Something-About-Security

Security-focused talk given at the Aarhus .NET User Group

On Github cyberzed / Something-About-Security

ditmer

Important stuff...

  • Toilets are behind the green doors
  • WiFi: ditmerVisitor
    • Password: Numen44sas

Statistics

  • 55+ employees
  • 6 times gazelle
  • 7300 cups of coffee per month

Customers & Products

  • SBSYS (ESDH)
  • ditmerFlex
  • LetDialog
  • Wide range of webprojects

Join the army!

Open positions

IWDK Foosball Tournament

Something about security

Who am I?

  • Stefan Daugaard Poulsen
  • Aarhus, Denmark
  • AP in computer science
  • CISSP
  • Jack of many trades at ditmer a/s
    • Developer
    • Consultant
    • Infrastructure
    • Security
    • ...but not management

Where am I?

What do we think security is?

Swordfish

Hacking WOPR - War Operation Plan Response - US military

Hack the Gibson

Passwords?

  • Reuse
  • Weak
  • Written on the wall

A 2015 study showed that 59% of Americans reuse passwords

Cracking facts

It used to be hard

Oldsk00l stats

  • 6 chars using all printable chars
    • 735.091.890.625 (95^6) different combinations
    • 29 years in 1979

Longer passwords weren't always proportionally better

Windows XP still stored the LAN Manager (LM) hash for compatibility: the password is upper-cased, padded to 14 characters, and the two 7-character halves are hashed independently

26^7 + 26^7 instead of 26^14

Fast forward

Longer passwords

  • 15 chars takes a while...
    • 463.291.230.159.753.366.058.349.609.375 (95^15) different combinations
    • 41.973.910.103 years (with the 2012 setup)
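The arithmetic behind the numbers above, as an added example (not code from the slides): it reproduces the 95^6 and 95^15 keyspaces, derives the cracking rate each "N years" figure implies, and shows why the LM split turns 26^14 into 26^7 + 26^7. The 1979 and 2012 rates are back-calculated from the slide figures, not measured; everything else is plain counting.

```python
"""
Added example (not from the slides): the keyspace arithmetic behind the
cracking numbers above, plus the effect of the LM hash split.
Python ints are arbitrary precision, so 95**15 is exact.
"""

PRINTABLE_ASCII = 95      # space through '~'
UPPERCASE_LETTERS = 26    # LM upper-cases everything, so a-z collapses to A-Z
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return charset_size ** length


def lm_keyspace(length: int, charset_size: int = UPPERCASE_LETTERS) -> int:
    """Work to brute-force an LM hash of a password of this length.

    LM pads the upper-cased password to 14 characters and hashes the two
    7-character halves independently, so the attacker cracks each half on
    its own and the costs add instead of multiply.  A second half that is
    all padding hashes to a fixed, well-known value and costs nothing.
    """
    if not 1 <= length <= 14:
        raise ValueError("LM only covers passwords of 1..14 characters")
    first_half = min(length, 7)
    second_half = max(length - 7, 0)
    work = charset_size ** first_half
    if second_half:
        work += charset_size ** second_half
    return work


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given cracking rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def implied_rate(space: int, years: float) -> float:
    """Cracking rate (guesses/s) that a slide's 'N years' figure implies."""
    return space / (years * SECONDS_PER_YEAR)


if __name__ == "__main__":
    # The two data points from the slides: 95^6 in 29 years (1979),
    # 95^15 in 41,973,910,103 years (2012 setup).
    rate_1979 = implied_rate(keyspace(PRINTABLE_ASCII, 6), 29)
    rate_2012 = implied_rate(keyspace(PRINTABLE_ASCII, 15), 41_973_910_103)
    print(f"1979 setup: ~{rate_1979:,.0f} guesses/s")
    print(f"2012 setup: ~{rate_2012:,.0f} guesses/s")

    # Why LM compatibility hurt: 14 characters should mean 26**14 of work,
    # but the split leaves only 2 * 26**7.
    full = keyspace(UPPERCASE_LETTERS, 14)
    split = lm_keyspace(14)
    print(f"26^14 = {full:,}  vs LM split {split:,}  ({full // split:,}x less work)")
    print(f"LM 14-char worst case at the 2012 rate: {split / rate_2012:.3f} seconds")
```

The implied 2012 rate comes out around 350 billion guesses per second, which is why a 14-character LM password falls in a fraction of a second while the same length with a full 95-character alphabet and a modern hash is still out of reach.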

Writings on the wall

HTTPS?

  • Does it solve everything?

We all know, but does our mother?

When is it insecure?

Other?

Missing authentication

Config left overs

Allowing non-secure content

Is it only software and hardware?

Essential security

CIA

C is for cookie...

or was it Confidentiality

Least privilege

Encryption

I is for ice...

yes it is Integrity

Transactions

Consistency/Quality of data

A is for alcohol

it should be Availability

Always up

There when you need it

Definitions

Preservation of confidentiality, integrity and availability of information.

ISO/IEC 27000:2009

The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability

CNSS 2010

Committee on National Security Systems

  • Governance
  • Risk Management
  • Compliance

Too fluffy!

Business continuity

Disaster recovery

Risks

Breaches

Leaks

Failure

Threat categories

  • Human
  • Natural
  • Technical
  • Physical
  • Environmental
  • Operational

Natural = Fire, flood

Environmental = utility etc

Operational = Process

How to rate risk?

  • Likelihood
  • Consequence

Qualify likelihood

  • Skill
    • High skill level required
    • Low or no skill required
  • Ease of Access
    • Very difficult to do
    • Very simple to do
  • Incentive
    • High incentive
    • Low incentive
  • Resource
    • Requires expensive or rare equipment
    • No resources required

Does not fit all threats

Consequence

  • Insignificant
    • Low - No business impact
  • Minor
    • Low - Minor business impact, some loss of confidence
  • Moderate
    • Medium - Business is interrupted, loss of confidence
  • Major
    • High - Business is disrupted, major loss of confidence
  • Catastrophic
    • High - Business cannot continue

Motivation

The people factor

  • Political
  • Moral
  • Cultural / Religious

Anonymous

Panama papers

Financially

$80 Million hack

Government

  • Intelligence agencies

Thrill/Entertainment

  • Getting the legit hack

Trade secrets

Espionage

Revenge

Defamation

Hiding crime

Steganography

Samples

  • Hacking Team
    • 400 GB of data stolen
  • Office of Personnel Management
    • Estimated 21.5 million records stolen
  • Panama Papers
    • 11.5 million documents leaked
    • 2.6 TB of data leaked
  • BeautifulPeople
    • 1.1 million profiles
  • Slack

Sometimes it is evil intent; other times it is a lack of procedure, or actually following the procedure

The OPM hack is suspected to have been carried out by China

The BeautifulPeople breach was discovered by a researcher

Slack exposed teams based on an email entry

What could you face?

  • Hacking
  • Exploiting
  • Phishing
    • Spear phishing
  • Social engineering
    • Whaling
  • DDoS

Attack vectors

  • Old hardware
  • Vulnerabilities
  • Human errors
    • Lack of awareness
  • Lack of procedure

Stop Hammertime

Are we holding it wrong?

What we already should be doing

OWASP Top 10 (2013)

  • Injection (SQL, OS command, LDAP, ...)
  • Broken Authentication and Session Management
  • Cross-Site Scripting (XSS)
  • Insecure Direct Object References
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Function Level Access Control
  • Cross-Site Request Forgery (CSRF)
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards

Rumour has it that one of these was part of how the Panama Papers leaked

Don't tell too much

  • X-AspNet-Version
  • X-Powered-By
  • X-AspNetMvc-Version
  • Server

HTTPS

  • Is it enough?

Be aware of...

Pineapples

MitM

  • Public WiFi
  • Guest WiFi
  • WiFi addicts

People will do anything for free WiFi

~Niall Merrigan

What we need to be aware of

  • Content-Security-Policy
  • HTTP Strict Transport Security
  • Public Key Pinning
  • X-Frame-Options
  • X-Xss-Protection
  • X-Content-Type-Options

Trust on first use! (HSTS and HPKP only protect after the first HTTPS visit, unless the site is on the browser preload list)

CSP - approves which sources the browser may load from

HSTS - stay on HTTPS

HPKP - pins the public keys your certificate chain may use; a wrong pin locks out your own users, and browsers have since removed support

XFO - who can frame you

Tools of the trade

NWebSec

Scott Helme

OWASP

FreedomeVPN

How to test?

http://securityheaders.io
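An offline version of that check, as an added example (not the securityheaders.io code and not from the slides): it takes a response's headers and reports both what the "Don't tell too much" slide warns about (Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version, which ASP.NET and IIS send by default) and which of the hardening headers from the list above are missing or weak. The one-year HSTS threshold and the two sample header sets are this example's own assumptions; HPKP is not checked because browsers no longer honour it. In ASP.NET the version headers are switched off in web.config and via MvcHandler.DisableMvcResponseHeader, and NWebSec adds the hardening headers.

```python
"""
Added example (not from the slides): a small offline take on the
securityheaders.io check.  Feed it a site's response headers and it
reports headers that tell too much and hardening headers that are
missing or weak.
"""
from typing import Dict, List

# Headers that only help an attacker fingerprint the stack.  IIS adds
# Server, ASP.NET adds the X-* ones, unless you turn them off.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Minimum HSTS max-age accepted here: one year.  Our threshold, not a
# value from the slides.
MIN_HSTS_MAX_AGE = 31_536_000


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; compare them lower-cased."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def check_hsts(value: str) -> List[str]:
    """Parse 'max-age=31536000; includeSubDomains; preload' and judge it."""
    findings: List[str] = []
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["strict-transport-security: max-age missing or not a number"]
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"strict-transport-security: max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("strict-transport-security: includeSubDomains not set, subdomains still reachable over HTTP")
    return findings


def check_csp(value: str) -> List[str]:
    """Flag a CSP whose script sources approve everything or inline script."""
    findings: List[str] = []
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        name, _, sources = directive.strip().partition(" ")
        if name:
            policy[name.lower()] = sources.split()
    # script-src falls back to default-src, as the browser does.
    script_src = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    if not script_src:
        findings.append("content-security-policy: no script-src or default-src, scripts unrestricted")
    if "'unsafe-inline'" in script_src:
        findings.append("content-security-policy: 'unsafe-inline' in script sources defeats XSS protection")
    if "*" in script_src:
        findings.append("content-security-policy: wildcard script source")
    return findings


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    h = _normalise(headers)
    findings: List[str] = []
    for name in DISCLOSURE_HEADERS:
        if name in h:
            findings.append(f"discloses {name}: {h[name]}")
    if "content-security-policy" in h:
        findings += check_csp(h["content-security-policy"])
    else:
        findings.append("missing content-security-policy")
    if "strict-transport-security" in h:
        findings += check_hsts(h["strict-transport-security"])
    else:
        findings.append("missing strict-transport-security")
    if h.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append("x-frame-options missing or not DENY/SAMEORIGIN, page can be framed")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options missing or not nosniff")
    if "x-xss-protection" not in h:
        findings.append("missing x-xss-protection")
    return findings


# Constructed sample: what an out-of-the-box ASP.NET MVC site on IIS answers with.
DEFAULT_ASPNET = {
    "Server": "Microsoft-IIS/8.5",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
    "X-AspNetMvc-Version": "5.2",
    "Content-Type": "text/html; charset=utf-8",
}

# Constructed sample: the same site after the version headers are removed
# and the hardening headers from the slides are added.
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.invalid",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_ASPNET), ("hardened", HARDENED)):
        print(label, check_headers(sample) or ["no findings"])
```

Run it against headers captured with curl -I from your own site; the default sample yields nine findings, the hardened one none.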

Remember

  • Security is never done
  • Always think about security
  • Don't forget privacy
  • Don't wait until the last sprint
  • Pentesting doesn't show everything
  • You might just be the tool
  • You have an obligation to do good

Where can I learn more?

Troy Hunt

Niall Merrigan

Scott Helme

Pluralsight courses

Watch conference talks...there are loads of them

Find a friend with an interest in security

BY CYBERZED

@cyberzeddk
