Alison Gianotto, a security and privacy advocate with extensive experience in IT and software development, discusses the escalation of cyber threats and the challenges in mitigating risks. The document highlights major data breaches, the complexity of cybersecurity strategies, and practical recommendations to improve security measures. Key suggestions include implementing risk matrices, simplifying systems, and leveraging automation and regular testing.

1. Alison Gianotto (aka “snipe”)WHO AM I?
• Former
agency
CTO/CSO
• Security
&
privacy
advocate
• 20
years
in
IT
&
so<ware
development
• Co-­‐author
of
a
few
PHP/MySQL
books
• Survivor
of
more
corporate
audits
than
I
care
to
remember
• @snipeyhead
on
TwiJer
1
dotScale
May
2014
-­‐
#dotScale

2. IT IS IMPOSSIBLE TO ANTICIPATE
EVERY RISK.
2
dotScale
May
2014
-­‐
#dotScale
Srsly.

3. IT IS INAPPROPRIATE TO MITIGATE
EVERY RISK.
3
dotScale
May
2014
-­‐
#dotScale
No, Srsly.

4. WHY PEOPLE HACK
4
• To
steal/sell
idenOOes,
credit
card
numbers,
corporate
secrets,
military
secrets
• Fun/Notoriety
• PoliOcal
(“HackOvism”)
• Revenge
• Blackhat
SEO
• ExtorOon/Ransomware
dotScale
May
2014
-­‐
#dotScale

5. MEGA BREACHES: RESULTING IN
PERSONAL DETAILS OF >= 10
MILLION IDENTITIES EXPOSED IN AN
INDIVIDUAL INCIDENT.
5
dotScale
May
2014
-­‐
#dotScale

6. THERE WERE EIGHT MEGA-
BREACHES IN 2013, COMPARED
WITH ONLY ONE IN 2012.
6
Source:
Symantec
Internet
Security
Threat
Report
2014
::
Volume
19,
Published
April
2014
+700%
dotScale
May
2014
-­‐
#dotScale

7. OCT 2013: ADOBE
EXPOSED CUSTOMER DATA, DEBIT/
CREDIT CARD NUMBERS, SOURCE
IMPACTED: 152 MILLION USERS
7
Source:
Symantec
Internet
Security
Threat
Report
2014
::
Volume
19,
Published
April
2014
dotScale
May
2014
-­‐
#dotScale

8. DEC 2013: TARGET
EXPOSED CUSTOMER DATA, DEBIT/
CREDIT CARD NUMBERS, PINS
IMPACTED: 110 MILLION USERS
8
Source:
Symantec
Internet
Security
Threat
Report
2014
::
Volume
19,
Published
April
2014
dotScale
May
2014
-­‐
#dotScale

9. BREACHGrowth
• credit card info
• birth dates
• government ID numbers
• home addresses
• medical records
• phone numbers
• financial informa9on
• email addresses
• login
• passwords
Data Stolen
9
232
552
0
100
200
300
400
500
600
2011
2013
Iden))es
Stolen
by
Year
(in
Millions)
Source:
Symantec
Internet
Security
Threat
Report
2014
::
Volume
19,
Published
April
2014
dotScale
May
2014
-­‐
#dotScale

10. 190,000
464,000
570,000
2011
2012
2013
ATTACKS
10
Source:
Symantec
Internet
Security
Threat
Report
2014
::
Volume
19,
Published
April
2014
Per Day
dotScale
May
2014
-­‐
#dotScale

11. SOMETIMES YOUR EFFORTS TO
MITIGATE RISK CAN INCREASE
YOUR ATTACK SURFACE.
11
dotScale
May
2014
-­‐
#dotScale
Because THAT’S fair.

12. DEFENSE IN DEPTH PROMISES
12
• MiOgates
single
points
of
failure.
(“Bus
factor”)
• Requires
more
effort
on
the
part
of
the
aJacker,
theoreOcally
exhausOng
aJacker
resources.
Except...
dotScale
May
2014
-­‐
#dotScale

13. DEFENSE IN DEPTH CHALLENGES
13
• Larger,
more
complicated
systems
are
harder
to
maintain.
• Can
lead
to
more
cracks
for
bad
guys
to
poke
at
• More
surfaces
that
can
get
be
overlooked
• The
bad
guys
have
nearly
limitless
resources.
We
don’t.
• AJacks
are
commodiOzed
now.
Botnets
for
$2/hour.
dotScale
May
2014
-­‐
#dotScale

14. HACKERS ARE NOT YOUR ONLY
PROBLEM.
14
dotScale
May
2014
-­‐
#dotScale
Sorry. :(

15. CIA
Confidentiality,
Integrity &
Availability
dotScale
May
2014
-­‐
#dotScale

16. CONFIDENTIALITY IS A SET OF
RULES THAT LIMITS ACCESS TO
INFORMATION
16
dotScale
May
2014
-­‐
#dotScale

17. INTEGRITY IS THE ASSURANCE
THAT THE INFORMATION IS
TRUSTWORTHY & ACCURATE.
17
dotScale
May
2014
-­‐
#dotScale

18. AVAILABILITY IS A GUARANTEE OF
READY ACCESS TO THE INFO BY
AUTHORIZED PEOPLE.
18
dotScale
May
2014
-­‐
#dotScale

19. APPSEC STRATEGY
PICK
TWO
19
ABSOLUTELY
F*CKED
UTTERLY
F*CKED
COMPLETELY
F*CKED
dotScale
May
2014
-­‐
#dotScale

20. CREATING A RISK MATRIX
20
• Type
of
resource
• Third-­‐Party
• Diagram
ID
• DescripOon
• Triggering
AcOon
• Consequence
of
Failure
• Risk
of
Failure
• Probability
of
Failure
• User
Impact
• Method
used
for
monitoring
this
risk
• Efforts
to
MiOgate
in
Case
of
Failure
• Contact
info
Grab
a
starter
template
here!
hJp://snipe.ly/risk_matrix
dotScale
May
2014
-­‐
#dotScale

21. 20 THINGS YOU CAN START
DOING TODAY.
21
Dooo eeeeeet.
dotScale
May
2014
-­‐
#dotScale

22. #1. CAPTURE ALL THE FLAGS!
22
dotScale
May
2014
-­‐
#dotScale

23. 23
• Strip
specific
messaging
from
login
forms.
• Use
solid
password+salOng
like
bcrypt.
• Implement
brute-­‐force
prevenOon
for
all
login
systems.
• Encrypt
everything,
where
feasible.
• Supress
debugging
and
server
informaOon
(language/
framework
versions,
web
server
versions,
stack-­‐traces,
etc.)
WHAT DEVS LEARN FROM CTF
dotScale
May
2014
-­‐
#dotScale

24. 24
dotScale
May
2014
-­‐
#dotScale

25. #2. START EVERY PROJECT
RISK-FIRST.
25
dotScale
May
2014
-­‐
#dotScale

26. #3. BUILD A CLEAR INVENTORY
OF SURFACE AREAS AND THEIR
VALUE.
26
dotScale
May
2014
-­‐
#dotScale

27. #4. RISK MATRIX FOR EVERY
MAJOR PROJECT OR PRODUCT.
27
dotScale
May
2014
-­‐
#dotScale

28. #5. KNOW WHAT HAPPENS
WHEN THIRD-PARTY SERVICES
FAIL.
28
dotScale
May
2014
-­‐
#dotScale

29. #6. TRUST YOUR GUT. WHEN
SOMETHING DOESN’T LOOK
RIGHT, IT PROBABLY ISN’T.
29
dotScale
May
2014
-­‐
#dotScale

30. #7. KEEP YOUR SYSTEMS AS
SIMPLE AS POSSIBLE.
30
dotScale
May
2014
-­‐
#dotScale

31. #8. INCREASED TRANSPARENCY
REDUCES RISK ACROSS
DEPARTMENTS.
31
dotScale
May
2014
-­‐
#dotScale

32. #9. GET TO KNOW YOUR USERS’
BEHAVIOR. BE SUSPICIOUS IF IT
CHANGES FOR NO REASON.
32
dotScale
May
2014
-­‐
#dotScale

33. #10. AUTOMATE EVERYTHING.
33
dotScale
May
2014
-­‐
#dotScale

34. #11. LOG (ALMOST) EVERYTHING.
KNOW WHERE YOUR LOGS ARE.
34
dotScale
May
2014
-­‐
#dotScale

35. #12. ALWAYS EMPLOY THE
PRINCIPLE OF “LEAST
PRIVILEGE”.
35
dotScale
May
2014
-­‐
#dotScale

36. #13. ONLY COLLECT THE DATA
YOU ABSOLUTELY NEED.
36
dotScale
May
2014
-­‐
#dotScale

37. #14. IMPLEMENT TWO-FACTOR
AUTHENTICATION. IT’S EASIER
THAN YOU THINK.
37
dotScale
May
2014
-­‐
#dotScale

38. #15. CREATE A DATA RECOVERY
PLAN AND TEST IT. NO, REALLY.
TEST IT. MORE THAN ONCE.
38
dotScale
May
2014
-­‐
#dotScale

39. #16. MOAR PAPERWORK!
39
dotScale
May
2014
-­‐
#dotScale

40. #17. LEVERAGE BUILT-IN
VALIDATION/SANITIZATION
FROM FRAMEWORKS.
40
dotScale
May
2014
-­‐
#dotScale

41. #18. PERFORM REGULAR WHITE-
BOX AND BLACK-BOX TESTING.
41
dotScale
May
2014
-­‐
#dotScale

42. #19. PAY ATTENTION TO YOUR
ALERTS.
42
dotScale
May
2014
-­‐
#dotScale

43. #20. BECOME A PASSIONATE
SECURITY AMBASSADOR FOR
YOUR USERS.
43
dotScale
May
2014
-­‐
#dotScale

44. Alison Gianotto (aka “snipe”)THANK YOU!
• @snipeyhead
on
TwiJer
• snipe@snipe.net
44
dotScale
May
2014
-­‐
#dotScale