APPLICATIONS ARE: the business; the reason people use the Internet; the gateway to DATA; the target.
765: average number of apps in use per enterprise
6 min: time before it's scanned
If vulnerable, you could be PWND in <2 hrs
1/3: mission critical
[Diagram: attacks mapped to application tiers (the same diagram appeared twice in the deck)]
Client: man-in-the-browser, session hijacking, malware, cross-site request forgery
DNS: DNS hijacking, DDoS, DNS spoofing, DNS cache poisoning, man-in-the-middle
Network: DDoS, eavesdropping, protocol abuse, man-in-the-middle
TLS: certificate spoofing, protocol abuse, session hijacking, key disclosure, DDoS
Access: credential theft, credential stuffing, session hijacking, brute force, phishing, dictionary attacks, cross-site scripting
App services: abuse of functionality, man-in-the-middle, DDoS, malware, API attacks, injection, cross-site scripting, cross-site request forgery
[Chart: breach data, 10 years / 26 countries vs. 2017 / 4 US states: 53% vs. 30%; 33% vs. 26%]
[Chart: Injection, PHP & SQL, by target: PHP 58%, SQL 56%, Exchweb 6%, Comments 4%, Cart 3%, Betablock 2%, Admin 2%, Affiliates 1%, Login 1%]
2013 OWASP Top 10
1. Injection
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards
2017 OWASP Top 10
1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring
Access Attacks
[Chart: access attack breakdown, values 5%, 23%, 26%, 34%, 9%, 3%; category labels not recoverable]
Clients are phished, malware installed: banking Trojans, fraud Trojans
Fraud targets = any site with a login page
Affected Devices
[Timeline: thingbots discovered 2008 to 2018, grouped as on the slide; year per group not recoverable]
7 bots: SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter
1 bot: Brickerbot
2 bots: WireX, Reaper
3 bots: Mirai, BigBrother, Rediation
1 bot: Remaiten
1 bot: Moon
1 bot: Aidra
1 bot: Hydra
3 bots: Satori Fam, Amnesia, Persirai
6 bots: Masuta, PureMasuta, Hide 'N Seek, JenX, OMG, DoubleDoor
1 bot: Crash override
1 bot: Gafgyt Family
2 bots: Darlloz, Marcher
1 bot: Psyb0t
4 bots: Hajime, Trickbot, IRC Telnet, Annie
Affected device types: CCTV DVRs, WAPs, set-top boxes, media centers, Android, wireless chipsets, NVR surveillance, Busybox platforms, smart TVs, VoIP devices, cable modems, ICS, SOHO routers, iOS, IP cameras
74% discovered in the last 2 years
Thingbot Attack Type
[Same timeline, overlaid with attack type]
Attack types: DNS hijack, DDoS, PDoS, proxy servers, unknown…, rent-a-bot, install-a-bot, multi-purpose bot, fraud trojan, ICS protocol monitoring, Tor node, sniffer, credential collector, crypto-miner
Shifting from primarily DDoS to multi-purpose
2017 Study on Mobile and IoT Application Security
https://www.arxan.com/resources/downloads/2017-study-mobile-iot-application-security-whitepaper
1. Understand Your Environment
CISO'S #1 MISSION: Prevent Downtime
EVERYONE'S #1 CHALLENGE: Visibility
2. Reduce Your Attack Surface
Sub domains hosting other versions of the main application site
Dynamic web page generators
HTTP headers and cookies
Admin interfaces
Apps/files linked to the app
Web service methods
Helper apps on client (Java, Flash)
Server-side features such as search
Web pages and directories
Shells, Perl/PHP
Data entry forms
Administrative and monitoring stubs and tools
Events of the application: triggered server-side code
Backend connections through the server (injection)
APIs
Cookies/state tracking mechanisms
Data/active content pools: the data that populates and drives pages
CRITICAL VULNERABILITIES
Every 9 hrs a vulnerability is released
Attackers are weaponizing in <24 hrs
ATTACKED!
[Diagram: vulnerability response flow: Does it apply to you? Has a patch been released? Did you test it? Did you apply it? Branch labels: configuration, WAF]
3. Prioritize Defenses Based on Attacks
Focus OpEx & CapEx spend
[Diagram labels: Sys Admins, Execs, Identities, Misconfigurations, Desktops, HR, Accounting, Twitter, Company website, People search engines, Laptops, Phones]
© 2018 F5 Networks
[Diagram: CLIENT / INTEGRITY / DEFENSE; "53% of breaches start here"; "33% of breaches start here"]