Top 5 myths of it security in the light of current events tisa pro talk 4 2554

Top 5 Myths of IT Security in the Light of Current Events Advisor for your information security.Version: 1.0Author: S.StreichsbierResponsible: S.StreichsbierDate: 05.10.2011Confidentiality: Public

SEC Consult – Who we are Since foundation in 2002 SEC Consult delivered more Lithuania Canada Germany Austria Central and Easter Europe than 1000 IT security projects. United States of America Offices in Austria (HQ), Singapore Germany, Lithuania, Canada and Singapore since 2011 25+ Security Professionals Well established in Central and Eastern Europe SEC Consult Headquarter SEC Consult Office SEC Consult Clients 3 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

SEC Consult - Overview• Team of highly skilled, internationally recognized security experts • Regular speakers on international conferences • Publish security advisories, whitepapers • Awards (e.g. “PWNIE” Award 2009) • Internal Vulnerability Lab ○ Responsible Disclosure Policy• Holistic approach to cover all facets of information security • Diverse experience in technical and organizational IT security• Independent from vendors • No off-the-shelf products • Tailor-made solutions• Confidentiality and data security is guaranteed 4 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Top 5 IT Security Myths – Hackers=Geniuses (1)• The Myth: Hacking requires secret Ninja skills • True 20 years ago• Today, knowledge and tools are out there • Huge security community • Exploits and hacking tools released every day • Commercial exploit kits • Hacking can be learned (CEH, university,...) 7 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Top 5 IT Security Myths – Hackers=Geniuses (3)Hackers are:• Hacking for fun / hacktivism • Anonymous / LulzSec • Kids looking for attention• Hacking for profit • Huge underground economy • Exploit Kits, Phishing Kits, etc. • Botnets• Cyber warfare • Stuxnet (admittedly very advanced) • Shady RAT • Operation Aurora 9 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Top 5 IT Security Myths – 4. Updates and AVMyth: I am safe my AV will protect me from trojans, viruses and worms.• Facts • Timeliness (delay) • Completeness • Protection against known security issues, vulnerabilities in proprietary applications are not covered • Important part of client security (user still has to be responsible) • AV also have flaws • Detection rate / Effectiveness heavily discussed • False positives: Chrome browser is a virus? 11 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Excerpt of “disclosed” vulnerabilities on 24.6.2011• 8.562 new vulnerabilities were disclosed in 2010 (27% more than 2009).• 49 percent of all vulnerabilities affect web applications.• 44 percent of vulnerabilities remained un-patched by the end of 2010. Source: X-Force Trend und Risk Report 2010 Sources: http://www.securityfocus.com/ 12 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Top 5 IT Security Myths – Easy solutions (1)• The Myth: Product X solves all security problems out of the box • IPS X will block all attacks on my network automatically • If I just install webapp firewall Y it will protect my web application• Fact: Security products are useless without careful configuration and maintenance • Off-the-shelf-solutions do not work! • Vendor marketing sometimes adds to the myth: 14 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Top 5 IT Security Myths – Easy solutions (2)• Web application firewalls are usually easily bypassed• Bypassing preconfigured signatures • There are unlimited ways to formulate and encode an attack • Web applications have unique vulnerabilities• Bypassing behaviour based analysis • May detect some anomalies, but attacks can look like normal traffic• Application logic attacks• To make a WAF work, configuration has to be tailored to the web application in question 15 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Top 5 IT Security Myths – Easy solutions (3)• IDS / IPS should be added as part of an defense-in-depth approach• WAF can be used in certain situations • If its impossible or too expensive to fix the web application • For compliance (PCI DSS)• It is always preferable to apply preventive controls at the core! • Secure configuration • Secure development practices 16 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Top 5 IT Security Myths – Encryption• The Myth: Something that is encrypted is automatically secure • Hackers first have to break the encryption to break in• Fact: Encryption ensures confidentiality & integrity in some scenarios • Needed for secure network traffic, file storage, proof of identity• Hackers find ways around the encryption! • Breaking the keys is practically impossible anyway in most cases • Attacks on the public key infrastructure (CAs) • Attacks on the algorithm / implementation (BEAST) • Attacks on users (Man-in-the-Middle w/ spoofed Certificate) • Application vulnerabilities • A webserver that uses HTTPS is NOT automatically secure! 18 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Top 5 IT Security Myths – The Firewall (2)Myth: In order to attack servers behind the firewall hackers need to “break through” the firewall• Facts • Firewall provide a very small attacking surface for hackers • Usually straight forward to configure • Normally a hacker does not have to bypass a firewall • A hacker would target the low hanging fruits, which are in almost all cases vulnerable applications • HTTP = UFBP (universal firewall bypass protocol) 20 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Web applications – the weakest link AD Attacker Web server with vulnerable applications DB File- Share Internet Public (Extern) DMZ LAN (Intern) 86% of all attacks are carried out over the application layer 21 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Top 5 IT Security Myths – The Firewall (3)Myth: The firewall will block attacks and make sure that everything that passes through is safe/secure• Facts • Traditionally a firewall is only a packet filter • Packets can be blocked up to a level where the Firewall understands it • A firewall does not have an understanding of the Application layer • A firewall can not verify if communication to an exposed service is malicious 22 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Application Security• ”In 86% of all attacks, a weakness in a web interface was exploited (vs. 14% infrastructure) and the attackers were predominately external (80%)” Source: UK Security Breach Investigations Report 2010 23 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Web Security 1998-2010• Web application related vulnerabilities have increased rapidly in the last years• Reasons: • New technologies • More applications • More information Source: IBM X-Force® 2010 Trend and Risk Report 24 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Attacks on Web Applications • Organized crime focuses on web applications”You will see less shotgun types of attacks andmore stealthy kinds of attacks going afterfinancial information because there are wholenew sets of ways to make money”--- Amrit Williams, Resarch Director at Gartner - Source: Web Hacking Incident Database 2010Reuters 13.2.2006 Semi Annual Report – 2 (July-December) 25 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Myths – Summary• Off the shelf solutions: • Security products are useful for specific areas • Level your expectations (strength/weakness) • Security is a continuous process, be doubtful of miracles• Prevention/Detection • Necessary to have good detection mechanisms • Continuous Monitoring of the results• Planning • IT Security can only be achieved by a holistic approach • ISM is essential to implement the right processes• It is always preferable to apply preventive controls at the core! 26 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Contact Details SEC Consult Singapore Pte. Ltd. Singapore Austria 4 Battery Road Mooslackengasse 17 #25-01 Bank of China Building A-1190 Vienna Singapore (049908) Austria Tel: +65 31080365 Tel: +43-(0)1-890 30 43-0 Fax: +43-(0)1-890 30 43-15 Email: office@sec-consult.sg Email: office@sec-consult.com www.sec-consult.sg www.sec-consult.com 49 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Top 5 myths of it security in the light of current events tisa pro talk 4 2554

by TISA

Accessibility

Categories

Upload Details

Usage Rights

Statistics