adelaide half day security conference 2019 files/final... · web apis are a primary target for...

CLICK TO EDIT MASTER TITLE STYLE

Click To Edit Subtitle Style

ADELAIDE HALF DAYSECURITY CONFERENCE 2019

#SecDaySA

Friday 7 June 2019



We

Welcome and opening address

Nathan MorelliAdelaide Branch Chair at AISA

CYBERsmartsafe

secure

Thank you to our sponsors

Venue Sponsor

Event Sponsors



We

Akamai’s state of the internet

Fernando SertoHead of Security Technology and Strategy for

APJ at Akamai

AkamaiThreat Brief AISA AdelaideFernando SertoHead of Security Technology and Strategy, APAC

7/June/2019

Growth of Web API Use: 2014 through 2018

54%

17%

14%

14%

6%

26%

69%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

2014 2018

Web Hits by Content Type

Text / HTML Text / XML App / XML App / JSON

83%API

Source: Akamai ESSL Network, SOTI Q1 2019

API calls now dominate overall web hits

Things On The Internet Make Majority Of API Calls

About 1/3rd of Web API calls come from browsers.

The other 2/3rds come from mobile phones, gaming consoles, smart TVs, etc…

This is a huge challenge! 66%

Source: Akamai SOTI Q1 2019

http://petstore.com/api/v1/pet/’%20or%20’1’=’1

=SELECT * FROM pets WHERE petID = ‘’ or ‘1’ = ‘1’

API SQL Injection - Concept

API SQL Injection - Real life

Web APIs Are A Primary Target For Attackers Today

Web sites & Web APIs share the same (old) attack vectors – but APIs

are often unprotected

APIs are more performant and less expensive to attack compared with

traditional web forms

4Xmore Credential

Stuffing attacks on APIs

76%SQL injection

13%Local file include

Code injection

6%

Command injection

3%

Cross-site injection

2%

Holiday Season 2018MOBILES and APIs

SQLi

~50% WEB

~76% MOBILE

vs

* Data pre-Holiday Season

MUST HAVE: Positive and Negative Security Models

Example: What’s In Your API Response?Developers often make assumptions that systems will be used as intended…..”Only my mobile app will call my API”

curl https://api.orderinput.com/v1/sku\-u sku_4bC39lelyjwGarjt:\-d currency=usd\-d inventory [type]=finite\-d inventory[quantity]=500\-d price=3\-d product=prod_BgrChzDbl\-d attributes[size]=medium]

http 200 OKhttps ://success.api.orderinput.com/v1/sku-idAPI response includes some interesting data

Simple order request to order entry APIs

order_number=14586

Example: What’s In Your API Response?

It is rare for developers to consider attack scenarios, especially non-traditional ones…..”Sequential order numbers makes sense”

http 200 OKhttps ://success.api.orderinput.com/v1/sku-id

But what if I submit subsequent orders over time and various geographies?

order_number=23697

Example: But Why?

Honestly - We don’t know. Same store sales data?

Competition?Investor?

API DoS is a problem!

Specially crafted request that causesmultiple hash collision can cause DoSattack on server.

Eg:{"4vq":"key1", "4wP2":"key2", "5Uq":"key3", "5VP":"key4", "64q":"key5" }

The large payload of the above pattern whensent to a vulnerable json_decode functionin a server can slow down the server.

Specially crafted request with deep nesting

as shown below can exhaust server memory

very quickly.

Eg: {“p”:{“p”:{“p”:{……………….}}}}

The large payload of the above pattern whensent to a vulnerable deserializer can slow down a server.

The problems mentioned above can be mitigated if you perform validation on maximum allowed parameters and setting maximum nesting depth.

CYBERsmartsafe

secure2018 DDOS Trends

❑ The size of the largest attacks have grown by approximately 6%on an annual basis

❑Cyclic growth and retreat on a two-year basis observed on themedian size of the attacks

❑Smaller, more focused attacks can do as much damage as thelarger-scaled counterparts

Attack Density &

Trends 2017-18

Second Half of 2018DDoS ATTACKS AND PEAK BW/VECTOR

DDOS Attacks by-Week ‘18

2017 Q1 2017 Q2 2017 Q3 2017 Q4 2018 Q1 2018 Q2 2018 Q3 2018 Q4

1850 2354 2535 2348 2057 1845 2364 2142

DDOS by Quarter

Attack Density &

Trends 2017-18

39.8%

97.7%

95%

1.35 Tbps

DDOS attack density grew from 560 Mbps to 783 Mbps

DDOS ATTACK DENSITY

Growth observed in attack size with a median in Januaryof .56 Gbps ballooning to 1.548 Gbps by December

DDOS ATTACK SIZE

Jan ’17: < 4.19 GbpsJan ‘18: < 5.91 GbpsDec ‘18: < 11.34 Gbps

INCREASING MAGNITUDE OF THE DDOS ATTACKS

On March 01, a software development companyexperienced a 1.35 Tbps DDoS attack using memcachedUDP reflection.

ONE OF THE LARGEST ATTACKS ON AKAMAI

Summary: DDOS Attack Trends

DDoS Attacks in FinServ

DDoSINTERESTING TRENDS

• FSI companies usually get attacked with smaller volumetric attacks but get attacked a lot more often.• Major Bank in Asia Pacific was hit with a 3.9Gbps attack after Christmas

• Another Major Bank keeps getting attacks between 600Mbps and 3Gbps

• We are seeing more and more attacks that last less than a few minutes –sometimes it is hard to pick those up on monitoring tools.• Organization getting hit with small bursts of 3Gbps

Holiday Season 2018ATTACK TRAFFIC

7 million

SOTI – Cred Abuse By Vertical 2018

27.985 Billion

Credential Stuffing

Attempts in 8

months.

115 Million attempts

per day

Credential AbuseAttacks per day

Credential Abuse – FinServAttacks per day

Credential Abuse: Top Credit Union in US* recap for some

Credential Abuse into DDoS – Customer Case

• Over one weekend, Digital Bank’s login site was subject to aggressive credential stuffing attack which brought their internet banking (IB) site down.

• 65k IP addresses participated in the attack, from more than 120 countries.

• Two days later, a large DDoS attack was targeted against flagship Internet Bank login site, which brought the site down as well

Bots Bots Bots

Protecting 3rd Party Scripts

The Zero Trust buzzword

European Fin Serv Phishing

Campaign

It starts with a text message


Campaign

The phishing page

Phishing page setup on ‘bankieren.cp2-rabobank.net/NL2/’ where they have imitated the Rabobank page in attempts to try to obtain credentials from unaware Rabobank users.


Campaign

Is it working?

Source: CyberWarZone.com

https://cyberwarzone.com/x-co-rabonl-used-for-rabobank-phishing-attack/



We

Cybersecurity at UniSA

Dr Ben Martini and Dr Gaye DeehanProgram Directors at UniSA



We

Malicious office hardware

Norman YueOffensive Cyber Security Researcher

CYBERsmartsafe

secure

Backdooring Stuff

Some thoughts on modern meme theory, and its applications to securing the business-cyber agile cloud

ecosystem.

CYBERsmartsafe

secure

Background / Motivation

Improvise. Adapt. Overcome.

CYBERsmartsafe

secure

the use of a computer program to record every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential

information

Keylogging

CYBERsmartsafe

secure

Into the (Scan) Matrix!

Source: ZX Spectrum 128 Service Manual

CYBERsmartsafe

secure

Scan Matrix Sniffer

CYBERsmartsafe

secure

Scan Matrix -> Serial (+ Debugging)

CYBERsmartsafe

secure

Exfil (Wifi, Bluetooth)

CYBERsmartsafe

secure

Source Code!

github.com/CreateRemoteThread/starscream

CYBERsmartsafe

secure

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating

system via a vulnerable application

Command Injection

CYBERsmartsafe

secure

USB Hubs: Mouse (Compact)

CYBERsmartsafe

secure

USB Hubs: Mouse (Deluxe)

CYBERsmartsafe

secure

Extending the Attack

CYBERsmartsafe

secure

Modern Solutions for Modern Problems…

CYBERsmartsafe

secure

Abusing USB-C Power Delivery

CYBERsmartsafe

secure

USB Type-C

Power negotiation in USB-C is effectively optional.

CYBERsmartsafe

secure

USB Type-C

CYBERsmartsafe

secure

USB-C: What if…

+

CYBERsmartsafe

secure

USB-C: Prototype

CYBERsmartsafe

secure

USB-C: (but not game over)

CYBERsmartsafe

secure

Non-Traditional Exfil

CYBERsmartsafe

secure

Traditional Exfil

github.com/avast/retdec

CYBERsmartsafe

secure

Rethinking the Problem!

“Telstra Air”

CYBERsmartsafe

secure

Tools of the Trade (2018!)

CYBERsmartsafe

secure

Tools of the Trade (2019, Home Edition)

CYBERsmartsafe

secure

On Defensive Measures

Traditional controls are cat and mouse at best.

One bite-sized chunk at a time…

CYBERsmartsafe

secure

A Simple Start: SSL / User Behaviour



We

Beyond the C-I-A triad: Applying a privacy perspective to

traditional security controls

Nicole StephensenPrincipal Consultant at Ground Up Consulting

Beyond the CIA triad:

Applying a privacy perspective to traditional security controls

AISA ADELAIDE

7 June 2019

Nicole Stephensen

Once upon a time…

THEN

PRIVACY

LENS

Data vs. personal information

DATA

Information, especially facts or

numbers, collected to be examined and

considered and used to help decision-

making, or information in an electronic

form that can be stored and used by a

computer

PERSONAL INFORMATION

Information that identifies an

individual or could reasonably lead

to the identification of an individual

1. Collection limitation

Does your restaurant

need all of this PI

simply to reserve a

table?

2. Harms

Lost opportunity

Economic loss

Social detriment

Loss of liberty

Illegal

Collective

Unfair

Individual

3. Watch out for function creep

What it’s originally for… The expanded use…

Combining with other tech or data

sets

Apply a ‘privacy lens’ to reduce risk and

improve outcomes

PI

THANK

YOU!



We

Cyber metrics and selling the dream

Ben WatersCo-founder and COO at Cydarm Technologies

CYBERsmartsafe

secure

whoami

• Ben Waters, Co-founder & COO, Cydarm

• 8 years in cybersecurity

• Generalist – architecture, governance, risk, compliance,

security operations, awareness

• Problem solver

CYBERsmartsafe

secure

Why the talk

“Failure is instructive. The person who really thinks learns quite as much from his failures as from his successes.”

– John Dewey

CYBERsmartsafe

secure

Setting the scene

• Organisation with lower security maturity

• Hadn’t had security leadership in a long time

• Culturally – lots of freedom, aversion to authority

• High insider threat

CYBERsmartsafe

secure

Take 1

Approach:

• “What have we done before?”

• “What data can I get?”

CYBERsmartsafe

secure

End Result: Failure

Security platforms *generally* don’t produce useful data.

CYBERsmartsafe

secure

Security Controls don’t produce great data

Confusion Matrix

Positive Negative

True Attack Blocked Legitimate traffic/process

False Legitimate traffic/process Control Failure | Misses

CYBERsmartsafe

secure

Example

CYBERsmartsafe

secure

Findings

• Data quality is important

CYBERsmartsafe

secure

Findings

• Heterogeneous environments are hard

CYBERsmartsafe

secure

Lessons Learned

• Don’t put up metrics you can’t explain

• Accuracy and integrity of the data is really critical

• Get comfortable saying “I can’t measure that”

CYBERsmartsafe

secure

Take 2

Approach:

1. Figure out what we should measure;

2. Figure out if we could measure it.

CYBERsmartsafe

secure

Back to Basics – “Security Hygiene”

• Vulnerability management & Patching

• Configuration management

• Identity and access management

• Employee lifecycle

CYBERsmartsafe

secure

Vulnerability & Patching Metrics

• Vulnerability age

• Vulnerability age by severity

• Vulnerability age over time

CYBERsmartsafe

secure

Configuration Management Metrics

• Systems meeting a defined baseline

• No. Unauthorised software

CYBERsmartsafe

secure

Identity and Access Metrics

• No. users w/ local admin by department

• Accounts not logged in over x days

CYBERsmartsafe

secure

Employee lifecycle

• Awareness training as part of onboarding

• Awareness training delivered prior to travel

• Adherence to offboarding process

CYBERsmartsafe

secure

End Result

• Could only obtain data for ~60% of metrics

• Improved business & IT engagement and ownership of security

• Mandate to resolve control coverage issues

Key Takeaways

CYBERsmartsafe

secure

Metrics need to be actionable

Metrics you choose will probably have to reflect security maturity

• Decision Support

• Prioritisation

CYBERsmartsafe

secure

Measure inputs and outputs

Inputs

• You can control this

Outputs

• Have your inputs made a difference?

CYBERsmartsafe

secure

Example: Phishing Awareness Training

CYBERsmartsafe

secure

Understand the audience

CYBERsmartsafe

secure

Thanks!

Ben Waters

0416 199 402

[email protected]

@cydarmtech

mailto:[email protected]



We

Closing address

Damien ManuelBoard of Directors Chair at AISA

109

Our Structure• Not-for-profit Charity• 8 Branches in all major capital cities plus cloud branch

• Operated by branch executives (branch chair and branch deputy with a committee) - all volunteers (100+)

National Board of Directors - all volunteers• Damien Manuel (Chair) (VIC - elected)• Alex Woerndle (Deputy Chair) (VIC - appointed)• Helaine Leggatt (VIC - elected)• Mike Trovato (VIC) – elected)• Alex Hoffmann (SA - elected)• Tracey Edwards (VIC - elected)• Nicole Murdoch (QLD - appointed)• Stephen Knights (NSW - elected)• Joshua Craig (Secretary) (VIC)

Employees - paid staff• Megan Spielvogel – Marketing & Operations

Manager• Sandra Blair – Admin & Finance• Susanna Palermo – Event & Sponsorship Manager• Nick Moore – Digital Content & Communications

Producer

Our Members

Who are our members?

Membership trend – 2022 goal is 40,000 members

780

975

1630

1820

1991

2394

27602666

2869

3330

0

500

1000

1500

2000

2500

3000

3500

4000

4500

5000

2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019

Commercial In Confidence – Not for public distribution

The Ecosystem

Training Partners

Certification Partners

Education Partners

SponsorsKeystone Foundation Core

BranchesNT, QLD, NSW, VIC, ACT, TAS,

SA, WA + Cloud

EventsBranches (Content, Thought, Social)BrisSecPerthSA Security DayACT Security DayAustralian Cyber ConferenceAwards (logo defined)

MembershipFull Member - $77 + joining fee $22Associate Member Corporate Partnership Program (CPP)

Additional ItemsEABLocal partnershipsInternational partnershipsFortnightly eDMNews feed

TBC



We

Final remarks

Nathan MorelliAdelaide Branch Chair at AISA

adelaide half day security conference 2019 files/final... · web apis are a primary target for...

Documents