Security Myths and Facts in Today's IT World (Tudor Damian & Mihai Tataran)

Page 1: Security Myths and Facts in Today's IT World

Premium community conference on Microsoft technologies itcampro @ itcamp14 #

Tudor Damian, IT Solutions Specialist, Transcent

Microsoft MVP on Hyper-V

www.tudy.tel

Page 2: Huge thanks to our sponsors & partners!

Page 3: Agenda

• Some security myths

– The illusion of security

– The “outside” threat

– The policies

– The tools

– The trust

• Staying up to date

• A couple of useful resources

Page 4: SECURITY MYTHS

Page 5: The illusion of Security

• It won’t happen to me

• We have [insert your favorite security feature here], so you know your data is safe

• Password expiration and complexity reduces risk

• Encrypting the data is enough to protect it

Page 6: The illusion of Security (cont’d)

• 51% of respondents have had at least one web application security incident since the beginning of 2011. 18% of those respondents experienced losses of at least $500,000. 28% don’t know the cost of their breaches. (Forrester Research, 2012)

• “90% of businesses have been hacked at least once in 2010” (Ponemon Research, 2011; the study polled 583 U.S. companies from a wide variety of businesses, both private and government, ranging from small businesses with under 500 employees all the way to enterprises with more than 75,000 employees)

Page 7: The “Outside” Threat

• The greatest security threats come from the Internet

• Our employees wouldn’t do such a thing

Page 8: The “Outside” Threat (cont’d)

– “One in five workers (21%) let family and friends use company laptops and PCs to access the Internet” (McAfee)

– “One in ten confessed to downloading content at work they should not” (McAfee)

– “More than half (51%) connect their own devices or gadgets to their work PC... a quarter of who do so every day” (McAfee)

– “39% of companies said insider negligence was the root cause of data breaches.” (Ponemon Research, 2011)

– “Six out of ten respondents blame “human error” for their data security breaches, and 45% blame fraud and abuse by insiders, such as employees or contractors.” (Ponemon Research, 2011)

Page 9: The Policies

• Moving the CISO outside of IT will automatically ensure good security

• Adhering to security practices is the CISO’s problem, not ours

• Let’s just get the policy in place and we should be good to go!

Page 10: The Policies (cont’d)

• “5% have accessed areas of their IT system they shouldn’t have” (McAfee)

• 65% of employees have given out their password to colleagues. 75% of employees knew at least one of their colleagues’ passwords. 70% used the same password everywhere. (street study, London)

Page 11: The Tools

• Buy [this tool] and it will solve all your problems

• Intrusion Detection is the wave of the future

• Biometrics will solve all access control problems

• Antivirus software will save me from viruses

Page 12: The Tools (cont’d)

• “More than half (51%) had no idea how to update the anti-virus protection on their company PC” (McAfee)

• “Two thirds (62%) admitted they have a very limited knowledge of IT Security” (McAfee)

Page 13: The Tools – “Open Source is safer”

• GnuTLS (certificate verification bypass, CVE-2014-0092)

– Undiscovered for 10 years

• Heartbleed (OpenSSL, CVE-2014-0160)

– Bug introduced in Dec ’11

– Shipped in OpenSSL 1.0.1, March ’12

– Fix released in OpenSSL 1.0.1g, April ’14

• OAuth, OpenID

– Covert Redirect (a redirect-URI validation / open-redirect weakness in provider and client deployments, not a flaw in the protocols themselves)

http://www.pcworld.com/article/2105145/what-you-need-to-know-about-the-gnutls-linux-bug.html

http://heartbleed.com/

http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/

Page 14: The trust

• Can I trust my infrastructure?

• Can I trust my contractors?

• Can I trust my service providers?

• Can I trust my employees?

• Can I trust myself?

• If yes, why?

Page 15: Doing any shopping online?

• Late February - early March

• 230 million records

– customer names

– e-mail addresses

– encrypted passwords

– postal addresses

– phone numbers

– dates of birth

Page 16: The Cost of Data Breaches

“Security Breaches cost $90 to $305 per lost record” (Forrester Research)

$197.5 average x 867,252,711 records = $171,282,410,422.5

That’s over 300,000 x Lamborghini Aventador

Page 17: The Cost of Data Breaches (cont’d)

• …or, if you used $5,000 Alienware laptops as bricks, you could build a 1.5 m tall wall around Romania

Page 18: LET’S HAVE SOME FUN

Page 19: Imagine this Software Company

• They run Windows AD

• They still have Windows XP/Vista/7/8 PCs & laptops

• Users/devs are local admins on their PCs

• The sysadmins generally use their own Domain Admin credentials to log into servers/workstations

Page 20: DEMO – Pass-the-Hash (PtH) attacks

Page 21: Pass-the-Hash attack mitigation

• Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques v1.1 (June 2013)

– http://www.microsoft.com/en-us/download/details.aspx?id=36036

• Configuring Additional LSA Protection in Windows 8.1

– http://technet.microsoft.com/en-us/library/dn408187.aspx

Page 22: DEMO – Crack-the-Hash, or Why LM Hashes are Bad™

Page 23: So, what about those hashes?

• During the PtH attack, we saw something like this:

Administrator:TRANSCENT:BFF196677961A037DB2294261F598B4C:FCE550E11EB2810882EADCBC48E27366

• Contents: USER:DOMAIN:LMHASH:NTHASH

• The LM hash (the third field, shown in red on the slide) is the fun part to deal with

Page 24: What you need to know about LM hashes

The LM hash is computed as follows:

• Password restricted to 14 characters

• Converted to UPPERCASE

• Encoded in the System OEM Code Page

• Null-padded to 14 bytes

• The “fixed-length” password is split into two seven-byte halves

• Halves used to create two DES keys, one from each 7-byte half

– A null bit is inserted after every 7 bits (1010100 becomes 10101000)

– This generates the 64 bits needed for a DES key

• The two keys are used to DES-encrypt “KGS!@#$%”

– Result: two 8-byte ciphertext values

• Ciphertext values are concatenated to form a 16-byte value, the “LM hash”

• TL;DR - LM hashes are a cracking heaven: there is no salt, case is folded to uppercase, and each 8-byte half depends on only 7 characters, so the two halves are attacked independently (the second half of any password of 7 characters or fewer is the constant AAD3B435B51404EE, which also gives away its length)
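The two demos and the computation on pages 22-24, as an added example in Go that is not part of the deck or the speakers' demo code: it implements the LM hash step by step exactly as the slide describes (the OEM code page step is approximated as ASCII, an assumption), parses the USER:DOMAIN:LMHASH:NTHASH line format from page 23, and then cracks the two 8-byte halves independently against a small constructed wordlist. The sample dump line and the wordlist are constructed; the known-answer values (LM hash of the empty password and of "password", NT hash of "password") are the commonly published reference values.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the constant plaintext that both DES keys encrypt.
const lmMagic = "KGS!@#$%"

// emptyLM is the LM hash of the empty password. An account showing this value
// has no usable LM hash (NoLMHash in effect, or a password longer than 14 chars).
const emptyLM = "AAD3B435B51404EEAAD3B435B51404EE"

// lmKey turns a 7-byte half into an 8-byte DES key by inserting a zero bit
// after every 7 bits (1010100 -> 10101000), as described on the slide.
func lmKey(half []byte) []byte {
	var bits uint64
	for _, b := range half {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 0; i < 8; i++ {
		key[i] = byte((bits>>(49-7*uint(i)))&0x7F) << 1
	}
	return key
}

// lmHash computes the LM hash: truncate to 14 chars, uppercase, null-pad to
// 14 bytes, split into two 7-byte halves, DES-encrypt lmMagic under each half.
// Assumption: the OEM code page step is approximated as plain ASCII.
func lmHash(password string) []byte {
	p := strings.ToUpper(password)
	if len(p) > 14 {
		p = p[:14]
	}
	buf := make([]byte, 14) // zero-initialised, so null padding is implicit
	copy(buf, p)
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, err := des.NewCipher(lmKey(buf[7*i : 7*i+7]))
		if err != nil {
			panic(err) // cannot happen: the key is always 8 bytes
		}
		block.Encrypt(out[8*i:8*i+8], []byte(lmMagic))
	}
	return out
}

type dumpEntry struct{ User, Domain, LM, NT string }

// parseDumpLine splits a USER:DOMAIN:LMHASH:NTHASH line as shown on page 23.
func parseDumpLine(line string) (dumpEntry, error) {
	f := strings.Split(strings.TrimSpace(line), ":")
	if len(f) != 4 {
		return dumpEntry{}, fmt.Errorf("want USER:DOMAIN:LMHASH:NTHASH, got %d fields", len(f))
	}
	return dumpEntry{f[0], f[1], strings.ToUpper(f[2]), strings.ToUpper(f[3])}, nil
}

// hasLMHash reports whether the entry carries a real (crackable) LM hash.
func (e dumpEntry) hasLMHash() bool { return e.LM != "" && e.LM != emptyLM }

// crackHalves attacks the two 8-byte halves independently: each half depends
// on at most 7 uppercase characters, so a candidate matching the second half
// is confirmed even before the first half is known. Returns the recovered
// halves, "" where no candidate matched.
func crackHalves(hash []byte, candidates []string) [2]string {
	var found [2]string
	for _, c := range candidates {
		if len(c) > 7 {
			continue
		}
		h := lmHash(c)[:8] // first 8 bytes = half-hash of a <=7 char candidate
		for i := 0; i < 2; i++ {
			if found[i] == "" && bytes.Equal(h, hash[8*i:8*i+8]) {
				found[i] = strings.ToUpper(c)
			}
		}
	}
	return found
}

func main() {
	// Constructed sample line in the slide's format; both hashes are those of "password".
	line := "Administrator:TRANSCENT:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C"
	e, err := parseDumpLine(line)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\\%s has a crackable LM hash: %v\n", e.Domain, e.User, e.hasLMHash())
	hash, _ := hex.DecodeString(e.LM)
	// Constructed wordlist of <=7 char chunks; real attacks brute-force ~69^7 keys per half.
	halves := crackHalves(hash, []string{"admin", "letmein", "passwor", "d", "secret"})
	fmt.Printf("halves %q -> password %q\n", halves, halves[0]+halves[1])
	fmt.Println("LM hash of empty password matches reference:",
		strings.ToUpper(hex.EncodeToString(lmHash(""))) == emptyLM)
}
```

The point the split makes visible: "PASSWORD" is not cracked as an 8-character string but as "PASSWOR" plus "D", and the one-letter second half falls to a handful of guesses. Any account whose LM field equals emptyLM is the one you want every account to look like, which is what the NoLMHash policy referenced on the mitigation slide achieves.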

Page 25: STAYING UP-TO-DATE

Security reports

Page 26: Security Awareness

• Security is all about people

• A healthy dose of paranoia is required

• Well prepared IT staff

• Regular security trainings for all employees

Page 27: The Browser Wars (part 1) – malware detection

• 8 browsers

• 657 samples of socially engineered malware (SEM)

• Block rates ranged from 99.9% to 4.1%

https://www.nsslabs.com/reports/browser-security-comparative-analysis-report-socially-engineered-malware

Source: mobzine.ro

Page 28: The Browser Wars (part 2) – Pwn2Own 2014

• Sandbox escapes or 3rd party code execution:

– IE 11 (W8.1 x64)

– Mozilla Firefox (W8.1 x64)

– Google Chrome (W8.1 x64)

– Adobe Flash (W8.1 x64)

– Adobe Reader XI (W8.1 x64)

– Apple Safari on Mac OS X Mavericks

$850,000 total prize money, paid to eight entrants

www.pwn2own.com

Source: mobzine.ro

Page 29: Microsoft Security Intelligence Report

http://www.microsoft.com/security/sir/

Page 30: Verizon Data Breach Investigations Report (1)

• The 2012 Verizon DBIR found that

– 85% of breaches took weeks or more to discover

– 96% of breaches were not highly difficult

– 97% of breaches were avoidable through simple/intermediate controls

http://www.verizonenterprise.com/DBIR/2012/

• The 2014 DBIR report shows that 92% of the 100,000 incidents they’ve analyzed over the past 10 years can be described by just 9 basic patterns

http://www.verizonenterprise.com/DBIR/2014/

Page 31: Verizon Data Breach Investigations Report (2)

Page 32: Cisco 2014 Annual Security Report

https://www.cisco.com/web/offers/lp/2014-annual-security-report/

Page 33: Other Sources

http://www.cvedetails.com/

http://www.mcafee.com/us/threat-center.aspx

http://www.kaspersky.com/internet-security-center

http://www.gartner.com/technology/core/products/research/topics/securityPrivacy.jsp

Page 34: A COUPLE OF USEFUL RESOURCES

Page 35: Enhanced Mitigation Experience Toolkit

http://technet.microsoft.com/en-us/security/jj653751

Page 36: Microsoft Security Compliance Manager

http://technet.microsoft.com/en-us/library/cc677002.aspx

Page 37: Q & A