CrikeyCon VI - The Boring Security Talk

Troy Hunt and Scott Helme have spoken about all the exciting security things, so let’s talk about the boring bits! When we think about application and infrastructure security, we often think about the big shiny things and forget the boring bits. In this talk, we’ll look at the security of our package dependencies, CI/CD tools, how we send email and even resolve hostnames. Over the last few months, hackers have managed to inject cryptocurrency miners into all these places. Security incidents in these components might not result in an entry in Have I Been Pwned?, but they'll result in a bad day.

Published in: Technology
1. The Boring Security Talk

2. Hello!
   I am Kieran Jacobsen
   Head of Information Technology @ Readify
   Microsoft MVP, Cloud and Datacenter Management
   You can find me at:
   ◇ @kjacobsen
   ◇ Poshsecurity.com

3. CI/CD
   Pushing code around and around and around and around and …

4. Publicly Exposed
   ◇ Internet accessible
   ◇ Limited or no firewall rules

5. Weak Authentication
   ◇ No SSL/TLS
   ◇ Shared accounts
   ◇ Stale accounts
   ◇ No MFA

6. Significant Privileges
   ◇ Operating System privileges
   ◇ Cloud privileges

7. Patching
   ◇ Operating System
   ◇ CI/CD Tools
   ◇ Dependencies (Git)

8. Attacks Happen
   “Hackers exploit Jenkins servers, make $3 million by mining Monero”, CSO Online, 2018-02-20.

9. Restricting Access
   ◇ Does it need Internet access?
   ◇ Can we lock down by source IP address?
   ◇ Can we lock down to specific destination port numbers?

10. Using SSO and MFA
   ◇ Enable and enforce HTTPS
   ◇ Enable SSO: each user has their own account
   ◇ MFA should be enabled for Internet-exposed systems

11. Least Privilege
   ◇ Ensure CI/CD agents and processes run with as little privilege as possible
   ◇ Restrict who has admin access to CI/CD
   ◇ Audit privileges regularly

12. Patching
   ◇ Ensure servers are in a regular patching process
   ◇ Plan for CI/CD patching and dependency tool patching

13. PR Validation

14. DNS
   The Internet street directory.

15. Change Control
   ◇ Who made a change?
   ◇ When did they make the change?
   ◇ Why did they do it?
   ◇ What was it pointing to?

16. Speed
   ◇ How long does it take to make a change?
   ◇ Manual changes

17. Visibility
   ◇ Do those impacted have visibility into changes?

18. Bad GUIs
   ◇ Cut-and-paste errors
   ◇ Confusing terminology

19. Attacks Happen
   ◇ “DHS: Multiple US gov domains hit in serious DNS hijacking wave”, Ars Technica, 2019-01-26
   ◇ “Advice on Mitigating DNS Infrastructure Tampering”, Posh Security, 2019-02-12
   ◇ “A Deep Dive on the Recent Widespread DNS Hijacking Attacks”, Krebs on Security, 2019-02-18
   ◇ “DNS Squatting with Azure App Services”, Posh Security, 2017-08-27

20. DNSControl
   ◇ Open Source Software
   ◇ Developed and maintained by Stack Overflow
   ◇ Supports multiple registrars and DNS providers
   ◇ Can preview changes before pushing them
   ◇ https://stackexchange.github.io/dnscontrol/

21. A Recognisable Format
   ◇ JavaScript configuration file
   ◇ Comments to help describe zone contents
   ◇ Example: http://bit.ly/dnsconfig

22. Version Control
   ◇ Branches
   ◇ Log
   ◇ Blame

23. Pull Requests
   ◇ Review changes
   ◇ Include impacted teams

24. CI/CD
   ◇ Humans don’t change DNS
   ◇ CI = DNSControl Preview
   ◇ CD = DNSControl Push
   ◇ Guide: http://bit.ly/DNSControl

25. https://www.dell.com/content/topics/topic.aspx/us/segments/biz/odg/dmlp_dell_security_card
   ⏯ Play Along: https://dell.to/2WPh25D

26. Email
   The service we all have but don’t want

27. The Issues With Email
   ◇ SPAM
   ◇ Phishing
   ◇ Spear Phishing
   ◇ Whaling
   ◇ Impersonation

28. From: "Have I Been Pwned" <noreply@haveibeenpwned.com>
   Return-Path: bounces+3489673-b289-myuser=mydomain.com@mail.haveibeenpwned.com

29. Identifying Sources
   ◇ Your mail servers
   ◇ Applications
   ◇ Marketing campaign servers
   ◇ Bulk email services
   ◇ SaaS products

30. “We can’t use SPF, DKIM or DMARC because we don’t know who is legitimately sending email as our organisation‽”

31. SPF
   ◇ Validates mail is coming from authorised IP addresses
   ◇ Information stored in DNS
   ◇ Validates envelope-from address
   ◇ Can include other SPF records (Office 365, etc.)
   ◇ DNS query limitations

32. DKIM
   ◇ Uses digital signatures to validate mail
   ◇ Validates Message-From header address
   ◇ Public key(s) stored in DNS

33. DMARC
   ◇ SPF and/or DKIM
   ◇ Alignment checks
   ◇ Allows domains to specify action if checks fail
   ◇ Reporting
   ◇ Policy stored in DNS

34. DMARC adoption
   ◇ No DMARC: 53%
   ◇ None: 38%
   ◇ Reject: 5%
   ◇ Quarantine: 4%
   Source: https://phishingscorecard.com/
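As an added example (not part of the talk), a small Python script that applies the SPF and DMARC rules from slides 31 to 33: it counts the DNS lookups a single SPF record incurs (the "DNS query limitations" slide refers to the limit of 10, per RFC 7208) and works out a DMARC disposition from the alignment between the header From domain and the domains that passed SPF or DKIM, which is why a Return-Path at mail.haveibeenpwned.com can still pass for a From at haveibeenpwned.com under relaxed alignment. All records are constructed, and the organisational-domain helper is a simplification that ignores the public suffix list.

```python
"""Added example, not from the talk: SPF lookup counting and DMARC alignment
checks for the mail-authentication slides. All records below are constructed."""

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per SPF evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def spf_lookup_count(record: str) -> int:
    """Count lookup-incurring terms in one SPF record (included records not followed)."""
    count = 0
    for term in record.split()[1:]:  # skip the leading "v=spf1"
        # strip the qualifier, then cut at ':', '=' or '/' to get the bare mechanism name
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name.lower() in LOOKUP_TERMS:
            count += 1
    return count

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """Simplified organisational domain (last two labels); real checks use the PSL."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def dmarc_disposition(dmarc_record, header_from, spf_domain=None, dkim_domain=None):
    """'pass' if SPF or DKIM passed AND aligns with the From header, else the p= action.
    spf_domain is the envelope-from (Return-Path) domain that passed SPF;
    dkim_domain is the d= of a valid DKIM signature; None means that check failed."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_domain is not None and aligned(spf_domain, header_from, tags["aspf"])
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, header_from, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# Constructed sample records (not real zone data): four lookups in the SPF record,
# and a DMARC policy with strict SPF alignment but relaxed DKIM alignment.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com include:_spf.example-saas.net a mx -all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=r; aspf=s"
```

With SAMPLE_DMARC, mail that passes SPF only for bounce.example.com is quarantined (strict SPF alignment), while a DKIM signature for mail.example.com passes under relaxed alignment.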
35. Packages & Dependencies
   Turtles all the way down

36. Browsealoud
   “UK ICO, USCourts.gov... Thousands of websites hijacked by hidden crypto-mining code after popular plugin pwned”, The Register, 2018-02-11

37. Docker Images
   “Malicious Docker Containers Earn Cryptomining Criminals $90K”, Threat Post, 2018-06-13

38. ESLint
   “Postmortem for Malicious Packages Published on July 12th, 2018”, ESLint, 2018-07

39. “The maintainer whose account was compromised had reused their npm password on several other sites and did not have two-factor authentication enabled on their npm account.”

40. Bootstrap-sass
   “Malicious remote code execution backdoor discovered in the popular bootstrap-sass Ruby gem”, Snyk Blog, 2019-04-03

41. Pipdig Power Pack (P3)
   “Pipdig Update: Dishonest Denials, Erased Evidence and Ongoing Offences”, Wordfence Blog, 2019-04-02

42. Thanks!
   Any questions?
   You can find me at:
   ◇ @kjacobsen
   ◇ Poshsecurity.com