LonestarPHP 2014 Security Keynote
Post on 21-Oct-2014
DESCRIPTION
Keynote for LonestarPHP 2014
TRANSCRIPT
Alison Gianotto @snipeyhead
Alison Gianotto (aka “snipe”)
WHO AM I?
• Former agency CTO/CSO
• Security & privacy advocate
• 20 years in IT and software development
• Co-author of a few PHP/MySQL books
• Survivor of more corporate audits than I care to remember
• @snipeyhead on Twitter
Lonestar PHP - April 2014 - #lsp14
WHAT SECURITY ISN’T
1 Bolted on. You don’t add it on at the end.
2 Compliance. You can be compliant and not secure. Just ask Target.
3 A Single Person. Security is everyone’s responsibility.
4 Outsourced. Throwing money at this problem won’t work.
WHAT SECURITY ISN’T (continued)
5 An Appliance. Firewalls and IDS are part of the solution, but not the end.
6 Silver Bullet. There is no one thing. Defence in depth matters. Sort of.
7 Straightforward. Sometimes implementing security tools increases your attack surface.
8 Done. Security is where you start, not where you finish.
WHAT RISK ISN’T
1 Stifling. Managing risk doesn’t have to hinder innovation.
2 Boring. Our job is finding creative solutions to problems. This is one more tool.
3 Avoidable. Risk isn’t inherently bad. Not understanding your risk is.
4 One Size. Acceptable risk to your company may not be the same as someone else’s.
IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK.
Srsly.
DEFENSE IN DEPTH PROMISES
• Mitigates single points of failure. (“Bus factor”)
• Requires more effort on the part of the attacker, theoretically exhausting attacker resources.
Except...
DEFENSE IN DEPTH PROBLEMS
• Larger, more complicated systems are harder to maintain.
• Leads to more cracks for bad guys to poke at.
• More surfaces that can be overlooked.
• The bad guys have nearly limitless resources. We don’t.
• Attacks are commoditized now. Botnets for $2/hour.
CIA: Confidentiality, Integrity & Availability
CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION.
CONFIDENTIALITY EXAMPLES
• Passwords. (boo!)
• Data encryption (at rest and in transmission.)
• Two-factor authentication/biometrics. (Yay!)
• Corporate VPN
• IP whitelisting
• SSH keys
CONFIDENTIALITY RISKS
• No brute-force detection
• No vetting of how third-party vendors use/store customer data
• Information leakage from login messages (timing attacks, etc.)
• SQL injection
• Privilege escalation leading to admin access
• Passwords shared across websites
• Improper disposal/destruction of personal data
• Lost/stolen devices
INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
INTEGRITY RISKS
• Data loss due to hardware failure (server crash!)
• Software bug that unintentionally deletes/modifies data
• Data alteration via authorized persons (human error)
• Data alteration via unauthorized persons (hackers)
• No backups, or no way to verify the integrity of the backups you have
• Third-party vendor with inadequate security
AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
AVAILABILITY RISKS
• DDoS attacks
• Third-party service failures
• Hardware failures
• Software bugs
• Untested software patches
• Natural disasters
• Man-made disasters
THINK YOU’RE TOO SMALL TO BOTHER WITH?
Think again.
WHY HACK?
• To steal/sell identities, credit card numbers, corporate secrets, military secrets
• Fun, excitement and/or notoriety
• Political (“hacktivism”)
• Revenge
• Blackhat SEO
• Extortion/ransomware
COMMON ATTACKS
• Reflected XSS
• Persistent XSS
• CSRF
• SQL injection
• Remote file inclusion
• Local file inclusion/directory traversal
• Hosting malware
• Defacement for SEO (pharma, etc.)
• Privilege escalation
WHY MEEEEEEEEEEEE??
• Users re-use passwords across websites
• Watering hole attack
• Low-hanging fruit
• Assumed fewer defenses
• To gain more information on users to execute spear-phishing attacks
• Because you are vulnerable. Period.
IN 2013, 61% OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
1 Reflected XSS
2 Social engineering
3 XSS session hijack
4 Pwned
77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.
THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012. (+700%)
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
OCT 2013: ADOBE EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE. IMPACTED: 152 MILLION USERS.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
DEC 2013: TARGET EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS. IMPACTED: 110 MILLION USERS.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
BREACH GROWTH
Data stolen:
• credit card info
• birth dates
• government ID numbers
• home addresses
• medical records
• phone numbers
• financial information
• email addresses
• logins
• passwords
Identities stolen by year (in millions): 2011: 232; 2013: 552.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
ATTACKS PER DAY
2011: 190,000
2012: 464,000
2013: 570,000
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
APPSEC STRATEGY: PICK TWO
COMPLETELY BONED • COMPLETELY BONED • COMPLETELY BONED
CREATING A RISK MATRIX
• Type
• Third-Party
• Dataflow diagram ID
• Description
• Triggering Action
• Consequence of Service Failure
• Risk of Failure
• User Impact
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info
Grab a starter template here! http://snipe.ly/risk_matrix
29 THINGS YOU CAN START DOING TODAY.
Dooo eeeeeet.
29 THINGS TO DO TODAY
1. Start every project risk-first.
2. Start using a risk matrix for every major project or product.
3. Build a clear inventory of surface areas and their value. Get stakeholders involved.
4. Make sure you understand what happens when third-party services fail or behave unexpectedly.
5. Trust your gut. If something doesn’t look right, it probably isn’t.
6. Keep your systems as simple as possible. Document them.
7. Favor self-documenting systems so that code, systems and docs don't fall out of sync.
8. Increased transparency reduces risk across departments. Consider devops.
9. Don't abstract code/systems if you don’t have to. Premature optimization is the devil. Build light and refactor as needed.
10. Get to know your users’ behavior. Use tools like Google Analytics and heat-mapping to understand what users do on your site. Be suspicious if it changes for no apparent reason.
11. Automate EVERYTHING (Chef, Vagrant, Ansible, Salt, Fabric, etc.)
12. Log (almost!) EVERYTHING. Know where your logs are. Use a central logging server if at all possible.
13. Always employ the principle of “least privilege.”
14. Give preference to vendors that integrate with your AD/OD/LDAP.
15. Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)
16. Create a Business Continuity Plan.
17. Create an Incident Response Plan. Test it.
18. Create a Disaster Recovery Plan. TEST IT. (Seriously.)
19. Get your team to participate in at least one CTF every year.
20. Strip specific messaging from login forms.
21. Use solid password hashing with salting, like bcrypt.
22. Implement brute-force prevention for all login systems.
23. Encrypt everything, where feasible.
24. Only collect the data that you absolutely need.
25. Implement two-factor authentication. It’s easier than you think.
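One way to apply items 20, 21 and 22 in a single PHP login routine, as an added example that is not from the keynote; it also closes the login-message timing leak listed under confidentiality risks. It assumes a PDO connection and two hypothetical tables, `users` (email, password_hash) and `login_attempts` (email, attempted_at).

```php
<?php
// Added example, not from the keynote. Table and column names are hypothetical.
// Item 21: bcrypt via password_hash(); PHP generates and embeds the salt for you.
const MAX_ATTEMPTS   = 5;    // failures allowed per account...
const WINDOW_SECONDS = 900;  // ...within a 15-minute sliding window

function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Item 22: refuse further guesses once an account has too many recent failures.
function tooManyAttempts(PDO $pdo, string $email): bool
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM login_attempts WHERE email = ? AND attempted_at > ?');
    $stmt->execute([$email, time() - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn() >= MAX_ATTEMPTS;
}

function recordFailure(PDO $pdo, string $email): void
{
    $pdo->prepare('INSERT INTO login_attempts (email, attempted_at) VALUES (?, ?)')
        ->execute([$email, time()]);
}

// Returns true only on success. Every failure path returns plain false, so the caller
// (item 20) can only ever show one message: "Invalid email or password."
function login(PDO $pdo, string $email, string $plain): bool
{
    if (tooManyAttempts($pdo, $email)) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = ?'); // prepared: no SQL injection
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();

    // Unknown account: still run one bcrypt verify against a throwaway hash, so the response
    // takes as long as it would for a real user and does not reveal which emails exist.
    if ($hash === false) {
        static $dummyHash = null;
        $dummyHash ??= hashPassword(bin2hex(random_bytes(16)));
        password_verify($plain, $dummyHash);
        recordFailure($pdo, $email);
        return false;
    }
    if (!password_verify($plain, $hash)) {
        recordFailure($pdo, $email);
        return false;
    }
    return true;
}
```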
26. Suppress debugging and server information (PHP versions, Apache versions).
27. Leverage framework CSRF protection and data sanitization/validation.
28. Perform regular penetration tests and vulnerability assessments.
29. Become a passionate security ambassador for your users and co-workers.
CAPTURE ALL THE FLAGS!
• NotSoSecure CTF: http://cx.notsosecure.com
• Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
• http://hax.tor.hu/
• https://pwn0.com/
• http://www.smashthestack.org/
• http://www.hellboundhackers.org/
• http://www.overthewire.org/wargames/
• http://counterhack.net/Counter_Hack/Challenges.html
• http://www.hackthissite.org/
• http://exploit-exercises.com/
• http://vulnhub.com/
Alison Gianotto (aka “snipe”)
THANK YOU!
• @snipeyhead on Twitter
• [email protected]