Web Applications: Perspective of a Hacker - Challenges for Continental
Thomas Ullrich (CSO), Dr. Bernhard Thomas (CTO)
2012-09-14

IT Security Overview: Agenda

Introduction Continental
Attackers, Threats and Vulnerabilities
Introduction IT Security @ Continental
Web Pentests

© Continental AG


Our Vision: Your Mobility. Your Freedom. Our Signature.

Highly developed, intelligent technologies for mobility, transport and processing make up our world.

We want to provide the best solutions for each of our customers in each of our markets.

All of our stakeholders will thus come to recognize us as the most value-creating, highly reliable and respected partner.

Continental Corporation: Overview 2011

Since 1871 with headquarters in Hanover, Germany
Sales of €30.5 billion
163,788 employees worldwide
269 locations in 46 countries
One of the top 5 in the automotive supplier industry

*) pro forma. Status: December 31, 2011

Continental Corporation: Five Strong Divisions

Continental - Achieving Success From Inner Strength: Our Values

Our four values form the basis of our joint actions.

Together with our vision and mission, our values stand for what drives us forward and how we want to work together.

None of the values takes precedence over any of the others; all four are of equal importance for our sustained success.

We live out our values on a day-to-day basis, bringing our own behaviour into line with them. All employees are role models for their fellow colleagues as well as for business partners, customers and all other stakeholders.


IT Security: Attackers - Threats - Goals

Attackers: Criminals, Hacktivists, Nations/States

Threats

Goals: Confidentiality, Integrity, Availability

Availability: information in IT systems is available to authorized persons when required.

IT Security: The Enemy - "The bad guys"

Criminals
  money mules, parcel (reshipping) mules
  hacking to make money
  stealing data to sell it
  buying and selling infected computers

Hacktivists
  Sony (hacked 37 times in 2011 due to one disgruntled customer)
  Anonymous

Nations / States
  China, Russia
  Stuxnet
  APT

"Over the years, the hackers downloaded business plans, research and development reports, employee emails and other documents."


IT Security: Process for IT Security Management @ Continental

1. Plan & Establish
Input:
• Legal requirements
• Customer requirements
• Business strategy
• IT strategy
• Threat landscape
Activity:
• Define scope, boundaries and principles of ISMS
• Define and document security organization, processes and controls in security policy
• Get management* approval of ISMS
Output:
• ISMS scope and principles (statement of applicability)
• Management approval
• Security policy (policies and manuals) documenting security organization, security processes and security controls

2. Implement
Input:
• ISMS scope and principles
• Management approval
• Security policy
Activity:
• Get approval of security policy
• Publish and train security policy
• Implement security organization**, security processes and security controls
Output:
• Approved and published security policy
• Security plan and implementation of information security organization, processes and controls

3. Monitor & Review
Input:
• Security policy
• Security controls
Activity:
• Monitor security controls
• Conduct security audits
• Analyze changes in threat landscape
• Review ISMS
Output:
• Security metrics regarding operation of security controls
• Security audit reports including location audits, screenings and penetration tests
• Activities and actions resulting from audits

4. Maintain & Improve
Input:
• Security metrics
• Security audit reports and activity list
• Changes in requirements
Activity:
• Manage security exceptions
• Implement activities from audits
• Evaluate if security organization, processes and controls are still applicable
• Communicate to stakeholders
Output:
• Records of changes in security organization, processes and controls due to new requirements
• Information security enhancement plan
• Log of security exceptions

*) Executive board (for all Core Processes)
**) incl. management of resources

IT Security: Framework

Security Rules (Policies, Manuals, Appendices)
Security Organisation
Risk Management
Security Awareness
Defense-in-Depth: Security Measures on Multiple Layers
  Physical
  Network
  System
  Application
  Content


IT Security: The Attack Process Approach

Reconnaissance: gathering information about the target
Enumeration / Scanning: finding areas of attack for targets
Exploitation: attacking vulnerabilities
Documentation: delivering the report (pentester) or selling the data (attacker)

IT Security: Target application

Application environment for tires to manage rewards for tire dealers
Users are tire dealers
Has connection to SAP backend systems

To be tested (black box approach, only URLs are given):
Can a non-tire-dealer access the app?
Can a tire dealer access the data of his competitor?
Can data be falsified (to "steal" rewards)?
Is the system vulnerable to denial of service attacks?
Is it possible to get to the backend through web app vulnerabilities?

IT Security: Vulnerabilities to be evaluated

Vulnerabilities that need to be analysed are not specific to Continental.
A typical list can be found at the Open Web Application Security Project (OWASP):

Injection (especially SQL and LDAP)
Cross Site Scripting
Weak authentication and session management
Insecure direct object reference
Cross Site Request Forgery
Security Misconfiguration
Insufficient Cryptographic Storage
Failure to restrict URL access
Insufficient Transport Layer Protection
Unvalidated redirects and forwards
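The following is an added example, not code from the deck or from Continental's rewards application. It is a constructed, simplified stand-in for the dealer-rewards web app described in the "Target application" slide and walks three of its black-box questions (non-dealer access, access to a competitor's data, data falsification) against two items from the OWASP list above (injection, insecure direct object reference). The table layout, dealer ids, balances and the `session` dictionary standing in for a server-side login record are all assumptions made for illustration; only the Python standard library is used.

```python
"""Constructed model of a dealer-rewards web app (added example, not Continental
code).  Each handler is shown in a vulnerable form next to its hardened form:
SQL injection, insecure direct object reference (IDOR) and client-controlled
data falsification.  Table layout, ids and balances are invented."""
import sqlite3

# Constructed sample data: dealer id, name, reward balance.
DEALERS = [
    (101, "Dealer North", 1500),
    (102, "Dealer South", 2300),
    (103, "Dealer East", 800),
]


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rewards (dealer_id INTEGER PRIMARY KEY, "
               "name TEXT, points INTEGER)")
    db.executemany("INSERT INTO rewards VALUES (?, ?, ?)", DEALERS)
    return db


def balance(db, dealer_id: int) -> int:
    return db.execute("SELECT points FROM rewards WHERE dealer_id = ?",
                      (dealer_id,)).fetchone()[0]


# --- Injection: query text built from the request parameter ------------------
def rewards_vulnerable(db, dealer_id: str):
    """dealer_id is copied verbatim from the URL, e.g. /rewards?dealer=101."""
    sql = "SELECT dealer_id, name, points FROM rewards WHERE dealer_id = " + dealer_id
    return db.execute(sql).fetchall()


def rewards_parameterized(db, dealer_id: str):
    """Bound parameter: the input is only ever compared as a value;
    int() additionally rejects anything that is not a plain number."""
    return db.execute("SELECT dealer_id, name, points FROM rewards "
                      "WHERE dealer_id = ?", (int(dealer_id),)).fetchall()


# --- IDOR: authenticated, but not authorized for the requested object --------
# `session` stands in for the server-side login record (assumed shape).
def rewards_idor(db, session: dict, dealer_id: str):
    """Checks that *someone* is logged in, then trusts the requested id."""
    if "dealer_id" not in session:
        raise PermissionError("login required")
    return rewards_parameterized(db, dealer_id)


def rewards_checked(db, session: dict, dealer_id: str):
    """The requested object must belong to the authenticated dealer."""
    if "dealer_id" not in session:
        raise PermissionError("login required")
    if int(dealer_id) != session["dealer_id"]:
        raise PermissionError("not your data")
    return rewards_parameterized(db, dealer_id)


# --- Data falsification: client-controlled amount in a redemption ------------
def redeem_vulnerable(db, session: dict, points: str) -> int:
    """Trusts the form field; a negative amount *adds* rewards."""
    db.execute("UPDATE rewards SET points = points - ? WHERE dealer_id = ?",
               (int(points), session["dealer_id"]))
    return balance(db, session["dealer_id"])


def redeem_checked(db, session: dict, points: str) -> int:
    """Server-side validation: positive amount, not more than the balance."""
    amount = int(points)
    if amount <= 0 or amount > balance(db, session["dealer_id"]):
        raise ValueError("invalid redemption amount")
    db.execute("UPDATE rewards SET points = points - ? WHERE dealer_id = ?",
               (amount, session["dealer_id"]))
    return balance(db, session["dealer_id"])


def run_checks() -> dict:
    """Runs the deck's black-box questions against both handler versions."""
    db = build_db()
    north = {"dealer_id": 101}          # a logged-in dealer
    r = {}
    # Can a non-dealer (no session) access the app?
    try:
        rewards_checked(db, {}, "101")
        r["anonymous_access"] = True
    except PermissionError:
        r["anonymous_access"] = False
    # Can a dealer read a competitor's data just by changing the id?
    r["idor_vulnerable_rows"] = len(rewards_idor(db, north, "102"))
    try:
        rewards_checked(db, north, "102")
        r["idor_hardened_blocked"] = False
    except PermissionError:
        r["idor_hardened_blocked"] = True
    # Injection: one crafted parameter returns every dealer's row.
    payload = "101 OR 1=1"
    r["sqli_vulnerable_rows"] = len(rewards_vulnerable(db, payload))
    try:
        rewards_parameterized(db, payload)
        r["sqli_hardened_blocked"] = False
    except ValueError:
        r["sqli_hardened_blocked"] = True
    # Can data be falsified to "steal" rewards?
    r["tamper_vulnerable_balance"] = redeem_vulnerable(db, north, "-500")
    try:
        redeem_checked(db, north, "-500")
        r["tamper_hardened_blocked"] = False
    except ValueError:
        r["tamper_hardened_blocked"] = True
    return r


if __name__ == "__main__":
    for check, outcome in run_checks().items():
        print(f"{check:28s} {outcome}")
```

The point of pairing the handlers is the one the "How to use Pentests" slide makes about general issues: the injection and the IDOR are not two bugs but one habit (trusting request data as identity or as query text), and a parameterized query alone does not fix the IDOR, because the authorization check is a separate control.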

IT Security: Results of pentest

Result consists of
  a presentation
  a very detailed report with remediation tasks
  support in understanding the issues

There were findings.
Severity, numbers and details will not be given here.

[Chart: Security Issues by Classification - the more "0"s the better]

IT Security: How to use Pentests

Coverage is reduced to a sample of the complete web app environment
Select good target systems ("crown jewels")!
Only known vulnerabilities will be detected, no 0-day attacks
Don't think you are 100% secure after remediation of all vulnerabilities!
You will "only" be more secure!
A pentest is only effective in a culture of openness and trust
If you will be blamed for found vulnerabilities, a pentest is not for you!
If you only pentest to comply with internal rules, it will not increase IT security!
A pentest is a spot check at a specific time. Vulnerabilities will change. However, issues based on basic principles can be identified.
Do not "just" remediate findings!
Learn from the findings and try to remedy general issues!
Find a pentester that helps you understand and learn from the findings!