If security is hard,
you are doing it wrong
Fabio Alessandro Locati
AMSTERDAM 11-12 MAY 2016
Big corporations
Real Case - Situation
● A subsidiary IT system is breached (5-10 June 2014)
● The parent company commissions a security audit on the breached system (4 July)
● The audit report comes back (13 August):
  – It identifies an SQL injection bug in the application as the only cause of the attack
  – It suggests a few software updates
● The parent company imposes the updates on all subsidiaries (15 August)
Real Case - Corrective actions
● Update OpenSSL to 1.0.1g+ due to CVE-2014-0160 (Heartbleed)
● Update PHP to 5.5.12+ due to CVE-2014-0185 (privilege escalation)
● Update the kernel to 3.13.6+ due to CVE-2014-2523 & CVE-2014-0100 (DoS)
● We had OpenSSL 1.0.1e-16.15.el6; the bug was fixed in 1.0.1e-16.7.el6
● We had PHP 5.3.3-37.el6; the bug was only present in 5.5+
● We had kernel 2.6.32-497.el6; the bug was fixed in 2.6.32-279.el6
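The mismatch above comes from comparing distribution packages against upstream release numbers: an el6 package keeps its 1.0.1e base version while the fix is carried in the release part (16.7.el6), so the right reference is the vendor's fixed-in version, not upstream 1.0.1g. The following is an added example, not code from the talk, that implements rpm's version ordering in Python and applies it to the versions stated on the slide:

```python
import re

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Order two RPM version/release strings like rpm does: numeric segments as ints,
    alpha segments lexically, numeric beats alpha, leftover segments win ('~' not handled).
    Returns -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment counts as newer
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) != len(seg_b):
        return 1 if len(seg_a) > len(seg_b) else -1
    return 0

def compare_vr(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, release as tie-breaker."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_fixed(installed: str, fixed_in: str) -> bool:
    """True when the installed package is at or beyond the vendor's fixed-in version."""
    return compare_vr(installed, fixed_in) >= 0

def is_affected(installed: str, affected_from: str) -> bool:
    """True when the installed version is at or beyond the start of an affected range."""
    return compare_vr(installed, affected_from) >= 0

def audit_verdicts() -> dict:
    """Vendor-aware verdicts for the slide's three packages (True = nothing to update)."""
    return {
        # installed el6 package vs. the el6 package that carries the backported fix
        "openssl": is_fixed("1.0.1e-16.15.el6", "1.0.1e-16.7.el6"),
        "kernel": is_fixed("2.6.32-497.el6", "2.6.32-279.el6"),
        # CVE-2014-0185 is only present in 5.5+, so 5.3.3 is outside the affected range
        "php": not is_affected("5.3.3-37.el6", "5.5.0"),
    }

if __name__ == "__main__":
    print(audit_verdicts())  # {'openssl': True, 'kernel': True, 'php': True}
    # comparing the el6 package against the upstream number gives the audit's wrong answer
    print(is_fixed("1.0.1e-16.15.el6", "1.0.1g"))  # False
```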
Real Case - Considerations
● Pointless to close the stable door after the horse has bolted
● Security is a word, but its meaning is a whole world
  – Ask yourself what you are trying to achieve
  – Ask yourself the value of what you are protecting (for you and for others)
  – No money can buy a secure system
● There is no silver bullet in security
Built in vs Bolt on
Real Case - Situation
● SaaS company
● 50+ AWS EC2 instances (“classic”)
● A partner asks for PCI-DSS compliance within 3 months
Real Case - “Solution”
● Lock down all servers
● Creation of procedures for updates of the SaaS platform, including:
  – Regression tests
  – Security tests
● PCI-DSS certification
Real Case - Problems
● Unable to perform ordinary maintenance
● No automated tests were ready when they reached PCI-DSS compliance
● Average problem-solving time went from 30' to 8 hours (1600%)
● Average time between releases went from 2 days to 4.5 weeks (1575%)
Real Case - Considerations
● Always think about security before you start your next project
● Do not “drop in” security into software or infrastructure
● Do not rush to add security
● Use a configuration management system
● Design infrastructures that are safe(r) from the ground up
Trust but check
Real Case - Situation
# Flask login view: Flask-WTF form, Flask-Bcrypt password hashing
@app.route("/login", methods=["GET", "POST"])
def login():
    form = LoginForm()
    if form.validate_on_submit():
        user = User.query.get(form.email.data)
        if user:
            # the user is authenticated only when the bcrypt hash matches
            if bcrypt.check_password_hash(user.password, form.password.data):
                user.authenticated = True
    return render_template("login.html", form=form)
Real Case - Problem
if form.validate_on_submit():
user = User.query.get(form.email.data)
if user:
- if bcrypt.check_password_hash(user.password, form.password.data):
+ # if bcrypt.check_password_hash(user.password, form.password.data):
user.authenticated = True
return render_template("login.html", form=form)
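Review bot: the `+` line comments out the `bcrypt.check_password_hash` call but leaves `user.authenticated = True` in place, so after this change any submitted form with a known e-mail address is authenticated whatever the password. A diff touching an authentication check should not merge without review and a failing-path test in the pipeline (wrong password, unknown user); either restore the check so that `user.authenticated = True` stays nested under it, or remove the whole branch.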
Real Case - Considerations
● Use a version control system
● Implement a code-review system
● Implement an auto-deployment pipeline
● Put lots of tests in the pipeline
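The kind of test the last bullet asks for, written against the login logic of the previous slides as an added example (not from the talk): the password check is factored into a plain function so it runs without Flask, hashlib's PBKDF2 stands in for Flask-Bcrypt because bcrypt is a third-party package, and the tests cover the failure paths, which is exactly what commenting out the check breaks.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes
    authenticated: bool = False

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for bcrypt here: same role (slow, salted hash)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password_hash(stored: bytes, salt: bytes, candidate: str) -> bool:
    return hmac.compare_digest(stored, hash_password(candidate, salt))

def login(users: dict, email: str, password: str) -> bool:
    """Core of the view: authenticate only when the user exists AND the hash matches."""
    user = users.get(email)
    if user and check_password_hash(user.password_hash, user.salt, password):
        user.authenticated = True
        return True
    return False

def make_users() -> dict:
    # constructed fixture: one account with a known password
    salt = os.urandom(16)
    return {"alice@example.com": User("alice@example.com", salt, hash_password("correct horse", salt))}

# Pipeline tests: the failure paths are the ones that catch a removed check.
def test_correct_password_authenticates():
    users = make_users()
    assert login(users, "alice@example.com", "correct horse") is True
    assert users["alice@example.com"].authenticated is True

def test_wrong_password_is_rejected():
    users = make_users()
    assert login(users, "alice@example.com", "wrong") is False
    assert users["alice@example.com"].authenticated is False

def test_unknown_user_is_rejected():
    assert login(make_users(), "nobody@example.com", "correct horse") is False
```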
Containers
Real Case - Situation
● January 2015: company X deploys Docker in production
● February 2016: all applications use Docker (total: 327 different images)
● 1 March 2016:
  – OpenSSL releases 1.0.1s, containing:
    ● 1 high-severity security fix
    ● 5 low-severity security fixes
  – OpenSSL communicates that 1.0.1r (released on 28 January 2016) also contained:
    ● 1 high-severity security fix
    ● 1 moderate-severity security fix
Real Case - Situation
● Operating systems:
  – 62 RHEL 7
  – 53 CentOS 6
  – 47 CentOS 7
  – 44 RHEL 6
  – 24 Ubuntu 15.10
  – 21 Ubuntu 14.04
  – 19 Debian 8
  – 14 Fedora 22
  – 11 BusyBox 1.23
  – 11 Ubuntu 15.04
  – 9 BusyBox 1.24
  – 8 Fedora 23
  – 4 Debian 7
Real Case - Considerations
● Limit the number of images you base your systems on
● Only take future-proof images from trusted sources
● Keep track of what you deployed
● Don't forget the underlying infrastructure
● Containers do not contain (Dan Walsh)
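One way to put "keep track of what you deployed" and "limit the number of base images" into the pipeline, as an added example not from the talk: parse the FROM lines of the Dockerfiles in a repository, aggregate the base images the way the slide above does per OS, and flag any base outside an allowlist. The Dockerfiles and the allowlist below are constructed assumptions.

```python
import re
from collections import Counter

# FROM [--platform=<p>] <image>[:<tag>|@<digest>] [AS <stage>]
_FROM = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I | re.M)

def base_images(dockerfile: str) -> list:
    """External base images of a (possibly multi-stage) Dockerfile."""
    aliases, images = set(), []
    for image, alias in _FROM.findall(dockerfile):
        if image.lower() not in aliases:  # 'FROM builder' reuses a stage, not a new base
            images.append(image)
        if alias:
            aliases.add(alias.lower())
    return images

def repo_and_tag(image: str) -> tuple:
    """Split 'registry:port/repo:tag' or 'repo@digest' into (repo, tag-or-digest)."""
    name, _, digest = image.partition("@")
    path, _, last = name.rpartition("/")  # keeps a registry port out of the tag split
    repo, _, tag = last.partition(":")
    return (f"{path}/{repo}" if path else repo), (digest or tag or "latest")

def inventory(dockerfiles: dict, allowlist: set) -> tuple:
    """Count base images across all Dockerfiles; list those outside the allowlist."""
    counts = Counter()
    for content in dockerfiles.values():
        for image in base_images(content):
            counts[repo_and_tag(image)] += 1
    unapproved = sorted(key for key in counts if key not in allowlist)
    return counts, unapproved

DOCKERFILES = {  # constructed samples, one per service
    "api/Dockerfile": "FROM centos:7\nRUN yum -y install openssl\n",
    "web/Dockerfile": "FROM --platform=linux/amd64 debian:8 AS build\nRUN make\nFROM build\nCOPY . /srv\n",
    "cron/Dockerfile": "FROM ubuntu:15.10\n",
    "legacy/Dockerfile": "FROM centos\n",  # untagged: resolves to 'latest', not tracked
    "tools/Dockerfile": "FROM registry.example.com:5000/base/rhel7:2016.03\n",
}
ALLOWED = {("centos", "7"), ("debian", "8"), ("registry.example.com:5000/base/rhel7", "2016.03")}  # assumption

if __name__ == "__main__":
    counts, unapproved = inventory(DOCKERFILES, ALLOWED)
    print(counts)
    print("not on the allowlist:", unapproved)
```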
People
Real Case - Considerations
● People are unreliable
● Asking more means obtaining less
● People will always* try to take shortcuts
● People are cheap
● People are curious
Final considerations
● Security is a mindset
● Security is a word, but its meaning is a whole world (CIA model)
● Pointless to close the stable door after the horse has bolted
● Think about security before you start your next project
● Keep your environments clean
● Don't forget the underlying infrastructure
● People are often the weakest link of the chain
Thanks!
Fabio Alessandro Locati
Mail: me@fale.io
GPG key: 0xB2DC9C1B
All pictures belong
to their respective authors
AMSTERDAM 9-12 MAY 2016

If security is hard, you are doing it wrong - Fabio Locati - Codemotion Amsterdam 2016
