SlideShare a Scribd company logo
1 of 23
Download to read offline
REDUCING YOUR
ATTACK SURFACE
Ryan Holland, Senior Director of Cloud Architecture – Alert Logic
Summary
• Understanding your attack surface is critical to deploying
the right security controls
• Attack surface in cloud environments is significantly
different than on-premises
• Dominant cloud exposures are often misunderstood
2nd attack HVAC vendor application
Result Successful. Never detected.
Vector SQL Injection
Las Vegas
Bethlehem
1st attack Account Brute Force
Result Detected by the SIEM. Blocked
#1 Sands Casino Breach
2nd attack HVAC vendor application
Result Successful. Never detected.
Vector SQL Injection
Las Vegas
Bethlehem
1st attack Account Brute Force
Result Detected by the SIEM. Blocked • Compromised
admin credentials
• Moved laterally
through Windows
AD
• Used malware to
destroy all hosts
on the network
Sands Casino Breach
1
49
56
86
125
155
172
197
525
908
Denial of Service
Crimeware
Physical Theft / Loss
Payment Card Skimmers
Everything Else
Cyber-espionage
Privilege Misuse
Miscellaneous Errors
POS Intrusions
Web App Attacks
Security risk is shifting to unprotected web applications
Web app attacks are now the #1
source of data breaches
But less than 5% of data center security
budgets are spent on app security
Source: Verizon
UP 500% SINCE 2014
$23 to $1
Percentage of Breaches
10% 20% 30% 40%
Source: Gartner
Web App Attacks
1
49
56
86
125
155
172
197
525
908
Denial of Service
Crimeware
Physical Theft / Loss
Payment Card Skimmers
Everything Else
Cyber-espionage
Privilege Misuse
Miscellaneous Errors
POS Intrusions
Web App Attacks
Security risk is shifting to unprotected web applications
Web app attacks are now the #1
source of data breaches
But less than 5% of data center security
budgets are spent on app security
Source: Verizon
UP 500% SINCE 2014
$23 to $1
Percentage of Breaches
10% 20% 30% 40%
Source: Gartner
Web App Attacks
Underreported. Misunderstood.
What Drives This Awareness Disconnect?
• Breach disclosure in a number of states is mandatory,
but technical details are not in disclosure scope
• News media naturally gravitates towards human interest security stories
• Mobile phones
• Endpoint malware
• Email theft Ransomware
Malware
All other terms: SQL injection,
web application attack, Wordpress vulnerability,
PHP vulnerability, Apache Struts vulnerability
Our Perspective on Cloud Attack Surface
• 4,000+ customers
• 80% of deployments in data centers
• 50% of deployments in
public and hybrid cloud
• Dominant workload: business
critical web applications
Real world view from our SOC
#2 Yahoo
Impact
Number of exposed accounts increased
from 1B to 3B.
How it happened
Phishing Email
Where are they now?
Sold to Verizon. Valuation revised by
$350M
Meet “M4g” AKA Alexsey Belan
• One of the most prolific
hackers between 2013 -
2015
• Estimated to have
compromised 1.2 billion
user accounts
• Prime suspect in
numerous breaches
Alexsey Belan’s Techniques
1. Identified peripheral sites and key people via Google and
LinkedIn
2. Initial compromise via CVE-2011–4106 WordPress
vulnerability. Modified authentication mechanisms to
capture credentials
3. Used NMAP & internal Wiki to learn the environment and
move laterally
4. Reused cookies from development staging systems, client
certificates from emails and trouble tickets
5. Used developer credentials to introduce backdoors into code
Source: https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551
Why WordPress?
Used in 28% of all web
sites on the internet
• WP CVE-2011–4106 vulnerability in resulted in 1.2 million compromised sites
• 53 similar vulnerabilities in last 10 years (CVSS 6+)
#3 RNC breach
Impact
200M voter records exposed
How it happened
Misconfiguration in Amazon Web Services
S3 service
Where are they now?
Survived the breach. Operational impact
unclear.
AWS S3 Data Leaks Due To Misconfigurations
#4 Code Spaces
Impact
Nearly all customer data, including
backups, deleted.
How it happened
Credential compromise.
Where are they now?
Closed down immediately after event.
60 Most Common AWS Configuration Remediations
Unencrypted AMI Discovered
Unencrypted EBS Volume
S3 Logging not Enabled
Unrestricted Outbound Access on All Ports
User not configured to use MFA
User Access Key not configured with Rotation
IAM Policies are attached directly to User
Dangerous User Privileged Access to S3
Dangerous IAM Role for S3
Dangerous User Privileged Access to RDS
Disable Automatic Access Key Creation
Dangerous User Privileged Access to DDB
Dangerous User Privileged Access to IAM
IAM Access Keys Unused for 90 Days
ELB Listener Security (2 of 4)
ELB Listener Security (1 of 4)
Dangerous IAM Role for RDS
RDS Encryption is not Enabled
Dangerous IAM Role for DDB
Unrestricted Inbound Access - Specific Ports 2
Dangerous IAM Role for IAM
Unrestricted Inbound Access to SSH Port 22/tcp
Unrestricted Inbound Access to HTTP Port 80/tcp
Amazon S3 Bucket Permissions (2 of 2)
Inactive user account
Ensure AWS CloudTrail is Enabled in All Regions
ELB Listener Security (4 of 4)
Unrestricted Inbound Access
Publicly Accessible RDS Database Instance
Passwords not set to enforce complexity
ACL permissions enabled for Authenticated Users in an S3 Bucket
CloudTrail Logging Disabled
Passwords not configured to expire
Ensure Hardware Multi-Factor Authentication is Enabled for the Root Account
Unrestricted Inbound Access to Windows RDP Port 3389/tcp
Enable Amazon GuardDuty on AWS Account
Unrestricted Inbound Access to PostgreSQL Port 5432/tcp
Global View ACL permissions enabled in an S3 Bucket
Unrestricted Inbound Access to mySQL Port 3306/tcp
Unrestricted Inbound Access to NetBIOS over TCP/IP 137/udp/tcp, 138/udp or
139/udp/tcp
Unrestricted Inbound Access to SMTP Port 25/tcp
Root account not using MFA
Unrestricted Inbound Access to FTP Port 21/tcp
Unrestricted Inbound Access to DNS Port 53/tcp
Unrestricted Inbound Access to SQLServer Port 1433,1434/tcp
Unrestricted Inbound Access to FTP Port 20/tcp
Unrestricted Inbound Access to VNC Port 5500,5900/tcp
Unrestricted Inbound Access to MSQL Port 4333/tcp
Unrestricted Inbound Access to SMTP over TLS/SSL Port 465/tcp
Unrestricted Inbound Access to ElasticSearch Port 9300/tcp
Unrestricted Inbound Access to CIFS/SMB over TCP 445/tcp
Root Account Used Recently
Unrestricted Inbound Access to Windows RPC Port 135/tcp
Publicly Accessible AMI Discovered
Unrestricted Inbound Access to Telnet Port 23/tcp
Unencrypted Redshift Cluster
Unrestricted Inbound Access to DNS Port 53/udp
Publicly Accessible Redshift Cluster Nodes
Dangerous use of Root Access Keys
Unrestricted Inbound Access to CIFS/SMB over TCP 445/udp
Across
31,235 EC2 instances / workloads
155,911 vulnerabilities and
exposures sampled
On 381 VPC’s in Dec 2017
Cloud Insight Essentials check
Misconfigurations
Cloud Attack Surface
Attacks
Web App
Attacks
OWASP
top 10
Platform /
library
attacks
App /
System
misconfig
attacks
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Server OS
Hypervisor
Hardware
The Application Stack
Databases
Attackersaremovingupthestack
1. Wide range of attacks at
every layer of the stack
2. Rapidly changing
codebase can introduces
unknown vulnerabilities
3. Long tail of exposures
inherited from 3rd party
development tools
4. Extreme shortage of cloud
and application security
expertise
Attack Surface Factors
Factor Impact Technology Triggers
Custom built complex
web code
Broad attack surface and numerous
opportunities for hidden
vulnerabilities.
Open or commercial
development
frameworks
Vulnerabilities inherited from open
source community or software
vendors.
3-tier architecture
with relational
databases
Increased risk of SQL injection - #1
web attack method in volume and
impact
Open and
Interconnected
Easily accessible from outside world
by valid users and attackers alike
Legacy code Technical debt means increases risk
Importance of Eliminating Dwell Time
The Realities of Dwell Time
1. Ponemon Institute 2017 Cost of Data Breach Study
Thank you.

More Related Content

What's hot

Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the CloudAlert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017Alert Logic
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web AttacksAlert Logic
 
Stories from the Security Operations Center
Stories from the Security Operations CenterStories from the Security Operations Center
Stories from the Security Operations CenterAlert Logic
 
Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017Alert Logic
 
#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack DemonstrationAlert Logic
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionAlert Logic
 
#ALSummit: Cyber Resiliency: Surviving the Breach
#ALSummit: Cyber Resiliency: Surviving the Breach#ALSummit: Cyber Resiliency: Surviving the Breach
#ALSummit: Cyber Resiliency: Surviving the BreachAlert Logic
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and ResponseAlert Logic
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudCloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudMarkAnnati
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 
#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS EnvironmentAlert Logic
 
Stories from the Security Operations Center (S.O.C.)
Stories from the Security Operations Center (S.O.C.)Stories from the Security Operations Center (S.O.C.)
Stories from the Security Operations Center (S.O.C.)Alert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionAlert Logic
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCAlert Logic
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWSAlert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Alert Logic
 

What's hot (20)

Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
Stories from the Security Operations Center
Stories from the Security Operations CenterStories from the Security Operations Center
Stories from the Security Operations Center
 
Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017
 
#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
 
#ALSummit: Cyber Resiliency: Surviving the Breach
#ALSummit: Cyber Resiliency: Surviving the Breach#ALSummit: Cyber Resiliency: Surviving the Breach
#ALSummit: Cyber Resiliency: Surviving the Breach
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudCloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment
 
Cyber Resiliency
Cyber ResiliencyCyber Resiliency
Cyber Resiliency
 
Stories from the Security Operations Center (S.O.C.)
Stories from the Security Operations Center (S.O.C.)Stories from the Security Operations Center (S.O.C.)
Stories from the Security Operations Center (S.O.C.)
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 

Similar to Reducing Your Attack Surface

Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...JamieWilliams130
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
ENHANCING THE IMPREGNABILITY OF LINUX SERVERSENHANCING THE IMPREGNABILITY OF LINUX SERVERS
ENHANCING THE IMPREGNABILITY OF LINUX SERVERSIJNSA Journal
 
Enhancing the impregnability of linux servers
Enhancing the impregnability of linux serversEnhancing the impregnability of linux servers
Enhancing the impregnability of linux serversIJNSA Journal
 
Escalation defenses ad guardrails every company should deploy
Escalation defenses ad guardrails every company should deployEscalation defenses ad guardrails every company should deploy
Escalation defenses ad guardrails every company should deployDavid Rowe
 
Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network securitySreerag Gopinath
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...Paula Januszkiewicz
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Rishabh Dangwal
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?BeyondTrust
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataPrecisely
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry:  Normshield Executive Presentation2017 Cyber Risk Grades by Industry:  Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive PresentationNormShield, Inc.
 
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival GuideDSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival GuideAndris Soroka
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
Security Threat Presentation
Security Threat PresentationSecurity Threat Presentation
Security Threat PresentationRobert Giannini
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Scalar Decisions
 

Similar to Reducing Your Attack Surface (20)

Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
ENHANCING THE IMPREGNABILITY OF LINUX SERVERSENHANCING THE IMPREGNABILITY OF LINUX SERVERS
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
 
Enhancing the impregnability of linux servers
Enhancing the impregnability of linux serversEnhancing the impregnability of linux servers
Enhancing the impregnability of linux servers
 
Escalation defenses ad guardrails every company should deploy
Escalation defenses ad guardrails every company should deployEscalation defenses ad guardrails every company should deploy
Escalation defenses ad guardrails every company should deploy
 
Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network security
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
 
Windows network
Windows networkWindows network
Windows network
 
SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry:  Normshield Executive Presentation2017 Cyber Risk Grades by Industry:  Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
 
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival GuideDSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Security Threat Presentation
Security Threat PresentationSecurity Threat Presentation
Security Threat Presentation
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 seba
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
 

More from Alert Logic

Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Alert Logic
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: PresidioAlert Logic
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOpsAlert Logic
 
Security Spotlight: Rent-A-Center
Security Spotlight: Rent-A-CenterSecurity Spotlight: Rent-A-Center
Security Spotlight: Rent-A-CenterAlert Logic
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOpsAlert Logic
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: PresidioAlert Logic
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the CloudAlert Logic
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
The Intersection of Security and DevOps
The Intersection of Security and DevOpsThe Intersection of Security and DevOps
The Intersection of Security and DevOpsAlert Logic
 
Security Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola CompanySecurity Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola CompanyAlert Logic
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the CloudAlert Logic
 
Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure
Microsoft Azure Security Overview - Microsoft - CSS Dallas AzureMicrosoft Azure Security Overview - Microsoft - CSS Dallas Azure
Microsoft Azure Security Overview - Microsoft - CSS Dallas AzureAlert Logic
 
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas AzureAlert Logic
 

More from Alert Logic (17)

Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Security Spotlight: Rent-A-Center
Security Spotlight: Rent-A-CenterSecurity Spotlight: Rent-A-Center
Security Spotlight: Rent-A-Center
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
CSS 2018 Trivia
CSS 2018 TriviaCSS 2018 Trivia
CSS 2018 Trivia
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
The Intersection of Security and DevOps
The Intersection of Security and DevOpsThe Intersection of Security and DevOps
The Intersection of Security and DevOps
 
Security Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola CompanySecurity Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola Company
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure
Microsoft Azure Security Overview - Microsoft - CSS Dallas AzureMicrosoft Azure Security Overview - Microsoft - CSS Dallas Azure
Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure
 
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
 

Recently uploaded

IEEE Computer Society 2024 Technology Predictions Update
IEEE Computer Society 2024 Technology Predictions UpdateIEEE Computer Society 2024 Technology Predictions Update
IEEE Computer Society 2024 Technology Predictions UpdateHironori Washizaki
 
High-Level Synthesis for the Design of AI Chips
High-Level Synthesis for the Design of AI ChipsHigh-Level Synthesis for the Design of AI Chips
High-Level Synthesis for the Design of AI ChipsObject Automation
 
DS Lesson 2 - Subsets, Supersets and Power Set.pdf
DS Lesson 2 - Subsets, Supersets and Power Set.pdfDS Lesson 2 - Subsets, Supersets and Power Set.pdf
DS Lesson 2 - Subsets, Supersets and Power Set.pdfROWELL MARQUINA
 
Elevate Your Business with TECUNIQUE's Tailored Solutions
Elevate Your Business with TECUNIQUE's Tailored SolutionsElevate Your Business with TECUNIQUE's Tailored Solutions
Elevate Your Business with TECUNIQUE's Tailored SolutionsJaydeep Chhasatia
 
What Developers Need to Unlearn for High Performance NoSQL
What Developers Need to Unlearn for High Performance NoSQLWhat Developers Need to Unlearn for High Performance NoSQL
What Developers Need to Unlearn for High Performance NoSQLScyllaDB
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
HHUG-03-2024-Impactful-Reporting-in-HubSpot.pptx
HHUG-03-2024-Impactful-Reporting-in-HubSpot.pptxHHUG-03-2024-Impactful-Reporting-in-HubSpot.pptx
HHUG-03-2024-Impactful-Reporting-in-HubSpot.pptxHampshireHUG
 
Future Research Directions for Augmented Reality
Future Research Directions for Augmented RealityFuture Research Directions for Augmented Reality
Future Research Directions for Augmented RealityMark Billinghurst
 
ServiceNow Integration with MuleSoft.pptx
ServiceNow Integration with MuleSoft.pptxServiceNow Integration with MuleSoft.pptx
ServiceNow Integration with MuleSoft.pptxshyamraj55
 
Monitoring Java Application Security with JDK Tools and JFR Events.pdf
Monitoring Java Application Security with JDK Tools and JFR Events.pdfMonitoring Java Application Security with JDK Tools and JFR Events.pdf
Monitoring Java Application Security with JDK Tools and JFR Events.pdfAna-Maria Mihalceanu
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
CHIPS Alliance_Object Automation Inc_workshop
CHIPS Alliance_Object Automation Inc_workshopCHIPS Alliance_Object Automation Inc_workshop
CHIPS Alliance_Object Automation Inc_workshopObject Automation
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
AI Health Agents: Longevity as a Service in the Web3 GenAI Quantum Revolution
AI Health Agents: Longevity as a Service in the Web3 GenAI Quantum RevolutionAI Health Agents: Longevity as a Service in the Web3 GenAI Quantum Revolution
AI Health Agents: Longevity as a Service in the Web3 GenAI Quantum RevolutionMelanie Swan
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
ict grade 12 lesson 2 sinhala medium notes pdf
ict grade 12 lesson 2 sinhala medium notes pdfict grade 12 lesson 2 sinhala medium notes pdf
ict grade 12 lesson 2 sinhala medium notes pdfruhisiya9
 
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...James Anderson
 
LinkedIn optimization Gunjan Dhir .pptx
LinkedIn optimization Gunjan Dhir .pptxLinkedIn optimization Gunjan Dhir .pptx
LinkedIn optimization Gunjan Dhir .pptxGunjan Dhir
 

Recently uploaded (20)

IEEE Computer Society 2024 Technology Predictions Update
IEEE Computer Society 2024 Technology Predictions UpdateIEEE Computer Society 2024 Technology Predictions Update
IEEE Computer Society 2024 Technology Predictions Update
 
High-Level Synthesis for the Design of AI Chips
High-Level Synthesis for the Design of AI ChipsHigh-Level Synthesis for the Design of AI Chips
High-Level Synthesis for the Design of AI Chips
 
DS Lesson 2 - Subsets, Supersets and Power Set.pdf
DS Lesson 2 - Subsets, Supersets and Power Set.pdfDS Lesson 2 - Subsets, Supersets and Power Set.pdf
DS Lesson 2 - Subsets, Supersets and Power Set.pdf
 
Elevate Your Business with TECUNIQUE's Tailored Solutions
Elevate Your Business with TECUNIQUE's Tailored SolutionsElevate Your Business with TECUNIQUE's Tailored Solutions
Elevate Your Business with TECUNIQUE's Tailored Solutions
 
What Developers Need to Unlearn for High Performance NoSQL
What Developers Need to Unlearn for High Performance NoSQLWhat Developers Need to Unlearn for High Performance NoSQL
What Developers Need to Unlearn for High Performance NoSQL
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
HHUG-03-2024-Impactful-Reporting-in-HubSpot.pptx
HHUG-03-2024-Impactful-Reporting-in-HubSpot.pptxHHUG-03-2024-Impactful-Reporting-in-HubSpot.pptx
HHUG-03-2024-Impactful-Reporting-in-HubSpot.pptx
 
Future Research Directions for Augmented Reality
Future Research Directions for Augmented RealityFuture Research Directions for Augmented Reality
Future Research Directions for Augmented Reality
 
ServiceNow Integration with MuleSoft.pptx
ServiceNow Integration with MuleSoft.pptxServiceNow Integration with MuleSoft.pptx
ServiceNow Integration with MuleSoft.pptx
 
Monitoring Java Application Security with JDK Tools and JFR Events.pdf
Monitoring Java Application Security with JDK Tools and JFR Events.pdfMonitoring Java Application Security with JDK Tools and JFR Events.pdf
Monitoring Java Application Security with JDK Tools and JFR Events.pdf
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
CHIPS Alliance_Object Automation Inc_workshop
CHIPS Alliance_Object Automation Inc_workshopCHIPS Alliance_Object Automation Inc_workshop
CHIPS Alliance_Object Automation Inc_workshop
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
AI Health Agents: Longevity as a Service in the Web3 GenAI Quantum Revolution
AI Health Agents: Longevity as a Service in the Web3 GenAI Quantum RevolutionAI Health Agents: Longevity as a Service in the Web3 GenAI Quantum Revolution
AI Health Agents: Longevity as a Service in the Web3 GenAI Quantum Revolution
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
ict grade 12 lesson 2 sinhala medium notes pdf
ict grade 12 lesson 2 sinhala medium notes pdfict grade 12 lesson 2 sinhala medium notes pdf
ict grade 12 lesson 2 sinhala medium notes pdf
 
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
 
LinkedIn optimization Gunjan Dhir .pptx
LinkedIn optimization Gunjan Dhir .pptxLinkedIn optimization Gunjan Dhir .pptx
LinkedIn optimization Gunjan Dhir .pptx
 

Reducing Your Attack Surface

  • 1. REDUCING YOUR ATTACK SURFACE Ryan Holland, Senior Director of Cloud Architecture – Alert Logic
  • 2. Summary • Understanding your attack surface is critical to deploying the right security controls • Attack surface in cloud environments is significantly different than on-premises • Dominant cloud exposures are often misunderstood
  • 3. 2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked #1 Sands Casino Breach
  • 4. 2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked • Compromised admin credentials • Moved laterally through Windows AD • Used malware to destroy all hosts on the network Sands Casino Breach
  • 5. 1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks
  • 6. 1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks Underreported. Misunderstood.
  • 7. What Drives This Awareness Disconnect? • Breach disclosure in a number of states is mandatory, but technical details are not in disclosure scope • News media naturally gravitates towards human interest security stories • Mobile phones • Endpoint malware • Email theft Ransomware Malware All other terms: SQL injection, web application attack, Wordpress vulnerability, PHP vulnerability, Apache Struts vulnerability
  • 8. Our Perspective on Cloud Attack Surface • 4,000+ customers • 80% of deployments in data centers • 50% of deployments in public and hybrid cloud • Dominant workload: business critical web applications
  • 9. Real world view from our SOC
  • 10. #2 Yahoo Impact Number of exposed accounts increased from 1B to 3B. How it happened Phishing Email Where are they now? Sold to Verizon. Valuation revised by $350M
  • 11. Meet “M4g” AKA Alexsey Belan • One of the most prolific hackers between 2013 - 2015 • Estimated to have compromised 1.2 billion user accounts • Prime suspect in numerous breaches
  • 12. Alexsey Belan’s Techniques 1. Identified peripheral sites and key people via Google and LinkedIn 2. Initial compromise via CVE-2011–4106 WordPress vulnerability. Modified authentication mechanisms to capture credentials 3. Used NMAP & internal Wiki to learn the environment and move laterally 4. Reused cookies from development staging systems, client certificates from emails and trouble tickets 5. Used developer credentials to introduce backdoors into code Source: https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551
  • 13. Why WordPress? Used in 28% of all web sites on the internet • WP CVE-2011–4106 vulnerability in resulted in 1.2 million compromised sites • 53 similar vulnerabilities in last 10 years (CVSS 6+)
  • 14. #3 RNC breach Impact 200M voter records exposed How it happened Misconfiguration in Amazon Web Services S3 service Where are they now? Survived the breach. Operational impact unclear.
  • 15. AWS S3 Data Leaks Due To Misconfigurations
  • 16. #4 Code Spaces Impact Nearly all customer data, including backups, deleted. How it happened Credential compromise. Where are they now? Closed down immediately after event.
  • 17. 60 Most Common AWS Configuration Remediations Unencrypted AMI Discovered Unencrypted EBS Volume S3 Logging not Enabled Unrestricted Outbound Access on All Ports User not configured to use MFA User Access Key not configured with Rotation IAM Policies are attached directly to User Dangerous User Privileged Access to S3 Dangerous IAM Role for S3 Dangerous User Privileged Access to RDS Disable Automatic Access Key Creation Dangerous User Privileged Access to DDB Dangerous User Privileged Access to IAM IAM Access Keys Unused for 90 Days ELB Listener Security (2 of 4) ELB Listener Security (1 of 4) Dangerous IAM Role for RDS RDS Encryption is not Enabled Dangerous IAM Role for DDB Unrestricted Inbound Access - Specific Ports 2 Dangerous IAM Role for IAM Unrestricted Inbound Access to SSH Port 22/tcp Unrestricted Inbound Access to HTTP Port 80/tcp Amazon S3 Bucket Permissions (2 of 2) Inactive user account Ensure AWS CloudTrail is Enabled in All Regions ELB Listener Security (4 of 4) Unrestricted Inbound Access Publicly Accessible RDS Database Instance Passwords not set to enforce complexity ACL permissions enabled for Authenticated Users in an S3 Bucket CloudTrail Logging Disabled Passwords not configured to expire Ensure Hardware Multi-Factor Authentication is Enabled for the Root Account Unrestricted Inbound Access to Windows RDP Port 3389/tcp Enable Amazon GuardDuty on AWS Account Unrestricted Inbound Access to PostgreSQL Port 5432/tcp Global View ACL permissions enabled in an S3 Bucket Unrestricted Inbound Access to mySQL Port 3306/tcp Unrestricted Inbound Access to NetBIOS over TCP/IP 137/udp/tcp, 138/udp or 139/udp/tcp Unrestricted Inbound Access to SMTP Port 25/tcp Root account not using MFA Unrestricted Inbound Access to FTP Port 21/tcp Unrestricted Inbound Access to DNS Port 53/tcp Unrestricted Inbound Access to SQLServer Port 1433,1434/tcp Unrestricted Inbound Access to FTP Port 20/tcp Unrestricted Inbound Access to VNC Port 5500,5900/tcp Unrestricted Inbound Access to MSQL Port 4333/tcp Unrestricted Inbound Access to SMTP over TLS/SSL Port 465/tcp Unrestricted Inbound Access to ElasticSearch Port 9300/tcp Unrestricted Inbound Access to CIFS/SMB over TCP 445/tcp Root Account Used Recently Unrestricted Inbound Access to Windows RPC Port 135/tcp Publicly Accessible AMI Discovered Unrestricted Inbound Access to Telnet Port 23/tcp Unencrypted Redshift Cluster Unrestricted Inbound Access to DNS Port 53/udp Publicly Accessible Redshift Cluster Nodes Dangerous use of Root Access Keys Unrestricted Inbound Access to CIFS/SMB over TCP 445/udp Across 31,235 EC2 instances / workloads 155,911 vulnerabilities and exposures sampled On 381 VPC’s in Dec 2017
  • 18. Cloud Insight Essentials check Misconfigurations
  • 19. Cloud Attack Surface Attacks Web App Attacks OWASP top 10 Platform / library attacks App / System misconfig attacks Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Hardware The Application Stack Databases Attackersaremovingupthestack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduces unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise
  • 20. Attack Surface Factors Factor Impact Technology Triggers Custom built complex web code Broad attack surface and numerous opportunities for hidden vulnerabilities. Open or commercial development frameworks Vulnerabilities inherited from open source community or software vendors. 3-tier architecture with relational databases Increased risk of SQL injection - #1 web attack method in volume and impact Open and Interconnected Easily accessible from outside world by valid users and attackers alike Legacy code Technical debt means increases risk
  • 22. The Realities of Dwell Time 1. Ponemon Institute 2017 Cost of Data Breach Study