Date posted: 07-Jul-2015
Security isn't deploying some overbearing big-brother hardware or software solution, and it isn't running scanning software that tells you you're safe, because in reality, in these types of setups, you're not. Security is akin to high availability: there you deploy multiple redundancies to ensure you can still operate, and the same can and should be applied to security. Identify the potential areas of attack, reduce that attack surface, and deploy multiple redundant controls to secure your deployments.
1. Security: It's more than just your database you should worry about
  • David Busby, Information Security Architect
  • 2014-11-02

2. Sample Text Page
  • David Busby
  • Percona since January 2013
  • R.D.B.A
  • EMEA && Security Lead
  • I.S.A (current)
  • 14 years sysadmin / dev
  • Ju-Jitsu instructor for N.F.P club
  • Volunteer assist teaching computing at secondary school

3. Agenda
  • Got F.U.D?
  • What is an attack surface?
  • D.A.C, M.A.C, I.P.S, I.D.S, WTF?
  • Heartbleed / Shellshock / #gate / #bandwagon
  • Detection or prevention: the boy who cried wolf
  • Emerging tech to keep an eye on
  • 2014: it's been interesting

4. Here be dragons ...
  • Previous talks focused on a select set of identification and prevention
  • This talk is different
  • Focus is on a mindset change for pure identification of potential attack vectors, as well as clarification of some points along the way
  • There's F.U.D by the ton; and we each get a shovel

5. Got F.U.D?
  • Fear, Uncertainty, Doubt
  • C.R.I.M.E (CVE-2012-4929)
  • B.E.A.S.T (CVE-2011-3389)
  • Heartbleed (CVE-2014-0160)
  • Shellshock (CVE-2014-6271, 6277, 6278, 7169, 7186, 7187)
  • P.O.O.D.L.E (CVE-2014-3566)

6. What's an attack surface?
  • Potential areas for compromise:
    - Application
    - Database
    - Network
    - Hardware
    - Software
    - Employees
    - Other

7. What's an attack surface? Application
  • Engine / interpreter, e.g. Java, PHP, etc.
    - e.g. PHP CVE-2011-4885 (hash collision)
  • Framework, or most likely a plugin
  • Developer errors: SQLi, XSS, CSRF, etc ...
  • HTTP service: Apache, Nginx, Lighttpd, etc.
  • Sysadmin errors, e.g. misconfiguration of SSL ciphers / certs

8. What's an attack surface? Database
  • Weak passwords
  • Over-permissive grants
  • Overly broad host specifications, e.g. @%
  • Vulnerabilities in the service (often denoted by CVEs, e.g. CVE-2012-2122)
  • Poor isolation (network, users, etc.)
  • Malicious plugins, e.g. UDFs

9. What's an attack surface? Network
  • Overly open ACLs
  • Little or no isolation
  • Little or no monitoring
  • Little or no packet inspection
  • An open playground
  • Hardware embedded OS vulnerabilities
  • Other entry points: it's not limited to Ethernet / 2.4 && 5 GHz WiFi (look at the NSA ANT catalogue)

10. What's an attack surface? Hardware
  • Lack of tamper-evident seals
  • Lack of control of use
  • Malicious USB / Firewire / etc.
    - COTTONMOUTH-I
    - Iron Geek's plug & prey
    - USB Rubber Ducky
  • Embedded firmware vulnerabilities
  • Freebie / gift / other
  • Lack of physical access controls, e.g. Barclays 1.3M theft
  • Lack of $vendor updates (e.g. Android)

11. What's an attack surface? Lock all the things!
  • Combination T.S.A locks: easily picked
  • Traditional tumbler locks: picking / bump keys
  • Biometrics: Mythbusters
  • Key pads: check for wear / dirt marks / vendor codes
  • Key switches (e.g. in lifts): as per above
  • Room card keys: magstripe read and write
  • RFID: easily read tag contents and replay

12. What's an attack surface? And then there's I.o.T
  • TV, cameras, light bulbs, fridges, home automation, locks, printer, cloud print, etc.
  • Supervisory Control And Data Acquisition: let's put a hydro-electric dam control system on the internet!

13. What's an attack surface? But wait, there's more!
  • Your cars
  • Medical devices (more famously RF-enabled pacemakers), wireless insulin pumps, etc.
  • https://www.iamthecavalry.org/

14. What's an attack surface? Software
  • Modified binaries: install for FREE STUFF!
  • Unaudited source code: cough cough Truecrypt, openssl ...
  • Poor isolation (no M.A.C, only D.A.C): process injection, buffer overflows, etc.
  • Unpatched software

15. What's an attack surface? Employees
  • "I put all my details on this pastebin, can you take a look?"
  • "Sure you can use my phone / workstation!"
  • "So all I have to do is click this link?"
  • "Oh you're from HR? Sure I can install that!"
  • "A magic trick? YEY!"
  • "FREE STUFF?!"

16. What's an attack surface? Employees
  • Phishing / spear phishing
  • Social engineering
  • D.L.P bypass is no longer just crafted devices: making commodity USB "evil" (Derbycon presentation, Adam Caudill && Brandon Wilson)
  • Implied trust: uniform / badge != proof

17. What's an attack surface? Other
  • Side channel attacks
    - Cache timing
    - Co-residency (side channel against cloud)
  • Unintentional emissions: Melissa Elliot, Noise Floor
    - S.D.R (Software Defined Radio)
    - Monitor / display, RAM, F.S.B, etc ...

18. F.U.D!

19. Well, not so much

20. D.A.C, M.A.C, I.P.S, I.D.S, WTF?
  • Discretionary Access Control
  • POSIX permissions: file mode, UID, GID
  • Software runs with the same permissions as the user and group
    - e.g. your browser could read ~/.ssh/id_rsa in this model

21. D.A.C, M.A.C, I.P.S, I.D.S, WTF?
  • Mandatory Access Control
  • SELinux: a process running with context x (e.g. MySQL)
    - is allowed access to resource y (listen *:3306)
    - is denied access to resource z (connect *:80)
  • AppArmor
  • Gazzang (has some M.A.C)

22. Heartbleed / Shellshock / #bandwagon
  • Media need to drive views / purchases, aka revenue
  • F.U.D slinging is an effective method for this (everything is a virus)
  • e.g. The Register's "Critical SSL vulnerability out tomorrow": no detail, no sources, PURE F.U.D

23. Heartbleed / Shellshock / #bandwagon
  • But naming vulnerabilities has its place
    - C.R.I.M.E / CVE-2012-4929
    - B.E.A.S.T / CVE-2011-3389
    - Heartbleed / CVE-2014-0160
    - Shellshock / CVE-2014-6271, 6277, 6278, 7169, 7186, 7187
    - P.O.O.D.L.E / CVE-2014-3566

24. Heartbleed / Shellshock / #bandwagon
  • Even if it can go a bit far ...

25. Heartbleed / Shellshock / #bandwagon
  • There is hope behind the hype: Elastica Inc @ Vimeo
    - Heartbleed instructional video
    - Shellshock instructional video
    - Poodle instructional video

26. Detection or prevention: why not both?
  • Block known bad
    - By writing your own rules
    - Regularly syncing with emerging rules
  • Allow known good
    - IPS / WAF blocking your app? Write an exception, carefully!
    - Be selective! e.g. don't: if /cart(.*) then skip
  • Log everything else, and check the logs!

27. Detection or prevention: why not both?
  • Generate alerts, e.g. logstash can send alerts to nagios (Y.M.M.V)
  • You will know your application's behaviour; consider what's out of context, e.g.
    - 10x increase in additions to shopping cart for invalid items (could be someone attempting SQLi)
    - 10x increase in requests (could be a DoS)

28. Detection or prevention
  • Detection
    - Alert on set conditions: SQLi, fuzzing, out-of-context requests
    - Write rules / exceptions to reduce noise; be specific in said rules!
  • Prevention
    - Block and alert
    - Reduce noise through blacklists
  • Example alert record:
    {"timestamp":"2014-05-15T07:30:42.970624","event_type":"alert","src_ip":"","src_port":58613,
     "dest_ip":"XXX.XXX.XXX.XXX","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,
     "signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 2",
     "category":"Misc Attack","severity":2}}

29. Detection or prevention: reduce NOISE!
  • Avoiding the boy who cried wolf, aka staff becoming desensitized to the slew of alerts: "oh, that's normal, just ignore it"
  • Familiarity breeds contempt
  • Why not just buy $product?
    - It's still an option, but be 100% sure you know what you're buying
    - Paying over the odds for rebranded Nessus is never good
    - Look for ongoing rule updates, custom rule support, and $vendor support to tune the appliance to your needs

30. Emerging tech to keep an eye on: Fidoalliance.org
  • U2F (Universal two factor)
  • UAF (Universal authentication framework)
  • Google, Yubico, ARM, Bank of America, Lenovo, Mastercard, Discover, Microsoft, PayPal, Qualcomm, RSA, Samsung, Visa; the list of members is extensive
  • TL;DR: improve security by implementing a common two-factor auth standard, and commoditizing it to improve adoption

31. Emerging tech to keep an eye on: Keybase.io
  • Node.js socializes GPG
  • Tracking: sign a snapshot of their key and identity profile ("On this date I verify this is Joe Bloggs's GPG key, twitter account etc.")
  • TL;DR: wrapper and service to help spread the use of GPG
  • https://keybase.io/oneiroi/

32. Emerging tech to keep an eye on: Suricata
  • IDS / IPS
  • libjansson eve.json output
  • Compatible with the E.L.K stack: blog post
  • Multi-threaded; claims 10Gbit support with no ruleset sacrifice
  • Protocol identification
  • File identification and extraction
  • Open Information Security Foundation

33. Emerging tech to keep an eye on: E.L.K (Elasticsearch, Logstash, Kibana)
  • Easily store, index and visualize data, e.g. Suricata data

34. Emerging tech to keep an eye on: Docker
  • Wrapper for LXC Linux containers
  • Vagrant / git-esque CLI
  • Raw hardware access, not paravirtual
  • Suffers from container breakout: gains root on the host system
  • REST API is very open
  • Docker Security page
  • Dan Walsh: SELinux and Docker

35. Emerging tech to keep an eye on: Haka
  • Software defined security; $developer-centric security
  • Lua DSL
  • Another tool in the $devops chain
  • E.L.K support
  • Why not IPTables / Netfilter / other? Why not both? It eases developer adoption

36. 2014: it's been interesting
  • 2014 isn't over yet ...
  • Heartbleed, Shellshock, POODLE F.U.D
  • Gmail leak (wasn't Gmail, just happened to have Gmail addresses)
  • Dropbox leak (wasn't Dropbox, just happened that users were using the same credentials)
  • Home Depot
  • Target (Fall 2013, still in the news)

37. 2014: it's been interesting
  • No more head in the sand
  • No more features before security
  • The cost of compromise is proven
  • Increasing ubiquity of I.o.T without proper security measures is not maintainable
  • Time to build security into the product, not as an afterthought

38. 2014: it's been interesting. You are not alone!
  • https://www.iamthecavalry.org/
  • http://www.openinfosecfoundation.org/
  • https://www.reddit.com/r/netsec
  • http://seclists.org/fulldisclosure/
  • https://bugcrowd.com
  • https://44con.com/
  • http://dc4420.org/
  • Deploy your own responsible disclosure program

39. The End
  • Questions? (And thank you for attending!)
  • I also have a tirade of equipment with me if anyone is interested in learning more; see me after this talk.
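A concrete check for slide 8's database attack surface (weak passwords, over-permissive grants, @% host specifications), added here as an example and not part of the talk: it audits the text of `SHOW GRANTS` output offline. The sample statements are constructed, in the MySQL 5.5/5.6 format where the password hash (if any) appears on the global `*.*` line; the set of flagged privileges is this example's own choice.

```python
import re

# Constructed SHOW GRANTS output for illustration (MySQL 5.5/5.6 style, where the
# password hash, if any, appears on the global *.* USAGE line). Not from a real server.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'app'@'10.0.1.%' IDENTIFIED BY PASSWORD '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'app'@'10.0.1.%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION",
    "GRANT FILE ON *.* TO 'report'@'%'",
    "GRANT SELECT ON `shop`.`orders` TO 'analyst'@'localhost'",
]

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r"(?: IDENTIFIED BY PASSWORD '(?P<pw>[^']*)')?(?P<grantopt> WITH GRANT OPTION)?"
)
# Privileges that hand out far more than an application account needs (this example's list).
DANGEROUS_PRIVS = {"ALL PRIVILEGES", "FILE", "SUPER", "PROCESS"}

def audit_grant(line):
    """Return the findings for one GRANT statement; an empty list means nothing flagged."""
    m = GRANT_RE.match(line)
    if not m:
        return ["unparsed: " + line]
    g = m.groupdict()
    who = "'%s'@'%s'" % (g["user"], g["host"])
    findings = []
    if g["host"] == "%":
        findings.append(who + ": host '%' accepts logins from any address")
    if g["scope"] == "*.*" and not g["pw"]:   # global line carries the password hash
        findings.append(who + ": no password hash set")
    privs = {p.strip().upper() for p in g["privs"].split(",")}
    for p in sorted(privs & DANGEROUS_PRIVS):
        findings.append(who + ": dangerous privilege " + p + " on " + g["scope"])
    if g["grantopt"]:
        findings.append(who + ": WITH GRANT OPTION (can hand out further grants)")
    return findings

def audit(lines):
    """Audit every statement and return the flattened list of findings."""
    return [f for line in lines for f in audit_grant(line)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS):
        print(finding)
```

Feed it the real output of `SHOW GRANTS FOR 'user'@'host'` for each account to get the same report against a live server.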

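Slides 26 to 28 argue for narrow exceptions rather than broad skips, and for alerting on out-of-context behaviour such as a 10x jump in requests from one source. The following is an added example, not code from the talk: it reads Suricata EVE JSON (the line-per-record format shown on slide 28), applies a suppression list keyed on exact (signature, source, port) tuples, and flags any source whose per-minute HTTP request count reaches 10x an assumed baseline. All records, addresses and the baseline are constructed.

```python
import json
from collections import Counter

def _http(ts, src, url):
    """Build one constructed EVE 'http' record (Suricata writes one JSON object per line)."""
    return json.dumps({"timestamp": ts, "event_type": "http", "src_ip": src, "src_port": 40000,
                       "dest_ip": "192.0.2.10", "dest_port": 80, "proto": "TCP",
                       "http": {"hostname": "shop.example", "url": url, "http_method": "GET"}})

# Constructed eve.json content: 10.0.0.9 is a normal shopper, 10.0.0.5 hammers the cart
# with quote-terminated item ids, plus one ET alert and a junk line that must be skipped.
SAMPLE_EVE = "\n".join(
    [_http("2014-05-15T07:30:%02d.000000" % i, "10.0.0.9", "/cart/add?item=%d" % i) for i in range(5)]
    + [_http("2014-05-15T07:31:%02d.000000" % i, "10.0.0.5", "/cart/add?item=%d'" % i) for i in range(60)]
    + [json.dumps({"timestamp": "2014-05-15T07:31:10.000000", "event_type": "alert", "src_ip": "10.0.0.5",
                   "src_port": 58613, "dest_ip": "192.0.2.10", "dest_port": 22, "proto": "TCP",
                   "alert": {"action": "allowed", "gid": 1, "signature_id": 2500002, "rev": 3231,
                             "signature": "ET COMPROMISED Known Compromised or Hostile Host Traffic group 2",
                             "category": "Misc Attack", "severity": 2}}),
       "not json at all"])

# Exceptions are exact tuples (signature_id, src_ip, dest_port), never "skip anything under /cart".
# 10.0.0.7 stands in for your own authorised scanner (assumed address).
SUPPRESS = {(2500002, "10.0.0.7", 22)}

def parse_eve(text):
    """Yield decoded EVE records, skipping lines that are not valid JSON."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except ValueError:
            continue

def analyse(text, baseline_per_minute=5, factor=10):
    """Return (alerts, spikes): unsuppressed alerts, and (src_ip, minute) buckets with
    at least factor x baseline HTTP requests, i.e. the 'out of context' condition."""
    alerts, per_min = [], Counter()
    for ev in parse_eve(text):
        if ev.get("event_type") == "alert":
            key = (ev["alert"]["signature_id"], ev["src_ip"], ev["dest_port"])
            if key not in SUPPRESS:
                alerts.append((ev["src_ip"], ev["alert"]["signature"]))
        elif ev.get("event_type") == "http":
            per_min[(ev["src_ip"], ev["timestamp"][:16])] += 1   # bucket by minute
    spikes = sorted(k for k, n in per_min.items() if n >= factor * baseline_per_minute)
    return alerts, spikes

if __name__ == "__main__":
    print(analyse(SAMPLE_EVE))
```

Replace SAMPLE_EVE with the contents of a real eve.json and the baseline with what you observe for your own application; the suppression set is where the slide's "be selective" exceptions go.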
