
Security: It's more than just your database you should worry about

Date post: 07-Jul-2015
Upload: david-busby
Description:
Security isn't deploying some overbearing big-brother hardware or software solution, and it isn't running scanning software that tells you you're safe; in reality, with those kinds of setups, you're not. Security is akin to high availability: there you deploy multiple redundancies to ensure you can still operate, and the same can and should be applied to security. Identify the potential areas of attack, reduce that attack surface, and deploy multiple redundancies to secure your deployments.
Page 1: Security its-more-than-just-your-database-you-should-worry-about

Security: It's more than just your database you should worry about

David Busby, Information Security Architect, 2014-11-02

Page 2

• David Busby
  – Percona since January 2013
  – R.D.B.A
  – EMEA && Security Lead
  – I.S.A (current)
  – 14 years sysadmin / dev
  – Ju-Jitsu instructor for N.F.P club
  – Volunteer assist teaching computing at Secondary school

Page 3

Agenda

• Got F.U.D?
• What is an attack surface?
• D.A.C, M.A.C, I.P.S, I.D.S, WTF?
• Heartbleed / Shellshock / #gate / #bandwagon
• Detection or prevention: the boy who cried wolf
• Emerging tech to keep an eye on.
• 2014 … it's been interesting

Page 4

Here be dragons ...

• Previous talks focused on a select set of identification and prevention
• This talk is different …
• Focus is on a mindset change for pure identification of potential attack vectors, as well as clarification of some points along the way
• There's F.U.D by the ton; and we each get a shovel.

Page 5

Got F.U.D?

• Fear Uncertainty Doubt
• C.R.I.M.E (CVE-2012-4929)
• B.E.A.S.T (CVE-2011-3389)
• Heartbleed (CVE-2014-0160)
• Shellshock CVE-2014-6271, 6277, 6278, 7169, 7186, 7187
• P.O.O.D.L.E (CVE-2014-3566)

Page 6

What's an “attack surface”?

• Potential areas for compromise
  – Application
  – Database
  – Network
  – Hardware
  – Software
  – Employees
  – Other

Page 7

What's an “attack surface”?

• Application
  – Engine / Interpreter, e.g. Java, PHP, etc.
    ● e.g. PHP CVE-2011-4885 (hash collide)
  – Framework
    ● Or most likely a plugin
  – Developer errors, SQLi, XSS, CSRF etc ...
  – HTTP Service Apache, Nginx, Lighttpd, etc.
  – Sysadmin errors e.g. misconfiguration of SSL ciphers / certs

Page 8

What's an “attack surface”?

• Database
  – Weak passwords
  – Over-permissive grants
  – Overly broad host specifications e.g. @%
  – Vulnerabilities in service (often denoted by CVEs e.g. CVE-2012-2122)
  – Poor isolation (Network, users etc)
  – Malicious plugins e.g. UDFs
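The grant hygiene items on this slide (weak or missing passwords, over-permissive grants, @% host specifications) can be checked mechanically from SHOW GRANTS output. The following is an added example, not code from the talk: it parses the MySQL 5.x SHOW GRANTS statement format, and the grant lines it audits are constructed. The "no password" check relies on that format, where the password hash is printed on the account's *.* line; on newer servers that clause is absent and the check would need to query mysql.user instead.

```python
import re

# Privileges that reach beyond a single schema: FILE reads and writes the
# server's filesystem, SUPER and PROCESS expose other sessions, GRANT OPTION
# lets the account hand out its own rights, ALL PRIVILEGES covers them all.
DANGEROUS_PRIVS = {"ALL PRIVILEGES", "FILE", "SUPER", "PROCESS", "SHUTDOWN", "GRANT OPTION"}

# One statement as printed by SHOW GRANTS FOR 'user'@'host' (MySQL 5.x format).
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$",
    re.IGNORECASE,
)


def audit_grant(line):
    """Return (account, [issues]) for one GRANT statement."""
    match = GRANT_RE.match(line.strip().rstrip(";"))
    if not match:
        raise ValueError(f"not a GRANT statement: {line!r}")
    user, host, scope = match.group("user"), match.group("host"), match.group("scope")
    privs = {p.strip().upper() for p in match.group("privs").split(",")}
    rest = match.group("rest").upper()
    if "WITH GRANT OPTION" in rest:
        privs.add("GRANT OPTION")

    issues = []
    if user == "":
        issues.append("anonymous account")
    if host == "%":
        issues.append("host '%' lets the account connect from any address")
    if scope == "*.*" and privs - {"USAGE"}:
        issues.append("privileges granted globally (*.*) instead of per schema")
    dangerous = sorted(privs & DANGEROUS_PRIVS)
    if dangerous:
        issues.append("dangerous privileges: " + ", ".join(dangerous))
    # MySQL 5.x prints the password hash on the account's *.* line; a global
    # grant with no IDENTIFIED BY clause means the account has no password.
    if scope == "*.*" and "IDENTIFIED BY" not in rest:
        issues.append("no password set")
    return f"{user}@{host}", issues


def audit_grants(lines):
    """Issues per account; accounts with nothing to report are left out."""
    findings = {}
    for line in lines:
        account, issues = audit_grant(line)
        if issues:
            findings.setdefault(account, []).extend(issues)
    return findings


# Constructed SHOW GRANTS output, not taken from any real server.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'app'@'10.0.1.%' IDENTIFIED BY PASSWORD '*CONSTRUCTEDHASH'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'app'@'10.0.1.%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'legacy'@'%' WITH GRANT OPTION",
    "GRANT SELECT ON *.* TO ''@'%'",
]

if __name__ == "__main__":
    for account, issues in audit_grants(SAMPLE_GRANTS).items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

The application account with a subnet wildcard and per-schema grants comes back clean; the two accounts that can connect from anywhere with global privileges and no password are the ones that need fixing first.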

Page 9

What's an “attack surface”?

• Network
  – Overly open ACL
  – Little or no isolation
  – Little or no monitoring
  – Little or no packet inspection
  – “An open playground”
  – Hardware embedded OS vulnerabilities
  – Other entry points
    ● It's not limited to Ethernet / 2.4 && 5 GHz WiFi (look at the NSA ANT catalogue)

Page 10

What's an “attack surface”?

• Hardware
  – Lack of tamper evident seals
  – Lack of control of use
  – Malicious USB / Firewire / etc
    ● COTTONMOUTH-I
    ● Iron Geek's plug & prey
    ● USB Rubber Ducky
  – Embedded firmware vulnerabilities
  – “Freebie” / “Gift” / “Other”
  – Lack of physical access controls
    ● e.g. Barclays £1.3M Theft
  – Lack of $vendor updates (e.g. Android)

Page 11

What's an “attack surface”?

• Lock all the things!
  – Combination T.S.A locks
    ● Easily picked
  – Traditional tumbler locks
    ● Picking / bump keys
  – Biometrics
    ● Mythbusters
• Key pads
  – Check for wear / dirt marks / vendor codes
• Key switches (e.g. in lifts)
  – As per above
• Room card keys
  – Magstripe read and write
• RFID
  – Easily read tags content and replay

Page 12

What's an “attack surface”?

• And then there's … I.o.T
  – T.V
  – Cameras
  – Light bulbs
  – Fridges
  – Home automation
  – Locks
  – Printer
    ● Cloud print …
  – Etc
  – Supervisory Control And Data Acquisition
    ● Let's put a hydro electric dam control system on the internet!

Page 13

What's an “attack surface”?

• But wait … there's more!
• Your cars
• Medical devices (more famously RF enabled pacemakers), wireless insulin pumps etc …
• https://www.iamthecavalry.org/

Page 14

What's an “attack surface”?

• Software
  – Modified binaries
  – “Install for FREE STUFF!”
  – Unaudited source code … cough cough
    ● Truecrypt, openssl ...
  – Poor isolation (no M.A.C, only D.A.C)
  – Process injection, buffer overflows etc …
  – Unpatched software

Page 15

What's an “attack surface”?

• Employees
  – “I put all my details on this pastebin, can you take a look?”
  – “Sure you can use my phone / workstation!”
  – “So all I have to do is click this link?”
  – “Oh you're from HR? Sure I can install that!”
  – “A magic trick? YEY!”
  – “FREE STUFF?!”

Page 16

What's an “attack surface”?

• Employees
  – Phishing / Spear Phishing
  – Social engineering
  – D.L.P bypass is no longer just crafted devices
    ● Making commodity USB "evil"
    ● Derbycon presentation
    ● Adam Caudill && Brandon Wilson
  – Implied trust
    ● Uniform / Badge != Proof

Page 17

What's an “attack surface”?

• Other
  – Side channel attacks
    ● Cache timing
    ● Co-residency (side channel against “cloud”)
  – Unintentional “emissions”
    ● Melissa Elliot “Noise Floor”
    ● S.D.R (Software Defined Radio)
    ● Monitor / Display, RAM, F.S.B, etc ...

Page 18

F.U.D!

Page 19

Well … not so much

Page 20

D.A.C, M.A.C, I.P.S, I.D.S … WTF?

• Discretionary Access Control
  – POSIX permissions
    ● File mode
    ● UID
    ● GID
    ● Software runs with same permissions as user and group
    ● e.g. your browser could read ~/.ssh/id_rsa in this model
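To make the DAC point concrete, the added example below (not from the talk) walks a constructed ~/.ssh directory: it reports which private keys the mode bits expose to group or world, and shows that a 0600 key is still fully readable by any other process running as the same UID, which is exactly the gap that a MAC policy (next slide) closes. The directory, file names and key contents are all constructed in a temporary directory, so nothing on the real system is touched.

```python
import os
import stat
import tempfile

PRIVATE_KEY_NAMES = ("id_rsa", "id_dsa", "id_ecdsa", "id_ed25519")


def dac_readers(path):
    """Which principal classes the POSIX mode bits let read `path`.

    The "owner" entry covers every process running as that UID: under pure
    DAC there is no way to say "the ssh client may read this, the browser
    may not", which is the gap MAC policy fills."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "owner": bool(mode & stat.S_IRUSR),
        "group": bool(mode & stat.S_IRGRP),
        "other": bool(mode & stat.S_IROTH),
    }


def loose_private_keys(ssh_dir):
    """Private keys in `ssh_dir` that group members or everyone else can read."""
    loose = []
    for name in sorted(os.listdir(ssh_dir)):
        if name in PRIVATE_KEY_NAMES:
            readers = dac_readers(os.path.join(ssh_dir, name))
            if readers["group"] or readers["other"]:
                loose.append(name)
    return loose


def same_uid_process_can_read(path):
    """Stand-in for an unrelated program (a browser, a build script) running as
    the key's owner: DAC grants it exactly the same access the owner has."""
    try:
        with open(path, "rb") as fh:
            return fh.readline().startswith(b"-----BEGIN")
    except PermissionError:
        return False


def demo():
    """Constructed home directory with one tight (0600) and one loose (0644) key."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir, 0o700)
        for name, mode in (("id_rsa", 0o600), ("id_ed25519", 0o644)):
            path = os.path.join(ssh_dir, name)
            with open(path, "w") as fh:
                fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED, NOT A REAL KEY\n")
            os.chmod(path, mode)
        return loose_private_keys(ssh_dir), same_uid_process_can_read(os.path.join(ssh_dir, "id_rsa"))


if __name__ == "__main__":
    loose, readable = demo()
    print("keys readable beyond the owner:", loose)
    print("0600 key still readable by a same-UID process:", readable)
```

Tightening modes fixes the first finding; only a MAC policy (SELinux, AppArmor) can change the second.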

Page 21

D.A.C, M.A.C, I.P.S, I.D.S … WTF?

• Mandatory Access Control
  – SELinux
    ● Process running with context x
      ● e.g. MySQL
    ● Access to resource y
      ● listen *:3306
    ● Denied access to resource z
      ● Connect *:80
  – App armor
  – Gazzang (Has some M.A.C)

Page 22

Heartbleed/Shellshock/#bandwagon

• “Media”
  – Need to drive views / purchases aka revenue
  – F.U.D “slinging” is an effective method for this. (Everything is a Virus)
    ● e.g. The Register's “Critical SSL vulnerability out tomorrow”
    ● No detail
    ● No sources
    ● PURE F.U.D

Page 23

Heartbleed/Shellshock/#bandwagon

• But naming vulnerabilities has its place
  ● C.R.I.M.E / CVE-2012-4929
  ● B.E.A.S.T / CVE-2011-3389
  ● Heartbleed CVE-2014-0160
  ● Shellshock CVE-2014-6271, 6277, 6278, 7169, 7186, 7187
  ● P.O.O.D.L.E CVE-2014-3566

Page 24

Heartbleed/Shellshock/#bandwagon

• Even if it can go a bit far ...

Page 25

Heartbleed/Shellshock/#bandwagon

• There is hope behind the hype.
  ● Elastica Inc @ Vimeo
    ● Heartbleed instructional video
    ● Shellshock instructional video
    ● Poodle instructional video

Page 26

Detection or prevention

• Why not both?
  – Block known “bad”
    ● By writing your own rules
    ● Regularly syncing with emerging rules
  – Allow known “good”
    ● IPS / WAF blocking your app? Write an exception, carefully!
    ● Be selective!
    ● e.g. don't: if /cart(.*) then skip
  – Log everything else
    ● And check the logs!
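The exception advice on this slide is easier to see with a toy rule set. The added example below is not the talk's code: it is a small Python stand-in for an IPS/WAF with four constructed signatures, and it contrasts the `if /cart(.*) then skip` exception the slide warns against with a selective exception scoped to one endpoint, one parameter and one rule. The request strings are constructed; the legitimate one is a free-text order note that happens to end in `--` and so trips the comment signature.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# A deliberately tiny stand-in for an IPS/WAF "known bad" rule feed.
BAD_PATTERNS = [
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE)),
    ("sqli-union", re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)),
    ("sqli-comment", re.compile(r"--\s*$")),
    ("path-traversal", re.compile(r"\.\./")),
]


def inspect(request):
    """Yield (signature, field) for every rule hit in the decoded path and query values."""
    parts = urlsplit(request)
    fields = [("path", unquote_plus(parts.path))]
    fields += parse_qsl(parts.query, keep_blank_values=True)  # parse_qsl already decodes
    for field, value in fields:
        for name, pattern in BAD_PATTERNS:
            if pattern.search(value):
                yield name, field


def decide(request, excepted):
    """Block on any hit the exception does not cover; otherwise allow and log the hits."""
    hits = list(inspect(request))
    blocking = [hit for hit in hits if not excepted(request, *hit)]
    if blocking:
        return "block", blocking
    return "log", hits


def broad_exception(request, signature, field):
    """The shape the slide warns against: `if /cart(.*) then skip`."""
    return urlsplit(request).path.startswith("/cart")


def selective_exception(request, signature, field):
    """Only the endpoint, parameter and rule where free text legitimately trips the rule."""
    return (urlsplit(request).path == "/cart/note"
            and field == "text" and signature == "sqli-comment")


# Constructed requests: one legitimate false positive, then three that must stay blocked.
LEGIT_NOTE = "/cart/note?item=42&text=Leave+at+the+door+--"
SQLI_IN_CART = "/cart/add?item=1'+or+'1'='1"
TRAVERSAL_UNDER_CART = "/cart/../admin/config"
SQLI_ELSEWHERE = "/search?q=x'+union+select+password+from+users+--"

if __name__ == "__main__":
    for label, req in [("legit note", LEGIT_NOTE), ("sqli in cart", SQLI_IN_CART),
                       ("traversal", TRAVERSAL_UNDER_CART), ("sqli elsewhere", SQLI_ELSEWHERE)]:
        print(f"{label:15} broad={decide(req, broad_exception)[0]:5} "
              f"selective={decide(req, selective_exception)[0]}")
```

Both exceptions let the legitimate note through, but the broad one also waves through an injection attempt and a traversal simply because they sit under /cart; the selective one still blocks them, and everything allowed is returned with its hits so it can be logged.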

Page 27

Detection or prevention

• Why not both?
  – Generate alerts
    ● e.g. logstash can send alerts to nagios
  – Y.M.W.V
    ● You will know your application's behaviour
    ● Consider what's “out of context”
    ● e.g. 10x increase in additions to shopping cart for invalid items (could be someone attempting SQLi)
    ● 10x increase in requests, could be a DoS
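The “out of context” idea on this slide, as an added example rather than anything from the talk: per-minute counts over constructed (minute, path, status) records, with a minute flagged when it reaches 10x the median of the preceding five. Both cases from the slide are covered, a burst of cart additions for invalid items and a burst of total requests; the factor, the warm-up window and the traffic shape are assumptions, and a real deployment would feed this from parsed access logs.

```python
from collections import Counter
from statistics import median


def bucket_counts(events, predicate):
    """Count the events in each minute bucket that satisfy predicate(path, status)."""
    counts = Counter()
    for minute, path, status in events:
        if predicate(path, status):
            counts[minute] += 1
    return counts


def out_of_context(counts, minutes, factor=10, warmup=5):
    """Flag minutes whose count is at least `factor` times the median of the
    preceding `warmup` minutes. Returns (minute, count, baseline) tuples."""
    alerts = []
    for i in range(warmup, len(minutes)):
        baseline = median(counts.get(m, 0) for m in minutes[i - warmup:i])
        current = counts.get(minutes[i], 0)
        # A burst out of silence should still fire, so never compare against 0.
        if current >= factor * max(baseline, 1):
            alerts.append((minutes[i], current, baseline))
    return alerts


def invalid_cart_adds(path, status):
    """Cart additions the application rejected: the slide's SQLi-probing hint."""
    return path == "/cart/add" and status >= 400


def any_request(path, status):
    """Everything: the slide's DoS hint."""
    return True


MINUTES = [f"07:{m:02d}" for m in range(10)]


def constructed_events():
    """Synthetic (minute, path, status) records: steady traffic, then two anomalies."""
    events = []
    for minute in MINUTES:
        events += [(minute, "/cart/add", 200)] * 3   # normal shoppers
        events += [(minute, "/", 200)] * 5
        events += [(minute, "/cart/add", 400)]        # the odd mistyped item id
    events += [("07:08", "/cart/add", 400)] * 30      # item ids being probed
    events += [("07:09", "/", 200)] * 100             # request flood
    return events


if __name__ == "__main__":
    events = constructed_events()
    print("invalid cart adds:", out_of_context(bucket_counts(events, invalid_cart_adds), MINUTES))
    print("all requests:     ", out_of_context(bucket_counts(events, any_request), MINUTES))
```

The two predicates fire on different minutes: the probing shows up only in the rejected-additions series, the flood only in the total-requests series, which is why the baseline has to be kept per question you are asking rather than per server.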

Page 28

Detection or prevention

• Detection
  ● Alert on set conditions
  ● SQLi, Fuzzing, out of context requests.
  ● Write Rules / exceptions to reduce “noise”
  ● Be specific in said rules!
• Prevention
  ● Block and alert
  ● Reduce “noise” through blacklists.
  ● {"timestamp":"2014-05-15T07:30:42.970624","event_type":"alert","src_ip":"101.227.170.42","src_port":58613,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 2","category":"Misc Attack","severity":2}}
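The eve.json record on this slide is what one alert looks like on disk. The added example below (not from the talk) shows the de-duplication step that sits between Suricata's eve.json output and whatever pages you (the slide's logstash to nagios hand-off): it also serves the “reduce noise” point on the next slide and the eve.json bullet on the Suricata slide later in the deck. The slide's record is used verbatim; the further lines, the CONSTRUCTED signature names and ids, the 192.0.2.10 source address and the suppression list are constructed.

```python
import json


def alerts_from_eve(lines):
    """Yield the alert events in a Suricata eve.json stream; skip other event
    types and lines that are not JSON (a truncated write, a rotated file)."""
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if event.get("event_type") == "alert":
            yield event


def aggregate(alerts, max_severity=2, suppressed_sids=frozenset()):
    """Collapse a stream of alerts into one notification per (signature, source).

    Severity 3+ and explicitly suppressed signature ids are dropped; repeats
    increment a counter instead of paging someone again."""
    notifications = {}
    for event in alerts:
        alert = event["alert"]
        if alert["severity"] > max_severity or alert["signature_id"] in suppressed_sids:
            continue
        key = (alert["signature_id"], event["src_ip"])
        if key not in notifications:
            notifications[key] = {
                "signature_id": alert["signature_id"],
                "signature": alert["signature"],
                "severity": alert["severity"],
                "src_ip": event["src_ip"],
                "dest_port": event.get("dest_port"),
                "count": 1,
                "first_seen": event["timestamp"],
                "last_seen": event["timestamp"],
            }
        else:
            notifications[key]["count"] += 1
            notifications[key]["last_seen"] = event["timestamp"]
    return list(notifications.values())


def notification_text(note):
    """One line suitable for a passive check result or a chat hook."""
    return (f"sev{note['severity']} {note['signature']} from {note['src_ip']} "
            f"to port {note['dest_port']} x{note['count']} "
            f"({note['first_seen']} .. {note['last_seen']})")


# The record shown on the slide (dest_ip is masked there as well).
SLIDE_ALERT = (
    '{"timestamp":"2014-05-15T07:30:42.970624","event_type":"alert",'
    '"src_ip":"101.227.170.42","src_port":58613,"dest_ip":"XXX.XXX.XXX.XXX",'
    '"dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,'
    '"signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known Compromised '
    'or Hostile Host Traffic group 2","category":"Misc Attack","severity":2}}'
)


def constructed_alert(ts, src_ip, sid, signature, severity):
    """Build a constructed eve.json alert line in the same shape as the slide's."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "src_ip": src_ip, "src_port": 40000,
        "dest_ip": "XXX.XXX.XXX.XXX", "dest_port": 22, "proto": "TCP",
        "alert": {"action": "allowed", "gid": 1, "signature_id": sid, "rev": 1,
                  "signature": signature, "category": "Constructed", "severity": severity},
    })


HOSTILE = "ET COMPROMISED Known Compromised or Hostile Host Traffic group 2"
EVE_LINES = [
    SLIDE_ALERT,
    constructed_alert("2014-05-15T07:30:43.100000", "101.227.170.42", 2500002, HOSTILE, 2),
    constructed_alert("2014-05-15T07:30:44.200000", "101.227.170.42", 2500002, HOSTILE, 2),
    constructed_alert("2014-05-15T07:31:00.000000", "192.0.2.10", 9000001, "CONSTRUCTED policy rule", 3),
    constructed_alert("2014-05-15T07:31:05.000000", "192.0.2.10", 9000002, "CONSTRUCTED noisy test rule", 2),
    '{"timestamp":"2014-05-15T07:31:06.000000","event_type":"flow","src_ip":"192.0.2.10"}',
    "not json: partial write",
]

if __name__ == "__main__":
    for note in aggregate(alerts_from_eve(EVE_LINES), suppressed_sids={9000002}):
        print(notification_text(note))
```

Seven lines in, one notification out: the three hits on the slide's signature collapse into one message with a count and a time span, the severity-3 policy alert and the suppressed signature never reach anyone, and the flow record and the half-written line are ignored rather than crashing the pipeline.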

Page 29

Detection or prevention

• Reduce NOISE!
  – Avoiding the “boy who cried wolf”
  – Aka staff becoming desensitized to the slew of alerts that “oh that's normal, just ignore”
  – “Familiarity breeds contempt”
• Why not just buy $product?
  – It's still an option but be 100% sure you know what you're buying.
    ● Paying over the odds for rebranded Nessus is never good.
    ● Ongoing rule updates, custom rule support, $vendor support to “tune” the appliance to your needs.

Page 30

Emerging tech to keep an eye on

• Fidoalliance.org
  – U2F (Universal two factor)
  – UAF (Universal authentication framework)
  – Google, Yubico, ARM, Bank of America, Lenovo, Mastercard, Discover, Microsoft, PayPal, Qualcomm, RSA, Samsung, Visa …
    ● The list of members is extensive
  – TL;DR improve security by implementing a common two factor auth standard; and commoditizing it to improve adoption.

Page 31

Emerging tech to keep an eye on

• Keybase.io
  – Nodejs
  – “socializes” GPG
    ● Tracking → sign a “snapshot” of their key and identity profile
    ● “On this date I <name> verify this is Joe Blogs's gpg key, twitter account … etc”
  – TL;DR wrapper and service to help spread the use of GPG
  – https://keybase.io/oneiroi/

Page 32

Emerging tech to keep an eye on

• Suricata
  – IDS / IPS
  – libjansson → eve.json
    ● Compatible with E.L.K stack: blog post
  – Multi-threaded
    ● Claims 10Gbit support with no ruleset sacrifice
    ● Protocol identification
    ● File identification, extraction
  – Open Information Security Foundation

Page 33

Emerging tech to keep an eye on

• E.L.K (Elasticsearch, Logstash, Kibana)
  – Easily store, index and visualize data
    ● e.g. suricata data

Page 34

Emerging tech to keep an eye on

• Docker
  – Wrapper for LXC
    ● “Linux containers”
  – Vagrant / git-esque CLI
  – Raw hardware access
    ● Not paravirtual
  – Suffers from “container breakout”
    ● Gains root on host system
  – REST API is very open
  – Docker Security page
  – Dan Walsh SELinux and Docker

Page 35

Emerging tech to keep an eye on

• Haka
  – “Software defined security”
  – $developer centric security
  – Lua DSL
  – Another tool in the $devops chain
  – E.L.K support
• Why not iptables / Netfilter / other
  – Why not both?
  – Eases developers' adoption

Page 36

2014 … it's been interesting

• 2014
  – Isn't over yet ...
  – Heartbleed, shellshock, poodle
  – F.U.D
    ● Gmail “leak” (wasn't gmail, just happened to have gmail addresses)
    ● Dropbox “leak” (wasn't dropbox, just happened that users were using same credentials)
  – Home Depot
  – Target (Fall 2013, still “in the news”)

Page 37

2014 … it's been interesting

• 2014
  – No more “head in the sand”
  – No more “features before security”
  – The cost of compromise is proven
  – Increasing ubiquity of I.o.T
    ● without proper security measures is not maintainable
  – Time to build security into the product, not as an afterthought.

Page 38

2014 … it's been interesting

• 2014
  – You are not alone!
  – https://www.iamthecavalry.org/
  – http://www.openinfosecfoundation.org/
  – https://www.reddit.com/r/netsec
  – http://seclists.org/fulldisclosure/
  – https://bugcrowd.com
  – https://44con.com/
  – http://dc4420.org/
  – Deploy your own “Responsible disclosure program”

Page 39

The End …

• Questions? (And Thank you for attending!)
• I also have a tirade of equipment with me if anyone is interested in learning more; see me after this talk.
