Nothing is secure.pdf

  1. Nothing is secure Bozhidar Bozhanov
  2. About me ● Software engineer and architect ● Founder of a cybersecurity startup ● Minister of electronic governance of Bulgaria (2021-2022) ● Member of Bulgarian parliament ● Twitter: @bozhobg
  3. Network security is hard ● What is “network security” anyway? ● Network firewall, WAF ● Network segmentation, DMZ ● IDS? ● VPN / ZTNA ● DNS security ● DDoS ● Email security (in & out) ● Honeypots ● …
  4. Endpoint security is hard ● AV/NGAV/EPP/EDR/XDR? ● DLP ● BYOD policies ● USB policies ● AD/Azure AD ● Mobile security, MDM ● IoT ● Printers (example: Bangladesh bank)
  5. Cloud security is hard ● IaaS configurations ● IAM, API access ● Container management ● Cloud monitoring, security centers, agents ● SaaS - MFA ● SaaS - “trust us” ● SaaS - shadow IT
  6. Custom development is hard ● OWASP ● Configuring CSP, CSRF tokens ● Upload filters ● XSS - input & output ● Access control per HTTP endpoint ● Dependency management, hot patching ● SDLC ● Regular pentests
  7. Off-the-shelf security is hard ● “Custom software is hard, I’ll get something off-the-shelf” ● Same problems, but outside our control ● Which ports does it use? ● How do we collect the logs (example: SAP security audit log) ● How to hide problems behind the firewall? ● Virtual patching ● Vendor goes bankrupt/acquired/stops support
  8. "No problem, we’ll get the best security tools and that will fix things"
  9. Security tools are hard ● Sometimes missing exactly the thing that we need ● Blocks normal usage, but lets the bad guys in (example: downloading binaries as base64 text files) ● Expensive ● Allegedly integrated, but you need many tools which hardly talk to each other ● Data sheet (only) functionality ● False positives
  10. Attacks abound ● Supply chain (Solorigate) ● Pseudo-airgapped (Jeep hack, VLAN-“airgapped”) ● Unvetted companies and experts (“where did this backdoor come from?”) ● Physical access compromise (MIFARE Classic, HRM integration) ● Social engineering (“weakest link”, example: “not my job to care”) ● 0days (example: Pegasus iPhone 0day)
  11. All of that is hard even if we have qualified people
  12. Many organizations don’t have them. The public sector doesn’t have them.
  13. We’ve built something overly complex on a bunch of silicon, “mirrors” in a tube and 0s and 1s. There’s no built-in security, it’s always added later. That makes things very, very hard.
  14. Nothing is secure… …but we have to manage risk
  15. Government at the moment
  16. Long-term policies ● Trained people ● Standardization ● Responsibility of vendors ● Limiting 0day stashing
  17. Nothing is secure… …but it has to become less and less insecure.
  18. Thank you!
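Slide 6 lists "access control per HTTP endpoint" among the things that make custom development hard. The following Python is an added example, not code from the talk or from the speaker: it contrasts authorization scattered across individual handlers (where one forgotten check silently exposes an endpoint) with a single default-deny policy table that is consulted before any handler runs, plus a startup check that reports handlers with no policy entry. The request model, route names and roles are constructed for illustration.

```python
"""Added example (not from the slides): per-endpoint access control.

Assumes a tiny in-memory request model and no web framework. The vulnerable
router relies on each handler to check authorization itself, so a handler
that forgets the check is reachable by anyone. The hardened router keeps one
default-deny policy table keyed by (method, path) and refuses any endpoint
that is not explicitly registered with a required role.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    user: str | None = None          # None = unauthenticated (constructed model)
    roles: set[str] = field(default_factory=set)


# --- vulnerable pattern: authorization scattered across handlers ------------
def admin_users_handler(req: Request) -> tuple[int, str]:
    if "admin" not in req.roles:     # this handler remembers to check
        return 403, "forbidden"
    return 200, "user list"


def admin_export_handler(req: Request) -> tuple[int, str]:
    # Endpoint added later; the author forgot the role check entirely.
    return 200, "full database export"


VULNERABLE_ROUTES = {
    ("GET", "/admin/users"): admin_users_handler,
    ("GET", "/admin/export"): admin_export_handler,
}


def vulnerable_dispatch(req: Request) -> tuple[int, str]:
    handler = VULNERABLE_ROUTES.get((req.method, req.path))
    if handler is None:
        return 404, "not found"
    return handler(req)             # no central check: handler decides alone


# --- hardened pattern: one default-deny policy table ------------------------
# Every endpoint must declare the role it requires; "public" marks endpoints
# open to anonymous users. Anything absent from the table is never served.
POLICY: dict[tuple[str, str], str] = {
    ("GET", "/health"): "public",
    ("GET", "/admin/users"): "admin",
    ("GET", "/admin/export"): "admin",
}

HARDENED_HANDLERS = {
    ("GET", "/health"): lambda req: (200, "ok"),
    ("GET", "/admin/users"): lambda req: (200, "user list"),
    ("GET", "/admin/export"): lambda req: (200, "full database export"),
    # Registered handler with NO policy entry: must be refused, not served.
    ("GET", "/admin/debug"): lambda req: (200, "debug dump"),
}


def hardened_dispatch(req: Request) -> tuple[int, str]:
    key = (req.method, req.path)
    if key not in HARDENED_HANDLERS:
        return 404, "not found"
    required = POLICY.get(key)
    if required is None:
        # Fail closed: an endpoint without an explicit policy is a bug and is
        # refused rather than silently exposed.
        return 403, "no access policy for endpoint"
    if required != "public":
        if req.user is None:
            return 401, "authentication required"
        if required not in req.roles:
            return 403, "forbidden"
    return HARDENED_HANDLERS[key](req)


def missing_policies() -> list[tuple[str, str]]:
    """Startup check: endpoints that have a handler but no policy entry."""
    return sorted(k for k in HARDENED_HANDLERS if k not in POLICY)


if __name__ == "__main__":
    anon = Request("GET", "/admin/export")
    print("vulnerable:", vulnerable_dispatch(anon))   # anyone gets the export
    print("hardened:  ", hardened_dispatch(anon))     # 401
    print("endpoints without policy:", missing_policies())
```

The point of the hardened version is that adding a route without a matching policy entry fails loudly at the first request (and shows up in the startup check), which is the failure mode a per-handler approach cannot catch.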
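Slide 9 gives the example of a security tool that blocks binary downloads but lets the same content through when it travels as a base64 text file. The following Python is an added example, not code from the talk or from the speaker: a content check that decodes long base64 runs and looks for executable magic bytes, shown beside the naive raw-bytes check that misses the encoded form. The sample "file" is constructed (a few bytes with a PE-style prefix, not a real executable).

```python
"""Added example (not from the slides): content inspection that decodes
base64 text before deciding whether a download carries an executable.

Constructed samples only. The magic-byte table holds the standard header
prefixes of common executable containers; nothing here comes from the talk.
"""
from __future__ import annotations

import base64
import binascii
import re

# Leading bytes of common executable containers.
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable (Windows)",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"#!": "script with shebang",
}

# A run of base64 alphabet (line breaks allowed) at least 64 characters long.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/\r\n]{64,}={0,2}")


def classify_bytes(data: bytes) -> str | None:
    """Label the data if it starts with a known executable header."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def naive_is_executable(data: bytes) -> bool:
    """What a filter that looks only at raw magic bytes sees."""
    return classify_bytes(data) is not None


def find_encoded_executables(text: bytes) -> list[tuple[int, str]]:
    """Return (offset, label) for each base64 run that decodes to an executable."""
    hits = []
    for m in _B64_RUN.finditer(text):
        chunk = re.sub(rb"\s+", b"", m.group(0)).rstrip(b"=")
        # Only the header matters, so truncate to a multiple of 4 characters
        # instead of guessing padding for a run that may be cut mid-stream.
        chunk = chunk[: len(chunk) - len(chunk) % 4]
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except binascii.Error:
            continue
        label = classify_bytes(decoded)
        if label:
            hits.append((m.start(), label))
    return hits


def inspect_download(data: bytes) -> list[str]:
    """Findings for a downloaded blob: raw executables and base64-wrapped ones."""
    findings = []
    raw = classify_bytes(data)
    if raw:
        findings.append(raw)
    for _, label in find_encoded_executables(data):
        findings.append("base64-encoded " + label)
    return findings


# Constructed sample: an MZ header followed by filler, NOT a real program.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"constructed, not a real executable"

# Constructed "text file" that wraps the same bytes in base64.
SMUGGLED_TEXT = (
    b"Here is the readme you asked for:\n"
    + base64.b64encode(FAKE_PE)
    + b"\nregards"
)

if __name__ == "__main__":
    print("naive check on text file:", naive_is_executable(SMUGGLED_TEXT))   # False
    print("decoding check on text file:", inspect_download(SMUGGLED_TEXT))
```

The naive filter answers "not a binary" for the text file while the decoding check reports the wrapped PE header; a tool that only looks at the outer bytes is exactly the "blocks normal usage, but lets the bad guys in" case the slide describes.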