Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)

Premium community conference on Microsoft technologies itcampro@ itcamp14#
Security Myths and Facts in
Today's IT World
Tudor Damian
IT Solutions Specialist, Transcent
Microsoft MVP on Hyper-V
Tudor.Damian@transcent.ro – www.tudy.tel

Huge thanks to our sponsors & partners!

• Some security myths
– The illusion of security
– The “outside” threat
– The policies
– The tools
– The trust
• Staying up to date
• A couple of useful resources
Agenda

SECURITY MYTHS

• It won’t happen to me
• We have [insert your favorite security feature
here], so you know your data is safe
• Password expiration and complexity reduces risk
• Encrypting the data is enough to protect it
The illusion of Security

• 51% of respondents have had at least one web
application security incident since the beginning of
2011. 18% of those respondents experienced losses
of at least $500,000. 28% don’t know the cost of
their breaches. (Forrester Research, 2012)
• “90% of businesses have been hacked at least once
in 2010” (Ponemon Research, 2011; the study polled
583 U.S. companies from a wide variety of
businesses, both private and government, and
ranging from small businesses with under 500
employees all the way to enterprises with more than
75000 employees)
The illusion of Security (cont’d)

• The greatest security threats come from the
Internet
• Our employees wouldn’t do such a thing
The “Outside” Threat

– “One in five workers (21%) let family and friends use
company laptops and PCs to access the Internet”
(McAfee)
– “One in ten confessed to downloading content at work
they should not” (McAfee)
– “More than half (51%) connect their own devices or
gadgets to their work PC... a quarter of who do so every
day” (McAfee)
– “39% of companies said insider negligence was the root
cause of data breaches.” (Ponemon Research, 2011)
– “Six out of ten respondents blame “human error” for
their data security breaches, and 45% blame fraud and
abuse by insiders, such as employees or contractors.”
(Ponemon Research, 2011)
The “Outside” Threat (cont’d)

• Moving the CISO outside of IT will automatically
ensure good security
• Adhering to security practices is the CISO’s
problem, not ours
• Let’s just get the policy in place and we should be
good to go!
The Policies

• “5% have accessed areas of their IT system they
shouldn’t have” (McAfee)
• 65% of employees have given out their
password to colleagues. 75% of employees
knew at least one of their colleagues’
passwords. 70% used the same password
everywhere. (street study, London)
The Policies (cont’d)

• Buy [this tool] and it will solve all your problems
• Intrusion Detection is the wave of the future
• Biometrics will solve all access control problems
• Antivirus software will save me from viruses
The Tools

• “More than half (51%) had no idea how to
update the anti-virus protection on their
company PC” (McAfee)
• “Two thirds (62%) admitted they have a very
limited knowledge of IT Security” (McAfee)
The Tools (cont’d)

• GnuTLS
– Undiscovered for 10 years
• Heartbleed
– Introduced in Dec ’11
– Released March ‘12
– Fix released April ‘14
• OAuth, OpenID
– Covert Redirect
The Tools – “Open Source is safer”
http://www.pcworld.com/article/2105145/what-you-need-to-know-about-the-gnutls-linux-bug.html
http://heartbleed.com/
http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/

• Can I trust my infrastructure?
• Can I trust my contractors?
• Can I trust my service providers?
• Can I trust my employees?
• Can I trust myself?
• If yes, why?
The trust

• Late February - early March
• 230 million records
– customers names
– e-mail addresses
– encrypted passwords
– e-mail addresses
– postal addresses
– phone numbers
– dates of birth
Doing any shopping online?

The Cost of Data Breaches
“Security Breaches cost $90 to $305 per lost record” (Forrester Research)
$197.5 average x 867,252,711 = $171,282,410,422.5
That’s over 300.000 x
Lamborghini Aventador

• …or, if you used $5.000 Alienware laptops as
bricks, you could build a 1.5m tall wall around
Romania
The Cost of Data Breaches (cont’d)

LET’S HAVE SOME FUN

• They run Windows AD
• They still have
Windows XP/Vista/7/8
PCs & laptops
• Users/devs are local
admins on their PC
• The sysadmins
generally use their
own Domain Admin
credentials to log into
servers/workstations
Imagine this Software Company

DEMO
Pass-the-Hash (PtH) attacks

• Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft
Techniques v1.1 (June 2013)
– http://www.microsoft.com/en-us/download/details.aspx?id=36036
• Configuring Additional LSA Protection in Windows 8.1
– http://technet.microsoft.com/en-us/library/dn408187.aspx
Pass-the-Hash attack mitigation

DEMO
Crack-the-Hash, or Why LM Hashes are Bad™

• During PtH attack, we saw something like this:
Administrator:TRANSCENT:BFF196677961A037DB2294261F598B4C:FCE550E11EB2810882EADCBC48E27366
• Contents: USER:DOMAIN:LMHASH:NTHASH
• The red part is fun to deal with 
So, what about those hashes?

The LM hash is computed as follows:
• Password restricted to 14 characters
• Converted to UPPERCASE
• Encoded in the System OEM Code Page
• Null-padded to 14 bytes
• The “fixed-length” password is split into two seven-byte halves
• Halves used to create two DES keys, one from each 7-byte half
– A null bit is inserted after every 7 bits (1010100 becomes 10101000)
– This generates the 64 bits needed for a DES key
• The two keys are used to DES-encrypt “KGS!@#$%”
– Result: two 8-byte ciphertext values
• Ciphertext values are concatenated to form a 16-byte value, “LM hash”
• TL;DR - LM Hashes are a cracking heaven 
What you need to know about LM hashes

STAYING UP-TO-DATE
Security reports

• Security is all about people
• A healthy dose of paranoia is required
• Well prepared IT staff
• Regular security trainings for all employees
Security Awareness

• 8 browsers
• 657 samples of socially engineered malware (SEM)
• Block rates ranged from 99.9% to 4.1%,
https://www.nsslabs.com/reports/browser-security-comparative-analysis-report-socially-engineered-malware
The Browser Wars (part 1) – malware detection
Source: mobzine.ro

• Sandbox escapes or 3rd party code execution:
– IE 11 (W8.1 x64)
– Mozilla Firefox (W8.1 x64)
– Google Chrome (W8.1 x64)
– Adobe Flash (W8.1 x64)
– Adobe Reader XI (W8.1 x64)
– Apple Safari on Mac OS X Mavericks
$850.000 total prize money, paid to eight entrants
www.pwn2own.com
The Browser Wars (part 2) – Pwn2Own 2014
Source: mobzine.ro

http://www.microsoft.com/security/sir/
Microsoft Security Intelligence Report

• The 2012 Verizon DBIR found that
– 85% of breaches took weeks to discover
– 96% of breaches were not highly difficult
– 97% of breaches were avoidable through
simple/intermediate controls
http://www.verizonenterprise.com/DBIR/2012/
• The 2014 DBIR report shows that 92% of
the 100.000 incidents they’ve analyzed
over the past 10 years can be described
by just 9 basic patterns
http://www.verizonenterprise.com/DBIR/2014/
Verizon Data Breach Investigations Report (1)

Verizon Data Breach Investigations Report (2)

Cisco 2014 Annual Security Report
https://www.cisco.com/web/offers/lp/2014-annual-security-report/

http://www.cvedetails.com/
http://www.mcafee.com/us/threat-center.aspx
http://www.kaspersky.com/internet-security-center
http://www.gartner.com/technology/core/products/research/topics/securityPrivacy.jsp
Other Sources

A COUPLE OF USEFUL RESOURCES

http://technet.microsoft.com/en-us/security/jj653751
Enhanced Mitigation Experience Toolkit

http://technet.microsoft.com/en-us/library/cc677002.aspx
Microsoft Security Compliance Manager

Q & A

Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (18)

Similar to Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)

Similar to Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran) (20)

More from ITCamp

More from ITCamp (20)

Recently uploaded

Recently uploaded (20)

Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)