Hacking Skills Not Required -...

Post on 04-Jun-2020


Hacking Skills Not Required: Your Vendor Security Programs are not a Secret

Bloomberg: Chris Berger, Global Head of Vendor Risk

RiskRecon: Michael Fowkes, VP, Engineering & Analytics

sig.org/eval

Confidential. May not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

In our New World, Data is the Silver Bullet (…it might be the only bullet…)

Control your third party risk reality


SaaS growth vs on-premise

- SaaS – 17.3% CAGR vs On-prem – 3.1% CAGR
- 5x
- 27.8% of enterprise apps SaaS-based by 2018
- “10x increase in number of cloud based solutions by 2018” – IDC Chief Analyst (2015)
- $216 Billion cloud market size by 2020
- 17.3% CAGR cloud market through 2020


When companies do things on the internet… they reveal a lot of stuff.


Data Processing Company: What you can learn starting with just the company name

- No inside information
- No hacking
- JUST LOOKING

- 265 Web Servers
- 28 Hosting Providers
- 7 Hosting Countries
- 6 Email Providers

Software

Software Patching

8% of Web Servers EOL
• IIS 4.0 – 1
• Netscape Enterprise 4.1 – 2
• IIS 6 – 13
• Apache 1.3 – 4
• NGINX 1.6 – 1

12% of App Servers EOL
• PHP 4.1 – 1
• PHP 5.2 – 2
• PHP 5.3 – 5
• Phusion Passenger 4.0 – 2
• Jetty 4.0 – 1

60% of CMS software EOL
• vBulletin 3.0 – 1
• WordPress 3.0 – 2
• WordPress 4.3 – 2
• Drupal 6.x – 2

Web Encryption

- 36% running SSLv2 or SSLv3
- 32% with invalid certificate subjects
- 12% with expired certificates

DNS Security

- 45% missing basic domain hijacking protection
- 11 different DNS hosting providers

Email Security

- 44% missing email encryption
- 6 email hosting providers
- 97% missing email domain authentication (SPF / DKIM)

Insurance Company: What you can learn starting with just the company name

- No inside information
- No hacking
- JUST LOOKING

- 347 Web Servers
- 42 Hosting Providers
- 18 Hosting Countries
- 33 Email Providers

Software


Software Patching

12% of Web Servers EOL
• IIS 6.0 – 55
• NGINX 1.4 – 2
• NGINX 1.2 – 1

10% of App Servers EOL
• PHP 5.3 – 5
• PHP 5.4 – 1
• Phusion Passenger 4.0 – 2


9% of CMS software EOL
• Adobe GoLive – 1
• Drupal 6.22 – 1
• Drupal 7.3 – 1


Web Encryption

- 37% running SSLv2 or SSLv3
- 38% with invalid certificate subjects
- 7% with expired certificates

DNS Security

- 70% missing basic domain hijacking protection
- 90 different DNS hosting providers

Email Security

- 17% missing email encryption
- 33 email hosting providers
- 98% missing email domain authentication (SPF / DKIM)
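The "missing email domain authentication" finding on this slide and on the data processing company's Email Security slide above can be reproduced for a vendor's domain from public DNS alone. The following Python is an added example, not the presenters' or RiskRecon's code; it assumes constructed TXT answers in place of a live resolver and adds a DMARC policy check beyond the SPF / DKIM named on the slide.

```python
"""Classify a domain's email domain authentication from its DNS TXT records.
Added example, not the presenters' or RiskRecon's code. The TXT answers are
constructed; a real check would resolve <domain> and _dmarc.<domain> instead.
DKIM needs the sender's selector name, so only SPF and DMARC are evaluated."""
import re

# Constructed answers for three fictional vendor domains.
TXT_RECORDS = {
    "vendor-a.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.vendor-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example"],
    "vendor-b.example": ["v=spf1 +all"],                  # SPF present but allows any sender
    "vendor-c.example": ["google-site-verification=abc"],  # no SPF record at all
}

def lookup_txt(name):
    return TXT_RECORDS.get(name.lower(), [])

def spf_policy(domain):
    """Return 'missing', 'permissive', 'soft' or 'strict' for the domain's SPF."""
    spf = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:            # zero records, or several, both mean no usable SPF
        return "missing"
    all_term = next((t for t in spf[0].split() if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:         # no 'all' mechanism: unlisted senders are neutral
        return "permissive"
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier in "+?":        # +all / ?all: anyone may send as this domain
        return "permissive"
    return "soft" if qualifier == "~" else "strict"

def dmarc_policy(domain):
    """Return the DMARC p= value ('none', 'quarantine', 'reject') or 'missing'."""
    for r in lookup_txt("_dmarc." + domain):
        if r.lower().startswith("v=dmarc1"):
            m = re.search(r"\bp=(none|quarantine|reject)\b", r, re.I)
            return m.group(1).lower() if m else "missing"
    return "missing"

def email_auth_posture(domain):
    """Collapse both checks into the deck's finding: authenticated or missing."""
    spf, dmarc = spf_policy(domain), dmarc_policy(domain)
    ok = spf in ("soft", "strict") and dmarc in ("quarantine", "reject")
    return {"spf": spf, "dmarc": dmarc, "authenticated": ok}

if __name__ == "__main__":
    for d in ("vendor-a.example", "vendor-b.example", "vendor-c.example"):
        print(d, email_auth_posture(d))
```

Run against a portfolio of vendor domains, the share returning `authenticated: False` is the same number the slide reports; a `+all` record counts as missing because it authenticates nothing.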


Michael Fowkes, mike@riskrecon.net

Control your third party risk reality

Evaluation How-to:

Why? Your feedback drives SIG Event content. By signing and submitting your evaluation, you are automatically entered into a prize drawing.

How?

Option 1: App
1. Select Schedule
2. Select Schedule by Day
3. Select Day
4. Select Session
5. Scroll to Description
6. Click on the Evaluation link

Option 2: Browser
1. Go to www.sig.org/eval
2. Select Session (#28)

COMPLETE & SUBMIT EVAL

Tweet: #SIGfall16

Session #28: Hacking Skills Not Required: Your Vendor Security Programs are not a Secret

Speakers:
- RiskRecon: Michael Fowkes, 801-558-6150, mike@riskrecon.net
- Bloomberg: Chris Berger, 631-374-1185, CBerger17@Bloomberg.net

www.sig.org/eval

Download the App: bit.ly/SIGfall16