Information Security Expert James Kist: Web Application Security at Financial Institutions
RICHARD SWART: Hi, this is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we'll be speaking with James Kist, who is a senior consultant for Icons Inc. He has more than 15 years of experience in information technology and has authored courseware on several topics, including network security, Unix system security, web application security and wireless network security. He regularly conducts penetration tests and vulnerability assessments against various types of systems and networks. He is a Certified Information Systems Security Professional, CISSP, and is SANS GIAC GWAS, which is a GIAC Web Application Security Certified Professional. He has a Bachelor's degree in Computer Science from the University of Buffalo. How are you doing, Jim?
JAMES KIST: Good. How are you doing?
RICHARD SWART: What I'd like to do is find out a little bit more about your experience. You have extensive experience in vulnerability assessment and pen testing. How do you get experience as a pen tester, and is this an area that has increased in demand?
JAMES KIST: Getting experience, first off you need to be familiar with the technology that you're assessing. So for instance, if you're looking at Windows for security problems you have to understand the configuration issues associated with Windows. The same thing with a Cisco router or whatever you may be looking at, and being familiar with those configurations and security issues helps you to look for the weaknesses in those systems that you're assessing. And as far as increasing demand, incident response is becoming something that is definitely in need, mainly because of a lot of the privacy regulations that are out there associated with GLBA, the Payment Card Industry security standards and Sarbanes-Oxley. It's very important for that information and system to be kept secure and confidential and away from unauthorized users.
RICHARD SWART: What are some of the best practices that you've seen in terms of conducting thorough vulnerability assessments?
JAMES KIST: Just using the latest tools that are out there. Me personally, I like to use Nessus, which is an open source security scanner, and after the results come back from Nessus I like to use a variety of tools depending on the systems that are being assessed. You know, there are specific tools for assessment depending on the technologies that you're assessing that allow you to go deeper than a vulnerability scanner would allow you to go.
RICHARD SWART: You also have experience in doing web penetration security testing. Is that becoming a growth area, and what issues do you see facing financial institutions when you assess their web application security?
JAMES KIST: That is definitely becoming a growth area because many organizations and financial organizations are using the web for more and more services for their customers: online banking, online payments, balance inquiry, etc. So there's a lot of sensitive information that can be accessed through web servers, and the biggest issue that I see with web applications is lack of proper input validation.
RICHARD SWART: Things like SQL injection attacks and--
JAMES KIST: Yes. SQL injection, cross-site scripting. Those are probably the biggest ones, and those are all related to not validating the input properly.
RICHARD SWART: Let's change gears for a second. You also have a lot of background in training and assessments. When you work with companies that have built training programs, are there training and awareness needs that these companies are not aware of, or are there significant gaps in what you're seeing done in industry?
JAMES KIST: Typically there are a lot of things that organizations don't think of. A lot of it is related to newer technology such as wireless or maybe Voice over IP, but a lot of it has to do with standard things that have been in place for a long time, such as printers or maybe CD-ROMs. A lot of organizations don't realize that sensitive information can be carried out of the organization through printed documentation, or maybe on a CD-ROM or even a USB device.
RICHARD SWART: What are some best practices that you use when you conduct this training? What are effective tools that other people can implement?
JAMES KIST: I think the two most effective things are, (1) to relate it to the organization and to the individual that you're training, related to their day-to-day work as opposed to being generic. If you're just very high level and generic, it's going to be hard for that user to relate it to their daily tasks. And (2) another thing that is effective is to show the individual how a lack of best practices in security is going to directly affect them and the organization that they work for. So for instance, if it's a publicly traded company you can show them that a security breach is going to directly affect the stock price, and usually in a publicly traded company an employee has stock options, so it's directly affecting them.
RICHARD SWART: And what's your opinion in terms of classroom-based training or CBT [computer-based training] or training from vendors? What are you seeing most companies doing in the financial industry, and is it effective?
JAMES KIST: I think a combination of classroom training and CBT training. Classroom training is probably the most effective and CBT training is the most cost-effective.
RICHARD SWART: You also teach CISSP classes. What hints would you have for listeners who are planning on sitting that exam?
JAMES KIST: I would say before you come into class, have some experience in security. If you're new to security, the class isn't going to have a lot of relevance to you. You're not going to understand a lot of the material. And another important point is to really plan for about two to three months of study time after the class and before you take the certification exam. If you take the class and expect to pass the certification exam the day after the class, the chances of that are relatively low just because of the breadth of the information covered on that exam. It's very broad, across 10 different domains. So you really need about two to three months of study time before you attempt the certification exam.
RICHARD SWART: Would you recommend to somebody that they sit for that exam before they have the three or four years of required experience, or would you recommend that they wait until they have all their required experience?
JAMES KIST: I would recommend that they wait, because it's going to increase their chances of passing the exam. A lot of the questions on the exam come, or most of the questions on the exam come, from industry professionals, so the questions are going to directly relate to a lot of the work that they're going to be doing on a day-to-day basis.
RICHARD SWART: Are there other certifications or exams that you would encourage people to consider getting?
JAMES KIST: Well, there are the SANS certifications, which are highly recommended, and they have some certifications that are specific to different areas. The one that I have is specific to web application security. Web application security, I think, is the hot topic right now in the growth market for security.
RICHARD SWART: What's involved in getting one of those certifications from SANS?
JAMES KIST: It depends on the certification. Requirements are different. Usually you have to take a class and sometimes you have to do a hands-on practical [exam] showing that you can apply the knowledge from the class and then you also have to take a written exam.
RICHARD SWART: What advice would you give to a new professional, Jim? Where should he or she invest their time and money in terms of receiving training and certification?
JAMES KIST: Like I said before, I think web application security is the place to focus right now. Most organizations are taking their traditional applications and moving them to a web platform, mostly because of deployment issues, and all the new technologies in the application space are mostly based around web application technology. A lot of what they call the Web 2.0 technologies, you know, AJAX and technologies like that, allow highly interactive and dynamic web content, and because there's so much functionality in these new components on the web there are a lot of security issues, and that's really where organizations need to focus. That's really where organizations are lacking in security right now.
RICHARD SWART: Aside from AJAX what are some of the key skills or key programming languages that somebody would need to know in order to be effective at web application security?
JAMES KIST: You're going to need to know the .NET languages, the Java JSP language and PHP. Those are really the three most common web application technologies that are being deployed right now.
RICHARD SWART: So it sounds like this is an area that computer science students would do very well in. What about somebody coming out of a business program or a management information systems program? Would they be able to pick these skills up, or would they probably have to go back to school to become a programmer before they could do this?
JAMES KIST: Well, it depends on the depth of the technology and what they're performing in their job. With what's called a black box assessment of a web application, a business student will usually be able to pick that up using some of the tools that are out there to do the assessments of the websites, but if you get into source code analysis you really need to know the language very well, and then a computer science student will do better in that area.
RICHARD SWART: When you work with banks and financial institutions, are there emerging threats or emerging problems that you think they need to be paying more attention to, aside from web application security?
JAMES KIST: I think web security is a big one, and Voice over IP security is another big one. Anything to do with the latest technologies and protecting sensitive information is another important thing, and it's realizing all the different avenues by which sensitive information can leak out of the organization. So, you know, data breach prevention is another big topic that organizations need to be concerned with.