Tony Perez (perezbox)
VP of Product Management, GoDaddy Security Business
Sucuri Co-Founder
US Department of Homeland Security
GRIZZLY STEPPE: 2016 Joint Analysis Report (JAR)
Spring of 2016 / Summer of 2015
Delivery Mechanisms: Email / Website
They could use websites as an attack vector via a technique known as a watering-hole attack.
They could depend on our curiosity as humans to click on something (links are meant to be clicked, attachments opened).
Attackers in both scenarios knew…
There is an exponential growth event expected in the world of websites.
Facilitated by the emphasis being placed by platforms to make the process of getting online even simpler.
Process simplification simplifies the process of getting online, but lowers the technical aptitude.
The lower the technical aptitude, the more security issues we can expect.
“Give a person a tool, secure them today; teach a person to think, secure them tomorrow."
Website owners: Sales, Marketing, Product, Security
We must look at not introducing a new security approach, but rather improving our approach.
“Attackers are successful not because we’re technically incapable, but because we are behaviorally weak."
A Layered Approach to Security
Defense in Depth
“Defense in Depth subscribes to the ideology that there is no single solution that ensures 100% protection."
The layout and design of Beaumaris Castle, 1295: an early employment of a Defense in Depth strategy.
(Figure: Beaumaris Castle Map)
Access Control
We like to use a Blacklist approach because we believe it to be more convenient.
(Diagram labels: All IPs; Adding Deny Rules for latest batch of Bad IPs; Bad IP Blacklisted)
Access Control
Alternatively, we employ a Whitelist approach. Instead of focusing on all the bad, we focus on the good.
(Diagram labels: All IPs; Non-Whitelisted IPs; Verified IPs)
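The practical difference between the two approaches is what each does with an address it has never seen. The following is an added example, not code from the deck or from Sucuri/GoDaddy: the networks and sample addresses are constructed, and the helper names are this example's own. It evaluates the same requests under a deny-list policy and an allow-list policy, and shows the catch-up step the blacklist model depends on (adding a deny rule after a new bad source appears).

```python
"""Deny-list versus allow-list access control, as a worked illustration.

Constructed example: the networks and the sample addresses below are made up
(RFC 5737 documentation ranges); the point is the default decision each policy
makes for an address it has never seen.
"""
from ipaddress import ip_address, ip_network

# Constructed lists. In practice the deny list comes from a threat feed and
# the allow list from your own inventory of verified sources.
DENY_LIST = [ip_network("198.51.100.0/24"), ip_network("203.0.113.7/32")]
ALLOW_LIST = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")]


def _matches(addr, networks):
    """True if addr falls inside any of the given networks."""
    ip = ip_address(addr)
    return any(ip in net for net in networks)


def denylist_decision(addr):
    """Blacklist model: block only what is known bad; unknown traffic passes."""
    return "blocked" if _matches(addr, DENY_LIST) else "allowed"


def allowlist_decision(addr):
    """Whitelist model: admit only what is verified; unknown traffic is blocked."""
    return "allowed" if _matches(addr, ALLOW_LIST) else "blocked"


def add_deny_rule(cidr):
    """The 'adding deny rules for the latest batch of bad IPs' step: the deny
    list only catches a new source after someone appends it."""
    DENY_LIST.append(ip_network(cidr))


def compare(addrs):
    """Evaluate each address under both policies: {addr: (denylist, allowlist)}."""
    return {a: (denylist_decision(a), allowlist_decision(a)) for a in addrs}


if __name__ == "__main__":
    samples = ["192.0.2.10", "198.51.100.5", "203.0.113.9"]
    for addr, (deny, allow) in compare(samples).items():
        print(f"{addr:>14}  denylist={deny:<7}  allowlist={allow}")
    # 203.0.113.9 is not on the deny list yet, so the blacklist model lets it
    # through until a rule is added; the allow list blocked it from the start.
    add_deny_rule("203.0.113.0/24")
    print("after new deny rule:", denylist_decision("203.0.113.9"))
```

The deny list fails open for anything not yet catalogued, which is why it needs the continual "latest batch of bad IPs" update cycle; the allow list fails closed, at the cost of having to keep the verified list current so legitimate sources are not locked out.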
Understanding Threats
Cyber Criminal Trifecta
• Highly motivated.
• Technology that exponentially improves their success rate.
• Criminal supply chain where information can be shared, exchanged and sold amongst themselves.
Top 5 Threats
• Weak Credentials
• Software Vulnerability
• Poorly Configured Environment
• Third-Party Integrations
• Site Availability
Weak Credentials
• Creatures of habit.
• Same credentials across all systems.
• Don’t update their passwords.
• Never think it’ll happen to them.
• Think of themselves as being unique.
Software Vulnerability
• Do not update.
• Not capable of keeping up with all the attack vectors.
• Do not maintain or administer their web environments.
• Resources are limited.
Poorly Configured Environment
• Manage soup kitchen servers.
• Do not employ functional isolation.
• Do not leverage least privilege principles.
• Employ configurations that are most convenient for themselves.
Third-Party Integrations
Site Availability
“Today’s attacks are automated and target low-hanging fruit. Don’t be low-hanging fruit."
A Practical Approach to Security
Instead of focusing on every possible scenario, we focus on the ones that are most important to us as an organization.
IF EVERYTHING IS IMPORTANT,
Checklist Mentality
Never use a Checklist Mentality. It’s not about doing x, y, and z.
Risk Management
It’s about risk reduction, not risk elimination.
Three Risk Considerations
• We must clearly define scope.
• Risk will NEVER be zero.
• Risk is a continuous process.
Risk Management
5 Risk Mitigation Options:
Option: Association
Risk Avoidance: The website owner decides that the risk of storing credit cards is too high and discontinues storing card information locally. Avoids the risk.
Risk Remediation: The website owner deploys security controls to mitigate risks: a firewall to combat exploit attempts, patching out-of-date software, etc. Remediates the risk.
Risk Transference: The website owner chooses a third party to collect and process credit card information. Transfers the risk to the third party.
Risk Acceptance: The website owner acknowledges a vulnerability exists, but it is low severity and only exploitable if the user is an admin. Decides to accept the risk.
Brochure Site
• Ensuring they protect their brand is important.
• Probably don’t want to get blacklisted by Google if SEO is the game.
• Availability is probably very important.
Social Platform
• Ensuring a safe experience for your users is high on the list of requirements.
• Want to ensure their user information is safe.
• Encryption at rest and in transit are very important.
Health Application
• Safe keeping of health information is high on the list.
• Regulations like HIPAA are of the utmost importance.
• Encryption at rest and in transit are very important.
Ecommerce
• Safe keeping of the payment flow and payment data is very important.
• Safe keeping of the customer data is high on the list of requirements.
• Your site being available is probably pretty important.
• Regulations like PCI are of utmost importance.
A Risk Thought Exercise
IDENTIFY
Category / Subcategory: Asset Inventory & Management
• Web Properties
• Web servers / infrastructure
• Modules / extensions
• Third-party integration / services
• Access points / nodes
PROTECT
Category / Subcategory: Protective Technologies
• Cloud-based Firewall
• Application-level Firewall
• Server / Application Hardening
DETECT
Category / Subcategory: Continuous Monitoring
• Server level monitoring
• Application level monitoring
• User access monitoring
• Change and integrity monitoring
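Change and integrity monitoring is the one DETECT item that is easy to show end to end: take a baseline of digests for every file under the web root, re-scan later, and report what was added, removed or modified. The block below is an added example, not code from the deck or from the projects it names; the "site" is a constructed temporary directory with made-up files, and all function names are this example's own.

```python
"""Change and integrity monitoring for a web root, as a worked illustration.

Constructed example: the site is a temporary directory with a few made-up
files; a baseline of SHA-256 digests is taken, the tree is changed, and the
comparison reports what differs. In a real deployment the baseline would be
stored off-host and the scan run on a schedule.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large uploads do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Classify the differences between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed site, take a baseline, change it, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example'); ?>\n")
        (root / "uploads").mkdir()
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed sample")
        baseline = snapshot(root)

        # Constructed changes a monitor should surface: one edited file,
        # one unexpected new file in a directory that should hold only media,
        # and one file that disappeared.
        (root / "index.php").write_text("<?php echo 'hello, changed'; ?>\n")
        (root / "uploads" / "extra.php").write_text("<?php /* constructed */ ?>\n")
        (root / "uploads" / "logo.png").unlink()
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {paths}")
```

The comparison is deliberately dumb: it does not know which changes are legitimate, which is why it belongs next to user access monitoring and a change process. An edit that lines up with a deploy or a known admin session is noise; a new executable file in an uploads directory with no matching change record is the kind of finding that feeds RESPOND.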
RESPOND
Category / Subcategory: Analysis & Mitigation
• Deploy an incident response team
• Develop an incident response report
• Mitigate effects of an event
RECOVER
Category / Subcategory: Recovery Planning
• Review the output of all phases, document, and deploy updates to the processes.
• Team review of all findings.
A Framework for Websites, built on NIST
• Leverage a Sensible Framework
• Create an Inventory of Your Assets
• Implement Security Controls
• Revisit the Process Repeatedly
• Actively Administer and Manage
Security is a Continuous Process
Thank You! I’d be happy to take your questions.