security for human beings
Zequi Vazquez @RabbitLair Security for Human Beings
Ezequiel "Zequi" Vazquez
Backend Developer
Sysadmin & DevOps
Hacking & Security
Speaker since 2013
Stuxnet
June 2010, worm against SCADA systems
Four (4) critical vulns on Windows XP
Sony Pictures Entertainment
November 2014, worm against SMB
More than 100 TB of confidential info
El Corte Ingles
February 2016, SQL Injection on login
Financial data from 2011 to 2016 extracted
Philippines
March 2016, unknown vulnerabilities
55 million voters data, fingerprints!
Panama Papers
April 2016, Drupal 7 and Wordpress
2.6 TB of confidential information, spanning 40+ years
Turkey
April 2016, hardcoded password in code
Personal data of 49,611,709 voters (6.9 GB)
IPS Community Suite
April 2016, Thanatos, trojan to zombify
Infrastructure attack - Warner, LiveNation
LastPass
March 2017, vulns in browser extensions
Password leakage
In summary
But not everything is lost
What is a project?
More than putting some code on a server
Security must be present in all phases
From minute zero
Security should be reflected in the requirements
Balance between security and budget
Setting the plans
Design the application with security in mind
Paranoia is a virtue
While developing. . .
We are responsible for our product
Bad guys do not create holes - we do
While developing. . .
Do you know security best practices?
Programmers are human, humans are lazy
What can we do?
Defensive programming, error handling!
Try to think as an attacker when coding
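What "defensive programming" looks like for the login case the deck mentions (the El Corte Ingles slide: SQL injection on login), as an added example that is not part of the talk. It contrasts a deliberately insecure string-built query with a parameterised one, validates input before touching the database, fails closed on database errors instead of echoing them, and reads a pepper from the environment rather than hard-coding it (the Turkey slide). The table, the `PASSWORD_PEPPER` variable name and the sample account are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed for the demo: a secret read from the environment instead of the
# source tree. The variable name PASSWORD_PEPPER is an assumption of this example.
PEPPER = os.environ.get("PASSWORD_PEPPER", "constructed-demo-pepper").encode()
DEMO_SALT = b"constructed-salt"  # real code: os.urandom(16) per user


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored value is never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode() + PEPPER, salt, 100_000)


def build_demo_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory users table with one account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("admin", DEMO_SALT, hash_password("correct horse", DEMO_SALT)),
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str):
    # Deliberately insecure: the input is pasted into the SQL text, so a quote
    # in the username changes the meaning of the query.
    query = f"SELECT username, salt, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchone()


def find_user(conn: sqlite3.Connection, username: str):
    # Parameterised query: the input is always data, never SQL.
    query = "SELECT username, salt, pw_hash FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Validate the shape of the input before doing any work with it.
    if not isinstance(username, str) or not 1 <= len(username) <= 64:
        return False
    if not isinstance(password, str) or len(password) > 1024:
        return False
    try:
        row = find_user(conn, username)
    except sqlite3.Error:
        # Fail closed: a database error is logged internally, never shown to
        # the user and never treated as "authenticated".
        return False
    if row is None:
        # Hash anyway so unknown and known usernames take similar time.
        hash_password(password, DEMO_SALT)
        return False
    _, salt, stored = row
    # Constant-time comparison of the derived hash against the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = build_demo_db()
    print("safe lookup of injected name:", find_user(db, "x' OR '1'='1"))
    print("unsafe lookup of injected name:", find_user_unsafe(db, "x' OR '1'='1"))
    print("login ok:", login(db, "admin", "correct horse"))
    print("login bad:", login(db, "admin", "wrong"))
```

The unsafe lookup returns the admin row for a username that is not "admin" because the quote terminates the string literal; the parameterised version returns nothing, and `login` never reaches the password check for it.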
Take care of not only code
Are development environments & repos locked down?
Be careful with questions on StackOverflow
Security person/team
At least, one person should review code
Infrastructure
Project is much more than code
Fail tolerance, high availability, settings
Testing
Full security audit before deploying
Ideally, automate security testing
Information is Power
Monitor all the things!
Keep up to date with updates
Sh*t happens
Emergency recovery plan, forensics
Untested backups are NO backups
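"Untested backups are NO backups" in practice: an added example (not from the talk) that creates a tar.gz backup of a constructed sample tree, records a SHA-256 manifest, then proves the backup is usable by restoring it into a scratch directory and checking every file against the manifest. It also shows the failure mode: a truncated archive is reported as unreadable instead of being silently trusted. The sample files and paths are constructed for the demo.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    # Relative path -> digest for every regular file under root.
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    # Write the archive and return the manifest taken at backup time.
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return make_manifest(source)


def verify_backup(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and compare against the manifest.

    Returns a list of problems; an empty list means the backup restores cleanly.
    """
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        restore = Path(restore_dir)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe extraction filter where this Python supports it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(restore, **kwargs)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            # A backup that cannot be read is the worst case: say so loudly.
            return [f"archive unreadable: {exc.__class__.__name__}"]
        restored = make_manifest(restore)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif restored[rel] != digest:
                problems.append(f"corrupt: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    # Constructed sample tree, backed up, verified, then deliberately damaged.
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "site"
        (src / "data").mkdir(parents=True)
        (src / "settings.php").write_text("<?php // constructed sample\n")
        (src / "data" / "users.csv").write_text("alice,1\nbob,2\n")
        archive = work / "site.tar.gz"
        manifest = create_backup(src, archive)
        healthy = verify_backup(archive, manifest)
        # Simulate a damaged backup by truncating the archive to half its size.
        blob = archive.read_bytes()
        archive.write_bytes(blob[: len(blob) // 2])
        damaged = verify_backup(archive, manifest)
    return healthy, damaged


if __name__ == "__main__":
    ok, bad = demo()
    print("healthy backup problems:", ok)
    print("damaged backup problems:", bad)
```

Running this as a scheduled job against real archives (restore to scratch space, compare, alert on a non-empty list) is the minimum that turns a backup from a hope into a tested recovery path.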
Some other stuff
Technical debt & McFly theorem
Maintenance, patches and other drugs
Post-mortem report
In Summary
Investment, not waste
Try to involve everyone
Security is a process
Education!
Thank you!
@RabbitLair
zequi[at]lullabot[dot]com