Secure from the start : The changing landscape
Welcome

"In the wake of the Heartbleed bug and a number of other high profile security related failures, we revisit the idea of making sure we’re ahead of the game, secure from the start."

Secure from the Start: The changing landscape
Kieran O'Shea
[email protected] • @kieranoshea • http://www.kieranoshea.com/
Overview

- Motivations for this session
- Analysis of recent high profile issues
- Types of attack vectors
- Mitigation: config, tools, plugins & more
- Questions
Recent issues - Heartbleed

- A bug in OpenSSL (CVE-2014-0160), not in the TLS protocol itself: the heartbeat extension handler trusted the payload length claimed by the peer instead of checking it against the record actually received
- A heartbeat reply therefore leaks up to 64 KB of the process's memory per request, the request can be repeated indefinitely, and nothing appears in the server logs
- Data acquired this way (private keys, session cookies, passwords) compromises the security of everything the server protects
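The mechanism the slide describes, as an added example that is not part of the original deck: a Python model of the heartbeat handler before and after the fix. It is not OpenSSL's C code. The record layout follows RFC 6520 (type, 16-bit payload length, payload, at least 16 bytes of padding); the "heap" layout and the secrets that sit after the record are constructed for the demonstration.

```python
"""Simplified model of the Heartbleed bug (CVE-2014-0160).

Added example in Python; it is not OpenSSL's code. The record layout follows
RFC 6520, but the 'heap' and the secrets in it are constructed for the demo.
"""
import struct
from typing import Optional

HB_REQUEST = 1
MIN_PADDING = 16

# Constructed sample: data that happened to sit after the record in memory.
SECRETS = b"session=abc123; -----BEGIN RSA PRIVATE KEY-----"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request. An honest peer sets claimed_length to
    len(payload); an attacker sets it larger (up to 65535)."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def receive(record: bytes) -> bytearray:
    """Model of the process heap after the record arrives: the record bytes
    are followed by whatever was left there earlier (assumed layout)."""
    return bytearray(record) + bytearray(SECRETS)


def vulnerable_handler(record: bytes) -> bytes:
    """Pre-fix logic: copies `claimed` bytes from the heap into the reply,
    trusting the length field the peer sent."""
    heap = receive(record)
    _hb_type, claimed = struct.unpack("!BH", bytes(heap[:3]))
    # BUG: `claimed` is never compared with the real record length, so the
    # reply runs past the payload into adjacent memory.
    return bytes(heap[3:3 + claimed])


def fixed_handler(record: bytes) -> Optional[bytes]:
    """Post-fix logic: the same copy, guarded by the bounds check that
    OpenSSL 1.0.1g added. Malformed requests are dropped (None), not answered."""
    heap = receive(record)
    _hb_type, claimed = struct.unpack("!BH", bytes(heap[:3]))
    if 1 + 2 + claimed + MIN_PADDING > len(record):
        return None
    return bytes(heap[3:3 + claimed])


def leaked_bytes(reply: bytes, payload: bytes) -> bytes:
    """Everything in a reply beyond the echoed payload and its padding."""
    return reply[len(payload) + MIN_PADDING:]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping", len(b"ping"))
    malicious = build_heartbeat(b"ping", 0xFFFF)
    print("honest reply:", vulnerable_handler(honest))
    print("leaked by vulnerable handler:", leaked_bytes(vulnerable_handler(malicious), b"ping"))
    print("fixed handler's answer to the attack:", fixed_handler(malicious))
```

The fix is a single comparison of the claimed length against the length of the record that actually arrived; everything else in the handler is unchanged, which is why the bug was so easy to introduce and so hard to notice.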
Recent issues - Heartbleed: fallout and recovery

- Fallout: anything held in the memory of a vulnerable OpenSSL process may have been read, so private keys, session tokens and passwords have to be treated as exposed
- Recovery: patch OpenSSL (1.0.1g or later, or your distribution's backported fix), then reissue certificates with new private keys, revoke the old ones, and have users change passwords only after the fix is in place
Recent issues - Ransomware

(Image credit: Realintogive/Wikimedia Commons)

- Essentially blackmail
- Takes different forms
- Difficult to recover from without offline backups
- Infection rates uncertain
- Millions made by criminals
Recent issues - Back doors

(Slide images only; these slides carry no text.)
Recent issues - Social Engineering

- Should be considered a back door: it bypasses the password entirely
- Password resets
- Security questions
- "Single Sign On"
Recent issues - Obscurity

When is security no security at all?

When my hotel reservation is
www.somehotel.com/reservation/12345

so the previous customer's must be...
www.somehotel.com/reservation/12344

A sequential identifier in a URL is not a secret. If the server never checks that the person asking actually owns the record (an insecure direct object reference), anyone can walk through every reservation simply by changing the number.
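The hotel example above, as an added example that is not code from the original deck: the sequential lookup with no ownership check beside a hardened version that issues random references and authorises every lookup. The hotel, the customers and the bookings are constructed.

```python
"""Sequential reservation numbers versus unguessable references plus an
ownership check. Added example (Python); the data is constructed."""
import secrets
from typing import Dict, Optional

# Constructed bookings keyed by a sequential number, as the URL suggests.
SEQUENTIAL_STORE: Dict[int, dict] = {
    12344: {"customer": "alice", "room": 101},
    12345: {"customer": "bob", "room": 102},
}


def view_by_number(reservation_id: int) -> Optional[dict]:
    """The pattern behind /reservation/12345: the number is the only
    'protection', and nobody checks who is asking."""
    return SEQUENTIAL_STORE.get(reservation_id)


class ReservationService:
    """Hardened version: references are random and every lookup is authorised."""

    def __init__(self) -> None:
        self._by_ref: Dict[str, dict] = {}

    def create(self, customer: str, room: int) -> str:
        # 128 bits from the OS CSPRNG: cannot be enumerated by counting up or down.
        ref = secrets.token_urlsafe(16)
        self._by_ref[ref] = {"customer": customer, "room": room}
        return ref

    def view(self, ref: str, requester: str) -> Optional[dict]:
        booking = self._by_ref.get(ref)
        # Same answer for "no such booking" and "not yours", so a probe
        # cannot learn whether a reference exists.
        if booking is None or booking["customer"] != requester:
            return None
        return booking


def demo() -> dict:
    """Bob tries to read Alice's booking under both designs."""
    svc = ReservationService()
    alice_ref = svc.create("alice", 101)
    svc.create("bob", 102)
    return {
        "sequential_leak": view_by_number(12344),           # Alice's booking, no check
        "hardened_as_bob": svc.view(alice_ref, "bob"),      # None
        "hardened_as_alice": svc.view(alice_ref, "alice"),  # Alice's booking
    }


if __name__ == "__main__":
    print(demo())
```

The random reference stops enumeration, but the ownership check is the real fix: a booking page that is reachable from an e-mailed link without logging in is relying on the reference as a capability, so it must be long, random and never placed where it leaks (referrer headers, logs, shared screenshots).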
Attack Vectors - Passwords

- Exploitation of simple passwords
- Re-use of stolen credentials
- Brute force

Is this your password? (slide image)
Attack Vectors - Social Engineering

- Probably our weakest link
- Guessable info overrides passwords
- Privileged users exploited
Attack Vectors - External Applications

- Shared use servers amplify risk
- Exploiting the file system
- Taking advantage of firewall rules
- Piggy-backing off API connectivity
Attack Vectors - Rogue Code

Does your theme footer look like this? (slide image)
When hackers get control (slide image)
When hackers really get control (slide image)
Mitigation - Passwords

- Secure passwords, auto generated
- Avoid re-use between systems
Mitigation - Passwords

- Employ secure password storage: a password manager
- Complex & differing passwords become easier once you no longer have to remember them
- A variety of services exist, paid & free
- One single, secure master password protects them all
Mitigation - Two Factor Authentication

- Something you have plus something you know (or something you are)
- A variety of implementations: fingerprints, smart cards, text messages, paper-based grids
- A good degree of separation is required: the second factor must not be obtainable through the same device or channel as the first (a code texted to a phone the attacker already controls adds nothing, and SMS codes can be diverted by SIM swapping)
- Extend to multi-factor authentication
Mitigation - One Time Passwords

- Reduces the consequences of interception: a captured code is useless once it has been used or has expired
- Remote verification of the token
- Also provides two factor authentication
- Support for independent infrastructure
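How a one-time password is generated and, on the server side, verified exactly once, as an added example covering this slide and the two-factor slide before it. This is Python written for this page using only the standard library; it is not code from the YubiKey plugin or any other plugin the deck names. The algorithm is RFC 4226 HOTP driven by a 30-second time step (RFC 6238 TOTP); the per-user records are constructed, and the secret is the RFC's published test secret so the codes can be checked against Appendix B of RFC 6238.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with a replay-rejecting verifier.
Added example (Python, standard library only); not code from the slides.
"""
import base64
import hashlib
import hmac
import struct
from typing import Dict

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated (RFC 4226 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """The code an authenticator app shows at a given time."""
    return hotp(secret, unix_time // step)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form, which is what otpauth:// URIs and enrolment QR codes carry."""
    return base64.b32encode(secret).decode("ascii")


class TotpVerifier:
    """Server side: accept each code at most once, within a small drift window."""

    def __init__(self, window: int = 1, step: int = STEP_SECONDS) -> None:
        self.window = window
        self.step = step
        self._secrets: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}   # highest time step already consumed

    def enrol(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._last_counter[user] = -1

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self._last_counter[user]:
                continue  # already used: an intercepted code is worthless
            if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
                self._last_counter[user] = counter
                return True
        return False


# RFC 6238 test secret (20 ASCII bytes). A real deployment generates one per
# user with secrets.token_bytes(20) and stores it like a password.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("enrol with base32 secret:", provisioning_secret(RFC_SECRET))
    print("code at T=59:", totp(RFC_SECRET, 59))
    v = TotpVerifier()
    v.enrol("kieran", RFC_SECRET)
    code = totp(RFC_SECRET, 1111111109)
    print("first use:", v.verify("kieran", code, 1111111109))
    print("replay:", v.verify("kieran", code, 1111111109))
```

The replay check (`_last_counter`) is what turns "one time" from a slogan into a property: without it, a code phished or sniffed in the last 30 seconds still works. The window of plus or minus one step tolerates clock drift between the phone and the server; widen it and every stolen code stays valid longer.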
Mitigation - SSL

- Protects data in transit (SSL is the older name; what you deploy today is TLS)
- Consider what constitutes "sensitive"
- Key & signed certificate, available for free
- Beware revocation costs
- Enhance security with forward secrecy: ephemeral Diffie-Hellman key exchange, so a private key stolen later cannot decrypt traffic recorded earlier
- Remember client security too: VPN, S/MIME; don't settle for plain text
Mitigation - External Applications

- Minimise server sharing; a VPS is preferable
- If sharing, protect users from users
- Don't chmod 777: world-writable files let any other account on the host, or any compromised process, rewrite your code
- Sandbox your code, e.g. suPHP, so PHP runs as the site owner rather than as the shared web-server user
- Keep an eye on key file changes
- Consider the onward security of allowed IPs: a firewall exception is only as trustworthy as the host behind it
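One way to "keep an eye on key file changes", as an added example that is not the WordPress File Monitor Plus plugin or any other code from the deck: a Python script that records a SHA-256 manifest of the web root and reports what was added, removed or modified since. The directory layout, file contents and simulated compromise in `demo()` are constructed.

```python
"""Baseline-and-diff file integrity check for a web root.
Added example (Python, standard library); the site in demo() is constructed."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Paths that legitimately change all the time; watch them separately, not here.
DEFAULT_SKIP = ("wp-content/uploads/", "wp-content/cache/")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, skip=DEFAULT_SKIP) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    root_path = Path(root)
    manifest: Dict[str, str] = {}
    for p in sorted(root_path.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root_path).as_posix()
        if rel.startswith(skip):
            continue
        manifest[rel] = sha256_of(p)
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """What an intruder's edits look like against the stored baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def save_manifest(manifest: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed site: take a baseline, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        files = {
            "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-config.php": "<?php define('DB_NAME', 'example');\n",
            "wp-content/themes/demo/footer.php": "<footer>&copy; example</footer>\n",
            "wp-content/uploads/2014/06/photo.jpg": "not really a jpeg\n",
        }
        for rel, body in files.items():
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_text(body)
        baseline_path = Path(tmp) / "baseline.json"   # keep this OUTSIDE the web root
        save_manifest(build_manifest(site), baseline_path)

        # Simulated compromise: code injected into the theme footer, a dropped
        # file, and a new upload (which the skip list deliberately ignores).
        with (site / "wp-content/themes/demo/footer.php").open("a") as f:
            f.write("<?php /* injected */ ?>\n")
        (site / "wp-includes").mkdir()
        (site / "wp-includes/dropped.php").write_text("<?php // not part of the install\n")
        (site / "wp-content/uploads/2014/06/new.jpg").write_text("another upload\n")

        return diff_manifests(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the baseline somewhere the web server's account cannot write, ideally on a different host, and refresh it immediately after each legitimate update; otherwise an intruder who can edit footer.php can edit the manifest too. For core files alone, wp-cli's `wp core verify-checksums` compares against the checksums wordpress.org publishes; this manifest approach also covers themes, plugins and wp-config.php.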
Mitigation - Plugins

- Two factor authentication (OTP): "YubiKey Plugin" (Henrik Schack)
- Modifications to files: "WordPress File Monitor Plus" (Scott Cariss)
- Login attempts: "Limit Login Attempts" (Johan Eenfeldt)
- Action logging: "Audit Trail" (John Godley)
- More involved auditing: "The Auditor" (interconnect/it)
Mitigation – Configuration

- Lock down powerful interfaces
- Work with minimum usable privileges
- Reduce brute force with fail2ban
- Block access at an IP level
- Maintain access by using a VPN, so the allowed range can stay small

```apache
# Define specific rules for the blog admin panel
<Directory /home/kieran/public_html/wp-admin>
    Order Deny,Allow
    Deny from all
    Allow from 95.172.226.96/27
</Directory>
```

This is Apache 2.2 syntax (mod_access); on Apache 2.4 the same rule is a single `Require ip 95.172.226.96/27` from mod_authz_core. Two WordPress-specific caveats: wp-login.php lives in the site root, not under wp-admin, so it needs its own `<Files wp-login.php>` rule, and wp-admin/admin-ajax.php is called by many themes and plugins on behalf of logged-out visitors, so it may need an exception.
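What "reduce brute force with fail2ban" does with your logs, as an added example that is not fail2ban itself and not the Limit Login Attempts plugin: Python that reads login-failure lines, applies fail2ban's maxretry/findtime idea as a sliding window per source address, and never bans the VPN range the slide keeps access through (fail2ban's ignoreip). The log format (ISO timestamp, then "Authentication failure for <user> from <ip>") and every line in `SAMPLE_LOG` are constructed for this example, modelled on what a login hook might write to syslog; the addresses are documentation and private ranges.

```python
"""Fail2ban-style brute-force detection over constructed login-failure logs.
Added example (Python, standard library); not fail2ban's own code."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z .*?"
    r"Authentication failure for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)$"
)

# Constructed sample log: one attacker, one fat-fingered user, one admin on the VPN.
SAMPLE_LOG = """\
2014-06-14T10:00:01Z web1 wp-login: Authentication failure for admin from 203.0.113.7
2014-06-14T10:00:04Z web1 wp-login: Authentication failure for admin from 203.0.113.7
2014-06-14T10:00:05Z web1 wp-login: Authentication failure for kieran from 198.51.100.5
2014-06-14T10:00:09Z web1 wp-login: Authentication failure for administrator from 203.0.113.7
2014-06-14T10:00:12Z web1 wp-login: Authentication failure for admin from 203.0.113.7
2014-06-14T10:00:15Z web1 wp-login: Authentication failure for root from 203.0.113.7
2014-06-14T10:03:20Z web1 wp-login: Authentication failure for kieran from 198.51.100.5
2014-06-14T10:05:00Z web1 wp-login: Authentication failure for kieran from 10.8.0.12
2014-06-14T10:05:01Z web1 wp-login: Authentication failure for kieran from 10.8.0.12
2014-06-14T10:05:02Z web1 wp-login: Authentication failure for kieran from 10.8.0.12
2014-06-14T10:05:03Z web1 wp-login: Authentication failure for kieran from 10.8.0.12
2014-06-14T10:05:04Z web1 wp-login: Authentication failure for kieran from 10.8.0.12
2014-06-14T10:05:05Z web1 wp-login: Authentication failure for kieran from 10.8.0.12
"""


def parse_failures(log_text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, user, ip) for each matching line; ignore everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["user"], m["ip"]


def find_bans(log_text: str, maxretry: int = 5,
              findtime: timedelta = timedelta(minutes=10),
              ignore_nets: Tuple[str, ...] = ("10.8.0.0/24",)) -> Set[str]:
    """Addresses with at least `maxretry` failures inside any `findtime` window.
    `ignore_nets` is the admin VPN (assumed 10.8.0.0/24): never lock yourself out."""
    ignored = [ipaddress.ip_network(n) for n in ignore_nets]
    recent: Dict[str, List[datetime]] = defaultdict(list)
    banned: Set[str] = set()
    for ts, _user, ip in parse_failures(log_text):
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue
        # Sliding window: keep only failures within findtime of this one.
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    print("ban:", sorted(find_bans(SAMPLE_LOG)))
```

Two things to check before wiring a rule like this to the firewall: the address in the log must be the client's real address (behind a CDN or reverse proxy it is the proxy's, and banning it blocks everyone), and the allow-list must match the range you actually administer from, which is the same range the Apache snippet above lets into wp-admin.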
Mitigation – Social engineering

- Don't populate "password hints"
- Don't use real "secret questions": answer them with random strings kept in your password manager
- Become aware of back doors
- Know the warning signs
- Power of notifications: alerts for logins, password changes and new devices
- Avoid single points of failure
- Multiple backups, multiple services
- At least one backup offline
Questions?

Kieran O'Shea • [email protected] • @kieranoshea • http://www.kieranoshea.com/

Remember, WordCamp tweets are archived here: https://wcuk.kieranoshea.com/tweets/