Description

CTF links:
NotSoSecure CTF: http://ctf.notsosecure.com
Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
http://hax.tor.hu/
https://pwn0.com/
http://www.smashthestack.org/
http://www.hellboundhackers.org/
http://www.overthewire.org/wargames/
http://counterhack.net/Counter_Hack/Challenges.html
http://www.hackthissite.org/
http://exploit-exercises.com/
http://vulnhub.com/
Alison Gianotto (aka “snipe”)
dotScale May 2014 - #dotScale

WHO AM I?
• Former agency CTO/CSO
• Security & privacy advocate
• 20 years in IT & software development
• Co-author of a few PHP/MySQL books
• Survivor of more corporate audits than I care to remember
• @snipeyhead on Twitter
IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK.
Srsly.
IT IS INAPPROPRIATE TO MITIGATE EVERY RISK.
No, Srsly.
WHY PEOPLE HACK
• To steal/sell identities, credit card numbers, corporate secrets, military secrets
• Fun/Notoriety
• Political (“Hacktivism”)
• Revenge
• Blackhat SEO
• Extortion/Ransomware
MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.
THERE WERE EIGHT MEGA-BREACHES IN 2013, COMPARED WITH ONLY ONE IN 2012. (+700%)
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
OCT 2013: ADOBE EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE CODE. IMPACTED: 152 MILLION USERS
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
DEC 2013: TARGET EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS. IMPACTED: 110 MILLION USERS
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
BREACH GROWTH
Data stolen:
• credit card info
• birth dates
• government ID numbers
• home addresses
• medical records
• phone numbers
• financial information
• email addresses
• login
• passwords
Identities stolen by year (in millions): 2011: 232; 2013: 552
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
ATTACKS PER DAY
2011: 190,000; 2012: 464,000; 2013: 570,000
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
SOMETIMES YOUR EFFORTS TO MITIGATE RISK CAN INCREASE YOUR ATTACK SURFACE.
Because THAT’S fair.
DEFENSE IN DEPTH PROMISES
• Mitigates single points of failure. (“Bus factor”)
• Requires more effort on the part of the attacker, theoretically exhausting attacker resources.
Except...
DEFENSE IN DEPTH CHALLENGES
• Larger, more complicated systems are harder to maintain.
• Can lead to more cracks for bad guys to poke at.
• More surfaces that can be overlooked.
• The bad guys have nearly limitless resources. We don’t.
• Attacks are commoditized now. Botnets for $2/hour.
HACKERS ARE NOT YOUR ONLY PROBLEM.
Sorry. :(
CIA: Confidentiality, Integrity & Availability
CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION.
INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
APPSEC STRATEGY: PICK TWO
ABSOLUTELY F*CKED / UTTERLY F*CKED / COMPLETELY F*CKED
CREATING A RISK MATRIX
• Type of resource
• Third-Party
• Diagram ID
• Description
• Triggering Action
• Consequence of Failure
• Risk of Failure
• Probability of Failure
• User Impact
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info
Grab a starter template here! http://snipe.ly/risk_matrix
20 THINGS YOU CAN START DOING TODAY.
Dooo eeeeeet.
#1. CAPTURE ALL THE FLAGS!

WHAT DEVS LEARN FROM CTF
• Strip specific messaging from login forms.
• Use solid password hashing and salting, like bcrypt.
• Implement brute-force prevention for all login systems.
• Encrypt everything, where feasible.
• Suppress debugging and server information (language/framework versions, web server versions, stack-traces, etc.)
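The first three CTF lessons as working code, added here as an example rather than taken from the talk: one generic message for unknown users, wrong passwords and locked-out accounts alike; a salted, memory-hard password hash (the standard library's scrypt stands in for bcrypt, an assumption made so the block runs without extra packages); and a lockout after repeated failures. The user store, thresholds and lockout window are constructed.

```python
# Added example: a login check applying the CTF lessons on the slide.
# The standard library's scrypt stands in for bcrypt (an assumption made
# so the block runs without third-party packages); thresholds are assumed.
import hashlib
import hmac
import os
import time

SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}   # memory-hard KDF cost
MAX_FAILURES = 5            # assumed policy: lock after 5 failed attempts
LOCKOUT_SECONDS = 900       # assumed policy: 15-minute lockout
GENERIC_ERROR = "Invalid username or password."  # one message for every failure

def hash_password(password, salt=None):
    """Return salt || scrypt digest, using a fresh random 16-byte salt."""
    salt = salt or os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)

# Constructed user store; a real system keeps this in a database.
USERS = {"alice": hash_password("correct horse battery staple")}
# Brute-force state per username: (failure count, lockout expiry timestamp)
FAILURES = {}
# Verifying unknown users against a dummy hash keeps response time uniform,
# so timing does not reveal whether the username exists.
DUMMY_HASH = hash_password("dummy-password")

def login(username, password, now=None):
    """Return (success, message). Every failure path uses GENERIC_ERROR."""
    now = time.time() if now is None else now
    count, locked_until = FAILURES.get(username, (0, 0.0))
    if now < locked_until:
        return False, GENERIC_ERROR          # locked out: do not say so
    if locked_until and now >= locked_until:
        count = 0                            # lockout expired, start over
    stored = USERS.get(username, DUMMY_HASH)
    ok = verify_password(password, stored) and username in USERS
    if ok:
        FAILURES.pop(username, None)         # reset counter on success
        return True, "ok"
    count += 1
    expiry = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
    FAILURES[username] = (count, expiry)
    return False, GENERIC_ERROR
```

A per-username counter alone lets one client spread attempts across many accounts; production systems pair it with per-source rate limiting and alerting.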
#2. START EVERY PROJECT RISK-FIRST.
#3. BUILD A CLEAR INVENTORY OF SURFACE AREAS AND THEIR VALUE.
#4. RISK MATRIX FOR EVERY MAJOR PROJECT OR PRODUCT.
#5. KNOW WHAT HAPPENS WHEN THIRD-PARTY SERVICES FAIL.
#6. TRUST YOUR GUT. WHEN SOMETHING DOESN’T LOOK RIGHT, IT PROBABLY ISN’T.
#7. KEEP YOUR SYSTEMS AS SIMPLE AS POSSIBLE.
#8. INCREASED TRANSPARENCY REDUCES RISK ACROSS DEPARTMENTS.
#9. GET TO KNOW YOUR USERS’ BEHAVIOR. BE SUSPICIOUS IF IT CHANGES FOR NO REASON.
#10. AUTOMATE EVERYTHING.
#11. LOG (ALMOST) EVERYTHING. KNOW WHERE YOUR LOGS ARE.
#12. ALWAYS EMPLOY THE PRINCIPLE OF “LEAST PRIVILEGE”.
#13. ONLY COLLECT THE DATA YOU ABSOLUTELY NEED.
#14. IMPLEMENT TWO-FACTOR AUTHENTICATION. IT’S EASIER THAN YOU THINK.
#15. CREATE A DATA RECOVERY PLAN AND TEST IT. NO, REALLY. TEST IT. MORE THAN ONCE.
#16. MOAR PAPERWORK!
#17. LEVERAGE BUILT-IN VALIDATION/SANITIZATION FROM FRAMEWORKS.
#18. PERFORM REGULAR WHITE-BOX AND BLACK-BOX TESTING.
#19. PAY ATTENTION TO YOUR ALERTS.
#20. BECOME A PASSIONATE SECURITY AMBASSADOR FOR YOUR USERS.
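Items #9 and #11 together, as an added example that is not from the talk: the logs you keep are what let you notice when a user's behavior changes for no reason. The JSON-lines log format, its field names and the two-hour slack are constructed assumptions, and the sample events are invented.

```python
# Added example for #9 and #11: build each user's normal login pattern from
# the audit log, then flag logins that break it. Format and slack are assumed.
import json
from collections import defaultdict
from datetime import datetime

# Constructed JSON-lines audit log (not real data); successful logins from a quiet week form each user's baseline.
BASELINE_LOG = """
{"ts":"2014-05-05T09:12:00Z","user":"alice","ip":"203.0.113.10","cc":"FR","ok":true}
{"ts":"2014-05-06T09:40:00Z","user":"alice","ip":"203.0.113.10","cc":"FR","ok":true}
{"ts":"2014-05-07T10:05:00Z","user":"alice","ip":"203.0.113.11","cc":"FR","ok":true}
{"ts":"2014-05-05T14:00:00Z","user":"bob","ip":"198.51.100.7","cc":"US","ok":true}
"""
NEW_LOG = """
{"ts":"2014-05-08T09:30:00Z","user":"alice","ip":"203.0.113.10","cc":"FR","ok":true}
{"ts":"2014-05-08T03:15:00Z","user":"alice","ip":"192.0.2.44","cc":"BR","ok":true}
{"ts":"2014-05-08T03:16:00Z","user":"alice","ip":"192.0.2.44","cc":"BR","ok":false}
{"ts":"2014-05-08T14:30:00Z","user":"bob","ip":"198.51.100.7","cc":"US","ok":true}
"""

def parse(log):
    return [json.loads(line) for line in log.strip().splitlines()]

def hour_of(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").hour

def build_baseline(events):
    """Per user: countries and hours of day seen in successful logins."""
    base = defaultdict(lambda: {"cc": set(), "hours": set()})
    for ev in events:
        if ev["ok"]:
            base[ev["user"]]["cc"].add(ev["cc"])
            base[ev["user"]]["hours"].add(hour_of(ev))
    return base

def anomalies(baseline, events, hour_slack=2):
    """Return (user, ts, reasons) for every event outside its user's baseline."""
    flagged = []
    for ev in events:
        known = baseline.get(ev["user"])
        reasons = []
        if known is None:
            reasons.append("no baseline for user")
        else:
            if ev["cc"] not in known["cc"]:
                reasons.append("new country " + ev["cc"])
            hour = hour_of(ev)
            if all(abs(hour - h) > hour_slack for h in known["hours"]):
                reasons.append("unusual hour %02d:00" % hour)
        if reasons:
            flagged.append((ev["user"], ev["ts"], reasons))
    return flagged
```

The hour comparison does not wrap around midnight and the baseline is a single week; a production version compares hours on a circular scale and baselines over a longer window before alerting.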
Alison Gianotto (aka “snipe”)
THANK YOU!
• @snipeyhead on Twitter
• [email protected]