Security Compensation
HOW TO INVEST IN STARTUP SECURITY
April 8, 2015
INTRODUCTION
WHO ARE THOSE PEEPS UP IN FRONT?
Some Cool Peeps
RELEVANT BECAUSE EASTER
Chris Grayson
• Security Associate
Austin Whipple
• Senior Security Analyst
Agenda
WHATCHU TALKIN’ ‘BOUT HOLMES?
• Offloading Security Risk
• Security Best Practices for Start-ups
• Conclusion
OFFLOADING
ONLY MARGINALLY DIFFERENT FROM FREELOADING
Offloading Risk
THE GAME OF GLOBAL DOMINATION
• Risk = (Probability of a threat occurring against an asset) x (Value of asset)
• Risk can be reduced by reducing the probability of the threat or by reducing the value of the asset.
• What is offloading risk?
Offloading Email
EVERY WEEK I CHECK THE EMAIL
• Email has lots of hidden “gotchas”: spoofing, forwarding, encryption, backups, etc.
• These are incredibly easy to overlook and misconfigure. Don’t do it yourself!
Offloading SSL
ENCRYPT ALL THE THINGS
• Similar to email, there are lots of “gotchas” that can lead to exploitation (Heartbleed).
• Platforms like Cloudflare get early warning of, and access to, exploits and fix them before the security advisory goes public.
Offloading Hosting
EVERYTHING IS SECURE IN “THE CLOUD”
• “Cloud” is not the be-all and end-all of technology solutions, but it does have its place.
• The Amazon suite, for example, makes it easier to have security by default.
Offloading Payroll
YOU CAN’T STEAL WHAT THEY DON’T HAVE
• In 2015, there aren’t very many good reasons to be doing your own payroll.
• If you aren’t storing/handling/processing those details, we can’t steal them from you.
Offloading Bug Bounties
YOU DEAL WITH MY PROBLEMS
• For tech companies with a product or a web presence, research shows that having a bug bounty is a good idea.
• Bugcrowd: 193 – average number of valid submissions per bug bounty run
SECURITY BEST PRACTICES
START NOW OR FOREVER HOLD YOUR PEACE
Principle of Least Privilege
NO, THEY DON’T NEED AN ADMIN ACCOUNT
• As per Wikipedia, “every module must be able to access only the information and resources that are necessary for its legitimate purpose.”
• Local admin rights, access to file shares, other sensitive information
• Not about trust – about minimizing exposure
Hardening Your Browser
THIS MIGHT HURT A LITTLE
• Browsers are popular targets.
• Script blocking
  • ScriptSafe, ScriptBlock, NoScript
• Ad blocking
  • Adblock
• Tracker blocking
  • Ghostery, Disconnect
Authentication
WHO ARE YOU AND WHAT ARE YOU DOING ON MY SERVER?!
How a digital system identifies a user.
• Authenticate with Facebook, Google
• Private keys
• Two-factor authentication on highly-sensitive endpoints (email, VPN)
  • Duo Security
Virtualization
DOMO ARIGATO MR. ROBOTO
• Wikipedia defines sandboxing as “a security mechanism for separating running programs. It is often used to execute untested code.”
• Virtual machines!
  • VMware, VirtualBox
Password Management
YOU CAN’T LIVE WITH ‘EM, YOU CAN’T LIVE WITHOUT ‘EM
Passwords are the most ubiquitous form of authentication.
• One of the most valuable targets for an attacker.
• Don’t re-use them!
• Don’t share them!
• Don’t write them down!
• Use password vaults where possible.
  • KeePass, LastPass
Applications and Services
YOU’VE GOT WHAT ON YOUR EXTERNAL NETWORK?!
• Vulnerable services and applications lead to compromised businesses.
• Internal applications shouldn’t be on the open Internet.
• Have a network? VPN + 2FA
• No network? SSH + private key + port forwarding
Applications and Services
UGH FINE – WELL IF IT HAS TO BE ON THE INTERNET
Only if you insist…
• Not using publicly-vulnerable software
• All sensitive information is encrypted when transmitted across the network
• If passwords are used, the passwords are strong
• Web application? Pay attention to the OWASP Top 10
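The two slides above recommend reaching internal applications over SSH with a private key and, for anything that must be Internet-facing, not leaning on passwords. As an added example (not code from the talk), here is a small audit of an OpenSSH `sshd_config` that flags settings contradicting key-only access and prints the corrected value beside each. `SAMPLE_WEAK` and `SAMPLE_HARDENED` are constructed files; only the global section before the first `Match` block is evaluated, and sshd's rule that the first value given for a keyword wins is honoured, which is why the second `PasswordAuthentication` line in the weak sample does not rescue it.

```python
"""Audit the global section of an OpenSSH sshd_config for settings that
undercut "SSH + private key" access.  Added example, not from the talk.
SAMPLE_WEAK and SAMPLE_HARDENED are constructed files; pass the text of
/etc/ssh/sshd_config to audit_sshd_config() for a real host.  Match blocks
are not evaluated."""
from typing import Dict, List

# keyword (lower-case) -> (sshd default when absent, acceptable values, recommended value)
POLICY = {
    "passwordauthentication": ("yes", {"no"}, "no"),
    "permitemptypasswords": ("no", {"no"}, "no"),
    "pubkeyauthentication": ("yes", {"yes"}, "yes"),
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password"}, "no"),
}
CANONICAL = {
    "passwordauthentication": "PasswordAuthentication",
    "permitemptypasswords": "PermitEmptyPasswords",
    "pubkeyauthentication": "PubkeyAuthentication",
    "permitrootlogin": "PermitRootLogin",
}

SAMPLE_WEAK = """\
# constructed: a stock install exposed to the Internet
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# sshd keeps the first value of a keyword, so this later line changes nothing:
PasswordAuthentication no
AllowTcpForwarding yes
"""

SAMPLE_HARDENED = """\
# constructed: key-only access; forwarding kept for tunnelling internal apps
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
AllowTcpForwarding yes
Match User deploy
    AllowTcpForwarding no
"""


def parse_global_section(text: str) -> Dict[str, str]:
    """Keyword -> first value seen, stopping at the first Match block.
    Comment lines are skipped; both "Key value" and "Key=value" are accepted."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """One finding per policy keyword whose effective value (explicit or
    sshd default) is outside the acceptable set, with the recommended fix."""
    settings = parse_global_section(text)
    findings = []
    for key, (default, acceptable, recommended) in POLICY.items():
        value = settings.get(key, default).lower()
        if value not in acceptable:
            name = CANONICAL[key]
            origin = "explicit" if key in settings else "sshd default"
            findings.append(f"{name} {value} ({origin}); recommend: {name} {recommended}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_sshd_config(cfg) or "OK")
```

An empty file is not "safe by default": with nothing set, `PasswordAuthentication` falls back to sshd's default of `yes`, and the audit reports it as such.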
AN AGE-OLD PROTOCOL WITH SERIOUS SECURITY IMPLICATIONS
The majority of sensitive communication occurs via email.
• Encrypt your emails
• Protect your domain from spoofed emails
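"Protect your domain from spoofed emails" is done with the SPF, DKIM and DMARC records listed in the additional resources. As an added example (not code from the talk), the following parses a domain's SPF and DMARC TXT records and reports whether a receiving mail server would actually reject mail that forges the domain: SPF must end in `-all` and DMARC must publish `p=reject`, otherwise a forgery is at best tagged. `SAMPLE_TXT` holds constructed records for hypothetical domains so the check runs offline; a real audit would fetch the TXT records of the domain and of `_dmarc.<domain>` over DNS. DKIM is not assessed here, since its selector records are only discoverable from signed mail.

```python
"""Check whether a domain's published SPF and DMARC records tell receivers
to reject mail that spoofs the domain.  Added example, not from the talk.
SAMPLE_TXT holds constructed TXT records for hypothetical domains; a real
audit would fetch the TXT records of <domain> and _dmarc.<domain> over DNS."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed samples: domain -> {"": [TXT at the apex], "_dmarc": [TXT at _dmarc.<domain>]}
SAMPLE_TXT: Dict[str, Dict[str, List[str]]] = {
    "strong.example": {
        "": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
    },
    "softfail.example": {
        "": ["v=spf1 include:_spf.mailhost.example ~all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@softfail.example"],
    },
    "weak.example": {
        "": ["some-unrelated-verification-token", "v=spf1 include:_spf.mailhost.example ?all"],
        "_dmarc": [],
    },
}


def parse_spf(txt_records: List[str]) -> Tuple[bool, Optional[str]]:
    """Return (spf_usable, qualifier of the trailing 'all' mechanism).
    Zero or multiple v=spf1 records both make SPF unusable (permerror)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, None
    qualifier = None
    for term in spf[0].split()[1:]:
        t = term.lower()
        if t in ("all", "+all", "-all", "~all", "?all"):
            qualifier = "+" if t == "all" else t[0]
    return True, qualifier  # None: no 'all' term, which SPF evaluates as neutral


def parse_dmarc(txt_records: List[str]) -> Optional[Dict[str, str]]:
    """Return the tag=value pairs of the v=DMARC1 record, or None if absent."""
    for record in txt_records:
        tags = {}
        for part in record.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


@dataclass
class SpoofAssessment:
    domain: str
    findings: List[str] = field(default_factory=list)

    @property
    def spoof_resistant(self) -> bool:
        return not self.findings


def assess(domain: str, txt: Dict[str, Dict[str, List[str]]] = SAMPLE_TXT) -> SpoofAssessment:
    """Collect every reason a forged message for `domain` would not be rejected."""
    records = txt.get(domain, {})
    result = SpoofAssessment(domain)
    usable, qualifier = parse_spf(records.get("", []))
    if not usable:
        result.findings.append("no single usable SPF record")
    elif qualifier in (None, "+", "?"):
        result.findings.append("SPF does not fail unknown senders (needs -all)")
    elif qualifier == "~":
        result.findings.append("SPF ends in ~all: spoofed mail is softfailed, not rejected")
    dmarc = parse_dmarc(records.get("_dmarc", []))
    if dmarc is None:
        result.findings.append("no DMARC record: receivers are not told to reject failures")
    elif dmarc.get("p", "").lower() != "reject":
        result.findings.append(f"DMARC p={dmarc.get('p', '?')}: not enforcing rejection")
    elif dmarc.get("pct", "100") != "100":
        result.findings.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of the mail")
    return result


if __name__ == "__main__":
    for name in SAMPLE_TXT:
        a = assess(name)
        print(name, "OK" if a.spoof_resistant else a.findings)
```

Rolling out `p=none` first and reading the `rua` aggregate reports before moving to `p=reject` is the usual path, which is exactly why a domain can sit at `p=none` indefinitely; this check makes that visible.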
File Sharing
EVERYBODY DOES IT
• Don’t leave sensitive files sitting around
  • USB drives, FTP servers, anonymously-accessible file shares
• Encryption
  • ZIP files, TrueCrypt volumes
• Don’t email files!
• Syncing files
  • Git, SVN, Box.com, Dropbox.com, Seafile
Account Provisioning and Revocation
PAY A LITTLE NOW OR A LOT LATER
Employees will come and go.
• Establish a process for provisioning and revocation
• May not seem necessary…
• But by the time it is, it’s too late.
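A provisioning and revocation process is only as good as the check that it was followed. As an added example (not code from the talk), the following reconciles an HR roster against the accounts that exist in each system and produces two lists: accounts to revoke (the owner has left, or nobody on the roster owns them) and accounts that current employees are still missing. `ROSTER` and `ACCOUNTS` are constructed samples standing in for an HR export and per-system user lists; the date is passed in so the same data can be checked as of any day.

```python
"""Reconcile an HR roster against the accounts present in each system, so
that leavers and orphaned accounts are revoked and starters are provisioned.
Added example, not from the talk; ROSTER and ACCOUNTS are constructed
samples standing in for an HR export and per-system user lists."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Employee:
    username: str
    start: date
    end: Optional[date]  # None while still employed


ROSTER: List[Employee] = [
    Employee("alice", date(2014, 3, 1), None),
    Employee("bob", date(2014, 9, 15), date(2015, 3, 31)),  # left at the end of March
    Employee("carol", date(2015, 4, 13), None),             # starts next week
]
ACCOUNTS: Dict[str, Set[str]] = {
    "vpn": {"alice", "bob"},
    "github": {"alice", "bob", "dave"},  # dave has no roster entry at all
    "email": {"bob", "carol"},           # alice was never given a mailbox
}
REQUIRED_SYSTEMS: Set[str] = {"vpn", "github", "email"}

Revocation = Tuple[str, str, str]  # (system, username, reason)


def reconcile(roster: List[Employee], accounts: Dict[str, Set[str]], today: date,
              required: Set[str] = REQUIRED_SYSTEMS) -> Tuple[List[Revocation], Dict[str, Set[str]]]:
    """Return (accounts to revoke, missing accounts per current employee).
    An account is stale if its owner is unknown or has an end date before
    today; a pre-created account for someone who has not started yet is
    left alone.  Provisioning gaps are reported only for people who have
    started and not left."""
    by_name = {e.username: e for e in roster}
    revoke: List[Revocation] = []
    for system, users in sorted(accounts.items()):
        for user in sorted(users):
            e = by_name.get(user)
            if e is None:
                revoke.append((system, user, "no roster entry"))
            elif e.end is not None and e.end < today:
                revoke.append((system, user, f"left {e.end.isoformat()}"))
    provision: Dict[str, Set[str]] = {}
    for e in roster:
        if e.start <= today and (e.end is None or e.end >= today):
            missing = {s for s in required if e.username not in accounts.get(s, set())}
            if missing:
                provision[e.username] = missing
    return revoke, provision


if __name__ == "__main__":
    to_revoke, to_provision = reconcile(ROSTER, ACCOUNTS, date(2015, 4, 8))
    for system, user, reason in to_revoke:
        print(f"REVOKE    {system:7} {user:6} ({reason})")
    for user, systems in to_provision.items():
        print(f"PROVISION {user:6} needs {sorted(systems)}")
```

Run daily against real exports, the non-empty `REVOKE` list is the signal that the offboarding step was skipped; the `dave` case shows why the comparison has to start from the roster rather than from the list of known leavers.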
Process Management
BUT I THOUGHT WE WERE TALKING ABOUT SECURITY…
• Security controls only count when they’re used.
• Uniform practices
  • Repeatable
  • Thought out
  • Documented
  • Verbalized
• Don’t over-engineer!
Wireless Networks
CUT ALL THE CLUTTER
• Don’t do it
• Seriously – don’t do it
• Wireless networks pose significant risk
• Open wireless network for guests
• WPA2-PSK for employee Internet access
CONCLUSION
BRINGING IT ALL FULL-CIRCLE
Now that we’ve blown your mind…
Key Takeaways
IF YOU DON’T REMEMBER ANYTHING ELSE…
If you can offload to a secure service, do it!
Start security ASAP - you’ll be glad you did later.
PARTING WORDS
ALWAYS THE HARDEST PART… :’(
QUESTIONS
AND MAYBE ANSWERS
Contact Us
WE’RE A CHATTY BUNCH
• @BishopFox
• Facebook.com/BishopFoxConsulting
• LinkedIn.com/Company/Bishop-Fox
• Google.com/+BishopFox
Thank You
Additional Resources
SLIDE 1 OF 4
Wikipedia – Principle of Least Privilege
http://en.wikipedia.org/wiki/Principle_of_least_privilege
ScriptSafe Chrome Plugin
https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en
NoScript Firefox Plugin
https://addons.mozilla.org/en-us/firefox/addon/noscript/
AdBlock
https://adblockplus.org/
Ghostery
https://www.ghostery.com/en/
Disconnect
https://disconnect.me/
Authenticate with Google
https://developers.google.com/identity/
Additional Resources
SLIDE 2 OF 4
Authenticate with Facebook
https://developers.facebook.com/docs/facebook-login/v2.3
Wikipedia – Key Authentication
http://en.wikipedia.org/wiki/Key_authentication
Wikipedia – Two-Factor Authentication
http://en.wikipedia.org/wiki/Two_factor_authentication
Duo Two-Factor Authentication
https://www.duosecurity.com/
Better Security Through Sandboxing
http://www.windowsecurity.com/articles-tutorials/windows_os_security/Better-Security-through-Sandboxing.html
KeePass Password Safe
http://keepass.info/
LastPass
https://lastpass.com/
Additional Resources
SLIDE 3 OF 4
OpenVPN How-To
https://openvpn.net/index.php/open-source/documentation/howto.html
SSH Port Forwarding
https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding
OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Microsoft – Building a Strong Password Policy
https://technet.microsoft.com/en-us/library/cc736605%28v=ws.10%29.aspx
Getting Started with S/MIME
http://www.office.mvps.org/smime/
DKIM Explained
http://www.gettingemaildelivered.com/dkim-explained-how-to-set-up-and-use-domainkeys-identified-mail-effectively
Setting up SPF Records
http://www.rackspace.com/apps/support/portal/1212
Additional Resources
SLIDE 4 OF 4
How to Set Up DMARC Email Authentication
http://www.gettingemaildelivered.com/how-to-set-up-dmarc-email-authentication
Encrypting ZIP Files with 7-Zip
http://www.northeastern.edu/securenu/?page_id=2573
TrueCrypt
http://truecrypt.sourceforge.net/
Bug Bounties Helpful
https://www.eecs.berkeley.edu/~daw/papers/vrp-use13.pdf
Bug Bounties Helpful, pt. 2
http://www.cmswire.com/cms/information-management/bug-bounty-programs-help-companies-track-vulnerabilities-027932.php
Bugcrowd
https://bugcrowd.com/products/bounty