ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For...
![Page 1: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/1.jpg)
ADELAIDE HALF DAY SECURITY CONFERENCE 2019
#SecDaySA
Friday 7 June 2019
![Page 2: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/2.jpg)
Welcome and opening address
Nathan Morelli, Adelaide Branch Chair at AISA
![Page 3: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/3.jpg)
CYBERsmartsafe
secure
Thank you to our sponsors
Venue Sponsor
Event Sponsors
![Page 4: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/4.jpg)
Akamai’s state of the internet
Fernando Serto, Head of Security Technology and Strategy for APJ at Akamai
![Page 5: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/5.jpg)
Akamai Threat Brief, AISA Adelaide
Fernando Serto, Head of Security Technology and Strategy, APAC
7 June 2019
![Page 6: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/6.jpg)
Growth of Web API Use: 2014 through 2018
[Chart: Web Hits by Content Type, 2014 vs 2018, split into Text / HTML, Text / XML, App / XML and App / JSON; API traffic reaches 83% of hits]
Source: Akamai ESSL Network, SOTI Q1 2019
API calls now dominate overall web hits
![Page 7: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/7.jpg)
Things On The Internet Make Majority Of API Calls
About 1/3rd of Web API calls come from browsers.
The other 2/3rds (66%) come from mobile phones, gaming consoles, smart TVs, etc.
This is a huge challenge!
Source: Akamai SOTI Q1 2019
![Page 8: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/8.jpg)
API SQL Injection - Concept

http://petstore.com/api/v1/pet/'%20or%20'1'='1

= SELECT * FROM pets WHERE petID = '' or '1' = '1'
![Page 9: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/9.jpg)
API SQL Injection - Real life
![Page 10: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/10.jpg)
Web APIs Are A Primary Target For Attackers Today
Web sites & Web APIs share the same (old) attack vectors – but APIs are often unprotected
APIs are more performant and less expensive to attack compared with traditional web forms
4X more Credential Stuffing attacks on APIs
- SQL injection: 76%
- Local file include: 13%
- Code injection: 6%
- Command injection: 3%
- Cross-site injection: 2%
![Page 11: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/11.jpg)
Holiday Season 2018: MOBILES and APIs
SQLi: ~50% WEB vs ~76% MOBILE
* Data pre-Holiday Season
MUST HAVE: Positive and Negative Security Models
![Page 12: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/12.jpg)
Example: What's In Your API Response?
Developers often make assumptions that systems will be used as intended... "Only my mobile app will call my API"

Simple order request to order entry APIs:

```bash
curl https://api.orderinput.com/v1/sku \
  -u sku_4bC39lelyjwGarjt: \
  -d currency=usd \
  -d inventory[type]=finite \
  -d inventory[quantity]=500 \
  -d price=3 \
  -d product=prod_BgrChzDbl \
  -d attributes[size]=medium
```

HTTP 200 OK from https://success.api.orderinput.com/v1/sku-id. The API response includes some interesting data:

order_number=14586
![Page 13: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/13.jpg)
Example: What's In Your API Response?
It is rare for developers to consider attack scenarios, especially non-traditional ones... "Sequential order numbers make sense"

HTTP 200 OK from https://success.api.orderinput.com/v1/sku-id

But what if I submit subsequent orders over time and various geographies?

order_number=23697
![Page 14: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/14.jpg)
Example: But Why?
Honestly - We don't know. Same store sales data? Competition? Investor?
![Page 15: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/15.jpg)
API DoS is a problem!
A specially crafted request that causes multiple hash collisions can cause a DoS attack on the server.
Eg: {"4vq":"key1", "4wP2":"key2", "5Uq":"key3", "5VP":"key4", "64q":"key5" }
A large payload of the above pattern, when sent to a vulnerable json_decode function on a server, can slow down the server.
A specially crafted request with deep nesting, as shown below, can exhaust server memory very quickly.
Eg: {"p":{"p":{"p":{……………….}}}}
A large payload of the above pattern, when sent to a vulnerable deserializer, can slow down a server.
The problems mentioned above can be mitigated by validating the maximum number of allowed parameters and setting a maximum nesting depth.
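As an added example (not from the slides or from Akamai), the two limits the slide recommends, a maximum number of parameters and a maximum nesting depth, enforced by a single linear scan of the raw body before it ever reaches a recursive JSON parser. The limit values and the sample payloads are assumptions constructed for this example.

```python
import json

# Limits are assumptions for this example; tune them to the API's real schema.
MAX_BYTES = 64 * 1024   # reject oversized bodies before scanning at all
MAX_DEPTH = 32          # maximum nesting of objects/arrays
MAX_KEYS = 1000         # maximum number of object keys in the whole body


class PayloadRejected(ValueError):
    """Raised when a body exceeds a limit; the caller should answer 400/413."""


def scan_json_limits(text, max_depth=MAX_DEPTH, max_keys=MAX_KEYS):
    """Single linear pass over raw JSON text, before any parsing.

    Tracks bracket depth and counts ':' separators that occur directly inside
    an object, which in well-formed JSON is exactly the number of keys.
    String contents (including escaped quotes) are skipped so braces or colons
    inside string values are not counted.  No recursion is used, so a deeply
    nested body cannot blow the stack here, and the scan aborts at the first
    violation, which bounds the cost of a hostile request to one pass.
    Returns (deepest_nesting_seen, key_count).
    """
    depth = 0
    deepest = 0
    keys = 0
    stack = []            # container type ('{' or '[') open at each level
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            stack.append(ch)
            depth += 1
            if depth > max_depth:
                raise PayloadRejected("nesting depth exceeds %d" % max_depth)
            deepest = max(deepest, depth)
        elif ch in "}]":
            if stack:
                stack.pop()
                depth -= 1
        elif ch == ":" and stack and stack[-1] == "{":
            keys += 1
            if keys > max_keys:
                raise PayloadRejected("more than %d keys" % max_keys)
    return deepest, keys


def safe_json_decode(text, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH,
                     max_keys=MAX_KEYS):
    """Decode a request body only after it passes size, depth and key limits.

    The depth check must run first: the standard-library parser recurses, so
    handing it a deeply nested body directly would hit the recursion limit.
    """
    if len(text) > max_bytes:
        raise PayloadRejected("body larger than %d bytes" % max_bytes)
    scan_json_limits(text, max_depth, max_keys)
    return json.loads(text)


def is_within_limits(text, **limits):
    """Boolean wrapper (malformed JSON also counts as rejected)."""
    try:
        safe_json_decode(text, **limits)
        return True
    except ValueError:        # PayloadRejected and JSONDecodeError
        return False


# Constructed samples modelled on the two patterns from the slide.
SLIDE_EXAMPLE = ('{"4vq":"key1", "4wP2":"key2", "5Uq":"key3", '
                 '"5VP":"key4", "64q":"key5"}')
# Pattern 1: a flat object with far more keys than any legitimate request.
MANY_KEYS = "{" + ",".join('"k%d":"v"' % i for i in range(3000)) + "}"
# Pattern 2: {"p":{"p":{"p":{...}}}} nested 5000 levels deep.
DEEP_NEST = '{"p":' * 5000 + "{}" + "}" * 5000

if __name__ == "__main__":
    for name, body in [("slide example", SLIDE_EXAMPLE),
                       ("many keys", MANY_KEYS), ("deep nesting", DEEP_NEST)]:
        print(name, "accepted" if is_within_limits(body) else "rejected")
```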
![Page 16: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/16.jpg)
2018 DDOS Trends
❑ The size of the largest attacks has grown by approximately 6% on an annual basis
❑ Cyclic growth and retreat on a two-year basis observed on the median size of the attacks
❑ Smaller, more focused attacks can do as much damage as the larger-scaled counterparts
![Page 17: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/17.jpg)
Attack Density & Trends 2017-18
![Page 18: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/18.jpg)
Second Half of 2018: DDoS ATTACKS AND PEAK BW/VECTOR
![Page 19: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/19.jpg)
DDOS Attacks by Week '18

DDOS by Quarter

| Quarter | 2017 Q1 | 2017 Q2 | 2017 Q3 | 2017 Q4 | 2018 Q1 | 2018 Q2 | 2018 Q3 | 2018 Q4 |
|---|---|---|---|---|---|---|---|---|
| Attacks | 1850 | 2354 | 2535 | 2348 | 2057 | 1845 | 2364 | 2142 |
![Page 20: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/20.jpg)
Summary: DDOS Attack Trends (Attack Density & Trends 2017-18)

DDOS ATTACK DENSITY: DDOS attack density grew from 560 Mbps to 783 Mbps (39.8%).

DDOS ATTACK SIZE: Growth observed in attack size, with a median in January of .56 Gbps ballooning to 1.548 Gbps by December.

INCREASING MAGNITUDE OF THE DDOS ATTACKS: Jan '17: < 4.19 Gbps; Jan '18: < 5.91 Gbps; Dec '18: < 11.34 Gbps.

ONE OF THE LARGEST ATTACKS ON AKAMAI: On March 01, a software development company experienced a 1.35 Tbps DDoS attack using memcached UDP reflection.

(Other callout figures on the slide: 97.7%, 95%)
![Page 21: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/21.jpg)
DDoS Attacks in FinServ
![Page 22: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/22.jpg)
DDoS: INTERESTING TRENDS
• FSI companies usually get attacked with smaller volumetric attacks but get attacked a lot more often.
• Major Bank in Asia Pacific was hit with a 3.9Gbps attack after Christmas
• Another Major Bank keeps getting attacks between 600Mbps and 3Gbps
• We are seeing more and more attacks that last less than a few minutes – sometimes it is hard to pick those up on monitoring tools.
• Organization getting hit with small bursts of 3Gbps
![Page 23: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/23.jpg)
Holiday Season 2018: ATTACK TRAFFIC
7 million
![Page 24: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/24.jpg)
![Page 25: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/25.jpg)
SOTI – Cred Abuse By Vertical 2018
27.985 Billion Credential Stuffing Attempts in 8 months.
115 Million attempts per day
![Page 26: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/26.jpg)
Credential Abuse: Attacks per day
![Page 27: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/27.jpg)
Credential Abuse – FinServ: Attacks per day
![Page 28: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/28.jpg)
Credential Abuse: Top Credit Union in US* recap for some
![Page 29: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/29.jpg)
Credential Abuse into DDoS – Customer Case
• Over one weekend, Digital Bank's login site was subject to an aggressive credential stuffing attack which brought their internet banking (IB) site down.
• 65k IP addresses participated in the attack, from more than 120 countries.
• Two days later, a large DDoS attack was targeted against the flagship Internet Bank login site, which brought the site down as well.
![Page 30: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/30.jpg)
Bots Bots Bots
![Page 31: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/31.jpg)
![Page 32: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/32.jpg)
![Page 33: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/33.jpg)
![Page 34: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/34.jpg)
Protecting 3rd Party Scripts
![Page 35: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/35.jpg)
The Zero Trust buzzword
![Page 36: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/36.jpg)
European Fin Serv Phishing Campaign
It starts with a text message
![Page 37: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/37.jpg)
European Fin Serv Phishing Campaign
The phishing page
Phishing page set up on 'bankieren.cp2-rabobank.net/NL2/', where they have imitated the Rabobank page in an attempt to obtain credentials from unaware Rabobank users.
![Page 38: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/38.jpg)
European Fin Serv Phishing Campaign
Is it working?
Source: CyberWarZone.com
![Page 39: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/39.jpg)
![Page 40: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/40.jpg)
Cybersecurity at UniSA
Dr Ben Martini and Dr Gaye Deehan, Program Directors at UniSA
![Page 41: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/41.jpg)
Malicious office hardware
Norman Yue, Offensive Cyber Security Researcher
![Page 42: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/42.jpg)
Backdooring Stuff
Some thoughts on modern meme theory, and its applications to securing the business-cyber agile cloud ecosystem.
![Page 43: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/43.jpg)
Background / Motivation
Improvise. Adapt. Overcome.
![Page 44: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/44.jpg)
Keylogging: the use of a computer program to record every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information
![Page 45: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/45.jpg)
Into the (Scan) Matrix!
Source: ZX Spectrum 128 Service Manual
![Page 46: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/46.jpg)
Scan Matrix Sniffer
![Page 47: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/47.jpg)
Scan Matrix -> Serial (+ Debugging)
![Page 48: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/48.jpg)
Exfil (Wifi, Bluetooth)
![Page 49: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/49.jpg)
Source Code!
github.com/CreateRemoteThread/starscream
![Page 50: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/50.jpg)
Command Injection: an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application
![Page 51: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/51.jpg)
USB Hubs: Mouse (Compact)
![Page 52: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/52.jpg)
USB Hubs: Mouse (Deluxe)
![Page 53: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/53.jpg)
Extending the Attack
![Page 54: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/54.jpg)
Modern Solutions for Modern Problems…
![Page 55: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/55.jpg)
Modern Solutions for Modern Problems…
![Page 56: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/56.jpg)
Abusing USB-C Power Delivery
![Page 57: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/57.jpg)
USB Type-C
Power negotiation in USB-C is effectively optional.
![Page 58: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/58.jpg)
USB Type-C
![Page 59: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/59.jpg)
USB-C: What if…
+
![Page 60: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/60.jpg)
USB-C: Prototype
![Page 61: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/61.jpg)
USB-C: (but not game over)
![Page 62: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/62.jpg)
Non-Traditional Exfil
![Page 63: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/63.jpg)
Traditional Exfil
github.com/avast/retdec
![Page 64: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/64.jpg)
Rethinking the Problem!
“Telstra Air”
![Page 65: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/65.jpg)
Tools of the Trade (2018!)
![Page 66: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/66.jpg)
Tools of the Trade (2019, Home Edition)
![Page 67: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/67.jpg)
On Defensive Measures
![Page 68: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/68.jpg)
Traditional controls are cat and mouse at best.
![Page 69: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/69.jpg)
One bite-sized chunk at a time…
![Page 70: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/70.jpg)
A Simple Start: SSL / User Behaviour
![Page 71: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/71.jpg)
Beyond the C-I-A triad: Applying a privacy perspective to traditional security controls
Nicole Stephensen, Principal Consultant at Ground Up Consulting
![Page 72: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/72.jpg)
Beyond the CIA triad:
Applying a privacy perspective to traditional security controls
AISA ADELAIDE
7 June 2019
Nicole Stephensen
![Page 73: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/73.jpg)
Once upon a time…
THEN
![Page 74: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/74.jpg)
NOW
![Page 75: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/75.jpg)
PRIVACY
LENS
![Page 76: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/76.jpg)
![Page 77: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/77.jpg)
Data vs. personal information

DATA: Information, especially facts or numbers, collected to be examined and considered and used to help decision-making, or information in an electronic form that can be stored and used by a computer.

PERSONAL INFORMATION: Information that identifies an individual or could reasonably lead to the identification of an individual.
![Page 78: ADELAIDE HALF DAY SECURITY CONFERENCE 2019 files/FINAL... · Web APIs Are A Primary Target For Attackers Today Web sites & Web APIs share the same (old) attack vectors –but APIs](https://reader034.fdocuments.in/reader034/viewer/2022042307/5ed3391c9623174b0b3549da/html5/thumbnails/78.jpg)
PI
1. Collection limitation
Does your restaurant need all of this PI simply to reserve a table?
2. Harms
• Lost opportunity
• Economic loss
• Social detriment
• Loss of liberty
Illegal / Unfair; Collective / Individual
3. Watch out for function creep
What it’s originally for… The expanded use…
Combining with other tech or data sets
Apply a ‘privacy lens’ to reduce risk and improve outcomes
PI
THANK YOU!
Cyber metrics and selling the dream
Ben Waters, Co-founder and COO at Cydarm Technologies
whoami
• Ben Waters, Co-founder & COO, Cydarm
• 8 years in cybersecurity
• Generalist – architecture, governance, risk, compliance, security operations, awareness
• Problem solver
Why the talk
“Failure is instructive. The person who really thinks learns quite as much from his failures as from his successes.”
– John Dewey
Setting the scene
• Organisation with lower security maturity
• Hadn’t had security leadership in a long time
• Culturally – lots of freedom, aversion to authority
• High insider threat
Take 1
Approach:
• “What have we done before?”
• “What data can I get?”
End Result: Failure
Security platforms *generally* don’t produce useful data.
Security Controls don’t produce great data
Confusion Matrix

| | Positive | Negative |
|---|---|---|
| True | Attack Blocked | Legitimate traffic/process |
| False | Legitimate traffic/process | Control Failure / Misses |
Example
Findings
• Data quality is important
Findings
• Heterogeneous environments are hard
Lessons Learned
• Don’t put up metrics you can’t explain
• Accuracy and integrity of the data is really critical
• Get comfortable saying “I can’t measure that”
Take 2
Approach:
1. Figure out what we should measure;
2. Figure out if we could measure it.
Back to Basics – “Security Hygiene”
• Vulnerability management & Patching
• Configuration management
• Identity and access management
• Employee lifecycle
Vulnerability & Patching Metrics
• Vulnerability age
• Vulnerability age by severity
• Vulnerability age over time
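The three metrics on this slide can be computed from an ordinary scanner export. The following is an added example, not code from the talk or from Cydarm: it runs over a constructed list of findings (the `FINDINGS` records and the function names are assumptions for illustration), reports open age per severity and mean open age at a series of snapshot dates, and, in the spirit of the "I can’t measure that" lesson in this deck, counts records with no first-seen date as unmeasurable instead of inventing a value for them.

```python
"""Vulnerability age metrics from a constructed scanner export.

Added example (not from the talk): computes the three metrics on the
slide - vulnerability age, age by severity, and age over time - and
reports records it cannot measure instead of guessing a date for them.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample findings; a real feed would be a scanner export.
# first_seen / resolved are ISO dates, or None when the scanner gave none.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "first_seen": "2019-01-10", "resolved": "2019-01-25"},
    {"id": "F-2", "severity": "critical", "first_seen": "2019-03-01", "resolved": None},
    {"id": "F-3", "severity": "high",     "first_seen": "2019-02-14", "resolved": None},
    {"id": "F-4", "severity": "high",     "first_seen": "2019-04-20", "resolved": "2019-05-30"},
    {"id": "F-5", "severity": "medium",   "first_seen": "2018-11-05", "resolved": None},
    {"id": "F-6", "severity": "low",      "first_seen": None,         "resolved": None},
]


def _d(iso):
    """Parse an ISO date string; None stays None."""
    return date.fromisoformat(iso) if iso else None


def is_open(finding, as_of):
    """True if the finding was first seen on or before as_of and not yet resolved then."""
    first_seen, resolved = _d(finding["first_seen"]), _d(finding["resolved"])
    if first_seen is None or first_seen > as_of:
        return False
    return resolved is None or resolved > as_of


def age_by_severity(findings, as_of_iso):
    """Count, mean age and max age (days) of open findings per severity,
    plus the number of records with no first-seen date (unmeasurable)."""
    as_of = date.fromisoformat(as_of_iso)
    ages = defaultdict(list)
    unmeasurable = 0
    for f in findings:
        if f["first_seen"] is None:
            unmeasurable += 1          # "I can't measure that" is a result too
            continue
        if is_open(f, as_of):
            ages[f["severity"]].append((as_of - _d(f["first_seen"])).days)
    summary = {
        sev: {"count": len(a), "mean_age": round(mean(a), 1), "max_age": max(a)}
        for sev, a in ages.items()
    }
    return summary, unmeasurable


def age_over_time(findings, snapshot_isos):
    """Mean open age (days) at each snapshot date, in the order given.
    A snapshot with nothing measurable yields None rather than 0."""
    series = []
    for iso in snapshot_isos:
        day = date.fromisoformat(iso)
        ages = [(day - _d(f["first_seen"])).days
                for f in findings if f["first_seen"] and is_open(f, day)]
        series.append((iso, round(mean(ages), 1) if ages else None))
    return series


if __name__ == "__main__":
    summary, skipped = age_by_severity(FINDINGS, "2019-06-07")
    for sev, stats in summary.items():
        print(f"{sev:9} open={stats['count']} mean_age={stats['mean_age']} max_age={stats['max_age']}")
    print(f"unmeasurable records: {skipped}")
    for day, avg in age_over_time(FINDINGS, ["2019-01-31", "2019-03-31", "2019-05-31"]):
        print(day, avg)
```

Reporting the unmeasurable count alongside the metric is the design choice that matters here: a dashboard that silently drops undated records overstates accuracy, which is exactly the "metrics you can’t explain" failure the talk warns about.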
Configuration Management Metrics
• Systems meeting a defined baseline
• No. Unauthorised software
Identity and Access Metrics
• No. users w/ local admin by department
• Accounts not logged in over x days
Employee lifecycle
• Awareness training as part of onboarding
• Awareness training delivered prior to travel
• Adherence to offboarding process
End Result
• Could only obtain data for ~60% of metrics
• Improved business & IT engagement and ownership of security
• Mandate to resolve control coverage issues
Key Takeaways
Metrics need to be actionable
Metrics you choose will probably have to reflect security maturity
• Decision Support
• Prioritisation
Measure inputs and outputs
Inputs
• You can control this
Outputs
• Have your inputs made a difference?
Example: Phishing Awareness Training
Understand the audience
Thanks!
Ben Waters
0416 199 402
@cydarmtech
Closing address
Damien Manuel, Board of Directors Chair at AISA
Our Structure
• Not-for-profit Charity
• 8 Branches in all major capital cities plus cloud branch
• Operated by branch executives (branch chair and branch deputy with a committee) - all volunteers (100+)
National Board of Directors - all volunteers
• Damien Manuel (Chair) (VIC - elected)
• Alex Woerndle (Deputy Chair) (VIC - appointed)
• Helaine Leggatt (VIC - elected)
• Mike Trovato (VIC - elected)
• Alex Hoffmann (SA - elected)
• Tracey Edwards (VIC - elected)
• Nicole Murdoch (QLD - appointed)
• Stephen Knights (NSW - elected)
• Joshua Craig (Secretary) (VIC)
Employees - paid staff
• Megan Spielvogel – Marketing & Operations Manager
• Sandra Blair – Admin & Finance
• Susanna Palermo – Event & Sponsorship Manager
• Nick Moore – Digital Content & Communications Producer
Our Members
Who are our members?
Membership trend – 2022 goal is 40,000 members
(Bar chart: members per year, 2009 to 2019; plotted values 780, 975, 1630, 1820, 1991, 2394, 2760, 2666, 2869, 3330)
Commercial In Confidence – Not for public distribution
The Ecosystem
• Training Partners
• Certification Partners
• Education Partners
• Sponsors: Keystone, Foundation, Core
• Branches: NT, QLD, NSW, VIC, ACT, TAS, SA, WA + Cloud
• Events: Branches (Content, Thought, Social), BrisSec, Perth, SA Security Day, ACT Security Day, Australian Cyber Conference, Awards (logo defined)
• Membership: Full Member - $77 + joining fee $22; Associate Member; Corporate Partnership Program (CPP)
• Additional Items: EAB, Local partnerships, International partnerships, Fortnightly eDM, News feed
TBC
Final remarks
Nathan Morelli, Adelaide Branch Chair at AISA