Security, best practices by OVH
TRANSCRIPT
![Page 1: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/1.jpg)
7 February 2017 - Lille
![Page 2: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/2.jpg)
Best Practices to protect your business against hackers
Vincent Malguy, Pentester
![Page 3: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/3.jpg)
Why? Are hackers interested in your infrastructure and information system?
![Page 4: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/4.jpg)
Malware: The Story so Far
• FORM, 1990
  • Floppy boot sector
  • Clicking noise when using the keyboard on the 18th
• CHERNOBYL, 1998
  • Explodes on April 26th
  • Erases BIOS
  • Erases hard drives
  • 1 billion $ loss
• ILOVEYOU, 2000
  • By e-mail (using Outlook)
  • By IRC (using mIRC)
  • Overwrites JPG, HTM...
• BLASTER, 2003
  • WinXP vulnerability
  • Reboot after 60 sec
  • Scans the Internet madly to propagate
![Page 9: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/9.jpg)
Malware: Something Has Changed
YESTERDAY
• Viruses for fun:
  • Replicate and propagate
  • Destroy your files
  • Destroy your hardware
  • Let you know you're infected
  • Don't make any money
TODAY
• Malware as a profit:
  • Replicate and propagate
  • Encrypt your files
  • Use your hardware
  • Stay stealthy and hidden
  • Makes sh*tloads of cash!
![Page 10: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/10.jpg)
RANS0MWARE
![Page 11: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/11.jpg)
Why It's Profitable
• Remote takeover of servers and desktops
  • Computing power (mining BTC)
  • Impunity (phishing/malware hosting, ...)
  • Network strike force (DoS)
  • Botnets (card fraud, DDoS as a Service, cloud spam as a Service, ...)
![Page 12: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/12.jpg)
Why It's Profitable
• Theft and exploitation of your data
  • Account hijacking (social networks, e-mail accounts, ...)
  • Selling e-mail addresses to spammers
  • Competitors reaching out to your customers
  • Brand reputation, exposure to bad buzz
  • Industrial secrets made public or resold to competitors
![Page 13: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/13.jpg)
HOW TO MITIGATE: let's be pragmatic…
![Page 14: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/14.jpg)
Security Key Concepts
• The most important thing is to fix the weakest link, wherever it is:
  • Access to management interfaces (customer account)
  • Infrastructure (servers and network)
  • Operating System
  • Applications
• Security is a process, not a project
• The question is not "am I vulnerable?*", but rather "how do I mitigate the risks?"
* Hint: the answer is "yes"
![Page 15: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/15.jpg)
Agenda
• Customer account
• Infrastructure
• Operating System
• Applications
![Page 16: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/16.jpg)
Your OVH Customer Account
• Entry point to your infrastructure management
• Password
  • Unique: this way, database leaks don't propagate to your other accounts
    • haveibeenpwned.com: 2,055,538,028 pwned accounts
  • Complex, but one that you can remember
![Page 17: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/17.jpg)
Password Complexity

| Password | Memorizing difficulty | Complexity (search space) | Time to crack |
|---|---|---|---|
| `123456` | Ultra easy | ~1 | zero |
| `p4ssw0rd` | Ultra easy | ~10000 | ~seconds |
| `P4ssw0rd1%` | Easy | ~1000000 | ~minutes |
| `yCwrQT8Jvi` | Hard | 839299365868340224 | ~1 year |
| `LzS~2Y8g[h6w{Mz` | Very hard | 4579937329576774398276408998492161 | infinity |
| `pourquoiPasCeMotDePaaS` | Easy | 56503267085670146216220839069303701504 | infinity |
| `PimousseADesVibrissettes` | Easy | 152784834199652075368661148843397208866816 | infinity |
![Page 18: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/18.jpg)
Your OVH Customer Account
• Entry point to your infrastructure management
• Password
  • Unique
  • Complex, but one that you can remember
  • Personal password manager (KeePass, ...)
    • Works under Windows, Linux, macOS, iOS, Android
    • You can drop your encrypted database on your favorite file sharing service (the database is then protected only by its master password and optional key file, so make the master password strong and keep the key file off the sharing service)
![Page 19: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/19.jpg)
KeePass Overview
![Page 20: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/20.jpg)
Your OVH Customer Account
• Entry point to your infrastructure management
• Password: unique, complex but memorable, personal password manager (KeePass, ...)
• Two-factor authentication
  • What I know (password)
  • What I have (smartphone, USB key, ...)
  • What I am (fingerprint scanner, retinal scanner, ...)
![Page 21: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/21.jpg)
TWO-FACTOR AUTH Configuration
• OTP by APP
• OTP by SMS
• Static OTP
![Page 22: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/22.jpg)
Your OVH Customer Account
• Entry point to your infrastructure management
• Password: unique, complex but memorable, personal password manager (KeePass, ...)
• Two-factor authentication
• Restrict access by IP if you can
![Page 23: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/23.jpg)
Restrict Access by IP addresses
![Page 24: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/24.jpg)
Your [Own application] Account
• Password
  • www.cnil.fr/fr/les-conseils-de-la-cnil-pour-un-bon-mot-de-passe
  • www.ssi.gouv.fr/guide/mot-de-passe/
• Two-factor authentication
  • Use the OVH SMS gateway (github.com/ovh/php-ovh-sms)
  • Tutorial on www.twilio.com
  • SaaS with authy.com/developers/
![Page 25: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/25.jpg)
Infrastructure
![Page 26: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/26.jpg)
Security at the core of the design
• Use private networks (vRack): VLAN WEB / VLAN APP / VLAN DB
• Allow mandatory traffic only ... and don't forget IPv6!
  • HTTP/HTTPS into VLAN WEB
  • Application port between VLAN WEB and VLAN APP
  • SQL port between VLAN APP and VLAN DB
• Filter admin access: SSH/RDP from VPN access (Beta) only
• High Availability: Roubaix / Strasbourg, IP Failover
• OVH IPLB protection (March)
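Writing the three-tier policy down as data makes it reviewable and lets you generate the host firewall from it, which is also where the IPv6 reminder bites: a ruleset in the `ip` family filters IPv4 only and leaves the IPv6 address of the same host wide open, whereas the `inet` family applies each rule to both. The generator below is an added example for this page, not OVH's tooling; the VLAN subnets, the VPN range and the application/SQL port numbers (8080, 3306) are assumptions chosen for the example.

```python
# Tiers and their IPv4 / IPv6 subnets (assumed values; VPN range is hypothetical).
TIERS = {
    "internet": ("0.0.0.0/0", "::/0"),
    "vpn":      ("10.99.0.0/24", "fd00:99::/64"),
    "web":      ("10.0.1.0/24", "fd00:1::/64"),
    "app":      ("10.0.2.0/24", "fd00:2::/64"),
    "db":       ("10.0.3.0/24", "fd00:3::/64"),
}

# The only flows the design allows: (source tier, destination tier, proto, ports).
# Port numbers 8080 (application) and 3306 (SQL) are assumptions.
ALLOWED_FLOWS = [
    ("internet", "web", "tcp", (80, 443)),
    ("web",      "app", "tcp", (8080,)),
    ("app",      "db",  "tcp", (3306,)),
    ("vpn",      "web", "tcp", (22, 3389)),   # admin SSH/RDP from the VPN only
    ("vpn",      "app", "tcp", (22, 3389)),
    ("vpn",      "db",  "tcp", (22, 3389)),
]


def is_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """Policy check for a proposed flow, e.g. during a change review."""
    return any(s == src and d == dst and p == proto and port in ports
               for s, d, p, ports in ALLOWED_FLOWS)


def nft_ruleset(tier: str) -> str:
    """nftables input ruleset for one host of `tier`, default-drop.
    `table inet` means every rule covers IPv4 and IPv6 at once."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        '    iifname "lo" accept',
        "    meta l4proto { icmp, ipv6-icmp } accept",
    ]
    for src, dst, proto, ports in ALLOWED_FLOWS:
        if dst != tier:
            continue
        portset = "{ " + ", ".join(str(p) for p in ports) + " }"
        if src == "internet":
            lines.append(f"    {proto} dport {portset} accept")
        else:
            v4, v6 = TIERS[src]
            lines.append(f"    ip saddr {v4} {proto} dport {portset} accept")
            lines.append(f"    ip6 saddr {v6} {proto} dport {portset} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def ipv6_gap(ruleset: str) -> bool:
    """True when a ruleset filters IPv4 only: `table ip` with no inet/ip6 table,
    the classic way IPv6 gets forgotten."""
    return ("table ip " in ruleset and "table inet" not in ruleset
            and "table ip6" not in ruleset)


if __name__ == "__main__":
    print(nft_ruleset("db"))
    print(is_allowed("internet", "db", "tcp", 3306))   # False: DB never faces the Internet
```

Load the output with `nft -f` on each host of the tier; because `ip saddr` and `ip6 saddr` rules are emitted in pairs inside an `inet` table, the DB tier accepts SQL only from the APP subnets on either protocol and drops everything else, including an IPv6 connection from the Internet that an IPv4-only ruleset would have let through.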
![Page 34: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/34.jpg)
Operating System
![Page 35: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/35.jpg)
Operating System
• Stable OS, still supported (LTS)
• Stable OS, up to date (turn on auto update)
• Reduce the attack surface
  • Install only needed services/daemons (check what is actually listening with netstat!)
  • Change the default port of system administration services (ssh, rdp…)
  • Configure port knocking and/or Fail2Ban
  • Enforce password complexity
  • Enforce the use of certificates/keys instead of passwords for admin access
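Fail2Ban works by tailing the authentication log, counting failures per source address inside a sliding window and inserting a temporary firewall ban once a threshold is crossed (its `maxretry`, `findtime` and `bantime` settings). The code below reimplements that logic over a handful of sshd lines so the mechanism is visible; it is an added example for this page, not Fail2Ban's code or OVH's. The log lines are constructed for the example, the year 2017 is assumed because syslog timestamps omit it, and the nftables set name `banned` is hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format (not captured from a real host).
SAMPLE_AUTH_LOG = """\
Feb  7 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb  7 10:00:03 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Feb  7 10:00:04 web1 sshd[1205]: Failed password for root from 203.0.113.5 port 51236 ssh2
Feb  7 10:00:06 web1 sshd[1207]: Failed password for root from 203.0.113.5 port 51237 ssh2
Feb  7 10:00:07 web1 sshd[1209]: Failed password for root from 203.0.113.5 port 51238 ssh2
Feb  7 10:00:09 web1 sshd[1211]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Feb  7 10:05:00 web1 sshd[1220]: Failed password for root from 198.51.100.9 port 40001 ssh2
Feb  7 10:25:00 web1 sshd[1230]: Failed password for root from 198.51.100.9 port 40002 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_ts(stamp: str, year: int = 2017) -> datetime:
    """syslog timestamps carry no year; 2017 is assumed for the sample."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bans(log: str, maxretry: int = 5, findtime_s: int = 600) -> dict:
    """Ban an IP once it produces `maxretry` failures within any `findtime_s`
    window (Fail2Ban semantics). Returns {ip: time of the ban decision}."""
    recent = defaultdict(deque)   # per-IP timestamps of failures still in the window
    bans = {}
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                      # successful logins and other noise are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in bans:
            continue                      # already banned, nothing more to count
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime_s:
            q.popleft()                   # slide the window forward
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans


def ban_command(ip: str, bantime_s: int = 3600) -> str:
    """The action a ban triggers: add the address to an nftables set with a
    timeout so the ban expires by itself (set `banned` is hypothetical)."""
    return f"nft add element inet filter banned {{ {ip} timeout {bantime_s}s }}"


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(when.isoformat(), ban_command(ip))
```

With these thresholds, 203.0.113.5 is banned on its fifth failure within eight seconds, while 198.51.100.9 (two failures twenty minutes apart) is not, which is the intended trade-off: brute force is stopped quickly and a mistyped password does not lock an administrator out. The target set needs `flags timeout` when it is declared (`set banned { type ipv4_addr; flags timeout; }`) and a matching `ip saddr @banned drop` rule early in the input chain.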
![Page 36: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/36.jpg)
Operating System
• Stable OS, still supported (LTS) and up to date
• Reduce the attack surface
• Build a real backup policy
  • Security-wise, protect your backups even more than your production data: openssl aes-256-cbc -salt -pbkdf2 -in archive.zip -out archive.zip.aes (decrypt with the same command plus -d; -pbkdf2 needs OpenSSL 1.1.1 or later, and without it the key is derived from the passphrase with a single MD5 iteration; AES-CBC gives no integrity protection, so keep a separate checksum or signature of the encrypted archive)
  • A RAID1 array is not a backup
  • An untested backup is not a backup
  • A local backup is not a backup
![Page 37: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/37.jpg)
https://about.gitlab.com/2017/02/01/gitlab-dot-com-database-incident/
![Page 38: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/38.jpg)
Public Cloud Archive
• 100% durability
• Server-side configurable actions
• Easy integration: sftp, scp, rsync, https
• SVFS https://github.com/ovh/svfs
![Page 39: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/39.jpg)
Applications
![Page 40: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/40.jpg)
Application
• Reduce the attack surface
• Change passwords of default accounts (SA)
• Use TLS and test it on ssllabs.com/ssltest/
  • OVH IPLB: one-click free certificate and A+ rating
• Leak the least information possible (Apache, PHP, SQL...)
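The information worth not leaking is mostly version strings: a `Server` or `X-Powered-By` header naming Apache 2.4.10 and PHP 5.6.30 tells an attacker exactly which CVEs to try. The checker below parses raw HTTP response heads and lists every product/version pair found in the headers that commonly carry them; it is an added example for this page, not OVH's code, and both responses are constructed for the example rather than captured from any real server.

```python
import re

# Constructed response head of a server with default settings (not a real capture).
RESPONSE_VERBOSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.10 (Debian) OpenSSL/1.0.1t PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8
"""

# Constructed response head after hardening (ServerTokens Prod, expose_php=Off).
RESPONSE_HARDENED = """\
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
"""

# product/version tokens such as "OpenSSL/1.0.1t" or "PHP/5.6.30"
VERSION = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+[a-z]?)")

# headers that routinely carry software versions
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def parse_headers(raw: str) -> dict:
    """Header name (lower-cased) -> value, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def leaked_versions(raw: str) -> list:
    """(header, product, version) triples an attacker can map to known CVEs."""
    found = []
    for name, value in parse_headers(raw).items():
        if name in LEAKY_HEADERS:
            for product, version in VERSION.findall(value):
                found.append((name, product, version))
    return found


def has_hsts(raw: str) -> bool:
    """TLS is only as good as its enforcement: check for Strict-Transport-Security."""
    return "strict-transport-security" in parse_headers(raw)


if __name__ == "__main__":
    for label, raw in (("verbose", RESPONSE_VERBOSE), ("hardened", RESPONSE_HARDENED)):
        print(label, leaked_versions(raw), "HSTS:", has_hsts(raw))
```

The corresponding fixes on the server side are `ServerTokens Prod` and `ServerSignature Off` in the Apache configuration and `expose_php = Off` in php.ini; run the check again afterwards, because a reverse proxy or an application framework can re-introduce its own `X-Powered-By` header.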
![Page 42: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/42.jpg)
Application
• Principle of least privilege
  • 1 account per person
  • 1 account per app
  • 1 admin account only
• Use LXC / Docker where possible
  • Base system with almost nothing on it (CoreOS)
  • One container per app
  • No root inside containers!
![Page 43: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/43.jpg)
Application
• Use and abuse PaaS: PaaS Logs, PaaS Metrics, PaaS Database
• Use and abuse SaaS: DNS(SEC), Mail, Cloud Desktop
![Page 44: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/44.jpg)
Applications
• CMS webapps
  • Used a lot, hacked a lot
  • It's mandatory to stay strictly up to date
• CMS plugins
  • Don't install seldom-used plugins
  • An apparently nice feature always comes at a cost
• Libraries and programs on GitHub
  • Still supported?
  • Has it been audited?
  • Security vulnerabilities and fixes history?
  • Check on secunia.com
![Page 45: Sécurité, les Best practices par OVH](https://reader030.vdocuments.mx/reader030/viewer/2022020717/58f2d7da1a28ab42218b4587/html5/thumbnails/45.jpg)
Thank you & be safe