LonestarPHP 2014 Security Keynote

Alison Gianotto @snipeyhead

Alison Gianotto (aka “snipe”) WHO AM I? • Former agency CTO/CSO • Security & privacy advocate • 20 years in IT and so<ware development • Co-‐author of a few PHP/MySQL books • Survivor of more corporate audits than I care to remember • @snipeyhead on TwiJer

2 Lonestar PHP -‐ April 2014 -‐ #lsp14

WHAT SECURITY ISN’T 1 Bolted on

2 Compliance

3 A Single Person

4 Outsourced

3

You don’t add it on at the end.

You can be compliant and not secure. Just ask Target.

Security is everyone’s responsibility.

Throwing money at this problem won’t work.

Lonestar PHP -‐ April 2014 -‐ #lsp14

WHAT SECURITY ISN’T 5 An Appliance

6 Silver Bullet

7 Straightforward

4

Firewalls and IDS are part of the soluUon, but not the end.

There is no one thing. Defence in depth maJers. Sort of.

SomeUmes implemenUng security tools increases your aJack surface.


8 Done Security is where you start, not where you finish.

WHAT RISK ISN’T 1 Stifling

2 Boring

3 Avoidable

5

Managing risk doesn’t have to hinder innovaUon

Our job is finding creaUve soluUons to problems. This is one more tool.

Risk isn’t inherently bad. Not understanding your risk is.


4 One Size Acceptable risk to your company may not be the same as someone else’s.

IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK.


Srsly.

DEFENSE IN DEPTH PROMISES


• MiUgates single points of failure. (“Bus factor”) • Requires more effort on the part of the aJacker, theoreUcally exhausUng aJacker resources.

Except...

DEFENSE IN DEPTH PROBLEMS


• Larger, more complicated systems are harder to maintain. • Leads to more cracks for bad guys to poke at • More surfaces that can get be overlooked • The bad guys have nearly limitless resources. We don’t. • AJacks are commodiUzed now. Botnets for $2/hour.

CIA Confidentiality, Integrity & Availability

CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION


CONFIDENTIALITY EXAMPLES


• Passwords. (boo!) • Data encrypUon (at rest and in transmission.) • Two-‐factor authenUcaUon/biometrics. (Yay!)

• Corporate VPN •  IP WhitelisUng • SSH keys

CONFIDENTIALITY RISKS


• No brute-‐force detecUon • No velng of how third-‐party vendors use/store customer data •  InformaUon leakage from login messages (Uming aJacks, etc.) • SQL injecUon • Privilege escalaUon leading

to admin access • Passwords shared across websites •  Improper disposal/destrucUon of personal

data • Lost/stolen devices

INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.


INTEGRITY RISKS


• Data loss due to hardware failure (server crash!) • So<ware bug that unintenUonally deletes/modifies data • Data alteraUon via authorized persons (human error)

• Data alteraUon via unauthorized persons (hackers) • No backups or no way to verify the integrity of the backups you have • Third-‐party vendor with inadequate security

AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.


AVAILABILITY RISKS


• DDoS aJacks • Third-‐party service failures • Hardware failures • So<ware bugs • Untested so<ware patches • Natural disasters • Man-‐made disasters

THINK YOU’RE TOO SMALL TO BOTHER WITH?


Think again.

WHY HACK?


• To steal/sell idenUUes, credit card numbers, corporate secrets, military secrets • Fun, Excitement and/or Notoriety • PoliUcal (“HackUvism”)

• Revenge • Blackhat SEO • ExtorUon/Ransomware

COMMON ATTACKS


• Reflected XSS • Persistent XSS • CSRF • SQL InjecUon • Remote file inclusion • Local file inclusion/directory traversal

• HosUng malware • Defacement for SEO (pharma, etc) • Privilege escalaUon

WHY MEEEEEEEEEEEE??


• Users re-‐use passwords across websites • Watering hole aJack • Low-‐hanging fruit • Assumed fewer defenses • To gain more informaUon on

users to execute spear-‐phishing aJacks • Because you are vulnerable. Period.

IN 2013, 61% OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012.


Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014

1 2 4 3

REFLECTED XSS

SOCIAL ENGINEERING

XSS SESSION HIJACK

PWNED


77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.



MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.


THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012.



+700%

OCT 2013: ADOBE EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE IMPACTED: 152 MILLION USERS



DEC 2013: TARGET EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS IMPACTED: 110 MILLION USERS



BREACH Growth •  credit card info •  birth dates •  government ID numbers •  home addresses • medical records •  phone numbers •  financial informa9on •  email addresses •  login •  passwords

Data Stolen


232

552

0 100 200 300 400 500 600

2011

2013

Iden99es Stolen by Year (in Millions)


190,000

464,000 570,000

2011 2012 2013

ATTACKS

29


Per Day


APPSEC STRATEGY

PICK TWO

30

COMPLETELY BONED COMPLETELY BONED

COMPLETELY BONED


CREATING A RISK MATRIX


• Type • Third-‐Party • Dataflow diagram ID • DescripUon • Triggering AcUon • Consequence of Service Failure • Risk of Failure • User Impact

• Method used for monitoring this risk • Efforts to MiUgate in Case of Failure • Contact info

Grab a starter template here! hJp://snipe.ly/risk_matrix

29 THINGS YOU CAN START DOING TODAY.


Dooo eeeeeet.


1.  Start every project risk-‐first. 2.  Start using a risk matrix for every major project or

product. 3.  Build a clear inventory of surface areas and their value.

Get stakeholders involved. 4.  Make sure you understand what happens when third-‐

party services fail or behave unexpectedly.

29 THINGS TO DO TODAY


5.  Trust your gut. If something doesn’t look right, it probably isn’t.

6.  Keep your systems as simple as possible. Document them. 7.  Favor self-‐documenUng systems so that code, systems and

docs don't fall out of sync. 8.  Increased transparency reduces risk across departments.

Consider devops.



9.  Don't abstract code/systems if you don’t have to. Premature opUmizaUon is the devil. Build light and refactor as needed.

10.  Get to know your users’ behavior. Use tools like Google AnalyUcs and heat-‐mapping to understand what users do on your site. Be suspicious if it changes for no apparent reason.



11.  Automate EVERYTHING (Chef, Vagrant, Ansible, Salt, Fabric, etc.)

12.  Log (almost!) EVERYTHING. Know where your logs are. Use a central logging server if at all possible.

13.  Always employ the principles of “least privilege.” 14.  Give preference to vendors that integrate with your AD/

OD/LDAP.



15.  Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)

16.  Create a Business ConUnuity Plan. 17.  Create an Incident Response Plan. Test it. 18.  Create a Disaster Recovery Plan. TEST IT. (Seriously.) 19.  Get your team to parUcipate in at least one CTF every

year.




20.  Strip specific messaging from login forms. 21.  Use solid password+salUng like bcrypt. 22.  Implement brute-‐force prevenUon for all login systems. 23.  Encrypt everything, where feasible. 24.  Only collect the data that you absolutely need. 25.  Implement two-‐factor authenUcaUon. It’s easier than you

think.



26.  Supress debugging and server informaUon (PHP versions, Apache versions)

27.  Leverage framework CSRF protecUon and data saniUzaUon/validaUon.

28.  Perform regular penetraUon tests and vulnerability assessments

29.  Become a passionate security ambassador for your users and co-‐workers.

CAPTURE ALL THE FLAGS!


•  NotSoSecure CTF: hJp://cx.notsosecure.com •  Security Shepherd: hJps://www.owasp.org/index.php/

OWASP_Security_Shepherd •  hJp://hax.tor.hu/ •  hJps://pwn0.com/ •  hJp://www.smashthestack.org/ •  hJp://www.hellboundhackers.org/ •  hJp://www.overthewire.org/wargames/ •  hJp://counterhack.net/Counter_Hack/Challenges.html •  hJp://www.hackthissite.org/ •  hJp://exploit-‐exercises.com/ •  hJp://vulnhub.com/

Alison Gianotto (aka “snipe”) THANK YOU! • @snipeyhead on TwiJer • [email protected]


LonestarPHP 2014 Security Keynote

Technology

debitcredit

alison gianotto

aka snipe

data alterauon

bad guys

lonestar php

org hjp

hjp