security bootcamp for startups and small businesses
TRANSCRIPT
Alison Gianotto @snipeyhead
SECURITY BOOTCAMP FOR STARTUPS
(and Small Businesses)
Alison Gianotto (aka “snipe”)
WHO AM I?
• Former agency CTO/CSO
• CTO of Anysha.re
• Creator of Snipe-IT FOSS project
• Security & privacy advocate
• 20 years in IT and software dev
• Co-author of a few PHP/MySQL books
• @snipeyhead on Twitter
DomCode 2016 - Utrecht - #DomCode16
WHAT IS RISK?
Risk is the combination of threat, vulnerability, and mission impact.
WHAT KINDS OF THREATS?
• Not always hackers
• Physical threats: natural disasters, such as flood, fire, earthquakes, etc
• Logical threats: bugs in hardware, power failures
• Human threats: non-malicious and malicious threats, such as disgruntled employees and hackers
RISK TOLERANCE
If vulnerability is high, but mission impact is low, you can probably tolerate that risk.
ONE SIZE DOES NOT FIT ALL
Risk looks different for each organization.
IT IS IMPOSSIBLE TO ANTICIPATE OR MITIGATE EVERY RISK.
WHY SHOULD YOU CARE?
Security breaches cost a company reputation, money, time & trust.
WHY SHOULD YOU CARE?
Identity theft and security vulnerabilities affect the lives of real people - your users.
WHY SHOULD YOU CARE?
Source: Forbes Magazine, Aug 3, 2013
WHY SHOULD YOU CARE?
Source: BoingBoing - Nov 3, 2016
WHY SHOULD YOU CARE?
Even if your product can’t be weaponized, the data you store and the trust your users have in you can be.
GDPR (General Data Protection Regulation)
• Goes into effect 2018
• Could result in fines of €20m or 4% of your annual turnover, whichever is GREATER
In 2013, 61% of reported attacks targeted small and medium businesses, UP from 50% in 2012.
Source: Verizon Communications 2013 Data Breach Investigations Report
One study found that compromises of mid-size firms rose 64% from 2013 to 2014.
Source: Global State of Information Security Survey 2015
HOW?
Sometimes an attacker will use your product to gain information, sometimes they’ll use YOU.
HOW?
And sometimes your users are the target, and sometimes your company is.
WAYS THEY USE YOUR PRODUCT
• Reflected XSS
• Persistent XSS
• CSRF
• SQL Injection
• Remote file inclusion
• Local file inclusion / directory traversal
• Defacement for SEO (pharma, etc)
• Privilege escalation
• Malware delivery
• Other stuff you know from OWASP
WAYS THEY USE YOU
• Stealing credentials from other websites, hoping you re-use passwords across sensitive systems
• Spear-phishing
• Watering hole attacks
• Social engineering
• Malware
• Insecure third-party vendors
DEFENSE IN DEPTH
• Mitigates single points of failure. (“Bus factor”)
• Requires more effort on the part of the attacker, theoretically exhausting attacker resources.
Except...
DEFENSE IN DEPTH CHALLENGES
• Larger, more complicated systems can be harder to maintain:
  • Leads to more cracks for bad guys to poke at
  • More surfaces that can get overlooked
• The bad guys have nearly limitless resources. We don’t.
• Attacks are commoditized now. Botnets for <$2/hour and Internet of Shit (Mirai Dyn DNS attack)
CIA: Confidentiality, Integrity & Availability
CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION
CONFIDENTIALITY EXAMPLES
• Passwords
• Data encryption (at rest and in transmission)
• Two-factor authentication or biometrics
• Corporate VPN
• IP whitelisting
• SSH keys
CONFIDENTIALITY RISKS
• No brute-force detection
• No vetting of how third-party vendors use/store customer data
• Information leakage from login messages (timing attacks, etc.)
• SQL injection
• Privilege escalation leading to admin access
• Passwords shared across websites
• Improper disposal/destruction of personal data
• Lost/stolen devices
• Insider threats
INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
INTEGRITY RISKS
• Data loss due to hardware failure (server crash!)
• Software bug that unintentionally deletes/modifies data
• Data alteration via authorized persons (human error)
• Data alteration via unauthorized persons (hackers)
• No backups, or no way to verify the integrity of the backups you have
• Third-party vendor with inadequate security
• Insider threats
AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
AVAILABILITY RISKS
• DDoS attacks
• Third-party service failures
• Hardware failures
• Software bugs
• Untested software patches
• Natural disasters
• Man-made disasters
• Insider threats
Hmm… This looks familiar…
INSIDER THREATS
(Pie chart: insiders 58%, everything else 42%)
• Employees (33%)
• Ex-employees (7%)
• Customers, partners or suppliers (18%)
• Everything else
Source: Clearswift Report: The Enemy Within - Published May 2013
INSIDER THREATS
Source: Clearswift Report: The Enemy Within - Published May 2013
• Often very low-tech
• Sometimes malicious
• Sometimes accidental
• Theft/destruction of confidential information
• Sabotage
• Fraud
• Defacement
• DoS attacks
• Sometimes motivated by revenge
NOT ALL INSIDER THREATS ARE MALICIOUS, BUT THAT DOESN’T MAKE THEM LESS DANGEROUS.
APPLICATION SECURITY
77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
BREACH GROWTH
Data Stolen:
• credit card info
• birth dates
• gov ID numbers
• home addresses
• medical records
• phone numbers
• financial information
• email addresses
• login
• passwords
(Chart: Identities Stolen by Year, in Millions, 2011-2016*. Source: Symantec Internet Security Threat Report 2014/2015)
(Chart: Attacks Per Day, 2011-2016. Source: Symantec Internet Security Threat Report 2014/2016)
APPSEC STRATEGY
PICK TWO
(Diagram: a “pick two” triangle in which every option reads COMPLETELY SCREWED)
WHAT CAN YOU DO?
STOP:
Believing the lie that you’re too small to be a target.
You’re not. I promise.
START:
Evaluating the value of your assets. You have to know what you’re protecting.
VENDOR MANAGEMENT
START:
Documenting ALL of your third-party vendors. Assess risk, and start a vendor management program.
START:
Giving preference to third-party vendors that integrate with LDAP/AD/SSO.
START:
Developing a risk matrix for every project. Keep it updated as new features are added.
RISK MATRIX:
• Type
• Third-Party
• Service Description
• Triggering Action
• Consequence of Service Failure
• Risk of Failure
• Probability of Failure
• User Impact of Failure
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info
Grab a starter template here! http://snipe.ly/risk_matrix
START:
Giving preference to systems that allow you to show due diligence in the event of a breach.
POLICIES & PROCESS
START:
Implementing policies of “least-privilege”.
START:
Developing a Disaster Recovery Plan. TEST IT. (No, really, test it. Often.)
START:
Developing an Incident Response Plan. Test it, and keep it updated.
START:
Enabling (and requiring) two-factor authentication for everything.
START:
Thinking about any ways a new security measure could actually weaken your security.
REMEMBER:
If your new security policies get in the way of people getting work done, they will find a way around them.
START:
Developing a formal procedure for handling exiting employees.
DATA HANDLING
STOP:
Collecting data about users that you don’t ABSOLUTELY need right now.
START:
Logging (almost) everything. Use a central logging server if you can.
START:
Getting to know what “normal” user behavior looks like. Flag anything out of the ordinary.
START:
Storing offline backups. Make sure you can restore from them successfully.
START:
Encrypting EVERYTHING (where feasible) in transit and at rest. HTTPS ALL THE THINGS.
START:
Testing that your deployment system can work if GitHub (or another third-party service) is down.
DEV & OPS
START:
Leveraging the built-in data sanitization and CSRF protection of your language frameworks.
START:
Using prepared statements for your SQL. It’s 2016 already!
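Added example (not from the talk): the difference between pasting input into SQL text and using a prepared statement, shown with Python's standard-library sqlite3 module. The users table, the rows and the three test inputs are constructed for the demonstration; find_user_interpolated is the pattern the slide says to stop, find_user_prepared the one it says to start. In the PHP/MySQL world the speaker comes from, the equivalent is PDO prepared statements with bound parameters.

```python
import sqlite3


def make_db():
    # Constructed sample data (not from the talk): a tiny in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_interpolated(conn, username):
    # The pattern the slide tells you to stop: the input is pasted into the SQL
    # text, so any quote character in it changes the structure of the query.
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_prepared(conn, username):
    # Prepared (parameterized) statement: the SQL text is fixed and the driver
    # passes the value separately, so it is only ever compared as a string.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    conn = make_db()
    inputs = {
        "benign": "alice",
        # Constructed input with an unbalanced quote, the shape a bug or an
        # attacker would send; it turns the WHERE clause into "always true".
        "hostile": "' OR '1'='1",
        # A quote a real user could legitimately type in a name.
        "apostrophe": "o'brien",
    }
    results = {}
    for label, value in inputs.items():
        try:
            interpolated = find_user_interpolated(conn, value)
        except sqlite3.Error as exc:
            # With interpolation an innocent apostrophe is a syntax error,
            # so the bug is a correctness problem before it is a security one.
            interpolated = "error: %s" % exc
        results[label] = {
            "interpolated": interpolated,
            "prepared": find_user_prepared(conn, value),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The prepared version returns exactly one row for "alice" and no rows for the other two inputs, because both are compared literally against the username column. The interpolated version returns every row for the hostile input and raises on the apostrophe.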
START:
Checking for debugging output that discloses information and makes an attacker’s job easier.
STOP:
Using MD5 for passwords!!!! Use a secure salt+hash like bcrypt.
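Added example (not from the talk) of what "secure salt+hash" means in practice, and of the constant-time comparison that closes the login timing leak listed under confidentiality risks. The slide recommends bcrypt; this block uses PBKDF2-HMAC-SHA256 from Python's standard library instead so it runs without third-party packages, but the structure is the same: a random per-user salt, a deliberately slow hash with a cost factor stored in the record, and a comparison that does not short-circuit. ITERATIONS, the record format and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os

# Assumption (not from the talk): a cost factor tuned so one hash takes on the
# order of 100 ms on your login servers; raise it as hardware gets faster.
ITERATIONS = 600_000


def md5_password(password):
    # The anti-pattern from the slide: MD5 is fast and unsalted, so identical
    # passwords give identical digests and precomputed tables recover them.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    # Fresh random salt per user; it is stored next to the digest and need not be secret.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: algorithm$cost$salt$digest. Keeping the cost in the
    # record lets you raise ITERATIONS later without invalidating existing users.
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: a plain == stops at the first differing byte,
    # which is the kind of timing leak the confidentiality slide lists.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, iterations=ITERATIONS):
    # Call after a successful login: if the record was made with a lower cost,
    # re-hash the password you just verified with the current cost and store that.
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    print("md5 of the same password twice:", md5_password("hunter2"), md5_password("hunter2"))
    record = hash_password("hunter2")
    print("salted record:", record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:", verify_password("hunter3", record))
```

Two hashes of the same password produce different records because of the salt, so a leaked table does not reveal which users share a password, and each guess has to be run through the slow function per user rather than once for everyone.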
START:
Looking critically at the complexity of your systems.
START:
Implementing brute-force detection everywhere you can.
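Added example (not from the talk) that ties together three of the START items: log the login outcomes, know what "normal" looks like, and flag brute-force patterns. It runs a sliding-window detector over a handful of constructed log lines in an assumed format. Two baselines are applied, both assumptions of this example: more than five failures from one source address within a minute (one host spraying many accounts), and more than five failures against one account within ten minutes (a slow attack on a single user that the per-source rule misses). Line format, thresholds and addresses are all made up for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the talk). Assumed line format:
#   <ISO-8601 UTC timestamp> login <ok|failed> user=<name> src=<ip>
# Lines are assumed to be in chronological order, as read from a log file.
SAMPLE_LOG = """\
2016-11-12T10:00:01Z login failed user=alice src=203.0.113.5
2016-11-12T10:00:02Z login failed user=alice src=203.0.113.5
2016-11-12T10:00:03Z login failed user=bob src=203.0.113.5
2016-11-12T10:00:04Z login failed user=carol src=203.0.113.5
2016-11-12T10:00:05Z login failed user=dave src=203.0.113.5
2016-11-12T10:00:06Z login failed user=erin src=203.0.113.5
2016-11-12T10:00:40Z login failed user=alice src=198.51.100.7
2016-11-12T10:03:00Z login ok user=alice src=198.51.100.7
2016-11-12T10:20:00Z login failed user=alice src=198.51.100.7
2016-11-12T10:20:30Z login failed user=alice src=198.51.100.7
2016-11-12T10:21:00Z login failed user=alice src=198.51.100.7
2016-11-12T10:21:30Z login failed user=alice src=198.51.100.7
2016-11-12T10:22:00Z login failed user=alice src=198.51.100.7
"""


def parse_line(line):
    ts, _, outcome, user, src = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": outcome,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def detect_bursts(lines, key, threshold, window):
    """Flag every value of `key` ("src" or "user") whose failed logins reach
    `threshold` inside a sliding time `window`. Returns {value: time of alert}."""
    recent = defaultdict(deque)   # key value -> timestamps of recent failures
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event["outcome"] != "failed":
            continue
        ts, who = event["ts"], event[key]
        q = recent[who]
        q.append(ts)
        while ts - q[0] > window:       # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and who not in alerts:
            alerts[who] = ts            # record the moment the baseline was crossed
    return alerts


def demo():
    lines = SAMPLE_LOG.splitlines()
    # Fast spraying: one source hammering many accounts in under a minute.
    by_src = detect_bursts(lines, "src", threshold=5, window=timedelta(minutes=1))
    # Low and slow: one account failing repeatedly over several minutes.
    by_user = detect_bursts(lines, "user", threshold=5, window=timedelta(minutes=10))
    return {
        "by_src": {k: v.isoformat() for k, v in by_src.items()},
        "by_user": {k: v.isoformat() for k, v in by_user.items()},
    }


if __name__ == "__main__":
    for rule, hits in demo().items():
        print(rule, hits)
```

The per-source rule fires on 203.0.113.5 at 10:00:05 and stays silent on 198.51.100.7, whose failures never reach five in any one minute; the per-user rule catches the same slow run against alice at 10:22:00. The detector alerts rather than locks, deliberately: an automatic per-account lockout hands an attacker an availability problem to cause (lock out your real users by guessing badly on purpose), so what you do on an alert is a separate decision.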
STOP:
Using production data in your test environments!
START:
Getting your dev teams involved in Capture the Flag events. (They’re fun!)
START:
Getting penetration tests and vulnerability assessments done.
START:
Building automated scanners into your testing/Continuous Integration pipeline.
COMPANY CULTURE
START:
Building a security-first culture. Make it part of your DNA.
START:
Creating a company culture where your employees are encouraged to ask if they are suspicious.
REMEMBER:
“The security team says no because they are incorrectly held accountable for all flaws.”
— Michael Coates CISO at Twitter, OWASP Global Board Member
START:
Educating employees about social engineering tactics that can be used to gather data about your company.
STOP:
Utilizing policies that punish employees for reporting incidents.
START:
Becoming a passionate security ambassador for your users and your co-workers.
THANK YOU!
Alison Gianotto (aka “snipe”)
• @snipeyhead on Twitter
• [email protected]
Liked this talk? Leave feedback at http://snipe.ly/domcode16
CAPTURE ALL THE FLAGS!
• NotSoSecure CTF: http://ctf.notsosecure.com
• Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
• http://hax.tor.hu/
• https://pwn0.com/
• http://www.smashthestack.org/
• http://www.hellboundhackers.org/
• http://www.overthewire.org/wargames/
• http://counterhack.net/Counter_Hack/Challenges.html
• http://www.hackthissite.org/
• http://exploit-exercises.com/
• http://vulnhub.com/