4.
“And I’ve got the scars to prove it.”
Bob Wall
@bithead_bob | BobWall23 | /in/bobwall23
Former Chief Architect at Oracle; current CTO at IronCore Labs
Four degrees, crypto nerd, music junkie
7. @ironcorelabs
Exploitability of Vulnerabilities
Source: National Vulnerability Database and IronCore Labs
Share of high severity vulnerabilities that were low complexity, by year (chart data):
2010: 60%
2011: 66%
2012: 70%
2013: 68%
2014: 71%
2015: 75%
75% of high severity vulnerabilities were low complexity (easy to exploit) in 2015, up 25% from 2010 levels.
Conclusion: Applications are getting worse at basic security measures.
11.
Privacy Is Dead (but hooray convenience!)
Your smartphone can know everything about you. Under the control of a hacker, it can relay your conversations, your location, your communications and much more, which is why mobile malware is such a scary up and coming threat.
Smartphones:
1.4 billion sold in 2015 (up 10%)
430 million new malware in 2015 (up 36%)
5.2 million lost or stolen in the U.S. in 2014 (up 15% total, but thefts down 32%)
Sources: Consumer Reports, IDC and Symantec Internet Security Threat Report
12.
86% of web applications tested had serious issues with authentication, access control, and confidentiality. Increased from 72% in 2014.
Source: HPE 2016 Cyber Risk Report
15.
News Coverage of Breaches
According to Google Trends
[Trend line, 2010 through 2015]
Source: Google Trends
16.
News Coverage of Breaches
According to Google Trends
[Same trend line, 2010 through 2015, annotated with: Playstation Breach, Home Depot Hack, Ashley Madison Hack, Zappos Hack, Target Hack, Evernote Hack]
Source: Google Trends
18.
47 States with Breach Disclosure Laws, plus HIPAA
Breach disclosure only required when unencrypted PII* data is accessed.
*PII = Personally Identifiable Information
23.
Web App Vulnerability Likelihood
Source: Whitehat Security Stats Report 2015
Likelihood by vulnerability class (chart data):
Insufficient Transport Layer: 70%
Information Leakage: 56%
Cross Site Scripting: 47%
Brute Force: 29%
Content Spoofing: 26%
Cross Site Request Forgery: 24%
URL Redirector Abuse: 16%
Predictable Resource Location: 15%
Session Fixation: 11%
Insufficient Authorization: 11%
Directory Indexing: 8%
Abuse of Functionality: 6%
SQL Injection: 6%
Insufficient Password Recovery: 6%
Fingerprinting: 5%
#1. Insufficient Transport = Poor SSL
#2. Info Leak = Dev Errors to User
#3. XSS = Poor Input Sanitization
#4. Brute Force = No rate limiting
#5. Content Spoofing = Poor Input Sanitization
24.
66% of the web uses OpenSSL (does not include IMAP and the many other apps that use OpenSSL).
OpenSSL Vulnerabilities
[Bar chart of vulnerabilities per year, 2006 through March 2016, counted by severity (Low / Moderate / High), 0 to 40 per year. Annotated: FREAK, Logjam; Heartbleed, POODLE, goto fail; DROWN; OCSP Stapling; ASN1 Bio; Plaintext Recovery.]
** Through March 2016
25.
OpenSSL Unit Test Coverage
Covered: 48%
Not Covered: 52%
Code is poorly tested. Code is old, crusty, riddled with goto statements.
#1 crypto library ➫ #1 app problem ➫ Coincidence?
26.
Encryption Pitfalls
Single Key
One key is shared between all apps and users. Anyone who gains access to the system can access all of the data in the system unchecked by encryption.
Unlocked in Memory
In typical transparent disk and database systems, as long as the system is running, the data is not encrypted. These systems protect against stolen hard drives, but not hackers in the system.
Key on Server
If you lock a desk drawer and put the key on top of the desk or in the unlocked drawer beside it, your physical security would be as bad as most electronic security.
Reliance on HTTPS
A surprising number of apps and infrastructures think they are encrypted and secure because they use https. https by itself does almost nothing to secure a system and can even be actively negative.
Typical implementations suffer these issues.
“PLENTY OF COMPANIES brag that their communications app is encrypted. But that marketing claim demands a followup question: Who has the key?”
28.
% of Organizations with Serious Vulnerabilities
Source: Whitehat Security Stats Report 2015
[Bar chart, 0% to 100%, by industry: Finance/Insurance, Healthcare, Info Tech, Retail, Public Admin. Series: Every Day, More Than 271 Days, More Than 151 Days, out of the 2015 calendar year.]
29.
Average Days To Fix by Industry
Source: Whitehat Security Stats Report 2015
Average days to fix (chart data):
Transportation: 227
Arts & Entertainment: 192
Accommodation: 191
Professional & Scientific: 160
Public Admin: 158
Other Services: 136
Information: 132
Education: 130
Healthcare: 111
Finance/Insurance: 108
Manufacturing: 99
Utilities: 97
Retail: 73
30.
Hard Breach Costs
$400b: Lloyd’s of London estimate of the cost to the global economy
9%: 2014 increase in per-record cost
$201 per breached record: average cost per record (US)
$3.8m per breach: average cost of a breach including notifications, investigations, legal issues and credit monitoring
Source: Ponemon Institute
31.
Cyber-Insurance
Premiums up 32% in first half of 2015
83% of claims paid out
Payout breakdown: 78% Crisis Services, 8% Legal Defense, 9% Legal Settlements, 5% Regulatory
$15m biggest payout; $674k average payout; $77k median payout
32% of claims due to third party breaches
99% of exposed records due to hackers and malware
Source: Netdiligence 2015 Cyber Claims Study
32.
General stats aren’t known, but smaller companies get badly hurt
CASE STUDY (2013)
Database hacked (SQL injection?)
50 million customers affected
15-20% revenue drop in subsequent months
-82% employee reduction now vs. pre-breach
Sources: All Things D and NYTimes
35.
Top Threats By Industry
Source: Verizon 2015 Data Breach Report
Accommodation: Point of Sale 91%
Education: Crimeware 32%
Entertainment: Point of Sale 73%
Financial Services: Crimeware 36%, Web App Attack 31%
Healthcare: Misc. Errors 32%, Insider Misuse 26%
Information / Tech: Cyber-Espionage 36%, Web App Attack 35%
Manufacturing: Cyber-Espionage 60%
Public: Crimeware 51%
Retail: Point of Sale 70%
36.
Cyber-Espionage: Spy vs. Computer
Source: Verizon 2015 Data Breach Report
66%: Two-thirds of cyber-espionage attacks relied on targeted phishing emails with malicious links or attachments.
27%: 27% of victims were manufacturing corporations. Public sector targets accounted for 20%.
0.8%: Of all breaches resulting in data loss, only 0.8% were due to cyber-espionage.
39.
Internet of Crap
20% of cars networked by 2020.3
2008: more connected devices than people globally.2
50b connected devices by 2020.2
70% vulnerable to attack.1
90% collect personal information.1
25 average vulnerabilities found per device.1
SOURCES:
1. HP Internet of things research study 2015
2. Cisco
3. Gartner
40. Wall of Shame Highlights
277 healthcare breaches in 2015
112,832,082 records stolen
67% of stolen records across industries
$10 / record on the black market
Source: Identity Theft Research Center
• Aetna
• Alliance Health
• Anthem
• Blue Cross
• Cigna
• CVS
• Harvard Pilgrim
• Humana
• Johns Hopkins
• Kaiser
• Mayo Clinic
• Rite Aid
• University of Colorado Health
• Walgreens
41.
Breach Detection
Source: Mandiant M-Trends 2015
229 days before detection (median)
32 days to respond to breach (average)
67% learned of their breach from an external entity (33% found it themselves)
42.
Summing Up So Far
Breaches: Through the roof.
Firewalls: Insufficient to secure data.
Apps: Are the problem.
Trivial: Most vulnerabilities are easy to exploit.
IOT: More insecure devices every day.
Bad Security: Very costly and kills companies.
43.
Summing Up So Far
Software Devs Need to Step Up
46.
University Shame List
0% of the top 20 comp. sci. undergrad programs require secure coding (56,130 bachelors)
Source: IronCore Labs using US News Rankings
1. Carnegie Mellon
1. MIT
1. Stanford
1. UC Berkeley
5. University of Illinois, Urbana-Champaign
6. Cornell
6. University of Washington
8. Princeton
9. Georgia Institute of Technology
9. University of Texas, Austin
11. California Institute of Technology
11. University of Wisconsin, Madison
13. UCLA
13. University of Michigan, Ann Arbor
15. Columbia
15. UC San Diego
15. University of Maryland, College Park
18. Harvard University
19. University of Pennsylvania
20. Brown University
20. Purdue University, West Lafayette
20. Rice University
20. University of Southern California
20. Yale University
20. Duke University
48.
PHASE ONE: TRAINING
Look at Coursera, SANS, ISC, CERT, securecoding.org, secureset.com and others for help.
49.
PHASE TWO-A: REQUIREMENTS
Internet Security First Aid
✓ Product Managers should include malicious users in their personas list.
✓ Require security features up front. Ex:
• Account lockouts
• Form submission rate limits
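As an added example of the two requirements named above (account lockouts and form submission rate limits), and not code from the talk or from IronCore Labs, here is a small Python login guard; the `LoginGuard` name and the threshold values are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed policy values (assumptions for this example, not figures from the talk):
# lock an account after 5 consecutive failures for 15 minutes, and accept at most
# 20 login submissions from one source address in any 60-second window.
LOCKOUT_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
RATE_LIMIT = 20
RATE_WINDOW = 60


class LoginGuard:
    """Per-account lockout plus a per-source sliding-window rate limit."""

    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable for testing
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.locked_until = {}                  # account -> unix time the lock expires
        self.submissions = defaultdict(deque)   # source -> timestamps in the window

    def _rate_limited(self, source, now):
        window = self.submissions[source]
        while window and now - window[0] >= RATE_WINDOW:
            window.popleft()                    # forget submissions outside the window
        if len(window) >= RATE_LIMIT:
            return True
        window.append(now)
        return False

    def attempt(self, account, source, check):
        """Return 'ok', 'denied', 'locked' or 'rate_limited'.

        `check` is a zero-argument callable that runs the real credential
        verification; it is only invoked when neither limit applies, so a
        locked account or a throttled source costs no password hashing."""
        now = self.clock()
        if self._rate_limited(source, now):
            return "rate_limited"
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if check():
            self.failures[account] = 0          # success resets the failure counter
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= LOCKOUT_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
            return "locked"
        return "denied"
```

A correct password submitted while the account is locked or the source is throttled is still refused, which is the point of the control.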
50.
Did you know?
25: number of accounts for the average web user.
6.5: number of passwords for the average web user.
8.2b: number of password guesses per second for a single desktop computer.*
Source: Microsoft Research, Ars Technica
* Stat from 2012. Actual speed depends on hardware and hashing algorithm used.
62.
Checklist: Respond, Harden, Scan / audit, Encrypt, Update libs, Update servers, Threat intelligence, Monitor
Harden
Least permissions, separation of concerns... segmentation, uninstall anything you don’t need, …
63.
Encrypt
Encrypt all the things. Use HTTPS, DB encryption, disk encryption, and add extra crypto to your most sensitive data.
Use password-less SSH (key-based identity) and two-factor authentication everywhere.
64.
Update libs
Watch 3rd party libraries and APIs closely for security updates (and deprecations) and adopt those immediately.
This is going to require some good regression test suites to maintain confidence in system functionality after library upgrades.
65.
Update servers
Religiously update operating systems, server software (Apache/whatever), etc. across all systems.
And automate your update process! Make sure all your systems are running the same software, and that they can be kept that way with minimal effort.
66.
Monitor
Log everything, have intrusion detection systems, monitor logs and alerts and act on them.
Again, you are going to need some automation. Relying on humans to monitor logs and notice problems is a recipe for failure.
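As an added example of the automated log monitoring this slide asks for, and not code from the talk or from IronCore Labs, the Python below runs a password-spraying check over constructed login log lines: one source fails once against many different accounts, which a per-account lockout never notices but a per-source aggregation does. The log format, field names and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login log lines in an assumed key=value format (not any product's real format).
# One source touches five different accounts with one failure each: never enough to
# trip a per-account lockout, but a clear spray when aggregated by source.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z login result=fail user=alice src=203.0.113.7
2016-03-01T10:00:09Z login result=fail user=bob src=203.0.113.7
2016-03-01T10:00:17Z login result=fail user=carol src=203.0.113.7
2016-03-01T10:00:25Z login result=fail user=dave src=203.0.113.7
2016-03-01T10:00:33Z login result=ok user=erin src=203.0.113.7
2016-03-01T10:00:41Z login result=fail user=frank src=203.0.113.7
2016-03-01T10:00:50Z login result=fail user=alice src=198.51.100.4
2016-03-01T10:01:02Z login result=ok user=alice src=198.51.100.4
"""

LINE = re.compile(r"^(\S+) login result=(ok|fail) user=(\S+) src=(\S+)$")


def parse(log):
    """Yield (timestamp, failed, user, source) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue        # unparseable line; a real pipeline should count these too
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2) == "fail", m.group(3), m.group(4)


def spray_alerts(log, window=timedelta(minutes=10), min_accounts=5):
    """Return (source, distinct_accounts, window_start) for every source whose
    failed logins hit at least min_accounts distinct accounts within window."""
    failures = defaultdict(list)                # source -> [(ts, user)]
    for ts, failed, user, src in parse(log):
        if failed:
            failures[src].append((ts, user))
    alerts = []
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts.append((src, len(users), start))
                break                           # one alert per source is enough
    return alerts
```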
67.
Threat intelligence
Keep up on current threats, major vulnerabilities, hacking techniques, worms, etc. in order to better counter them.
68.
Scan / audit
Audit the production environment in addition to the app; use port scanners to find out what’s running that you didn’t know about.
69.
Respond
A process for managing, escalating, and responding to events is critical. Agree on risk thresholds for emergency releases, update software, don’t lose track of work items.
71.
Lifecycle stages (ring diagram): Employee Education, Requirements, Design, Develop, Verify, Release, Monitor, Respond
Training
All developers must be trained in the writing of secure code. All QA must be trained in basic security testing and fuzzing.
Architecture
Use secure coding checklists, verify the security of 3rd party libraries, model threats and design with adversaries and best practices in mind.
Implementation
Develop and test, adding QA fuzzing and security checks, automated static code analysis, and before release, an audit or pen-test (even automated).
Production and Maintenance
Release is not the end. Software inevitably has bugs and security issues. Ongoing security testing, monitoring of logs, and most importantly, responding to any issues and pushing back to development.
Summary