1
Drupalcon 2017
The Future of Internet Security
Keeping up with the ever-changing security threats to Drupal and the web
2
Who is this guy?
Chris Teitzel, Founder / CEO, Lockr
Cellar Door
@technerdteitzel
● 7 years 10 months in Drupal
● Omega, Encrypt, Key, File Encrypt, Field Encrypt...
3
The mysterious future
10
The mysterious present
11
Your entire life is connected...
As your digital footprint expands, so does the amount of personal data at risk
*I’m not inherently saying this is bad, but as developers we have a responsibility
Don’t be afraid, be proactive about security
12
Breaches are not going away
13
Data is the most valuable asset in the world
The ability to collect, analyze, forecast and act upon data will drive the next decade of global business growth
We need to look no further than the acquisition of The Weather Channel by IBM. The ability to feed detailed weather data into Watson multiplies the inherent value of the data.
Don’t be afraid, be proactive about security
14
https://www.economist.com/news/leaders/21721656-data-economy-demands-new-approach-antitrust-rules-worlds-most-valuable-resource
“Whether you are going for a run, watching TV or even just sitting in traffic, virtually every activity creates a digital trace… As devices from watches to cars connect to the internet, the volume (of data) is increasing: some estimate that a self-driving car will generate 100 gigabytes per second. Meanwhile, artificial-intelligence (AI) techniques such as machine learning extract more value from data. Algorithms can predict when a customer is ready to buy, a jet engine needs servicing or a person is at risk of a disease. Industrial giants such as GE and Siemens now sell themselves as data firms.”
15
Successful Companies Collect Data
● Whether or not you think the data is important at this time, data can have future value
● Use data to drive your decisions, back up your theories, and lead your company, product and team
PII isn’t just an acronym, it is someone’s life
16
IoT Turning into IoHT
● DDoS attack of orchestrated DVR and IoT devices took down Dyn
● Car computers programmed to stop and baby monitors being compromised are just the first wave
● Every connection to the web creates a new surface for attack and data loss
Thermostats will take over the world
17
Personal Data Everywhere
● Seemingly innocent data can be pieced into an identity
  ○ Quick survey
● Identity theft isn’t the only goal for a breach
  ○ Corporate espionage
  ○ Political gain
● Inform your users what you are collecting
  ○ It’s not just the right thing to do, it’s the law!
Social hacking is as profitable as credit card numbers
18
Regulations Increasing
● Poor security has become a “cost of business”
● Acronyms for every industry:
  ○ PCI
  ○ HIPAA, FERPA, FISMA in the U.S.
  ○ The GDPR in the EU (and U.K.)
GDPR covers more than you think
19
GDPR Leading the Way
● May 25, 2018: enforcement begins
● More than just a cookie warning
● Security by design
● Data portability and the right to be forgotten
● Protection of personal data
  ○ Anonymization
  ○ Pseudonymization
  ○ Encryption
● 4% of global revenue as a maximum fine
GDPR is the future of global data privacy
20
The two sides to Drupal
Drupal as a full-stack website
Drupal as a headless datasource
21
The two sides to Drupal
Drupal as a headless datasource
22
OWASP Top 10 2017 (not final)
● A1 - Injection
● A2 - Authentication and Session Management
● A3 - Cross-site Scripting
● A4 - Access Control
● A5 - Security Misconfiguration
● A6 - Sensitive Information Disclosure
● A7 - TBA (Insufficient Attack Protection?)
● A8 - Cross-site Request Forgery
● A9 - Using Components with Known Vulnerabilities
● A10 - TBA (Underprotected APIs?)
Top 10 things to take into account when building any site
23
Drupal as a Datasource
Drupal as part of the larger ecosystem
24
Drupal as a Datasource
● Arguably the best open-source CMS for complex data modeling and distribution
  ○ Entities in Drupal 7 led the way
  ○ API-first design of Drupal 8 continues to grow
  ○ Inclusion of Media in core
● Tailoring the “authoring experience” instead of the user experience
Drupal gives powerful tools for data modeling
25
An API-Driven World
● Payment Gateways
● Email Marketing
● SMTP Relays
● Authentication
● Shipping
● Cloud Providers
● Encryption APIs
Multiple entry points for attack
26
Recent Attack
“...we know that a threat actor used one of our AWS keys to gain access to our AWS platform via API from an intermediate host with another, smaller service provider in the US.”
Recent Secrets-Based Attacks
27
Security starts at the top
Grow a team mentality of security in an ever-changing online threat landscape
Build in security as a team practice
28
A little humor… a lot of truth
Security as an afterthought
29
Team Security Best Practices
● Don’t discount security concerns
● Always ask: What if this information gets out?
● Use tools and services to protect before an attack
  ○ Password vaults
  ○ WAF/CDN
● If an incident occurs:
  ○ Breathe - staying calm avoids poor decisions
  ○ Backup - you want to know why it occurred
  ○ Post-mortem - don’t blame, learn
Teams that secure together stay together
30
Drupal Modules for Security
● Encrypt (Real AES)
● Key
● Password Policy
● TFA (Two Factor Authentication)
Just a sampling - many, many more exist
31
Guardr - Secure Drupal Distribution
● Distribution with modules and settings
● Helps Drupal meet today’s enterprise and regulatory needs
● https://drupal.org/project/guardr
Guardr: a secure starting point to Drupal
32
The Price of DevOps
“If your website is worth more than $5… pay more than $5 for hosting it.”
Drew Gorton
33
Don’t Do Security Alone
● Open source does not make software less secure
  ○ Do update your software
● Focus on what you do best as a team/company and let the experts do their job
● Continually re-evaluate your data decisions
I get by with a little help from my friends
34
Security Doesn’t Kill the Fun
● The future of the web, and Drupal, is an exciting new frontier
● Use Drupal to create the next generation of IoT and connected devices
Create the future you want to live in
35
Drupalcon 2017
Thank You!
Slides will be up shortly