Security isn't deploying some overbearing big brother of a hardware or software solution; it's not running scanning software which tells you you're safe, because in reality, in these types of setups, you're not.
Security is akin to high availability: you deploy multiple redundancies to ensure you can still operate, and the same can and should be applied to security. Identify the potential areas of attack, reduce this attack surface and deploy multiple redundancies to secure your deployments.
Security
It's more than just your database you should worry about
David Busby
Information Security Architect
2014-11-02

Sample Text Page
• David Busby
– Percona since January 2013
– R.D.B.A
– EMEA && Security Lead
– I.S.A (current)
– 14 years sysadmin / dev
– Ju-Jitsu instructor for N.F.P club
– Volunteer assisting teaching computing at a secondary school

Agenda
• Got F.U.D?
• What is an attack surface?
• D.A.C, M.A.C, I.P.S, I.D.S, WTF?
• Heartbleed / Shellshock / #gate / #bandwagon
• Detection or prevention: the boy who cried wolf
• Emerging tech to keep an eye on
• 2014 … it's been interesting

Here be dragons ...
• Previous talks focused on a select set of identification and prevention
● This talk is different …
● Focus is on a mindset change for pure identification of potential attack vectors, as well as clarification of some points along the way
● There's F.U.D by the ton; and we each get a shovel.

Got F.U.D?
• Fear Uncertainty Doubt
• C.R.I.M.E (CVE-2012-4929)
• B.E.A.S.T (CVE-2011-3389)
• Heartbleed (CVE-2014-0160)
• Shellshock (CVE-2014-6271, 6277, 6278, 7169, 7186, 7187)
• P.O.O.D.L.E (CVE-2014-3566)

What's an “attack surface”?
• Potential areas for compromise
– Application
– Database
– Network
– Hardware
– Software
– Employees
– Other

What's an “attack surface”?
• Application
– Engine / Interpreter, e.g. Java, PHP, etc.
● e.g. PHP CVE-2011-4885 (hash collide)
– Framework
● Or most likely a plugin
– Developer errors: SQLi, XSS, CSRF etc ...
– HTTP service: Apache, Nginx, Lighttpd, etc.
– Sysadmin errors, e.g. misconfiguration of SSL ciphers / certs

What's an “attack surface”?
• Database
– Weak passwords
– Overpermissive grants
– Overly broad host specifications, e.g. @%
– Vulnerabilities in the service (often denoted by CVEs, e.g. CVE-2012-2122)
– Poor isolation (network, users etc)
– Malicious plugins, e.g. UDFs
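A way to check your own grants for the database items on this slide (wildcard hosts and overpermissive global privileges). This is an added example, not code from the talk; the `SHOW GRANTS` lines are constructed, and the set of "dangerous when global" privileges is my own judgment call.

```python
import re

# Constructed sample output of `SHOW GRANTS FOR ...` (not taken from the talk).
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'app'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'web'@'10.0.1.%'",
    "GRANT FILE ON *.* TO 'report'@'localhost'",
    "GRANT SELECT ON `shop`.`orders` TO 'ro'@'10.0.1.5'",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<opts>.*)$"
)

# Privileges that effectively hand over the whole server when granted ON *.*
# (assumed list; tune it to your own policy).
DANGEROUS_GLOBAL = {"ALL PRIVILEGES", "SUPER", "FILE", "PROCESS", "SHUTDOWN", "CREATE USER"}


def audit_grant(line):
    """Return findings for one GRANT statement; an empty list means nothing flagged."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return ["unparsed: " + line]
    who = "'%s'@'%s'" % (m.group("user"), m.group("host"))
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    findings = []
    # A bare '%' host lets any address attempt a login; narrower wildcards such
    # as '10.0.1.%' are left to human review rather than flagged here.
    if m.group("host") == "%":
        findings.append(who + ": host '%' allows login attempts from anywhere")
    risky = privs & DANGEROUS_GLOBAL
    if m.group("scope") == "*.*" and risky:
        findings.append(who + ": global %s on *.*" % sorted(risky))
    if "WITH GRANT OPTION" in m.group("opts").upper():
        findings.append(who + ": WITH GRANT OPTION lets the account hand out more grants")
    return findings


def audit_all(lines):
    """Audit every GRANT line and flatten the findings."""
    return [f for line in lines for f in audit_grant(line)]
```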
What's an “attack surface”?
• Network
– Overly open ACL
– Little or no isolation
– Little or no monitoring
– Little or no packet inspection
– “An open playground”
– Hardware embedded OS vulnerabilities
– Other entry points
● It's not limited to Ethernet / 2.4 && 5 GHz WiFi (look at the NSA ANT catalogue)

What's an “attack surface”?
• Hardware
– Lack of tamper evident seals
– Lack of control of use
– Malicious USB / Firewire / etc
● COTTONMOUTH-I
● Irongeek's Plug & Prey
● USB Rubber Ducky
– Embedded firmware vulnerabilities
– “Freebie” / “Gift” / “Other”
– Lack of physical access controls
● e.g. Barclays £1.3M theft
– Lack of $vendor updates (e.g. Android)

What's an “attack surface”?
• Lock all the things!
– Combination T.S.A locks
● Easily picked
– Traditional tumbler locks
● Picking / bump keys
– Biometrics
● Mythbusters
• Key pads
– Check for wear / dirt marks / vendor codes
• Key switches (e.g. in lifts)
– As per above
• Room card keys
– Magstripe read and write
• RFID
– Easily read tag contents and replay

What's an “attack surface”?
• And then there's … I.o.T
– T.V
– Cameras
– Light bulbs
– Fridges
– Home automation
– Locks
– Printer
● Cloud print …
– Etc
– Supervisory Control And Data Acquisition
● Let's put a hydro electric dam control system on the internet!

What's an “attack surface”?
• But wait … there's more!
• Your cars
• Medical devices (more famously RF enabled pacemakers), wireless insulin pumps etc …
• https://www.iamthecavalry.org/

What's an “attack surface”?
• Software
– Modified binaries
– “Install for FREE STUFF!”
– Unaudited source code … cough cough
● Truecrypt, openssl ...
– Poor isolation (no M.A.C, only D.A.C)
– Process injection, buffer overflows etc …
– Unpatched software

What's an “attack surface”?
• Employees
– “I put all my details on this pastebin, can you take a look?”
– “Sure you can use my phone / workstation!”
– “So all I have to do is click this link?”
– “Oh you're from HR? Sure I can install that!”
– “A magic trick? YEY!”
– “FREE STUFF?!”

What's an “attack surface”?
• Employees
– Phishing / Spear Phishing
– Social engineering
– D.L.P bypass is no longer just crafted devices
● Making commodity USB "evil"
● Derbycon presentation
● Adam Caudill && Brandon Wilson
– Implied trust
● Uniform / Badge != Proof

What's an “attack surface”?
• Other
– Side channel attacks
● Cache timing
● Co-residency (side channel against “cloud”)
– Unintentional “emissions”
● Melissa Elliot “Noise Floor”
● S.D.R (Software Defined Radio)
● Monitor / Display, RAM, F.S.B, etc ...

F.U.D!

Well … not so much

D.A.C, M.A.C, I.P.S, I.D.S … WTF?
• Discretionary Access Control
– POSIX permissions
● File mode
● UID
● GID
● Software runs with the same permissions as the user and group
● e.g. your browser could read ~/.ssh/id_rsa in this model

D.A.C, M.A.C, I.P.S, I.D.S … WTF?
• Mandatory Access Control
– SELinux
● Process running with context x, e.g. MySQL
● Access to resource y, e.g. listen *:3306
● Denied access to resource z, e.g. connect *:80
– AppArmor
– Gazzang (has some M.A.C)

Heartbleed/Shellshock/#bandwagon
• “Media”
– Need to drive views / purchases aka revenue
– F.U.D “slinging” is an effective method for this. (Everything is a Virus)
● e.g. The Register's “Critical SSL vulnerability out tomorrow”
● No detail
● No sources
● PURE F.U.D

Heartbleed/Shellshock/#bandwagon
• But naming vulnerabilities has its place
● C.R.I.M.E / CVE-2012-4929
● B.E.A.S.T / CVE-2011-3389
● Heartbleed / CVE-2014-0160
● Shellshock / CVE-2014-6271, 6277, 6278, 7169, 7186, 7187
● P.O.O.D.L.E / CVE-2014-3566

Heartbleed/Shellshock/#bandwagon
• Even if it can go a bit far ...

Heartbleed/Shellshock/#bandwagon
• There is hope behind the hype.
● Elastica Inc @ Vimeo
● Heartbleed instructional video
● Shellshock instructional video
● Poodle instructional video

Detection or prevention
• Why not both?
– Block known “bad”
● By writing your own rules
● Regularly syncing with emerging rules
– Allow known “good”
● IPS / WAF blocking your app? Write an exception, carefully!
● Be selective!
● e.g. don't: if /cart(.*) then skip
– Log everything else
● And check the logs!

Detection or prevention
• Why not both?
– Generate alerts
● e.g. logstash can send alerts to nagios
– Y.M.W.V
● You will know your application's behaviour
● Consider what's “out of context”
● e.g. 10x increase in additions to shopping cart for invalid items (could be someone attempting SQLi)
● 10x increase in requests could be a DoS

Detection or prevention
• Detection
● Alert on set conditions
● SQLi, fuzzing, out of context requests.
● Write rules / exceptions to reduce “noise”
● Be specific in said rules!
• Prevention
● Block and alert
● Reduce “noise” through blacklists.
● {"timestamp":"2014-05-15T07:30:42.970624","event_type":"alert","src_ip":"101.227.170.42","src_port":58613,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 2","category":"Misc Attack","severity":2}}
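The two detection ideas on the last two slides, worked as code: pull the "allowed" (seen but not blocked) alerts out of Suricata-style eve.json lines like the one above, and flag any source whose per-minute event rate is 10x a baseline you supply. This is an added example, not the talk's or Suricata's code; the log lines are constructed in the same field layout as the slide's sample, the IPs are documentation addresses, and the baseline figure is an assumed input.

```python
import json
from collections import Counter


def mk(ts, src, etype, extra):
    """Serialize one constructed eve.json event in Suricata's field layout."""
    base = {"timestamp": ts, "event_type": etype, "src_ip": src, "src_port": 40000,
            "dest_ip": "10.0.0.5", "dest_port": 80, "proto": "TCP"}
    base.update(extra)
    return json.dumps(base)


ALERT = {"action": "allowed", "gid": 1, "signature_id": 2500002, "rev": 3231,
         "signature": "ET COMPROMISED Known Compromised or Hostile Host Traffic group 2",
         "category": "Misc Attack", "severity": 2}

# Constructed sample log: one hostile-host alert, a normal shopper (3 cart hits in a
# minute) and a client hammering /cart with an invalid item at 10x that rate.
EVE_LINES = [mk("2014-05-15T07:30:42.970624", "198.51.100.7", "alert",
                {"dest_port": 22, "alert": ALERT})]
EVE_LINES += [mk("2014-05-15T07:30:%02d.000000" % s, "203.0.113.9", "http",
                 {"http": {"url": "/cart?item=%d" % s}}) for s in range(3)]
EVE_LINES += [mk("2014-05-15T07:31:%02d.000000" % s, "203.0.113.44", "http",
                 {"http": {"url": "/cart?item=-1"}}) for s in range(30)]
EVE_LINES.append("{not json")  # torn line, as happens when tailing a live file


def parse_eve(lines):
    """Parse eve.json lines, dropping malformed ones instead of aborting the run."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except ValueError:
            continue
    return events


def allowed_alerts(events, max_severity=2):
    """Alerts the sensor saw but did not block (IDS mode): these need a human."""
    return [e for e in events if e.get("event_type") == "alert"
            and e["alert"].get("action") == "allowed"
            and e["alert"].get("severity", 4) <= max_severity]


def rate_spikes(events, etype, baseline_per_min, factor=10):
    """Sources whose per-minute count of `etype` events reaches factor x baseline."""
    per_min = Counter((e["src_ip"], e["timestamp"][:16])
                      for e in events if e.get("event_type") == etype)
    return sorted({src for (src, _), n in per_min.items() if n >= factor * baseline_per_min})
```

Feeding the flagged sources into logstash or nagios is the alerting step the slide describes; keep the baseline per application, since a cart endpoint and a login endpoint have very different normal rates.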
Detection or prevention
• Reduce NOISE!
– Avoiding the “boy who cried wolf”
– Aka staff becoming desensitized to the slew of alerts: “oh that's normal, just ignore”
– “Familiarity breeds contempt”
• Why not just buy $product?
– It's still an option, but be 100% sure you know what you're buying.
● Paying over the odds for rebranded Nessus is never good.
● Ongoing rule updates, custom rule support, $vendor support to “tune” the appliance to your needs.

Emerging tech to keep an eye on
• Fidoalliance.org
– U2F (Universal two factor)
– UAF (Universal authentication framework)
– Google, Yubico, ARM, Bank of America, Lenovo, Mastercard, Discover, Microsoft, PayPal, Qualcomm, RSA, Samsung, Visa …
● The list of members is extensive
– TL;DR improve security by implementing a common two factor auth standard, and commoditizing it to improve adoption.

Emerging tech to keep an eye on
• Keybase.io
– Node.js
– “socializes” GPG
● Tracking → sign a “snapshot” of their key and identity profile
● “On this date I <name> verify this is Joe Blogs's gpg key, twitter account … etc”
– TL;DR wrapper and service to help spread the use of GPG
– https://keybase.io/oneiroi/

Emerging tech to keep an eye on
• Suricata
– IDS / IPS
– libjansson → eve.json
● Compatible with E.L.K stack: blog post
– Multi threaded
● Claims 10Gbit support with no ruleset sacrifice
● Protocol identification
● File identification, extraction
– Open Information Security Foundation

Emerging tech to keep an eye on
• E.L.K (Elasticsearch, Logstash, Kibana)
– Easily store, index and visualize data
● e.g. suricata data

Emerging tech to keep an eye on
• Docker
– Wrapper for LXC
● “Linux containers”
– Vagrant / git-esque cli
– Raw hardware access
● Not paravirtual
– Suffers from “container breakout”
● Gains root on host system
– REST API is very open
– Docker Security page
– Dan Walsh: SELinux and Docker

Emerging tech to keep an eye on
• Haka
– “Software defined security”
– $developer centric security
– Lua DSL
– Another tool in the $devops chain
– E.L.K support
• Why not IPTables / Netfilter / other?
– Why not both?
– Eases developer adoption

2014 … it's been interesting
• 2014
– Isn't over yet ...
– Heartbleed, shellshock, poodle
– F.U.D
● Gmail “leak” (wasn't gmail, just happened to have gmail addresses)
● Dropbox “leak” (wasn't dropbox, just happened that users were using the same credentials)
– Home Depot
– Target (Fall 2013, still “in the news”)

2014 … it's been interesting
• 2014
– No more “head in the sand”
– No more “features before security”
– The cost of compromise is proven
– Increasing ubiquity of I.o.T
● without proper security measures is not maintainable
– Time to build security into the product, not as an afterthought.

2014 … it's been interesting
• 2014
– You are not alone!
– https://www.iamthecavalry.org/
– http://www.openinfosecfoundation.org/
– https://www.reddit.com/r/netsec
– http://seclists.org/fulldisclosure/
– https://bugcrowd.com
– https://44con.com/
– http://dc4420.org/
– Deploy your own “Responsible disclosure program”

The End …
• Questions? (And thank you for attending!)
• I also have a tirade of equipment with me if anyone is interested in learning more; see me after this talk.