The document discusses several common security myths and provides facts to debunk them. It addresses myths around the illusion of security provided by certain tools, the threat only coming from outside attackers, security being the sole responsibility of certain roles, and how completely trusting infrastructure, employees, and tools can be misplaced. It highlights statistics around the frequency and costs of data breaches. The document also demonstrates pass-the-hash and crack-the-hash attacks and provides resources for staying up-to-date on security best practices and reports.
Security Myths and Facts in Today's IT World (Tudor Damian & Mihai Tataran)
1. Premium community conference on Microsoft technologies itcampro@ itcamp14#
Security Myths and Facts in Today's IT World
Tudor Damian
IT Solutions Specialist, Transcent
Microsoft MVP on Hyper-V
Tudor.Damian@transcent.ro – www.tudy.tel
Huge thanks to our sponsors & partners!
Agenda
• Some security myths
– The illusion of security
– The “outside” threat
– The policies
– The tools
– The trust
• Staying up to date
• A couple of useful resources
The illusion of Security
• It won’t happen to me
• We have [insert your favorite security feature here], so you know your data is safe
• Password expiration and complexity reduce risk
• Encrypting the data is enough to protect it
The illusion of Security (cont’d)
• 51% of respondents have had at least one web application security incident since the beginning of 2011. 18% of those respondents experienced losses of at least $500,000. 28% don’t know the cost of their breaches. (Forrester Research, 2012)
• “90% of businesses have been hacked at least once in 2010” (Ponemon Research, 2011; the study polled 583 U.S. companies from a wide variety of businesses, both private and government, ranging from small businesses with under 500 employees all the way to enterprises with more than 75,000 employees)
The “Outside” Threat
• The greatest security threats come from the Internet
• Our employees wouldn’t do such a thing
The “Outside” Threat (cont’d)
– “One in five workers (21%) let family and friends use company laptops and PCs to access the Internet” (McAfee)
– “One in ten confessed to downloading content at work they should not” (McAfee)
– “More than half (51%) connect their own devices or gadgets to their work PC... a quarter of whom do so every day” (McAfee)
– “39% of companies said insider negligence was the root cause of data breaches.” (Ponemon Research, 2011)
– “Six out of ten respondents blame ‘human error’ for their data security breaches, and 45% blame fraud and abuse by insiders, such as employees or contractors.” (Ponemon Research, 2011)
The Policies
• Moving the CISO outside of IT will automatically ensure good security
• Adhering to security practices is the CISO’s problem, not ours
• Let’s just get the policy in place and we should be good to go!
The Policies (cont’d)
• “5% have accessed areas of their IT system they shouldn’t have” (McAfee)
• 65% of employees have given out their password to colleagues. 75% of employees knew at least one of their colleagues’ passwords. 70% used the same password everywhere. (street study, London)
The Tools
• Buy [this tool] and it will solve all your problems
• Intrusion Detection is the wave of the future
• Biometrics will solve all access control problems
• Antivirus software will save me from viruses
The Tools (cont’d)
• “More than half (51%) had no idea how to update the anti-virus protection on their company PC” (McAfee)
• “Two thirds (62%) admitted they have a very limited knowledge of IT Security” (McAfee)
The Tools – “Open Source is safer”
• GnuTLS
– Undiscovered for 10 years
• Heartbleed
– Introduced in Dec ’11
– Released March ’12
– Fix released April ’14
• OAuth, OpenID
– Covert Redirect
http://www.pcworld.com/article/2105145/what-you-need-to-know-about-the-gnutls-linux-bug.html
http://heartbleed.com/
http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/
The trust
• Can I trust my infrastructure?
• Can I trust my contractors?
• Can I trust my service providers?
• Can I trust my employees?
• Can I trust myself?
• If yes, why?
Doing any shopping online?
• Late February - early March
• 230 million records
– customers’ names
– e-mail addresses
– encrypted passwords
– postal addresses
– phone numbers
– dates of birth
The Cost of Data Breaches
“Security Breaches cost $90 to $305 per lost record” (Forrester Research)
$197.5 average x 867,252,711 = $171,282,410,422.5
That’s over 300,000 x Lamborghini Aventador
The Cost of Data Breaches (cont’d)
• …or, if you used $5,000 Alienware laptops as bricks, you could build a 1.5m tall wall around Romania
Imagine this Software Company
• They run Windows AD
• They still have Windows XP/Vista/7/8 PCs & laptops
• Users/devs are local admins on their PC
• The sysadmins generally use their own Domain Admin credentials to log into servers/workstations
Pass-the-Hash attack mitigation
• Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques v1.1 (June 2013)
– http://www.microsoft.com/en-us/download/details.aspx?id=36036
• Configuring Additional LSA Protection in Windows 8.1
– http://technet.microsoft.com/en-us/library/dn408187.aspx
Crack-the-Hash, or Why LM Hashes are Bad™
DEMO
So, what about those hashes?
• During the PtH attack, we saw something like this:
Administrator:TRANSCENT:BFF196677961A037DB2294261F598B4C:FCE550E11EB2810882EADCBC48E27366
• Contents: USER:DOMAIN:LMHASH:NTHASH
• The part highlighted in red on the slide, the LM hash, is the fun one to deal with
What you need to know about LM hashes
The LM hash is computed as follows:
• Password restricted to 14 characters
• Converted to UPPERCASE
• Encoded in the System OEM Code Page
• Null-padded to 14 bytes
• The “fixed-length” password is split into two seven-byte halves
• Halves used to create two DES keys, one from each 7-byte half
– A null bit is inserted after every 7 bits (1010100 becomes 10101000)
– This generates the 64 bits needed for a DES key
• The two keys are used to DES-encrypt “KGS!@#$%”
– Result: two 8-byte ciphertext values
• Ciphertext values are concatenated to form a 16-byte value, the “LM hash”
• TL;DR - LM Hashes are a cracking heaven
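The steps above, carried out in Go with the standard library's crypto/des, as an added example that is not the speakers' demo code. It assumes an ASCII password (so the OEM code page step is a no-op), and adds the audit check an administrator cares about: the second half of the hash gives away any password of 7 characters or fewer before a single guess is made.

```go
package main

import (
	"crypto/des"
	"fmt"
	"strings"
)

const LMEmptyHalf = "AAD3B435B51404EE" // DES("KGS!@#$%") under the all-zero key: second half for any password of 7 chars or fewer

// desKeyFromSeven inserts a zero bit after every 7 bits (1010100 -> 10101000).
func desKeyFromSeven(k [7]byte) []byte {
	key := []byte{
		k[0] >> 1,
		(k[0]&0x01)<<6 | k[1]>>2,
		(k[1]&0x03)<<5 | k[2]>>3,
		(k[2]&0x07)<<4 | k[3]>>4,
		(k[3]&0x0F)<<3 | k[4]>>5,
		(k[4]&0x1F)<<2 | k[5]>>6,
		(k[5]&0x3F)<<1 | k[6]>>7,
		k[6] & 0x7F,
	}
	for i := range key {
		key[i] <<= 1 // the inserted (parity) bit stays zero
	}
	return key
}

// LMHash follows the slide's steps; assumption: ASCII password, so upper-casing is plain a-z to A-Z.
func LMHash(password string) string {
	var buf [14]byte // null-padded; copy() truncates to 14 bytes
	copy(buf[:], strings.ToUpper(password))
	var out [16]byte
	for h := 0; h < 2; h++ { // the two halves are hashed independently
		var k7 [7]byte
		copy(k7[:], buf[h*7:h*7+7])
		block, _ := des.NewCipher(desKeyFromSeven(k7)) // 8-byte key: no error
		block.Encrypt(out[h*8:h*8+8], []byte("KGS!@#$%"))
	}
	return fmt.Sprintf("%X", out[:])
}

// SevenOrFewer flags a hash whose password is at most 7 characters long.
func SevenOrFewer(lmHash string) bool {
	return len(lmHash) == 32 && lmHash[16:] == LMEmptyHalf
}

func main() {
	fmt.Println(LMHash("Password"), SevenOrFewer(LMHash("Password")))
}
```

Because of the upper-casing step, "Password" and "PASSWORD" produce the same hash, and the 14-character cap means everything after the 14th character is ignored.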
Security Awareness
• Security is all about people
• A healthy dose of paranoia is required
• Well prepared IT staff
• Regular security trainings for all employees
The Browser Wars (part 1) – malware detection
• 8 browsers
• 657 samples of socially engineered malware (SEM)
• Block rates ranged from 99.9% to 4.1%
https://www.nsslabs.com/reports/browser-security-comparative-analysis-report-socially-engineered-malware
Source: mobzine.ro
The Browser Wars (part 2) – Pwn2Own 2014
• Sandbox escapes or 3rd party code execution:
– IE 11 (W8.1 x64)
– Mozilla Firefox (W8.1 x64)
– Google Chrome (W8.1 x64)
– Adobe Flash (W8.1 x64)
– Adobe Reader XI (W8.1 x64)
– Apple Safari on Mac OS X Mavericks
• $850,000 total prize money, paid to eight entrants
www.pwn2own.com
Source: mobzine.ro
Microsoft Security Intelligence Report
http://www.microsoft.com/security/sir/
Verizon Data Breach Investigations Report (1)
• The 2012 Verizon DBIR found that
– 85% of breaches took weeks to discover
– 96% of breaches were not highly difficult
– 97% of breaches were avoidable through simple/intermediate controls
http://www.verizonenterprise.com/DBIR/2012/
• The 2014 DBIR report shows that 92% of the 100,000 incidents they’ve analyzed over the past 10 years can be described by just 9 basic patterns
http://www.verizonenterprise.com/DBIR/2014/
Verizon Data Breach Investigations Report (2)
Cisco 2014 Annual Security Report
https://www.cisco.com/web/offers/lp/2014-annual-security-report/
Other Sources
http://www.cvedetails.com/
http://www.mcafee.com/us/threat-center.aspx
http://www.kaspersky.com/internet-security-center
http://www.gartner.com/technology/core/products/research/topics/securityPrivacy.jsp
Enhanced Mitigation Experience Toolkit
http://technet.microsoft.com/en-us/security/jj653751
Microsoft Security Compliance Manager
http://technet.microsoft.com/en-us/library/cc677002.aspx