Preventing Data Breaches
A Tour on Tightening Your Security Stance
Becca Petrin
She/Her
Software Engineer
Github: tyrannosaurus-becks
Today’s Topics
• Overview of Data Breaches
• Hands-On
  • Getting data through….
  • Common approaches
  • A platform-specific secrets manager
  • A cross-platform secrets manager
  • A dynamic secrets manager
  • Password-less authentication
• Imagining a Security Incident
• Preventing Insider Breaches
• Questions

Overview of Data Breaches
A History

The Breach               The Root Cause
2013: Edward Snowden     An insider
2014: Home Depot         Malware
2017: Equifax            Hackers
2018: Facebook           Hackers
2019: Capital One        Insider at AWS

Data Exfiltration
$150M per breach
$242 per record

Employee Fraud & Abuse
Costs 5% per Year
Let’s Prevent Some Breaches
• Make passwords hard to get
• Then make passwords die
• Then make passwords impossible to get
• Then figure it out if there’s a data breach happening anyways
Common Approaches
Pros
• Easy
• Cheap up front
• Instant access to passwords
Cons
• Too easy
• If breached, cost savings will be lost
• No tracking who’s viewed things
• Service must be offlined for password rotation
• Password leak means many instances and services offlined for password rotation

Hands-On: Platform-Specific Secrets Manager

Observability
• Cloudwatch - woo!
• But what if the password was leaked?
A Platform-Specific Secrets Manager
Pros
• Easy-ish
• Can use built-in identity
• Some automated password rotation
• More auditable
• Pay-as-you-go
Cons
• Another company has your secrets
• Password rotation isn’t easy
• Pay-as-you-go

Hands-On: A Cross-Platform Secrets Manager
Updating Our Code

# Log in to Vault with the student's static password, read a static secret, and connect with it.
import json
import requests
from psycopg2 import connect

vault = 'ec2-54-197-74-45.compute-1.amazonaws.com'
as_json = json.dumps({"password": "v7vf-swbiUYqB7MVzzMQ"})
response = requests.post("http://" + vault + ":8080/v1/auth/userpass/login/student", data=as_json)
resp_json = json.loads(response.content)
token = resp_json['auth']['client_token']
# The database password is a static secret stored at this path; it never changes unless someone rotates it.
response = requests.get("http://" + vault + ":8080/v1/datadogdash/postgres_creds", headers={'X-Vault-Token': token})
resp_json = json.loads(response.content)
password = resp_json['data']['password']
conn = connect('host=ec2-3-89-155-20.compute-1.amazonaws.com port=5432 dbname=dash user=student password=' + password)
cur = conn.cursor()
cur.execute("SELECT name FROM users WHERE ID=8364;")
print(cur.fetchone())
Observability
• Application logs
• Audit logs
• >100 performance-oriented metrics

A Cross-Platform Secrets Manager
Pros
• Cross-platform
• Can still use built-in identity
• Secrets only inside your company
• Encryption-as-a-service
Cons
• Self deploy
• Can be more complex
• Opaque pricing

Hands-On: A Dynamic Secrets Manager
The Enigma Machine
Vault
eydwYXNzd29yZCc6ICJhcHBsZXMifQ==  (base64 of {'password': "apples"})

Ellen
Bob

Web Worker 1: foo-username / bar-password
Web Worker 2: fizz-username / buzz-password
Web Worker 3: boom-username / hiss-password
Updating Our Code

# Log in to Vault, then ask the database secrets engine for a fresh, short-lived credential.
import json
import requests
from psycopg2 import connect

vault = 'ec2-54-197-47-181.compute-1.amazonaws.com'
as_json = json.dumps({"password": "personalpassword"})
response = requests.post("http://" + vault + ":8080/v1/auth/userpass/login/student", data=as_json)
resp_json = json.loads(response.content)
token = resp_json['auth']['client_token']
# Each read of the creds endpoint generates a new username/password pair with its own lease.
response = requests.get("http://" + vault + ":8080/v1/database/creds/my-role", headers={'X-Vault-Token': token})
resp_json = json.loads(response.content)
username = resp_json['data']['username']
password = resp_json['data']['password']
print('username: ' + username + ', password: ' + password)  # this changes every time you call the my-role endpoint! run this script twice!
conn_str = 'host=ec2-34-229-136-247.compute-1.amazonaws.com port=8080 dbname=dash user=' + username + ' password=' + password
conn = connect(conn_str)
cur = conn.cursor()
cur.execute("SELECT name FROM users WHERE ID=8364;")
print(cur.fetchone())
Observability
• Application logs
• Audit logs
• >100 performance-oriented metrics
• Identity system helps with attribution

Cross-Platform + Secret Rotation
Pros
• Easy automated password rotation
• The main approach is ephemeral usernames and passwords
Cons
• Attribution can be difficult
• Modern logging frameworks log faster than a username and password can disappear
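One mitigation for the logging con above, as an added example that is not taken from the deck, from Vault or from any logging framework: a `logging.Filter` that redacts the password wherever this deck's scripts would log it (a libpq connection string or a Vault JSON body) while keeping the username, so the line still supports attribution. The regexes and all sample values are constructed for this example.

```python
"""Keep dynamic credentials out of application logs while preserving the username."""
import io
import logging
import re

# "password=<value>" inside a libpq connection string (constructed pattern).
CONN_STR_RE = re.compile(r"(password=)\S+")
# '"password": "<value>"' inside a JSON body such as the userpass login payload.
JSON_RE = re.compile(r'("password"\s*:\s*")[^"]*(")')


def redact(text):
    """Replace the secret value in both forms, leaving the key and the rest of the line intact."""
    text = CONN_STR_RE.sub(r"\1[REDACTED]", text)
    return JSON_RE.sub(r"\1[REDACTED]\2", text)


class RedactSecrets(logging.Filter):
    """Render the record first, then scrub it, so '%s' arguments cannot smuggle a secret past the filter."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None          # already interpolated above
        return True


def demo():
    """Log a dynamic credential the way the deck's script prints it and return what was written."""
    buf = io.StringIO()
    logger = logging.getLogger("vault-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactSecrets())
    logger.addHandler(handler)

    # Constructed stand-ins for a Vault-issued lease; Vault's real values look different.
    username, password = "v-userpass-my-role-7kQ2x", "A1b2C3d4E5"
    conn_str = "host=db.example port=5432 dbname=dash user=%s password=%s" % (username, password)
    logger.info("connecting with %s", conn_str)
    logger.info("vault login body: %s", '{"password": "personalpassword"}')
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```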
Hands-On: Passwordless Authentication
App: Can I get some data please?
Database: Sure, if you can take the string “abcd”, hash it with your password, and tell me the correct result.
App: Hm, “abcd” and “mypassword” hashed are “806839236b1e9ddb”.
Database: Nailed it! You’re in!

But With Approzium….

App: Can I get some data please?
Database: Sure, if you can take the string “abcd”, hash it with your password, and tell me the correct result.
App (to Approzium): Yo, the database said to hash the pass with “abcd”, what’s the challenge response?
Approzium: Looks like it’s “806839236b1e9ddb”!
App (to the database): The challenge response is “806839236b1e9ddb”!
Database: Kazaam! You’re in!
Updating Our Code

# The app never sees a database password: the Approzium AuthClient answers the challenge on its behalf.
from approzium import AuthClient
from approzium.psycopg2 import connect

auth = AuthClient('54.160.35.66:8080', disable_tls=True)
conn = connect('host=52.5.163.43 port=8080 dbname=dash user=student', authenticator=auth)
cur = conn.cursor()
cur.execute("SELECT name FROM users WHERE ID=8364;")
print(cur.fetchone())
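The exchange above, modelled end to end as an added example (this is not Approzium's code, and not the real PostgreSQL MD5 or SCRAM exchange): the database issues a fresh challenge, the app relays it to an authenticator that holds the password and checks who is asking, and the database accepts each response once. The HMAC-SHA-256 response, the in-memory user table and the untrusted caller's ARN are assumptions constructed for illustration; the trusted ARN is the one from the deck's logs.

```python
"""Three-party challenge/response: database, app, authenticator."""
import hashlib
import hmac
import secrets


def compute_response(password, nonce):
    """'Hash the challenge with your password': HMAC-SHA-256 truncated to 16 hex chars (assumption)."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()[:16]


class Database:
    """Issues one-time challenges and checks responses; never receives the password over the wire."""

    def __init__(self, users):
        self._users = users            # username -> password (constructed; a real server stores a verifier)
        self._outstanding = {}         # username -> challenge not yet answered

    def challenge(self, username):
        nonce = secrets.token_hex(8)   # fresh per attempt, so a sniffed response is useless later
        self._outstanding[username] = nonce
        return nonce

    def verify(self, username, response):
        nonce = self._outstanding.pop(username, None)   # a challenge can be answered only once
        if nonce is None or username not in self._users:
            return False
        expected = compute_response(self._users[username], nonce)
        return hmac.compare_digest(expected, response)


class Authenticator:
    """Stand-in for the Approzium service: holds passwords, answers only attested identities."""

    def __init__(self, passwords, trusted_identities):
        self._passwords = passwords
        self._trusted = set(trusted_identities)
        self.audit_log = []            # the INFO/WARN lines the deck describes

    def answer(self, caller_identity, username, nonce):
        if caller_identity not in self._trusted:
            self.audit_log.append("WARN: rejected %s asking for %s" % (caller_identity, username))
            return None
        self.audit_log.append("INFO: verified %s" % caller_identity)
        return compute_response(self._passwords[username], nonce)


class App:
    """The web worker: knows its own identity, never holds the database password."""

    def __init__(self, identity, authenticator):
        self.identity = identity
        self._auth = authenticator
        self.last_response = None      # kept only so the demo can try to replay it

    def login(self, db, username):
        nonce = db.challenge(username)
        self.last_response = self._auth.answer(self.identity, username, nonce)
        if self.last_response is None:
            return False
        return db.verify(username, self.last_response)


def demo():
    """Run the three cases a defender cares about and return the outcomes."""
    trusted = "arn:aws:sts::733164497221:assumed-role/RoleForEC2Instances/i-04810e8b639073295"
    db = Database({"student": "mypassword"})
    authn = Authenticator({"student": "mypassword"}, [trusted])

    app = App(trusted, authn)
    legit = app.login(db, "student")                      # normal flow succeeds

    # Someone who sniffed the response sends it again: the challenge is already spent.
    replay = db.verify("student", app.last_response)

    # A caller without an attested identity (constructed ARN) asks the authenticator directly.
    stranger = App("arn:aws:iam::111111111111:user/unknown", authn)
    untrusted = stranger.login(db, "student")             # rejected, and a WARN line is logged

    return {"legit": legit, "replay": replay, "untrusted": untrusted,
            "audit_log": list(authn.audit_log)}


if __name__ == "__main__":
    for line in demo()["audit_log"]:
        print(line)
```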
Observability
• Explicitly security-oriented logs
  • Identity logged at INFO level
  • Suspicious activity logged at WARN level
• Explicitly security-oriented metrics
  • DOS
  • Fuzzing
  • Impersonation
  • Replay attacks
  • Sniffing

Password-less Authentication
Pros
• Can use built-in identity
• Pick your secrets manager
• The main approach is unleakable passwords
• Security-oriented observability at the forefront
• SDK
• Free extra layer to add
Cons
• Self deploy
• Can be more complex
• Dynamic secrets not yet supported

Imagining a Security Incident
A History

The Breach               The Root Cause
2013: Edward Snowden     An insider
2014: Home Depot         Malware
2017: Equifax            Hackers
2018: Facebook           Hackers
2019: Capital One        Insider at AWS
Scenario: Hackers
• Your company has a portal that people log into.
• You run it using a framework like Apache Struts, the Spring framework, Django, React, etc.
• A serious vulnerability is announced.
• An unauthenticated remote attacker begins exploiting the vulnerability by executing malicious code on affected instances (or containers).
• One of their first actions is planting a script on every instance (or container) that is executed every hour by a cron job; all it does is call out to somewhere to get arbitrary code and execute it.
• You install a patch or update to resolve the vulnerability.
Scenario: Hackers
The hacker snoops around on your instance and finds a configuration file like this:
APPROZIUM_URL=ec2-100-26-168-97.compute-1.amazonaws.com
APPROZIUM_PORT=8080
PG_URL=ec2-34-229-136-247.compute-1.amazonaws.com
PG_PORT=8080
PG_DB_NAME=dash
PG_USER_NAME=student
Hey, they’re using Approzium!

They Make Code Just Like Yours!!!

# The attacker's queries, run with the instance's own identity: list the application's tables, then read users.
from approzium import AuthClient
from approzium.psycopg2 import connect

auth = AuthClient('54.160.35.66:8080', disable_tls=True)
conn = connect('host=52.5.163.43 port=8080 dbname=dash user=student', authenticator=auth)
cur = conn.cursor()
cur.execute("SELECT * FROM pg_catalog.pg_tables WHERE schemaname != 'pg_catalog' AND schemaname != 'information_schema';")
cur.execute("SELECT * FROM users;")
print(cur.fetchone())
Yo, the database said to hash the pass with “efgh”, what’s the challenge response?
Yo, the database said to hash the pass with “ijkl”, what’s the challenge response?

Whether the request comes from your code or from the attacker’s, Approzium sees the same instance identity and writes the same log line:
INFO: verified arn:aws:sts::733164497221:assumed-role/RoleForEC2Instances/i-04810e8b639073295
INFO: verified arn:aws:sts::733164497221:assumed-role/RoleForEC2Instances/i-04810e8b639073295
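Added example, not from the deck: because the attacker's requests and yours produce identical `INFO: verified` lines, the identity alone cannot separate them, but behaviour can. This code parses the deck's log line with an assumed ISO-8601 timestamp prefix and flags any identity whose authentication rate jumps inside a sliding window; every sample line, the second role ARN and the WARN line are constructed.

```python
"""Rate-based anomaly detection over 'INFO: verified <arn>' log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed format: "<ISO-8601 timestamp> INFO: verified <arn>".
LOG_RE = re.compile(r"^(?P<ts>\S+) INFO: verified (?P<identity>arn:\S+)$")

INSTANCE_ROLE = "arn:aws:sts::733164497221:assumed-role/RoleForEC2Instances/i-04810e8b639073295"
OTHER_ROLE = "arn:aws:sts::733164497221:assumed-role/RoleForEC2Instances/i-0constructed2nd"  # constructed

# Constructed sample: workers authenticate a few times an hour, then at 10:00 a planted
# script on the first instance starts calling the authenticator every five seconds.
SAMPLE_LINES = [
    "2020-06-01T09:00:00 INFO: verified " + INSTANCE_ROLE,
    "2020-06-01T09:07:30 INFO: verified " + INSTANCE_ROLE,
    "2020-06-01T09:12:00 INFO: verified " + OTHER_ROLE,
    "2020-06-01T09:15:00 INFO: verified " + INSTANCE_ROLE,
    "2020-06-01T09:40:00 INFO: verified " + OTHER_ROLE,
] + [
    "2020-06-01T10:00:%02d INFO: verified %s" % (5 * i, INSTANCE_ROLE) for i in range(8)
] + [
    "2020-06-01T10:00:10 WARN: rejected arn:aws:iam::111111111111:user/unknown",  # not a verified line; skipped
]


def parse_verified(lines):
    """Return (timestamp, identity) for every 'verified' line; anything else is ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("identity")))
    return events


def find_bursts(lines, window_seconds=60, max_per_window=5):
    """Flag each identity that authenticates more than max_per_window times within any
    window_seconds span. Returns a list of (identity, window_start, count), one per identity."""
    by_identity = defaultdict(list)
    for ts, identity in sorted(parse_verified(lines)):
        by_identity[identity].append(ts)

    alerts = []
    for identity, stamps in by_identity.items():
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within window_seconds of stamps[end].
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_per_window:
                alerts.append((identity, stamps[start], end - start + 1))
                break          # one alert per identity per run is enough
    return alerts


if __name__ == "__main__":
    for identity, since, count in find_bursts(SAMPLE_LINES):
        print("ALERT: %d authentications by %s starting %s" % (count, identity, since.isoformat()))
```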
Preventing Insider Breaches

Strategies: You Should
• Provide a way for employees to share secret information securely
• Consider giving short-lived passwords
• Give the minimum access needed to perform a job
• Set minimum password complexity levels
• Include your whole organization
• Encrypt data at rest

Summary
There is no silver bullet.

Defense in Depth
Defense in depth is a concept used in information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited.

Questions?

More Related Content

What's hot

SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)Maarten Mulders
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat Security Conference
 
SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)Maarten Mulders
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the BadXavier Mertens
 
Persistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionPersistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionMaulikLakhani
 
Webinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlWebinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlSeveralnines
 
BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...
BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...
BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...BlueHat Security Conference
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
 
Open source security
Open source securityOpen source security
Open source securitylrigknat
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat Security Conference
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat Security Conference
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~5 6
 
Hollywood mode off: security testing at scale
Hollywood mode off: security testing at scaleHollywood mode off: security testing at scale
Hollywood mode off: security testing at scaleClaudio Criscione
 

What's hot (20)

SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural net
 
SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 
Persistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionPersistant Cookies and LDAP Injection
Persistant Cookies and LDAP Injection
 
Webinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlWebinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControl
 
BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...
BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...
BlueHat v18 || Badly behaving scripts - meet amsi script behavior instrumenta...
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Open source security
Open source securityOpen source security
Open source security
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, please
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
 
Onward15
Onward15Onward15
Onward15
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
 
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
 
Geth important commands
Geth important commandsGeth important commands
Geth important commands
 
Hollywood mode off: security testing at scale
Hollywood mode off: security testing at scaleHollywood mode off: security testing at scale
Hollywood mode off: security testing at scale
 

Similar to Preventing Data Breaches: How to Tighten Your Security Stance

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningSean Chittenden
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityCoverity
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
SE2016 Android Denis Zhuchinski "Ways of enhancing application security"
SE2016 Android Denis Zhuchinski "Ways of enhancing application security"SE2016 Android Denis Zhuchinski "Ways of enhancing application security"
SE2016 Android Denis Zhuchinski "Ways of enhancing application security"Inhacking
 
CQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesCQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesZuzannaKornecka
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsAleksandr Yampolskiy
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesLeo Loobeek
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ -  Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ -  Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisBGA Cyber Security
 
IDSECCONF2013 CTF online Write Up
IDSECCONF2013 CTF online Write Up IDSECCONF2013 CTF online Write Up
IDSECCONF2013 CTF online Write Up idsecconf
 

Similar to Preventing Data Breaches: How to Tighten Your Security Stance (20)

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first Security
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
Demystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchIDDemystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchID
 
SE2016 Android Denis Zhuchinski "Ways of enhancing application security"
SE2016 Android Denis Zhuchinski "Ways of enhancing application security"SE2016 Android Denis Zhuchinski "Ways of enhancing application security"
SE2016 Android Denis Zhuchinski "Ways of enhancing application security"
 
CQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesCQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slides
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ -  Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ -  Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
 
IDSECCONF2013 CTF online Write Up
IDSECCONF2013 CTF online Write Up IDSECCONF2013 CTF online Write Up
IDSECCONF2013 CTF online Write Up
 

Recently uploaded

costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Recently uploaded (20)

costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

Preventing Data Breaches: How to Tighten Your Security Stance

  • 1. Preventing Data Breaches: A Tour on Tightening Your Security Stance [slide 1]
  • 3. Today’s Topics [slide 3]
    • Overview of Data Breaches
    • Hands-On
    • Getting data through…
    • Common approaches
    • A platform-specific secrets manager
    • A cross-platform secrets manager
    • A dynamic secrets manager
    • Password-less authentication
  • 4. Today’s Topics [slide 4]
    • Imagining a Security Incident
    • Preventing Insider Breaches
    • Questions
  • 5. Overview of Data Breaches [slide 5]
  • 6. A History [slide 6]
    The Breach                 The Root Cause
    • 2013: Edward Snowden     An insider
    • 2014: Home Depot         Malware
    • 2017: Equifax            Hackers
    • 2018: Facebook           Hackers
    • 2019: Capital One        Insider at AWS
  • 10. Employee Fraud & Abuse Costs 5% per Year [slide 10]
  • 12. Let’s Prevent Some Breaches [slide 12]
    • Make passwords hard to get
    • Then make passwords die
    • Then make passwords impossible to get
    • Then figure it out if there’s a data breach happening anyway
  • 17. Common Approaches [slide 19]
    Pros
    • Easy
    • Cheap up front
    • Instant access to passwords
    Cons
    • Too easy
    • If breached, cost savings will be lost
    • No tracking who’s viewed things
    • Service must be offlined for password rotation
    • Password leak means many instances and services offlined for password rotation
  • 19. Observability [slide 21]
    • Cloudwatch - woo!
    • But what if the password was leaked?
  • 20. A Platform-Specific Secrets Manager [slide 22]
    Pros
    • Easy-ish
    • Can use built-in identity
    • Some automated password rotation
    • More auditable
    • Pay-as-you-go
    Cons
    • Another company has your secrets
    • Password rotation isn’t easy
    • Pay-as-you-go
  • 22. Updating Our Code [slide 24]
    import requests
    import json
    from psycopg2 import connect

    # Log in to Vault with the userpass auth method to get a client token
    vault = 'ec2-54-197-74-45.compute-1.amazonaws.com'
    as_json = json.dumps({"password": "v7vf-swbiUYqB7MVzzMQ"})
    response = requests.post("http://" + vault + ":8080/v1/auth/userpass/login/student", data=as_json)
    resp_json = json.loads(response.content)
    token = resp_json['auth']['client_token']

    # Read the static database password stored at datadogdash/postgres_creds
    response = requests.get("http://" + vault + ":8080/v1/datadogdash/postgres_creds", headers={'X-Vault-Token': token})
    resp_json = json.loads(response.content)
    password = resp_json['data']['password']

    # Connect to Postgres with the password fetched from Vault
    conn = connect('host=ec2-3-89-155-20.compute-1.amazonaws.com port=5432 dbname=dash user=student password=' + password)
    cur = conn.cursor()
    cur.execute("SELECT name FROM users WHERE ID=8364;")
    cur.fetchone()
  • 23. Observability [slide 25]
    • Application logs
    • Audit logs
    • >100 performance-oriented metrics
  • 24. A Cross-Platform Secrets Manager [slide 26]
    Pros
    • Cross-platform
    • Can still use built-in identity
    • Secrets only inside your company
    • Encryption-as-a-service
    Cons
    • Self deploy
    • Can be more complex
    • Opaque pricing
  • 28. [slide 30]
    Web Worker 1: foo-username / bar-password
    Web Worker 2: fizz-username / buzz-password
    Web Worker 3: boom-username / hiss-password
  • 29. Updating Our Code [slide 31]
    import requests
    import json
    from psycopg2 import connect

    # Log in to Vault with the userpass auth method to get a client token
    vault = 'ec2-54-197-47-181.compute-1.amazonaws.com'
    as_json = json.dumps({"password": "personalpassword"})
    response = requests.post("http://" + vault + ":8080/v1/auth/userpass/login/student", data=as_json)
    resp_json = json.loads(response.content)
    token = resp_json['auth']['client_token']

    # Ask the database secrets engine for a fresh, short-lived username and password
    response = requests.get("http://" + vault + ":8080/v1/database/creds/my-role", headers={'X-Vault-Token': token})
    resp_json = json.loads(response.content)
    username = resp_json['data']['username']
    password = resp_json['data']['password']
    print('username: ' + username + ', password: ' + password)
    # this changes every time you call the my-role endpoint! run this script twice!

    conn_str = 'host=ec2-34-229-136-247.compute-1.amazonaws.com port=8080 dbname=dash user=' + username + ' password=' + password
    conn = connect(conn_str)
    cur = conn.cursor()
    cur.execute("SELECT name FROM users WHERE ID=8364;")
    cur.fetchone()
  • 30. Observability [slide 32]
    • Application logs
    • Audit logs
    • >100 performance-oriented metrics
    • Identity system helps with attribution
  • 31. Cross-Platform + Secret Rotation [slide 33]
    Pros
    • Easy automated password rotation
    • The main approach is ephemeral usernames and passwords
    Cons
    • Attribution can be difficult
    • Modern logging frameworks log faster than a username and password can disappear
  • 33. Can I get some data please? [slide 35]
  • 34. Sure, if you can take the string “abcd”, hash it with your password, and tell me the correct result. [slide 36]
  • 35. Hm, “abcd” and “mypassword” hashed are “806839236b1e9ddb”. [slide 37]
  • 38. Can I get some data please? [slide 40]
  • 39. Sure, if you can take the string “abcd”, hash it with your password, and tell me the correct result. [slide 41]
  • 40. Yo, the database said to hash the pass with “abcd”, what’s the challenge response? [slide 42]
  • 44. Updating Our Code [slide 46]
    from approzium import AuthClient
    from approzium.psycopg2 import connect

    # The application holds no database password: the authenticator answers the
    # database's challenge on its behalf after verifying the instance identity
    auth = AuthClient('54.160.35.66:8080', disable_tls=True)
    conn = connect('host=52.5.163.43 port=8080 dbname=dash user=student', authenticator=auth)
    cur = conn.cursor()
    cur.execute("SELECT name FROM users WHERE ID=8364;")
    cur.fetchone()
  • 45. Observability [slide 47]
    • Explicitly security-oriented logs
      • Identity logged at INFO level
      • Suspicious activity logged at WARN level
    • Explicitly security-oriented metrics
      • DOS
      • Fuzzing
      • Impersonation
      • Replay attacks
      • Sniffing
  • 46. Password-less Authentication [slide 48]
    Pros
    • Can use built-in identity
    • Pick your secrets manager
    • The main approach is unleakable passwords
    • Security-oriented observability at the forefront
    • SDK
    • Free extra layer to add
    Cons
    • Self deploy
    • Can be more complex
    • Dynamic secrets not yet supported
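The exchange on slides 35 to 42, worked through as an added example that is not part of the deck or of Approzium: the database issues a challenge, the application forwards it to an authenticator that verifies the caller's identity and holds the password, and the application itself never sees the password. HMAC-SHA256, the identity strings and the in-memory password store are assumptions standing in for the real wire format.

```python
import hmac
import hashlib
import secrets

# Constructed demo of the password-less flow. PASSWORDS is known only to the
# database and the authenticator; the identity string is taken from the deck's
# log lines and the "other" identity in the test is made up.
PASSWORDS = {"student": b"mypassword"}
TRUSTED = {"arn:aws:sts::733164497221:assumed-role/RoleForEC2Instances/i-04810e8b639073295"}


def challenge_response(password, challenge):
    """Keyed hash of the challenge: proves knowledge of the password without sending it."""
    return hmac.new(password, challenge, hashlib.sha256).hexdigest()


class Database:
    def issue_challenge(self):
        return secrets.token_hex(4).encode()  # fresh nonce, like "abcd" on the slides

    def verify(self, user, challenge, response):
        expected = challenge_response(PASSWORDS[user], challenge)
        return hmac.compare_digest(expected, response)


class Authenticator:
    """Holds the password; computes responses only for verified caller identities."""
    def answer(self, caller_identity, user, challenge):
        if caller_identity not in TRUSTED:
            raise PermissionError("unverified identity: " + caller_identity)
        return challenge_response(PASSWORDS[user], challenge)


class Application:
    """Has an identity and an authenticator endpoint, but no password anywhere."""
    def __init__(self, identity, authenticator):
        self.identity, self.auth = identity, authenticator

    def login(self, db, user):
        challenge = db.issue_challenge()                         # "hash abcd with your password"
        response = self.auth.answer(self.identity, user, challenge)  # "what's the challenge response?"
        return db.verify(user, challenge, response)


def login_as(identity):
    """True if a caller presenting this identity can open a session as 'student'."""
    return Application(identity, Authenticator()).login(Database(), "student")


if __name__ == "__main__":
    print(login_as(next(iter(TRUSTED))))  # True
```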
  • 48. Imagining a Security Incident [slide 51]
  • 49. A History [slide 52]
    The Breach                 The Root Cause
    • 2013: Edward Snowden     An insider
    • 2014: Home Depot         Malware
    • 2017: Equifax            Hackers
    • 2018: Facebook           Hackers
    • 2019: Capital One        Insider at AWS
  • 50. Scenario: Hackers [slide 53]
    • Your company has a portal that people log into.
    • You run it using a framework like Apache Struts, the Spring framework, Django, React, etc.
    • A serious vulnerability is announced.
    • An unauthenticated remote attacker begins exploiting the vulnerability by executing malicious code on affected instances (or containers).
    • One of their first actions is planting a script on every instance (or container) that is executed every hour by a cron job; all it does is call out to somewhere to get arbitrary code, and execute it.
    • You install a patch or update to resolve the vulnerability.
  • 51. Scenario: Hackers [slide 54]
    The hacker snoops around on your instance and finds a configuration file like this:
      APPROZIUM_URL=ec2-100-26-168-97.compute-1.amazonaws.com
      APPROZIUM_PORT=8080
      PG_URL=ec2-34-229-136-247.compute-1.amazonaws.com
      PG_PORT=8080
      PG_DB_NAME=dash
      PG_USER_NAME=student
  • 53. They Make Code Just Like Yours!!! [slide 56]
    from approzium import AuthClient
    from approzium.psycopg2 import connect
    auth = AuthClient('54.160.35.66:8080', disable_tls=True)
    conn = connect('host=52.5.163.43 port=8080 dbname=dash user=student', authenticator=auth)
    cur = conn.cursor()
    cur.execute("SELECT * FROM pg_catalog.pg_tables WHERE schemaname != 'pg_catalog' AND schemaname != 'information_schema';")
    cur.execute("SELECT * FROM users;")
    cur.fetchone()
  • 54. [slide 57]
    Yo, the database said to hash the pass with “efgh”, what’s the challenge response?
    Yo, the database said to hash the pass with “ijkl”, what’s the challenge response?
  • 55. [slide 58]
    INFO: verified arn:aws:sts::733164497221:assumed-role/RoleForEC2Instances/i-04810e8b639073295
    INFO: verified arn:aws:sts::733164497221:assumed-role/RoleForEC2Instances/i-04810e8b639073295
  • 58. Strategies [slide 61]
    You should:
    • Provide a way for employees to share secret information securely
    • Consider giving short-lived passwords
    • Give the minimum access needed to perform a job
    • Set minimum password complexity levels
    • Include your whole organization
    • Encrypt data at rest
  • 60. There is no silver bullet. [slide 63]
  • 61. Defense in Depth [slide 64]
    Defense in depth is a concept used in information security in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited.
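The identical "verified" lines on slides 57 and 58 show that identity alone cannot separate the planted cron job from the real web worker, so detection has to come from behaviour. Added example, not from the deck or from Approzium: it parses constructed, timestamped versions of those log lines and flags an identity whose verification rate bursts above an assumed per-minute baseline; the timestamps, the window and the baseline are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one web worker authenticating once a minute, then the
# hourly cron job's loop authenticating five times in five seconds under the
# very same identity (the ARN is the one shown on slide 58; timestamps are made up).
ARN = "arn:aws:sts::733164497221:assumed-role/RoleForEC2Instances/i-04810e8b639073295"
SAMPLE_LOG = "\n".join(f"{ts} INFO: verified {ARN}" for ts in [
    "2020-07-20T10:00:00Z", "2020-07-20T10:01:00Z", "2020-07-20T10:02:00Z",  # legitimate cadence
    "2020-07-20T11:00:01Z", "2020-07-20T11:00:02Z", "2020-07-20T11:00:03Z",  # burst from the loop
    "2020-07-20T11:00:04Z", "2020-07-20T11:00:05Z",
])

LINE_RE = re.compile(r"^(\S+) INFO: verified (arn:aws:sts::\S+)$")


def parse(log):
    """Return (timestamp, identity) pairs for every 'verified' line in the log."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2)))
    return events


def burst_alerts(events, window=timedelta(seconds=60), max_per_window=3):
    """Return (identity, window_start, count) for each identity whose verifications
    inside one sliding window exceed the assumed baseline (first burst only)."""
    by_identity = defaultdict(list)
    for ts, ident in events:
        by_identity[ident].append(ts)
    alerts = []
    for ident, stamps in by_identity.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] >= window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count > max_per_window:
                alerts.append((ident, stamps[start], count))
                break
    return alerts


if __name__ == "__main__":
    for ident, when, count in burst_alerts(parse(SAMPLE_LOG)):
        print(f"WARN: {count} verifications for {ident} within 60s from {when.isoformat()}")
```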