Alison Gianotto @snipeyhead
Oct 21, 2014
Alison Gianotto (aka “snipe”)
WHO AM I?
• Former agency CTO/CSO
• Security & privacy advocate
• 20 years in IT and software development
• Co-author of a few PHP/MySQL books
• Survivor of more corporate audits than I care to remember
• @snipeyhead on Twitter
Lonestar PHP - April 2014 - #lsp14
WHAT SECURITY ISN’T
1. Bolted on. You don’t add it on at the end.
2. Compliance. You can be compliant and not secure. Just ask Target.
3. A single person. Security is everyone’s responsibility.
4. Outsourced. Throwing money at this problem won’t work.
WHAT SECURITY ISN’T
5. An appliance. Firewalls and IDS are part of the solution, but not the end.
6. A silver bullet. There is no one thing. Defence in depth matters. Sort of.
7. Straightforward. Sometimes implementing security tools increases your attack surface.
8. Done. Security is where you start, not where you finish.
WHAT RISK ISN’T
1. Stifling. Managing risk doesn’t have to hinder innovation.
2. Boring. Our job is finding creative solutions to problems. This is one more tool.
3. Avoidable. Risk isn’t inherently bad. Not understanding your risk is.
4. One size. Acceptable risk to your company may not be the same as someone else’s.
IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK.
Srsly.
DEFENSE IN DEPTH PROMISES
• Mitigates single points of failure. (“Bus factor”)
• Requires more effort on the part of the attacker, theoretically exhausting attacker resources.
Except...
DEFENSE IN DEPTH PROBLEMS
• Larger, more complicated systems are harder to maintain.
• Leads to more cracks for bad guys to poke at.
• More surfaces that can be overlooked.
• The bad guys have nearly limitless resources. We don’t.
• Attacks are commoditized now. Botnets for $2/hour.
CIA: Confidentiality, Integrity & Availability
CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION
CONFIDENTIALITY EXAMPLES
• Passwords. (boo!)
• Data encryption (at rest and in transmission.)
• Two-factor authentication/biometrics. (Yay!)
• Corporate VPN
• IP whitelisting
• SSH keys
CONFIDENTIALITY RISKS
• No brute-force detection
• No vetting of how third-party vendors use/store customer data
• Information leakage from login messages (timing attacks, etc.)
• SQL injection
• Privilege escalation leading to admin access
• Passwords shared across websites
• Improper disposal/destruction of personal data
• Lost/stolen devices
INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
INTEGRITY RISKS
• Data loss due to hardware failure (server crash!)
• Software bug that unintentionally deletes/modifies data
• Data alteration via authorized persons (human error)
• Data alteration via unauthorized persons (hackers)
• No backups, or no way to verify the integrity of the backups you have
• Third-party vendor with inadequate security
AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
AVAILABILITY RISKS
• DDoS attacks
• Third-party service failures
• Hardware failures
• Software bugs
• Untested software patches
• Natural disasters
• Man-made disasters
THINK YOU’RE TOO SMALL TO BOTHER WITH?
Think again.
WHY HACK?
• To steal/sell identities, credit card numbers, corporate secrets, military secrets
• Fun, excitement and/or notoriety
• Political (“hacktivism”)
• Revenge
• Blackhat SEO
• Extortion/ransomware
COMMON ATTACKS
• Reflected XSS
• Persistent XSS
• CSRF
• SQL injection
• Remote file inclusion
• Local file inclusion/directory traversal
• Hosting malware
• Defacement for SEO (pharma, etc.)
• Privilege escalation
WHY MEEEEEEEEEEEE??
• Users re-use passwords across websites
• Watering hole attack
• Low-hanging fruit
• Assumed fewer defenses
• To gain more information on users to execute spear-phishing attacks
• Because you are vulnerable. Period.
IN 2013, 61% OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
ATTACK CHAIN (diagram on the slide): 1. Reflected XSS → 2. Social engineering → 3. XSS session hijack → 4. Pwned
77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.
THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012. (+700%)
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
OCT 2013: ADOBE EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE CODE. IMPACTED: 152 MILLION USERS
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
DEC 2013: TARGET EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS. IMPACTED: 110 MILLION USERS
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
BREACH GROWTH: DATA STOLEN (chart on the slide)
• credit card info
• birth dates
• government ID numbers
• home addresses
• medical records
• phone numbers
• financial information
• email addresses
• logins
• passwords
IDENTITIES STOLEN BY YEAR (IN MILLIONS)
2011: 232
2013: 552
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
ATTACKS PER DAY
2011: 190,000
2012: 464,000
2013: 570,000
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
APPSEC STRATEGY
PICK TWO
(Diagram on the slide: every option is labelled “COMPLETELY BONED”.)
CREATING A RISK MATRIX
• Type
• Third-party
• Dataflow diagram ID
• Description
• Triggering action
• Consequence of service failure
• Risk of failure
• User impact
• Method used for monitoring this risk
• Efforts to mitigate in case of failure
• Contact info
Grab a starter template here! http://snipe.ly/risk_matrix
29 THINGS YOU CAN START DOING TODAY.
Dooo eeeeeet.
1. Start every project risk-first.
2. Start using a risk matrix for every major project or product.
3. Build a clear inventory of surface areas and their value. Get stakeholders involved.
4. Make sure you understand what happens when third-party services fail or behave unexpectedly.
5. Trust your gut. If something doesn’t look right, it probably isn’t.
6. Keep your systems as simple as possible. Document them.
7. Favor self-documenting systems so that code, systems and docs don't fall out of sync.
8. Increased transparency reduces risk across departments. Consider devops.
9. Don't abstract code/systems if you don’t have to. Premature optimization is the devil. Build light and refactor as needed.
10. Get to know your users’ behavior. Use tools like Google Analytics and heat-mapping to understand what users do on your site. Be suspicious if it changes for no apparent reason.
11. Automate EVERYTHING (Chef, Vagrant, Ansible, Salt, Fabric, etc.)
12. Log (almost!) EVERYTHING. Know where your logs are. Use a central logging server if at all possible.
13. Always employ the principle of “least privilege.”
14. Give preference to vendors that integrate with your AD/OD/LDAP.
15. Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)
16. Create a Business Continuity Plan.
17. Create an Incident Response Plan. Test it.
18. Create a Disaster Recovery Plan. TEST IT. (Seriously.)
19. Get your team to participate in at least one CTF every year.
20. Strip specific messaging from login forms. One generic failure message, whether the username is unknown, the password is wrong, or the account is locked.
21. Use a slow, salted password hash like bcrypt. Never a plain MD5/SHA of the password.
22. Implement brute-force prevention for all login systems.
23. Encrypt everything, where feasible.
24. Only collect the data that you absolutely need.
25. Implement two-factor authentication. It’s easier than you think.
26. Suppress debugging and server information (PHP versions, Apache versions).
27. Leverage framework CSRF protection and data sanitization/validation.
28. Perform regular penetration tests and vulnerability assessments.
29. Become a passionate security ambassador for your users and co-workers.
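Items 20, 21 and 22 above, together with the login-message timing leak listed under confidentiality risks, carried through as an added PHP example. This is not code from the talk or from the speaker; the in-memory user store, the attempt counter and the five-failures/15-minute lockout policy are assumptions chosen for illustration, and it needs PHP 7.0 or later for random_bytes() and strict_types.

```php
<?php
// Added example for this page, not the speaker's code: one login routine that
// applies items 20, 21 and 22 together and closes the login-message timing leak
// listed under confidentiality risks. The user store and the attempt counter are
// plain arrays here; a real application would back them with a database or cache.
declare(strict_types=1);

const MAX_ATTEMPTS    = 5;    // assumed policy: five failures ...
const LOCKOUT_SECONDS = 900;  // ... lock the account for 15 minutes
const GENERIC_FAILURE = 'Invalid username or password.'; // item 20: one message for every failure

// Constructed user store: username => bcrypt hash (item 21; password_hash() salts for you).
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT),
];

// Hash of a throwaway secret, so a request for an unknown username still costs
// one full bcrypt verification and cannot be told apart by response time.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);

// username => ['count' => failures since last success, 'lockedUntil' => unix time]
$attempts = [];

function login(string $username, string $password, array $users, array &$attempts, string $dummyHash, int $now): array
{
    $state = $attempts[$username] ?? ['count' => 0, 'lockedUntil' => 0];

    // Always run the bcrypt check, even for unknown or locked accounts, so the
    // response time does not reveal which case applies.
    $hash  = $users[$username] ?? $dummyHash;
    $valid = password_verify($password, $hash) && isset($users[$username]);

    // Item 22: while locked, refuse even a correct password, with the same message.
    if ($state['lockedUntil'] > $now) {
        return ['ok' => false, 'message' => GENERIC_FAILURE];
    }

    if ($valid) {
        unset($attempts[$username]); // success resets the counter
        return ['ok' => true, 'message' => 'Welcome'];
    }

    $state['count']++;
    if ($state['count'] >= MAX_ATTEMPTS) {
        $state['lockedUntil'] = $now + LOCKOUT_SECONDS;
        $state['count']       = 0;
    }
    $attempts[$username] = $state;
    return ['ok' => false, 'message' => GENERIC_FAILURE];
}

// Usage: five bad passwords lock 'alice'; a correct password is refused until the
// lockout expires; an unknown user gets exactly the same text as a bad password.
$now = time();
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    login('alice', 'wrong', $users, $attempts, $dummyHash, $now);
}
var_dump(login('alice', 'correct horse battery staple', $users, $attempts, $dummyHash, $now)['ok']);
var_dump(login('alice', 'correct horse battery staple', $users, $attempts, $dummyHash, $now + LOCKOUT_SECONDS + 1)['ok']);
var_dump(login('nobody', 'anything', $users, $attempts, $dummyHash, $now)['message'] === GENERIC_FAILURE);
```

The lockout check deliberately comes after the bcrypt verification rather than before it: short-circuiting on a locked account would make locked accounts answer measurably faster than live ones, which is the kind of login-message leak the confidentiality slide warns about. A per-username counter like this one is enough to stop online guessing against a single account; counting by source IP as well covers the case where an attacker sprays one common password across many usernames.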
CAPTURE ALL THE FLAGS!
• NotSoSecure CTF: http://cx.notsosecure.com
• Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
• http://hax.tor.hu/
• https://pwn0.com/
• http://www.smashthestack.org/
• http://www.hellboundhackers.org/
• http://www.overthewire.org/wargames/
• http://counterhack.net/Counter_Hack/Challenges.html
• http://www.hackthissite.org/
• http://exploit-exercises.com/
• http://vulnhub.com/
Alison Gianotto (aka “snipe”)
THANK YOU!
• @snipeyhead on Twitter
• [email protected]