Post on 04-Jun-2020
TRANSCRIPT
Hacking Skills Not Required: Your Vendor Security Programs are not a Secret

Chris Berger, Global Head of Vendor Risk, Bloomberg
Michael Fowkes, VP, Engineering & Analytics, RiskRecon
sig.org/eval
ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements
In our New World, Data is the Silver Bullet
(…it might be the only bullet…)
Control your third party risk reality
SaaS growth vs on-premise
SaaS – 17.3% CAGR vs On-prem – 3.1% CAGR
27.8% of enterprise apps SaaS-based by 2018
5x
“10x increase in number of cloud based solutions by 2018” – IDC Chief Analyst (2015)
$216 Billion: Cloud market size by 2020
17.3% CAGR: Cloud market through 2020
When companies do things on the internet….
…they reveal a lot of stuff
Data Processing Company: What you can learn starting with just the company name
- No inside information
- No hacking
- JUST LOOKING
265 Web Servers
28 Hosting Providers
7 Hosting Countries
6 Email Providers
Software Patching
8% of Web Servers EOL
• IIS 4.0 – 1
• Netscape Enterprise 4.1 – 2
• IIS 6 – 13
• Apache 1.3 – 4
• NGINX 1.6 – 1
12% of App Servers EOL
• PHP 4.1 – 1
• PHP 5.2 – 2
• PHP 5.3 – 5
• Phusion Passenger 4.0 – 2
• Jetty 4.0 – 1
60% of CMS software EOL
• vBulletin 3.0 – 1
• WordPress 3.0 – 2
• WordPress 4.3 – 2
• Drupal 6.x – 2
Web Encryption
36% running SSLv2 or SSLv3
32% with invalid certificate subjects
12% with expired certificates
DNS Security
45% missing basic domain hijacking protection
11 different DNS hosting providers
Email Security
44% missing email encryption
6 email hosting providers
97% missing email domain authentication (SPF / DKIM)
Insurance Company: What you can learn starting with just the company name
- No inside information
- No hacking
- JUST LOOKING
347 Web Servers
42 Hosting Providers
18 Hosting Countries
33 Email Providers
Software Patching
12% of Web Servers EOL
• IIS 6.0 – 55
• NGINX 1.4 – 2
• NGINX 1.2 – 1
10% of App Servers EOL
• PHP 5.3 – 5
• PHP 5.4 – 1
• Phusion Passenger 4.0 – 2
9% of CMS software EOL
• Adobe GoLive – 1
• Drupal 6.22 – 1
• Drupal 7.3 – 1
Web Encryption
37% running SSLv2 or SSLv3
38% with invalid certificate subjects
7% with expired certificates
DNS Security
70% missing basic domain hijacking protection
90 different DNS hosting providers
Email Security
17% missing email encryption
33 email hosting providers
98% missing email domain authentication (SPF / DKIM)
Michael Fowkes, mike@riskrecon.net
Control your third party risk reality
Evaluation How-to:
Why? Your feedback drives SIG Event content. By signing and submitting your evaluation, you are automatically entered into a prize drawing.
How?
Option 1: App
1. Select Schedule
2. Select Schedule by Day
3. Select Day
4. Select Session
5. Scroll to Description
6. Click on the Evaluation link
Option 2: Browser
1. Go to www.sig.org/eval
2. Select Session (#28)
COMPLETE & SUBMIT EVAL
Tweet: #SIGfall16
Session #28
Hacking Skills Not Required: Your Vendor Security Programs are not a Secret
Speakers:
RiskRecon – Michael Fowkes – 801-558-6150 – mike@riskrecon.net
Bloomberg – Chris Berger – 631-374-1185 – CBerger17@Bloomberg.net
www.sig.org/eval
Download the App: bit.ly/SIGfall16