Top 5 Myths of IT Security in the Light of Current Events Advisor for your information security. Version: 1.0 Author: S.Streichsbier Responsible: S.Streichsbier Date: 05.10.2011 Confidentiality: Public

Page 1:

Top 5 Myths of IT Security in the Light of Current Events

Advisor for your information security.

Version: 1.0
Author: S.Streichsbier
Responsible: S.Streichsbier
Date: 05.10.2011
Confidentiality: Public

Page 2:

Agenda

• Introduction

• Top 5 IT Security Myths

• Reality Check – Current Events

• Conclusion

© 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Page 3:

SEC Consult – Who we are

[Map with labels: Canada, Lithuania, Germany, Austria, Central and Eastern Europe, United States of America, Singapore; legend: SEC Consult Office, SEC Consult Headquarter, SEC Consult Clients]

• Since its foundation in 2002 SEC Consult has delivered more than 1000 IT security projects.

• Offices in Austria (HQ), Germany, Lithuania, Canada and Singapore (since 2011)

• 25+ Security Professionals

• Well established in Central and Eastern Europe

Page 4:

SEC Consult - Overview

• Team of highly skilled, internationally recognized security experts

• Regular speakers at international conferences

• Publish security advisories, whitepapers

• Awards (e.g. “PWNIE” Award 2009)

• Internal Vulnerability Lab

○ Responsible Disclosure Policy

• Holistic approach to cover all facets of information security

• Diverse experience in technical and organizational IT security

• Independent from vendors

• No off-the-shelf products

• Tailor-made solutions

• Confidentiality and data security are guaranteed

Page 5:

Agenda - Workshop Day I:

• Introduction

• Top 5 IT Security Myths

• Reality Check – Current Events

• Conclusion

Page 6:

Top 5 IT Security Myths

5 - Hackers=Geniuses

„Only a genius can break into my network“

Page 7:

Top 5 IT Security Myths – Hackers=Geniuses (1)

• The Myth: Hacking requires secret ninja skills

○ True 20 years ago

• Today, knowledge and tools are out there

○ Huge security community

○ Exploits and hacking tools released every day

○ Commercial exploit kits

○ Hacking can be learned (CEH, university, ...)

Page 8:

Top 5 IT Security Myths – Hackers=Geniuses (2)

Anybody can launch a tool!

Page 9:

Top 5 IT Security Myths – Hackers=Geniuses (3)

Hackers are:

• Hacking for fun / hacktivism

○ Anonymous / LulzSec

○ Kids looking for attention

• Hacking for profit

○ Huge underground economy

○ Exploit kits, phishing kits, etc.

○ Botnets

• Cyber warfare

○ Stuxnet (admittedly very advanced)

○ Shady RAT

○ Operation Aurora

Page 10:

Top 5 IT Security Myths

4 – Updates and AV

„Software Updates and Anti Virus are enough to keep a system safe“

Page 11:

Top 5 IT Security Myths – 4. Updates and AV

Myth: I am safe, my AV will protect me from trojans, viruses and worms.

• Facts

○ Timeliness (delay)

○ Completeness

○ Protection against known security issues only; vulnerabilities in proprietary applications are not covered

○ Important part of client security (the user still has to be responsible)

○ AV also has flaws

○ Detection rate / effectiveness heavily discussed

○ False positives: Chrome browser is a virus?
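Added example, not part of the SEC Consult deck: a toy signature scanner in Go that makes the "timeliness" and "completeness" points concrete. The signature database, the sample and the XOR packer are all constructed for this example (the name Demo.Dropper.A is hypothetical, not a real detection). A signature written from one captured sample misses the same sample once it is trivially re-encoded, a signature update for that variant only arrives after the vendor has seen it, and the next one-byte change to the packer key defeats the update again.

```go
package main

import (
	"bytes"
	"fmt"
)

// Signature is one entry of a toy pattern database: the literal bytes a scanner
// extracted from a sample it has already analysed.
type Signature struct {
	Name    string
	Pattern []byte
}

// Constructed for this example; this is not a real malware signature.
var database = []Signature{
	{"Demo.Dropper.A", []byte("cmd.exe /c powershell -enc")},
}

// Scan returns the name of the first matching signature, or "" if none matches.
func Scan(data []byte) string {
	for _, s := range database {
		if bytes.Contains(data, s.Pattern) {
			return s.Name
		}
	}
	return ""
}

// xorEncode is the simplest possible packer: every byte of payload is XORed
// with key and a decoder stub restores it at run time. Behaviour is unchanged;
// the bytes on disk are not.
func xorEncode(payload []byte, key byte) []byte {
	out := make([]byte, len(payload))
	for i, b := range payload {
		out[i] = b ^ key
	}
	return out
}

// pack prepends a (fake) decoder stub to the encoded payload.
func pack(payload []byte, key byte) []byte {
	stub := []byte(fmt.Sprintf("stub: xor-decode with key 0x%02x then execute: ", key))
	return append(stub, xorEncode(payload, key)...)
}

// Verdicts records what the scanner says at each step of the arms race.
type Verdicts struct {
	Original      string // the sample the signature was written from
	Packed        string // the same sample, XOR-packed with key 0x5a
	PackedUpdated string // after the vendor ships a signature for the packed form
	Repacked      string // the same sample again, packed with key 0x5b
}

// ArmsRace runs the scanner against the original sample, a packed variant, and
// a repacked variant after a signature update.
func ArmsRace() Verdicts {
	// Constructed sample; only the signature substring matters.
	sample := []byte("...dropper body... cmd.exe /c powershell -enc SQBFAFgA ...")
	var v Verdicts
	v.Original = Scan(sample)
	v.Packed = Scan(pack(sample, 0x5a))

	// Signature update: the vendor has now captured the 0x5a-packed variant and
	// adds its encoded bytes. This is the timeliness gap: detection exists only
	// after the variant has been seen and analysed.
	database = append(database, Signature{"Demo.Dropper.A.packed", xorEncode(database[0].Pattern, 0x5a)})
	v.PackedUpdated = Scan(pack(sample, 0x5a))

	// One-byte change to the key and the updated signature misses again.
	v.Repacked = Scan(pack(sample, 0x5b))
	return v
}

func main() {
	fmt.Printf("%+v\n", ArmsRace())
}
```

Real engines add heuristics, emulation and behaviour monitoring on top of byte patterns, which is why the slide says AV is an important part of client security rather than useless; the example only shows why it cannot be the whole of it.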

Page 12:

• 8,562 new vulnerabilities were disclosed in 2010 (27% more than in 2009).

• 49 percent of all vulnerabilities affect web applications.

• 44 percent of vulnerabilities remained unpatched by the end of 2010.

Source: IBM X-Force Trend and Risk Report 2010

[Figure: excerpt of “disclosed” vulnerabilities on 24.6.2011; source: http://www.securityfocus.com/]

Page 13:

Top 5 IT Security Myths

3 – Easy solutions

„Product X solves all my security problems“

Page 14:

Top 5 IT Security Myths – Easy solutions (1)

• The Myth: Product X solves all security problems out of the box

○ IPS X will block all attacks on my network automatically

○ If I just install web application firewall Y it will protect my web application

• Fact: Security products are useless without careful configuration and maintenance

○ Off-the-shelf solutions do not work!

• Vendor marketing sometimes adds to the myth:

Page 15:

Top 5 IT Security Myths – Easy solutions (2)

• Web application firewalls are usually easily bypassed

• Bypassing preconfigured signatures

○ There are unlimited ways to formulate and encode an attack

○ Web applications have unique vulnerabilities

• Bypassing behaviour-based analysis

○ May detect some anomalies, but attacks can look like normal traffic

○ Application logic attacks

• To make a WAF work, configuration has to be tailored to the web application in question
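Added example, not from the original slides: a Go sketch of the preconfigured-signature problem. The UNION SELECT rule, the normalizer and the seven query strings are constructed here and stand for no real product's rule set. It shows the shipped signature missing simple encodings, a normalizer tailored to the application catching those, and two requests that neither filter sees: a MySQL version-comment spelling of the same injection, and an application-logic request (another user's record id) that is indistinguishable from normal traffic.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// A preconfigured signature of the kind a WAF ships with: the textbook spelling
// of a UNION-based SQL injection. Constructed for this example.
var unionSelect = regexp.MustCompile(`(?i)union\s+select`)

var (
	sqlComment = regexp.MustCompile(`/\*.*?\*/`)
	blanks     = regexp.MustCompile(`\s+`)
)

// naiveWAF applies the signature to the raw query string, as a default rule set does.
func naiveWAF(rawQuery string) bool {
	return unionSelect.MatchString(rawQuery)
}

// normalize is the tailoring step: undo the encodings an attacker layers on
// (repeated URL encoding, inline comments, odd whitespace) so the signature
// sees roughly what the database engine will see.
func normalize(rawQuery string) string {
	s := rawQuery
	for i := 0; i < 3; i++ { // bounded: handles double and triple encoding
		dec, err := url.QueryUnescape(s)
		if err != nil || dec == s {
			break
		}
		s = dec
	}
	s = sqlComment.ReplaceAllString(s, " ")
	s = blanks.ReplaceAllString(s, " ")
	return strings.ToLower(s)
}

// tunedWAF applies the same signature after normalization.
func tunedWAF(rawQuery string) bool {
	return unionSelect.MatchString(normalize(rawQuery))
}

// Outcome is the decision of each filter for one request: true means blocked.
type Outcome struct{ Naive, Tuned bool }

func Evaluate(rawQuery string) Outcome {
	return Outcome{Naive: naiveWAF(rawQuery), Tuned: tunedWAF(rawQuery)}
}

// Constructed requests, from the textbook attack to ones no signature sees.
var Requests = []struct{ Query, Note string }{
	{"id=1 UNION SELECT user,pass FROM users", "textbook form"},
	{"id=1 UNION/**/SELECT user,pass FROM users", "inline comment instead of space"},
	{"id=1%20%55NION%20%53ELECT%20user,pass%20FROM%20users", "partial URL encoding"},
	{"id=1%2520UNION%2520SELECT%2520user,pass", "double URL encoding"},
	{"id=1 UNION%09SELECT user,pass FROM users", "tab instead of space"},
	{"id=1 UNION/*!SELECT*/ user,pass FROM users", "MySQL executes /*! ... */ contents; both filters drop it as a comment"},
	{"id=1002", "application logic: another user's record id, looks like normal traffic"},
}

func main() {
	for _, r := range Requests {
		o := Evaluate(r.Query)
		fmt.Printf("naive=%-5v tuned=%-5v %-55s (%s)\n", o.Naive, o.Tuned, r.Query, r.Note)
	}
}
```

The normalizer is what "tailoring the configuration" buys: it has to know the encodings the application accepts and the database dialect behind it. Even then the last two requests pass, which is why the deck's advice is to fix the query (parameterized statements) and the authorization check in the application itself.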

Page 16:

Top 5 IT Security Myths – Easy solutions (3)

• IDS / IPS should be added as part of a defense-in-depth approach

• WAF can be used in certain situations

○ If it is impossible or too expensive to fix the web application

○ For compliance (PCI DSS)

• It is always preferable to apply preventive controls at the core!

○ Secure configuration

○ Secure development practices

Page 17:

Top 5 IT Security Myths

2 – Encryption

„My server is secure because it uses SSL.“

Page 18:

Top 5 IT Security Myths – Encryption

• The Myth: Something that is encrypted is automatically secure

○ Hackers first have to break the encryption to break in

• Fact: Encryption ensures confidentiality & integrity in some scenarios

○ Needed for secure network traffic, file storage, proof of identity

• Hackers find ways around the encryption!

○ Breaking the keys is practically impossible anyway in most cases

○ Attacks on the public key infrastructure (CAs)

○ Attacks on the algorithm / implementation (BEAST)

○ Attacks on users (Man-in-the-Middle w/ spoofed certificate)

○ Application vulnerabilities

• A webserver that uses HTTPS is NOT automatically secure!

Page 19:

Top 5 IT Security Myths

1 – The Firewall

„A device that protects against hackers“

Page 20:

Top 5 IT Security Myths – The Firewall (2)

Myth: In order to attack servers behind the firewall hackers need to “break through” the firewall

• Facts

○ Firewalls provide a very small attack surface for hackers

○ Usually straightforward to configure

○ Normally a hacker does not have to bypass a firewall

○ A hacker would target the low-hanging fruit, which in almost all cases is vulnerable applications

○ HTTP = UFBP (universal firewall bypass protocol)

Page 21:

Web applications – the weakest link

[Diagram: Attacker on the Internet → Web server with vulnerable applications in the Public (Extern) DMZ → AD, File-Share and DB in the LAN (Intern)]

86% of all attacks are carried out over the application layer

Page 22:

Top 5 IT Security Myths – The Firewall (3)

Myth: The firewall will block attacks and make sure that everything that passes through is safe/secure

• Facts

○ Traditionally a firewall is only a packet filter

○ Packets can be blocked only up to the level the firewall understands

○ A firewall does not have an understanding of the application layer

○ A firewall cannot verify whether communication to an exposed service is malicious

Page 23:

Application Security

• ”In 86% of all attacks, a weakness in a web interface was exploited (vs. 14% infrastructure) and the attackers were predominately external (80%)”


Source: UK Security Breach Investigations Report 2010

Page 24:

Web Security 1998-2010

• Web application related vulnerabilities have increased rapidly in the last years

• Reasons:

○ New technologies

○ More applications

○ More information


Source: IBM X-Force® 2010 Trend and Risk Report

Page 25:

Attacks on Web Applications

• Organized crime focuses on web applications

”You will see less shotgun types of attacks and more stealthy kinds of attacks going after financial information because there are whole new sets of ways to make money”

--- Amrit Williams, Research Director at Gartner, Reuters 13.2.2006

Source: Web Hacking Incident Database 2010 Semi Annual Report – 2 (July-December)

Page 26:

Myths – Summary

• Off-the-shelf solutions:

○ Security products are useful for specific areas

○ Level your expectations (strengths/weaknesses)

○ Security is a continuous process, be doubtful of miracles

• Prevention/Detection

○ Necessary to have good detection mechanisms

○ Continuous monitoring of the results

• Planning

○ IT security can only be achieved by a holistic approach

○ ISM is essential to implement the right processes

• It is always preferable to apply preventive controls at the core!

Page 27:

SEC Consult Singapore Pte. Ltd.

Contact Details

Singapore: 4 Battery Road, #25-01 Bank of China Building, Singapore (049908), Tel: +65 31080365, Email: [email protected]

Austria: Mooslackengasse 17, A-1190 Vienna, Austria, Tel: +43-(0)1-890 30 43-0, Fax: +43-(0)1-890 30 43-15, Email: [email protected]