
dotScale 2014

CTF links:
NotSoSecure CTF: http://ctf.notsosecure.com
Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
http://hax.tor.hu/
https://pwn0.com/
http://www.smashthestack.org/
http://www.hellboundhackers.org/
http://www.overthewire.org/wargames/
http://counterhack.net/Counter_Hack/Challenges.html
http://www.hackthissite.org/
http://exploit-exercises.com/
http://vulnhub.com/

1. WHO AM I? Alison Gianotto (aka “snipe”)
   • Former agency CTO/CSO
   • Security & privacy advocate
   • 20 years in IT & software development
   • Co-author of a few PHP/MySQL books
   • Survivor of more corporate audits than I care to remember
   • @snipeyhead on Twitter
   dotScale May 2014 - #dotScale
2. IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK. Srsly.
3. IT IS INAPPROPRIATE TO MITIGATE EVERY RISK. No, srsly.
4. WHY PEOPLE HACK
   • To steal/sell identities, credit card numbers, corporate secrets, military secrets
   • Fun/notoriety
   • Political (“hacktivism”)
   • Revenge
   • Blackhat SEO
   • Extortion/ransomware
5. MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.
6. THERE WERE EIGHT MEGA-BREACHES IN 2013, COMPARED WITH ONLY ONE IN 2012. (+700%)
   Source: Symantec Internet Security Threat Report 2014, Volume 19, published April 2014
7. OCT 2013: ADOBE EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE. IMPACTED: 152 MILLION USERS.
   Source: Symantec Internet Security Threat Report 2014, Volume 19, published April 2014
8. DEC 2013: TARGET EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS. IMPACTED: 110 MILLION USERS.
   Source: Symantec Internet Security Threat Report 2014, Volume 19, published April 2014
9. BREACH GROWTH
   Data stolen: credit card info • birth dates • government ID numbers • home addresses • medical records • phone numbers • financial information • email addresses • login • passwords
   Identities stolen by year (in millions): 2011: 232; 2013: 552
   Source: Symantec Internet Security Threat Report 2014, Volume 19, published April 2014
10. ATTACKS PER DAY: 2011: 190,000; 2012: 464,000; 2013: 570,000
   Source: Symantec Internet Security Threat Report 2014, Volume 19, published April 2014
11. SOMETIMES YOUR EFFORTS TO MITIGATE RISK CAN INCREASE YOUR ATTACK SURFACE. Because THAT’S fair.
12. DEFENSE IN DEPTH PROMISES
   • Mitigates single points of failure. (“Bus factor”)
   • Requires more effort on the part of the attacker, theoretically exhausting attacker resources.
   Except...
13. DEFENSE IN DEPTH CHALLENGES
   • Larger, more complicated systems are harder to maintain.
   • Can lead to more cracks for bad guys to poke at
   • More surfaces that can get overlooked
   • The bad guys have nearly limitless resources. We don’t.
   • Attacks are commoditized now. Botnets for $2/hour.
14. HACKERS ARE NOT YOUR ONLY PROBLEM. Sorry. :(
15. CIA: Confidentiality, Integrity & Availability
16. CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION.
17. INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
18. AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
19. APPSEC STRATEGY: PICK TWO. ABSOLUTELY F*CKED / UTTERLY F*CKED / COMPLETELY F*CKED
20. CREATING A RISK MATRIX
   • Type of resource
   • Third-party
   • Diagram ID
   • Description
   • Triggering action
   • Consequence of failure
   • Risk of failure
   • Probability of failure
   • User impact
   • Method used for monitoring this risk
   • Efforts to mitigate in case of failure
   • Contact info
   Grab a starter template here! http://snipe.ly/risk_matrix
21. 20 THINGS YOU CAN START DOING TODAY. Dooo eeeeeet.
22. #1. CAPTURE ALL THE FLAGS!
23. WHAT DEVS LEARN FROM CTF
   • Strip specific messaging from login forms.
   • Use solid password hashing + salting like bcrypt.
   • Implement brute-force prevention for all login systems.
   • Encrypt everything, where feasible.
   • Suppress debugging and server information (language/framework versions, web server versions, stack traces, etc.)
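The login-form lessons on slide 23, worked into one handler as an added example (this is not code from the talk): a single generic error message whether the account exists, the password is wrong or the account is locked; salted password hashing with a tunable work factor (the standard-library scrypt KDF stands in for bcrypt so the block runs without third-party packages); per-account lockout after repeated failures; and a boundary wrapper that keeps exception detail in the server log instead of the response. The names (LoginService, handle_request), the thresholds and the sample account are illustrative assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# scrypt stands in for bcrypt so the example needs only the standard library.
# Memory cost is 128 * r * N bytes = 16 MiB at these parameters; raise N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAX_FAILURES = 5            # failed attempts before the account is locked (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # how long a lock lasts (assumed policy)
GENERIC_ERROR = "Invalid username or password."
GENERIC_FAULT = "Something went wrong. Please try again later."


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, tunable-cost hash; the parameters travel with the hash so they can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time; malformed records fail closed."""
    try:
        _, n, r, p, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, TypeError):
        return False


# Hash of a random value, checked against when the username is unknown, so that the
# response time does not reveal which accounts exist.
DUMMY_HASH = hash_password(os.urandom(16).hex())


@dataclass
class LoginService:
    users: Dict[str, str]                        # username -> stored hash
    now: Callable[[], float] = time.time         # injectable clock, so lockouts can be tested
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # username -> (count, locked_until)

    def is_locked(self, username: str) -> bool:
        return self.now() < self.failures.get(username, (0, 0.0))[1]

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        count, locked_until = self.failures.get(username, (0, 0.0))
        if self.now() < locked_until:
            # A locked account gets the same message as a bad password: no hint about why.
            return False, GENERIC_ERROR
        stored = self.users.get(username)
        ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
        if ok and stored is not None:
            self.failures.pop(username, None)
            return True, "OK"
        count += 1
        if count >= MAX_FAILURES:
            locked_until, count = self.now() + LOCKOUT_SECONDS, 0
        # Unknown usernames are counted too; in production this map needs bounding (e.g. a TTL cache).
        self.failures[username] = (count, locked_until)
        return False, GENERIC_ERROR


def handle_request(service: LoginService, username: str, password: str,
                   log: Callable[[str], None] = print) -> Tuple[bool, str]:
    """Failure detail goes to the server log; the client sees only a fixed message, never a stack trace."""
    try:
        return service.login(username, password)
    except Exception as exc:  # boundary handler: deliberately catches everything
        log(f"login handler error for user={username!r}: {exc!r}")
        return False, GENERIC_FAULT


if __name__ == "__main__":
    svc = LoginService(users={"alice": hash_password("correct horse battery staple")})
    print(handle_request(svc, "alice", "correct horse battery staple"))
    print(handle_request(svc, "alice", "wrong"))
    print(handle_request(svc, "mallory", "wrong"))   # same message as a wrong password for a real user
```

The three tuples printed at the bottom are indistinguishable to a caller except for the first, which is the point of the slide: a login form that tells you "no such user" or "account locked" is doing enumeration work for whoever is probing it.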
24. (slide has no text)
25. #2. START EVERY PROJECT RISK-FIRST.
26. #3. BUILD A CLEAR INVENTORY OF SURFACE AREAS AND THEIR VALUE.
27. #4. RISK MATRIX FOR EVERY MAJOR PROJECT OR PRODUCT.
28. #5. KNOW WHAT HAPPENS WHEN THIRD-PARTY SERVICES FAIL.
29. #6. TRUST YOUR GUT. WHEN SOMETHING DOESN’T LOOK RIGHT, IT PROBABLY ISN’T.
30. #7. KEEP YOUR SYSTEMS AS SIMPLE AS POSSIBLE.
31. #8. INCREASED TRANSPARENCY REDUCES RISK ACROSS DEPARTMENTS.
32. #9. GET TO KNOW YOUR USERS’ BEHAVIOR. BE SUSPICIOUS IF IT CHANGES FOR NO REASON.
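One way to act on #9 in code, as an added example that is not part of the talk: build a per-user baseline of country, client and login hour from successful logins in constructed log lines, then flag new events that break the pattern, or that belong to a user with no history at all. The log format, the field names, the two-hour tolerance and the sample addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed log format (constructed for this example):
# <ISO 8601 UTC> login user=<name> ip=<addr> cc=<country> ua=<client> result=ok|fail
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) login user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"cc=(?P<cc>[A-Z]{2}) ua=(?P<ua>\S+) result=(?P<result>ok|fail)$")
HOUR_TOLERANCE = 2  # hours either side of a usual login hour that still count as normal (assumed)

# Constructed history: alice logs in from France with Firefox mid-morning, bob from the US
# with Chrome mid-afternoon. The malformed line shows that unparseable input is skipped.
HISTORY = [
    "2014-05-01T09:02:11Z login user=alice ip=203.0.113.5 cc=FR ua=Firefox result=ok",
    "2014-05-02T10:15:40Z login user=alice ip=203.0.113.5 cc=FR ua=Firefox result=ok",
    "2014-05-03T11:48:03Z login user=alice ip=203.0.113.9 cc=FR ua=Firefox result=ok",
    "2014-05-01T14:30:00Z login user=bob ip=198.51.100.7 cc=US ua=Chrome result=ok",
    "2014-05-02T16:05:22Z login user=bob ip=198.51.100.7 cc=US ua=Chrome result=ok",
    "2014-05-02T16:06:00Z login user=bob ip=198.51.100.7 cc=US ua=Chrome result=fail",
    "this line is not a login record",
]
# Constructed new activity to score against that history.
NEW_EVENTS = [
    "2014-05-20T10:01:02Z login user=alice ip=203.0.113.5 cc=FR ua=Firefox result=ok",
    "2014-05-20T03:14:55Z login user=alice ip=192.0.2.44 cc=CN ua=curl result=ok",
    "2014-05-20T15:30:00Z login user=bob ip=198.51.100.7 cc=US ua=Chrome result=ok",
    "2014-05-20T15:31:00Z login user=carol ip=198.51.100.9 cc=US ua=Chrome result=ok",
]

Event = Dict[str, object]


def parse(line: str) -> Optional[Event]:
    """One log line to a dict, or None when the line does not match the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event: Event = dict(m.groupdict())
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return event


def build_baseline(events: Iterable[Event]) -> Dict[str, dict]:
    """Per user: the countries, clients and hours seen on successful logins."""
    base: Dict[str, dict] = defaultdict(lambda: {"cc": set(), "ua": set(), "hours": set()})
    for e in events:
        if e["result"] != "ok":
            continue  # failed attempts describe whoever is guessing, not the user; leave them out
        b = base[e["user"]]
        b["cc"].add(e["cc"])
        b["ua"].add(e["ua"])
        b["hours"].add(e["ts"].hour)
    return dict(base)


def off_hours(hour: int, usual: set) -> bool:
    """True when `hour` is more than HOUR_TOLERANCE from every usual hour (distance wraps at midnight)."""
    return all(min((hour - h) % 24, (h - hour) % 24) > HOUR_TOLERANCE for h in usual)


def detect(events: Iterable[Event], baseline: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (user, timestamp, reasons) for each event that breaks the user's pattern."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        stamp = e["ts"].isoformat()
        if b is None:
            alerts.append((e["user"], stamp, "no baseline for user"))
            continue
        reasons = []
        if e["cc"] not in b["cc"]:
            reasons.append(f"new country {e['cc']}")
        if e["ua"] not in b["ua"]:
            reasons.append(f"new client {e['ua']}")
        if off_hours(e["ts"].hour, b["hours"]):
            reasons.append(f"unusual hour {e['ts'].hour:02d}:00")
        if reasons:
            alerts.append((e["user"], stamp, "; ".join(reasons)))
    return alerts


def analyze(history: List[str], new_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Build the baseline from history, then score the new lines against it."""
    baseline = build_baseline(filter(None, map(parse, history)))
    return detect(filter(None, map(parse, new_lines)), baseline)


if __name__ == "__main__":
    for alert in analyze(HISTORY, NEW_EVENTS):
        print(*alert)
```

Run as-is, the block flags alice's 03:14 login from a new country with a new client and carol's login for having no history; alice's normal morning login and bob's afternoon login pass silently. A real deployment would persist the baseline, age it so genuine behaviour changes are learned, and route the alerts to wherever #19 ("pay attention to your alerts") is actually practised.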
33. #10. AUTOMATE EVERYTHING.
34. #11. LOG (ALMOST) EVERYTHING. KNOW WHERE YOUR LOGS ARE.
35. #12. ALWAYS EMPLOY THE PRINCIPLE OF “LEAST PRIVILEGE”.
36. #13. ONLY COLLECT THE DATA YOU ABSOLUTELY NEED.
37. #14. IMPLEMENT TWO-FACTOR AUTHENTICATION. IT’S EASIER THAN YOU THINK.
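Slide 37 says two-factor authentication is easier than you think; the added example below (not from the talk) backs that up by showing the whole TOTP mechanism of RFC 6238 in plain Python: the HOTP truncation from RFC 4226, the 30-second time step, a one-step window for clock skew, replay rejection by remembering the last counter accepted, and the otpauth URI an authenticator app enrols from. Function names are my own. The 20-byte ASCII secret is the RFC 6238 Appendix B test-vector secret, used so the codes can be checked against the published vectors; real enrolments use new_secret().

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length most authenticator apps expect


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of whole time steps since the Unix epoch."""
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: float, last_counter: Optional[int] = None,
                window: int = 1, digits: int = DIGITS,
                step: int = STEP_SECONDS) -> Tuple[bool, Optional[int]]:
    """Accept the current step and `window` steps either side (clock skew), but never a counter
    at or below the last one accepted, so a code seen once cannot be replayed.
    Returns (accepted, counter to persist as the user's new last_counter)."""
    if not (code.isdigit() and len(code) == digits):
        return False, last_counter
    current = int(at // step)
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, last_counter


def new_secret(nbytes: int = 20) -> bytes:
    """Per-user shared secret generated at enrolment; store it encrypted at rest."""
    return os.urandom(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that authenticator apps read from a QR code at enrolment."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). Only for checking the
# implementation against the published vectors; never use a fixed secret in production.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "ExampleCorp"))
    print("current code:", totp(RFC_SECRET, time.time()))
```

Everything a server needs is in the block: the secret, the current step counter and the last counter it accepted per user. The second factor adds nothing if the secret leaks alongside the password hashes, so the secret column deserves its own key and its own access path; and the verification window should stay small, because every extra step the server accepts is another 10^digits of guesses it is willing to check.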
38. #15. CREATE A DATA RECOVERY PLAN AND TEST IT. NO, REALLY. TEST IT. MORE THAN ONCE.
39. #16. MOAR PAPERWORK!
40. #17. LEVERAGE BUILT-IN VALIDATION/SANITIZATION FROM FRAMEWORKS.
41. #18. PERFORM REGULAR WHITE-BOX AND BLACK-BOX TESTING.
42. #19. PAY ATTENTION TO YOUR ALERTS.
43. #20. BECOME A PASSIONATE SECURITY AMBASSADOR FOR YOUR USERS.
44. THANK YOU! Alison Gianotto (aka “snipe”)
   • @snipeyhead on Twitter
   • snipe@snipe.net