www.planittesting.com
Security Implied
Ferdinand Hagethorn
fhagethorn@planittesting.com
@hagnf
© Planit Software Testing 1
Who is this Ferdinand?
Dutch
Degree in information engineering
Fan of Open Source, UNIX, Linux, and free beer
Since 2015: Security specialist for Planit Software Testing NZ
Worked for 9 years in the energy sector in the Netherlands:
• Solutions & IT Security Architect
• Business Analysis
• Data & Service Management
Resident “Hacker”, from Office to SCADA systems
Agenda
• Security & Risk
• Threats & Vulnerabilities
• What do we do now?
• Where can we improve?
What is security?
Definition: “The state of being free of danger or threat”
A process, not a product
Why “do” security?
To mitigate risk:
• Financial Risk
• Operational Risk
• Strategic Risk
• Reputation Risk
• Legal & Regulatory Compliance Risk
• Information Systems Risk
Enable business in a secure way
A threat becomes a risk if you are vulnerable to it
What is Risk?
Threat → Vulnerability → Risk
The threat you can’t influence; the vulnerability you can influence.
Security Risk calculation
ARO (Annual Risk Occurrence) × SLE (Single Loss Expectancy) = ALE (Annual Loss Expectancy)
Example:
• ARO: once every 4 years = 0.25/yr
• SLE: damage cost per occurrence = 50,000 NZD
• ALE: the risk would cost 12,500 NZD for the business annually
Let’s meet the threats
The Threat Curve ~ 2010
(Chart: Sophistication, low to high, plotted against Mass Targeting to Pinpoint Targeting)
“Type 1”: Script Kiddies, Lone Wolves, “Hacktivists”
“Type 2”: Organized Crime
“Type 3”: Nation States (Tier 2), Nation States (Tier 1)
Type 1: Script kiddie
Exploration, kudos, fun & games
Uses standard tools
Type 1: Lone Wolf
Type 1(?...): Hacktivists
Type 2: Organised crime
Ransomware & Spam
Type 3: Nation States (2012+)
Cyber weapons; Advanced Persistent Threat (APT)
A few interesting case studies
Case study: Stuxnet (Type 3)
Incident: January 2010, an “unnamed” nation state (or states) deployed a cyber weapon on the uranium enrichment plant of Iran, possibly injected via an infected USB stick.
Impact: Centrifuge crashes, disabled ability to enrich uranium.
Specifics: The cyber weapon Stuxnet used 4 zero days to dig deep into the control network and change the programming of the centrifuge controllers. The new programming disrupted the rotation while reporting stable rotation speeds, resulting in the crash of the centrifuges.
Lessons learned:
• Nation states have near unlimited resources
• Apply defence in depth
Source: https://en.wikipedia.org/wiki/Stuxnet
Case study: ISS Air gap bridged (Type 2)
Incident: August 2008, a virus intended to steal passwords and send them to a remote server infected laptops of the International Space Station (again).
Impact: Created a “nuisance” to noncritical space station laptops.
Specifics: Infection spread to more than one laptop; it could have spread via some sort of intranet or USB stick.
Lessons learned:
• Because of the human factor, no true air gap exists.
• Examples: VPN, thumb drives, wifi, CD/DVD (recordables)
Source: http://www.telegraph.co.uk/technology/3358263/Computer-virus-infects-International-Space-Station-laptops.html
Case study: The Target Hack (Type 2)
Incident: In 2013 hackers got in through a 3rd party – the airco maintenance company.
• Moved laterally through the Target networks
• Installed malware onto POS machines
Impact: 40 million credit card details stolen, plus 70 million addresses, phone numbers, and other pieces of personal information.
Specifics: Target Security saw it, but didn’t take action and ignored alarms. The malware used was “uninteresting and unsophisticated” according to Jim Walter, director of threat intelligence operations at security technology company McAfee: “COTS malware”.
Lessons learned: Don’t be stupid, respond to alerts!
Note: Only 31% of companies discover the breach themselves. For retailers it’s 5%.
Source: http://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data
More recently
2015: OPM (Office of Personnel Management)
• Data breach, APT, breached since March 2014
• Executed by: (most likely) Chinese army
• Impact: 41 million personnel records stolen
2015: Ashley Madison
• Data breach, SQL injection and other public exploits
• Executed by: Hacktivists “The Impact Team”
• Impact: Leaked 60GB of company data, emails, user details, documents
2014: Sony
• Data breach, various techniques
• Executed by: N. Korea (or disgruntled employee?)
• Impact: 100 Terabytes of data stolen, movies, emails, documents
7 Steps of Breach to Exfil
1. Reconnaissance
2. Initial Exploitation
3. Establish Persistence
4. Install tools
5. Move Laterally
6. Collect, Exfiltrate
7. Exploit access &/ data
Trends since 2000
Motives for hacking have changed
From: Demonstration of skills & exploration
To: Monetary gain & political power
Conclusion: Threats are a moving target; we can only observe and respond
The Threat Curve ~ 2010
(Chart repeated for comparison: Sophistication, low to high, against Mass Targeting to Pinpoint Targeting; “Type 1”: Script Kiddies, Lone Wolves, “Hacktivists”; “Type 2”: Organized Crime; “Type 3”: Nation States (Tier 2), Nation States (Tier 1))
The Threat Curve ~ now
(Chart: same axes, Sophistication low to high against Mass Targeting to Pinpoint Targeting; Type 1, Type 2 and Type 3 actors: Script Kiddies, Lone Wolves, “Hacktivists”, Organized Crime, Nation States (Tier 2), Nation States (Tier 1))
Observation: Less advanced adversaries now have access to very sophisticated malware
Exploits & the malware marketplace
Darkode market place
Worldwide: 700-800 hacker forums
July 2015: Darkode takedown
3 levels of trade on the black market:
• Skills: Top-end, highly skilled people
• Tools: Hack & deception tools
• Data: Personal data, stolen bank cards
The 0-day exploit black market prices
Source: http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
Several Bug Bounty Programmes
Facebook Whitehat Program
Bounty: $500 US minimum, no maximum
Google Vulnerability Reward Program (VRP)
Bounty: $100 US minimum, $20k US max
Yahoo Bug Bounty Program
Bounty: $100 US minimum, $20k US max
Mozilla Bug Bounty Program
Bounty: $500 US minimum, $3k US max
Microsoft Online Services Bug Bounty Program
Bounty: $500 US minimum, $100k maximum
But you don’t get money from:
• Adobe
• Apple
• eBay
• Deutsche Telekom
Microsoft 1st to be “on par”
Source: http://www.infosecurity-magazine.com/news/microsoft-doubles-defense-bug/
An expert exploit writer can make 10-100x as much on the black market vs bug bounties
What we can do
Software Development LifeCycle (SDLC)
Buy: COTS Software → Develop: custom code → (Pen) Testing & Integration → Deployment → Use → Decommissioning
What we do now
(Same SDLC chart: Buy: COTS Software → Develop: custom code → (Pen) Testing & Integration → Deployment → Use → Decommissioning)
Think about it
You have a building with 20 exterior doors
You secure 19 doors
Are you 95% secure?
What does a penetration tester test?
• Known vulnerabilities & configuration issues – often the OWASP Top 10
• Limited time & scope
• How good the penetration tester is
What is not tested?
• Secure Software Design & Development Lifecycle
• Security awareness of users & system administrators
• Patch & update mechanisms
• Secure solution integration
• Visibility of application functioning → breach detection quality
• Fail-safe functionality
• Intrusion detection, prevention, alerting, lateral movement
• Incident response processes
Tip for Pen-testing
The “Pivot-card”
Give the pen-tester a set number of “Pivot Cards”:
- based on real world value of 0-day exploits vs value of system
- can be reused for the same exploit to jump hosts
Goals:
- Inventory the impact of possible breach, lateral movement
- Check if alerting system will trigger
- Check response times of incident response process
- Test more in less time
Add security requirements
Add security visibility to the requirements:
• Set alarms for max number of records accessed per account/user
• Amount of data exchanged per hour/day
• Fail safe functionality
• Encryption standard
• Secure error logging
• Patch and Upgrade compatibility
• Legal compliance – Privacy act, Public Records Act, etc.
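As an added example (not from the slides or from Planit), here are the first two visibility requirements above, an alarm on records accessed per account and on data exchanged per hour, written as detection logic run over a constructed access log; the log format, the thresholds and the sample lines are assumptions made for this example:

```python
# Added example: alarm on records accessed per account and on bytes
# exchanged per clock hour. Log format, thresholds and sample lines are
# constructed for this example, not taken from any real system.
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: timestamp, account, records returned, bytes sent.
SAMPLE_LOG = """\
2016-03-01T09:00:12Z alice 25 51200
2016-03-01T09:05:40Z bob 10 20480
2016-03-01T09:07:03Z svc_export 900 4194304
2016-03-01T09:20:19Z alice 30 61440
2016-03-01T09:41:55Z svc_export 2500 83886080
2016-03-01T10:02:08Z bob 15 30720
"""

# Assumed thresholds; a real deployment would derive them from observed normal usage.
MAX_RECORDS_PER_ACCOUNT = 1000         # per account, over the whole log window
MAX_BYTES_PER_HOUR = 50 * 1024 * 1024  # 50 MiB across all accounts, per clock hour


def parse_log(text):
    """Parse lines of 'ISO-timestamp account records bytes' into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, records, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "records": int(records),
            "bytes": int(nbytes),
        })
    return events


def records_per_account(events):
    """Total records returned to each account."""
    totals = defaultdict(int)
    for e in events:
        totals[e["account"]] += e["records"]
    return dict(totals)


def bytes_per_hour(events):
    """Total bytes sent in each clock hour, keyed by 'YYYY-MM-DDTHH'."""
    totals = defaultdict(int)
    for e in events:
        totals[e["ts"].strftime("%Y-%m-%dT%H")] += e["bytes"]
    return dict(totals)


def alerts(events, max_records=MAX_RECORDS_PER_ACCOUNT, max_bytes=MAX_BYTES_PER_HOUR):
    """Return a sorted list of (rule, key, value) for every threshold breach."""
    found = []
    for account, n in records_per_account(events).items():
        if n > max_records:
            found.append(("records_per_account", account, n))
    for hour, b in bytes_per_hour(events).items():
        if b > max_bytes:
            found.append(("bytes_per_hour", hour, b))
    return sorted(found)


if __name__ == "__main__":
    # On the sample log this flags the bulk pull by svc_export and the 09:00 hour volume.
    for rule, key, value in alerts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {rule}: {key} = {value}")
```

The per-account cap catches a single account pulling far more records than its job needs, while the per-hour byte cap catches the aggregate volume even when it is spread over several accounts.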
The sooner a breach can be detected, the better the effects can be prevented
• Average detection now is after 6 months of the breach
• 31% of organisations in US find out themselves, in retail only 5%
• Time between compromise and exfiltration: minutes to a day
Remember: security is a chain
Security is a chain; it is only as strong as its weakest link. It is a process and a mind-set. More than conducting penetration tests following development, security should remain a priority for applications once already in production. After all, it is no longer a question of if you get hacked, but when.
Control types: Preventive, Deterrent, Detective, Corrective, Recovery, Compensation
This is why we focus on everything
Benefit from our extensive catalogue of security testing, bespoke consulting and training services to ensure the security of your applications, infrastructure and compliance with rules and regulations.
(Table of services; columns on the slide: Software, Infrastructure, Operational & Regulatory)
Testing:
• OWASP ASVS certification
• OWASP Top-10 test
• Code Audit
• Ethical hacking penetration test
• Vulnerability Assessment
• Verifying policy implementations
• Architecture design review
Consulting:
• Security in the SDLC
• Secure Coding principles
• Secure architecture principles
• Secure configuration benchmarks
• Configuration principles
• Secure architecture principles
• Security policy design
• Information Security Management System establishment
• Secure operating procedures
Training:
• Secure software development
• Secure engineering
• Security through architecture
• Defence in depth
• Introduction to information security
• Local and global standards (NZISM/ISO27001)
• The human firewall
Thank you
Further reading
Verizon Data Breach Investigations Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
IBM Ponemon Cost of Data Breach study: http://www-03.ibm.com/security/data-breach/
The Open Web Application Security Project (OWASP): https://www.owasp.org/

Things Behaving Badly, Security Implied (NZ Tech Day - Presentation 4)
