LonestarPHP 2014 Security Keynote

CTO/Corporate Security Officer
Apr. 28, 2014

  1. Alison Gianotto @snipeyhead
  2. WHO AM I? Alison Gianotto (aka “snipe”)
     • Former agency CTO/CSO
     • Security & privacy advocate
     • 20 years in IT and software development
     • Co-author of a few PHP/MySQL books
     • Survivor of more corporate audits than I care to remember
     • @snipeyhead on Twitter
     Lonestar PHP - April 2014 - #lsp14
  3. WHAT SECURITY ISN’T
     1 Bolted on: You don’t add it on at the end.
     2 Compliance: You can be compliant and not secure. Just ask Target.
     3 A Single Person: Security is everyone’s responsibility.
     4 Outsourced: Throwing money at this problem won’t work.
  4. WHAT SECURITY ISN’T (continued)
     5 An Appliance: Firewalls and IDS are part of the solution, but not the end.
     6 Silver Bullet: There is no one thing. Defence in depth matters. Sort of.
     7 Straightforward: Sometimes implementing security tools increases your attack surface.
     8 Done: Security is where you start, not where you finish.
  5. WHAT RISK ISN’T
     1 Stifling: Managing risk doesn’t have to hinder innovation.
     2 Boring: Our job is finding creative solutions to problems. This is one more tool.
     3 Avoidable: Risk isn’t inherently bad. Not understanding your risk is.
     4 One Size: Acceptable risk to your company may not be the same as someone else’s.
  6. IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK. Srsly.
  7. DEFENSE IN DEPTH PROMISES
     • Mitigates single points of failure. (“Bus factor”)
     • Requires more effort on the part of the attacker, theoretically exhausting attacker resources.
     Except...
  8. DEFENSE IN DEPTH PROBLEMS
     • Larger, more complicated systems are harder to maintain.
     • Leads to more cracks for bad guys to poke at.
     • More surfaces that can be overlooked.
     • The bad guys have nearly limitless resources. We don’t.
     • Attacks are commoditized now. Botnets for $2/hour.
  9. CIA: Confidentiality, Integrity & Availability
  10. CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION.
  11. CONFIDENTIALITY EXAMPLES
     • Passwords. (boo!)
     • Data encryption (at rest and in transmission.)
     • Two-factor authentication/biometrics. (Yay!)
     • Corporate VPN
     • IP whitelisting
     • SSH keys
  12. CONFIDENTIALITY RISKS
     • No brute-force detection
     • No vetting of how third-party vendors use/store customer data
     • Information leakage from login messages (timing attacks, etc.)
     • SQL injection
     • Privilege escalation leading to admin access
     • Passwords shared across websites
     • Improper disposal/destruction of personal data
     • Lost/stolen devices
  13. INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
  14. INTEGRITY RISKS
     • Data loss due to hardware failure (server crash!)
     • Software bug that unintentionally deletes/modifies data
     • Data alteration via authorized persons (human error)
     • Data alteration via unauthorized persons (hackers)
     • No backups, or no way to verify the integrity of the backups you have
     • Third-party vendor with inadequate security
  15. AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
  16. AVAILABILITY RISKS
     • DDoS attacks
     • Third-party service failures
     • Hardware failures
     • Software bugs
     • Untested software patches
     • Natural disasters
     • Man-made disasters
  17. THINK YOU’RE TOO SMALL TO BOTHER WITH? Think again.
  18. WHY HACK?
     • To steal/sell identities, credit card numbers, corporate secrets, military secrets
     • Fun, excitement and/or notoriety
     • Political (“Hacktivism”)
     • Revenge
     • Blackhat SEO
     • Extortion/Ransomware
  19. COMMON ATTACKS
     • Reflected XSS
     • Persistent XSS
     • CSRF
     • SQL injection
     • Remote file inclusion
     • Local file inclusion/directory traversal
     • Hosting malware
     • Defacement for SEO (pharma, etc.)
     • Privilege escalation
  20. WHY MEEEEEEEEEEEE??
     • Users re-use passwords across websites
     • Watering hole attack
     • Low-hanging fruit
     • Assumed fewer defenses
     • To gain more information on users to execute spear-phishing attacks
     • Because you are vulnerable. Period.
  21. IN 2013, 61% OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012.
     Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  22. REFLECTED XSS (attack chain diagram): 1 Social engineering → 2 XSS → 3 Session hijack → 4 Pwned
  23. 77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.
     Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  24. MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.
  25. THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012. (+700%)
     Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  26. OCT 2013: ADOBE EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE. IMPACTED: 152 MILLION USERS.
     Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  27. DEC 2013: TARGET EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS. IMPACTED: 110 MILLION USERS.
     Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  28. BREACH GROWTH
     Data stolen: credit card info • birth dates • government ID numbers • home addresses • medical records • phone numbers • financial information • email addresses • login • passwords
     Chart, identities stolen by year (in millions): 2011: 232; 2013: 552.
     Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  29. ATTACKS PER DAY (chart): 2011: 190,000; 2012: 464,000; 2013: 570,000.
     Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
  30. APPSEC STRATEGY: a “pick two” triangle, with every corner labelled COMPLETELY BONED.
  31. CREATING A RISK MATRIX
     Columns: Type • Third-Party • Dataflow diagram ID • Description • Triggering Action • Consequence of Service Failure • Risk of Failure • User Impact • Method used for monitoring this risk • Efforts to Mitigate in Case of Failure • Contact info
     Grab a starter template here! http://snipe.ly/risk_matrix
  32. 29 THINGS YOU CAN START DOING TODAY. Dooo eeeeeet.
  33. 29 THINGS TO DO TODAY
     1. Start every project risk-first.
     2. Start using a risk matrix for every major project or product.
     3. Build a clear inventory of surface areas and their value. Get stakeholders involved.
     4. Make sure you understand what happens when third-party services fail or behave unexpectedly.
  34. 29 THINGS TO DO TODAY
     5. Trust your gut. If something doesn’t look right, it probably isn’t.
     6. Keep your systems as simple as possible. Document them.
     7. Favor self-documenting systems so that code, systems and docs don't fall out of sync.
     8. Increased transparency reduces risk across departments. Consider devops.
  35. 29 THINGS TO DO TODAY
     9. Don't abstract code/systems if you don’t have to. Premature optimization is the devil. Build light and refactor as needed.
     10. Get to know your users’ behavior. Use tools like Google Analytics and heat-mapping to understand what users do on your site. Be suspicious if it changes for no apparent reason.
  36. 29 THINGS TO DO TODAY
     11. Automate EVERYTHING (Chef, Vagrant, Ansible, Salt, Fabric, etc.)
     12. Log (almost!) EVERYTHING. Know where your logs are. Use a central logging server if at all possible.
     13. Always employ the principles of “least privilege.”
     14. Give preference to vendors that integrate with your AD/OD/LDAP.
  37. 29 THINGS TO DO TODAY
     15. Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)
     16. Create a Business Continuity Plan.
     17. Create an Incident Response Plan. Test it.
     18. Create a Disaster Recovery Plan. TEST IT. (Seriously.)
     19. Get your team to participate in at least one CTF every year.
  38. 29 THINGS TO DO TODAY
     20. Strip specific messaging from login forms.
     21. Use solid password hashing with salting, like bcrypt.
     22. Implement brute-force prevention for all login systems.
     23. Encrypt everything, where feasible.
     24. Only collect the data that you absolutely need.
     25. Implement two-factor authentication. It’s easier than you think.
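Items 20 to 22 above in working PHP, as an added example that is not from the talk: a login handler that returns one generic failure message, hashes with bcrypt via password_hash()/password_verify(), and locks an account after repeated failures. It assumes PHP 7+ and a hypothetical in-memory $users array standing in for the database.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory user store (constructed sample); a real app keeps these columns in its database.
$users = [
    'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_BCRYPT), 'failures' => 0, 'locked_until' => 0],
];

const MAX_FAILURES  = 5;    // item 22: lock the account after this many consecutive failures
const LOCKOUT_SECS  = 900;  // 15-minute lockout
const GENERIC_ERROR = 'Invalid username or password.'; // item 20: one message for every failure

// Verifying against a dummy bcrypt hash when the username is unknown keeps that path as slow
// as a real wrong-password check, so response time does not reveal which usernames exist.
$dummyHash = password_hash('not-a-real-password', PASSWORD_BCRYPT);

function attemptLogin(array &$users, string $username, string $password, string $dummyHash, int $now): array
{
    $record = $users[$username] ?? null;
    if ($record !== null && $record['locked_until'] > $now) {
        return ['ok' => false, 'message' => GENERIC_ERROR]; // locked, but say nothing different
    }

    // password_verify() runs on every request, even for unknown users (see $dummyHash above).
    $verified = password_verify($password, $record['hash'] ?? $dummyHash) && $record !== null;
    if ($verified) {
        $users[$username]['failures'] = 0;
        $users[$username]['locked_until'] = 0;
        if (password_needs_rehash($record['hash'], PASSWORD_BCRYPT)) { // item 21: keep the cost current
            $users[$username]['hash'] = password_hash($password, PASSWORD_BCRYPT);
        }
        return ['ok' => true, 'message' => 'Welcome.'];
    }

    if ($record !== null && ++$users[$username]['failures'] >= MAX_FAILURES) {
        $users[$username]['locked_until'] = $now + LOCKOUT_SECS;
        $users[$username]['failures'] = 0;
        error_log("login lockout user={$username}"); // ship this to your central log server (item 12)
    }
    return ['ok' => false, 'message' => GENERIC_ERROR];
}

// Constructed demo: five wrong guesses lock alice, so the correct password is then rejected too.
$now = time();
for ($i = 0; $i < MAX_FAILURES; $i++) {
    attemptLogin($users, 'alice', 'wrong-guess', $dummyHash, $now);
}
var_dump(attemptLogin($users, 'alice', 'correct horse battery staple', $dummyHash, $now)['ok']);
```

The lockout counter is per account here; a real deployment also rate-limits per source IP and alerts on the lockout log line.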
  39. 29 THINGS TO DO TODAY
     26. Suppress debugging and server information (PHP versions, Apache versions).
     27. Leverage framework CSRF protection and data sanitization/validation.
     28. Perform regular penetration tests and vulnerability assessments.
     29. Become a passionate security ambassador for your users and co-workers.
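What the framework CSRF protection in item 27 has to get right, shown as an added PHP example that is not from the talk: a per-session synchronizer token issued from a CSPRNG, embedded as a hidden field, and checked with a constant-time comparison that fails closed. The helper names and the in-memory $session array (standing in for $_SESSION) are assumptions; PHP 7+ is required for random_bytes().

```php
<?php
declare(strict_types=1);

// Hypothetical synchronizer-token helpers operating on a $session array (e.g. $_SESSION).
// Framework CSRF middleware (item 27) does the same job; this shows what it must get right.
const CSRF_FIELD = '_csrf_token';

function csrfToken(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32)); // 256-bit CSPRNG token, one per session
    }
    return $session[CSRF_FIELD];
}

// Hidden field to drop into every state-changing form.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '">';
}

// Call before handling any POST: missing, non-string, or mismatched tokens all fail closed.
function csrfValid(array $session, array $post): bool
{
    $expected = $session[CSRF_FIELD] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given); // constant-time compare, not == or ===
}

// Constructed demo with an in-memory session instead of $_SESSION.
$session = [];
echo csrfField($session), "\n";
var_dump(csrfValid($session, [CSRF_FIELD => $session[CSRF_FIELD]])); // genuine form post
var_dump(csrfValid($session, [CSRF_FIELD => 'guessed']));           // forged post
var_dump(csrfValid($session, []));                                   // cross-site post with no token
```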
  40. CAPTURE ALL THE FLAGS!
     • NotSoSecure CTF: http://cx.notsosecure.com
     • Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
     • http://hax.tor.hu/
     • https://pwn0.com/
     • http://www.smashthestack.org/
     • http://www.hellboundhackers.org/
     • http://www.overthewire.org/wargames/
     • http://counterhack.net/Counter_Hack/Challenges.html
     • http://www.hackthissite.org/
     • http://exploit-exercises.com/
     • http://vulnhub.com/
  41. THANK YOU! Alison Gianotto (aka “snipe”)
     • @snipeyhead on Twitter
     • snipe@snipe.net