dotScale 2014

CTF links:
NotSoSecure CTF: http://ctf.notsosecure.com
Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
http://hax.tor.hu/
https://pwn0.com/
http://www.smashthestack.org/
http://www.hellboundhackers.org/
http://www.overthewire.org/wargames/
http://counterhack.net/Counter_Hack/Challenges.html
http://www.hackthissite.org/
http://exploit-exercises.com/
http://vulnhub.com/


  1. Alison Gianotto (aka “snipe”). WHO AM I? • Former agency CTO/CSO • Security & privacy advocate • 20 years in IT & software development • Co-author of a few PHP/MySQL books • Survivor of more corporate audits than I care to remember • @snipeyhead on Twitter. (dotScale May 2014 - #dotScale)
  2. IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK. Srsly.
  3. IT IS INAPPROPRIATE TO MITIGATE EVERY RISK. No, Srsly.
  4. WHY PEOPLE HACK • To steal/sell identities, credit card numbers, corporate secrets, military secrets • Fun/Notoriety • Political (“Hacktivism”) • Revenge • Blackhat SEO • Extortion/Ransomware
  5. MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.
  6. THERE WERE EIGHT MEGA-BREACHES IN 2013, COMPARED WITH ONLY ONE IN 2012. (+700%) Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  7. OCT 2013: ADOBE EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE. IMPACTED: 152 MILLION USERS. Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  8. DEC 2013: TARGET EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS. IMPACTED: 110 MILLION USERS. Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  9. BREACH GROWTH. Data stolen: • credit card info • birth dates • government ID numbers • home addresses • medical records • phone numbers • financial information • email addresses • login • passwords. Chart, identities stolen by year (in millions): 2011: 232; 2013: 552. Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  10. ATTACKS PER DAY. Chart: 2011: 190,000; 2012: 464,000; 2013: 570,000. Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  11. SOMETIMES YOUR EFFORTS TO MITIGATE RISK CAN INCREASE YOUR ATTACK SURFACE. Because THAT’S fair.
  12. DEFENSE IN DEPTH PROMISES • Mitigates single points of failure. (“Bus factor”) • Requires more effort on the part of the attacker, theoretically exhausting attacker resources. Except...
  13. DEFENSE IN DEPTH CHALLENGES • Larger, more complicated systems are harder to maintain. • Can lead to more cracks for bad guys to poke at • More surfaces that can get overlooked • The bad guys have nearly limitless resources. We don’t. • Attacks are commoditized now. Botnets for $2/hour.
  14. HACKERS ARE NOT YOUR ONLY PROBLEM. Sorry. :(
  15. CIA: Confidentiality, Integrity & Availability
  16. CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION.
  17. INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
  18. AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
  19. APPSEC STRATEGY: PICK TWO. Absolutely f*cked / Utterly f*cked / Completely f*cked
  20. CREATING A RISK MATRIX • Type of resource • Third-Party • Diagram ID • Description • Triggering Action • Consequence of Failure • Risk of Failure • Probability of Failure • User Impact • Method used for monitoring this risk • Efforts to Mitigate in Case of Failure • Contact info. Grab a starter template here! http://snipe.ly/risk_matrix
  21. 20 THINGS YOU CAN START DOING TODAY. Dooo eeeeeet.
  22. #1. CAPTURE ALL THE FLAGS!
  23. WHAT DEVS LEARN FROM CTF • Strip specific messaging from login forms. • Use solid password hashing + salting like bcrypt. • Implement brute-force prevention for all login systems. • Encrypt everything, where feasible. • Suppress debugging and server information (language/framework versions, web server versions, stack traces, etc.)
  24. (image-only slide)
  25. #2. START EVERY PROJECT RISK-FIRST.
  26. #3. BUILD A CLEAR INVENTORY OF SURFACE AREAS AND THEIR VALUE.
  27. #4. RISK MATRIX FOR EVERY MAJOR PROJECT OR PRODUCT.
  28. #5. KNOW WHAT HAPPENS WHEN THIRD-PARTY SERVICES FAIL.
  29. #6. TRUST YOUR GUT. WHEN SOMETHING DOESN’T LOOK RIGHT, IT PROBABLY ISN’T.
  30. #7. KEEP YOUR SYSTEMS AS SIMPLE AS POSSIBLE.
  31. #8. INCREASED TRANSPARENCY REDUCES RISK ACROSS DEPARTMENTS.
  32. #9. GET TO KNOW YOUR USERS’ BEHAVIOR. BE SUSPICIOUS IF IT CHANGES FOR NO REASON.
  33. #10. AUTOMATE EVERYTHING.
  34. #11. LOG (ALMOST) EVERYTHING. KNOW WHERE YOUR LOGS ARE.
  35. #12. ALWAYS EMPLOY THE PRINCIPLE OF “LEAST PRIVILEGE”.
  36. #13. ONLY COLLECT THE DATA YOU ABSOLUTELY NEED.
  37. #14. IMPLEMENT TWO-FACTOR AUTHENTICATION. IT’S EASIER THAN YOU THINK.
  38. #15. CREATE A DATA RECOVERY PLAN AND TEST IT. NO, REALLY. TEST IT. MORE THAN ONCE.
  39. #16. MOAR PAPERWORK!
  40. #17. LEVERAGE BUILT-IN VALIDATION/SANITIZATION FROM FRAMEWORKS.
  41. #18. PERFORM REGULAR WHITE-BOX AND BLACK-BOX TESTING.
  42. #19. PAY ATTENTION TO YOUR ALERTS.
  43. #20. BECOME A PASSIONATE SECURITY AMBASSADOR FOR YOUR USERS.
  44. Alison Gianotto (aka “snipe”). THANK YOU! • @snipeyhead on Twitter • snipe@snipe.net
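The login-hardening points from slide 23 (generic failure text, bcrypt, brute-force lockout, suppressed server information) worked through in one plain-PHP login handler, as an added example that is not part of the talk. The in-memory `$users` store, the lockout thresholds and the function name `attempt_login` are assumptions made here; a real application would read and persist the same fields in its database.

```php
<?php
// Suppress debugging and server information (slide 23, last bullet).
ini_set('display_errors', '0');   // never render stack traces to the client
header_remove('X-Powered-By');    // drop the header that leaks the PHP version

const MAX_FAILURES    = 5;        // brute-force prevention: lock after 5 bad tries ...
const LOCKOUT_SECONDS = 900;      // ... for 15 minutes (assumed values)
const GENERIC_ERROR   = 'Invalid username or password.'; // same text for every failure

// Constructed in-memory user store standing in for a database table.
$users = [
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_BCRYPT),
                'failures' => 0, 'locked_until' => 0],
];
// bcrypt hash of a throwaway secret, verified against when the username is unknown,
// so known and unknown usernames take the same time to reject (no enumeration via timing).
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);

function attempt_login(array &$users, string $dummyHash, string $user, string $pass): array
{
    $now = time();
    $row = $users[$user] ?? null;

    if ($row !== null && $row['locked_until'] > $now) {
        // Locked account: reject before any password work, with the same generic text.
        return ['ok' => false, 'error' => GENERIC_ERROR];
    }

    // password_verify handles the embedded salt and compares digests in constant time.
    $valid = password_verify($pass, $row['hash'] ?? $dummyHash) && $row !== null;

    if (!$valid) {
        if ($row !== null) {                      // count failures per account only
            $users[$user]['failures']++;
            if ($users[$user]['failures'] >= MAX_FAILURES) {
                $users[$user]['locked_until'] = $now + LOCKOUT_SECONDS;
                $users[$user]['failures']     = 0;
            }
        }
        return ['ok' => false, 'error' => GENERIC_ERROR];
    }

    $users[$user]['failures'] = 0;
    // Transparently upgrade the stored hash if the bcrypt cost has since been raised.
    if (password_needs_rehash($row['hash'], PASSWORD_BCRYPT, ['cost' => 12])) {
        $users[$user]['hash'] = password_hash($pass, PASSWORD_BCRYPT, ['cost' => 12]);
    }
    return ['ok' => true, 'error' => null];
}
```

Six calls with a wrong password for `alice` leave the account locked for 15 minutes, and a request for a non-existent user returns the same `GENERIC_ERROR` after the same bcrypt work.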
