Cybersecurity by the numbers
“Cybersecurity by the Numbers”
Eoin Keary
CTO/Founder edgescan.com OWASP Leader/Member/Ireland Founder
(ex)OWASP Global Board Member
Why am I here??
“Doing” security for quite a while….
Before SAST, DAST, IAST, CI, CD were “things”
Was a Software Developer & moved to Software Breaking
Was a Leader of the Global Penetration Engagements Team for EY
Wrote/contributed to the OWASP Testing Guide, OWASP Code Review Guide, OWASP CISO Guide, OWASP SAMM….
Responsible for some of the most impactful security breaches* against Irish financial institutions in the last 10 years. *ethical security assessments
What we do….
Effective, Scalable #Fullstack Vulnerability Management
#fullstack vulnerability management
Web Applications, API and Host
Managed Service
Continuous Assessment
False-Positive free
Manages over 100,000 systems globally.
Professional Services
Penetration Testing
Software Security
Red Teaming
DDoS
System Hardening
Security Architecture
Compliance
edgescan™…basis for measurement
• edgescan™ is a sophisticated, enterprise-grade vulnerability assessment and management solution that gives you the tools you need to control and manage IT security risk
• edgescan™ helps small, medium-sized and large enterprises identify and remediate known vulnerabilities in any platform or web application
• edgescan™ is a cloud-based SaaS which provides a unique combination of technology and human expertise to assist you with maintaining a strong security posture
2017 – so far
• Lloyds 48hr DDoS – 20,000,000
• Trump – administration details leaked
• Clash of Clans – 1,000,000
• Cellebrite – 900 GB of data
• SWIFT – fake trade documents – 3 banks – India
• CoPilot – GPS – 220,000 records
• Sentara HealthCare – 5,000 patient records
Globally, every second, 18 adults become victims of cybercrime – Symantec
“The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history” - Gen. Keith Alexander
“One hundred BILLION dollars” - Dr Evil
Eoin, I didn’t click it – My Mam
Attack Vectors & Threat Actors
Malware/Ransomware, Phishing, Hacking, CEO Fraud, Human Error / Insiders, DDoS
Organised Crime – dedicated, motivated by profit
Hacktivism – political, social motivations
“Script kiddies” – curious
Automated scanners/worms – systems used to identify “soft targets”
Cyber Terrorism – political motivations
Nation States – cyber espionage/APT
Insiders
Two weeks of ethical hacking
Ten man-years of development
Business Logic Flaws
Code Flaws
Security Errors
An inconvenient truth
Agile Risk Model
Fail Early – Fail Often
“Push Left”
Spread Risk
Make this more difficult: let’s change the application code once a month.
Continuous Testing:
Keeping pace with:
Development
New vulnerabilities
Continuous patching requirements
New deployments (services, systems)
#FullStack Security
Web Applications
App Server
SSL/TLS
Databases
Services
Operating Systems
Networks
Measure “Attack Surface” & Improvement
Measure Attack Surface / Asset Classification
Continuous Asset Profiling and Alerting
Vulnerability Type & Stack Location
Time to Fix a Vulnerability
Most Common Vuln
Areas of focus…
Doing things right != Doing the right things.
Context
GDPR (EU Regulation):
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU).
• a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater (Article 83, Paragraphs 5 & 6)
Box ticking
Article 32, Security of Processing:“…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, …”
Recital (78) “The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this regulation are met.”
”… to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.....”
“…enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.”
Recital (49)
“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist,…. unlawful or malicious actions…”
Recital (81)
“…the controller should use only processors providing sufficient guarantees…including for the security of processing.”
#ProTip: Scope GDPR compliance from Data Classification upwards….
Playing Catchup
Legal is pushing cyber
Goal: GDPR compliant by May 25th 2018
GDPR = Legal + Privacy + IT + Cyber
#Fullstack Continuous Assessment is important
Visibility, metrics and continuous improvement
GDPR: Vendors / Clients
So….
Lets Dig a Little Deeper……..
Deeper Look….
Based on 1000’s of continuous assessments using edgescan.com
Host, web server and web application all assessed – #fullstack
See: https://edgescan.com/resources.php
Vulnerability Breakdown - #fullstack
Most Common Vulnerability – Web Apps
Majority of vulnerabilities are “browser security” issues – attack the user!!
XSS is still very common, and old: first discovered in the mid-90s.
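The slides name XSS as the most common web-application finding but show no code. Below is an added example (not code from the slides or from edgescan) of a reflected XSS rendering beside its hardened version; the page template, the parameter name `q`, the CSP values and the attacker payload are constructed for illustration.

```python
"""Reflected XSS: the vulnerable rendering beside its hardened version.

Added example; not code from the slides or from edgescan. The page template,
the parameter name and the attacker payload are constructed for illustration.
"""
from html import escape

# Template with two injection contexts: an HTML text node and a quoted attribute.
PAGE = ('<!doctype html><html><body><h1>Results for: {text}</h1>'
        '<input name="q" value="{attr}"></body></html>')

# Constructed attacker input: closes the attribute, then injects a script tag.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_vulnerable(term: str) -> str:
    """Untrusted input concatenated straight into the HTML: reflected XSS."""
    return PAGE.format(text=term, attr=term)


def render_hardened(term: str) -> str:
    """Contextual output encoding: & < > " ' are escaped before insertion.

    escape(quote=True) covers both the text-node and the quoted-attribute
    context used here; a JavaScript or URL context would need its own encoder.
    """
    safe = escape(term, quote=True)
    return PAGE.format(text=safe, attr=safe)


def security_headers() -> dict:
    """Defence in depth: a CSP without 'unsafe-inline' stops an injected
    inline <script> from running even if an encoding bug slips through.
    Values are illustrative assumptions, not a policy taken from the page."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_markup_injection(html: str) -> bool:
    """Crude detector for the demo: did the payload survive as live markup?"""
    lowered = html.lower()
    return "<script" in lowered or "onerror=" in lowered


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("hardened:  ", render_hardened(PAYLOAD))
    print("injected?  ", contains_markup_injection(render_vulnerable(PAYLOAD)),
          contains_markup_injection(render_hardened(PAYLOAD)))
```

The string check at the end only illustrates the difference; whether a payload actually executes is decided by the browser, which is why these findings are “attack the user” issues rather than server-side ones.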
Most Common Vulnerability - Infrastructure
Configuration Vulnerabilities common
Majority are TLS/SSL Crypto
7 systems in every 100 are “unsupported” (no longer receiving vendor patches)
Risk Dispersion
More Network Issues discovered
- BUT –
Most risk is on the app layer (95% of Critical risk, 82% of High risk)
Time-2-Fix
Average Time to Fix
Oldest Critical Vulnerabilities
Oldest “known” vulnerabilities discovered in 2016 by edgescan:
CVE-2007-6420 – Cross-site request forgery (CSRF)
CVE-2007-3847 – Apache 2.3.0 DoS
CVE-2007-5000 – Apache HTTP Server XSS
CVE-2007-6388 – Apache HTTP Server XSS
9 year old vulnerabilities exist in the wild on live servers. Poor/Non existent patching is the major root cause.
Good News is the frequency of occurrence is between 1.5% and 3%
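The measurement slides (attack surface, vulnerability type and stack location, time to fix, risk dispersion, oldest known vulnerability) describe metrics without showing how they are derived. The block below is an added example, not edgescan’s code or data: it computes those metrics over a small constructed findings list. The record layout, severities, dates and CVE assignments are assumptions made for the illustration.

```python
"""Vulnerability-management metrics over a constructed set of findings.

Added example: this is not edgescan's code or data. The findings below are
made up (layers, severities, dates and the CVE assignments are assumptions)
to show how the numbers the slides report are computed: findings per stack
layer, risk dispersion (where the critical/high risk sits), mean time-to-fix
and the age of the oldest "known" (CVE-numbered) vulnerability discovered.
"""
from collections import Counter
from datetime import date
from typing import Optional

# Constructed sample findings. layer is "app" (web application / API) or
# "infra" (host, web server, TLS); cve is set only for "known" vulnerabilities.
FINDINGS = [
    {"layer": "app",   "type": "XSS",             "severity": "critical",
     "found": date(2016, 3, 1),  "fixed": date(2016, 3, 15), "cve": None},
    {"layer": "app",   "type": "SQL injection",   "severity": "critical",
     "found": date(2016, 4, 2),  "fixed": date(2016, 5, 2),  "cve": None},
    {"layer": "app",   "type": "XSS",             "severity": "high",
     "found": date(2016, 4, 10), "fixed": None,              "cve": None},
    {"layer": "infra", "type": "Weak TLS cipher", "severity": "medium",
     "found": date(2016, 1, 5),  "fixed": date(2016, 1, 25), "cve": None},
    {"layer": "infra", "type": "TLS 1.0 enabled", "severity": "medium",
     "found": date(2016, 2, 1),  "fixed": None,              "cve": None},
    {"layer": "infra", "type": "Unsupported OS",  "severity": "high",
     "found": date(2016, 6, 1),  "fixed": None,              "cve": None},
    {"layer": "infra", "type": "mod_status XSS",  "severity": "medium",
     "found": date(2016, 7, 1),  "fixed": date(2016, 7, 31), "cve": "CVE-2007-6388"},
    {"layer": "infra", "type": "mod_proxy DoS",   "severity": "critical",
     "found": date(2016, 7, 1),  "fixed": None,              "cve": "CVE-2007-3847"},
]


def counts_by_layer(findings) -> Counter:
    """Raw finding counts per layer (the 'more network issues discovered' number)."""
    return Counter(f["layer"] for f in findings)


def risk_dispersion(findings, severity: str) -> dict:
    """Share of findings of one severity per layer, e.g. {'app': 0.67, 'infra': 0.33}.

    Counting raw findings hides this: infra produces more findings, but the
    critical/high ones cluster in the application layer.
    """
    of_sev = [f for f in findings if f["severity"] == severity]
    total = len(of_sev)
    per_layer = Counter(f["layer"] for f in of_sev)
    return {layer: n / total for layer, n in per_layer.items()} if total else {}


def mean_time_to_fix(findings, layer: Optional[str] = None) -> Optional[float]:
    """Mean days from discovery to fix over closed findings; None if none closed."""
    days = [(f["fixed"] - f["found"]).days for f in findings
            if f["fixed"] is not None and (layer is None or f["layer"] == layer)]
    return sum(days) / len(days) if days else None


def oldest_known(findings, as_of: date):
    """(cve, age in years) of the oldest CVE among the findings, or None.

    The year is read from the identifier (CVE-YYYY-NNNN), i.e. the disclosure
    year, which is the age the slides quote for '9 year old' vulnerabilities.
    """
    cves = [f["cve"] for f in findings if f["cve"]]
    if not cves:
        return None
    cve = min(cves, key=lambda c: (int(c.split("-")[1]), c))
    return cve, as_of.year - int(cve.split("-")[1])


def summary(findings, as_of: date) -> dict:
    """All metrics in one dict, as a dashboard or report job would collect them."""
    return {
        "by_layer": dict(counts_by_layer(findings)),
        "critical_share": risk_dispersion(findings, "critical"),
        "high_share": risk_dispersion(findings, "high"),
        "mttf_days_all": mean_time_to_fix(findings),
        "mttf_days_app": mean_time_to_fix(findings, "app"),
        "mttf_days_infra": mean_time_to_fix(findings, "infra"),
        "oldest_known": oldest_known(findings, as_of),
    }


if __name__ == "__main__":
    for key, value in summary(FINDINGS, date(2016, 12, 31)).items():
        print(f"{key}: {value}")
```

On this constructed data the infra layer has more findings (5 vs 3) while two of the three critical findings sit in the app layer, which is the shape the risk-dispersion slide describes; the same functions run unchanged over a real export as long as the records carry the assumed fields.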
What else happened in 2007?First iPhone was launched…
Conclusion
Consider the infosec impact of GDPR
Constant assessment is important, as everything changes
“Push Left” – use SAST and review before deployment
Measure improvement and weakness