Alison Gianotto
@snipeyhead
SECURITY BOOTCAMP
FOR STARTUPS (and Small Businesses)
Alison Gianotto (aka “snipe”)
WHO AM I?
• Former agency CTO/CSO
• CTO of Anysha.re
• Creator of Snipe-IT FOSS project
• Security & privacy advocate
• 20 years in IT and software dev
• Co-author of a few PHP/MySQL books
• @snipeyhead on Twitter
DomCode 2016 - Utrecht - #DomCode16
WHAT IS RISK?
Risk is the combination of threat, vulnerability, and mission impact.
WHAT KINDS OF THREATS?
• Not always hackers
• Physical threats: natural disasters, such as flood, fire, earthquakes, etc.
• Logical threats: bugs in hardware, power failures
• Human threats: non-malicious and malicious threats, such as disgruntled employees and hackers
RISK TOLERANCE
If vulnerability is high, but mission impact is low, you can probably tolerate that risk.
ONE SIZE DOES NOT FIT ALL
Risk looks different for each organization.
IT IS IMPOSSIBLE TO ANTICIPATE OR MITIGATE EVERY RISK.
WHY SHOULD YOU CARE?
Security breaches cost a company reputation, money, time & trust.
Identity theft and security vulnerabilities affect the lives of real people - your users.
Source: Forbes Magazine, Aug 3, 2013
Source: BoingBoing - Nov 3, 2016
Even if your product can’t be weaponized, the data you store and the trust your users have in you can be.
GDPR (General Data Protection Regulation)
• Goes into effect 2018
• Could result in fines of €20m or 4% of your annual turnover, whichever is GREATER
In 2013, 61% of reported attacks targeted small and medium businesses, UP from 50% in 2012.
Source: Verizon Communications 2013 Data Breach Investigations Report
One study found that compromises of mid-size firms rose 64% from 2013 to 2014.
Source: Global State of Information Security Survey 2015
HOW?
Sometimes an attacker will use your product to gain information, sometimes they’ll use YOU.
And sometimes your users are the target, and sometimes your company is.
WAYS THEY USE YOUR PRODUCT
• Reflected XSS
• Persistent XSS
• CSRF
• SQL Injection
• Remote file inclusion
• Local file inclusion/directory traversal
• Defacement for SEO (pharma, etc)
• Privilege escalation
• Malware delivery
• Other stuff you know from OWASP
WAYS THEY USE YOU
• Stealing credentials from other websites, hoping you re-use passwords across sensitive systems
• Spear-phishing
• Watering hole attacks
• Social engineering
• Malware
• Insecure third-party vendors
DEFENSE IN DEPTH
• Mitigates single points of failure. (“Bus factor”)
• Requires more effort on the part of the attacker, theoretically exhausting attacker resources.
Except...
DEFENSE IN DEPTH CHALLENGES
• Larger, more complicated systems can be harder to maintain:
  • Leads to more cracks for bad guys to poke at
  • More surfaces that can be overlooked
• The bad guys have nearly limitless resources. We don’t.
• Attacks are commoditized now. Botnets for < $2/hour and Internet of Shit (Mirai DynDNS attack)
CIA
Confidentiality, Integrity & Availability
CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION
CONFIDENTIALITY EXAMPLES
• Passwords
• Data encryption (at rest and in transmission)
• Two-factor authentication or biometrics
• Corporate VPN
• IP Whitelisting
• SSH keys
CONFIDENTIALITY RISKS
• No brute-force detection
• No vetting of how third-party vendors use/store customer data
• Information leakage from login messages (timing attacks, etc.)
• SQL injection
• Privilege escalation leading to admin access
• Passwords shared across websites
• Improper disposal/destruction of personal data
• Lost/stolen devices
• Insider Threats
INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
INTEGRITY RISKS
• Data loss due to hardware failure (server crash!)
• Software bug that unintentionally deletes/modifies data
• Data alteration via authorized persons (human error)
• Data alteration via unauthorized persons (hackers)
• No backups or no way to verify the integrity of the backups you have
• Third-party vendor with inadequate security
• Insider Threats
AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
AVAILABILITY RISKS
• DDoS attacks
• Third-party service failures
• Hardware failures
• Software bugs
• Untested software patches
• Natural disasters
• Man-made disasters
• Insider Threats
Hmm… This looks familiar…
INSIDER THREATS
(Pie chart: 42% / 58%)
• Employees (33%)
• Ex-employees (7%)
• Customers, partners or suppliers (18%)
• Everything else
Source: Clearswift Report: The Enemy Within - Published May 2013
INSIDER THREATS
• Often very low-tech
• Sometimes malicious
• Sometimes accidental
• Theft/destruction of confidential information
• Sabotage
• Fraud
• Defacement
• DoS attacks
• Sometimes motivated by revenge
NOT ALL INSIDER THREATS ARE MALICIOUS, BUT THAT DOESN’T MAKE THEM LESS DANGEROUS.
APPLICATION SECURITY
77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
BREACH Growth
Data Stolen:
• credit card info
• birth dates
• gov ID numbers
• home addresses
• medical records
• phone numbers
• financial information
• email addresses
• login
• passwords
(Chart: Identities Stolen by Year (in Millions), 2011-2016*)
Source: Symantec Internet Security Threat Report 2014 / 2015
(Chart: Attacks Per Day, 2011-2016)
Source: Symantec Internet Security Threat Report 2014/2016
APPSEC STRATEGY
PICK TWO
(Diagram: all three choices are labelled COMPLETELY SCREWED)
WHAT CAN YOU DO?
STOP: Believing the lie that you’re too small to be a target. You’re not. I promise.
START: Evaluating the value of your assets. You have to know what you’re protecting.
VENDOR MANAGEMENT
START: Documenting ALL of your third-party vendors. Assess risk, and start a vendor management program.
START: Giving preference to third-party vendors that integrate with LDAP/AD/SSO.
START: Developing a risk matrix for every project. Keep it updated as new features are added.
RISK MATRIX:
• Type
• Third-Party
• Service Description
• Triggering Action
• Consequence of Service Failure
• Risk of Failure
• Probability of Failure
• User Impact of Failure
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info
Grab a starter template here! http://snipe.ly/risk_matrix
START: Giving preference to systems that allow you to show due diligence in the event of a breach.
POLICIES & PROCESS
START: Implementing policies of “least-privilege”.
START: Developing a Disaster Recovery Plan. TEST IT. (No, really, test it. Often.)
START: Developing an Incident Response Plan. Test it, and keep it updated.
START: Enabling (and requiring) two-factor authentication for everything.
START: Thinking about any ways a new security measure could actually weaken your security.
REMEMBER: If your new security policies get in the way of people getting work done, they will find a way around them.
START: Developing a formal procedure for handling exiting employees.
DATA HANDLING
STOP: Collecting data about users that you don’t ABSOLUTELY need right now.
START: Logging (almost) everything. Use a central logging server if you can.
START: Getting to know what “normal” user behavior looks like. Flag anything out of the ordinary.
START: Storing offline backups. Make sure you can restore from them successfully.
START: Encrypting EVERYTHING (where feasible) in transit and at rest. HTTPS ALL THE THINGS.
START: Testing that your deployment system can work if Github (or other third-party) is down.
DEV & OPS
START: Leveraging the built-in data sanitation/CSRF of your language frameworks.
START: Using prepared statements for your SQL. It’s 2016 already!
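The point of the prepared-statement slide, as an added example that is not from the talk: the same lookup built by string concatenation and with a bound parameter, run against a constructed in-memory SQLite table (table name, columns and the hostile input are all assumptions for the demo).

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_concat(conn: sqlite3.Connection, username: str):
    """The 'before': user input is spliced into the SQL text, so a quote in
    the input changes the meaning of the query instead of being data."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_prepared(conn: sqlite3.Connection, username: str):
    """The 'after': the query text is fixed and the value travels separately
    through a placeholder; quotes in the input stay plain characters."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"          # constructed input containing a quote
    print(lookup_concat(db, hostile))    # every row comes back
    print(lookup_prepared(db, hostile))  # no row matches that literal string
    print(lookup_prepared(db, "alice"))  # [('alice', 'admin')]
```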
START: Checking for debugging output that can disclose information that can make an attacker’s job easier.
STOP: Using MD5 for passwords!!!! Use a secure salt+hash like bcrypt.
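An added example (not from the talk) contrasting unsalted MD5 with a salted, deliberately slow password hash. The deck recommends bcrypt, which needs a third-party package; this block swaps in PBKDF2-HMAC-SHA256 from the standard library to show the same two properties, and the storage format, iteration count and sample password are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt here because it is in
# the standard library; the stored record format is made up for this demo.
ITERATIONS = 200_000

def md5_password(password: str) -> str:
    """The 'before': unsalted and fast. Every user with this password gets
    the same digest, and a leaked table can be cracked with lookup tables."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. Record: 'pbkdf2_sha256$iters$salt_hex$hash_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    check itself does not leak which byte differed (the login-message timing
    risk from the confidentiality slide)."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)

if __name__ == "__main__":
    # Two users pick the same password: MD5 makes that visible, the salted hash does not.
    print(md5_password("hunter2") == md5_password("hunter2"))   # True
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print(a == b)                                               # False
    print(verify_password("hunter2", a), verify_password("wrong", a))  # True False
```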
START: Looking critically at the complexity of your systems.
START: Implementing brute-force detection everywhere you can.
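One way to act on the brute-force detection slide and the earlier "log everything, flag what is not normal" slides, as an added example that is not from the talk: a sliding-window counter over constructed authentication log lines (the log format, addresses, threshold and window are all assumptions for the demo).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp result user source" format.
# One source hammers five different accounts in a few seconds; another fails
# twice, twenty minutes apart.
SAMPLE_LOG = """\
2016-11-03T10:00:01 FAIL    alice  203.0.113.7
2016-11-03T10:00:03 FAIL    alice  203.0.113.7
2016-11-03T10:00:04 FAIL    bob    203.0.113.7
2016-11-03T10:00:06 FAIL    carol  203.0.113.7
2016-11-03T10:00:07 FAIL    dave   203.0.113.7
2016-11-03T10:00:09 SUCCESS alice  198.51.100.2
2016-11-03T10:20:00 FAIL    erin   192.0.2.9
2016-11-03T10:40:00 FAIL    erin   192.0.2.9
"""

def parse(line: str):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user, src

def detect_bruteforce(log: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)):
    """Return (timestamp, source, failures) alerts. A source is flagged when
    its failed logins inside the sliding window first reach `threshold`;
    counting per source rather than per account also catches one address
    spraying many usernames."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    alerts = []
    for line in log.splitlines():
        ts, result, _user, src = parse(line)
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) == threshold:           # fires once per burst, not on every extra failure
            alerts.append((ts, src, len(q)))
    return alerts

if __name__ == "__main__":
    for ts, src, n in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts} brute-force suspected from {src}: {n} failures within 1 minute")
```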
STOP: Using production data in your test environments!
START: Getting your dev teams involved in Capture the Flag events. (They’re fun!)
START: Getting penetration tests and vulnerability assessments done.
START: Building automated scanners into your testing/Continuous Integration pipeline.
COMPANY CULTURE
START: Building a security-first culture. Make it part of your DNA.
START: Creating a company culture where your employees are encouraged to ask if they are suspicious.
REMEMBER:
“The security team says no because they are incorrectly held accountable for all flaws.”
— Michael Coates, CISO at Twitter, OWASP Global Board Member
START: Educating employees about social engineering tactics that can be used to gather data about your company.
STOP: Utilizing policies that punish employees for reporting incidents.
START: Becoming a passionate security ambassador for your users and your co-workers.
Alison Gianotto (aka “snipe”)
THANK YOU!
• @snipeyhead on Twitter
• snipe@snipe.net
Liked this talk? Leave feedback at http://snipe.ly/domcode16
CAPTURE ALL THE FLAGS!
• NotSoSecure CTF: http://ctf.notsosecure.com
• Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
• http://hax.tor.hu/
• https://pwn0.com/
• http://www.smashthestack.org/
• http://www.hellboundhackers.org/
• http://www.overthewire.org/wargames/
• http://counterhack.net/Counter_Hack/Challenges.html
• http://www.hackthissite.org/
• http://exploit-exercises.com/
• http://vulnhub.com/