Security: It's more than just your database you should worry about
David Busby, Information Security Architect
2015-08-05
Security isn't deploying some overbearing big-brother hardware or software solution, and it isn't running scanning software that tells you you're safe, because in reality, in these types of setups, you're not.
Security is akin to high availability: there you deploy multiple redundancies to ensure you can still operate, and the same can and should be applied to security. Identify the potential areas of attack, reduce that attack surface, and deploy multiple redundancies to secure your deployments.

In this session we'll wade through F.U.D, and:

Discuss what an attack surface is, including some not so well known examples of exploitation of said surface, with a demo of malicious HID devices and lock picking; discuss IoT (internet of things) and how commodity internet-connected devices are racing ahead of any measures of security.

Discretionary vs mandatory access controls, IPS vs IDS.

Cover the recent trend in vulnerability naming, and some of the more ridiculous examples.

Discuss attack detection and prevention, and question why there's still a view that the two need to be separated.

Cover some emerging technologies of note to aid in hardening infrastructure.

The focus here is to promote an attitude change in thinking about points of vulnerability, and to promote better security as a whole.

1. Security: It's more than just your database you should worry about
   David Busby, Information Security Architect, 2015-08-05

2. Sample Text Page
   • David Busby
     – Percona since January 2013
     – R.D.B.A
     – EMEA && Security Lead
     – I.S.A (current)
     – 15 years sysadmin / dev
     – Ju-Jitsu instructor for N.F.P club
     – Volunteer assisting with teaching computing at a secondary school

3. Agenda
   • Got F.U.D?
   • What is an attack surface?
   • D.A.C, M.A.C, I.P.S, I.D.S, WTF?
   • Heartbleed / Shellshock / #gate / #bandwagon
   • Detection or prevention: the boy who cried wolf
   • Emerging tech to keep an eye on
   • 2014 → 2015 … it's been “interesting”

4. Here be dragons ...
   • Previous talks focused on a select set of identification and prevention
   • This talk is different …
     ● Focus is on a mindset change for pure identification of potential attack vectors, as well as clarification of some points along the way
     ● There's F.U.D by the ton; and we each get a shovel.

5. Got F.U.D?
   • Fear Uncertainty Doubt
   • C.R.I.M.E (CVE-2012-4929)
   • B.E.A.S.T (CVE-2011-3389)
   • Heartbleed (CVE-2014-0160)
   • Shellshock (CVE-2014-6271, 6277, 6278, 7169, 7186, 7187)
   • P.O.O.D.L.E (CVE-2014-3566)
6. What's an “attack surface”?
   • Potential areas for compromise
     – Application
     – Database
     – Network
     – Hardware
     – Software
     – Employees
     – Other

7. What's an “attack surface”?
   • Application
     – Engine / Interpreter, e.g. Java, PHP, etc.
       ● e.g. PHP CVE-2011-4885 (hash collision)
     – Framework
       ● Or most likely a plugin
     – Developer errors: SQLi, XSS, CSRF etc ...
     – HTTP service: Apache, Nginx, Lighttpd, etc.
     – Sysadmin errors e.g. misconfiguration of SSL ciphers / certs

8. What's an “attack surface”?
   • Database
     – Weak passwords
     – Overpermissive grants
     – Overly broad host specifications e.g. @%
       ● Vulnerabilities in service (often denoted by CVEs e.g. MySQL CVE-2012-2122)
     – Poor isolation (network, users etc)
     – Malicious plugins e.g. UDFs

9. What's an “attack surface”?
   • Network
     – Overly open ACL
     – Little or no isolation
     – Little or no monitoring
     – Little or no packet inspection
     – “An open playground”
     – Hardware embedded OS vulnerabilities
     – Other entry points
       ● It's not limited to Ethernet / 2.4 && 5 GHz WiFi (look at the NSA ANT catalogue)

10. What's an “attack surface”?
   • Hardware
     – Lack of control of use
     – Malicious USB / Firewire / etc
       ● COTTONMOUTH-I
       ● Iron Geek's Plug & Prey
       ● USB Rubber Ducky
       ● USB LAN Turtle
       ● Thunderstrike 2
     – Embedded firmware vulnerabilities
     – “Freebie” / “Gift” / “Other”
     – Lack of physical access controls
       ● e.g. Barclays £1.3M theft
     – Lack of $vendor updates (e.g. Android)
     – ROWHAMMER

11. What's an “attack surface”?
   • Lock all the things!
     – Combination T.S.A locks
       ● Easily picked
     – Traditional tumbler locks
       ● Picking / bump keys
     – Biometrics
       ● Mythbusters
   • Key pads
     – Check for wear / dirt marks / vendor codes
   • Key switches (e.g. in lifts)
     – As per above
   • Room card keys
     – Magstripe read and write
   • RFID
     – Easily read tag contents and replay

12. What's an “attack surface”?
   • And then there's … I.o.T
     – T.V
     – Cameras
     – Light bulbs
     – Fridges
     – Home automation
     – Locks
     – Printer
       ● Cloud print …
     – Etc
     – Supervisory Control And Data Acquisition
       ● Let's put a hydroelectric dam control system on the internet!

13. What's an “attack surface”?

14. What's an “attack surface”?
   • But wait … there's more!
   • Your cars
     – Hacking 2014 Jeep Cherokee & Chrysler via internet connection
   • Medical devices
     – Hospira drug pump
     – Wireless insulin pump
     – RF-enabled pacemakers
   • https://www.iamthecavalry.org/

15. What's an “attack surface”?
   • Software
     – Modified binaries
     – “Install for FREE STUFF!”
     – Unaudited source code … cough cough
       ● Truecrypt, openssl ...
     – Poor isolation (no M.A.C, only D.A.C)
     – Process injection, buffer overflows etc …
     – Unpatched software
     – Legacy software
       ● e.g. Adobe Flash

16. What's an “attack surface”?
   • Employees
     – “I put all my details on this pastebin, can you take a look?”
     – “Sure you can use my phone / workstation!”
     – “So all I have to do is click this link?”
     – “Oh you're from HR? Sure I can install that!”
     – “A magic trick? YEY!”
     – “FREE STUFF?!”

17. What's an “attack surface”?
   • Employees
     – Phishing / Spear Phishing
     – Social engineering
     – D.L.P bypass is no longer just crafted devices
       ● Making commodity USB “evil”
       ● Derbycon presentation
       ● Adam Caudill && Brandon Wilson
     – Implied trust
       ● Uniform / Badge != Proof

18. What's an “attack surface”?

19. What's an “attack surface”?
   • Other
     – Side channel attacks
       ● Cache timing
       ● Co-residency (side channel against “cloud”)
     – Unintentional “emissions”
       ● Melissa Elliott, “Noise Floor”
       ● S.D.R (Software Defined Radio)
       ● Monitor / Display, RAM, F.S.B, etc …

20. “Weaponized” lunches?!
   • Portable Instrument for Trace Acquisition
21. F.U.D!

22. Well … hold on

23. D.A.C, M.A.C, I.P.S, I.D.S … WTF?
   • Discretionary Access Control
     – POSIX permissions
       ● File mode
       ● UID
       ● GID
       ● Software runs with the same permissions as the user and group
       ● e.g. your browser could read ~/.ssh/id_rsa in this model

24. D.A.C, M.A.C, I.P.S, I.D.S … WTF?
   • Mandatory Access Control
     – SELinux
       ● Process running with context x, e.g. MySQL
       ● Access to resource y, e.g. listen *:3306
       ● Denied access to resource z, e.g. connect *:80
     – AppArmor
     – Gazzang (has some M.A.C)

25. Heartbleed/Shellshock/#bandwagon
   • “Media”
     – Need to drive views / purchases aka revenue
     – F.U.D “slinging” is an effective method for this. (Everything is a Virus)
       ● e.g. The Register's “Critical SSL vulnerability out tomorrow”
       ● No detail
       ● No sources
       ● PURE F.U.D

26. Heartbleed/Shellshock/#bandwagon
   • But naming vulnerabilities has its place
     ● C.R.I.M.E / CVE-2012-4929
     ● B.E.A.S.T / CVE-2011-3389
     ● Heartbleed / CVE-2014-0160
     ● Shellshock / CVE-2014-6271, 6277, 6278, 7169, 7186, 7187
     ● P.O.O.D.L.E / CVE-2014-3566

27. Heartbleed/Shellshock/#bandwagon
   • Even if it can go a bit far ...

28. Heartbleed/Shellshock/#bandwagon
   • There is hope behind the hype.
     ● Elastica Inc @ Vimeo
     ● Heartbleed instructional video
     ● Shellshock instructional video
     ● Poodle instructional video

29. Detection or prevention
   • Why not both?
     – Block known “bad”
       ● By writing your own rules
       ● Regularly syncing with emerging rules
     – Allow known “good”
       ● IPS / WAF blocking your app? Write an exception, carefully!
       ● Be selective!
       ● e.g. don't: if /cart(.*) then skip
     – Log everything else
       ● And check the logs!

30. Detection or prevention
   • Why not both?
     – Generate alerts
       ● e.g. logstash can send alerts to nagios
     – Y.M.W.V
       ● You will know your application's behaviour
       ● Consider what's “out of context”
       ● e.g. 10x increase in additions to shopping cart for invalid items (could be someone attempting SQLi)
       ● 10x increase in requests, could be a DoS

31. Detection or prevention
   • Detection
     ● Alert on set conditions
     ● SQLi, fuzzing, out of context requests.
     ● Write rules / exceptions to reduce “noise”
     ● Be specific in said rules!
   • Prevention
     ● Block and alert
     ● Reduce “noise” through blacklists.
     ● Example alert record:
       {"timestamp":"2014-05-15T07:30:42.970624","event_type":"alert","src_ip":"101.227.170.42","src_port":58613,"dest_ip":"XXX.XXX.XXX.XXX","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 2","category":"Misc Attack","severity":2}}

32. Detection or prevention
   • Reduce NOISE!
     – Avoiding the “boy who cried wolf”
     – Aka staff becoming desensitized to the slew of alerts: “oh that's normal, just ignore”
     – “Familiarity breeds contempt”
   • Why not just buy $product?
     – It's still an option but be 100% sure you know what you're buying.
       ● Paying over the odds for rebranded Nessus is never good.
       ● Ongoing rule updates, custom rule support, $vendor support to “tune” the appliance to your needs.
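To make slides 29 to 31 concrete, here is an added example (not code from the deck or its author) that triages eve.json-style alert records with a specific exception instead of the broad "/cart(.*) then skip" the deck warns against, and flags slide 30's 10x "out of context" increases; all log lines, IPs, hostnames and signature ids are constructed.

```python
"""Triage eve.json alert records with specific exceptions, then apply the
deck's "out of context" rule of thumb (10x the usual rate).
All log lines, IPs, hostnames and signature ids below are constructed."""
import json
from statistics import median

# Constructed alert events in the shape of Suricata's EVE JSON output.
SAMPLE_EVE = """
{"timestamp":"2014-05-15T07:30:42.970624","event_type":"alert","src_ip":"192.0.2.10","src_port":58613,"dest_ip":"198.51.100.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500002,"rev":3231,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 2","category":"Misc Attack","severity":2}}
{"timestamp":"2014-05-15T07:31:01.000000","event_type":"alert","src_ip":"192.0.2.20","src_port":40001,"dest_ip":"198.51.100.8","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006446,"rev":1,"signature":"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT","category":"Web Application Attack","severity":1},"http":{"hostname":"shop.example","url":"/cart/add?id=1%20UNION%20SELECT%201,2","http_method":"GET"}}
{"timestamp":"2014-05-15T07:31:02.000000","event_type":"alert","src_ip":"192.0.2.30","src_port":40002,"dest_ip":"198.51.100.8","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2101201,"rev":9,"signature":"GPL WEB_SERVER 403 Forbidden","category":"Attempted Information Leak","severity":3},"http":{"hostname":"shop.example","url":"/cart/view","http_method":"GET"}}
"""

# The deck's anti-pattern is "if /cart(.*) then skip": that would also hide
# the SQLi attempt on /cart/add. A specific exception names the signature
# that is known to false-positive, the host it fires on and the path prefix.
EXCEPTIONS = [
    {"signature_id": 2101201, "dest_ip": "198.51.100.8", "url_prefix": "/cart/"},
]

def is_excepted(ev):
    """True only when signature, destination and URL prefix all match."""
    url = ev.get("http", {}).get("url", "")
    return any(ev["alert"]["signature_id"] == ex["signature_id"]
               and ev["dest_ip"] == ex["dest_ip"]
               and url.startswith(ex["url_prefix"]) for ex in EXCEPTIONS)

def triage(eve_text):
    """Return (signature_id, src_ip) for alerts that survive the exceptions."""
    kept = []
    for line in eve_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("event_type") == "alert" and not is_excepted(ev):
            kept.append((ev["alert"]["signature_id"], ev["src_ip"]))
    return kept

def out_of_context(counts, warmup=5, factor=10):
    """counts: per-window event counts in time order (e.g. cart additions for
    invalid items, or total requests). The first `warmup` windows set the
    baseline (median); later windows at >= factor x baseline are flagged."""
    baseline = max(median(counts[:warmup]), 1)
    return [i for i, n in enumerate(counts) if i >= warmup and n >= factor * baseline]

if __name__ == "__main__":
    for sid, src in triage(SAMPLE_EVE):
        print("alert", sid, "from", src)
    # Constructed per-minute counts: quiet baseline, then a 10x burst.
    print("out-of-context windows:", out_of_context([3, 4, 3, 5, 4, 4, 45, 3]))
```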
33. Emerging tech to keep an eye on
   • Fidoalliance.org
     – U2F (Universal two factor)
     – UAF (Universal authentication framework)
     – Google, Yubico, ARM, Bank of America, Lenovo, Mastercard, Discover, Microsoft, Paypal, Qualcomm, RSA, Samsung, Visa …
       ● The list of members is extensive
     – TL;DR improve security by implementing a common two factor auth standard; and commoditizing it to improve adoption.

34. Emerging tech to keep an eye on
   • Keybase.io
     – Nodejs
     – “socializes” GPG
       ● Tracking → sign a “snapshot” of their key and identity profile
       ● “On this date I <name> verify this is Joe Bloggs's gpg key, twitter account … etc”
     – TL;DR wrapper and service to help spread the use of GPG
     – https://keybase.io/oneiroi/

35. Emerging tech to keep an eye on
   • Suricata
     – IDS / IPS
     – libjansson → eve.json
       ● Compatible with E.L.K stack: blog post
     – Multi-threaded
       ● Claims 10Gbit support with no ruleset sacrifice
       ● Protocol identification
       ● File identification, extraction
     – Open Information Security Foundation

36. Emerging tech to keep an eye on
   • E.L.K (Elasticsearch, Logstash, Kibana)
     – Easily store, index and visualize data
       ● e.g. suricata data

37. Emerging tech to keep an eye on
   • Docker
     – No longer using LXC by default
       ● Uses their own libcontainer
     – Vagrant / git-esque CLI
     – Raw hardware access
       ● Not paravirtual
     – Suffers from “container breakout”
       ● Gains root on host system
     – REST API is very open
     – Docker Security page
     – Dan Walsh: SELinux and Docker
     – Docker SWARM on ARM

38. Emerging tech to keep an eye on
   • Haka
     – “Software defined security”
     – $developer-centric security
     – Lua DSL
     – Another tool in the $devops chain
     – E.L.K support
   • Why not IPTables / Netfilter / other?
     – Why not both?
     – Eases developers' adoption

39. Emerging tech to keep an eye on
   • Vaultproject.io
     – AES GCM 256-bit
       ● nonce per object
     – Audit backends
     – HA capable
     – Potential for credential auto rotation

40. Emerging tech to keep an eye on
   • USB Armory
     – Freescale i.MX53 ARM® Cortex™-A8 800 MHz
     – 512MB DDR3
     – <500 mA USB powered
     – ARM® TrustZone®
       ● Secure boot, storage, memory

41. 2014 … it's been interesting
   • 2014
     – Heartbleed, Shellshock, POODLE
     – F.U.D
       ● Gmail “leak” (wasn't gmail, just happened to have gmail addresses)
       ● Dropbox “leak” (wasn't dropbox, just happened that users were using the same credentials)
     – Home Depot
     – Target (Fall 2013, still “in the news”)

42. 2015 … it's been interesting
   • 2015
     – Hackingteam breach
     – Many Flash vulnerabilities
     – BIND9 DoS CVE-2015-5477
     – YubiKey NEO key extraction
     – OpenSSL
       ● FREAK
       ● Logjam
     – GHOST (CVE-2015-0235)
     – ICANN Root DNS compromise

43. 2014 → 2015 … it's been interesting
   • 2014 → 2015
     – PLEASE!
       ● No more “head in the sand”
       ● No more “features before security”
     – The cost of compromise is proven
     – Increasing ubiquity of I.o.T
       ● without proper security measures is not maintainable
     – It is beyond time to ensure security is in the product, not as an afterthought.

44. 2014 → 2015 … it's been interesting
   • 2014 → 2015
     – You are not alone!
     – https://www.iamthecavalry.org/
     – http://www.openinfosecfoundation.org/
     – https://www.reddit.com/r/netsec
     – http://seclists.org/fulldisclosure/
     – https://bugcrowd.com
     – https://44con.com/
     – http://dc4420.org/
     – Deploy your own “Responsible disclosure program”, and if you can, a Bug Bounty

45. The End …
   • Questions? (And thank you for attending!)
