
dotScale 2014


DESCRIPTION

CTF links:
• NotSoSecure CTF: http://ctf.notsosecure.com
• Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
• http://hax.tor.hu/
• https://pwn0.com/
• http://www.smashthestack.org/
• http://www.hellboundhackers.org/
• http://www.overthewire.org/wargames/
• http://counterhack.net/Counter_Hack/Challenges.html
• http://www.hackthissite.org/
• http://exploit-exercises.com/
• http://vulnhub.com/


Page 1: dotScale 2014

Alison Gianotto (aka “snipe”)

WHO AM I?

• Former agency CTO/CSO
• Security & privacy advocate
• 20 years in IT & software development
• Co-author of a few PHP/MySQL books
• Survivor of more corporate audits than I care to remember
• @snipeyhead on Twitter

dotScale May 2014 - #dotScale

Page 2: dotScale 2014

IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK.


Srsly.

Page 3: dotScale 2014

IT IS INAPPROPRIATE TO MITIGATE EVERY RISK.


No, Srsly.

Page 4: dotScale 2014

WHY PEOPLE HACK

• To steal/sell identities, credit card numbers, corporate secrets, military secrets
• Fun/Notoriety
• Political (“Hacktivism”)
• Revenge
• Blackhat SEO
• Extortion/Ransomware

Page 5: dotScale 2014

MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.


Page 6: dotScale 2014

THERE WERE EIGHT MEGA-BREACHES IN 2013, COMPARED WITH ONLY ONE IN 2012.

+700%

Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

Page 7: dotScale 2014

OCT 2013: ADOBE
EXPOSED: CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE
IMPACTED: 152 MILLION USERS

Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

Page 8: dotScale 2014

DEC 2013: TARGET
EXPOSED: CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS
IMPACTED: 110 MILLION USERS

Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

Page 9: dotScale 2014

BREACH GROWTH

Data Stolen:
• credit card info
• birth dates
• government ID numbers
• home addresses
• medical records
• phone numbers
• financial information
• email addresses
• login
• passwords

Identities Stolen by Year (in Millions): 2011: 232; 2013: 552

Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

Page 10: dotScale 2014

ATTACKS PER DAY: 2011: 190,000; 2012: 464,000; 2013: 570,000

Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

Page 11: dotScale 2014

SOMETIMES YOUR EFFORTS TO MITIGATE RISK CAN INCREASE YOUR ATTACK SURFACE.


Because THAT’S fair.

Page 12: dotScale 2014

DEFENSE IN DEPTH PROMISES

• Mitigates single points of failure. (“Bus factor”)
• Requires more effort on the part of the attacker, theoretically exhausting attacker resources.

Except...

Page 13: dotScale 2014

DEFENSE IN DEPTH CHALLENGES

• Larger, more complicated systems are harder to maintain.
• Can lead to more cracks for bad guys to poke at.
• More surfaces that can be overlooked.
• The bad guys have nearly limitless resources. We don’t.
• Attacks are commoditized now. Botnets for $2/hour.

Page 14: dotScale 2014

HACKERS ARE NOT YOUR ONLY PROBLEM.


Sorry. :(

Page 15: dotScale 2014

CIA Confidentiality, Integrity & Availability


Page 16: dotScale 2014

CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION


Page 17: dotScale 2014

INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.


Page 18: dotScale 2014

AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.


Page 19: dotScale 2014

APPSEC STRATEGY

PICK TWO

ABSOLUTELY F*CKED
UTTERLY F*CKED
COMPLETELY F*CKED

Page 20: dotScale 2014

CREATING A RISK MATRIX

• Type of resource
• Third-Party
• Diagram ID
• Description
• Triggering Action
• Consequence of Failure
• Risk of Failure
• Probability of Failure
• User Impact
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info

Grab a starter template here! http://snipe.ly/risk_matrix

Page 21: dotScale 2014

20 THINGS YOU CAN START DOING TODAY.


Dooo eeeeeet.


Page 22: dotScale 2014

#1. CAPTURE ALL THE FLAGS!


Page 23: dotScale 2014

WHAT DEVS LEARN FROM CTF

• Strip specific messaging from login forms.
• Use solid password hashing with salting, like bcrypt.
• Implement brute-force prevention for all login systems.
• Encrypt everything, where feasible.
• Suppress debugging and server information (language/framework versions, web server versions, stack traces, etc.).
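The first three lessons on this slide in one login handler, as an added example (not code from the talk): a single generic failure message, a salted and deliberately slow password hash, and per-account brute-force lockout. It assumes an in-memory user store, uses the standard library's pbkdf2_hmac as a stand-in for the bcrypt the slide recommends, and the user `alice`, the thresholds and the lockout window are constructed values.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000        # work factor; bcrypt's cost parameter serves the same purpose
MAX_FAILURES = 5               # failed attempts before an account is locked out (constructed)
LOCKOUT_SECONDS = 900          # how long recent failures count against the account (constructed)
GENERIC_ERROR = "Invalid username or password."   # one message for every failure path


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted, deliberately slow hash. The slide recommends bcrypt; this stand-in
    uses hashlib.pbkdf2_hmac because it ships with the standard library."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest       # salt is stored alongside the digest, not kept secret


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Constructed in-memory user store and failure log; a real app keeps these in a database.
USERS = {"alice": hash_password("correct horse battery staple")}
FAILURES = defaultdict(list)   # username -> timestamps of recent failed logins
DUMMY = hash_password("placeholder", b"\x00" * 16)   # hashed against for unknown users


def login(username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Returns (success, message). The message never says whether the username
    exists, whether the account is locked, or what was wrong with the password."""
    now = time.time() if now is None else now
    recent = [t for t in FAILURES[username] if now - t < LOCKOUT_SECONDS]
    FAILURES[username] = recent
    if len(recent) >= MAX_FAILURES:
        return False, GENERIC_ERROR            # locked out, reported like any other failure
    stored = USERS.get(username)
    # Always run the hash, even for unknown users, so response time doesn't leak existence.
    ok = verify_password(password, stored if stored is not None else DUMMY)
    if stored is None or not ok:
        FAILURES[username].append(now)
        return False, GENERIC_ERROR
    FAILURES[username].clear()                 # a successful login resets the counter
    return True, "Welcome back."
```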


Page 25: dotScale 2014

#2. START EVERY PROJECT RISK-FIRST.


Page 26: dotScale 2014

#3. BUILD A CLEAR INVENTORY OF SURFACE AREAS AND THEIR VALUE.


Page 27: dotScale 2014

#4. RISK MATRIX FOR EVERY MAJOR PROJECT OR PRODUCT.


Page 28: dotScale 2014

#5. KNOW WHAT HAPPENS WHEN THIRD-PARTY SERVICES FAIL.


Page 29: dotScale 2014

#6. TRUST YOUR GUT. WHEN SOMETHING DOESN’T LOOK RIGHT, IT PROBABLY ISN’T.


Page 30: dotScale 2014

#7. KEEP YOUR SYSTEMS AS SIMPLE AS POSSIBLE.


Page 31: dotScale 2014

#8. INCREASED TRANSPARENCY REDUCES RISK ACROSS DEPARTMENTS.


Page 32: dotScale 2014

#9. GET TO KNOW YOUR USERS’ BEHAVIOR. BE SUSPICIOUS IF IT CHANGES FOR NO REASON.


Page 33: dotScale 2014

#10. AUTOMATE EVERYTHING.


Page 34: dotScale 2014

#11. LOG (ALMOST) EVERYTHING. KNOW WHERE YOUR LOGS ARE.


Page 35: dotScale 2014

#12. ALWAYS EMPLOY THE PRINCIPLE OF “LEAST PRIVILEGE”.


Page 36: dotScale 2014

#13. ONLY COLLECT THE DATA YOU ABSOLUTELY NEED.


Page 37: dotScale 2014

#14. IMPLEMENT TWO-FACTOR AUTHENTICATION. IT’S EASIER THAN YOU THINK.


Page 38: dotScale 2014

#15. CREATE A DATA RECOVERY PLAN AND TEST IT. NO, REALLY. TEST IT. MORE THAN ONCE.


Page 39: dotScale 2014

#16. MOAR PAPERWORK!


Page 40: dotScale 2014

#17. LEVERAGE BUILT-IN VALIDATION/SANITIZATION FROM FRAMEWORKS.


Page 41: dotScale 2014

#18. PERFORM REGULAR WHITE-BOX AND BLACK-BOX TESTING.


Page 42: dotScale 2014

#19. PAY ATTENTION TO YOUR ALERTS.


Page 43: dotScale 2014

#20. BECOME A PASSIONATE SECURITY AMBASSADOR FOR YOUR USERS.


Page 44: dotScale 2014

Alison Gianotto (aka “snipe”)

THANK YOU!

• @snipeyhead on Twitter
• [email protected]