Post on 28-May-2020
transcript
ADELAIDE HALF DAY SECURITY CONFERENCE 2019
#SecDaySA
Friday 7 June 2019
Welcome and opening address
Nathan Morelli, Adelaide Branch Chair at AISA
CYBERsmartsafe
secure
Thank you to our sponsors
Venue Sponsor
Event Sponsors
Akamai’s state of the internet
Fernando Serto, Head of Security Technology and Strategy for APJ at Akamai
Akamai Threat Brief, AISA Adelaide. Fernando Serto, Head of Security Technology and Strategy, APAC
7/June/2019
Growth of Web API Use: 2014 through 2018
[Chart: Web Hits by Content Type, 2014 vs 2018 (Text / HTML, Text / XML, App / XML, App / JSON); 83% API]
Source: Akamai ESSL Network, SOTI Q1 2019
API calls now dominate overall web hits
Things On The Internet Make Majority Of API Calls
About 1/3rd of Web API calls come from browsers.
The other 2/3rds come from mobile phones, gaming consoles, smart TVs, etc…
This is a huge challenge! (66%)
Source: Akamai SOTI Q1 2019
API SQL Injection - Concept
http://petstore.com/api/v1/pet/'%20or%20'1'='1
= SELECT * FROM pets WHERE petID = '' or '1' = '1'
API SQL Injection - Real life
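To make the concept slide concrete, here is an added example (not from the talk or from Akamai) that runs the slide's URL payload against a constructed in-memory petstore table, once through string-built SQL and once through a bound parameter; the table contents and function names are assumptions.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample rows standing in for the talk's petstore database.
PETS = [("p100", "Rex"), ("p200", "Tom"), ("p300", "Nemo")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pets (petID TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO pets VALUES (?, ?)", PETS)
    return conn


def lookup_pet_unsafe(conn, path_segment):
    """Vulnerable: the decoded path segment is spliced into the SQL text,
    so the slide's payload turns the WHERE clause into '' or '1'='1'."""
    pet_id = unquote(path_segment)
    sql = f"SELECT petID, name FROM pets WHERE petID = '{pet_id}'"
    return conn.execute(sql).fetchall()


def lookup_pet_safe(conn, path_segment):
    """Hardened: the value travels as a bound parameter, never as SQL,
    so the same payload is just a petID that does not exist."""
    pet_id = unquote(path_segment)
    sql = "SELECT petID, name FROM pets WHERE petID = ?"
    return conn.execute(sql, (pet_id,)).fetchall()


# The payload exactly as it appears in the request path on the slide.
PAYLOAD = "'%20or%20'1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_pet_unsafe(db, PAYLOAD))  # every row leaks
    print("safe:  ", lookup_pet_safe(db, PAYLOAD))    # no such petID
```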
Web APIs Are A Primary Target For Attackers Today
Web sites & Web APIs share the same (old) attack vectors – but APIs are often unprotected
APIs are more performant and less expensive to attack compared with traditional web forms
4X more credential stuffing attacks on APIs
Attack vector breakdown:
76% SQL injection
13% Local file include
6% Code injection
3% Command injection
2% Cross-site injection
Holiday Season 2018: Mobiles and APIs
SQLi: ~50% web vs ~76% mobile
* Data pre-Holiday Season
MUST HAVE: Positive and Negative Security Models
Example: What's In Your API Response?
Developers often make assumptions that systems will be used as intended... "Only my mobile app will call my API"
Simple order request to order entry APIs:
curl https://api.orderinput.com/v1/sku \
  -u sku_4bC39lelyjwGarjt: \
  -d currency=usd \
  -d inventory[type]=finite \
  -d inventory[quantity]=500 \
  -d price=3 \
  -d product=prod_BgrChzDbl \
  -d attributes[size]=medium
HTTP 200 OK https://success.api.orderinput.com/v1/sku-id
API response includes some interesting data: order_number=14586
Example: What's In Your API Response?
It is rare for developers to consider attack scenarios, especially non-traditional ones... "Sequential order numbers make sense"
But what if I submit subsequent orders over time and across various geographies?
HTTP 200 OK https://success.api.orderinput.com/v1/sku-id
order_number=23697
Example: But Why?
Honestly - we don't know. Same-store sales data? Competition? Investor?
API DoS is a problem!
A specially crafted request that causes multiple hash collisions can cause a DoS attack on the server.
Eg: {"4vq":"key1", "4wP2":"key2", "5Uq":"key3", "5VP":"key4", "64q":"key5"}
A large payload of the above pattern, when sent to a vulnerable json_decode function on a server, can slow down the server.
A specially crafted request with deep nesting, as shown below, can exhaust server memory very quickly.
Eg: {"p":{"p":{"p":{...}}}}
A large payload of the above pattern, when sent to a vulnerable deserializer, can slow down a server.
The problems mentioned above can be mitigated by validating the maximum number of allowed parameters and setting a maximum nesting depth.
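An added example (not from the talk) of the mitigation the slide describes: a linear pre-parse scan that measures nesting depth and parameter count on the raw JSON text and rejects it before it reaches the recursive parser; the limits, function names and payload shapes are constructed assumptions.

```python
import json

# Assumed service limits; tune per API. Both are deliberately low so that
# the slide's two payload shapes are rejected long before a parser sees them.
MAX_DEPTH = 32
MAX_PARAMS = 1000


def scan_json_limits(raw):
    """One linear pass over raw JSON text: returns (max_depth, key_count).

    String state is tracked so that braces and colons inside string values
    are ignored. O(n) time and O(1) extra memory, so it is safe to run on
    untrusted input before a recursive json_decode-style parser.
    """
    depth = max_depth = keys = 0
    in_string = escaped = False
    for ch in raw:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
        elif ch == ":":
            keys += 1          # every key/value pair has exactly one ':'
    return max_depth, keys


def within_limits(raw, max_depth=MAX_DEPTH, max_params=MAX_PARAMS):
    depth, keys = scan_json_limits(raw)
    return depth <= max_depth and keys <= max_params


def safe_loads(raw, max_depth=MAX_DEPTH, max_params=MAX_PARAMS):
    """Reject oversize structures before json.loads ever sees them."""
    if not within_limits(raw, max_depth, max_params):
        raise ValueError("JSON exceeds nesting depth or parameter limits")
    return json.loads(raw)


# Constructed payloads shaped like the two patterns on the slide.
DEEP_PAYLOAD = '{"p":' * 5000 + "{}" + "}" * 5000
WIDE_PAYLOAD = json.dumps({f"k{i}": f"key{i}" for i in range(5000)})
```

Note that json.loads on DEEP_PAYLOAD alone would hit the interpreter's recursion limit, which is exactly the failure the guard keeps out of the request path.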
2018 DDOS Trends
❑ The size of the largest attacks has grown by approximately 6% on an annual basis
❑ Cyclic growth and retreat on a two-year basis observed on the median size of the attacks
❑ Smaller, more focused attacks can do as much damage as the larger-scaled counterparts
Attack Density & Trends 2017-18
Second Half of 2018: DDoS Attacks and Peak BW/Vector
DDoS Attacks by Week '18 (chart)
DDoS by Quarter:
2017 Q1: 1850 | 2017 Q2: 2354 | 2017 Q3: 2535 | 2017 Q4: 2348
2018 Q1: 2057 | 2018 Q2: 1845 | 2018 Q3: 2364 | 2018 Q4: 2142
Attack Density & Trends 2017-18 (chart labels: 39.8%, 97.7%, 95%, 1.35 Tbps)
DDOS ATTACK DENSITY: DDoS attack density grew from 560 Mbps to 783 Mbps.
DDOS ATTACK SIZE: Growth observed in attack size, with a median in January of 0.56 Gbps ballooning to 1.548 Gbps by December.
INCREASING MAGNITUDE OF THE DDOS ATTACKS: Jan '17: < 4.19 Gbps; Jan '18: < 5.91 Gbps; Dec '18: < 11.34 Gbps.
ONE OF THE LARGEST ATTACKS ON AKAMAI: On March 01, a software development company experienced a 1.35 Tbps DDoS attack using memcached UDP reflection.
Summary: DDOS Attack Trends
DDoS Attacks in FinServ
DDoS: INTERESTING TRENDS
• FSI companies usually get attacked with smaller volumetric attacks, but get attacked a lot more often.
• A major bank in Asia Pacific was hit with a 3.9 Gbps attack after Christmas.
• Another major bank keeps getting attacks between 600 Mbps and 3 Gbps.
• We are seeing more and more attacks that last less than a few minutes; sometimes it is hard to pick those up on monitoring tools.
• Organisation getting hit with small bursts of 3 Gbps.
Holiday Season 2018: Attack Traffic
7 million
SOTI – Cred Abuse By Vertical 2018
27.985 billion credential stuffing attempts in 8 months.
115 million attempts per day.
Credential Abuse: Attacks per day
Credential Abuse – FinServ: Attacks per day
Credential Abuse: Top Credit Union in US (* recap for some)
Credential Abuse into DDoS – Customer Case
• Over one weekend, Digital Bank's login site was subject to an aggressive credential stuffing attack which brought their internet banking (IB) site down.
• 65k IP addresses participated in the attack, from more than 120 countries.
• Two days later, a large DDoS attack was targeted against the flagship Internet Bank login site, which brought the site down as well.
Bots Bots Bots
Protecting 3rd Party Scripts
The Zero Trust buzzword
European Fin Serv Phishing Campaign: It starts with a text message
European Fin Serv Phishing Campaign: The phishing page
Phishing page set up on 'bankieren.cp2-rabobank.net/NL2/', where the Rabobank page has been imitated in an attempt to obtain credentials from unaware Rabobank users.
European Fin Serv Phishing Campaign: Is it working?
Source: CyberWarZone.com
Cybersecurity at UniSA
Dr Ben Martini and Dr Gaye Deehan, Program Directors at UniSA
Malicious office hardware
Norman Yue, Offensive Cyber Security Researcher
Backdooring Stuff
Some thoughts on modern meme theory, and its applications to securing the business-cyber agile cloud ecosystem.
Background / Motivation
Improvise. Adapt. Overcome.
Keylogging
The use of a computer program to record every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information.
Into the (Scan) Matrix!
Source: ZX Spectrum 128 Service Manual
Scan Matrix Sniffer
Scan Matrix -> Serial (+ Debugging)
Exfil (Wifi, Bluetooth)
Source Code!
github.com/CreateRemoteThread/starscream
Command Injection
Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application.
USB Hubs: Mouse (Compact)
USB Hubs: Mouse (Deluxe)
Extending the Attack
Modern Solutions for Modern Problems…
Abusing USB-C Power Delivery
USB Type-C
Power negotiation in USB-C is effectively optional.
USB Type-C
USB-C: What if…
USB-C: Prototype
USB-C: (but not game over)
Non-Traditional Exfil
Traditional Exfil
github.com/avast/retdec
Rethinking the Problem!
“Telstra Air”
Tools of the Trade (2018!)
Tools of the Trade (2019, Home Edition)
On Defensive Measures
Traditional controls are cat and mouse at best.
One bite-sized chunk at a time…
A Simple Start: SSL / User Behaviour
Beyond the C-I-A triad: Applying a privacy perspective to traditional security controls
Nicole Stephensen, Principal Consultant at Ground Up Consulting
Beyond the CIA triad: Applying a privacy perspective to traditional security controls
AISA ADELAIDE
7 June 2019
Nicole Stephensen
Once upon a time…
THEN vs NOW
PRIVACY LENS
Data vs. personal information
DATA: Information, especially facts or numbers, collected to be examined and considered and used to help decision-making, or information in an electronic form that can be stored and used by a computer.
PERSONAL INFORMATION: Information that identifies an individual or could reasonably lead to the identification of an individual.
1. Collection limitation
Does your restaurant need all of this PI simply to reserve a table?
2. Harms
Lost opportunity, economic loss, social detriment, loss of liberty (chart axes: Illegal / Unfair; Collective / Individual)
3. Watch out for function creep
What it's originally for… The expanded use… Combining with other tech or data sets
Apply a 'privacy lens' to reduce risk and improve outcomes
THANK YOU!
Cyber metrics and selling the dream
Ben Waters, Co-founder and COO at Cydarm Technologies
whoami
• Ben Waters, Co-founder & COO, Cydarm
• 8 years in cybersecurity
• Generalist – architecture, governance, risk, compliance, security operations, awareness
• Problem solver
Why the talk
“Failure is instructive. The person who really thinks learns quite as much from his failures as from his successes.”
– John Dewey
Setting the scene
• Organisation with lower security maturity
• Hadn’t had security leadership in a long time
• Culturally – lots of freedom, aversion to authority
• High insider threat
Take 1
Approach:
• “What have we done before?”
• “What data can I get?”
End Result: Failure
Security platforms *generally* don’t produce useful data.
Security Controls don’t produce great data
Confusion Matrix
      | Positive                   | Negative
True  | Attack blocked             | Legitimate traffic/process
False | Legitimate traffic/process | Control failure / misses
Example
Findings
• Data quality is important
Findings
• Heterogeneous environments are hard
Lessons Learned
• Don’t put up metrics you can’t explain
• Accuracy and integrity of the data is really critical
• Get comfortable saying “I can’t measure that”
Take 2
Approach:
1. Figure out what we should measure;
2. Figure out if we could measure it.
Back to Basics – “Security Hygiene”
• Vulnerability management & Patching
• Configuration management
• Identity and access management
• Employee lifecycle
Vulnerability & Patching Metrics
• Vulnerability age
• Vulnerability age by severity
• Vulnerability age over time
Configuration Management Metrics
• Systems meeting a defined baseline
• No. of unauthorised software
Identity and Access Metrics
• No. of users w/ local admin by department
• Accounts not logged in over x days
Employee lifecycle
• Awareness training as part of onboarding
• Awareness training delivered prior to travel
• Adherence to offboarding process
End Result
• Could only obtain data for ~60% of metrics
• Improved business & IT engagement and ownership of security
• Mandate to resolve control coverage issues
Key Takeaways
Metrics need to be actionable
Metrics you choose will probably have to reflect security maturity
• Decision Support
• Prioritisation
Measure inputs and outputs
Inputs
• You can control this
Outputs
• Have your inputs made a difference?
Example: Phishing Awareness Training
Understand the audience
Thanks!
Ben Waters
0416 199 402
bwaters@cydarm.com
@cydarmtech
Closing address
Damien Manuel, Board of Directors Chair at AISA
Our Structure
• Not-for-profit charity
• 8 branches in all major capital cities plus cloud branch
• Operated by branch executives (branch chair and branch deputy with a committee) - all volunteers (100+)
National Board of Directors - all volunteers
• Damien Manuel (Chair) (VIC - elected)
• Alex Woerndle (Deputy Chair) (VIC - appointed)
• Helaine Leggatt (VIC - elected)
• Mike Trovato (VIC - elected)
• Alex Hoffmann (SA - elected)
• Tracey Edwards (VIC - elected)
• Nicole Murdoch (QLD - appointed)
• Stephen Knights (NSW - elected)
• Joshua Craig (Secretary) (VIC)
Employees - paid staff
• Megan Spielvogel – Marketing & Operations Manager
• Sandra Blair – Admin & Finance
• Susanna Palermo – Event & Sponsorship Manager
• Nick Moore – Digital Content & Communications Producer
Our Members
Who are our members?
Membership trend – 2022 goal is 40,000 members
[Chart: membership by year, 2009-2019]
Commercial In Confidence – Not for public distribution
The Ecosystem
Training Partners
Certification Partners
Education Partners
Sponsors: Keystone, Foundation, Core
Branches: NT, QLD, NSW, VIC, ACT, TAS, SA, WA + Cloud
Events: Branches (Content, Thought, Social), BrisSec, Perth, SA Security Day, ACT Security Day, Australian Cyber Conference, Awards
Membership: Full Member - $77 + joining fee $22; Associate Member; Corporate Partnership Program (CPP)
Additional Items: EAB, Local partnerships, International partnerships, Fortnightly eDM, News feed
Final remarks
Nathan Morelli, Adelaide Branch Chair at AISA