Security Theatre - Confoo
11,600 views
Published in: Technology
Slides for my talk on Security Theatre for Confoo

  1. Booking.com. WE ARE HIRING. Work @ Booking: http://grnh.se/seomt7
  2. Security Theatre
      @thomas_shone
      Image by Matt McGee released under CC BY-ND 2.0
  3. Illusion
  4. Denial
  5. I know about OWASP!
  6. If you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”. @thegrugq
      Reference: https://twitter.com/thegrugq/status/658991205816995840
  7. My app is secure... I think
      Wim Godden, February 26, 2016 @ 14:00, Hampstead
  8. But I use antivirus!
  9. Crypting services make most antivirus techniques useless
      Reference: http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/
  10. Let us put an unsecured node.js server on your personal computer
      TrendMicro Antivirus on Windows, Jan 2016
      https://code.google.com/p/google-security-research/issues/detail?id=693
  11. Remote code execution via your mail client downloading an email
      Sophos Antivirus, June 2015
      https://lock.cmpxchg8b.com/sophailv2.pdf
  12. Internet of Things
  13. Reference: https://www.yahoo.com/tech/dutch-consumer-group-demands-samsung-151703102.html
  14. Reference: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
  15. We’re all bad at security
  16. Users are bad at security
      ➢ Weak passwords
      ➢ Password reset questions
      ➢ Human verification sucks
      ➢ Clickbait and phishing
      ➢ Attachments
      ➢ URL mistype
      ➢ Routine and workarounds
      ➢ Convenience trumps security
  17. Developers are bad at security
      Reference: https://github.com/
  18. Hackers are bad at security
  19. A study in scarlet
  20. 43 applications, libraries or frameworks; over 4,800 versions; over 10 million files
  21. Quick Demo: How the fingerprinting works
  22. 255,000 scans. About 6k/month from June 2012 till now
  23. Results, July 2015
  24. Most popular software: It’s not what you think
  25. How bad is it?
  26. Why is it so bad?
  27. I have seen things. Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn
  28. Versioning Hell: 1.3-final-beta6-pre-patch3
  29. OpenX: Backdoored for almost a year
  30. Lessons Learnt
  31. Versioning: Projects with bad versioning also have some of the worst security issues
  32. Automatic Patching: If your software comes with automatic upgrading, people will use it
  33. Plugins and Templates: If an update needs manual changes for plugins or templates, no one updates
  34. Patch Fatigue Exists
      Image by Aaron Jacobs released under CC BY-SA 2.0
  35. Anger
      Image by Josh Janssen released under CC BY-ND 2.0
  36. Why doesn’t someone do something about it?
  37. Private industry keeps threatening security researchers
  38. "How many Fortune 500 companies are hacked right now? Answer, 500." Mikko Hypponen, CRO of F-Secure
      Reference: https://twitter.com/mikko/status/184329161257652227
  39. Why don’t we have some form of standard?
  40. We have ISO 27001/2, ISO 15408, RFC 2196, PCI DSS, NIST, …
      Reference: https://en.wikipedia.org/wiki/Cyber_security_standards
  41. Why doesn’t the government do something about it?
  42. A Ukrainian power plant was hacked & shut down because someone had macros enabled in Excel
      Reference: https://t.co/PA7cDQC9EI
  43. NSA: We’re just upgrading your megaflops, promise.
  44. Reference: https://t.co/PA7cDQC9EI
      Image by Unknown released into the Public Domain
  45. Bargaining
      Image by Jeroen Moes released under CC BY-SA 2.0
  46. But what if we installed advanced IDSs, WAFs and specialised network hardware
  47. We probably only knew about one of the two backdoors in our system
      Juniper Networks, Dec 2015
      http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/
  48. IDSs produce reports. Managers like reports: it helps them feel like they can "manage" security
      http://security.stackexchange.com/questions/12164/how-effective-is-an-ids-at-catching-targeted-attacks
  49. We’ll start following prescribed security standards
  50. That’s great for your insurance premiums
  51. Depression
  52. Ninety percent of everything is crap. Sturgeon's law
      Reference: https://en.wikipedia.org/wiki/Sturgeon%27s_law
  53. Acceptance
      Image by Stephan Brunet released under CC BY-SA 3.0
  54. Effective?
  55. Most of our security practices are ineffective
  56. We do security in isolation
  57. Holistic
  58. Area of Influence (diagram layers): Hardware, Drivers, Services, Your Dependencies, Operating System, Your Software, Humans, Network / Internet
  59. Area of Influence (diagram layers): Hardware, Drivers, Services, Operating System. 203.5M LoC
      Disclaimer: Numbers generated using cloc (Service LoC limited to latest releases of MySQL, Apache and PHP)
  60. Area of Influence (diagram layers): Operating System, Humans. Human DNA: 7B LoC
      Source: http://www.examiner.com/article/dna-the-ultimate-source-code
  61. Diagram layers: Hardware, Drivers, Services, Your Dependencies, Operating System, Your Software, Humans, Network / Internet, HR/Training, System Administrators, Downstream Providers
  62. Layered
      Image by Cadw released under OGL via Commons
  63. Surface Area
      Image by Albert Bridge released under CC BY-SA 2.0
  64. Alertness
      Image by MeganCollins released under CC BY-NC-ND 3.0
  65. Mitigation
      Image by Pivari.com released under CC BY-SA 3.0
  66. Trust
  67. Trust?
  68. Be aware of what you’re trusting
  69. The hardest part of security is not writing secure code
  70. It’s understanding where you misplace your trust
  71. Trust is a chain
  72. I trust my computer is not compromised (Up-to-date patches)
  73. I trust that the software is without vulnerability (Vulnerability research and security updates)
  74. I trust that the software is configured properly (Automated provisioning)
  75. I trust that the network is configured properly and secure (Good system administrators)
  76. I trust you are who you say you are (TLS Certificate Peer Verification or Authentication)
  77. I trust you are allowed to talk to me about this topic (Authorization)
  78. I trust that what you send me hasn’t been tampered with (Hashes or signatures)
  79. I trust that what we talk about is just between us (Public and private keys)
  80. I trust your computer is not compromised (????)
  81. I trust that what we talk about won’t be shared with others (Contracts, Legalities, Terms of use, ????)
  82. I trust that the user won’t be the weak link (Training and procedures)
  83. Turn your chain into a mesh
      Image by ineverfinishanyth released under CC BY-NC-SA 2.5
  84. Common Mistakes
  85. Weakening: Compromising encryption or hashing is about reducing time to crack
  86. Implementation: A bad implementation helps reduce the time to crack
  87. Authentication
  88. 2 Factor Authentication: composer require pragmarx/google2fa
  89. OAuth2: composer require league/oauth2-client
  90. Sessions
  91. Never roll your own
      Image by Wouter van Emmerik released under CC BY-SA 3.0
  92. Mistakes: Deep understanding of the language (code sample)
      Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
          if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
          {
              parse_str($_SERVER['QUERY_STRING']);
              session_write_close();
              session_id($session_to_unset);
              session_start();
              $_SESSION = array();
              session_write_close();
              session_destroy();
              exit;
          }
  93. Same code sample, annotated at session_write_close(): Writes $_SESSION to disk
  94. Same code sample, annotated at parse_str(): Extracts URL parameters into the namespace. session_to_unset=a becomes $session_to_unset = “a”;
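The same logout endpoint rewritten defensively, as an added example that is not from the slides or the project behind CVE-2011-2505: the query string is parsed into a local array rather than the symbol table, and a request may only end the caller's own session. The single-purpose logout semantics, the session id alphabet check and the 400 response are my assumptions.

```php
<?php
// Added example: the slide-92 handler with the two annotated mistakes removed.
// Assumptions: the endpoint exists only to log the caller out, so no session id
// taken from the request is ever passed to session_id().
declare(strict_types=1);

// parse_str() with a result argument keeps parameters out of the symbol table,
// so a request can no longer overwrite $session_to_unset or anything else in scope.
function parseQuery(string $queryString): array
{
    $params = [];
    parse_str($queryString, $params);
    return $params;
}

// PHP session ids use [A-Za-z0-9,-] and are 22..256 characters long depending on
// session.sid_length / sid_bits_per_character; anything else is rejected up front.
function isWellFormedSessionId(string $id): bool
{
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id);
}

// Destroy the caller's current session only: clear the data, expire the cookie,
// then destroy. Nothing is written back to disk first, unlike the original
// session_write_close() before session_destroy().
function logoutCurrentSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Request handling: start (or resume) the caller's own session from the cookie,
// then honour the parameter only if it names exactly that session.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
$params = parseQuery($_SERVER['QUERY_STRING'] ?? '');
if (array_key_exists('session_to_unset', $params)) {
    $requested = (string) $params['session_to_unset'];
    // hash_equals() keeps the comparison constant-time; the format check keeps
    // garbage out of the logs and the comparison.
    if (isWellFormedSessionId($requested) && hash_equals(session_id(), $requested)) {
        logoutCurrentSession();
    } else {
        http_response_code(400); // assumed response for a mismatched or malformed id
    }
    exit;
}
```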
  95. Encryption
  96. Never roll your own
      Image by Wouter van Emmerik released under CC BY-SA 3.0
  97. Avoid old tutorials on encryption
      https://gist.github.com/paragonie-scott/e9319254c8ecbad4f227
  98. Avoid advice like this: Weakening security for convenience (code sample)
          Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
          // Many old tutorials and posts suggest disabling peer verifications
          curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
          curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
          // Thankfully PHP 5.6+ handles CA certificate location automatically
          // now thanks to https://wiki.php.net/rfc/improved-tls-defaults and
          // Daniel Lowrey
  99. Hashing
  100. Never roll your own
      Image by Wouter van Emmerik released under CC BY-SA 3.0
  101. One way encoding. Comparisons / Integrity Checks
  102. 278,362,281: Number of accounts publicly leaked
      Reference: https://haveibeenpwned.com/
  103. Weak hash functions: +/- 690GB rainbow tables
  104. Bad implementation: Where is the weakness? (code sample)
          $password = 'rasmuslerdorf';
          $hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
          // Is this call safe?
          if (crypt($password, $hash) === $hash) {
              echo 'Password is correct';
          }
          // What about this one?
          if (password_verify($password, $hash)) {
              echo 'Password is correct';
          }
  105. Timing Attacks: Brute forcing cryptographic functions via time taken to execute
  106. Timing Attacks: How it works (code sample)
          $string1 = 'abcd';
          $string2 = 'abce';
          $string3 = 'acde';
          for ($i=0; $i<10000; $i++) { ($string1 === $string2); }
          // Time taken: 0.008344
          for ($i=0; $i<10000; $i++) { ($string1 === $string3); }
          // Time taken: 0.006923
  107. Timing attacks can be used to work out if an account exists [...]. @troyhunt, haveibeenpwned.com
      Reference: https://t.co/5WkQ48suj7
  108. Well actually: Amount of randomness matters
      Reference: http://blog.ircmaxell.com/2012/12/seven-ways-to-screw-up-bcrypt.html
  109. Rehash: Build it into your flow (code sample)
          $password = 'rasmuslerdorf';
          $hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
          // Check the password
          if (password_verify($password, $hash)) {
              echo 'Password is correct';
              if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
                  // Rehash and store in database
                  $new_password = password_hash($password, PASSWORD_DEFAULT);
              }
          }
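Slides 104, 106 and 109 together, as an added example that is not from the slides: the `crypt() === $hash` comparison is the weakness slide 104 asks about (the `===` short-circuits at the first differing byte, which is what slide 106 measures), `hash_equals()` is the constant-time replacement, and the rehash step is packaged so a raised cost migrates old hashes at next login. The `$store` callback, the cost of 12 and the echo lines are my assumptions.

```php
<?php
// Added example: constant-time verification plus the slide-109 rehash flow.
// Assumptions: a $store callable persists the new hash; cost 12 is the current policy.
declare(strict_types=1);

// Slide 104, first call: crypt() itself is fine, but === compares byte by byte and
// stops at the first mismatch, so the time taken leaks how much of the hash matched.
// Kept only as the "before" of the fix.
function verifyLegacyNonConstantTime(string $password, string $hash): bool
{
    return crypt($password, $hash) === $hash;
}

// Same check with hash_equals(), which always walks the full length. This is
// what password_verify() does internally, which is why the second call on slide 104 is safe.
function verifyConstantTime(string $password, string $hash): bool
{
    return hash_equals($hash, crypt($password, $hash));
}

// Slide 109 as one reusable login step. password_needs_rehash() is true when the
// stored hash uses an older algorithm or a lower cost than $options asks for, so
// raising the cost in one place migrates every account on its next successful login.
function verifyAndRehash(string $password, string $storedHash, callable $store,
                         array $options = ['cost' => 12]): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, $options)) {
        $store(password_hash($password, PASSWORD_DEFAULT, $options));
    }
    return true;
}

// Demo with the slide's own values: the cost-10 hash verifies, and because the
// policy above asks for cost 12 it is rehashed and handed to the store callback.
$password = 'rasmuslerdorf';
$hash = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';
$newHash = null;
$ok = verifyAndRehash($password, $hash, function (string $h) use (&$newHash): void {
    $newHash = $h; // in a real application: UPDATE users SET password_hash = ...
});
echo $ok ? "login ok\n" : "login failed\n";
if ($newHash !== null) {
    // password_get_info() reports algorithm and cost without revealing the password.
    echo 'rehashed to cost ' . password_get_info($newHash)['options']['cost'] . "\n";
}
```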
  110. Randomness
  111. Never roll your own
      Image by Wouter van Emmerik released under CC BY-SA 3.0
  112. Non-deterministic randomness is critical in encryption. Used for key generation and nonces
  113. Non-deterministic randomness is hard. Dual_EC_DRBG was in use for 7 years
  114. Random in code: Know the source (code sample; the argument values are added so each call is valid)
          // NOT cryptographically secure
          rand();
          // Cryptographically secure (uses OS-specific source)
          random_int(0, PHP_INT_MAX);
          // Cryptographically secure (uses OS-specific source)
          random_bytes(32);
          // Cryptographically secure (uses OpenSSL library)
          openssl_random_pseudo_bytes(32);
  115. Information Disclosure
  116. Information Disclosure: Every piece of information can be leveraged (log sample)
          HEAD http://example.com/index.php
          200 OK
          Connection: close
          Date: Sat, 26 Dec 2015 13:52:01 GMT
          Server: Apache
          Content-Type: text/html; charset=UTF-8
          Client-Date: Sat, 26 Dec 2015 13:52:01 GMT
          Client-Peer: 192.168.0.101:80
          Client-Response-Num: 1
          X-Powered-By: PHP/5.5.11
  117. Same log sample as slide 116
  118. Information Disclosure: Every piece of information can be leveraged (log sample)
          Warning: require(assets/includes/footer.php) [function.require]: failed to open stream: No such file or directory in /home/user/path/to/assets/includes/operations.php on line 38
          Fatal error: require() [function.require]: Failed opening required 'assets/includes/footer.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/path/to/assets/includes/operations.php on line 38
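A bootstrap that closes the two leaks in the slide-116 and slide-118 samples (the `X-Powered-By` version header and on-screen error text with filesystem paths), as an added example that is not from the slides. The log path, the generic error page text and the choice to do this at runtime rather than in php.ini are my assumptions; the php.ini and Apache equivalents are noted in the comments.

```php
<?php
// Added example: runtime hardening against the information disclosure shown on
// slides 116 and 118. php.ini equivalents: expose_php = Off, display_errors = Off,
// log_errors = On. For the Server header on Apache: ServerTokens Prod, ServerSignature Off.
declare(strict_types=1);

const GENERIC_ERROR_PAGE = "Something went wrong. The error has been logged.\n"; // assumed text

function hardenErrorReporting(string $logFile): void
{
    // Report everything, but to the log instead of the response body.
    error_reporting(E_ALL);
    ini_set('display_errors', '0');
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);

    // The X-Powered-By: PHP/5.5.11 header from slide 116. expose_php is
    // PHP_INI_SYSTEM only, so on shared hosts removing the header at runtime is
    // the option that is actually available.
    if (!headers_sent()) {
        header_remove('X-Powered-By');
    }

    // Uncaught exceptions would otherwise render a trace containing paths such
    // as /home/user/path/to/... from slide 118. Details go to the log, the client
    // gets a status code and a generic page.
    set_exception_handler(function (Throwable $e): void {
        error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(),
            $e->getFile(), $e->getLine()));
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo GENERIC_ERROR_PAGE;
    });

    // A failed require() (slide 118) is a fatal error, which never reaches the
    // exception handler; a shutdown function is the place to log it and still
    // return a deliberate response instead of a blank page.
    register_shutdown_function(function (): void {
        $err = error_get_last();
        if ($err === null) {
            return;
        }
        if (in_array($err['type'], [E_ERROR, E_CORE_ERROR, E_COMPILE_ERROR, E_PARSE], true)) {
            error_log(sprintf('fatal: %s in %s:%d', $err['message'], $err['file'], $err['line']));
            if (!headers_sent()) {
                http_response_code(500);
            }
            echo GENERIC_ERROR_PAGE;
        }
    });
}

hardenErrorReporting('/var/log/app/php-errors.log'); // assumed log location
```

Verify the result the same way the slide did: a `HEAD` request should no longer return `X-Powered-By`, and a deliberately missing include should produce a log line and the generic page rather than the `Warning:`/`Fatal error:` text.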
  119. Social Engineering
  120. Weak password reset processes. Can you Google the answer? How do you handle customer support reset?
  121. Customer support training: Convenience vs Security
  122. @N’s (Naoki Hiroshima) Story. How do you mitigate against this?
  123. Hope
      Image by Jenny released under CC BY-NC-ND 2.0
  124. Holistic
  125. A.B.C.
  126. Always Be C Patching
  127. Patching Strategy: If a dependency prevents updating, resolve it now
  128. Version properly: Major.Minor.Patch. How hard is that?
  129. Composer properly: caret (^) makes updating easy
  130. Read: Know about new threats and best practice changes
  131. Don’t become comfortable: Comfort breeds contempt
  132. Training Strategy: Have a process for dealing with account locks and resets
  133. Compromise Strategy: Have a plan before you need it
  134. Information: Only store what you really need
  135. Mistakes will be made: Learn from them
  136. Rate limit: Build it now, or you’ll have to build it while an incident is underway
  137. Monitor everything: You’re more likely to be alerted by a graph spiking than your IDS
  138. Decouple roles: Databases, servers, domains, roles, ...
  139. Decouple plugins/templates: Updates should be simple
  140. Get behind PSR-9 & 10: http://www.php-fig.org/psr/
  141. Group Performance
      Image by Matt McGee released under CC BY-ND 2.0
  142. Thank you. @thomas_shone