Hacking Skills Not Required: Your Vendor Security Programs are not a Secret
Chris Berger, Global Head of Vendor Risk, Bloomberg
Michael Fowkes, VP, Engineering & Analytics, RiskRecon
sig.org/eval
ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements
In our New World, Data is the Silver Bullet
(…it might be the only bullet…)
Control your third party risk reality
SaaS growth vs on-premise
SaaS – 17.3% CAGR vs On-prem – 3.1% CAGR
% of enterprise apps SaaS-based by 2018
5x
27.8%
“10x increase in number of cloud based solutions by 2018” – IDC Chief Analyst (2015)
$216 Billion – Cloud market size by 2020
17.3% CAGR – Cloud market thru 2020
When companies do things on the internet…
…they reveal a lot of stuff
Data Processing Company
What you can learn starting with just the company name
- No inside information
- No hacking
- JUST LOOKING
265 Web Servers
28 Hosting Providers
7 Hosting Countries
6 Email Providers
Software
Software Patching
8% of Web Servers EOL
• IIS 4.0 – 1
• Netscape Enterprise 4.1 – 2
• IIS 6 – 13
• Apache 1.3 – 4
• NGINX 1.6 – 1
12% of App Servers EOL
• PHP 4.1 – 1
• PHP 5.2 – 2
• PHP 5.3 – 5
• Phusion Passenger 4.0 – 2
• Jetty 4.0 – 1
60% of CMS software EOL
• vBulletin 3.0 – 1
• WordPress 3.0 – 2
• WordPress 4.3 – 2
• Drupal 6.x – 2
Web Encryption
36% running SSLv2 or SSLv3
32% with invalid certificate subjects
12% with expired certificates
DNS Security
45% missing basic domain hijacking protection
11 different DNS hosting providers
Email Security
44% missing email encryption
6 email hosting providers
97% missing email domain authentication (SPF / DKIM)
Insurance Company
What you can learn starting with just the company name
- No inside information
- No hacking
- JUST LOOKING
347 Web Servers
42 Hosting Providers
18 Hosting Countries
33 Email Providers
Software
Software Patching
12% of Web Servers EOL
• IIS 6.0 – 55
• NGINX 1.4 – 2
• NGINX 1.2 – 1
10% of App Servers EOL
• PHP 5.3 – 5
• PHP 5.4 – 1
• Phusion Passenger 4.0 – 2
![Page 51: Hacking Skills Not Required - SIGsig.org/docs2/S28_Hacking_Skills_Not_Required_Your_Vendor_Security_Programs_are_not_a...Hacking Skills Not Required: Bloomberg Chris Berger Global](https://reader035.vdocuments.net/reader035/viewer/2022070722/5f01c2c47e708231d400e857/html5/thumbnails/51.jpg)
Software Patching
8% of Web Servers EOL
• IIS 4.0 – 1
• Netscape Enterprise 4.1 – 2
• IIS 6 – 13
• Apache 1.3 – 4
• NGINX 1.6 – 1
12% of App Servers EOL
• PHP 4.1 – 1
• PHP 5.2 – 2
• PHP 5.3 – 5
• Phusion Passenger 4.0 – 2
• Jetty 4.0 – 1
9% of CMS software EOL
• Adobe GoLive – 1
• Drupal 6.22 – 1
• Drupal 7.3 – 1
Web Encryption
37% running SSLv2 or SSLv3
38% with invalid certificate subjects
7% with expired certificates
DNS Security
70% missing basic domain hijacking protection
90 different DNS hosting providers
Email Security
17% missing email encryption
33 email hosting providers
98% missing email domain authentication (SPF / DKIM)
Michael [email protected]
Control your third party risk reality
Evaluation How-to:
Why? Your feedback drives SIG Event content. By signing and submitting your evaluation, you are automatically entered into a prize drawing.
How?
Option 1: App
1. Select Schedule
2. Select Schedule by Day
3. Select Day
4. Select Session
5. Scroll to Description
6. Click on the Evaluation link
Option 2: Browser
1. Go to www.sig.org/eval
2. Select Session (#28)
COMPLETE & SUBMIT EVAL
Tweet: #SIGfall16
Session #28
Hacking Skills Not Required: Your Vendor Security Programs are not a Secret
Speakers:
RiskRecon – Michael Fowkes – 801-558-6150 – [email protected]
Bloomberg – Chris Berger – 631-374-1185 – [email protected]
www.sig.org/eval
Download the App: bit.ly/SIGfall16