Download to read offline
More Related Content
![[Cisco Connect 2018 - Vietnam] Eric rennie sw cisco_connect](https://cdn.slidesharecdn.com/ss_thumbnails/ericrennieswciscoconnect-180504035433-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Secure from the start : The changing landscape
Secure from the start : The changing landscape
- 1. Welcome "In the wakeof the Heartbleed bug and a number of other high profile security related failures, we revisit the idea of making sure we’re ahead of the game, secure from the start" Kieran O'SheaSecure from the Start : The changing landscape Secure from the Start The changing landscape Kieran O'Shea kieran@kieranoshea.com • @kieranoshea • http://www.kieranoshea.com/
- 2. Overview Kieran O'Shea Motivationsfor this session Analysis on recent high profile issues Types of attack vectors Mitigation; config, tools, plugins & more Questions Secure from the Start : The changing landscape
- 3. Recent issues -Heartbleed Kieran O'Shea An OpenSSL exploit Heartbeat reply leaks data in memory Data acquired compromises security Secure from the Start : The changing landscape
- 4. Recent issues -Heartbleed Kieran O'SheaSecure from the Start : The changing landscape
- 5. Recent issues -Heartbleed Kieran O'SheaSecure from the Start : The changing landscape
- 6. Recent issues -Heartbleed Kieran O'Shea Fallout Recovery Secure from the Start : The changing landscape
- 7. Recent issues -Ransomware Kieran O'SheaSecure from the Start : The changing landscape Realintogive/Wikimedia Commons
- 8. Recent issues -Ransomware Kieran O'Shea Essentially blackmail Takes different forms Difficult to recover from Infection rates uncertain Millions made by criminals Secure from the Start : The changing landscape
- 9. Recent issues –Back doors Kieran O'SheaSecure from the Start : The changing landscape
- 10. Recent issues -Back doors Kieran O'SheaSecure from the Start : The changing landscape
- 11. Recent issues -Social Engineering Kieran O'Shea Should be considered a back door Password resets Security questions "Single Sign On" Secure from the Start : The changing landscape
- 12. Recent issues -Obscurity Kieran O'Shea When is security no security at all? When my hotel reservation is www.somehotel.com/reservation/12345 So the previous customer's must be... www.somehotel.com/reservation/12344 Secure from the Start : The changing landscape
- 13. Attack Vectors -Passwords Kieran O'Shea Exploitation of simple passwords Re-use of stolen credentials Brute force Is this your password? Secure from the Start : The changing landscape
- 14. Attack Vectors -Social Engineering Kieran O'Shea Probably our weakest link Guessable info overrides passwords Privileged users exploited Secure from the Start : The changing landscape
- 15. Attack Vectors -External Applications Kieran O'Shea Shared use servers amplify risk Exploiting the file system Taking advantage of firewall rules Piggy backing off API connectivity Secure from the Start : The changing landscape
- 16. Attack Vectors -Rogue Code Kieran O'Shea Does your theme footer look like this? Secure from the Start : The changing landscape
- 17. Attack Vectors -Rogue Code Kieran O'Shea When hackers get control Secure from the Start : The changing landscape
- 18. Attack Vectors -Rogue Code Kieran O'Shea When hackers really get control Secure from the Start : The changing landscape
- 19. Mitigation - Passwords KieranO'Shea Secure passwords, auto generated Avoid re-use between systems Secure from the Start : The changing landscape
- 20. Mitigation - Passwords KieranO'Shea Employ secure password storage Complex & differing passwords easier A variety of services exist, paid & free Single, secure, master password Secure from the Start : The changing landscape
- 21. Mitigation - TwoFactor Authentication Kieran O'Shea Something you have, something you know A variety of implementations Finger prints Smart cards Text Messages Paper based grids Good degree of separation required Extend to multi-factor authentication Secure from the Start : The changing landscape
- 22. Mitigation - OneTime Passwords Kieran O'Shea Reduces consequences of interception Remote verification of token Also provides two factor authentication Support for independent infrastructure Secure from the Start : The changing landscape
- 23. Mitigation - SSL KieranO'Shea Protects data in transit Consider what constitutes ”sensitive” Key & Signed certificate Available for free Beware revocation costs Enhance security with forward secrecy Remember client security too VPN S/MIME Don't settle for plain text Secure from the Start : The changing landscape
- 24. Mitigation - ExternalApplications Kieran O'Shea Minimise server sharing, VPS preferable If sharing, protect users from users Don't chmod 777 Sand box your code, e.g. suPHP Keep an eye on key file changes Consider onward security of allowed IPs Secure from the Start : The changing landscape
- 25. Mitigation - Plugins KieranO'Shea Two factor authentication (OTP) ✔ "YubiKey Plugin" (Henrik Schack) Modifications to files ✔ "WordPress File Monitor Plus" (Scott Cariss) Login attempts ✔ "Limit Login Attempts" (Johan Eenfeldt) Action logging ✔ "Audit Trail" (John Godley) More involved auditing ✔ "The Auditor" (interconnect/it) Secure from the Start : The changing landscape
- 26. Mitigation – Configuration KieranO'Shea Lock down powerful interfaces Work with minimum usable privileges Reduce brute force with fail2ban Block access at an IP level Maintain access by using a VPN # Define specific rules for the blog admin panel <Directory /home/kieran/public_html/wp-admin> Order Deny,Allow Deny from all Allow from 95.172.226.96/27 </Directory> Secure from the Start : The changing landscape
- 27. Mitigation – Socialengineering Kieran O'Shea Don't populate ”password hints” Don't use real ”secret questions” Become aware of back doors Know the warning signs Power of notifications Avoid single points of failure Multiple backups, multiple services At least one backup offline Secure from the Start : The changing landscape
- 28. Questions? Kieran O'Shea Kieran O'Shea• kieran@kieranoshea.com @kieranoshea • http://www.kieranoshea.com/ Remember, WordCamp tweets archived here: https://wcuk.kieranoshea.com/tweets/ Secure from the Start : The changing landscape