DEFENSE-IN-DEPTH TO SECURE YOUR ORGANIZATION
@DC970
October 20, 2015

AGENDA
- Who is DC970?
- Defense-in-Depth
- Components
- Trends
- Discussion
WHO IS DC970
- DEF CON is one of the world's largest hacker conferences
- Occurs annually in Las Vegas
- 16,000+ attended in 2014; 20,000+ in 2015
- DC970 is a local meetup with similar interests
- Meets the 3rd Thursday of the month at Wild Boar Café – 7pm
- One of a handful of groups around Northern Colorado
- Not on Meetup.com --- Should we be?
DEFENSE-IN-DEPTH
- Full scope: Personnel, Procedural, Technical and Physical
- Expect any single layer to fail / be defeated (e.g. 0-day)
- Add layers to mitigate the impact of any single layer failing
- Could be 3 or 30 layers
- Medieval castle, military base
- Warcraft/AOE/CnC strategy – e.g. all zergs
- Again: expect and accept losses at any layer
OLD SCHOOL DEFENSE
C-I-A TRIAD
COMPONENTS
- Perimeter FW
- IPS
- Anti-virus
- Web proxy filters
- Hardened OS
- Patch management
- Two/three-factor authentication

COMPONENTS
- Application sandboxing
- Multiple DMZs (e.g. untrusted client subnet)
- NAP / NAC (network sandbox)
- Physical security
- Password policies (long/complex password requirements)
- Log correlation
- Supply chain
STATE OF THE UNION
Industry reports from multiple vendors:
- Microsoft – Security Intelligence Report
- Symantec – Internet Security Threat Report
- Verizon – Data Breach Investigations Report
SYMANTEC – 2012
From DC970's first presentation in 2013…
- 31% of attacks targeted at businesses with fewer than 250 employees
- 32% of mobile threats are designed to steal information
- 69% of all email is spam
- 5291 new vulnerabilities discovered in 2012 (14.5/day)
- One 'watering hole' attack infected 500 orgs in one day
DBIR 2015 – PATCHING
- 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published
- The 2008 number was 71%
- E.g. MS08-067 = CVE-2008-4250
DBIR 2015, p19
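As an added example (not from the DC970 slides or the DBIR), a small Python triage script that applies the one-year threshold from this finding to a vulnerability inventory: unpatched CVEs are sorted oldest-first so the ones most likely to be exploited in practice surface at the top. The host names, the placeholder CVE ids and the use of the talk date as the "as of" date are assumed sample values; CVE-2008-4250 is the MS08-067 id named on the slide.

```python
"""Rank unpatched CVEs by age: DBIR 2015 found that 99.9% of exploited
vulnerabilities were compromised more than a year after CVE publication."""
from dataclasses import dataclass
from datetime import date

STALE_DAYS = 365              # the DBIR's one-year threshold
AS_OF = date(2015, 10, 20)    # assumed "as of" date (date of the talk)


@dataclass
class Finding:
    host: str
    cve: str
    published: date   # CVE publication date
    patched: bool


# Constructed sample inventory. Hosts and the PLACEHOLDER ids are made up;
# CVE-2008-4250 (MS08-067) is the example the slides use.
INVENTORY = [
    Finding("web-01", "CVE-2008-4250", date(2008, 10, 23), patched=False),
    Finding("web-01", "CVE-2015-PLACEHOLDER-A", date(2015, 9, 1), patched=False),
    Finding("db-01", "CVE-2008-4250", date(2008, 10, 23), patched=True),
    Finding("app-01", "CVE-2014-PLACEHOLDER-B", date(2014, 3, 15), patched=False),
]


def triage(findings, as_of=AS_OF):
    """Return unpatched findings, oldest first, each tagged with its age in
    days and whether it falls in the >1-year bucket the DBIR highlights."""
    rows = []
    for f in findings:
        if f.patched:
            continue
        age = (as_of - f.published).days
        rows.append({"host": f.host, "cve": f.cve,
                     "age_days": age, "stale": age > STALE_DAYS})
    rows.sort(key=lambda r: r["age_days"], reverse=True)
    return rows


def summarize(findings, as_of=AS_OF):
    """Count unpatched findings and how many are past the one-year mark."""
    rows = triage(findings, as_of)
    return {"unpatched": len(rows), "stale": sum(r["stale"] for r in rows)}


if __name__ == "__main__":
    for r in triage(INVENTORY):
        flag = "STALE" if r["stale"] else "recent"
        print(f"{r['host']:8} {r['cve']:24} {r['age_days']:5d} days  {flag}")
    print(summarize(INVENTORY))
```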
DBIR 2015 – PHISHING
- 23% of recipients open messages
- 11% click on attachments
- First click: average 82 seconds
- Overall: 50% of 'clickers' click within one hour of the attack
DBIR 2015, p12
DBIR 2015 – OTHER
- Mobile devices NOT a preferred vector in data breaches
- No 'one size fits all' approach to security: size, industry sector
DBIR 2015 – OOPS!
Accidental C-I-A breaches:
- 30% – misdelivery of sensitive info to incorrect recipients
- 17% – published to a public web server
- 12% – improper disposal of info (personal, medical, etc…)
- Total of 60% attributed to sysadmin error
- 35% of systems are vulnerable to USB-initiated attacks
DBIR 2015, p51
E-COMMERCE WEB APP HACK
- Why? Because the threat actor made changes in the payment application code to capture and send data when processed.
- Why? They bypassed authentication to upload a backdoor to the server via Remote File Inclusion (RFI).
- Why? Because the JBoss version was outdated and vulnerable to a widely known attack.
- Why? Because the server software hadn't been updated in years.
- Why? This is where it gets tricky. Because... they thought their third-party vendor would do it? Because... they thought they had, but failed to check implementation? Because... they had insufficient processes in place to manage their risk?
DBIR 2015, p55
RECOMMENDATION
- Educate your organization's users
- Patching! (Qualys BrowserCheck)
- Filtered internet access (OpenDNS)
- Account security: password manager, don't reuse passwords

WOULD YOU LIKE TO SEE MORE?
If DC970 came back, what topic / demo would you like to see?