Security Theatre - Benelux


Post on 20-Jan-2017


TRANSCRIPT

  • Booking.com: WE ARE HIRING

    Work @ Booking: http://grnh.se/seomt7

  • Security Theatre (@thomas_shone)

    Image by Matt McGee released under CC BY-ND 2.0

    https://joind.in/talk/7c669

    https://www.flickr.com/photos/pleeker/233507935/in/photolist-mCMLT-a4Ds2o-m6C8zw-rRU4uV-s8Vmzs-repH4x-rebYiC-rebUzq-rTBPaf-s8TURL-rTMtg6-sb6a33-s8Wj8w-sbe3Ge-rTDWss-reqvne-sbaBaV-redre9-repZHe-rTDpFh-rRTeop-s8Vn9d-sb3Liu-rTC5mN-ofLKcC-a3ydQW-a4DoFj-a4DGUj-a4DkN1-9iUAyS-rTCBmJ-a4Dyvs-ree8Ku-sb5Au7-sbe3gV-repKp4-rec97L-rTAV6J-6zkyeZ-sbcaCT-s8UiSq-sb9872-sbbW1c-sb3gny-sbbxek-rTAGG5-rRTxg8-rTC6GS-rec3Gh-rTJGRi

    https://creativecommons.org/licenses/by-nd/2.0/

  • Illusion

  • Denial

  • I know about OWASP!

  • "If you are hacked via OWASP Top 10, you're not allowed to call it advanced or sophisticated"

    @thegrugq

    Reference: https://twitter.com/thegrugq/status/658991205816995840

  • But I use antivirus!

  • Crypting services make most antivirus techniques useless

    Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/

  • Let us put an unsecured node.js server on your personal computer

    TrendMicro Antivirus on Windows, Jan 2016

    https://code.google.com/p/google-security-research/issues/detail?id=693

  • Remote code execution via your mail client downloading an email

    Sophos Antivirus, June 2015

    https://lock.cmpxchg8b.com/sophailv2.pdf

  • We're all bad at security

  • Users are bad at security

    Weak passwords

    Password reset questions

    Human verification sucks

    Clickbait and phishing

    Attachments

    URL mistype

    Routine and workarounds

    Convenience trumps security

  • Developers are bad at security

    Reference: https://github.com/

  • Hackers are bad at security

  • A study in scarlet

  • 43 applications, libraries or frameworks; over 4,800 versions; over 10 million files

  • 255,000 scans: about 6k/month from June 2012 till now

  • Results (July 2015)

  • Most popular software: it's not what you think

  • How bad is it?

  • Why is it so bad?

  • I have seen things: Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn

  • Versioning Hell: 1.3-final-beta6-pre-patch3

  • OpenX: backdoored for almost a year

  • Lessons Learnt

  • Versioning: projects with bad versioning also have some of the worst security issues

  • Automatic Patching: if your software comes with automatic upgrading, people will use it

  • Plugins and Templates: if an update needs manual changes for plugins or templates, no one updates

  • Patch Fatigue Exists

    Image by Aaron Jacobs released under CC BY-SA 2.0

    https://www.flickr.com/photos/aaronjacobs/

    https://creativecommons.org/licenses/by-sa/2.0/

  • Anger

    Image by Josh Janssen released under CC BY-ND 2.0

    https://www.flickr.com/photos/mediaflex/

    https://creativecommons.org/licenses/by-nd/2.0/

  • Why doesn't someone do something about it?

  • Private industry keeps threatening security researchers

  • "How many Fortune 500 companies are hacked right now? Answer: 500."

    Mikko Hypponen, CRO of F-Secure

    Reference: https://twitter.com/mikko/status/184329161257652227

  • Why don't we have some form of standard?

  • We have ISO 27001/2, ISO 15408, RFC 2196, PCI DSS, NIST, …

    Reference: https://en.wikipedia.org/wiki/Cyber_security_standards

  • Why doesn't the government do something about it?

  • A Ukrainian power plant was hacked and shut down because someone had macros enabled in Excel

    Reference: https://t.co/PA7cDQC9EI

  • NSA: We're just upgrading your megaflops, promise.

    Reference: https://t.co/PA7cDQC9EI

    Image by Unknown released into the Public Domain

    https://commons.wikimedia.org/wiki/File:Trees_and_sunshine.JPG

    https://en.wikipedia.org/wiki/Public_domain

  • Bargaining

    Image by Jeroen Moes released under CC BY-SA 2.0

    https://www.flickr.com/photos/jeroenmoes/

    https://creativecommons.org/licenses/by-sa/2.0/

  • But what if we installed advanced IDSs, WAFs and specialised network hardware?

  • We probably only knew about one of the two backdoors in our system

    Juniper Networks, Dec 2015

    http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/

  • IDSs produce reports. Managers like reports: it helps them feel like they can "manage" security

    http://security.stackexchange.com/questions/12164/how-effective-is-an-ids-at-catching-targeted-attacks

  • We'll start following prescribed security standards

  • That's great for your insurance premiums

  • Depression

  • Ninety percent of everything is crap.

    Sturgeon's law

    Reference: https://en.wikipedia.org/wiki/Sturgeon%27s_law

  • Acceptance

    Image by Stephan Brunet released under CC BY-SA 3.0

    http://macphreak.com

    http://creativecommons.org/licenses/by-sa/3.0/

  • Effective?

  • Most of our security practices are ineffective

  • We do security in isolation

  • Holistic

  • Hardware

    Drivers

    Services

    Your Dependencies

    Operating System

    Your Software

    Humans

    Network / Internet

    Area of Influence

  • Hardware

    Drivers

    Services

    Your Dependencies

    Operating System

    Your Software

    Humans

    Network / Internet

    HR/Training

    System Administrators

    Downstream Providers

  • Layered

    Image by Cadw released under OGL via Commons

    http://cadw.wales.gov.uk/daysout/caerphilly-castle/?lang=en

    https://meta.wikimedia.org/wiki/Open_Government_Licence

  • Surface Area

    Image by Albert Bridge released under CC BY-SA 2.0

    http://www.geograph.ie/profile/5835

    http://creativecommons.org/licenses/by-sa/2.0/

  • Alertness

    Image by MeganCollins released under CC BY-NC-ND 3.0

    http://megancollins.deviantart.com/art/Yawning-Cat-311201579

    http://creativecommons.org/licenses/by-nc-nd/3.0/

  • Mitigation

    Image by Pivari.com released under CC BY-SA 3.0

    https://commons.wikimedia.org/wiki/User:Pivari

    http://creativecommons.org/licenses/by-sa/3.0/

  • Trust

  • Trust?

  • Be aware of what you're trusting

  • The hardest part of security is not writing secure code

  • It's understanding where you misplace your trust

  • Trust is a chain

  • I trust my computer is not compromised

    Up-to-date patches

    TRUST

  • I trust that the software is without vulnerability

    Vulnerability research and security updates

    TRUST

  • I trust that the software is configured properly

    Automated provisioning

    TRUST

  • I trust that the network is configured properly and secure

    Good system administrators

    TRUST

  • I trust you are who you say you are

    TLS Certificate Peer Verification or Authentication

    TRUST

  • I trust you are allowed to talk to me about this topic

    Authorization

    TRUST

  • I trust that what you send me hasn't been tampered with

    Hashes or signatures

    TRUST

  • I trust that what we talk about is just between us

    Public and private keys

    TRUST

  • I trust your computer is not compromised

    ????

    TRUST

  • I trust that what we talk about won't be shared with others

    Contracts, Legalities, Terms of use, ????

    TRUST

  • I trust that the user won't be the weak link

    Training and procedures

    TRUST

  • Turn your chain into a mesh

    Image by ineverfinishanyth released under CC BY-NC-SA 2.5

    http://www.instructables.com/member/ineverfinishanyth/

    http://creativecommons.org/licenses/by-nc-sa/2.5/

  • Common Mistakes

  • Weakening: compromising encryption or hashing is about reducing the time to crack

  • Implementation: a bad implementation helps reduce the time to crack

  • Authentication

  • 2 Factor Authentication: composer require pragmarx/google2fa

  • OAuth2: composer require leagu