BISC 2013: Hosting and security
Frank Louwers - Security challenges in a hosting environment - 20131024
Frank Louwers
Openminds bvba
Co-founder and COO
Managed Hosting
frank@openminds.be
DDoS attacks and how they have changed
(D)DoS attacks are not new
Used to be targeted at:
•Competing game clans
•IRC servers
•Political parties
DDoS attack shift
•“Occupy movement”: a lot of attacks on banks
•Political parties
•“companies and organisations with negative press”
(Monsanto, Press-agency of the Belgian Catholic Church, ...)
Attacks we can’t explain
•Radio Stations?!
•Software development companies
•B2B online shops?
DDoS attacks: new tricks
•Amplification attacks: the attacker sends a 2 Mbps stream of spoofed requests,
the reflector multiplies it by 20, and the victim receives a 40 Mbps attack
•Now multiply that by 100 bots: a 4 Gbps attack
•Badly configured DNS servers (open resolvers) are the usual reflectors
•DNSSEC makes the problem worse: signed responses are much larger, so the amplification factor grows
Protect against DDoS attacks
•UDP floods: yes, can be filtered or rate-limited by decent routers
•SYN floods: difficult: like a butcher handing out queue tickets to customers who
never come to the counter, the server reserves state for every half-open connection
•Huge amount of bandwidth: impossible: 100 000 cars on a road built for 100 cars
(only option: remove the road signs, i.e. withdraw the route or blackhole the target so the traffic never reaches you)
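The SYN-flood point above, as an added example that is not part of the original slides: a stateful backlog hands out a "ticket" (a half-open connection entry) for every SYN and fills up under a flood of spoofed SYNs, while a SYN cookie packs everything the server needs into the initial sequence number of its SYN-ACK, so nothing is stored until the client proves it can finish the handshake. The cookie layout (Bernstein-style: 5 bits of time slot, 3 bits of MSS index, 24-bit MAC), the MSS table, the secret and the addresses are assumptions for illustration; real stacks such as Linux use the same idea with a slightly different layout.

```python
"""SYN cookies: answer a SYN without keeping state for the half-open connection.

Added example, not from the original slides. Only the 4-tuple, sequence
numbers and MSS are modelled; the cookie layout (5 bits time slot, 3 bits
MSS index, 24-bit MAC), the MSS table, the time window and the secret are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import socket
import struct
from typing import Dict, Optional, Tuple

MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values the 3-bit index can encode (assumed)
COOKIE_PERIOD = 64                    # seconds per time slot; 5 bits -> 32 slots


def _mac(secret: bytes, saddr: str, sport: int, daddr: str, dport: int,
         slot: int, client_isn: int) -> int:
    """24-bit keyed tag over the 4-tuple, the time slot and the client ISN."""
    msg = struct.pack("!4sH4sHII", socket.inet_aton(saddr), sport,
                      socket.inet_aton(daddr), dport, slot, client_isn & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret: bytes, saddr: str, sport: int, daddr: str, dport: int,
                client_isn: int, mss: int, now: int) -> int:
    """Server ISN for the SYN-ACK. The server stores nothing."""
    slot = (now // COOKIE_PERIOD) & 0x1F
    idx = 0
    for i, m in enumerate(MSS_TABLE):       # largest table entry <= client's MSS
        if m <= mss:
            idx = i
    return (slot << 27) | (idx << 24) | _mac(secret, saddr, sport, daddr, dport, slot, client_isn)


def check_cookie(secret: bytes, saddr: str, sport: int, daddr: str, dport: int,
                 seq: int, ack: int, now: int, max_age_slots: int = 1) -> Optional[int]:
    """Validate the handshake's final ACK (seq = client ISN + 1, ack = cookie + 1).

    Returns the MSS to use for the new connection, or None if the cookie is
    forged, presented for a different 4-tuple, or older than max_age_slots.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    slot, idx = cookie >> 27, (cookie >> 24) & 0x7
    age = (((now // COOKIE_PERIOD) & 0x1F) - slot) & 0x1F   # modulo-32 distance
    if age > max_age_slots or idx >= len(MSS_TABLE):
        return None
    expected = _mac(secret, saddr, sport, daddr, dport, slot, (seq - 1) & 0xFFFFFFFF)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


class StatefulBacklog:
    """The classic approach: one entry per SYN, like a numbered ticket at the
    butcher. Spoofed SYNs take tickets and never come back, so the queue fills."""

    def __init__(self, size: int) -> None:
        self.size = size
        self.half_open: Dict[Tuple[str, int], int] = {}

    def on_syn(self, peer: Tuple[str, int], client_isn: int) -> bool:
        if len(self.half_open) >= self.size:
            return False                      # backlog full: SYN dropped
        self.half_open[peer] = client_isn
        return True

    def on_ack(self, peer: Tuple[str, int]) -> bool:
        return self.half_open.pop(peer, None) is not None


def flood_demo(backlog_size: int = 128, spoofed_syns: int = 10_000) -> Tuple[bool, Optional[int]]:
    """One real client arriving after a flood: (accepted with backlog, MSS with cookies)."""
    secret = b"per-server secret, rotate it"   # assumption
    now = 1_700_000_000
    backlog = StatefulBacklog(backlog_size)
    for i in range(spoofed_syns):               # spoofed sources never finish the handshake
        backlog.on_syn((f"198.18.{i >> 8}.{i & 255}", 1024 + i), 1)
    real = ("203.0.113.7", 51515)
    stateful_ok = backlog.on_syn(real, 1000) and backlog.on_ack(real)
    # Cookie path: nothing was stored during the flood, the ACK verifies on its own.
    isn = make_cookie(secret, real[0], real[1], "203.0.113.80", 80, 1000, 1460, now)
    mss = check_cookie(secret, real[0], real[1], "203.0.113.80", 80,
                       1001, (isn + 1) & 0xFFFFFFFF, now + 30)
    return stateful_ok, mss


if __name__ == "__main__":
    print(flood_demo())   # (False, 1460)
```

Two caveats a practitioner should keep in mind: a cookie can only carry what fits in 32 bits, so TCP options other than MSS (window scaling, SACK) are lost unless the stack recovers them from timestamps, and cookies do nothing at all against the bandwidth floods on the next bullet, which saturate the link before any packet reaches the server.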
Protection by external firms
•Good ones: very very very expensive (but they work!)
•Cheaper ones: no “unlimited” protection
•2013: large number of new cheap players
•Some of them Russian and very cheap
•Would you pay the attacker to block the attack?
Conclusion: “the new normal”
•DDoS attacks are here to stay
•Invest in tools to detect the attack
•Invest in procedures: know how to respond
•Get to know the external players
•Insurance? Some insurance companies cover this
About that firewall...
Or why your firewall isn’t going to help much (in a hosting environment)
Traditional big firewall is useless
•Will not protect you against 99.5% of the break-ins we see: they arrive as ordinary web traffic or valid logins that the firewall has to let through
•Bad code in CMS/websites (> 98%)
•Stolen credentials (harvested by spyware on customer PCs)
•Infected customer computers used as a launch platform
•Not flexible enough (cloud, scaling, ...)
•Unmaintainable, impossible to upgrade
We are under attack...
•All the time
•Every server
•Impossible to filter signal out of the noise
•Or at least very difficult
So what does work?
The Onion Model
Onion model
•Maintained website (ask for a maintenance contract)
•Written in the right mindset (“we will be attacked”)
•Small, efficient host-based firewalls
•Try to detect anomalies
•Force strong credentials or 2-factor authentication
•Make customers aware of the problems, teach them ...
•Know what happens on the network
... and automate
•The human factor is the weakest link
•So take the human factor out where possible
•Automate configuration management:
•Fewer mistakes
•Quickly apply a fix to a large number of servers
Hosting providers
and the law
Which laws?
Which laws apply?
•“The laws of the country where the server is located apply”
•“The laws of the country where the company's HQ is apply”
•But that’s not always the case!
Servers in Europe, US laws
•Amazon Ireland, Microsoft Azure Europe, Rackspace UK
•Are all American companies, or controlled by a US entity
•So they must follow US law!
•PATRIOT Act
•(so the FBI can get a copy of your data without a warrant)
Networks
•Almost all of the big networks are American
 • So assume “they” can read everything you put on the wire
 • So use good encryption or VPN links
•AMS-IX wanted to open a US branch
 • Huge concerns among its members!
Snowden and the NSA
•It has become clear that the NSA has access to a lot of data
•Why is there no real outrage?
•Do we really think this is “normal”? Do we accept this?
Laws that change everything
Latest proposal for an “Internet tap”:
•the coffee bar next door that offers free WiFi
•would be forced to buy a €25 000 tap box
•to allow the police to tap the “public network”
Laws that change everything
•Data-retention law:
•Vague: the “details” (in effect the entire law) are left to be filled in by Royal Decree (RD)
•Clearly targeted at the “small fish”
•A real criminal just rents a €30 dedicated server where no logs are kept
Laws that change everything
•A lot of “Notice and Take Down” proposals:
•They require us, as a hoster, to act as a judge.
•We are not judges, and don’t want to be!
•This changes the intent of the current law completely!
•“mere conduit” vs “judge”
