
Security Bootcamp for Startups and Small Businesses

Presented at DomCode 2016 (Utrecht, #DomCode16)

  1. SECURITY BOOTCAMP FOR STARTUPS (and Small Businesses). Alison Gianotto, @snipeyhead
  2. WHO AM I? Alison Gianotto (aka "snipe")
     • Former agency CTO/CSO
     • CTO of Anysha.re
     • Creator of the Snipe-IT FOSS project
     • Security & privacy advocate
     • 20 years in IT and software dev
     • Co-author of a few PHP/MySQL books
     • @snipeyhead on Twitter
     DomCode 2016 - Utrecht - #DomCode16
  4. WHAT IS RISK? Risk is the combination of threat, vulnerability, and mission impact.
  5. WHAT KINDS OF THREATS?
     • Not always hackers
     • Physical threats: natural disasters such as flood, fire, earthquakes, etc.
     • Logical threats: bugs in hardware, power failures
     • Human threats: non-malicious and malicious, such as disgruntled employees and hackers
  6. RISK TOLERANCE: If vulnerability is high but mission impact is low, you can probably tolerate that risk.
  7. ONE SIZE DOES NOT FIT ALL: Risk looks different for each organization.
  8. IT IS IMPOSSIBLE TO ANTICIPATE OR MITIGATE EVERY RISK.
  9. WHY SHOULD YOU CARE? Security breaches cost a company reputation, money, time & trust.
  10. WHY SHOULD YOU CARE? Identity theft and security vulnerabilities affect the lives of real people: your users.
  11. WHY SHOULD YOU CARE? (image) Source: Forbes Magazine, Aug 3, 2013
  12. WHY SHOULD YOU CARE? (image) Source: BoingBoing, Nov 3, 2016
  13. WHY SHOULD YOU CARE? Even if your product can't be weaponized, the data you store and the trust your users have in you can be.
  14. GDPR (General Data Protection Regulation)
     • Goes into effect in 2018 (applies from 25 May 2018)
     • Could result in fines of €20m or 4% of your annual worldwide turnover, whichever is GREATER
  15. In 2013, 61% of reported attacks targeted small and medium businesses, UP from 50% in 2012. Source: Verizon Communications 2013 Data Breach Investigations Report
  16. One study found that compromises of mid-size firms rose 64% from 2013 to 2014. Source: Global State of Information Security Survey 2015
  17. HOW? Sometimes an attacker will use your product to gain information, sometimes they'll use YOU.
  18. HOW? And sometimes your users are the target, and sometimes your company is.
  19. WAYS THEY USE YOUR PRODUCT
     • Reflected XSS
     • Persistent XSS
     • CSRF
     • SQL injection
     • Remote file inclusion
     • Local file inclusion / directory traversal
     • Defacement for SEO (pharma spam, etc.)
     • Privilege escalation
     • Malware delivery
     • Other stuff you know from OWASP
  20. WAYS THEY USE YOU
     • Stealing credentials from other websites, hoping you re-use passwords across sensitive systems
     • Spear-phishing
     • Watering hole attacks
     • Social engineering
     • Malware
     • Insecure third-party vendors
  21. DEFENSE IN DEPTH
     • Mitigates single points of failure (the "bus factor" applied to controls)
     • Requires more effort on the part of the attacker, theoretically exhausting attacker resources. Except...
  22. DEFENSE IN DEPTH CHALLENGES
     • Larger, more complicated systems can be harder to maintain: more cracks for bad guys to poke at, and more surfaces that can be overlooked
     • The bad guys have nearly limitless resources. We don't.
     • Attacks are commoditized now: botnets for under $2/hour, and the Internet of Shit (the October 2016 Mirai botnet attack on Dyn's DNS service)
  23. CIA: Confidentiality, Integrity & Availability
  24. CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION
  25. CONFIDENTIALITY EXAMPLES
     • Passwords
     • Data encryption (at rest and in transit)
     • Two-factor authentication or biometrics
     • Corporate VPN
     • IP whitelisting
     • SSH keys
  26. CONFIDENTIALITY RISKS
     • No brute-force detection
     • No vetting of how third-party vendors use/store customer data
     • Information leakage from login messages (a different error text or response time for a valid vs. an unknown username lets an attacker enumerate accounts; timing attacks, etc.)
     • SQL injection
     • Privilege escalation leading to admin access
     • Passwords shared across websites
     • Improper disposal/destruction of personal data
     • Lost/stolen devices
     • Insider threats
  27. INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
  28. INTEGRITY RISKS
     • Data loss due to hardware failure (server crash!)
     • Software bug that unintentionally deletes/modifies data
     • Data alteration by authorized persons (human error)
     • Data alteration by unauthorized persons (hackers)
     • No backups, or no way to verify the integrity of the backups you have
     • Third-party vendor with inadequate security
     • Insider threats
  29. AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
  30. AVAILABILITY RISKS
     • DDoS attacks
     • Third-party service failures
     • Hardware failures
     • Software bugs
     • Untested software patches
     • Natural disasters
     • Man-made disasters
     • Insider threats
     Hmm... this looks familiar...
  31. INSIDER THREATS (chart): 58% of incidents involved insiders: employees (33%), ex-employees (7%), customers, partners or suppliers (18%); everything else accounted for 42%. Source: Clearswift Report: The Enemy Within, published May 2013
  32. INSIDER THREATS (Source: Clearswift Report: The Enemy Within, published May 2013)
     • Often very low-tech
     • Sometimes malicious, sometimes accidental
     • Theft/destruction of confidential information
     • Sabotage
     • Fraud
     • Defacement
     • DoS attacks
     • Sometimes motivated by revenge
  33. NOT ALL INSIDER THREATS ARE MALICIOUS, BUT THAT DOESN'T MAKE THEM LESS DANGEROUS.
  34. APPLICATION SECURITY
  35. 77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY. Source: Symantec Internet Security Threat Report 2014, Volume 19, published April 2014
  36. BREACH GROWTH (chart: Identities Stolen by Year, in millions, 2011 to 2016*; the bar values present in the extracted text are 267, 412, 552, 554, 707 and 1,023, but their order along the year axis did not survive extraction). Data stolen: credit card info, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, email addresses, logins, passwords. Source: Symantec Internet Security Threat Report 2014 / 2015
  37. ATTACKS PER DAY (chart: years 2011, 2012, 2013, 2014 and 2016; values present in the extracted text are 190,000; 464,000; 500,000; 570,000 and 974,000, with the year-to-value mapping not recoverable). Source: Symantec Internet Security Threat Report 2014 / 2016
  38. APPSEC STRATEGY: PICK TWO (diagram: a "pick two" triangle in which every combination is labeled COMPLETELY SCREWED)
  39. WHAT CAN YOU DO?
  40. STOP: Believing the lie that you're too small to be a target. You're not. I promise.
  41. START: Evaluating the value of your assets. You have to know what you're protecting.
  42. VENDOR MANAGEMENT
  43. START: Documenting ALL of your third-party vendors. Assess risk, and start a vendor management program.
  44. START: Giving preference to third-party vendors that integrate with LDAP/AD/SSO.
  45. START: Developing a risk matrix for every project. Keep it updated as new features are added.
  46. RISK MATRIX:
     • Type
     • Third-Party
     • Service Description
     • Triggering Action
     • Consequence of Service Failure
     • Risk of Failure
     • Probability of Failure
     • User Impact of Failure
     • Method used for monitoring this risk
     • Efforts to Mitigate in Case of Failure
     • Contact info
     Grab a starter template here! http://snipe.ly/risk_matrix
  47. START: Giving preference to systems that allow you to show due diligence in the event of a breach.
  48. POLICIES & PROCESS
  49. START: Implementing policies of "least privilege".
  50. START: Developing a Disaster Recovery Plan. TEST IT. (No, really, test it. Often.)
  51. START: Developing an Incident Response Plan. Test it, and keep it updated.
  52. START: Enabling (and requiring) two-factor authentication for everything.
  53. START: Thinking about any ways a new security measure could actually weaken your security.
  54. REMEMBER: If your new security policies get in the way of people getting work done, they will find a way around them.
  55. START: Developing a formal procedure for handling exiting employees.
  56. DATA HANDLING
  57. STOP: Collecting data about users that you don't ABSOLUTELY need right now.
  58. START: Logging (almost) everything. Use a central logging server if you can.
  59. START: Getting to know what "normal" user behavior looks like. Flag anything out of the ordinary.
  60. START: Storing offline backups. Make sure you can restore from them successfully.
  61. START: Encrypting EVERYTHING (where feasible) in transit and at rest. HTTPS ALL THE THINGS.
  62. START: Testing that your deployment system can work if GitHub (or another third party) is down.
  63. DEV & OPS
  64. START: Leveraging the built-in data sanitation/CSRF protection of your language frameworks.
  65. START: Using prepared statements for your SQL. It's 2016 already!
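The SQL injection item on slide 19 and the prepared-statements advice on slide 65 are two sides of the same bug. The following is an added example (not code from the talk or from Snipe-IT), using only Python's standard-library sqlite3 module; the `users` table and its rows are constructed for the demo. It puts the string-built query beside the parameterized one and runs the same tautology payload through both:

```python
"""String-built SQL (the 'before') beside a parameterized query (the 'after').

Added example using the Python standard library. The users table and its
three rows are constructed for this demo and are not from any real system.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before': user input is concatenated into the SQL text.

    Whatever the caller types becomes part of the query grammar, so a single
    quote character lets them rewrite the WHERE clause.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn: sqlite3.Connection, username: str) -> list:
    """The 'after': the SQL text is fixed; the value travels as a bound parameter.

    The driver never parses the value as SQL, so the same payload is just an
    unusual (and non-matching) username.
    """
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict:
    """Run a legitimate lookup and a classic tautology payload through both paths."""
    conn = make_db()
    payload = "' OR '1'='1"  # turns the WHERE clause into: username = '' OR '1'='1'
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "bob"),
        "legit_prepared": lookup_prepared(conn, "bob"),
        "attack_vulnerable": lookup_vulnerable(conn, payload),  # dumps every user
        "attack_prepared": lookup_prepared(conn, payload),  # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} -> {rows}")
```

The point of the side-by-side is that the hardened version does not filter or escape anything; it removes the attacker's text from the SQL grammar entirely. Framework query builders and ORMs do the same thing under the hood, which is why slide 64's advice to lean on the framework and slide 65's advice to use prepared statements amount to the same rule.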
  66. START: Checking for debugging output that can disclose information that makes an attacker's job easier.
  67. STOP: Using MD5 for passwords!!!! Use a salted, deliberately slow password hash like bcrypt.
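As an added example (not the talk's code), here is the unsalted MD5 scheme slide 67 warns against next to a salted, slow hash with a constant-time check, which also addresses the timing-leak item from slide 26. The slide recommends bcrypt; since bcrypt is a third-party package in Python, this example substitutes PBKDF2-HMAC-SHA256 from the standard library so it runs with no dependencies, and the `algorithm$iterations$salt$hash` record layout is this example's own convention rather than a standard:

```python
"""Password storage: unsalted MD5 (the 'stop') beside a salted, slow hash (the 'start').

Added example using only the Python standard library. PBKDF2-HMAC-SHA256 stands in
for the bcrypt the slide recommends; the stored-record format used below
(pbkdf2_sha256$iterations$base64salt$base64hash) is this example's own convention.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # demo value; raise the cost for production hardware


def md5_store(password: str) -> str:
    """The 'before': fast and unsalted.

    Equal passwords give equal digests, so one precomputed table or one cracked
    hash breaks every account sharing that password, and billions of guesses per
    second are cheap.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """The 'after': a fresh random salt per user and a tunable work factor.

    Equal passwords now produce different records, and each offline guess costs
    the attacker `iterations` HMAC computations instead of one hash.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time.

    hmac.compare_digest does not return early on the first mismatching byte, so
    response timing does not reveal how much of the digest an attacker got right.
    Malformed records are rejected rather than raising.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    """Show why the two schemes behave differently for the same password."""
    pw = "correct horse battery staple"
    md5_a, md5_b = md5_store(pw), md5_store(pw)
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    return {
        "md5_identical_for_same_password": md5_a == md5_b,  # True: no salt
        "salted_records_differ": rec_a != rec_b,  # True: per-user salt
        "verify_correct": verify_password(pw, rec_a),
        "verify_wrong": verify_password("wrong password", rec_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:32} -> {value}")
```

Two things to carry over to whatever library you actually use: store the cost parameter with the record so you can raise it later and re-hash users on their next successful login, and never compare digests with `==`.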
  68. START: Looking critically at the complexity of your systems.
  69. START: Implementing brute-force detection everywhere you can.
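Slides 58, 59 and 69 (central logging, learning what "normal" looks like, brute-force detection) are one pipeline in practice. The following added example (not the talk's code) runs simple detection logic over authentication log lines. The `ts auth ip=... user=... result=ok|fail` line format and every line in SAMPLE_LOG are constructed for this demo, and the thresholds are illustrative; the rules cover three patterns a small team can act on: many failures from one IP, one account failing from many IPs (password spraying), and a success from an IP that was already flagged.

```python
"""Brute-force and anomaly detection over authentication log lines.

Added example using only the Python standard library. The log format and the
lines in SAMPLE_LOG are constructed for this demo; point LINE_RE at whatever
your application or central log server really emits. Thresholds are starting
points to tune against your own baseline of normal traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: a burst against alice, a spray against bob, two slow
# failures for carol that should not alert, a normal login, and a junk line.
SAMPLE_LOG = """\
2016-11-04T10:00:01Z auth ip=203.0.113.5 user=alice result=fail
2016-11-04T10:00:02Z auth ip=203.0.113.5 user=alice result=fail
2016-11-04T10:00:03Z auth ip=203.0.113.5 user=alice result=fail
2016-11-04T10:00:04Z auth ip=203.0.113.5 user=alice result=fail
2016-11-04T10:00:05Z auth ip=203.0.113.5 user=alice result=fail
2016-11-04T10:00:30Z auth ip=203.0.113.5 user=alice result=ok
2016-11-04T10:01:00Z auth ip=198.51.100.1 user=bob result=fail
2016-11-04T10:01:10Z auth ip=198.51.100.2 user=bob result=fail
2016-11-04T10:01:20Z auth ip=198.51.100.3 user=bob result=fail
2016-11-04T10:02:00Z auth ip=192.0.2.9 user=carol result=fail
2016-11-04T10:12:00Z auth ip=192.0.2.9 user=carol result=fail
2016-11-04T10:12:05Z auth ip=192.0.2.20 user=dave result=ok
this line is not in the expected format
"""


def parse(lines):
    """Yield parsed events; lines that do not match are skipped (count them in production)."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect(lines, window=timedelta(minutes=5), ip_threshold=5, spray_threshold=3):
    """Return a list of (kind, key, detail) alerts, in the order they fire.

    bruteforce_ip       one source IP reaches ip_threshold failures inside `window`
    spray_user          one account fails from spray_threshold distinct IPs inside `window`
    success_after_burst a login succeeds from an IP already flagged for brute force
    """
    alerts = []
    fails_by_ip = defaultdict(deque)    # ip -> timestamps of recent failures
    fails_by_user = defaultdict(deque)  # user -> (ts, ip) of recent failures
    flagged_ips = set()

    for ev in parse(lines):
        ts, ip, user = ev["ts"], ev["ip"], ev["user"]
        if ev["result"] == "fail":
            q = fails_by_ip[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= ip_threshold and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append(("bruteforce_ip", ip, f"{len(q)} failures within {window}"))

            uq = fails_by_user[user]
            uq.append((ts, ip))
            while uq and ts - uq[0][0] > window:
                uq.popleft()
            distinct = {src for _, src in uq}
            if len(distinct) >= spray_threshold:
                alerts.append(("spray_user", user, f"failures from {len(distinct)} IPs"))
                uq.clear()  # reset so a continuing spray does not alert on every line
        elif ip in flagged_ips:
            alerts.append(("success_after_burst", ip, f"user={user} succeeded after brute-force flag"))
    return alerts


if __name__ == "__main__":
    for kind, key, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:20} {key:14} {detail}")
```

The `success_after_burst` rule is the one worth paging on: a burst of failures followed by a success from the same source is the signature of a guessed or stuffed password, and it is only visible when login events from every service land in one place, which is the case for slide 58's central logging server.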
  70. STOP: Using production data in your test environments!
  71. START: Getting your dev teams involved in Capture the Flag events. (They're fun!)
  72. START: Getting penetration tests and vulnerability assessments done.
  73. START: Building automated scanners into your testing / Continuous Integration pipeline.
  74. COMPANY CULTURE
  75. START: Building a security-first culture. Make it part of your DNA.
  76. START: Creating a company culture where your employees are encouraged to ask if they are suspicious.
  77. REMEMBER: "The security team says no because they are incorrectly held accountable for all flaws." — Michael Coates, CISO at Twitter, OWASP Global Board Member
  78. START: Educating employees about social engineering tactics that can be used to gather data about your company.
  79. STOP: Utilizing policies that punish employees for reporting incidents.
  80. START: Becoming a passionate security ambassador for your users and your co-workers.
  81. THANK YOU! Alison Gianotto (aka "snipe")
     • @snipeyhead on Twitter
     • snipe@snipe.net
     Liked this talk? Leave feedback at http://snipe.ly/domcode16
  82. CAPTURE ALL THE FLAGS!
     • NotSoSecure CTF: http://ctf.notsosecure.com
     • Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
     • http://hax.tor.hu/
     • https://pwn0.com/
     • http://www.smashthestack.org/
     • http://www.hellboundhackers.org/
     • http://www.overthewire.org/wargames/
     • http://counterhack.net/Counter_Hack/Challenges.html
     • http://www.hackthissite.org/
     • http://exploit-exercises.com/
     • http://vulnhub.com/
