit!

Page 18

Attack techniques (compared with 2H 2017)

+140% 0-day

+48% APT

…and malware, malware, MALWARE!

Page 19

Fine, but I have antivirus

(1) Worldwide, the Azure cloud encounters the same piece of malware only once in more than 97% of cases

Page 20

Nothing new under the sun?

Page 21

How capable are we of evolving?

Overview of the most significant cyber attacks of 2017

© Clusit 2018

DDoS attack volume. The chart below shows the volume of DDoS attacks during the year. The mitigation platform used to protect customers handles, every month, attacks that occupy between 20 Gbps and 200 Gbps of bandwidth. As can be seen, the trend is growing, especially in the second half of the year, with attack peaks of over 180 Gbps in September 2017. Compared with 2016, which recorded average attack values of 11 Gbps, this year stands at 59 Gbps: a significant increase of about 6 times the average recorded last year.

[Figure 7 - Total monthly bandwidth used by DDoS attacks (Fastweb data for 2017): y-axis 0–200 Gbps; x-axis Jan–Dec 2017]

How long does a DDoS attack last? DDoS attack techniques and the related mitigation methods evolve over time. Over the years, as defence techniques have consolidated, the average duration of attacks has decreased. This year over 95% of attacks lasted less than 3 hours, while the remaining cases are mainly attributable to several attempts made in close succession. It is important to stress, however, that 3% of them last more than 24 consecutive hours.

Page 22

Those who…

…fine, but what are the others doing?

Page 23

…in Italy too

Sample: 1107 Italian organisations

2017: €1090 million

2016: €976 million

+12%

Page 24

Main reasons for spending

Data obtained through statistical processing of a sample of 947 micro, small and medium-sized enterprises (between 2 and 249 employees)

Page 25

Those who…

…I'd really like to… the problem is my bosses… they don't understand…

Page 26

Awareness is growing…

Page 27

Those who…

…and the GDPR?

Page 28

THANK YOU. Questions?

Luca Bechelli
Board and Technical-Scientific Committee
[email protected]
twitter.com/luca_bechelli
https://www.facebook.com/bechelli.luca
http://www.linkedin.com/in/lucabechelli