8/10/2019 How CA Siteminder Helps Prevent Session Hijacking 56761
Session Hijacking: A New Method of Prevention
The Increasing Importance of Secure Web Application Delivery

Today, the enterprise runs on the Web. Whether it is providing employees around the world with efficient access to information or offering customers products and services, more and more organizations are leveraging the power of online applications.

New access points to the Internet are opened every day. Laptops, tablets and smartphones enable users to log in from anywhere at any time.

But this flexibility presents a dilemma. Successful organizations must balance the need for convenient user access with appropriate security techniques to keep hackers from exploiting access points for e-commerce fraud, identity theft and other malicious activities.
Session Hijacking: Defined

Due to server-side convenience, HTTP is the predominant method for offering users access to web applications. And because HTTP is a stateless protocol, web applications primarily employ cookies to maintain a session state once the user has logged in.

Simple user experience
Maintaining a session state via cookies offers a simple experience for end users: they've proven their identities (and the identities of their devices) via authentication and can move quickly to accessing desired information from an application.

While the need for a favorable user experience is a driving concern for organizations of all sizes, the reliance on the HTTP protocol and HTTP cookies creates vulnerabilities for hackers to steal authenticated sessions.

But this user-friendly experience comes at a cost. Cookies can be stolen, intercepted or replayed.

[Figure: before and after authentication. The server stores no session information; once the user has authenticated, Request 1 is answered with Response 1 + Cookie, and the cookie carries the session from then on, giving a simple user experience.]
Session Hijacking: Understanding the Threat

Session hijacking is not a new phenomenon and has been considered a viable threat since HTTP 1.1. A persistent thorn in the side of IT security, session hijacking is now returning to prominence. In part, this is due to the increased use of stricter security protocols.

As two-factor login, risk-based authentication and other methods become more widespread in the IT security community, hackers have shifted their focus to weaker links in the chain, such as HTTP sessions themselves. For hackers, mimicking the identity of a user via stolen log-in credentials is becoming increasingly difficult. Instead, they are allowing users to create a session and then hijacking that session's credentials to steal data.

Difficulty enabling mobility without increasing risk

The Open Web Application Security Project (OWASP) highlights session hijacking in its report, OWASP Top 10 2013: The Ten Most Critical Web Application Security Risks. OWASP specifically calls out these areas:

Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume the identities of other users.

Cross-site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can steal user sessions, deface websites or redirect the user to malicious sites.

Cross-site Request Forgery (CSRF)
A CSRF attack causes a logged-on victim's browser to send a forged HTTP request to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate. [1]

[1] The Open Web Application Security Project (OWASP), https://www.owasp.org/index.php/Top_10_2013-Top_10 . Licensed under the Creative Commons Attribution-ShareAlike 3.0 license ( http://creativecommons.org/licenses/by-sa/3.0/ ). No changes were made to the content.
Session Hijacking Techniques

As risk-based authentication becomes a stronger hacking deterrent, session hijacking is gaining popularity. Strong authentication is emerging as the impenetrable front door, but there are still critical security weaknesses inherent in HTTP sessions. Some of the specific session hijacking techniques include:

Spoofing attack: unauthorized session access based on falsifying data, such as a replayed or forged session cookie
Man-in-the-middle attack: stealing an in-transit HTTP cookie without the user's knowledge
Man-in-the-browser attack: installation of code in the browser itself to forward data to a third party

Various XSS and CSRF attacks are also common approaches used by hackers and fraudsters. And perhaps more concerning for enterprise security are the unknown types of attacks that are being continually developed and directed against web sessions with increasing frequency.
Single Sign-On as a Threat Multiplier

Single Sign-On (SSO) is rightly regarded as one of the most effective ways to provide a convenient experience: one log-in and the user can access the data needed from multiple applications.

But SSO can also be a hacker's best friend, because hackers can access multiple applications with just one stolen cookie or session token.

[Figure: a user's single sign-on session reaching the CRM server, file server, MAP server and email server.]
Traditional Approaches to Session Hijacking Prevention

Session hijacking techniques and methods of prevention have developed side by side for nearly two decades. Some of the common forms of prevention employed by the enterprise include:

Architectures
Rearranging the network architecture is a typical IT security approach. By reorganizing their IT systems into a hub-and-spoke model, security experts attempt to dramatically limit the spread of cookies to other applications.

Cookie management
IT security teams may also restrict the proliferation of data by instituting rules and best practices around the cookies themselves, for example, limiting usage to hardened cookies, such as those marked Secure and HttpOnly, or scoped host-only (no Domain attribute, so the cookie is not shared with sibling subdomains).

Limited external checking
Focusing on IP addresses is another common approach to verifying the validity of a given session. However, proxies, dynamic IP addresses and other factors can obscure the IP address of the actual device initiating the session, so a legitimate user may be rejected after an address change while an attacker behind the same proxy is accepted.

Timeouts
Limiting the duration of a cookie's validity can also be used to blunt the threat of session hijacking, but the damage may be done by the time a session timeout requires the user to re-authenticate the session.

Although a good starting point, these methods are all riddled with shortcomings that render them ineffective for enterprises that need to reduce the threat of session hijacking and maintain a superior end-user experience while supporting multiple ways to access applications.
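The cookie-based session described under "Session Hijacking: Defined" and the four traditional controls just listed, as an added example that is not part of the original paper and is not CA SiteMinder code: a small Python session layer (every name in it, such as SessionStore, build_set_cookie and FakeClock, is this example's own, and the IP addresses and clock values are constructed) that issues a hardened Set-Cookie header, enforces idle and absolute timeouts, and pins the session to the client IP, then walks through the cases where pinning helps and where it fails.

```python
"""
Added example (not from the CA paper or SiteMinder): a minimal server-side
session layer applying the traditional controls the text lists: cookie
attribute hardening, idle and absolute timeouts and IP pinning, including the
cases where IP pinning fails.  All names here are this example's own.
"""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on lifetime, however active the session

def build_set_cookie(name, value, hardened=True, max_age=ABSOLUTE_TIMEOUT):
    """Set-Cookie header value.  hardened=False is the bare default: the cookie
    travels over plain HTTP, is readable by script (XSS) and rides along on
    cross-site requests (CSRF).  hardened=True adds Secure and HttpOnly (the
    flags the text names), SameSite, and the __Host- prefix, which browsers
    accept only with Secure, Path=/ and no Domain, i.e. host-only."""
    if not hardened:
        return f"{name}={value}"
    return (f"__Host-{name}={value}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={max_age}")

@dataclass
class Session:
    user: str
    client_ip: str
    created: float
    last_seen: float

class SessionStore:
    """Server-side session table; the cookie carries only an opaque id."""

    def __init__(self, pin_ip=False, clock=time.time):
        self._sessions = {}
        self.pin_ip = pin_ip
        self.clock = clock          # injectable so the timeouts can be exercised

    def create(self, user, client_ip):
        sid = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        now = self.clock()
        self._sessions[sid] = Session(user, client_ip, now, now)
        return sid

    def validate(self, sid, client_ip):
        """(user, 'ok') for a live session, else (None, reason)."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "unknown session"
        now = self.clock()
        if now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None, "absolute timeout"
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None, "idle timeout"
        if self.pin_ip and client_ip != s.client_ip:
            return None, "ip mismatch"
        s.last_seen = now
        return s.user, "ok"

class FakeClock:
    """Constructed clock so the walkthrough needs no real waiting."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def time(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds

def demo():
    """Walk through each control; returns the outcome of every check by name."""
    clock = FakeClock()
    store = SessionStore(pin_ip=True, clock=clock.time)
    out = {}
    sid = store.create("alice", "203.0.113.10")           # TEST-NET-3 addresses
    out["cookie"] = build_set_cookie("sid", sid)
    out["fresh"] = store.validate(sid, "203.0.113.10")[1]
    # A stolen cookie replayed from another network: IP pinning catches it...
    out["replay_other_ip"] = store.validate(sid, "198.51.100.7")[1]
    # ...but not from behind the victim's own proxy/NAT, while the victim
    # moving to a new address (mobile, DHCP) is wrongly rejected: the caveat.
    out["replay_same_nat"] = store.validate(sid, "203.0.113.10")[1]
    out["victim_new_ip"] = store.validate(sid, "203.0.113.77")[1]
    clock.advance(IDLE_TIMEOUT + 1)
    out["idle"] = store.validate(sid, "203.0.113.10")[1]
    sid2 = store.create("bob", "203.0.113.20")            # kept active every 10 min
    status = "ok"
    while status == "ok":
        clock.advance(10 * 60)
        status = store.validate(sid2, "203.0.113.20")[1]
    out["active_but_expired"] = status                      # absolute cap still hits
    return out
```

The two IP-pinning outcomes in demo() are the point: a replay from a different network is rejected, but a replay from behind the victim's proxy passes and the victim's own request from a new address is rejected, which is the proxy and dynamic-IP caveat the text raises and the reason the paper moves on to binding the session to the device rather than to the address.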
More-in-the-Middle: An Innovative Approach to Session Hijacking Prevention

By limiting the scope and damage of attacks, traditional approaches to session hijacking have achieved some acceptable level of effectiveness. However, there are new techniques emerging, methods that work in concert with strong authentication, that make it extremely difficult for hackers to steal sessions.

[Figure: the middle layer sits between the user's browser and the website and email server. 1. User logs into website. 2. Before a session token is created, the user is redirected to the DeviceDNA(TM) collection service. 3. DeviceDNA collected. 4. DeviceDNA stored and session token created. 5. User taken to web server with secured session.]

More Control
By adding an interim step between the client and the server, the enterprise can better control the security of a given session.

The user receives a session token not from the server or website, but from the layer in the middle, which ties the session token to the specific device that was used for authentication. This layer serves as an objective check against stolen cookies. Technology that employs this methodology typically re-checks the device's identity on a periodic basis, preventing a fraudster from stealing the cookie and using it to log in to an application.

More Connection
A critical step in this approach is the connection between the SSO cookie and the cookie of any given application. By binding these two tokens together, a hacker cannot take a cookie being used by an application session (for example, a Java session) and use it independently of the web access management session that issued it.

An Active Approach to Session Security
CA SiteMinder r12.52 provides IT with a critical feature: Enhanced Session Assurance with DeviceDNA. This component remembers the device on which the user initially authenticated and then actively compares the settings and history of the user's device against the initial device to further guarantee the identity of the user and the legitimacy of the login attempt. The patent-pending technology from CA RiskMinder that is incorporated provides one of the differentiators that sets this approach apart from traditional methods of session security.
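The three elements described above (a token minted by the middle layer and bound to the device that authenticated, a periodic re-check of that device, and the SSO cookie chained to each application cookie), as an added example that is not CA's or SiteMinder's code: the device fingerprint below is a stand-in for DeviceDNA, whose attribute set the paper does not describe, and every name in it (GATEWAY_KEY, RECHECK_INTERVAL, Gateway, issue_sso_token and the rest) and both device attribute sets are this example's own constructions.

```python
"""Added example (not CA's or SiteMinder's code): a 'layer in the middle' that
binds the SSO token to the authenticating device, chains each application token
to that SSO token and re-checks the device periodically.  The fingerprint stands
in for DeviceDNA, whose attributes the paper does not describe; all names are ours."""
import hashlib
import hmac
import json
import secrets

GATEWAY_KEY = secrets.token_bytes(32)   # known only to the middle layer
RECHECK_INTERVAL = 300                  # seconds between device re-checks

def device_fingerprint(attrs):
    """Hash a canonical encoding of the collected device attributes."""
    canon = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def _mac(key, *parts):
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()

def _split(token):
    payload_hex, mac = token.split(".")          # ValueError if malformed
    return bytes.fromhex(payload_hex).decode(), mac

def issue_sso_token(key, user, device_fp):
    """payload.mac; the MAC covers the device fingerprint, which is deliberately
    NOT carried in the token, so a thief cannot edit it to match a new device."""
    payload = f"{user}|{secrets.token_hex(8)}"
    return payload.encode().hex() + "." + _mac(key, payload, device_fp)

def verify_sso_token(key, token, device_fp):
    """The user if the token is intact AND was issued to this device, else None."""
    try:
        payload, mac = _split(token)
    except ValueError:
        return None
    ok = hmac.compare_digest(mac, _mac(key, payload, device_fp))
    return payload.split("|")[0] if ok else None

def issue_app_token(key, app, sso_token):
    """Application cookie chained to the SSO cookie: its MAC covers the SSO MAC."""
    payload = f"{app}|{secrets.token_hex(8)}"
    return payload.encode().hex() + "." + _mac(key, payload, sso_token.split(".")[1])

def verify_app_token(key, app, app_token, sso_token, device_fp):
    """True only beside an SSO token valid for this device and chained to it."""
    if verify_sso_token(key, sso_token, device_fp) is None:
        return False
    try:
        payload, mac = _split(app_token)
    except ValueError:
        return False
    expected = _mac(key, payload, sso_token.split(".")[1])
    return payload.split("|")[0] == app and hmac.compare_digest(mac, expected)

class Gateway:
    """The layer in the middle: mints the SSO token and re-checks the device."""

    def __init__(self, key=GATEWAY_KEY):
        self.key = key
        self._checked = {}   # sso mac -> (device fingerprint, time last collected)

    def login(self, user, device_attrs, now):
        fp = device_fingerprint(device_attrs)       # steps 2-3: collect DeviceDNA
        sso = issue_sso_token(self.key, user, fp)   # step 4: store it, mint token
        self._checked[sso.split(".")[1]] = (fp, now)
        return sso

    def authorize(self, app, app_token, sso_token, device_attrs, now):
        """Decide one request to `app`; returns (allowed, reason)."""
        sso_mac = sso_token.rsplit(".", 1)[-1]
        if sso_mac not in self._checked:
            return False, "no session"
        fp, checked_at = self._checked[sso_mac]
        if now - checked_at >= RECHECK_INTERVAL:
            # Periodic re-collection (a redirect in the real flow): the device
            # presenting the cookies must still match the one bound at login.
            fp = device_fingerprint(device_attrs)
            self._checked[sso_mac] = (fp, now)
        if verify_sso_token(self.key, sso_token, fp) is None:
            del self._checked[sso_mac]            # revoke, do not merely deny
            return False, "sso token not bound to this device"
        if not verify_app_token(self.key, app, app_token, sso_token, fp):
            return False, "app cookie not chained to this sso session"
        return True, "ok"

def demo():
    """Constructed walkthrough: victim logs in, attacker replays stolen cookies."""
    gw, t, out = Gateway(), 1_000, {}            # t: constructed clock, seconds
    victim = {"ua": "Firefox/68.0 (X11; Linux)", "screen": "1920x1080", "tz": "Europe/Berlin"}
    attacker = {"ua": "Chrome/76.0 (Windows NT 10.0)", "screen": "1366x768", "tz": "America/New_York"}
    sso = gw.login("alice", victim, t)                        # steps 1-4
    crm = issue_app_token(gw.key, "crm", sso)                 # step 5, chained
    out["victim"] = gw.authorize("crm", crm, sso, victim, t + 1)[1]
    # Stolen CRM cookie presented with the attacker's own, legitimate SSO session.
    mallory_sso = gw.login("mallory", attacker, t + 1)
    out["app_cookie_only"] = gw.authorize("crm", crm, mallory_sso, attacker, t + 2)[1]
    # Both cookies stolen and replayed from the attacker's device: accepted until
    # the next device re-check, then the binding fails and the session is revoked.
    out["both_stolen_within_window"] = gw.authorize("crm", crm, sso, attacker, t + 10)[1]
    out["both_stolen_after_recheck"] = gw.authorize("crm", crm, sso, attacker, t + RECHECK_INTERVAL)[1]
    out["victim_after_revoke"] = gw.authorize("crm", crm, sso, victim, t + RECHECK_INTERVAL + 1)[1]
    return out
```

The walkthrough shows the design's real boundary as well as its strength: a stolen application cookie is useless without the exact SSO cookie it was chained to, but two stolen cookies replayed from the attacker's device still work until the next periodic re-check, after which the device binding fails and the whole session is revoked. The re-check interval is therefore the attacker's window, and it should be chosen with that in mind.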
Session Hijacking in Summary

Threat
As web applications dominate the business landscape, session hijacking is increasingly dangerous to the security of the enterprise.
Improvements in authentication methods have shifted hackers' focus away from web session login credentials and toward the actual session.
Session hijacking comes in a variety of guises, including man-in-the-middle and man-in-the-browser attacks.

Traditional Approaches
Enterprise security has been locked in a war of innovation against session hijackers since HTTP 1.1.
Alternate architectures, cookie management and IP checking are some of the common approaches that enterprise security has employed to guard against session hijacking.
These methods provide limited effectiveness and only serve to restrict the inevitable damage.

Technology of Today
More modern approaches involve the insertion of another layer between the client and the server.
This middle layer is controlled by enterprise IT security and serves up the session token to the user, making session hijacking extremely difficult.
To increase the efficacy of this middle layer, the enterprise must link the SSO cookie, and any application cookies in use, to a specific device.
CA Technologies (NASDAQ: CA) is an IT management software and solutions company with expertise across all IT environments, from mainframe and distributed to virtual and cloud. CA Technologies manages and secures IT environments and enables customers to deliver more flexible IT services. CA Technologies' innovative products and services provide the insight and control essential for IT organizations to power business agility. The majority of the Global Fortune 500 relies on CA Technologies to manage evolving IT ecosystems.

About the Solution from CA Technologies

CA SiteMinder Secure SSO & Flexible Access Management can provide your organization enterprise-class secure single sign-on (SSO) and flexible identity access management so that your organization can authenticate users and control access to web applications and portals. Across internet, intranet and cloud applications, it helps enable the secure delivery of essential information and applications to your employees, partners, suppliers and customers via secure single sign-on. It also scales to help you meet your growing business needs with flexible administration tools that can support either centralized or distributed administration.

For more information about preventing session hijacking, visit www.ca.com/secure-sso .

Copyright 2014 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.