security bootcamp for startups and small businesses

Alison Gianotto @snipeyhead

SECURITY BOOTCAMP FOR STARTUPS

(and Small Businesses)

Alison Gianotto (aka “snipe”)WHO AM I?• FormeragencyCTO/CSO•CTOofAnysha.re•CreatorofSnipe-ITFOSSproject• Security&privacyadvocate•20yearsinITandsoftwaredev•Co-authorofafewPHP/MySQLbooks•@snipeyheadonTwitter

2DomCode2016-Utrecht-#DomCode16

WHAT IS RISK?


Risk is the combination of threat, vulnerability, and mission impact.

WHAT KINDS OF THREATS?


•Notalwayshackers•Physicalthreats:naturaldisasters,suchasflood,fire,earthquakes,etc• Logicalthreats:bugsinhardware,powerfailures•Humanthreats:non-maliciousandmaliciousthreats,suchasdisgruntledemployeesandhackers

RISK TOLERANCE


If vulnerability is high, but mission impact is low, you can probably tolerate that risk.

ONE SIZE DOES NOT FIT ALL


Risk looks different for each organization.

IT IS IMPOSSIBLE TO ANTICIPATE OR MITIGATE EVERY RISK.


WHY SHOULD YOU CARE?


Security breaches cost a company reputation, money, time & trust.



Identity theft and security vulnerabilities affect the lives of real people - your users.



Source:ForbesMagazine,Aug3,2013



Source:BoingBoing-Nov3,2016



Even if your product can’t be weaponized, the data you store and the trust your users have in you can be.


GDPR•Goesintoeffect2018•Couldresultinfinesof€20mor4%ofyourannualturnover,whicheverisGREATER

(General Data Protection Regulation)

In 2013, 61% of reported attacks targeted small and medium businesses, UP from 50% in 2012.


Source:VerizonCommunications2013DataBreachInvestigationsReport

One study found that compromises of mid-size firms rose 64% from 2013 to 2014.


Source:GlobalStateofInformationSecuritySurvey2015

HOW?


Sometimes an attacker will use your product to gain information, sometimes they’ll use YOU.

HOW?


And sometimes your users are the target, and sometimes your company is.

WAYS THEY USE YOUR PRODUCT


•ReflectedXSS•PersistentXSS•CSRF•SQLInjection•Remotefileinclusion•Localfileinclusion/directorytraversal

•DefacementforSEO(pharma,etc)•Privilegeescalation•Malwaredelivery•OtherstuffyouknowfromOWASP

WAYS THEY USE YOU


•Stealingcredentialsfromotherwebsites,hopingyoure-usepasswordsacrosssensitivesystems•Spear-phishing•Wateringholeattacks•Socialengineering•Malware• Insecurethird-partyvendors

DEFENSE IN DEPTH


•Mitigatessinglepointsoffailure.(“Busfactor”)•Requiresmoreeffortonthepartoftheattacker,theoreticallyexhaustingattackerresources.

Except...

DEFENSE IN DEPTH CHALLENGES


• Larger,morecomplicatedsystemscanbehardertomaintain:• Leadstomorecracksforbadguystopokeat•Moresurfacesthatcangetbeoverlooked

• Thebadguyshavenearlylimitlessresources.Wedon’t.•Attacksarecommoditizednow.Botnetsfor<$2/hourandInternetofShit(MiraiDynDNSattack)

CIAConfidentiality, Integrity & Availability

CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION


CONFIDENTIALITY EXAMPLES


•Passwords•Dataencryption(atrestandintransmission)•Two-factorauthenticationorbiometrics.

•CorporateVPN• IPWhitelisting•SSHkeys

CONFIDENTIALITY RISKS


• Nobrute-forcedetection• Novettingofhowthird-partyvendorsuse/storecustomerdata• Informationleakagefromloginmessages(timingattacks,etc.)• SQLinjection

• Privilegeescalationleadingtoadminaccess• Passwordssharedacrosswebsites• Improperdisposal/destructionofpersonaldata• Lost/stolendevices• InsiderThreats

INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.


INTEGRITY RISKS


• Datalossduetohardwarefailure(servercrash!)• Softwarebugthatunintentionallydeletes/modifiesdata• Dataalterationviaauthorizedpersons(humanerror)

•Dataalterationviaunauthorizedpersons(hackers)•Nobackupsornowaytoverifytheintegrityofthebackupsyouhave• Third-partyvendorwithinadequatesecurity• InsiderThreats

AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.


AVAILABILITY RISKS


•DDoSattacks•Third-partyservicefailures•Hardwarefailures•Softwarebugs•Untestedsoftwarepatches

•Naturaldisasters•Man-madedisasters•InsiderThreats

Hmm… This looks familiar…


INSIDER THREATS

42%58%

• Employees(33%)• Ex-employees(7%)• Customers,partnersorsuppliers(18%)

Source:ClearswiftReport:TheEnemyWithin-PublishedMay2013

• Everythingelse


INSIDER THREATS

Source:ClearswiftReport:TheEnemyWithin-PublishedMay2013

•Oftenverylow-tech•Sometimesmalicious•Sometimesaccidental•Theft/destructionofconfidentialinformation•Sabotage

•Fraud•Defacement•DoSattacks•Sometimesmotivatedbyrevenge

NOT ALL INSIDER THREATS ARE MALICIOUS, BUT THAT DOESN’T MAKE THEM LESS DANGEROUS.



APPLICATION SECURITY

77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.


Source:SymantecInternetSecurityThreatReport2014::Volume19,PublishedApril2014

BREACHGrowth• credit card info • birth dates • gov ID numbers • home addresses • medical records • phone numbers • financial information • email addresses • login • passwords

Data Stolen


Iden**esStolenbyYear(inMillions)

275

550

825

1100

2011 2012 2013 2014 2015 2016*

554707

1,023

552

267412

Source:SymantecInternetSecurityThreatReport2014/2015

2011 2012 2013 2014 2016

974,000

500,000570,000464,000

190,000

ATTACKS

37

Source:SymantecInternetSecurityThreatReport2014/2016

Per Day

DomCode2016-Utrecht-#DomCode16

APPSEC STRATEGY

PICKTWO

38

COMPLETELYSCREWEDCOMPLETELYSCREWED

COMPLETELYSCREWED

DomCode2016-Utrecht-#DomCode16


WHAT CAN YOU DO?

STOP:


Believing the lie that you’re too small to be a target.

You’re not. I promise.

START:


Evaluating the value of your assets. You have to know what you’re protecting.


VENDOR MANAGEMENT

START:


Documenting ALL of your third-party vendors. Assess risk, and start a vendor management program.

START:


Giving preference to third-party vendors that integrate with LDAP/AD/SSO.

START:


Developing a risk matrix for every project. Keep it updated as new features are added.

RISK MATRIX:


• Type• Third-Party• ServiceDescription• TriggeringAction• ConsequenceofServiceFailure• RiskofFailure• ProbabilityofFailure• UserImpactofFailure

• Methodusedformonitoringthisrisk• EffortstoMitigateinCaseofFailure• Contactinfo

Grabastartertemplatehere!http://snipe.ly/risk_matrix

START:


Giving preference to systems that allow you to show due diligence in the event of a breach.


POLICIES & PROCESS

START:


Implementing policies of “least-privilege”.

START:


Developing a Disaster Recovery Plan. TEST IT. (No, really, test it. Often.)

START:


Developing an Incident Response Plan. Test it, and keep it updated.

START:


Enabling (and requiring) two-factor authentication for everything.

START:


Thinking about any ways a new security measure could actually weaken your security.

REMEMBER:


If your new security policies get in the way of people getting work done, they will find a way around them.

START:


Developing a formal procedure for handling exiting employees.


DATA HANDLING

STOP:


Collecting data about users that you don’t ABSOLUTELY need right now.

START:


Logging (almost) everything. Use a central logging server if you can.

START:


Getting to know what “normal” user behavior looks like. Flag anything out of the ordinary.

START:


Storing offline backups. Make sure you can restore from them successfully.

START:


Encrypting EVERYTHING (where feasible.) in transit and at rest. HTTPS ALL THE THINGS.

START:


Testing that your deployment system can work if Github (or other third-party) is down.


DEV & OPS

START:


Leveraging the built-in data sanitation/CSRF of your language frameworks.

START:


Using prepared statements for your SQL. It’s 2016 already!

START:


Checking for debugging output that can disclose information that can make an attacker’s job easier.

STOP:


Using MD5 for passwords!!!! Use a secure salt+hash like bcrypt.

START:


Looking critically at the complexity of your systems.

START:


Implementing brute-force detection everywhere you can.

STOP:


Using production data in your test environments!

START:


Getting your dev teams involved in Capture the Flag events. (They’re fun!)

START:


Getting penetration tests and vulnerability assessments done.

START:


Building automated scanners into your testing/Continuous Integration pipeline.


COMPANY CULTURE

START:


Building a security-first culture. Make it part of your DNA.

START:


Creating a company culture where your employees are encouraged to ask if they are suspicious.

REMEMBER:


“The security team says no because they are incorrectly held accountable for all flaws.”

— Michael Coates CISO at Twitter, OWASP Global Board Member

START:


Educating employees about social engineering tactics that can be used to gather data about your company.

STOP:


Utilizing policies that punish employees for reporting incidents.

START:


Becoming a passionate security ambassador for your users and your co-workers.

Alison Gianotto (aka “snipe”)THANK YOU!•@snipeyheadonTwitter• [email protected]


Likedthistalk?Leavefeedbackathttp://snipe.ly/domcode16

http://snipe.ly/domcode16

CAPTURE ALL THE FLAGS!


• NotSoSecureCTF:http://ctf.notsosecure.com• SecurityShepherd:https://www.owasp.org/index.php/OWASP_Security_Shepherd• http://hax.tor.hu/• https://pwn0.com/• http://www.smashthestack.org/• http://www.hellboundhackers.org/• http://www.overthewire.org/wargames/• http://counterhack.net/Counter_Hack/Challenges.html• http://www.hackthissite.org/• http://exploit-exercises.com/• http://vulnhub.com/

security bootcamp for startups and small businesses

Technology