Cybersecurity by the numbers


Transcript of Cybersecurity by the numbers

Page 1: Cybersecurity by the numbers

“Cybersecurity by the Numbers”

Page 2: Cybersecurity by the numbers

Eoin Keary

CTO/Founder, edgescan.com
OWASP Leader/Member; OWASP Ireland Founder

(ex)OWASP Global Board Member

@[email protected]

Page 3: Cybersecurity by the numbers

Why am I here??

“Doing” security for quite a while….

Before SAST, DAST, IAST, CI, CD were “things”;
Was a Software Developer & moved to Software Breaking;

Was a Leader of Global Penetration Engagements Team for EY;

Wrote/Contributed to the OWASP Testing Guide, OWASP Code Review Guide, OWASP CISO Guide, OWASP SAMM….

Responsible for some of the most impactful security breaches* against Irish financial institutions in the last 10 years.
*ethical security assessments

Page 4: Cybersecurity by the numbers

What we do….

Effective, Scalable #Fullstack Vulnerability Management

#fullstack vulnerability management:
Web Applications, API and Host
Managed Service
Continuous Assessment
False-Positive free

Manages over 100,000 systems globally.

Professional Services:
Penetration Testing
Software Security
Red Teaming
DDoS
System Hardening
Security Architecture
Compliance

Page 5: Cybersecurity by the numbers

edgescan™…basis for measurement

• edgescan™ is a sophisticated, enterprise-grade vulnerability assessment and management solution that gives you the tools you need to control and manage IT security risk

• edgescan™ helps small & medium-sized to large enterprises identify and remediate known vulnerabilities in any platform or web application

• edgescan™ is a cloud based SaaS which provides a unique combination of technology and human expertise to assist you with maintaining a strong security posture


Page 6: Cybersecurity by the numbers

2017 – so far

• Lloyds 48hr DDoS – 20,000,000
• Trump – administration details leaked
• Clash of Clans – 1,000,000
• Cellebrite – 900 GB of Data
• SWIFT – Fake Trade Documents – 3 banks – India
• CoPilot – GPS – 220,000 Records
• Sentara HealthCare – 5,000 Patient records

Globally, every second, 18 adults become victims of cybercrime – Symantec

“The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history” - Gen. Keith Alexander

“One hundred BILLION dollars” - Dr Evil

“Eoin, I didn’t click it” – My Mam

Page 7: Cybersecurity by the numbers

Attack Vectors & Threat Actors

Malware/Ransomware, Phishing, Hacking, CEO Fraud, Human Error / Insiders, DDoS

Organised Crime – Dedicated. Motivated by profit

Hacktivism – political, social motivations
“Script kiddies” – curious
Automated scanners/worms – systems used to identify “soft targets”
Cyber Terrorism – political motivations
Nation States: Cyber Espionage/APT
Insiders

Page 8: Cybersecurity by the numbers

Two weeks of ethical hacking

Ten man-years of development

Business Logic Flaws

Code Flaws
Security Errors

An inconvenient truth

Page 9: Cybersecurity by the numbers

Agile Risk Model

Fail Early – Fail Often
“Push Left”
Spread Risk

Page 10: Cybersecurity by the numbers

Make this more difficult: let’s change the application code once a month.

Continuous Testing:

Keeping pace with:
Development
New Vulnerabilities
Continuous patching requirements
New Deployments (Services, Systems)

Page 11: Cybersecurity by the numbers

#FullStack Security:
Web Applications
App Server
SSL/TLS
Databases
Services
Operating Systems
Networks

Page 12: Cybersecurity by the numbers

Measure “Attack Surface” & Improvement

Measure Attack Surface / Asset Classification
Continuous Asset Profiling and Alerting
Vulnerability Type & Stack Location
Time to Fix a Vulnerability
Most Common Vuln

Areas of focus…
Doing things right != Doing the right things.

Page 13: Cybersecurity by the numbers

Context

Page 14: Cybersecurity by the numbers

GDPR EU directive:

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU).

• a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 5 & 6)

Box ticking

Page 15: Cybersecurity by the numbers

Article 32, Security of Processing: “…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, …”

Recital (78) “The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this regulation are met.”

“… to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default…”

“…enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.”

Page 16: Cybersecurity by the numbers

Recital (49)

“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist … unlawful or malicious actions…”

Recital (81)

“…the controller should use only processors providing sufficient guarantees…including for the security of processing.”

#ProTip: Scope GDPR compliance from Data Classification upwards….

Page 17: Cybersecurity by the numbers

Playing Catchup

Legal is pushing cyber

Goal: GDPR compliant by May 25th 2018
GDPR = Legal + Privacy + IT + Cyber

#Fullstack Continuous Assessment is important
Visibility, Metrics and continuous improvement

GDPR – Vendors – Clients

Page 18: Cybersecurity by the numbers

So….

Let’s dig a little deeper…

Page 19: Cybersecurity by the numbers

Deeper Look….

Based on thousands of continuous assessments using edgescan.com

Host, web server and web application all assessed – #fullstack

See: https://edgescan.com/resources.php

Page 20: Cybersecurity by the numbers

Vulnerability Breakdown - #fullstack

Page 21: Cybersecurity by the numbers

Most Common Vulnerability – Web Apps
Majority of vulnerabilities are “browser security” issues – attack the user!!

XSS is still very common, and old: first discovered in the mid 90’s.

Page 22: Cybersecurity by the numbers

Most Common Vulnerability - Infrastructure

Configuration Vulnerabilities common

Majority are TLS/SSL Crypto

7 systems in every 100 are “unsupported”

Page 23: Cybersecurity by the numbers

Risk Dispersion

More Network Issues discovered

- BUT –

Most risk is on the App Layer
(95% of Critical Risk)
(82% of High Risk)

Page 24: Cybersecurity by the numbers

Time-2-Fix

Average Time to Fix

Page 25: Cybersecurity by the numbers

Oldest Critical Vulnerabilities

Oldest “known” vulnerabilities discovered in 2016 by edgescan:
CVE-2007-6420 – Cross-site request forgery (CSRF)
CVE-2007-3847 – Apache 2.3.0 DoS
CVE-2007-5000 – Apache HTTP Server XSS
CVE-2007-6388 – Apache HTTP Server XSS

9-year-old vulnerabilities exist in the wild on live servers. Poor/non-existent patching is the major root cause.

Good news: the frequency of occurrence is between 1.5% and 3%

What else happened in 2007?
First iPhone was launched…
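The metrics these slides report (average time to fix, risk dispersion by stack layer, most common vulnerability type per layer, and the share of findings carrying very old CVEs) can be computed from any findings export. The following is an added Python example over a small constructed dataset; it is not edgescan code or edgescan data, and the field names are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample findings for illustration only (not edgescan data).
# layer: "app" = web application, "host" = web server / OS / network.
FINDINGS = [
    {"layer": "app", "severity": "critical", "type": "SQL Injection", "cve": None,
     "found": date(2016, 3, 1), "fixed": date(2016, 3, 21)},
    {"layer": "app", "severity": "high", "type": "XSS", "cve": None,
     "found": date(2016, 3, 1), "fixed": date(2016, 4, 10)},
    {"layer": "app", "severity": "high", "type": "XSS", "cve": None,
     "found": date(2016, 5, 2), "fixed": None},  # still open
    {"layer": "host", "severity": "critical", "type": "Apache DoS", "cve": "CVE-2007-3847",
     "found": date(2016, 5, 2), "fixed": date(2016, 5, 4)},
    {"layer": "host", "severity": "medium", "type": "Weak TLS cipher", "cve": None,
     "found": date(2016, 5, 2), "fixed": date(2016, 6, 1)},
    {"layer": "host", "severity": "medium", "type": "Weak TLS cipher", "cve": None,
     "found": date(2016, 6, 1), "fixed": None},  # still open
]


def avg_time_to_fix_days(findings, severity=None):
    """Mean days from discovery to fix over closed findings, optionally for one severity."""
    closed = [f for f in findings
              if f["fixed"] and (severity is None or f["severity"] == severity)]
    if not closed:
        return None
    return sum((f["fixed"] - f["found"]).days for f in closed) / len(closed)


def risk_dispersion(findings, severity):
    """Share (0..1) of findings of one severity sitting on each stack layer."""
    by_layer = Counter(f["layer"] for f in findings if f["severity"] == severity)
    total = sum(by_layer.values())
    return {layer: n / total for layer, n in by_layer.items()} if total else {}


def most_common_type(findings, layer):
    """Most frequent vulnerability type on one stack layer, or None if the layer is empty."""
    types = Counter(f["type"] for f in findings if f["layer"] == layer)
    return types.most_common(1)[0][0] if types else None


def stale_cve_rate(findings, as_of_year, min_age_years):
    """Fraction of all findings whose CVE year is at least min_age_years before as_of_year."""
    stale = [f for f in findings
             if f["cve"] and as_of_year - int(f["cve"].split("-")[1]) >= min_age_years]
    return len(stale) / len(findings) if findings else 0.0
```

Open findings are excluded from time-to-fix but still count toward dispersion and stale-CVE rates, which is the choice that keeps an unfixed 2007 CVE visible in the numbers.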

Page 26: Cybersecurity by the numbers

Conclusion

Consider Infosec impact from GDPR
Constant assessment is important as everything changes
“Push Left” – Use SAST and review before deployment
Measure improvement and weakness

Page 27: Cybersecurity by the numbers

Thank YOU!

[email protected] / @edgescan

www.edgescan.com