
Secure from the start : The changing landscape


In the wake of the Heartbleed bug and a number of other high profile security related failures, we revisit the idea of making sure we're ahead of the game, secure from the start.

Published in: Internet, Technology

  1. Welcome
     "In the wake of the Heartbleed bug and a number of other high profile security related failures, we revisit the idea of making sure we're ahead of the game, secure from the start"
     Secure from the Start: The changing landscape
     Kieran O'Shea • kieran@kieranoshea.com • @kieranoshea • http://www.kieranoshea.com/
  2. Overview
     - Motivations for this session
     - Analysis of recent high profile issues
     - Types of attack vectors
     - Mitigation: config, tools, plugins & more
     - Questions
  3. Recent issues - Heartbleed
     - A bug in OpenSSL's implementation of the TLS heartbeat extension (CVE-2014-0160), not a weakness in TLS itself
     - A malformed heartbeat request makes the peer reply with up to 64 KB of its own process memory per request
     - The leaked memory can contain private keys, session cookies and passwords, so everything protected by that key or those sessions is compromised
  4. Recent issues - Heartbleed (slide image only)
  5. Recent issues - Heartbleed (slide image only)
  6. Recent issues - Heartbleed
     - Fallout
     - Recovery
  7. Recent issues - Ransomware (slide image only; image credit: Realintogive/Wikimedia Commons)
  8. Recent issues - Ransomware
     - Essentially blackmail: your files are encrypted and payment is demanded for the key
     - Takes different forms
     - Difficult to recover from without an offline backup
     - Infection rates uncertain
     - Millions made by criminals
  9. Recent issues - Back doors (slide image only)
  10. Recent issues - Back doors (slide image only)
  11. Recent issues - Social Engineering
     - Should be considered a back door
     - Password resets
     - Security questions
     - "Single Sign On"
  12. Recent issues - Obscurity
     - When is security no security at all?
     - When my hotel reservation is www.somehotel.com/reservation/12345
     - So the previous customer's must be... www.somehotel.com/reservation/12344
     - A sequential identifier is not a secret: the server must check that the logged-in user owns the object on every request, whatever the URL looks like
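The hotel example on the slide is an insecure direct object reference: the URL is the only thing standing between a customer and everyone else's booking. The following Python is an added illustration, not code from the talk; the reservation records, user names and the hypothetical lookup functions are constructed for the example. It shows the guessable-id lookup, the enumeration it invites, and the hardened form, where the handle in the URL is unguessable and, more importantly, every lookup is checked against the requesting user.

```python
import secrets

# Constructed sample data for this example: two bookings belonging to two customers.
RESERVATIONS = {
    12344: {"owner": "alice", "room": 101},
    12345: {"owner": "bob", "room": 204},
}


def lookup_by_sequential_id(reservation_id):
    """The pattern from the slide: /reservation/<id> with no ownership check.
    Whoever knows an id gets the record, and the ids are trivially guessable."""
    return RESERVATIONS.get(reservation_id)


def enumerate_neighbours(known_id, width=1):
    """What an attacker does with a sequential id: try the ids either side of their own."""
    return [
        rid for rid in range(known_id - width, known_id + width + 1)
        if rid != known_id and rid in RESERVATIONS
    ]


# Hardened variant (hypothetical design, not the hotel's code): an unguessable
# handle in the URL *and* a server-side ownership check on every lookup. The
# random token stops enumeration; the ownership check is what actually enforces
# access control, and it would be needed even if the ids stayed sequential.
TOKEN_TO_ID = {}  # token -> reservation id; a database column in a real system


def issue_token(reservation_id):
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    TOKEN_TO_ID[token] = reservation_id
    return token


def lookup_by_token(token, requesting_user):
    """Return the reservation only if the token resolves *and* the logged-in user
    owns it. Both failures return None so the response does not reveal which
    check failed (a distinguishable error would confirm that a token exists)."""
    reservation_id = TOKEN_TO_ID.get(token)
    if reservation_id is None:
        return None
    reservation = RESERVATIONS[reservation_id]
    if reservation["owner"] != requesting_user:
        return None
    return reservation


def ownership_demo():
    """Bob's token works for Bob and for nobody else."""
    token = issue_token(12345)
    return (lookup_by_token(token, "bob")["room"], lookup_by_token(token, "alice"))
```

The point of the two-part fix is that the random handle only addresses guessability; the owner comparison is the access control. A site that switches to random ids but still skips the check is merely obscure again.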
  13. Attack Vectors - Passwords
     - Exploitation of simple passwords
     - Re-use of stolen credentials (a breach elsewhere becomes a valid login here)
     - Brute force
     - "Is this your password?" (slide image)
  14. Attack Vectors - Social Engineering
     - Probably our weakest link
     - Guessable personal details (used for resets and "secret questions") bypass the password entirely
     - Privileged users exploited
  15. Attack Vectors - External Applications
     - Shared use servers amplify risk
     - Exploiting the file system
     - Taking advantage of firewall rules
     - Piggybacking off API connectivity
  16. Attack Vectors - Rogue Code
     - Does your theme footer look like this? (slide image)
  17. Attack Vectors - Rogue Code
     - When hackers get control (slide image)
  18. Attack Vectors - Rogue Code
     - When hackers really get control (slide image)
  19. Mitigation - Passwords
     - Secure passwords, auto generated
     - Avoid re-use between systems
  20. Mitigation - Passwords
     - Employ secure password storage: a password manager
     - Complex & differing passwords become easier
     - A variety of services exist, paid & free
     - Single, secure, master password
  21. Mitigation - Two Factor Authentication
     - Something you have, something you know
     - A variety of implementations: fingerprints, smart cards, text messages, paper based grids
     - Good degree of separation required: the second factor must not live on, or be recoverable through, the same channel as the password
     - Extend to multi-factor authentication
  22. Mitigation - One Time Passwords
     - Reduces consequences of interception: a captured code is useless once it has been used or its time step has passed
     - Remote verification of token
     - Also provides two factor authentication when combined with a password
     - Support for independent infrastructure: codes can be validated against the vendor's service or entirely on your own servers
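Slides 21 and 22 describe what a one-time password buys you; the Python below is an added example, not code from the talk or from the YubiKey plugin it mentions, showing the two standard algorithms behind most authenticator apps (HOTP, RFC 4226, and TOTP, RFC 6238) together with the server-side check that makes "interception is harmless" true in practice: a code is accepted once, a little clock drift is tolerated, and a replayed code is refused. The verifier class and its window parameter are this example's own design; the test vectors come from the RFCs.

```python
import base64
import hashlib
import hmac
import struct
import time

# The shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of `step`-second intervals since the epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def secret_from_base32(text):
    """Authenticator apps and QR codes carry the secret as unpadded base32."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server side of the exchange (example design): accept a code once, allow
    `window` steps of clock drift either way, and reject any replay."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1  # highest time step already consumed by a successful login

    def verify(self, code, at=None):
        if at is None:
            at = time.time()
        counter = int(at // self.step)
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue  # this step, or an older one, was already used: a replayed code
            # constant-time comparison so a wrong digit is not detectable by timing
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


def replay_demo():
    """The same valid code presented twice: accepted, then refused."""
    verifier = TotpVerifier(RFC_SECRET)
    first = verifier.verify("287082", at=59)
    second = verifier.verify("287082", at=59)
    return first, second
```

Two things the slides leave implicit are visible here: the "remote verification" is nothing more than the server knowing the same secret and recomputing the code, which is why it can be self-hosted; and a one-time code only stays one-time if the server remembers what it has already accepted, so the `last_counter` bookkeeping is not optional.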
  23. Mitigation - SSL
     - Protects data in transit
     - Consider what constitutes "sensitive"
     - Key & signed certificate
     - Available for free
     - Beware revocation costs
     - Enhance security with forward secrecy (ephemeral key exchange, so a later compromise of the server key does not decrypt previously recorded traffic)
     - Remember client security too: VPN, S/MIME
     - Don't settle for plain text
  24. Mitigation - External Applications
     - Minimise server sharing, VPS preferable
     - If sharing, protect users from users
     - Don't chmod 777 (a world-writable file can be edited by every other account on the host)
     - Sandbox your code, e.g. suPHP (run PHP as the site's own user rather than the shared web-server user)
     - Keep an eye on key file changes
     - Consider onward security of allowed IPs
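"Keep an eye on key file changes" is the idea behind the file-monitor plugin listed on the next slide. The Python below is an added example of the underlying technique, not code from the talk or from that plugin: it records a baseline of content hashes and permission bits for a WordPress tree, skips the directories that legitimately churn (uploads, cache), and reports what was added, removed or altered. The sample site, the injected code and the web shell in `demo()` are constructed for the example; recording the mode bits means a stray chmod 777 is caught as well as a content change.

```python
import hashlib
import os

# Directories whose contents change in normal operation; watching them only produces
# noise. Everything else (core, themes, plugins, wp-config.php) should only change on deploy.
SKIP_DIRS = ("wp-content/uploads", "wp-content/cache")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, skip_dirs=SKIP_DIRS):
    """Map each file (path relative to root) to (sha256, permission bits)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if any(rel_dir == s or rel_dir.startswith(s + "/") for s in skip_dirs):
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = name if rel_dir == "." else rel_dir + "/" + name
            baseline[rel] = (sha256_of(full), os.stat(full).st_mode & 0o777)
    return baseline


def compare(old, new):
    """Report added, removed and modified paths. A permission change counts as a
    modification even when the content is intact, so a chmod 777 is flagged."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build a throw-away sample site (constructed content), tamper with it the way
    a compromise would, and return the report. In production you would store the
    baseline off-box and run compare() from cron."""
    import tempfile
    root = tempfile.mkdtemp()

    def write(rel, data, mode="w"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, mode) as f:
            f.write(data)

    write("index.php", "<?php require 'wp-blog-header.php';")
    write("wp-config.php", "<?php define('DB_NAME', 'wp');")
    baseline = build_baseline(root)
    # Simulated compromise: code injected into index.php, a dropped web shell,
    # wp-config.php made world-writable, and a legitimate upload that must not alert.
    write("index.php", "\n<?php eval(base64_decode('...'));", mode="a")
    write("wp-content/plugins/hello.php", "<?php system($_GET['c']);")
    os.chmod(os.path.join(root, "wp-config.php"), 0o777)
    write("wp-content/uploads/2014/04/photo.jpg", b"\xff\xd8\xff", mode="wb")
    return compare(baseline, build_baseline(root))
```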
  25. Mitigation - Plugins
     - Two factor authentication (OTP): "YubiKey Plugin" (Henrik Schack)
     - Modifications to files: "WordPress File Monitor Plus" (Scott Cariss)
     - Login attempts: "Limit Login Attempts" (Johan Eenfeldt)
     - Action logging: "Audit Trail" (John Godley)
     - More involved auditing: "The Auditor" (interconnect/it)
  26. Mitigation - Configuration
     - Lock down powerful interfaces
     - Work with minimum usable privileges
     - Reduce brute force with fail2ban
     - Block access at an IP level
     - Maintain access by using a VPN

        # Define specific rules for the blog admin panel
        <Directory /home/kieran/public_html/wp-admin>
            Order Deny,Allow
            Deny from all
            Allow from 95.172.226.96/27
        </Directory>

     (This is Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require ip 95.172.226.96/27". Note that front-end themes and plugins often call wp-admin/admin-ajax.php, so that file may need to be exempted from the block.)
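The slide pairs fail2ban with IP-level blocking but does not show what the rule actually does. The Python below is an added example, not code from the talk or from fail2ban: it implements the same "maxretry failures within findtime seconds" logic over Apache access-log lines, which is what a fail2ban filter and jail for wp-login.php amount to. The log lines are constructed for the example; the detection relies on WordPress answering a failed POST to wp-login.php with a 200 (the form again) and a successful one with a 302 redirect. The resulting IP set is what you would feed into the Deny/Require rules above or into iptables.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop ?redirect_to=... and similar
        "status": int(m["status"]),
    }


def is_failed_login(entry):
    """WordPress re-renders the login form (200) on failure and redirects (302) on success."""
    return (entry["method"] == "POST"
            and entry["path"].endswith("/wp-login.php")
            and entry["status"] == 200)


def find_offenders(lines, maxretry=5, findtime=600):
    """fail2ban-style rule: an IP with `maxretry` failures inside a sliding window of
    `findtime` seconds is banned. Returns {ip: time of the failure that triggered it}."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_failed_login(entry) or entry["ip"] in banned:
            continue
        window = recent[entry["ip"]]
        window.append(entry["time"])
        while (entry["time"] - window[0]).total_seconds() > findtime:
            window.popleft()  # expire failures older than the window
        if len(window) >= maxretry:
            banned[entry["ip"]] = entry["time"]
    return banned


# Constructed sample log: 10.0.0.5 hammers the login form; 10.0.0.9 mistypes once, then succeeds.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Apr/2014:10:15:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2115 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Apr/2014:10:15:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Apr/2014:10:15:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Apr/2014:10:15:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Apr/2014:10:15:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Apr/2014:10:15:47 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Apr/2014:10:15:52 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Apr/2014:10:15:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Apr/2014:10:16:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"',
]
```

The sliding window is what distinguishes this from a naive counter: a user who fumbles a password a few times across the day never accumulates five failures inside ten minutes, while a scripted attack trips the threshold within seconds. Tune `maxretry` and `findtime` to your own traffic before enforcing the ban.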
  27. Mitigation - Social engineering
     - Don't populate "password hints"
     - Don't use real answers to "secret questions"
     - Become aware of back doors
     - Know the warning signs
     - Power of notifications
     - Avoid single points of failure
     - Multiple backups, multiple services
     - At least one backup offline
  28. Questions?
     Kieran O'Shea • kieran@kieranoshea.com • @kieranoshea • http://www.kieranoshea.com/
     Remember, WordCamp tweets archived here: https://wcuk.kieranoshea.com/tweets/
