Top 5 Myths of IT Security in the Light of Current Events
TISA Pro Talk 4 2554
Advisor for your information security.
Version: 1.0
Author: S. Streichsbier
Responsible: S. Streichsbier
Date: 05.10.2011
Confidentiality: Public
Agenda
• Introduction
• Top 5 IT Security Myths
• Reality Check – Current Events
• Conclusion
© 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved
SEC Consult – Who we are
[Map: SEC Consult offices, headquarters and clients in Austria, Germany, Lithuania, Canada, Singapore, the United States of America and Central and Eastern Europe]
• Since its foundation in 2002, SEC Consult has delivered more than 1000 IT security projects.
• Offices in Austria (HQ), Germany, Lithuania, Canada and Singapore since 2011
• 25+ security professionals
• Well established in Central and Eastern Europe
• Team of highly skilled, internationally recognized security experts
• Regular speakers at international conferences
• Publish security advisories, whitepapers
• Awards (e.g. “PWNIE” Award 2009)
SEC Consult - Overview
• Internal Vulnerability Lab
○ Responsible Disclosure Policy
• Holistic approach to cover all facets of information security
• Diverse experience in technical and organizational IT security
• Independent from vendors
• No off-the-shelf products
• Tailor-made solutions
• Confidentiality and data security are guaranteed
Agenda - Workshop Day I:
• Introduction
• Top 5 IT Security Myths
• Reality Check – Current Events
• Conclusion
Top 5 IT Security Myths
5 – Hackers = Geniuses
"Only a genius can break into my network"
Top 5 IT Security Myths – Hackers=Geniuses (1)
• The Myth: Hacking requires secret ninja skills
○ True 20 years ago
• Today, knowledge and tools are out there
○ Huge security community
○ Exploits and hacking tools released every day
○ Commercial exploit kits
○ Hacking can be learned (CEH, university, ...)
Top 5 IT Security Myths – Hackers=Geniuses (2)
Anybody can launch a tool!
Top 5 IT Security Myths – Hackers=Geniuses (3)
Hackers are:
• Hacking for fun / hacktivism
○ Anonymous / LulzSec
○ Kids looking for attention
• Hacking for profit
○ Huge underground economy
○ Exploit kits, phishing kits, etc.
○ Botnets
• Cyber warfare
○ Stuxnet (admittedly very advanced)
○ Shady RAT
○ Operation Aurora
Top 5 IT Security Myths
4 – Updates and AV
"Software updates and anti-virus are enough to keep a system safe"
Top 5 IT Security Myths – 4. Updates and AV
Myth: I am safe, my AV will protect me from trojans, viruses and worms.
• Facts
○ Timeliness (delay)
○ Completeness
○ Protection against known security issues; vulnerabilities in proprietary applications are not covered
• Important part of client security (user still has to be responsible)
• AV also has flaws
• Detection rate / Effectiveness heavily discussed
• False positives: Chrome browser is a virus?
• 8,562 new vulnerabilities were disclosed in 2010 (27% more than in 2009).
• 49 percent of all vulnerabilities affect web applications.
• 44 percent of vulnerabilities remained unpatched by the end of 2010.
Source: IBM X-Force 2010 Trend and Risk Report
[Screenshot: excerpt of vulnerabilities disclosed on 24.6.2011; source: http://www.securityfocus.com/]
Top 5 IT Security Myths
3 – Easy solutions
"Product X solves all my security problems"
Top 5 IT Security Myths – Easy solutions (1)
• The Myth: Product X solves all security problems out of the box
○ IPS X will block all attacks on my network automatically
○ If I just install web application firewall Y, it will protect my web application
• Fact: Security products are useless without careful configuration and maintenance
• Off-the-shelf solutions do not work!
• Vendor marketing sometimes adds to the myth.
Top 5 IT Security Myths – Easy solutions (2)
• Web application firewalls are usually easily bypassed
• Bypassing preconfigured signatures
○ There are unlimited ways to formulate and encode an attack
○ Web applications have unique vulnerabilities
• Bypassing behaviour-based analysis
○ May detect some anomalies, but attacks can look like normal traffic
○ Application logic attacks
• To make a WAF work, its configuration has to be tailored to the web application in question
Top 5 IT Security Myths – Easy solutions (3)
• IDS / IPS should be added as part of a defense-in-depth approach
• A WAF can be used in certain situations
○ If it is impossible or too expensive to fix the web application
○ For compliance (PCI DSS)
• It is always preferable to apply preventive controls at the core!
○ Secure configuration
○ Secure development practices
Top 5 IT Security Myths
2 – Encryption
"My server is secure because it uses SSL."
Top 5 IT Security Myths – Encryption
• The Myth: Something that is encrypted is automatically secure
○ Hackers first have to break the encryption to break in
• Fact: Encryption ensures confidentiality & integrity in some scenarios
○ Needed for secure network traffic, file storage, proof of identity
• Hackers find ways around the encryption!
○ Breaking the keys is practically impossible in most cases anyway
○ Attacks on the public key infrastructure (CAs)
○ Attacks on the algorithm / implementation (BEAST)
○ Attacks on users (man-in-the-middle with a spoofed certificate)
○ Application vulnerabilities
• A web server that uses HTTPS is NOT automatically secure!
Top 5 IT Security Myths
1 – The Firewall
„A device that protects against hackers“
Top 5 IT Security Myths – The Firewall (2)
Myth: In order to attack servers behind the firewall, hackers need to "break through" the firewall
• Facts
○ Firewalls provide a very small attack surface for hackers
○ Usually straightforward to configure
○ Normally a hacker does not have to bypass a firewall
○ A hacker would target the low-hanging fruit, which in almost all cases is vulnerable applications
○ HTTP = UFBP (universal firewall bypass protocol)
Web applications – the weakest link
[Diagram: attacker on the Internet; web server with vulnerable applications in the public (external) DMZ; AD, file share and DB in the internal LAN]
86% of all attacks are carried out over the application layer
Top 5 IT Security Myths – The Firewall (3)
Myth: The firewall will block attacks and make sure that everything that passes through is safe/secure
• Facts
○ Traditionally a firewall is only a packet filter
○ Packets can be blocked only up to the level the firewall understands
○ A firewall does not have an understanding of the application layer
○ A firewall cannot verify whether communication to an exposed service is malicious
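The WAF slides under myth 3 (signatures bypassed by re-encoding the same attack, configuration that must be tailored to the application) and the firewall slides under myth 1 (a packet filter never sees the application layer) describe the same chain, so one added example covers both. The Python below was written for this transcript; it is not code from SEC Consult or from any firewall or WAF product. It models three hypothetical layers in front of a web application: a port-based packet filter, a signature WAF that matches a preconfigured blacklist against the raw query value, and an allowlist check written for the single parameter the hypothetical application accepts. The firewall rules, the signature, the parameter name `id` and the attack string are all constructed for the demonstration.

```python
"""Added example for the WAF and firewall slides (not from the original deck).

Three hypothetical layers in front of a web application:
  1. packet_filter   - port-based packet filter, never sees the payload
  2. signature_waf   - preconfigured blacklist matched against the raw query
  3. tailored_check  - allowlist written for the one parameter the app expects

The firewall rules, signature, parameter name and attack strings are all
constructed for this demonstration and do not come from a real product.
"""
import re
from urllib.parse import unquote

# Layer 1: hypothetical packet-filter ruleset, default deny.
FIREWALL_RULES = [
    {"proto": "tcp", "dst_port": 80, "action": "allow"},
    {"proto": "tcp", "dst_port": 443, "action": "allow"},
]


def packet_filter(proto, dst_port):
    """True if the packet is allowed. Only protocol and port are inspected,
    so any HTTP request, benign or hostile, passes: HTTP as the
    'universal firewall bypass protocol' from the slide."""
    for rule in FIREWALL_RULES:
        if rule["proto"] == proto and rule["dst_port"] == dst_port:
            return rule["action"] == "allow"
    return False


# Layer 2: hypothetical preconfigured signature. It expects the classic
# keyword sequence separated by whitespace and is applied to the raw,
# still URL-encoded query value.
SQLI_SIGNATURE = re.compile(r"union\s+select|or\s+1\s*=\s*1", re.IGNORECASE)


def signature_waf(raw_value):
    """True if the WAF lets the value through (no signature hit)."""
    return SQLI_SIGNATURE.search(raw_value) is None


def encode_variants(payload):
    """Three rewrites of the same attack that the signature does not match
    but that the application and database still see as the original."""
    return [
        payload.replace(" ", "/**/"),         # SQL comments instead of spaces
        payload.replace("UNION", "%55NION"),  # URL-encode one letter of a keyword
        payload.replace(" ", "%09"),          # URL-encoded tab instead of space
    ]


def what_the_db_sees(raw_value):
    """Undo the encodings the way the stack does: the web server URL-decodes,
    and the SQL parser treats comments and any whitespace as token separators."""
    decoded = unquote(raw_value).replace("/**/", " ")
    return re.sub(r"\s+", " ", decoded)


# Layer 3: the application knows 'id' must be a short decimal number, so it
# checks the decoded value against exactly that and rejects everything else.
def tailored_check(raw_value):
    return re.fullmatch(r"\d{1,9}", unquote(raw_value)) is not None


def evaluate(proto, dst_port, raw_id):
    """Run a request through all three layers and report where it stops."""
    if not packet_filter(proto, dst_port):
        return "blocked by firewall"
    if not signature_waf(raw_id):
        return "blocked by signature WAF"
    if not tailored_check(raw_id):
        return "blocked by application allowlist"
    return "reached the database"


if __name__ == "__main__":
    attack = "1 UNION SELECT username,password FROM users"  # constructed payload
    print("benign id=42  ->", evaluate("tcp", 443, "42"))
    print("plain attack  ->", evaluate("tcp", 443, attack))
    for variant in encode_variants(attack):
        print(f"{variant[:40]:<40} -> {evaluate('tcp', 443, variant)}"
              f"  (db would see: {what_the_db_sees(variant)!r})")
```

The packet filter passes every request on 443, the signature stops only the textbook spelling of the attack, and the three re-encodings walk past it while decoding back to the identical SQL. Only the third layer rejects all of them, and it can do so only because it was written against this application's one parameter; that is the "tailored to the web application in question" point from the slide, and also why such a check cannot ship preconfigured in a product.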
Application Security
• ”In 86% of all attacks, a weakness in a web interface was exploited (vs. 14% infrastructure) and the attackers were predominately external (80%)”
Source: UK Security Breach Investigations Report 2010
Web Security 1998-2010
• Web application related vulnerabilities have increased rapidly in the last years
• Reasons:
○ New technologies
○ More applications
○ More information
Source: IBM X-Force® 2010 Trend and Risk Report
Attacks on Web Applications
• Organized crime focuses on web applications
"You will see less shotgun types of attacks and more stealthy kinds of attacks going after financial information because there are whole new sets of ways to make money"
--- Amrit Williams, Research Director at Gartner, Reuters 13.2.2006
Source: Web Hacking Incident Database 2010 Semi-Annual Report – 2 (July-December)
Myths – Summary
• Off-the-shelf solutions:
○ Security products are useful for specific areas
○ Level your expectations (strengths/weaknesses)
○ Security is a continuous process, be doubtful of miracles
• Prevention/Detection
○ Necessary to have good detection mechanisms
○ Continuous monitoring of the results
• Planning
○ IT security can only be achieved by a holistic approach
○ ISM is essential to implement the right processes
• It is always preferable to apply preventive controls at the core!
Contact Details
Singapore
SEC Consult Singapore Pte. Ltd.
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Tel: +65 31080365
Email: [email protected]
Austria
SEC Consult Unternehmensberatung GmbH
Mooslackengasse 17
A-1190 Vienna
Tel: +43-(0)1-890 30 43-0
Fax: +43-(0)1-890 30 43-15
Email: [email protected]