1. WHO AM I?
Alison Gianotto (aka “snipe”)
• Former agency CTO/CSO
• Security & privacy advocate
• 20 years in IT & software development
• Co-author of a few PHP/MySQL books
• Survivor of more corporate audits than I care to remember
• @snipeyhead on Twitter
dotScale May 2014 - #dotScale
2. IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK.
Srsly.
3. IT IS INAPPROPRIATE TO MITIGATE EVERY RISK.
No, Srsly.
4. WHY PEOPLE HACK
• To steal/sell identities, credit card numbers, corporate secrets, military secrets
• Fun/Notoriety
• Political (“Hacktivism”)
• Revenge
• Blackhat SEO
• Extortion/Ransomware
5. MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.
6. THERE WERE EIGHT MEGA-BREACHES IN 2013, COMPARED WITH ONLY ONE IN 2012. (+700%)
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
7. OCT 2013: ADOBE
EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE
IMPACTED: 152 MILLION USERS
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
8. DEC 2013: TARGET
EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS
IMPACTED: 110 MILLION USERS
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
9. BREACH GROWTH
Data Stolen:
• credit card info
• birth dates
• government ID numbers
• home addresses
• medical records
• phone numbers
• financial information
• email addresses
• login
• passwords
Chart: Identities Stolen by Year (in Millions): 2011 = 232; 2013 = 552
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
10. ATTACKS PER DAY
Chart: 2011 = 190,000; 2012 = 464,000; 2013 = 570,000
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
11. SOMETIMES YOUR EFFORTS TO MITIGATE RISK CAN INCREASE YOUR ATTACK SURFACE.
Because THAT’S fair.
12. DEFENSE IN DEPTH PROMISES
• Mitigates single points of failure. (“Bus factor”)
• Requires more effort on the part of the attacker, theoretically exhausting attacker resources.
Except...
13. DEFENSE IN DEPTH CHALLENGES
• Larger, more complicated systems are harder to maintain.
• Can lead to more cracks for bad guys to poke at.
• More surfaces that can be overlooked.
• The bad guys have nearly limitless resources. We don’t.
• Attacks are commoditized now. Botnets for $2/hour.
14. HACKERS ARE NOT YOUR ONLY PROBLEM.
Sorry. :(
16. CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION.
17. INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
18. AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
19. APPSEC STRATEGY: PICK TWO
(Triangle with the corners labelled: ABSOLUTELY F*CKED / UTTERLY F*CKED / COMPLETELY F*CKED)
20. CREATING A RISK MATRIX
• Type of resource
• Third-Party
• Diagram ID
• Description
• Triggering Action
• Consequence of Failure
• Risk of Failure
• Probability of Failure
• User Impact
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info
Grab a starter template here! http://snipe.ly/risk_matrix
21. 20 THINGS YOU CAN START DOING TODAY.
Dooo eeeeeet.
22. #1. CAPTURE ALL THE FLAGS!
23. WHAT DEVS LEARN FROM CTF
• Strip specific messaging from login forms.
• Use solid password+salting like bcrypt.
• Implement brute-force prevention for all login systems.
• Encrypt everything, where feasible.
• Suppress debugging and server information (language/framework versions, web server versions, stack-traces, etc.)
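The first three points on the slide above, applied in one login handler, as an added example that is not from the talk: one generic failure message for every outcome, salted memory-hard password hashing with a constant-time comparison, and a per-account lockout after repeated failures. It uses hashlib.scrypt from the Python standard library in place of the bcrypt the slide recommends, and the user store, lockout table and sample credentials are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

GENERIC_FAILURE = "Invalid username or password."  # same text for every failure path
MAX_ATTEMPTS = 5             # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60    # how long the lock lasts


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard hash stored as 'salt$digest' (both hex).
    scrypt stands in for the bcrypt the slide recommends (no third-party package needed)."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time comparison


# Constructed in-memory user store and lockout state for the demo.
USERS = {"alice": hash_password("correct horse battery staple")}
DUMMY_HASH = hash_password(os.urandom(16).hex())  # checked for unknown users so timing matches
FAILURES = {}  # username -> {"count": int, "locked_until": float}


def login(username: str, password: str, now: Optional[float] = None) -> str:
    """Return 'ok' on success; every failure (unknown user, bad password, locked account)
    returns GENERIC_FAILURE so the form never says which one it was."""
    now = time.time() if now is None else now
    state = FAILURES.setdefault(username, {"count": 0, "locked_until": 0.0})
    if now < state["locked_until"]:
        return GENERIC_FAILURE
    # Unknown users still pay the full hash cost, so response time does not reveal existence.
    matched = verify_password(password, USERS.get(username, DUMMY_HASH))
    if matched and username in USERS:
        FAILURES.pop(username, None)  # reset the counter on success
        return "ok"
    state["count"] += 1
    if state["count"] >= MAX_ATTEMPTS:
        state["locked_until"] = now + LOCKOUT_SECONDS
    return GENERIC_FAILURE
```

Locking by username alone lets anyone lock a victim out by sending bad passwords, so real deployments pair it with per-source rate limits or progressive delays and bound the size of the failure table.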