issues in security 19 october 2016sig.org/...01...security_breaches_ntt_2016_10_15.pdf · issues in...

Issues in SecurityAvoid Bad Press and Prevent Security Breaches Christopher Camejo-Public-Approved-1.0

Christopher Camejo19 October 2016

© 2016 NTT Security

Contents

Christopher Camejo-Public-Approved-1.0

ICS, IoT, and Embedded Systems

The Cloud

Software Vulnerabilities

Evaluating Products

Back to Basics

Know Your Enemy

Security 101


Security 101



There’s No Such Thing As “Secure”


Software bugs

New attack techniques

Computers getting more powerful

User error


There’s No Such Thing as “Cyber”


Web

ApplicationsNetwork

Hacking Wireless

Malicious

USB

Physical

InfiltrationSocial

Engineering

Email

Phishing

Mobile

Devices


Comparing Security – Don’t be the slowest guy in the crowd



Comparing Security – There are many threats



Comparing Security – Targeted Threats



Defense in Depth


• Technology is useless unless it is properly designed, configured, and maintained

• Data can only be protected if it’s handled inside the security regime that has been built to protect it

• Humans can be vulnerabilities too• We need people to follow the processes for them to

be effective

• We implement security because we have something to protect

• The appropriate level of security should be determined by the criticality of the data we need to protect

• Technology helps deal with a large number of threats quicklyTechnology

Processes

People

Data


Detection and Response


Can’t rely on protection alone

Alerts are useless without response

Monitoring and response are expensive


Know Your Enemy



Hacktivists


Political Statements

Disruption

Maximum Embarrassment

Anonymous

Syrian Electronic Army

Honker Union


Anonymous DDoS



SQL Injection

administrator

Log In

********

SELECT id FROM accounts WHERE username EQ ‘administrator’ AND password EQ ‘trustno1’;

administrator’;--

Log In

******

SELECT id FROM accounts WHERE username EQ ‘administrator’;--’ AND password EQ ‘owned!’;

id username password

1 administrator trustno1

2 joe joe

3 bill 1qazxdr5

id username password

1 administrator trustno1

2 joe joe

3 bill 1qazxdr5

accounts

accounts

SELECT id FROM accounts WHERE username EQ ‘administrator’ AND password EQ ‘owned!’;

SELECT id FROM accounts WHERE username EQ ‘’; SELECT password --’ AND password EQ ‘’;Christopher Camejo-Public-Approved-1.0


Criminal Organizations


Money

Money

Money

Mostly Eastern European

Some Southeast Asia

Some individual fraudsters


Case Study: Target

•40 million credit cards compromised

•70 million other records stolen

November-December 2013

•Developed by 17 year old from St Petersburg and 6 others

•Sold for about $2,000

•Customizable to evade anti-virus

•Sample undetectable as of Jan 16, 2013 (1.5 months after the attack)

Malware

•Entry via HVAC company and invoicing website

•Infect POS systems

•Capture cards from RAM before encryption

•Consolidate on another server and FTP it out

The Attack

•Cards sold on rescator.la, run by a Ukranian

•$20-$135 per card, foreign cards worth more than US cards

•Cards sold with zip codes so they can be used nearby and avoid fraud alerts

Black Markets



Business Email Compromise

U.S. Oct 2013-Aug 2015

• 7,066 Victims

• $747,659,840

Ubiquiti Networks-June 5, 2015

• $46.7 million wired out

• $31.8 million unrecovered



Case Study: Ransomware

•Hospital computers offline for 2 weeks

•40 bitcoin ($17,000) ransom paid

Ransomware

Ransomware infection on Feb 5th (drive-by?)

Doctors and nurses resorted to faxes and paper notes

Patients turned away and transferred

Ransom paid Feb 19th



Criminal DDoS

Attack on Krebsonsecurity.com September 20, 2016:

620 gigabits/sec



State Sponsored


Defense Intelligence

Industrial Espionage

Monitoring Dissidents

China

Russia

Iran

North Korea

Five Eyes


Spear Phishing and Whaling



“Sophisticated attack” against RSA

Stole token seeds

Social engineered defense contractors

Log into target VPNs using tokens

RSA Attack



“But I’m not a target”


Caught in the crossfire

• You are the backdoor

• Revenge attacks

Collateral damage

• Viruses spread

• Botched exploits

You have something worth money

• Cash in your bank

• Intellectual property or PII


Back to Basics



Security Basics – Part 1


Patching Chronically behind

Legacy systems “can’t be patched”

System Configs

Default and insecure

Infrastructure devices

Passwords Blank, default, and weak

Reuse


Security Basics – Part 2


Data Retention

Storing unnecessary data

Storing data longer than necessary

EncryptionUsing weak or no encryption

Not managing keys and certificates


Evaluating Products



The Big Questions

Is this solution suitable for the data it will handle?

• Designed for purpose• Encryption• Compliance requirements

What is the vendor’s track record?

• Lots of past vulnerabilities?• How long to fix vulnerabilities?• History of backdoors or other shenanigans?• Geopolitical considerations?

Can we run it in a secure manner?

• Compatible with other systems• People skilled in installation and operation



Trust but Verify


• Make sure it does what it says on the label

• Find incompatibilities when you can still walk away

Proof of Concept

• Scanning tools alone are not enough

• Tester skill has a huge impact on test outcome

Adversarial Security Testing


Poll Question:

Does your organization perform security reviews of products before making purchasing decisions?



Encryption Works*


*terms and conditions may apply

Algorithm

Key strength

RNG

Understand the options

• Algorithm and key strength

• Forward secrecy

Trusting CAs and keys

• Self-signed certs

• Hardcoded certs

• Who runs the CA?

Consider your crypto tools

• Open source is easy to audit

• Closed source is difficult to audit

• Hardware is nearly impossible to audit


Beware of Snake Oil



It Takes Tuning



Software Vulnerabilities



Why do Software Vulnerabilities Exist?


• They don’t teach secure coding in school

Programming techniques

• “That’s only theoretical”

Ignorance, Hubris, or Complacency

• Bug fixes cost money, new features sell software

Profit


Hackers Are Your Friends


•Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock, let it have been made in whatever country, or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance. -A. C. Hobbs 1853

If the good guys can find it the bad guys can too

• Someone trying to make something work better or differently than it was designed toHacker:

• Someone looking for vulnerabilities to help improve securityHacker (White Hat):

• Someone looking to exploit vulnerabilities for fun or profitHacker (Black Hat):


CERT, CVE, and CVSS


• https://www.cert.org/

• https://www.us-cert.gov/Computer Emergency

Readiness Team

• http://cve.mitre.org/

• https://nvd.nist.gov/Common Vulnerabilities

and Exposures

How complex is the exploit?

Where can it be exploited

from?

Are credentials required?

What is the impact?

Common Vulnerability Scoring System


Disclosure Process


Find vulnerabilityReport to

vendorVendor ignores

Vendor fixes vulnerability

• Patch released

• Researcher gets credit

Vendor doesn’t fix vulnerability

• “Zero Day”

• Users mitigate

Find vulnerabilityReport to

vendorDeadline for

disclosure

Find vulnerabilityAnnounce

publiclyChaos!

Vuln rediscovered and exploited

Mitigate before it gets exploited


Selling Out


Why should I be an unpaid QA person for a billion dollar corporation?

Google

$500-$20,000

Microsoft

$500-$100,000

Apple

Up to $200,000

Tesla

$100-$10,000

Bug Bounties


Poll Question:

Do your contracts with outsourced developers include provisions for secure software development and security testing?



The Cloud



Cloud thoughts


• How is your data segmented from other customers?• How long is your data retained?• How is your data destroyed?

Data Protection

• What is logged and for how long?

• Are audit logs vulnerable to modification?

• Can you access logs?

Logging

• Is the application tested regularly and can you see the results?

• Are application firewalls used?

Application Security

• What jurisdictions is your data stored in?

• Under what conditions will the provider hand over your data?

Legal


Behind the Curtain



Poll Question:

Does your organization include security requirements in contracts with cloud providers?



ICS, IoT and “embedded”



Security Through Obscurity


Shannon’s Maxim

• The enemy knows the system, one ought design systems under the assumption that the enemy will immediately gain full familiarity with them.

• What people who underestimate the intelligence and determination of hackers think their system will be protected by

Complicated

Obscure


Long Term Support


According to ICS-CERT analysis, the ISO-TSAP protocol is functioning to specifications; however, authentication is not performed nor are payloads encrypted or obfuscated.

Like ISO-TSAP, many protocols used in industrial control systems were intentionally designed to be open and without security features.


Critical Infrastructure


“From March to June 2013, we observed attacks originating in 16 countries, accounting for a total of 74 attacks on seven honeypots within the honeynet.”

“Out of these 74 attacks, 11 were considered ‘critical.’”

“When we refer to attacks as critical, we mean those without established motivations but can cause the catastrophic failure of an ICS device’s operation.”


Supply Chain



Takeaways

Make decisions based on the sensitivity of data and what the threats are

Test everything before you commit…

…especially cloud services

“Embedded” systems are long overlooked, pay closer attention to them

There’s a lot of snake oil in the security space, get an expert


Thank you

Christopher [email protected]

issues in security 19 october 2016sig.org/...01...security_breaches_ntt_2016_10_15.pdf · issues in...

Documents