Upload File

security pitfalls - home : security and privacylistically cyber security & safety risks...

  • Home
  • Documents
  • Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors
30
Security Pitfalls A review of recurring failures Dr. Dominik Herrmann Download slides at https://dhgo.to/pitfalls

Upload: others

Post on 14-Jul-2020

4 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

SecurityPitfallsAreviewofrecurringfailures

Dr.DominikHerrmann

Downloadslidesathttps://dhgo.to/pitfalls

Page 2: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

For common Internet Crime Schemes see http://www.ic3.gov/crimeschemes.aspx 2

Researchonsecurity,privacy,onlinetracking,forensics.

Postdocresearcher UniversityofHamburg

Temporaryprofessor UniversityofSiegen

JuniorFellow GermanInformaticsSociety

Page 3: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Mediareportsaboutsecurityrevolvearoundfear,uncertainty,anddoubt.

3

Page 4: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Manyvulnerabilitiescouldbeavoided,ifvendorsfollowedbestpracticesandsecuritymanagementstandards.

4https://www.enisa.europa.eu/activities/Resilience-and-CIIP/smart-infrastructures/intelligent-public-transport/good-practices-recommendations/at_download/fullReport

Page 5: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Problem:Bestpracticesareoftenabstractandoforganizationalnature.

5https://www.enisa.europa.eu/activities/Resilience-and-CIIP/smart-infrastructures/intelligent-public-transport/good-practices-recommendations/at_download/fullReport

integratecybersecurityincorporategovernance

implementastrategy addressingho-listically cybersecurity&safetyrisks

implementriskmgmt. forcybersecu-rity inmulti-stakeholderenvironmentsincl.contractorsanddependencies

clearlyandroutinelyspecifytheircybersecurityrequirements

annuallyreviewcybersecurityprocess-es,practicesandinfrastructures

createproducts/solutions thatmatchthecybersecurityrequirements ofend-users

collaborateinthedevelopmentofIPT-specificstandards andapplythemtoIPTsolutions

developatrustedinformationsharingplatform onrisksandvulnerabilities

providesecurityguidance forsystems,productsandsolutions

OPERATORS MANUFACTURERS

Page 6: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Asmoreandmoredataisstoredandprocessed,securingdataagainstattacksbecomesmoreimportant.

https://www.schneier.com/blog/archives/2016/09/organizational_1.html 6

availabilityconfidentiality

integrity

RANSOMWAREDATALEAKS

ORGANIZATIONALDOXING

DATAMANIPULATION

Page 7: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

7

TheClassicalEngineeringPerspective

PROACTIVESECURITY

Page 8: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

8

Weakness1: Outofsight,outofmind

Page 9: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Exploitingknownvulnerabilitiesisstillaverysuccessfulattackvector.Vendorsandusersfailtopatchtheirsoftwareinatimelymanner.

http://www.wired.co.uk/news/archive/2016-04/06/panama-papers-mossack-fonseca-website-security-problems 9

Mossack FonsecaranoldOutlookWebAccess(2009),Drupal(2013,25vulns)

Heartbleed (2014)128kvulnerabledevicesin9/2016

Page 10: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

http://bc.ctvnews.ca/security-flaw-lets-smartphone-users-hack-transit-gates-1.2852464 10

UltraReset attackonMiFare Ultralight(NewJersey&SanFrancisco,2012)…stillworksin2016(Vancouver)

Page 11: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

11Weakness2: Foolswithtools…don’tknowtheirtrade

Page 12: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Duetounawareness,carelessness,andhaste,vendorsshipproductswithembarrassingsecurityholes,forinstanceinuserauthentication.

http://heise.de/-3248831and http://heise.de/-3308004 12

ABUS,Blaupunkt,Lupusalarmsystems(2016):

insecuredefaultpasswordscanbedisabledwithoutthePIN

also:Loxone SmartHome (2016)

Page 13: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Manyindustriesarecurrentlylearninghowtodosecurityproperly.

http://www.hotforsecurity.com/blog/vulnerability-in-vaillant-heating-systems-allows-unauthorized-access-5926.html 13

Vaillant heatings (2015):

authenticationandpasswordcheckperformedbyaJavaappletintheuser’sbrowser

Page 14: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

14Weakness3: Underestimatingtheadversary

Page 15: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Insecuredesignsresultfromsoftwaredevelopersmakingpoordecisionsbecauseofwrongassumptions.

http://www.forbes.com/sites/thomasbrewster/2015/02/02/bmw-door-hacking/ 15

BMWConnectedDrive (2015)

– allcarsusedthesamecryptographickey

– communicationwithBMWserverswasnot protected

Impact: cardoorscouldbeunlockedbysendingafakedSMStothecar

Page 16: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Insecuredesignsresultfromsoftwaredevelopersmakingpoordecisionsbecauseofwrongassumptions.

16

BMWConnectedDrive (2015)

– allcarsusedthesamecryptographickey

– communicationwithBMWserverswasnotprotected

Impact: cardoorscouldbeunlockedbysendingafakedSMStothecar

“Nooneisableto…”– reverseengineerthehard-warewherethekeyisstored

– setupafakeGSMnetworktosendanSMStothecar

Page 17: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Insecuredesignsresultfromsoftwaredevelopersmakingpoordecisionsbecauseofwrongassumptions.

17

BMWConnectedDrive (2015)

– allcarsusedthesamecryptographickey

– communicationwithBMWserverswasnotprotected

Impact: cardoorscouldbeunlockedbysendingafakedSMStothecar

Researchersjustdidit.– reverseengineerthehard-warewherethekeyisstored

– setupafakeGSMnetworktosendanSMStothecar

Page 18: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Insecuredesignsresultfromsoftwaredevelopersmakingpoordecisionsbecauseofwrongassumptions.

http://fortune.com/2016/08/11/volkswagen-car-remote-warning/ 18

Page 19: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

19

Weakness4: Outsourcingsecuritytovendors……cangetoutofhandquickly

Page 20: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

TheRFIDticketsusedforpublictransportinBerlinstoredthelast10waypoints,whichcouldbeusedtocreatepersonallocationprofilesofcommuters.

http://glm.io/118226 20

– operatorsdeniedtheleakuntilprovenwrong– claimedthattrackingwasenabledbyvendor

withouttheirknowledge

Page 21: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

21

Weakness5: SocialEngineering

Page 22: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

High-profilefraudsheavilyrelyonsocialengineering.

http://www.securityweek.com/austrian-firm-fires-ceo-after-56-million-cyber-scamhttps://www.leoni.com/en/press/releases/details/leoni-targeted-by-criminals/ 22

“FakePresidentFraud”

also:“SpearPhishing”

Page 23: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Consumershaveprivacyrights,e.g.toaccessanddeletetheirpersonaldata.Handlingrequestsisveryfrustratingforconsumersandvendors.

http://arxiv.org/abs/1602.01804 23

Weconductedafieldstudywith150appsand120websites.

Evenafterthesecondmailonly 1in2vendorscomplied.

1in4websiteownerscouldbetrickedintosendingthedatatoadifferent e-mailaddress.

Mostvendorsdeletedouraccountswithoutpriorconfirmation.

Page 24: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

24

AMoreRecentApproach

REACTIVESECURITY

TheClassicalEngineeringPerspective

PROACTIVESECURITY

Page 25: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Itisdifficulttotrackdownproficientadversaries.

https://bitcoin.org,https://torproject.org 25

anonymizedcommunications

cryptographiccurrencies

Page 26: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

26

notallhackersareequal

intrusiondetection

emergencyprotocols

3CONSIDERATIONSFORREACTIVESECURITY

findanomalies(logging&audits)

operationsandcommunications

blackhats vs.whitehats

Page 27: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Vendorsoftenmisstheopportunitytocollaboratewithsecurityresearchers.

https://www.schneier.com/blog/archives/2013/08/scientists_bann.html 27

opportunityforvendorsbugsuncoveredbythesecuritycommunity

Page 28: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Vendorsoftenmisstheopportunitytocollaboratewithsecurityresearchers.

https://www.cnet.com/news/judge-orders-halt-to-defcon-speech-on-subway-card-hacking/ 28

opportunityforvendorsbugsuncoveredbythesecuritycommunity

Page 29: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Asaresultthereisaflourishingblackmarketforsecurityvulnerabilities.Inresponse,thesoftwareindustryhasstartedtosetupbugbountyprograms.

29

opportunityforvendorsbugsuncoveredbythesecuritycommunity

blackmarketforzero-dayexploits

whitemarketbugbountyprograms

Page 30: Security Pitfalls - Home : Security and Privacylistically cyber security & safety risks implement risk mgmt. for cybersecu-rity in multi-stakeholder environments incl. contractors

Considerattacksonconfidentiality,integrity,andavailableofyour(customers’)data.

Learnfromattacksonothersandavoidcommonmistakesinproactivemeasures.

Preparetoreacttosecurityincidentsandcollaboratewiththesecuritycommunity.

1

2

3

TAKE-AWAYMESSAGES

SecurityPitfalls

[email protected]:https://dhgo.to/pitfalls


ICT IGCSE Theory Revision Presentation - Home :: EICTTA. Safety and security... · 2019-03-14 · ICT IGCSE Theory –Revision Presentation Safety and Security rity 8.1 Physical Safety

Q79 - DTIC · 85 5 21 q79. security classi#;icatton of 'his page - ___ i___ report docw.mentatvio~ pace "v. re' 37t security classification lb. re•tri.rivf .. iarkings 2s le. rity

A Developmental Approach to Building Sustainable Security ...€¦ · rity cooperation, security sector reform, building partner capacity, and defense institution– building (DIB),

SIXray: A Large-Scale Security Inspection X-Ray Benchmark for …openaccess.thecvf.com/content_CVPR_2019/papers/Miao... · 2019-06-10 · rity Inspection X-ray images. Our dataset,

VCU School of EngineeringResearch Topics • System security: cloud computing secu-rity, distributed system security, and data processing systems security • Mechanisms to enable

EZSetup: A Novel Tool for Cybersecurity Practices ... · In this paper, we propose a novel Web application called EZSetup, which is capable of creating a variety of user-defined cybersecu-rity

Security Guide - SUSE Linux Enterprise Server 15 SP2€¦ · SUSE Linux Enterprise Server 15 SP2 Introduces basic concepts of system security, covering both local and network secu-rity

SECL, RITY CLASSIFICATION I AD-A227 · PDF filesecl, rity classification of tw's page report doc i.... la report l'n c 1a security a si f1'e dclassficaton a sec .urity classfication

ISAO 700-1: Introduction to Analysis2 INTRODUCTION Analysis is a continuous process and is crucial to understanding the cybersecu-rity situation. The basis for analysis is knowing

INSECURE - MCLIBRE › descargar › docs › revistas › ... · Updated Astaro Security Gateway appliances Astaro Corporation announced the release of version 7.3 of Astaro Secu-rity

Special Report: 201 9 Email Secu rity TrendsSecu rity Trends Global IT security professionals ... and Office 365, as well as the related business impacts, security spending and

The Journey to Secure SCADA Systems - SANS by Step - The...The Journey to Secure SCADA Systems 10 Our Journey 2005: EPRI Program 86 EIS ... training 2007: First CyberSecu rity Plan

Mobile Security Review 2010 - AV-Comparatives...Mobile Security password is required. Conclusion ESET Mobile Security is a straightforward secu-rity solution that can be used easily

Soli ca rity

Security Certification and Labeling in Internet of Things · potential security breaches, a testing and certification phase with adequate coverage and linked to the main known secu-rity

UCO: A Unified Cybersecurity Ontology - UMBC … and cyber situational awareness in cybersecu-rity systems. The ontology incorporates and integrates heterogeneous data and knowledge

Security Guide - openSUSE Leap 15...openSUSE Leap 15.1 Introduces basic concepts of system security, covering both local and network secu-rity aspects. Shows how to use the product

M ARITIM E INDUSTRY AUTHO RITY

SECURITY AND HOME AUTOMATION - DynamiX SE...that your security system dramatically enhances your lifestyle. Here are just a few of the ways you can use the features of your secu-rity

Security Science: The Theory and Practice of Secu rity€¦ · first bachelor of science (security) program in Australia, a BSc (security) honors degree, a masters of science (security

dawn-reiss.squarespace.com · How to Buy Security Technology Stocks rity evolves, here's what investors uld consider 716 (Getty Images) ... everything from geolocation to biometrics

CYBER DIPLOMACY › wp-content › uploads › 2019 › ... · in cybersecurity research, innovation and de-ployment. In 2018, building on the Cybersecu-rity Act, the European Commission

Made By Makayla, Rity, Ashlee and Briannah

WATER, SECURITY, AND CONFLICT - Pacific Institute · water security and contributing to conflict, migration, and food insecu-rity in many parts of the developing world. A water and

Trust Services Principles and Criteria for Security ... · Trust Services Principles and Criteria for Security, Availability, Processing Integ-rity, ... (SOC 3SM engagement)

Qoyllur Rity

Robust, low-cost, auditable random number generation for ... · Security and privacy !Embedded systems secu-rity; Computer systems organization !Embedded hardware; Keywords Random

Attachment Security and Temperament in Infancy and … · Relations between attachment security and temperament were stud ... Data for Sample 6 are from a master's thesis by ... rity

KMG | KMG SHIPPING · LIC. OSCAR GUERRA ame : ariti e Security Department 16541 - PANAMA PÄNÄMÄ PLACE SHIPS se RITY June 11, 2018 DATE

Security and Privacy Assurance Research (SPAR · Security: SPAR technologies’ achieve strong security with a limited amount of secu-rity imperfections. However, SPAR technologies

SOCIAL SECURITY DISABILITY HANDBOOK · PDF fileYour Social Security Disability Case ... rity office and request Form 7004-SM (see page 28). If you do not have enough quarters of work

Complimentary article reprint Quantifying RISK...Quantifying risk It is this drive to quantify cyber risk and cal-culate the return on investment in cybersecu-rity that is fueling

Wall Security X web - Alu&Wood · 2016. 5. 9. · wall secu rity forte come un muro, flessibile come una dierre. a wall security puoi chiedere tutto. l’affidabilitÀ di una blindata,

Biometric System Security - Carleton...Security is \freedom from risk or danger", while computer and data secu-rity is \the ability of a system to protect information and system resources

Building Code for Power System Software Security · Building Code for Power System Software Security ... System requirements à device requirements à ... rity or confidentiality