LonestarPHP 2014 Security Keynote
Upcoming SlideShare
Loading in...5
×
 

LonestarPHP 2014 Security Keynote

on

  • 980 views

Keynote for LonestarPHP 2014

Keynote for LonestarPHP 2014

Statistics

Views

Total Views
980
Views on SlideShare
885
Embed Views
95

Actions

Likes
2
Downloads
6
Comments
0

3 Embeds 95

https://twitter.com 77
http://librosweb.es 17
http://www.studio49.ie 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-ShareAlike LicenseCC Attribution-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

LonestarPHP 2014 Security Keynote LonestarPHP 2014 Security Keynote Presentation Transcript

  • Alison Gianotto @snipeyhead
  • Alison Gianotto (aka “snipe”)WHO AM I? • Former  agency  CTO/CSO   • Security  &  privacy  advocate   • 20  years  in  IT  and  so<ware  development   • Co-­‐author  of  a  few  PHP/MySQL  books   • Survivor  of  more  corporate  audits  than  I   care  to  remember   • @snipeyhead  on  TwiJer   2  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • WHAT SECURITY ISN’T 1 Bolted on 2 Compliance 3 A Single Person 4 Outsourced 3   You  don’t  add  it  on  at  the  end.     You  can  be  compliant  and  not   secure.  Just  ask  Target.   Security  is  everyone’s  responsibility.   Throwing  money  at  this  problem   won’t  work.   Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • WHAT SECURITY ISN’T 5 An Appliance 6 Silver Bullet 7 Straightforward 4   Firewalls  and  IDS  are  part  of  the   soluUon,  but  not  the  end.   There  is  no  one  thing.  Defence  in   depth  maJers.  Sort  of.     SomeUmes  implemenUng  security   tools  increases  your  aJack  surface.   Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   8 Done Security  is  where  you  start,  not   where  you  finish.  
  • WHAT RISK ISN’T 1 Stifling 2 Boring 3 Avoidable 5   Managing  risk  doesn’t  have  to   hinder  innovaUon   Our  job  is  finding  creaUve  soluUons   to  problems.  This  is  one  more  tool.   Risk  isn’t  inherently  bad.  Not   understanding  your  risk  is.     Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   4 One Size Acceptable  risk  to  your  company   may  not  be  the  same  as  someone   else’s.    
  • IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK. 6  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Srsly.
  • DEFENSE IN DEPTH PROMISES 7  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • MiUgates  single  points  of  failure.  (“Bus  factor”)   • Requires  more  effort  on  the  part  of  the  aJacker,   theoreUcally  exhausUng  aJacker  resources.     Except...
  • DEFENSE IN DEPTH PROBLEMS 8  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Larger,  more  complicated  systems  are  harder  to  maintain.     • Leads  to  more  cracks  for  bad  guys  to  poke  at   • More  surfaces  that  can  get  be  overlooked     • The  bad  guys  have  nearly  limitless  resources.  We  don’t.     • AJacks  are  commodiUzed  now.    Botnets  for  $2/hour.  
  • CIA Confidentiality, Integrity & Availability
  • CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION 10  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • CONFIDENTIALITY EXAMPLES 11  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Passwords.  (boo!)   • Data  encrypUon  (at  rest  and   in  transmission.)   • Two-­‐factor  authenUcaUon/ biometrics.  (Yay!)   • Corporate  VPN   • IP  WhitelisUng   • SSH  keys  
  • CONFIDENTIALITY RISKS 12  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • No  brute-­‐force  detecUon   • No  velng  of  how  third-­‐ party  vendors  use/store   customer  data   • InformaUon  leakage  from   login  messages  (Uming   aJacks,  etc.)   • SQL  injecUon     • Privilege  escalaUon  leading   to  admin  access     • Passwords  shared  across   websites   • Improper  disposal/ destrucUon  of  personal   data   • Lost/stolen  devices    
  • INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE. 13  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • INTEGRITY RISKS 14  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Data  loss  due  to  hardware   failure  (server  crash!)   • So<ware  bug  that   unintenUonally  deletes/ modifies  data   • Data  alteraUon  via   authorized  persons  (human   error)   • Data  alteraUon  via   unauthorized  persons   (hackers)   • No  backups  or  no  way  to   verify  the  integrity  of  the   backups  you  have   • Third-­‐party  vendor  with   inadequate  security  
  • AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE. 15  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • AVAILABILITY RISKS 16  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • DDoS  aJacks   • Third-­‐party  service  failures   • Hardware  failures   • So<ware  bugs   • Untested  so<ware  patches   • Natural  disasters   • Man-­‐made  disasters  
  • THINK YOU’RE TOO SMALL TO BOTHER WITH? 17  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Think again.
  • WHY HACK? 18  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • To  steal/sell  idenUUes,  credit   card  numbers,  corporate   secrets,  military  secrets   • Fun,  Excitement  and/or   Notoriety   • PoliUcal  (“HackUvism”)   • Revenge   • Blackhat  SEO   • ExtorUon/Ransomware  
  • COMMON ATTACKS 19  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Reflected  XSS   • Persistent  XSS   • CSRF   • SQL  InjecUon   • Remote  file  inclusion     • Local  file  inclusion/directory   traversal   • HosUng  malware   • Defacement  for  SEO   (pharma,  etc)   • Privilege  escalaUon    
  • WHY MEEEEEEEEEEEE?? 20  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Users  re-­‐use  passwords   across  websites   • Watering  hole  aJack   • Low-­‐hanging  fruit   • Assumed  fewer  defenses   • To  gain  more  informaUon  on   users  to  execute  spear-­‐ phishing  aJacks   • Because  you  are  vulnerable.   Period.  
  • IN 2013, 61% OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012. 21  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
  • 1 2 43 REFLECTED XSS SOCIAL     ENGINEERING   XSS   SESSION   HIJACK   PWNED   22  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • 77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY. 23  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
  • MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT. 24  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012. 25  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014     +700%
  • OCT 2013: ADOBE EXPOSED CUSTOMER DATA, DEBIT/ CREDIT CARD NUMBERS, SOURCE IMPACTED: 152 MILLION USERS 26  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
  • DEC 2013: TARGET EXPOSED CUSTOMER DATA, DEBIT/ CREDIT CARD NUMBERS, PINS IMPACTED: 110 MILLION USERS 27  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
  • BREACHGrowth •  credit  card  info •  birth  dates •  government  ID  numbers •  home  addresses •  medical  records •  phone  numbers •  financial  informa9on •  email  addresses •  login •  passwords Data Stolen 28  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   232   552   0   100   200   300   400   500   600   2011   2013   Iden99es  Stolen  by  Year  (in  Millions)   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014    
  • 190,000 464,000 570,000 2011   2012   2013   ATTACKS 29   Source:  Symantec  Internet  Security  Threat  Report  2014  ::  Volume  19,  Published  April  2014     Per Day Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • APPSEC STRATEGY PICK  TWO   30   COMPLETELY  BONED  COMPLETELY  BONED   COMPLETELY  BONED   Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14  
  • CREATING A RISK MATRIX 31  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   • Type   • Third-­‐Party   • Dataflow  diagram  ID   • DescripUon   • Triggering  AcUon   • Consequence  of  Service   Failure   • Risk  of  Failure   • User  Impact   • Method  used  for  monitoring   this  risk   • Efforts  to  MiUgate  in  Case  of   Failure   • Contact  info   Grab  a  starter  template  here!     hJp://snipe.ly/risk_matrix    
  • 29 THINGS YOU CAN START DOING TODAY. 32  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   Dooo eeeeeet.
  • 33  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   1.  Start  every  project  risk-­‐first.   2.  Start  using  a  risk  matrix  for  every  major  project  or   product.   3.  Build  a  clear  inventory  of  surface  areas  and  their  value.   Get  stakeholders  involved.   4.  Make  sure  you  understand  what  happens  when  third-­‐ party  services  fail  or  behave  unexpectedly.       29 THINGS TO DO TODAY
  • 34  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   5.  Trust  your  gut.  If  something  doesn’t  look  right,  it  probably   isn’t.   6.  Keep  your  systems  as  simple  as  possible.  Document  them.   7.  Favor  self-­‐documenUng  systems  so  that  code,  systems  and   docs  don't  fall  out  of  sync.   8.  Increased  transparency  reduces  risk  across  departments.   Consider  devops.     29 THINGS TO DO TODAY
  • 35  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   9.  Don't  abstract  code/systems  if  you  don’t  have  to.   Premature  opUmizaUon  is  the  devil.  Build  light  and   refactor  as  needed.   10.   Get  to  know  your  users’  behavior.  Use  tools  like  Google   AnalyUcs  and  heat-­‐mapping  to  understand  what  users  do   on  your  site.  Be  suspicious  if  it  changes  for  no  apparent   reason.   29 THINGS TO DO TODAY
  • 36  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   11.   Automate  EVERYTHING  (Chef,  Vagrant,  Ansible,  Salt,   Fabric,  etc.)   12.   Log  (almost!)  EVERYTHING.  Know  where  your  logs  are.   Use  a  central  logging  server  if  at  all  possible.     13.   Always  employ  the  principles  of  “least  privilege.”   14.   Give  preference  to  vendors  that  integrate  with  your  AD/     OD/LDAP.   29 THINGS TO DO TODAY
  • 37  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   15.   Create  a  reliable  data  backup  plan  and  TEST  IT.  (MORE   THAN  ONCE.)   16.   Create  a  Business  ConUnuity  Plan.   17.   Create  an  Incident  Response  Plan.  Test  it.   18.   Create  a  Disaster  Recovery  Plan.  TEST  IT.  (Seriously.)   19.   Get  your  team  to  parUcipate  in  at  least  one  CTF  every   year.     29 THINGS TO DO TODAY
  • 29 THINGS TO DO TODAY 38  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   20.   Strip  specific  messaging  from  login  forms.   21.   Use  solid  password+salUng  like  bcrypt.   22.   Implement  brute-­‐force  prevenUon  for  all  login  systems.   23.   Encrypt  everything,  where  feasible.   24.   Only  collect  the  data  that  you  absolutely  need.   25.   Implement  two-­‐factor  authenUcaUon.  It’s  easier  than  you   think.  
  • 29 THINGS TO DO TODAY 39  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   26.   Supress  debugging  and  server  informaUon  (PHP  versions,   Apache  versions)   27.   Leverage  framework  CSRF  protecUon  and  data   saniUzaUon/validaUon.   28.   Perform  regular  penetraUon  tests  and  vulnerability   assessments   29.   Become  a  passionate  security  ambassador  for  your  users   and  co-­‐workers.      
  • CAPTURE ALL THE FLAGS! 40  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14   •  NotSoSecure  CTF:  hJp://cx.notsosecure.com   •  Security  Shepherd:  hJps://www.owasp.org/index.php/ OWASP_Security_Shepherd   •  hJp://hax.tor.hu/   •  hJps://pwn0.com/   •  hJp://www.smashthestack.org/   •  hJp://www.hellboundhackers.org/   •  hJp://www.overthewire.org/wargames/   •  hJp://counterhack.net/Counter_Hack/Challenges.html   •  hJp://www.hackthissite.org/   •  hJp://exploit-­‐exercises.com/   •  hJp://vulnhub.com/  
  • Alison Gianotto (aka “snipe”)THANK YOU! • @snipeyhead  on  TwiJer   • snipe@snipe.net   41  Lonestar  PHP  -­‐  April  2014  -­‐  #lsp14