Secure from the Start : The changing landscape
DESCRIPTION
In the wake of the Heartbleed bug and a number of other high profile security related failures, we revisit the idea of making sure we're ahead of the game, secure from the start
TRANSCRIPT
Welcome
Secure from the Start The changing landscape
Kieran O'Shea
[email protected] • @kieranoshea • http://www.kieranoshea.com/
Overview
Motivations for this session
Analysis of recent high profile issues
Types of attack vectors
Mitigation; config, tools, plugins & more
Questions
Recent issues - Heartbleed
An OpenSSL exploit
Heartbeat reply leaks data in memory
Data acquired compromises security
Fallout
Recovery
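The bounds check the Heartbleed responder lacked, as an added example (not code from the talk or from OpenSSL): a parser for the heartbeat message layout of RFC 6520 that refuses any message whose declared payload length is not covered by the bytes actually received, so the echoed reply can only ever contain what the peer sent. Constant and function names are my own.

```python
# Added example (not from the talk): parse a TLS heartbeat message laid out as
# in RFC 6520 and refuse any whose declared payload length is not covered by
# the bytes actually received, the bounds check whose absence was Heartbleed.
import struct
from typing import Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3      # 1-byte type + 2-byte payload_length
MIN_PADDING = 16    # RFC 6520: at least 16 bytes of random padding


def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Return (type, payload); raise ValueError for a malformed message."""
    if len(record) < HEADER_LEN:
        raise ValueError("truncated heartbeat header")
    hb_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    # payload_length is chosen by the peer; it must fit inside what arrived.
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        raise ValueError("declared payload length exceeds received record")
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat type")
    return hb_type, record[HEADER_LEN:HEADER_LEN + payload_len]


def is_well_formed(record: bytes) -> bool:
    """Boolean wrapper around parse_heartbeat for quick validation."""
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False


def build_heartbeat(hb_type: int, payload: bytes) -> bytes:
    """Encode a message with zero padding (constructed; real padding is random)."""
    return struct.pack("!BH", hb_type, len(payload)) + payload + b"\x00" * MIN_PADDING


def heartbeat_response(request: bytes) -> bytes:
    """Echo only the bytes that were actually received, never anything beyond."""
    hb_type, payload = parse_heartbeat(request)
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)
```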
Recent issues - Ransomware
Essentially blackmail
Takes different forms
Difficult to recover from
Infection rates uncertain
Millions made by criminals
Recent issues – Back doors
Recent issues - Social Engineering
Should be considered a back door
Password resets
Security questions
"Single Sign On"
Recent issues - Obscurity
When is security no security at all?
When my hotel reservation is www.somehotel.com/reservation/12345
So the previous customer's must be... www.somehotel.com/reservation/12344
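The design fix for the reservation-number problem above, as an added example (not from the talk): references are drawn from the OS random generator so that one reference says nothing about its neighbours, and every lookup checks who is asking, so the reference's unguessability is a bonus rather than the only control. The store, the customer names and the room numbers are constructed for the example.

```python
# Added example (not from the talk): unguessable reservation references plus an
# ownership check on every lookup, instead of sequential numbers kept "secret".
import secrets
from typing import Dict, Optional, Tuple


class ReservationStore:
    def __init__(self) -> None:
        self._by_ref: Dict[str, Tuple[str, dict]] = {}  # ref -> (owner, details)

    def create(self, owner: str, details: dict) -> str:
        # 128 random bits from the OS CSPRNG: no ordering between references.
        ref = secrets.token_urlsafe(16)
        self._by_ref[ref] = (owner, details)
        return ref

    def lookup(self, ref: str, requester: str) -> Optional[dict]:
        # Authorisation is the real control. An unknown reference and another
        # customer's reference give the same answer, so a requester cannot even
        # confirm that a reference exists.
        entry = self._by_ref.get(ref)
        if entry is None or entry[0] != requester:
            return None
        return entry[1]


def demo() -> bool:
    """Constructed check: two customers cannot read each other's bookings."""
    store = ReservationStore()
    a = store.create("alice", {"room": 101})
    b = store.create("bob", {"room": 102})
    return (
        a != b
        and store.lookup(a, "alice") == {"room": 101}
        and store.lookup(b, "alice") is None
        and store.lookup("12344", "alice") is None
    )
```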
Attack Vectors - Passwords
Exploitation of simple passwords
Re-use of stolen credentials
Brute force
Is this your password?
Attack Vectors - Social Engineering
Probably our weakest link
Guessable info overrides passwords
Privileged users exploited
Attack Vectors - External Applications
Shared use servers amplify risk
Exploiting the file system
Taking advantage of firewall rules
Piggy backing off API connectivity
Attack Vectors - Rogue Code
Does your theme footer look like this?
When hackers get control
When hackers really get control
Mitigation - Passwords
Secure passwords, auto generated
Avoid re-use between systems
Employ secure password storage
Complex & differing passwords made easier
A variety of services exist, paid & free
Single, secure, master password
Mitigation - Two Factor Authentication
Something you have, something you know
A variety of implementations:
  Finger prints
  Smart cards
  Text messages
  Paper based grids
Good degree of separation required
Extend to multi-factor authentication
Mitigation - One Time Passwords
Reduces consequences of interception
Remote verification of token
Also provides two factor authentication
Support for independent infrastructure
Mitigation - SSL
Protects data in transit
Consider what constitutes "sensitive"
Key & signed certificate
Available for free
Beware revocation costs
Enhance security with forward secrecy
Remember client security too
VPN
S/MIME
Don't settle for plain text
Mitigation - External Applications
Minimise server sharing, VPS preferable
If sharing, protect users from users
Don't chmod 777
Sand box your code, e.g. suPHP
Keep an eye on key file changes
Consider onward security of allowed IPs
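What "keep an eye on key file changes" amounts to, as an added example (not from the talk or from any plugin): a SHA-256 baseline of a web root and a comparison that reports files added, removed or altered since, run here against a constructed theme directory where the footer is tampered with, a file is dropped in and another is deleted. Paths, file contents and function names are constructed for the example.

```python
# Added example (not from the talk): baseline a web root with SHA-256 and report
# anything added, removed or altered since, the check a file monitor automates.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def snapshot(root: str) -> Dict[str, str]:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    base = Path(root)
    return {
        str(p.relative_to(base)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(base.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path that differs between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a theme, then tamper with it and diff."""
    with tempfile.TemporaryDirectory() as root:
        theme = Path(root, "wp-content", "themes", "mytheme")
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        (theme / "style.css").write_text("/* Theme: mytheme */\n")
        (theme / "readme.txt").write_text("original theme\n")
        baseline = snapshot(root)

        # Simulated tampering: edited footer, an unexpected new file, a deletion.
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n<!-- edited -->\n")
        (theme / "cache.php").write_text("<?php /* constructed unexpected file */ ?>\n")
        (theme / "readme.txt").unlink()
        return diff_snapshots(baseline, snapshot(root))
```

Storing the baseline on a different host, or at least outside the web root, keeps it out of reach of whatever process altered the files.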
Mitigation - Plugins
Two factor authentication (OTP): "YubiKey Plugin" (Henrik Schack)
Modifications to files: "WordPress File Monitor Plus" (Scott Cariss)
Login attempts: "Limit Login Attempts" (Johan Eenfeldt)
Action logging: "Audit Trail" (John Godley)
More involved auditing: "The Auditor" (interconnect/it)
Mitigation – Configuration
Lock down powerful interfaces
Work with minimum usable privileges
Reduce brute force with fail2ban
Block access at an IP level
Maintain access by using a VPN

# Define specific rules for the blog admin panel
<Directory /home/kieran/public_html/wp-admin>
    Order Deny,Allow
    Deny from all
    Allow from 95.172.226.96/27
</Directory>
Mitigation – Social engineering
Don't populate "password hints"
Don't use real "secret questions"
Become aware of back doors
Know the warning signs
Power of notifications
Avoid single points of failure
Multiple backups, multiple services
At least one backup offline
Questions?
Kieran O'Shea • [email protected] @kieranoshea • http://www.kieranoshea.com/
Remember, WordCamp tweets archived here: https://wcuk.kieranoshea.com/tweets/