Presentation is loading. Please wait.

Presentation is loading. Please wait.

© iViZ Security Inc 0 May 2013 Bikash Barai, Co-Founder & CEO Why Current Security Solutions Fail?

Published byGwendoline Cook Modified over 8 years ago

Similar presentations

Presentation on theme: "© iViZ Security Inc 0 May 2013 Bikash Barai, Co-Founder & CEO Why Current Security Solutions Fail?"— Presentation transcript:

1 © iViZ Security Inc 0 May 2013 Bikash Barai, Co-Founder & CEO Why Current Security Solutions Fail?

2 © iViZ Security Inc 1 May 2013 Introduction About iViZ – Cloud based Application Penetration Testing – Zero False Positive Guarantee – Business Logic Testing with 100% WASC coverage – 400+ customers. IDG Ventures Funded. – Gartner Hype Cycle mention About myself – Co-founder and CEO of iViZ – Worked in areas of AI, Anti-spam filters, Multi stage attack simulation etc – Love AI, Security, Entrepreneurship, Magic /Mind Reading

3 © iViZ Security Inc 2 May 2013 Vulnerabilities in Security Products

4 © iViZ Security Inc 3 May 2013 Symantec Email Appliance(9.5.x) DescriptionRating Out-of-band stored-XSS - delivered by emailCritical XSS (both reflective and stored) with session-hijackingHigh Easy CSRF to add a backdoor-administrator (for example)High SSH with backdoor user account + privilege escalation to rootHigh Ability for an authenticated attacker to modify the Web- application High Arbitrary file download was possible with a crafted URLMedium Unauthenticated detailed version disclosureLow Credits: Brian Smith

5 © iViZ Security Inc 4 May 2013 Trend Email Appliance(8.2.0.X) DescriptionRating Out-of-band stored-XSS in user-portal - delivered via emailCritical XSS (both reflective and stored) with session-hijackingHigh Easy CSRF to add a backdoor-administrator (for example)High Root shell via patch-upload feature (authenticated)High Blind LDAP-injection in user-portal login-screenHigh Directory traversal (authenticated)Medium Unauthenticated access to AdminUI logsLow Unauthenticated version disclosureLow Credits: Brian Smith

6 © iViZ Security Inc 5 May 2013 Microsoft Auto-update Hijacking MD5 collision attack to generate a counterfeit copy of a Microsoft Terminal Server Licensing Service certificate. Used the counterfeit certificate to sign code such that malware appeared like genuine Microsoft code and hence remained undetected.

7 © iViZ Security Inc 6 May 2013 Preboot Authentication Attacks iViZ identified flaws in numerous BIOS’s and pre- boot authentication and disk encryption software – Bitlocker, TrueCrypt, Mcaffee Safeboot, DriveCryptor, Diskcryptor, LILO, GRUB, HP Bios, Intel/Lenevo BIOS found to be vulnerable. Flaws resulted in disclosure of plaintext pre-boot authentication passwords. In some cases, an attacked could bypass pre-boot authentication.

8 © iViZ Security Inc 7 May 2013 Vulnerabilities in Anti-Virus Discovered by iViZ Security Antivirus products process different types of files having different file-formats. We found flaws in handling malformed compressed, packed and binary files in AVG, Sophos, Avast etc Some of the file formats for which we found flaws in AV products are – ISO, RPM, ELF, PE, UPX, LZH

9 © iViZ Security Inc 8 May 2013 More Vulnerabilities in AV products Detection Bypass – CVE-2012-1461: The Gzip file parser in AVG Anti- Virus, Bitdefender, F-Secure, Fortinet antiviruses, allows remote attackers to bypass malware detection via a.tar.gz file Denial of Service (DoS) – CVE-2012-4014: Unspecified vulnerability in McAfee Email Anti-virus (formerly WebShield SMTP) allows remote attackers to cause a denial of service via unknown vectors.

10 © iViZ Security Inc 9 May 2013 Vulnerabilities in VPN products Remote Code Execution – CVE-2012-2493: Cisco AnyConnect Secure Mobility Client 2.x does not properly validate binaries that are received by the downloader process, which allows remote attackers to execute arbitrary code. – CVE-2012-0646: Format string vulnerability in VPN in Apple iOS before 5.1 allows remote attackers to execute arbitrary code via a crafted racoon configuration file.

11 © iViZ Security Inc 10 May 2013 Report Findings

12 © iViZ Security Inc 11 May 2013 About the Report/Study iViZ used databases such as the Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and National Vulnerability Database (NVD) for the Analysis

13 © iViZ Security Inc 12 May 2013 Key Findings Vulnerabilities increasing at CAGR of 37.29% over the last 3 Years. Anti-Virus accounts for 49% of the vulnerabilities, next Firewall (24%) Top 3 Security vendors with maximum vulnerabilities: McAfee, Cisco followed by Symantec. Top 3 Security products with maximum vulnerabilities: Rising-Global’s Antivirus, Cisco’s Adaptive Security Appliance and Ikarus Virus Utilities. Access Control is the most prominent weakness in Security Products followed by Input Validation. SQL Injection is the least found vulnerability among Security products

14 © iViZ Security Inc 13 May 2013 Vulnerability Trends In All ProductsIn Security Products

15 © iViZ Security Inc 14 May 2013 Vulnerability by Product Types in 2012

16 © iViZ Security Inc 15 May 2013 Vulnerabilities by Vendors

17 © iViZ Security Inc 16 May 2013

18 © iViZ Security Inc 17 May 2013 Comparative Analysis

19 © iViZ Security Inc 18 May 2013 5 Predictions.. We predict an increase in attacks on security products, companies or solutions APT and Cyber-warfare makes “Security Products” as the next choice Majority of vulnerabilities discovered will not become public and shall remain in the hands of APT actors Security Products are “High Pay-off” targets since they are present in most systems More vulnerabilities would be sold in Zero Day – Black Market

20 © iViZ Security Inc 19 May 2013 What should we do to protect us? Test and Don’t Trust (blindly): Conduct proper due diligence of the security product Ask for audit reports Patch security products like any other product Treat security tools in similar manner as other tools during threat modeling Have proper detection and monitoring solutions and multi-layer defense

21 © iViZ Security Inc 20 May 2013 Thank You bikash@ivizsecurity.com Blog: http://blog.ivizsecurity.com/ Linkedin: http://www.linkedin.com/pub/bikash- barai/0/7a4/669 Twitter: https://twitter.com/bikashbarai1 bikash@ivizsecurity.comhttp://blog.ivizsecurity.com/http://www.linkedin.com/pub/bikash- barai/0/7a4/669https://twitter.com/bikashbarai1 DISCLAIMER We have used well known vulnerability standards and database like Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and Nation Vulnerability Database (NVD). One of the major challenges we faced was in classifying the products into security and non- security products, as the current product standard (CPE) does not support it. We solved this challenge by considering that security products have certain keywords like, ‘ ID‘virus’, ‘firewall‘, ‘IPS‘, ‘scan’ etc. Hence there are chances of some date being missed and the report should be considered as indicative. iViZ disclaims all warranties, expressed or implied, with respect to this research for any particular purpose.

Download ppt "© iViZ Security Inc 0 May 2013 Bikash Barai, Co-Founder & CEO Why Current Security Solutions Fail?"

Similar presentations

Webgoat.

Webgoat.
Incident Response Managing Security at Microsoft Published: April 2004.

Incident Response Managing Security at Microsoft Published: April 2004.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
7 Effective Habits when using the Internet Philip O’Kane 1.

7 Effective Habits when using the Internet Philip O’Kane 1.
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.

Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.

Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Www.sophos.com Sophos anti-virus and anti-spam for business OARNET October 13, 2004.

Sophos anti-virus and anti-spam for business OARNET October 13, 2004.
Customized solutions. Keep It Secure Contents  Protection objectives  Endpoint and server software  Protection.

Customized solutions. Keep It Secure Contents  Protection objectives  Endpoint and server software  Protection.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Viruses, Hacking, and AntiVirus. What is a Virus? A type of Malware – Malware is short for malicious software A virus – a computer program – Can replicate.

Viruses, Hacking, and AntiVirus. What is a Virus? A type of Malware – Malware is short for malicious software A virus – a computer program – Can replicate.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Barracuda Spam & Virus Firewall. Introduction to the Barracuda Spam & Virus Firewall Complete email server protection –Spam Blocking (95+ percent) Extremely.

Barracuda Spam & Virus Firewall. Introduction to the Barracuda Spam & Virus Firewall Complete server protection –Spam Blocking (95+ percent) Extremely.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Similar presentations

Ads by Google