Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)


  1. Security Myths and Facts in Today's IT World
     Tudor Damian – IT Solutions Specialist, Transcent; Microsoft MVP on Hyper-V
     Tudor.Damian@transcent.ro – www.tudy.tel
     (Premium community conference on Microsoft technologies – itcampro@ itcamp14#)
  2. Huge thanks to our sponsors & partners!
  3. Agenda
     • Some security myths
       – The illusion of security
       – The “outside” threat
       – The policies
       – The tools
       – The trust
     • Staying up to date
     • A couple of useful resources
  4. SECURITY MYTHS
  5. The illusion of Security
     • It won’t happen to me
     • We have [insert your favorite security feature here], so you know your data is safe
     • Password expiration and complexity reduces risk
     • Encrypting the data is enough to protect it
  6. The illusion of Security (cont’d)
     • 51% of respondents have had at least one web application security incident since the beginning of 2011. 18% of those respondents experienced losses of at least $500,000. 28% don’t know the cost of their breaches. (Forrester Research, 2012)
     • “90% of businesses have been hacked at least once in 2010” (Ponemon Research, 2011; the study polled 583 U.S. companies from a wide variety of businesses, both private and government, ranging from small businesses with under 500 employees to enterprises with more than 75000 employees)
  7. The “Outside” Threat
     • The greatest security threats come from the Internet
     • Our employees wouldn’t do such a thing
  8. The “Outside” Threat (cont’d)
     – “One in five workers (21%) let family and friends use company laptops and PCs to access the Internet” (McAfee)
     – “One in ten confessed to downloading content at work they should not” (McAfee)
     – “More than half (51%) connect their own devices or gadgets to their work PC... a quarter of who do so every day” (McAfee)
     – “39% of companies said insider negligence was the root cause of data breaches.” (Ponemon Research, 2011)
     – “Six out of ten respondents blame “human error” for their data security breaches, and 45% blame fraud and abuse by insiders, such as employees or contractors.” (Ponemon Research, 2011)
  9. The Policies
     • Moving the CISO outside of IT will automatically ensure good security
     • Adhering to security practices is the CISO’s problem, not ours
     • Let’s just get the policy in place and we should be good to go!
  10. The Policies (cont’d)
     • “5% have accessed areas of their IT system they shouldn’t have” (McAfee)
     • 65% of employees have given out their password to colleagues. 75% of employees knew at least one of their colleagues’ passwords. 70% used the same password everywhere. (street study, London)
  11. The Tools
     • Buy [this tool] and it will solve all your problems
     • Intrusion Detection is the wave of the future
     • Biometrics will solve all access control problems
     • Antivirus software will save me from viruses
  12. The Tools (cont’d)
     • “More than half (51%) had no idea how to update the anti-virus protection on their company PC” (McAfee)
     • “Two thirds (62%) admitted they have a very limited knowledge of IT Security” (McAfee)
  13. The Tools – “Open Source is safer”
     • GnuTLS – undiscovered for 10 years
       http://www.pcworld.com/article/2105145/what-you-need-to-know-about-the-gnutls-linux-bug.html
     • Heartbleed – introduced in Dec ’11, released March ’12, fix released April ’14
       http://heartbleed.com/
     • OAuth, OpenID – Covert Redirect
       http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/
  14. The trust
     • Can I trust my infrastructure?
     • Can I trust my contractors?
     • Can I trust my service providers?
     • Can I trust my employees?
     • Can I trust myself?
     • If yes, why?
  15. Doing any shopping online?
     • Late February - early March
     • 230 million records
       – customer names
       – e-mail addresses
       – encrypted passwords
       – postal addresses
       – phone numbers
       – dates of birth
  16. The Cost of Data Breaches
     “Security Breaches cost $90 to $305 per lost record” (Forrester Research)
     $197.5 average x 867,252,711 = $171,282,410,422.5
     That’s over 300.000 x Lamborghini Aventador
  17. The Cost of Data Breaches (cont’d)
     • …or, if you used $5.000 Alienware laptops as bricks, you could build a 1.5m tall wall around Romania
  18. LET’S HAVE SOME FUN
  19. Imagine this Software Company
     • They run Windows AD
     • They still have Windows XP/Vista/7/8 PCs & laptops
     • Users/devs are local admins on their PC
     • The sysadmins generally use their own Domain Admin credentials to log into servers/workstations
  20. DEMO – Pass-the-Hash (PtH) attacks
  21. Pass-the-Hash attack mitigation
     • Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques v1.1 (June 2013)
       – http://www.microsoft.com/en-us/download/details.aspx?id=36036
     • Configuring Additional LSA Protection in Windows 8.1
       – http://technet.microsoft.com/en-us/library/dn408187.aspx
  22. DEMO – Crack-the-Hash, or Why LM Hashes are Bad™
  23. So, what about those hashes?
     • During the PtH attack, we saw something like this:
       Administrator:TRANSCENT:BFF196677961A037DB2294261F598B4C:FCE550E11EB2810882EADCBC48E27366
     • Contents: USER:DOMAIN:LMHASH:NTHASH
     • The part shown in red on the slide (the LM hash) is fun to deal with :)
  24. What you need to know about LM hashes
     The LM hash is computed as follows:
     • Password restricted to 14 characters
     • Converted to UPPERCASE
     • Encoded in the System OEM Code Page
     • Null-padded to 14 bytes
     • The “fixed-length” password is split into two seven-byte halves
     • Halves used to create two DES keys, one from each 7-byte half
       – A null bit is inserted after every 7 bits (1010100 becomes 10101000)
       – This generates the 64 bits needed for a DES key
     • The two keys are used to DES-encrypt “KGS!@#$%”
       – Result: two 8-byte ciphertext values
     • Ciphertext values are concatenated to form a 16-byte value, the “LM hash”
     • TL;DR - LM Hashes are a cracking heaven :)
  25. STAYING UP-TO-DATE – Security reports
  26. Security Awareness
     • Security is all about people
     • A healthy dose of paranoia is required
     • Well prepared IT staff
     • Regular security trainings for all employees
  27. The Browser Wars (part 1) – malware detection (Source: mobzine.ro)
     • 8 browsers
     • 657 samples of socially engineered malware (SEM)
     • Block rates ranged from 99.9% to 4.1%
     https://www.nsslabs.com/reports/browser-security-comparative-analysis-report-socially-engineered-malware
  28. The Browser Wars (part 2) – Pwn2Own 2014 (Source: mobzine.ro)
     • Sandbox escapes or 3rd party code execution:
       – IE 11 (W8.1 x64)
       – Mozilla Firefox (W8.1 x64)
       – Google Chrome (W8.1 x64)
       – Adobe Flash (W8.1 x64)
       – Adobe Reader XI (W8.1 x64)
       – Apple Safari on Mac OS X Mavericks
     • $850.000 total prize money, paid to eight entrants
     www.pwn2own.com
  29. Microsoft Security Intelligence Report
     http://www.microsoft.com/security/sir/
  30. Verizon Data Breach Investigations Report (1)
     • The 2012 Verizon DBIR found that
       – 85% of breaches took weeks to discover
       – 96% of breaches were not highly difficult
       – 97% of breaches were avoidable through simple/intermediate controls
       http://www.verizonenterprise.com/DBIR/2012/
     • The 2014 DBIR report shows that 92% of the 100.000 incidents they’ve analyzed over the past 10 years can be described by just 9 basic patterns
       http://www.verizonenterprise.com/DBIR/2014/
  31. Verizon Data Breach Investigations Report (2)
  32. Cisco 2014 Annual Security Report
     https://www.cisco.com/web/offers/lp/2014-annual-security-report/
  33. Other Sources
     http://www.cvedetails.com/
     http://www.mcafee.com/us/threat-center.aspx
     http://www.kaspersky.com/internet-security-center
     http://www.gartner.com/technology/core/products/research/topics/securityPrivacy.jsp
  34. A COUPLE OF USEFUL RESOURCES
  35. Enhanced Mitigation Experience Toolkit
     http://technet.microsoft.com/en-us/security/jj653751
  36. Microsoft Security Compliance Manager
     http://technet.microsoft.com/en-us/library/cc677002.aspx
  37. Q & A
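The LM hash construction that slide 24 walks through, written out step by step as an added example (this is not code from the presentation). It assumes the OEM code page is cp437 and takes single DES from PyCryptodome, which is not in the Python standard library; the preprocessing and key-expansion steps run without it. The `lm_audit` helper is an addition too: it shows what the fixed structure gives away about a stored hash before any cracking happens.

```python
"""LM hash construction as slide 24 lists it (added example). Assumptions:
OEM code page = cp437; single DES comes from PyCryptodome (Crypto.Cipher.DES)."""
try:
    from Crypto.Cipher import DES      # PyCryptodome, assumed installed
except ImportError:
    DES = None

LM_MAGIC = b"KGS!@#$%"                            # constant plaintext both halves encrypt
EMPTY_HALF = bytes.fromhex("AAD3B435B51404EE")    # DES of LM_MAGIC under the all-zero key


def lm_preprocess(password: str) -> tuple[bytes, bytes]:
    """Truncate to 14 chars, uppercase, OEM-encode, null-pad to 14 bytes, split 7/7."""
    data = password[:14].upper().encode("cp437")[:14].ljust(14, b"\0")
    return data[:7], data[7:]


def lm_des_key(half: bytes) -> bytes:
    """Spread 7 bytes (56 bits) over 8 bytes: a 0 bit after every 7 bits."""
    assert len(half) == 7
    bits = int.from_bytes(half, "big")
    key = 0
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F    # next 7-bit group, MSB first
        key = (key << 8) | (seven << 1)          # 1010100 -> 10101000
    return key.to_bytes(8, "big")


def lm_hash(password: str) -> bytes:
    """16-byte LM hash: DES_k1(KGS!@#$%) || DES_k2(KGS!@#$%)."""
    if DES is None:
        raise RuntimeError("PyCryptodome is needed for the DES step")
    return b"".join(DES.new(lm_des_key(h), DES.MODE_ECB).encrypt(LM_MAGIC)
                    for h in lm_preprocess(password))


def lm_audit(lm: bytes) -> list[str]:
    """What an auditor can read off a stored LM hash without cracking anything."""
    notes = []
    if lm == EMPTY_HALF * 2:
        notes.append("empty password or LM hash storage disabled (NoLMHash)")
    elif lm[8:] == EMPTY_HALF:
        notes.append("password is at most 7 characters (second half is empty)")
    return notes


if __name__ == "__main__":
    for pw in ("", "abc", "Password"):
        h = lm_hash(pw)
        print(f"{pw!r:12} {h.hex().upper()}  {lm_audit(h)}")
```

Because the halves are independent and each depends on only seven case-folded characters, the two 8-byte values are attacked separately, which is the structural reason behind the slide's "cracking heaven" verdict.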
