Issues in Security: Avoid Bad Press and Prevent Security Breaches
Christopher Camejo, 19 October 2016
Christopher Camejo-Public-Approved-1.0
© 2016 NTT Security
Contents
Security 101
Know Your Enemy
Back to Basics
Evaluating Products
Software Vulnerabilities
The Cloud
ICS, IoT, and Embedded Systems
Security 101
There’s No Such Thing As “Secure”
Software bugs
New attack techniques
Computers getting more powerful
User error
There’s No Such Thing as “Cyber”
Web Applications
Network Hacking
Wireless
Malicious USB
Physical Infiltration
Social Engineering
Phishing
Mobile Devices
Comparing Security – Don’t be the slowest guy in the crowd
Comparing Security – There are many threats
Comparing Security – Targeted Threats
Defense in Depth
• Technology is useless unless it is properly designed, configured, and maintained
• Data can only be protected if it’s handled inside the security regime that has been built to protect it
• Humans can be vulnerabilities too
• We need people to follow the processes for them to be effective
• We implement security because we have something to protect
• The appropriate level of security should be determined by the criticality of the data we need to protect
• Technology helps deal with a large number of threats quickly
Layers: Technology, Processes, People, Data
Detection and Response
Can’t rely on protection alone
Alerts are useless without response
Monitoring and response are expensive
Know Your Enemy
Hacktivists
Political Statements
Disruption
Maximum Embarrassment
Anonymous
Syrian Electronic Army
Honker Union
Anonymous DDoS
SQL Injection

Normal login (username "administrator", password "trustno1", shown as ********):
SELECT id FROM accounts WHERE username = 'administrator' AND password = 'trustno1';

Same username with the wrong password "owned!" returns no row, so the login fails:
SELECT id FROM accounts WHERE username = 'administrator' AND password = 'owned!';

Username "administrator';--" with password "owned!": the quote closes the string literal, the semicolon ends the statement, and "--" turns the password check into a comment, so the query returns id 1 without a valid password:
SELECT id FROM accounts WHERE username = 'administrator';--' AND password = 'owned!';

Stacked-query variant from the slide (the second statement is shown truncated there), where the login query is followed by an attacker-chosen statement:
SELECT id FROM accounts WHERE username = ''; SELECT password --' AND password = '';

accounts table:
id  username       password
1   administrator  trustno1
2   joe            joe
3   bill           1qazxdr5
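The slide shows the effect of the injected username on the SQL text but not the code that produces it or the fix. The following Python script is an added example, not code from the presentation: it builds the slide's three-row accounts table in an in-memory SQLite database (constructed sample data), reproduces the concatenated query from the slide, and places a parameterized version of the same login check beside it so the two can be compared on identical input. Function names and the table schema are the example's own assumptions.

```python
import sqlite3

# Constructed sample data: the three-row "accounts" table shown on the slide.
# Passwords are stored in clear only to mirror the slide; a real system stores salted hashes.
SAMPLE_ACCOUNTS = [
    (1, "administrator", "trustno1"),
    (2, "joe", "joe"),
    (3, "bill", "1qazxdr5"),
]


def make_db():
    """Create an in-memory SQLite database holding the slide's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def build_vulnerable_query(username, password):
    """String concatenation, the pattern behind the slide's queries.

    Whatever the user typed is pasted into the SQL text, so a quote in the
    username ends the string literal and the remainder is parsed as SQL.
    """
    return (
        "SELECT id FROM accounts WHERE username = '" + username
        + "' AND password = '" + password + "';"
    )


def login_vulnerable(conn, username, password):
    """Return the matched account id, or None when the login fails."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the values travel separately from the
    SQL text, so the username is compared as a string and never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare_logins(conn, username, password):
    """Run both versions on the same input; a mismatch means the input altered the query."""
    return {
        "query": build_vulnerable_query(username, password),
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("administrator", "trustno1"),
                     ("administrator", "owned!"),
                     ("administrator';--", "owned!")]:
        result = compare_logins(db, user, pw)
        print(result["query"])
        print("  vulnerable ->", result["vulnerable"],
              "| parameterized ->", result["parameterized"])
```

With the slide's injected username the concatenated version returns id 1 although the password is wrong, while the parameterized version returns nothing because it looks for a user literally named `administrator';--`. The same contrast is what a code review or a web application firewall rule is trying to catch: user input that reaches the query text rather than a bound parameter.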
Criminal Organizations
Money
Money
Money
Mostly Eastern European
Some Southeast Asia
Some individual fraudsters
Case Study: Target
November-December 2013
• 40 million credit cards compromised
• 70 million other records stolen
Malware
• Developed by 17 year old from St Petersburg and 6 others
• Sold for about $2,000
• Customizable to evade anti-virus
• Sample undetectable as of Jan 16, 2013 (1.5 months after the attack)
The Attack
• Entry via HVAC company and invoicing website
• Infect POS systems
• Capture cards from RAM before encryption
• Consolidate on another server and FTP it out
Black Markets
• Cards sold on rescator.la, run by a Ukrainian
• $20-$135 per card, foreign cards worth more than US cards
• Cards sold with zip codes so they can be used nearby and avoid fraud alerts
Business Email Compromise
U.S. Oct 2013-Aug 2015
• 7,066 Victims
• $747,659,840
Ubiquiti Networks-June 5, 2015
• $46.7 million wired out
• $31.8 million unrecovered
Case Study: Ransomware
• Hospital computers offline for 2 weeks
• 40 bitcoin ($17,000) ransom paid
Ransomware infection on Feb 5th (drive-by?)
Doctors and nurses resorted to faxes and paper notes
Patients turned away and transferred
Ransom paid Feb 19th
Criminal DDoS
Attack on Krebsonsecurity.com September 20, 2016:
620 gigabits/sec
State Sponsored
Defense Intelligence
Industrial Espionage
Monitoring Dissidents
China
Russia
Iran
North Korea
Five Eyes
Spear Phishing and Whaling
RSA Attack
“Sophisticated attack” against RSA
Stole token seeds
Social-engineered defense contractors
Log into target VPNs using tokens
“But I’m not a target”
Caught in the crossfire
• You are the backdoor
• Revenge attacks
Collateral damage
• Viruses spread
• Botched exploits
You have something worth money
• Cash in your bank
• Intellectual property or PII
Back to Basics
Security Basics – Part 1
Patching
• Chronically behind
• Legacy systems “can’t be patched”
System Configs
• Default and insecure
• Infrastructure devices
Passwords
• Blank, default, and weak
• Reuse
Security Basics – Part 2
Data Retention
• Storing unnecessary data
• Storing data longer than necessary
Encryption
• Using weak or no encryption
• Not managing keys and certificates
Evaluating Products
The Big Questions
Is this solution suitable for the data it will handle?
• Designed for purpose
• Encryption
• Compliance requirements
What is the vendor’s track record?
• Lots of past vulnerabilities?
• How long to fix vulnerabilities?
• History of backdoors or other shenanigans?
• Geopolitical considerations?
Can we run it in a secure manner?
• Compatible with other systems
• People skilled in installation and operation
Trust but Verify
Proof of Concept
• Make sure it does what it says on the label
• Find incompatibilities when you can still walk away
Adversarial Security Testing
• Scanning tools alone are not enough
• Tester skill has a huge impact on test outcome
Poll Question:
Does your organization perform security reviews of products before making purchasing decisions?
Encryption Works*
*terms and conditions may apply
Algorithm
Key strength
RNG
Understand the options
• Algorithm and key strength
• Forward secrecy
Trusting CAs and keys
• Self-signed certs
• Hardcoded certs
• Who runs the CA?
Consider your crypto tools
• Open source is easy to audit
• Closed source is difficult to audit
• Hardware is nearly impossible to audit
Beware of Snake Oil
It Takes Tuning
Software Vulnerabilities
Why do Software Vulnerabilities Exist?
Programming techniques
• They don’t teach secure coding in school
Ignorance, Hubris, or Complacency
• “That’s only theoretical”
Profit
• Bug fixes cost money, new features sell software
Hackers Are Your Friends
“Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock, let it have been made in whatever country, or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.” (A. C. Hobbs, 1853)
If the good guys can find it, the bad guys can too
Hacker: someone trying to make something work better or differently than it was designed to
Hacker (White Hat): someone looking for vulnerabilities to help improve security
Hacker (Black Hat): someone looking to exploit vulnerabilities for fun or profit
CERT, CVE, and CVSS
Computer Emergency Readiness Team
• https://www.cert.org/
• https://www.us-cert.gov/
Common Vulnerabilities and Exposures
• http://cve.mitre.org/
• https://nvd.nist.gov/
Common Vulnerability Scoring System
• How complex is the exploit?
• Where can it be exploited from?
• Are credentials required?
• What is the impact?
Disclosure Process
Path 1: Find vulnerability -> Report to vendor -> Vendor fixes vulnerability
• Patch released
• Researcher gets credit
Path 1, vendor ignores the report: Vendor doesn’t fix vulnerability
• “Zero Day”
• Vuln rediscovered and exploited
• Users mitigate
Path 2: Find vulnerability -> Report to vendor -> Deadline for disclosure
• Mitigate before it gets exploited
Path 3: Find vulnerability -> Announce publicly -> Chaos!
Selling Out
Bug Bounties
Why should I be an unpaid QA person for a billion dollar corporation?
• $500-$20,000 (vendor not legible on the slide)
• Microsoft: $500-$100,000
• Apple: up to $200,000
• Tesla: $100-$10,000
Poll Question:
Do your contracts with outsourced developers include provisions for secure software development and security testing?
The Cloud
Cloud thoughts
Data Protection
• How is your data segmented from other customers?
• How long is your data retained?
• How is your data destroyed?
Logging
• What is logged and for how long?
• Are audit logs vulnerable to modification?
• Can you access logs?
Application Security
• Is the application tested regularly and can you see the results?
• Are application firewalls used?
Legal
• What jurisdictions is your data stored in?
• Under what conditions will the provider hand over your data?
Behind the Curtain
Poll Question:
Does your organization include security requirements in contracts with cloud providers?
ICS, IoT and “embedded”
Security Through Obscurity
Shannon’s Maxim
• The enemy knows the system: one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.
Complicated and Obscure
• What people who underestimate the intelligence and determination of hackers think their system will be protected by
Long Term Support
According to ICS-CERT analysis, the ISO-TSAP protocol is functioning to specifications; however, authentication is not performed nor are payloads encrypted or obfuscated.
Like ISO-TSAP, many protocols used in industrial control systems were intentionally designed to be open and without security features.
Critical Infrastructure
“From March to June 2013, we observed attacks originating in 16 countries, accounting for a total of 74 attacks on seven honeypots within the honeynet.”
“Out of these 74 attacks, 11 were considered ‘critical.’”
“When we refer to attacks as critical, we mean those without established motivations but can cause the catastrophic failure of an ICS device’s operation.”
Supply Chain
Takeaways
Make decisions based on the sensitivity of data and what the threats are
Test everything before you commit…
…especially cloud services
“Embedded” systems are long overlooked, pay closer attention to them
There’s a lot of snake oil in the security space, get an expert
Thank you
Christopher Camejo