DEFENSE-IN-DEPTH TO SECURE YOUR ORGANIZATION @DC970 October 20, 2015

DC970 Presents: Defense in Depth


Page 1: DC970 Presents: Defense in Depth


Page 2: DC970 Presents: Defense in Depth

AGENDA
- Who is DC970?
- Defense-in-Depth
- Components
- Trends
- Discussion

Page 3: DC970 Presents: Defense in Depth

WHO IS DC970
- DEF CON is one of the world’s largest hacker conferences
  - Occurs annually in Las Vegas
  - 16,000+ attended in 2014; 20,000+ in 2015
- DC970 is a local meet up with similar interests
  - Meets the 3rd Thursday of the month at Wild Boar Café – 7pm
- One of a handful of groups around Northern Colorado
- Not on Meetup.com --- Should we be?

Page 4: DC970 Presents: Defense in Depth

DEFENSE-IN-DEPTH
- Full scope: Personnel, Procedural, Technical and Physical
- Expect any single layer to fail/be defeated (e.g. 0-day)
- Add layers to mitigate the impact of any single layer failing
- Could be 3 or 30 layers
- Medieval castle, military base
- Warcraft/AOE/CnC strategy – e.g. all zergs
- Again: expect and accept losses at any layer

Page 5: DC970 Presents: Defense in Depth

OLD SCHOOL DEFENSE

Page 6: DC970 Presents: Defense in Depth
Page 7: DC970 Presents: Defense in Depth

C-I-A TRIAD

Page 8: DC970 Presents: Defense in Depth

COMPONENTS
- Perimeter FW
- IPS
- Anti-virus
- Web proxy filters
- Hardened OS
- Patch management
- Two/three-factor authentication

Page 9: DC970 Presents: Defense in Depth

COMPONENTS (cont.)
- Application sandboxing
- Multiple DMZs (e.g. untrusted client subnet)
- NAP / NAC (network sandbox)
- Physical security
- Password policies (long/complex password requirements)
- Log correlation
- Supply chain

Page 10: DC970 Presents: Defense in Depth

STATE OF THE UNION
Industry reports from multiple vendors:
- Microsoft – Security Intelligence Report
- Symantec – Internet Security Threat Report
- Verizon – Data Breach Investigations Report

Page 11: DC970 Presents: Defense in Depth

SYMANTEC – 2012
From DC970’s first presentation in 2013…
- 31% of attacks targeted at businesses with fewer than 250 employees
- 32% of mobile threats are designed to steal information
- 69% of all email is spam
- 5291 new vulnerabilities discovered in 2012 (14.5 per day)
- One ‘watering hole’ attack infected 500 orgs in one day

Page 12: DC970 Presents: Defense in Depth

DBIR 2015 – PATCHING
- 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was released
- The 2008 figure was 71%
- E.g. MS08-067 = CVE-2008-4250

DBIR 2015, p19

Page 13: DC970 Presents: Defense in Depth

DBIR 2015 – PHISHING
- 23% of recipients open messages
- 11% click on attachments
- First click: average 82 seconds
- Overall: 50% of ‘clickers’ click within one hour of the attack

DBIR 2015, p12

Page 14: DC970 Presents: Defense in Depth

DBIR 2015 – OTHER
- Mobile devices are NOT a preferred vector in data breaches
- No ‘one size fits all’ approach to security
  - Size
  - Industry sector

Page 15: DC970 Presents: Defense in Depth

DBIR 2015 – OOPS!
Accidental C-I-A breach:
- 30% – Misdelivery of sensitive info to incorrect recipients
- 17% – Published to public web server
- 12% – Improper disposal of info (personal, medical, etc.)
- Total of 60% attributed to sysadmin error
- 35% of systems are vulnerable to USB-initiated attacks

DBIR 2015, p51

Page 16: DC970 Presents: Defense in Depth

E-COMMERCE WEB APP HACK
- Why?—Because the threat actor made changes in the payment application code to capture and send data when processed.
- Why?—They bypassed authentication to upload a backdoor to the server via Remote File Inclusion (RFI).
- Why?—Because the JBoss version was outdated and vulnerable to a widely known attack.
- Why?—Because the server software hadn’t been updated in years.
- Why?—This is where it gets tricky.
  - Because...they thought their third-party vendor would do it?
  - Because...they thought they had, but failed to check implementation?
  - Because...they had insufficient processes in place to manage their risk?

DBIR 2015, p55

Page 17: DC970 Presents: Defense in Depth

RECOMMENDATION
- Educate your organization’s users
- Patching!
  - Qualys BrowserCheck
- Filtered internet access
  - OpenDNS
- Account security
  - Password manager
  - Don’t reuse passwords

Page 18: DC970 Presents: Defense in Depth

WOULD YOU LIKE TO SEE MORE?
If DC970 came back, what topic / demo would you like to see?