Transcript of "Top 5 Myths of IT Security in the Light of Current Events" (TISA Pro Talk 4 2554)

  1. Top 5 Myths of IT Security in the Light of Current Events
     Advisor for your information security.
     Version: 1.0
     Author: S. Streichsbier
     Responsible: S. Streichsbier
     Date: 05.10.2011
     Confidentiality: Public
  2. Agenda
     • Introduction
     • Top 5 IT Security Myths
     • Reality Check – Current Events
     • Conclusion
     © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved
  3. SEC Consult – Who we are
     • Since its foundation in 2002, SEC Consult has delivered more than 1000 IT security projects.
     • Offices in Austria (HQ), Germany, Lithuania, Canada and Singapore (since 2011)
     • 25+ security professionals
     • Well established in Central and Eastern Europe
     [Map: SEC Consult headquarters, offices and clients – Austria, Germany, Lithuania, Canada, Singapore, United States of America, Central and Eastern Europe]
  4. SEC Consult – Overview
     • Team of highly skilled, internationally recognized security experts
       • Regular speakers at international conferences
       • Publish security advisories and whitepapers
       • Awards (e.g. “PWNIE” Award 2009)
       • Internal Vulnerability Lab
         ○ Responsible Disclosure Policy
     • Holistic approach to cover all facets of information security
       • Diverse experience in technical and organizational IT security
     • Independent from vendors
       • No off-the-shelf products
       • Tailor-made solutions
     • Confidentiality and data security are guaranteed
  5. Agenda – Workshop Day I:
     • Introduction
     • Top 5 IT Security Myths
     • Reality Check – Current Events
     • Conclusion
  6. Top 5 IT Security Myths – 5. Hackers = Geniuses
     „Only a genius can break into my network“
  7. Top 5 IT Security Myths – Hackers = Geniuses (1)
     • The Myth: Hacking requires secret Ninja skills
       • True 20 years ago
     • Today, knowledge and tools are out there
       • Huge security community
       • Exploits and hacking tools released every day
       • Commercial exploit kits
       • Hacking can be learned (CEH, university, ...)
  8. Top 5 IT Security Myths – Hackers = Geniuses (2)
     Anybody can launch a tool!
  9. Top 5 IT Security Myths – Hackers = Geniuses (3)
     Hackers are:
     • Hacking for fun / hacktivism
       • Anonymous / LulzSec
       • Kids looking for attention
     • Hacking for profit
       • Huge underground economy
       • Exploit kits, phishing kits, etc.
       • Botnets
     • Cyber warfare
       • Stuxnet (admittedly very advanced)
       • Shady RAT
       • Operation Aurora
  10. Top 5 IT Security Myths – 4. Updates and AV
      „Software updates and anti-virus are enough to keep a system safe“
  11. Top 5 IT Security Myths – 4. Updates and AV
      Myth: I am safe, my AV will protect me from trojans, viruses and worms.
      • Facts
        • Timeliness (delay)
        • Completeness
        • Protection against known security issues only; vulnerabilities in proprietary applications are not covered
        • Important part of client security (the user still has to be responsible)
        • AV also has flaws
          • Detection rate / effectiveness heavily discussed
          • False positives: Chrome browser is a virus?
  12. Excerpt of “disclosed” vulnerabilities on 24.6.2011
      • 8,562 new vulnerabilities were disclosed in 2010 (27% more than 2009).
      • 49 percent of all vulnerabilities affect web applications.
      • 44 percent of vulnerabilities remained unpatched by the end of 2010.
      Source: IBM X-Force Trend and Risk Report 2010
      Sources: http://www.securityfocus.com/
  13. Top 5 IT Security Myths – 3. Easy solutions
      „Product X solves all my security problems“
  14. Top 5 IT Security Myths – Easy solutions (1)
      • The Myth: Product X solves all security problems out of the box
        • IPS X will block all attacks on my network automatically
        • If I just install webapp firewall Y it will protect my web application
      • Fact: Security products are useless without careful configuration and maintenance
        • Off-the-shelf solutions do not work!
        • Vendor marketing sometimes adds to the myth:
  15. Top 5 IT Security Myths – Easy solutions (2)
      • Web application firewalls are usually easily bypassed
      • Bypassing preconfigured signatures
        • There are unlimited ways to formulate and encode an attack
        • Web applications have unique vulnerabilities
      • Bypassing behaviour-based analysis
        • May detect some anomalies, but attacks can look like normal traffic
      • Application logic attacks
      • To make a WAF work, the configuration has to be tailored to the web application in question
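The slide's point that a preconfigured signature sees only one of the "unlimited ways to formulate and encode an attack" can be shown with a small detection experiment. The following is an added example written for this transcript; it is not code from the deck or from SEC Consult, and the regex, the canonicalization steps and the sample requests are all constructed assumptions, not any vendor's real rule. It applies one naive tautology signature to the raw request and to a canonicalized form (bounded repeated URL-decoding, comment stripping, whitespace folding, lowercasing), so a defender can see which encodings the raw check misses and why a WAF must decode the request the way the application will before matching.

```python
import re
from urllib.parse import unquote

# Constructed illustrative signature for the classic quote-OR tautology.
# Assumption: this stands in for a generic, preconfigured WAF rule.
NAIVE_SIGNATURE = re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)


def naive_match(raw_query: str) -> bool:
    """Signature applied to the request exactly as received on the wire."""
    return bool(NAIVE_SIGNATURE.search(raw_query))


def canonicalize(raw_query: str, max_rounds: int = 3) -> str:
    """Decode the request the way the application will before it reaches
    the database: bounded repeated URL-decoding ('+' as space), SQL inline
    comments removed, whitespace collapsed, lowercased. The round limit
    keeps a hostile input from making the WAF loop indefinitely."""
    text = raw_query
    for _ in range(max_rounds):
        decoded = unquote(text.replace("+", " "))
        if decoded == text:          # nothing left to decode
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", "", text)   # strip /* ... */ comments
    text = re.sub(r"\s+", " ", text)        # collapse whitespace runs
    return text.lower()


def canonical_match(raw_query: str) -> bool:
    """Same signature, but applied after canonicalization."""
    return bool(NAIVE_SIGNATURE.search(canonicalize(raw_query)))


# Constructed sample query strings: one benign, one plain, three re-encoded
# formulations of the same tautology that a raw signature does not see.
SAMPLES = {
    "benign":      "user=alice&item=42",
    "plain":       "user=' OR '1'='1",
    "url_encoded": "user=%27%20OR%20%271%27%3D%271",
    "double_enc":  "user=%2527%2520OR%2520%25271%2527%253D%25271",
    "comment_gap": "user='/**/OR/**/'1'='1",
}


def evaluate(samples=SAMPLES):
    """Return {name: (raw signature hit, canonicalized signature hit)}."""
    return {name: (naive_match(q), canonical_match(q))
            for name, q in samples.items()}


if __name__ == "__main__":
    for name, (raw_hit, canon_hit) in evaluate().items():
        print(f"{name:12s} raw={raw_hit!s:5s} canonicalized={canon_hit}")
```

Canonicalization closes the encoding gap for this one pattern, but it does nothing for the other formulations of the same idea, for the application's own unique vulnerabilities, or for logic attacks that look like ordinary traffic; that is why the slide concludes that the configuration has to be tailored to the application (ideally a positive model of what each parameter may contain) rather than relying on shipped signatures.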
  16. Top 5 IT Security Myths – Easy solutions (3)
      • IDS / IPS should be added as part of a defense-in-depth approach
      • WAF can be used in certain situations
        • If it is impossible or too expensive to fix the web application
        • For compliance (PCI DSS)
      • It is always preferable to apply preventive controls at the core!
        • Secure configuration
        • Secure development practices
  17. Top 5 IT Security Myths – 2. Encryption
      „My server is secure because it uses SSL.“
  18. Top 5 IT Security Myths – Encryption
      • The Myth: Something that is encrypted is automatically secure
        • Hackers first have to break the encryption to break in
      • Fact: Encryption ensures confidentiality & integrity in some scenarios
        • Needed for secure network traffic, file storage, proof of identity
      • Hackers find ways around the encryption!
        • Breaking the keys is practically impossible anyway in most cases
        • Attacks on the public key infrastructure (CAs)
        • Attacks on the algorithm / implementation (BEAST)
        • Attacks on users (Man-in-the-Middle with spoofed certificate)
        • Application vulnerabilities
        • A web server that uses HTTPS is NOT automatically secure!
  19. Top 5 IT Security Myths – 1. The Firewall
      „A device that protects against hackers“
  20. Top 5 IT Security Myths – The Firewall (2)
      Myth: In order to attack servers behind the firewall, hackers need to “break through” the firewall
      • Facts
        • Firewalls provide a very small attack surface for hackers
        • Usually straightforward to configure
        • Normally a hacker does not have to bypass a firewall
        • A hacker would target the low-hanging fruit, which in almost all cases is vulnerable applications
        • HTTP = UFBP (universal firewall bypass protocol)
  21. Web applications – the weakest link
      [Diagram: attacker on the Internet (public / extern) → web server with vulnerable applications in the DMZ → AD, DB and file share in the LAN (intern)]
      86% of all attacks are carried out over the application layer
  22. Top 5 IT Security Myths – The Firewall (3)
      Myth: The firewall will block attacks and make sure that everything that passes through is safe/secure
      • Facts
        • Traditionally a firewall is only a packet filter
        • Packets can only be blocked up to the level at which the firewall understands them
        • A firewall has no understanding of the application layer
        • A firewall cannot verify whether communication to an exposed service is malicious
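Slides 20 and 22 make one argument: a packet filter decides on addresses, protocol and ports, so anything carried over the permitted HTTP port passes unexamined, and only a control that understands the application layer can tell a legitimate request from a malicious one. The following added example, written for this transcript and not taken from the deck or from SEC Consult, simulates that. The rule set, the `Packet` type, the `/product?id=` endpoint model and all traffic samples are constructed assumptions; the "application-layer check" stands in for an input-validation control in the application (or a WAF rule tailored to it), not for anything a firewall does.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    payload: bytes   # present on the wire, but the packet filter never reads it


# Constructed DMZ rule set (assumption): web server 203.0.113.10 reachable
# on 80/443 from anywhere, SSH only from the admin network, default deny.
WEB = "203.0.113.10"
RULES = [
    {"action": "allow", "proto": "tcp", "dst_ip": WEB, "dst_port": 80},
    {"action": "allow", "proto": "tcp", "dst_ip": WEB, "dst_port": 443},
    {"action": "allow", "proto": "tcp", "dst_ip": WEB, "dst_port": 22,
     "src_prefix": "10.0.0."},
]


def packet_filter(pkt: Packet, rules=RULES) -> str:
    """Stateless packet filter: first rule matching the 5-tuple wins,
    otherwise deny. The payload is not an input to this decision."""
    for rule in rules:
        if (rule["proto"] != pkt.proto or rule["dst_ip"] != pkt.dst_ip
                or rule["dst_port"] != pkt.dst_port):
            continue
        if "src_prefix" in rule and not pkt.src_ip.startswith(rule["src_prefix"]):
            continue
        return rule["action"]
    return "deny"


# Constructed positive model of the one endpoint this toy application
# serves: GET /product?id=<integer>. Anything else is rejected.
REQUEST_LINE = re.compile(rb"^GET /product\?id=([^ ]*) HTTP/1\.[01]\r\n")


def app_layer_check(payload: bytes) -> str:
    """Application-level validation of the HTTP request inside the packet."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return "reject: not a request this endpoint serves"
    if not m.group(1).isdigit():
        return "reject: id must be an integer"
    return "accept"


# Constructed traffic samples: the same 5-tuple carries a benign request
# and a request whose id parameter contains injected SQL syntax.
SAMPLES = {
    "benign_http": Packet("198.51.100.7", WEB, "tcp", 80,
                          b"GET /product?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "injected_http": Packet("198.51.100.7", WEB, "tcp", 80,
                            b"GET /product?id=42'%20OR%20'1'='1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "ssh_from_internet": Packet("198.51.100.7", WEB, "tcp", 22, b"SSH-2.0-OpenSSH\r\n"),
    "ssh_from_admin": Packet("10.0.0.5", WEB, "tcp", 22, b"SSH-2.0-OpenSSH\r\n"),
}


def evaluate(samples=SAMPLES):
    """Return {name: (firewall verdict, application verdict or 'n/a')}."""
    return {name: (packet_filter(p),
                   app_layer_check(p.payload) if p.dst_port == 80 else "n/a")
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (fw, app) in evaluate().items():
        print(f"{name:18s} firewall={fw:5s} application={app}")
```

The firewall is doing its job correctly in every case, including the injected request: port 80 to the web server is exactly what the rule permits, which is the sense in which HTTP is a "universal firewall bypass protocol". The difference between the two HTTP samples is visible only to the control that parses the request, which is why the deck keeps returning to preventive controls at the core (secure development and configuration) rather than the perimeter.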
  23. Application Security
      • ”In 86% of all attacks, a weakness in a web interface was exploited (vs. 14% infrastructure) and the attackers were predominately external (80%)”
        Source: UK Security Breach Investigations Report 2010
  24. Web Security 1998-2010
      • Web application related vulnerabilities have increased rapidly in the last years
      • Reasons:
        • New technologies
        • More applications
        • More information
      Source: IBM X-Force® 2010 Trend and Risk Report
  25. Attacks on Web Applications
      • Organized crime focuses on web applications
        ”You will see less shotgun types of attacks and more stealthy kinds of attacks going after financial information because there are whole new sets of ways to make money”
        --- Amrit Williams, Research Director at Gartner, Reuters 13.2.2006
      Source: Web Hacking Incident Database 2010 Semi Annual Report – 2 (July-December)
  26. Myths – Summary
      • Off-the-shelf solutions:
        • Security products are useful for specific areas
        • Level your expectations (strengths/weaknesses)
        • Security is a continuous process, be doubtful of miracles
      • Prevention/Detection
        • Necessary to have good detection mechanisms
        • Continuous monitoring of the results
      • Planning
        • IT security can only be achieved by a holistic approach
        • ISM is essential to implement the right processes
      • It is always preferable to apply preventive controls at the core!
  27. Contact Details
      Singapore
      SEC Consult Singapore Pte. Ltd.
      4 Battery Road
      #25-01 Bank of China Building
      Singapore (049908)
      Tel: +65 31080365
      Email: office@sec-consult.sg
      www.sec-consult.sg

      Austria
      Mooslackengasse 17
      A-1190 Vienna
      Austria
      Tel: +43-(0)1-890 30 43-0
      Fax: +43-(0)1-890 30 43-15
      Email: office@sec-consult.com
      www.sec-consult.com