iSymposium 2018 - Live Hack with Ben and Kassie Holt

Transcript

1. Live Hack: Even an 11 Year Old Can Do It

   Ben Holt | Stoel Rives Kassie Holt | Beehive Science & Technology Academy For iSymposium on April 26, 2018

2. 53,000+ Number of Confirmed Incidents 2,216 Confirmed Data Breaches Source:

   2018 Verizon DBIR

3. WannaCry NHS NotPetya Maersk 143 Million People 143 Million People

   Employee Data, Episodes Employee Data, Episodes 60,000 Customers 60,000 Customers Cryptocurrency $133 M Cryptocurrency $133 M 57 M Users’ Data 57 M Users’ Data 2017

4. Types of Threats External Internal Physical

5. Physical Security Let’s Talk About

6. Source: 2018 Verizon DBIR

7. Source: 2018 Verizon DBIR

8. Definition: To Pwn • To utterly dominate • Comes from

   a map designer in WarCraft that misspelled a message that “Player has been Pwned” ◦ Urban Dictionary

9. Physical Security To: Kassie From: Dad Can you retrieve my

   customer list? I can’t remember my password. But it is in my user folder on the computer. Let’s Talk About

10. What Happened? • Bypass computer protections • Physically Moved the

    Drive • OS Level Password/User Restrictions Ignored • Can Also Change Password File

11. Physical Access is Dangerous Mitigation is Important • Full Disk

    Encryption • Limit Access to Servers • Limit Number of Password Retries • TCM (Trusted Computing Module) If you learn one thing from me: Use Full Disk Encryption on All Computing Systems

12. External Security Let’s Talk About

13. Source: 2018 Verizon DBIR

14. Source: 2018 Verizon DBIR

15. External Security To: Kassie From: Dad I’m thinking about using

    Google Gruyere Software for our social media platform. I want to be hip and cool. Can you check it out? Let’s Talk About

16. What Happened? • Didn’t Sanitize the Inputs • Looked at

    Cookie and Discovered Username | Role • Application Did Not Forbid “|” in Username • Create New Username with Role In It • Logout • Login • Deny Service

17. Security by Design is Critical Mitigation: Contracts & Oversight •

    Security Needs to Be “Baked-In” • How Do They Test Security? • What Responsibility do They Take? • What is Their Response Plan? • How Do They Store Your Data? Free Services Are Not Free - They Take No Responsibility

18. Internal Security Let’s Talk About

19. Source: 2018 Verizon DBIR

20. Source: 2018 Verizon DBIR

21. Internal Security To: Kassie From: Dad The IT group is

    trying to pass policies that make my remote work so much more difficult. Can you show them that I am secure? That way I can tell them to back off and let me work remotely in peace. Let’s Talk About

22. What Happened? • Remote Access Was Enabled • Attacker Scanned

    Network • User chose a common password • Admin Did not Mitigate • Roll Through Many Password Tries Per Second

23. If a User Can Get In, A Hacker Can Too

    Mitigation: Training and Understanding • Policies are Only as Good as They Are Followed • Train for Understanding with Compliance • Limit Access • Use Two Factor Authentication • Exponential Backoff • Monitor Stupidity is a more dangerous enemy of the good than malice. One may protest against evil; it can be exposed and, if need be, prevented by use of force. Evil always carries within itself the germ of its own subversion in that it leaves behind in human beings at least a sense of unease. Against stupidity we are defenseless. --DIETRICH BONHOEFFER

24. Wrap-Up

25. What Should I Worry About? Source: 2018 Verizon DBIR

26. Questions? Thank You! Ben Holt [email protected] Kassie Holt www.bionicporcupines.com www.facebook.com/bionicporcupines/