Fixing Infosec

Transcript

1. Fixing Infosec. Evan d’Entremont

2. About Me • ~10 years as a software dev –

   Marketing – SAAS – Telematics • AtlSecCon speaker (twice) • Have won this battle • Not Satoshi

3. About Me

4. About You • Students • Newly minted “professionals” • Salespeople

   • Free Beer Enthusiats Hackers

5. What is the problem? • Everything is broken. • OWASP

   TOP 10 • Unvalidated Input • Broken Access Control • Broken Authentication and Session Management • Cross Site Scripting • Buffer Overflow • Injection Flaws • Improper Error Handling • Insecure Storage • Application Denial of Service • Insecure Configuration Management

6. What is the problem? • Everything is broken • Everything

   has always been broken. • OWASP TOP 10; 2004 • Unvalidated Input • Broken Access Control • Broken Authentication and Session Management • Cross Site Scripting • Buffer Overflow • Injection Flaws • Improper Error Handling • Insecure Storage • Application Denial of Service • Insecure Configuration Management

7. What is the problem? • Everything is broken • Everything

   has always been broken. • OWASP TOP 10; 2007 • Cross Site Scripting • Injection Flaws • Malicious File Execution • Insecure Direct Object Reference • Cross Site Request Forgery • Improper Error Handling • Broken Authentication and Session Management • Insecure Cryptographic Storage • Insecure Communications • Failure to Restrict URL Access

8. What is the problem? • Everything is broken • Everything

   has always been broken. • OWASP TOP 10; 2010 • Injection • Cross Site Scripting • Broken Authentication and Session Management • Insecure Direct Object Reference • Cross Site Request Forgery • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficent Transport Layer Protection • Unvalidated Redirects and Forwards

9. What is the problem? • Everything is broken • Everything

   has always been broken. • OWASP TOP 10; 2013 • Injection • Broken Authentication and Session Management • Cross Site Scripting • Insecure Direct Object Reference • Security Misconfiguration • Sensitive Data Exposure • Missing Function Level Access Control • Cross Site Request Forgery • Using Components with Known Vulnerabilities • Unvalidated Redirects and Forwards

10. What is the problem? • Everything is broken • Everything

    has always been broken. • OWASP TOP 10; 2017 • Injection • Broken Authentication • Sensitive Data Exposure • XML External Entities (XXE) • Broken Access Control • Security Misconfiguration • Cross Site Scripting • Insecure Deserialization • Using Components with Known Vulnerabilities • Insufficent Logging and Monitoring

11. What is the problem? • OWASP TOP 10; 2017 •

    Injection • Broken Authentication • Sensitive Data Exposure • XML External Entities (XXE) • Broken Access Control • Security Misconfiguration • Cross Site Scripting • Insecure Deserialization • Using Components with Known Vulnerabilities • Insufficent Logging and Monitoring • OWASP TOP 10; 2004 • Unvalidated Input • Broken Access Control • Broken Authentication and Session Management • Cross Site Scripting • Buffer Overflow • Injection Flaws • Improper Error Handling • Insecure Storage • Application Denial of Service • Insecure Configuration Management

12. What is the problem? • OWASP TOP 10; 2017 •

    Injection • Broken Authentication • Sensitive Data Exposure • Broken Access Control • Security Misconfiguration • Cross Site Scripting • OWASP TOP 10; 2004 • Unvalidated Input • Broken Access Control • Broken Authentication and Session Management • Cross Site Scripting • Injection Flaws • Improper Error Handling • Insecure Configuration Management

13. What is the problem? • •

14. Why has nothing changed? No one cares.

15. How did we get here? • Technical Debt • Financial

    Reasons • Education lack thereof

16. Technical Debt • Technical Debt is a concept in software

    development that reflects the implied cost of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer. • If you end up going a different route, there’s less lost code (and therefore productivity) • If you end up keeping it, there is interest on that debt...

17. Technical Debt • OWASP TOP 10; 2017 • Injection •

    Broken Authentication • Sensitive Data Exposure • XML External Entities (XXE) • Broken Access Control • Security Misconfiguration • Cross Site Scripting • Insecure Deserialization • Using Components with Known Vulnerabilities • Insufficent Logging and Monitoring • OWASP TOP 10; 2004 • Unvalidated Input • Broken Access Control • Broken Authentication and Session Management • Cross Site Scripting • Buffer Overflow • Injection Flaws • Improper Error Handling • Insecure Storage • Application Denial of Service • Insecure Configuration Management • Code written in 2004 is suceptible to todays problems...

18. Technical Debt • OWASP TOP 10; 2017 • XML External

    Entities (XXE) • Insecure Deserialization • Using Components with Known Vulnerabilities • Insufficent Logging and Monitoring • OWASP TOP 10; 2004 • Buffer Overflow • Application Denial of Service • Code written in 2004 is suceptible to todays problems...

19. Poker Odds Which is more important.. Security or Profit?

20. Poker Odds Which is more important.. Security or Profit? –

    A 2010 decision, for example, eBay Domestic Holdings Inc. v. Newmark, held that corporate directors are bound by "fiduciary duties and standards" which include "acting to promote the value of the corporation for the benefit of its stockholders."

21. Poker Odds • Poker odds • •

22. Poker Odds • Think of it like insurance – Most

    people don’t cash out. Those who do are better off having it than not. • The problem with infosec – Home Depot was out $28M on sales of $83.18B: 0.03%

23. Poker Odds Fortune 1000 - $225 per record (Ponemon Institute)

    – Chance of 10000+ record breach is 11% • $247,500 bet – Chance of 100000+ record breach is 0.5% • $1,250,000 bet – Chance of 1000000+ record breach is 0.25% • $5,620,000 bet

24. doesn’t care. • Threat model is a literal 7 year

    old • If someone used the same leverage to pressure you into giving them sex instead of your SSN it would be considered rape. - /u/Velostodon • Didn’t lose customers... Currently expanding their services to include selling your income and job title.

25. doesn’t care. • Affected users include parl.gc.ca, mil.gov, etc. •

    Settlement cost only $4 per user. • Still getting signups...

26. HZone doesn’t care. • 4.6 out of 5 on the

    App Store • Architectural issues included public mongoDB database accessed in the clear.

27. [redacted] didn’t care. • Technical Debt • Invesment vs reward

    • Threat profiles • Major undertaking

28. How do we fix this?

29. How do we fix this? • Shame companies – Doesn’t

    work. Any press is good press. – Victim Blaming • Skills Transfer – Same mistakes over and over – Ongoing traning - costs money. – Mentorship – costs short term productivity

30. How do we fix this? • Bug Bounties – –

    NSA pays $1,000,000 – Companies often see hackers as mercanaries – Requires spending as much or more money than the attackers; or relying on your average hacker to ‘care’ – If working for the good guys was more profitable, this wouldn’t be an issue. * Secure boot firmware

31. How do we fix this? • Bug Bounties – Zerodium

    NSA pays $1,000,000 – Companies often see hackers as mercanaries – Requires spending as much or more money than the attackers; or relying on your average hacker to ‘care’ – If working for the good guys was more profitable, this wouldn’t be an issue.

32. Create Risk. • Corporate Death Penalty – "Those breaches were

    bad. But they affected people who had chosen to do business with these companies by buying books or airplane trips." - Wired – "Under the law of Georgia, where Equifax is incorporated, the state attorney general may file a lawsuit in state court to dissolve a corporation if the corporation "has continued to exceed or abuse the authority conferred upon it by law."

33. Create Risk. • Insurance Deductibles – Companies often have Cyber-insurance;

    – Require them to meet standards or not recieve payouts. – Enforcement / Monitoring • Government “incentives” – Fines for breaches – Disclosure requirements – Compensation requirements – Data licensing

34. When will it change?

35. When will it change?

36. When will it change?

37. When will it change? When someone dies. Expect an immediate,

    rushed, legislative solution, followed by standards bodies filling in the gaps. Companies who have prepared will be better off when it happens. This is only a matter of time.

38. Questions? Comments? [email protected] https://github.com/evandentremont @[redacted]