The Internet is a
dog-eat-dog
world, and your
app is clad in Milk
Bone underwear.
-Bob Wall
@ironcorelabs
‘Cause hackers aren’t going to rush your foxhole. They’re going to sneak in under cover of night.
“And I’ve got the scars to prove it.”
Bob Wall
@bithead_bob, BobWall23, /in/bobwall23
Former Chief Architect at Oracle. Current CTO at IronCore Labs.
Four degrees. Crypto nerd. Music junkie.
47% of U.S. adults hacked in one year (May 2014).
43% of U.S. corporations hacked in one year (Sep 2014).
Sources: CNN and USA Today
1,023,108,267 records stolen in 2014. A billion!!
Source: Breach Level Index Annual Report 2014
Exploitability of Vulnerabilities
Source: National Vulnerability Database and IronCore Labs
Chart: share of high severity vulnerabilities that were low complexity, by year, 2010 through 2015: 60%, 66%, 70%, 68%, 71%, 75%.
75% of high severity vulnerabilities were low complexity (easy to exploit) in 2015, up 25% from 2010 levels.
Conclusion: Applications are getting worse at basic security measures.
Malware in 2015
Source: Symantec Internet Security Threat Report 2016
Chart: more ransomware in 2015, more bots in China, more spear phishing in 2015, more identities stolen; the four percentages shown are 35%, 84%, 35% and 23%.
Global Malware Infection Rates
32% desktop/laptop; 0.03% mobile.
Sources: Verizon 2015 Data Breach Report and Panda Labs
2015 Malware Breakdown
Breakdown of malware samples discovered in 2015 (excludes annoyance-ware).
Source: HPE 2016 Cyber Risk Report
Windows 95%; Android, Documents and MSIL account for the remaining 3%, 1% and 1% (chart order); PHP, MacOS, Linux, Perl, UNIX, iOS and FreeBSD each round to 0.
Privacy Is Dead (but hooray convenience!)
Your smartphone can know everything about you. Under the control of a hacker, it can relay your conversations, your location, your communications and much more, which is why mobile malware is such a scary up-and-coming threat.
Smartphones: 1.4 billion sold in 2015 (up 10%); 430 million new malware in 2015 (up 36%); 5.2 million lost or stolen in the U.S. in 2014 (up 15% total, but thefts down 32%).
Sources: Consumer Reports, IDC and Symantec Internet Security Threat Report
86% of web applications tested had serious issues with authentication, access control, and confidentiality. Increased from 72% in 2014.
Source: HPE 2016 Cyber Risk Report
Chart: breached companies whose data was not encrypted.
News Coverage of Breaches
According to Google Trends, 2010 through 2015. Breaches annotated on the chart: Playstation Breach, Home Depot Hack, Ashley Madison Hack, Zappos Hack, Target Hack, Evernote Hack.
Source: Google Trends
47 States with Breach Disclosure Laws + HIPAA
Breach disclosure only required when unencrypted PII* data is accessed.
*PII = Personally Identifiable Information
Data is Distributed
Cloud Services, Mobile Devices, Internet of Things, Partners, Employee Laptops: uncontrolled and with minimal security.

Perimeter Security Pierced
(Diagram: the app behind a pierced perimeter.)
Security Incidents
Network-layer vs. app-layer: 90% due to defects at the application layer. -DHS
Source: Department of Homeland Security
Web App Vulnerability Likelihood
Source: Whitehat Security Stats Report 2015
Likelihood by vulnerability class:
Insufficient Transport Layer 70%
Information Leakage 56%
Cross-Site Scripting 47%
Brute Force 29%
Content Spoofing 26%
Cross-Site Request Forgery 24%
URL Redirector Abuse 16%
Predictable Resource Location 15%
Session Fixation 11%
Insufficient Authorization 11%
Directory Indexing 8%
Abuse of Functionality 6%
SQL Injection 6%
Insufficient Password Recovery 6%
Fingerprinting 5%

#1. Insufficient Transport = Poor SSL
#2. Info Leak = Dev Errors to User
#3. XSS = Poor Input Sanitization
#4. Brute Force = No rate limiting
#5. Content Spoofing = Poor Input Sanitization
% of Web Using OpenSSL: 66%
Does not include IMAP and the many other apps that use OpenSSL.

OpenSSL Vulnerabilities
Chart: vulnerabilities per year, 2006 through March 2016, rated Low / Moderate / High (axis 0 to 40). Annotated: FREAK, Logjam, HeartBleed, Poodle, Goto Fail, DROWN, OCSP Stapling, ASN1 Bio, Plaintext Recovery.
** Through March 2016
OpenSSL Unit Test Coverage
Covered 48%; not covered 52%.
Code is poorly tested. Code is old, crusty, riddled with goto statements.
#1 crypto library ➫ #1 app problem ➫ Coincidence?
Encryption Pitfalls
Typical implementations suffer these issues:

Single Key
One key is shared between all apps and users. Anyone who gains access to the system can access all of the data in the system unchecked by encryption.

Unlocked in Memory
In typical transparent disk and database systems, as long as the system is running, the data is not encrypted. These systems protect against stolen hard drives, but not hackers in the system.

Key on Server
If you lock a desk drawer and put the key on top of the desk or in the unlocked drawer beside it, your physical security would be as bad as most electronic security.

Reliance on HTTPS
A surprising number of apps and infrastructures think they are encrypted and secure because they use https. https by itself does almost nothing to secure a system and can even be actively negative.

“PLENTY OF COMPANIES brag that their communications app is encrypted. But that marketing claim demands a followup question: Who has the key?”

A locked drawer is useless when the key is RIGHT THERE.
% of Organizations with Serious Vulnerabilities
Source: Whitehat Security Stats Report 2015
Industries: Finance/Insurance, Healthcare, Info Tech, Retail, Public Admin. Series: Every Day, More Than 271 Days, More Than 151 Days (out of the 2015 calendar year).
Chart values, in extraction order: 21%, 10%, 14%, 12%, 11%, 9%, 11%, 11%, 14%, 64%, 60%, 38%, 52%, 39%; 64%, 75%, 63%, 79%, 85%.
Average Days To Fix by Industry
Source: Whitehat Security Stats Report 2015
Industries (chart order): Transportation, Arts & Entertainment, Accommodation, Professional & Scientific, Public Admin, Other Services, Information, Education, Healthcare, Finance/Insurance, Manufacturing, Utilities, Retail.
Days to fix (chart order): 227, 192, 191, 160, 158, 136, 132, 130, 111, 108, 99, 97, 73.
Hard Breach Costs
Source: Ponemon Institute
9%: 2014 increase in per-record cost.
$201 per breached record: average cost per record (US).
$3.8m per breach: average cost of a breach including notifications, investigations, legal issues and credit monitoring.
$400b: Lloyd’s of London estimate of the cost to the global economy.
Cyber-Insurance
Source: Netdiligence 2015 Cyber Claims Study
Premiums up 32% in first half of 2015.
83% of claims paid out.
Payout breakdown: 78% Crisis Services, 8% Legal Defense, 9% Legal Settlements, 5% Regulatory.
Biggest payout $15m; average payout $674k; median payout $77k.
32% of claims due to third party breaches.
99% of exposed records due to hackers and malware.
CASE STUDY (2013)
General stats aren’t known, but smaller companies get badly hurt.
Sources: All Things D and NYTimes
Database hacked (SQL injection?). 50 million customers affected. 15-20% revenue drop in subsequent months. -82% employee reduction now vs. pre-breach.
Security Spending
Source: Lumension 2015 State of the Endpoint
Network security vs. app security: almost triple the spending goes to network security.

31% of all security breaches at banks in 2015 involved web app attacks.
Source: Verizon 2015 Data Breach Report
Top Threats By Industry
Source: Verizon 2015 Data Breach Report
Accommodation: Point of Sale 91%
Education: Crimeware 32%
Entertainment: Point of Sale 73%
Financial Services: Crimeware 36%, Web App Attack 31%
Healthcare: Misc. Errors 32%, Insider Misuse 26%
Information / Tech: Cyber-Espionage 36%, Web App Attack 35%
Manufacturing: Cyber-Espionage 60%
Public: Crimeware 51%
Retail: Point of Sale 70%
Cyber-Espionage: Spy vs. Computer
Source: Verizon 2015 Data Breach Report
66%: Two-thirds of cyber-espionage attacks relied on targeted phishing emails with malicious links or attachments.
27%: 27% of victims were Manufacturing corporations. Public sector targets accounted for 20%.
0.8%: Of all breaches resulting in data loss, only 0.8% were due to cyber-espionage.
Phishing
Source: Verizon 2015 Data Breach Report
23% of recipients open phishing emails; 11% open the attachments.
It Gets Worse
Scarier than a Presidential Election?
Internet of Crap
20% of cars networked by 2020.[3]
2008: more connected devices than people globally.[2]
50b connected devices by 2020.[2]
70% vulnerable to attack.[1] 90% collect personal information.[1] 25 average vulnerabilities found per device.[1]
SOURCES:
1. HP Internet of Things research study 2015
2. Cisco
3. Gartner
Wall of Shame Highlights: 2015 Healthcare Breaches
Source: Identity Theft Research Center
277 healthcare breaches in 2015. 112,832,082 records stolen, 67% of stolen records across industries. $10 / record on the black market.
• Aetna
• Alliance Health
• Anthem
• Blue Cross
• Cigna
• CVS
• Harvard Pilgrim
• Humana
• Johns Hopkins
• Kaiser
• Mayo Clinic
• Rite Aid
• University of Colorado Health
• Walgreens
Breach Detection
Source: Mandiant M-Trends 2015
229 days before detection (median). 32 days to respond to breach (average). 67% learned of their breach from an external entity.
Summing Up So Far: Software Devs Need to Step Up
Breaches: Through the roof.
Firewalls: Insufficient to secure data.
Apps: Are the problem.
Trivial: Most vulnerabilities are easy to exploit.
IOT: More insecure devices every day.
Bad Security: Very costly and kills companies.
We can fix this
Source: National Science Foundation WebCASPAR Database
Chart: degrees awarded per year, 1966 through 2014 (associate’s, bachelor’s and advanced degrees; the years 1986 and 2004 are marked). In 2014: 56,130 bachelor’s, 37,643 associate’s, 26,618 advanced; 120,391 grads total.
University Shame List
Source: IronCore Labs using US News Rankings
0% of the top 20 Comp. Sci. undergrad programs require secure coding.
1. Carnegie Mellon
1. MIT
1. Stanford
1. UC Berkeley
5. University of Illinois, Urbana-Champaign
6. Cornell
6. University of Washington
8. Princeton
9. Georgia Institute of Technology
9. University of Texas, Austin
11. California Institute of Technology
11. University of Wisconsin, Madison
13. UCLA
13. University of Michigan, Ann Arbor
15. Columbia
15. UC San Diego
15. University of Maryland, College Park
18. Harvard University
19. University of Pennsylvania
20. Brown University
20. Purdue University, West Lafayette
20. Rice University
20. University of Southern California
20. Yale University
20. Duke University
Software Development Phases
Employee Education, Requirements, Design, Develop, Verify, Release, Monitor/Respond.

PHASE ONE: TRAINING
Look at Coursera, SANS, ISC, CERT, securecoding.org, secureset.com and others for help.
PHASE TWO-A: REQUIREMENTS
Internet Security First Aid
✓ Product Managers should include malicious users in their personas list.
✓ Require security features up front. Ex:
• Account lockouts
• Form submission rate limits
PHASE TWO-B: DESIGN
Did you know?
25: Number of accounts for average web user.
6.5: Number of passwords for average web user.
8.2b: Number of password guesses per second for a single desktop computer.*
Source: Microsoft Research, Ars Technica
* Stat from 2012. Actual speed depends on hardware and hashing algorithm used.
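The two requirements called out under Phase Two-A (account lockouts and form submission rate limits), worked into code against the guessing rate quoted above. This is an added example, not code from the presentation or from IronCore Labs; the LoginGuard class, attempt_login(), the constructed user store and every threshold are this example's own assumptions.

```python
"""Account lockout plus form submission rate limiting for a login endpoint.

Added example, not code from the presentation or from IronCore Labs. The
LoginGuard class, attempt_login(), the constructed user store and every
threshold below are this example's own assumptions.
"""
import hashlib
import hmac
import os
import time
from collections import deque


class LoginGuard:
    """Per-source sliding-window rate limit plus per-account lockout."""

    def __init__(self, max_attempts=10, window_seconds=60.0,
                 lock_after=5, lock_seconds=300.0, max_lock_seconds=3600.0):
        self.max_attempts = max_attempts      # submissions per source per window
        self.window_seconds = window_seconds
        self.lock_after = lock_after          # consecutive failures before lockout
        self.lock_seconds = lock_seconds      # first lockout; doubles each time
        self.max_lock_seconds = max_lock_seconds
        self._hits = {}      # source -> deque of submission timestamps
        self._failures = {}  # account -> consecutive failed attempts
        self._locks = {}     # account -> (unlock_at, lockouts so far)

    def check(self, source, account, now):
        """Return None if the attempt may be processed, else a reason string."""
        q = self._hits.setdefault(source, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()                       # drop submissions outside the window
        if len(q) >= self.max_attempts:
            return "rate_limited"             # refuse before touching the password
        q.append(now)                         # every submission counts, pass or fail
        unlock_at, _ = self._locks.get(account, (0.0, 0))
        if now < unlock_at:
            return "locked"
        return None

    def record(self, account, success, now):
        """Update lockout state after the password check."""
        if success:
            self._failures.pop(account, None)
            return
        n = self._failures.get(account, 0) + 1
        if n < self.lock_after:
            self._failures[account] = n
            return
        # Lock the account. Each further lockout doubles the duration (capped),
        # so a low-and-slow guesser does not get unlimited retries.
        _, lockouts = self._locks.get(account, (0.0, 0))
        duration = min(self.lock_seconds * 2 ** lockouts, self.max_lock_seconds)
        self._locks[account] = (now + duration, lockouts + 1)
        self._failures[account] = 0


def _hash(password, salt, rounds=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


# Constructed user store: salted PBKDF2 hashes, never plaintext passwords.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash("placeholder", _DUMMY_SALT))


def attempt_login(guard, source, account, password, now=None):
    """Return 'ok', 'bad_credentials', 'rate_limited' or 'locked'.

    A real endpoint would show one generic message for the last three; the
    distinct values are kept here so the policy is testable.
    """
    now = time.monotonic() if now is None else now
    reason = guard.check(source, account, now)
    if reason:
        return reason
    # Hash even for unknown accounts so response time does not reveal which
    # usernames exist.
    salt, expected = USERS.get(account, _DUMMY)
    digest = _hash(password, salt)
    ok = account in USERS and hmac.compare_digest(digest, expected)
    guard.record(account, ok, now)
    return "ok" if ok else "bad_credentials"
```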
PHASE THREE: IMPLEMENTATION
Internet Security First Aid
Pipeline: Work Item (Feature/Defect) → CODE → UNIT TESTS → CI → MANUAL QA → 3RD PARTY AUDIT → Release (Deliver to Ops)
Work Item (Feature/Defect)
Developer grabs a work item as usual.

CODE
Normal: Developer codes a solution.
Secure: Developer uses secure code training to write bullet-proof code (we hope).

UNIT TESTS
Normal: Developer writes automated tests.
Secure: Developer adds randomized inputs to each function or functional test.

CI
Normal: Runs unit tests.
Secure: Also runs static code analysis looking for security errors and common code errors.

MANUAL QA
Normal: Verify work item is correctly working.
Secure: Also try to break it using hacking techniques and tools like manual cookie and parameter changes.

3RD PARTY AUDIT
Normal: N/A
Secure: External 3rd party pen-test or audit. Automated (such as Whitehat Sec.) is okay.

Release (Deliver to Ops)
Add Security at Every Step. Fix problems before release.
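Two of the secure steps above, randomized inputs in the unit tests and manual cookie changes in QA, combined into one test of an HMAC-signed session cookie. This is an added example, not code from the presentation or from IronCore Labs; make_cookie(), verify_cookie(), tamper_fuzz() and the constructed key are this example's own assumptions.

```python
"""HMAC-signed session cookie plus a randomized tamper test.

Added example, not code from the presentation or from IronCore Labs. It pairs
two of the secure pipeline steps: verify_cookie() is what the developer ships,
and tamper_fuzz() is the randomized-input unit test that also automates the
manual cookie changes a QA tester would try. All names and the constructed
key are this example's own assumptions.
"""
import base64
import hashlib
import hmac
import json
import random
import time

# Constructed secret for the example; a real service loads it from a secret store.
KEY = b"constructed-example-key-do-not-reuse"


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(body, key):
    # The MAC covers the encoded text exactly as sent, so any edit to the
    # cookie string, including non-canonical base64, invalidates it.
    return _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())


def make_cookie(payload, key=KEY):
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_tag(body, key)}"


def verify_cookie(cookie, key=KEY, now=None):
    """Return the payload dict, or None for anything this server did not issue."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.split(".", 1)
        # Constant-time compare: a short-circuiting == leaks how many bytes matched.
        if not hmac.compare_digest(tag.encode(), _tag(body, key).encode()):
            return None
        payload = json.loads(_b64d(body))
    except (ValueError, TypeError):
        return None          # malformed structure, base64 or JSON: reject, never raise
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None          # missing or past expiry
    return payload


def tamper_fuzz(rounds=2000, seed=1):
    """Mutate a valid cookie `rounds` times at random and require every
    mutation to be rejected. Returns the number of mutations checked."""
    rng = random.Random(seed)
    payload = {"uid": 42, "role": "user", "exp": 2_000_000_000}
    good = make_cookie(payload)
    if verify_cookie(good, now=1_700_000_000) != payload:
        raise AssertionError("valid cookie rejected")
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.=%"
    checked = 0
    for _ in range(rounds):
        c = list(good)
        op = rng.choice(("flip", "insert", "delete", "truncate", "resign"))
        if op == "flip":
            c[rng.randrange(len(c))] = rng.choice(alphabet)
        elif op == "insert":
            c.insert(rng.randrange(len(c) + 1), rng.choice(alphabet))
        elif op == "delete":
            del c[rng.randrange(len(c))]
        elif op == "truncate":
            c = c[: rng.randrange(len(c))]
        else:
            # The privilege-escalation case QA should cover: same user, role
            # changed to admin, signed with a guessed key.
            c = list(make_cookie({**payload, "role": "admin"}, key=b"guessed-key"))
        mutated = "".join(c)
        if mutated == good:
            continue                       # flip picked the original character
        if verify_cookie(mutated, now=1_700_000_000) is not None:
            raise AssertionError(f"tampered cookie accepted: {mutated!r}")
        checked += 1
    return checked
```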
We aren’t done yet
PHASE FOUR: PRODUCTION AND MAINTENANCE
Harden, Encrypt, Update libs, Update servers, Monitor, Threat intelligence, Scan / audit, Respond.

Harden
Least permissions, separation of concerns, segmentation, uninstall anything you don’t need, …

Encrypt
Encrypt all the things. Use HTTPS, DB encryption, disk encryption, and add extra crypto to your most sensitive data. Use password-less SSH (key-based identity) and two-factor authentication everywhere.

Update libs
Watch 3rd party libraries and APIs closely for security updates (and deprecations) and adopt those immediately. This is going to require some good regression test suites to maintain confidence in system functionality after library upgrades.

Update servers
Religiously update operating systems, server software (Apache/whatever), etc. across all systems. And automate your update process! Make sure all your systems are running the same software, and that they can be kept that way with minimal effort.

Monitor
Log everything, have intrusion detection systems, monitor logs and alerts and act on them. Again, you are going to need some automation. Relying on humans to monitor logs and notice problems is a recipe for failure.

Threat intelligence
Keep up on current threats, major vulnerabilities, hacking techniques, worms, etc. in order to better counter them.

Scan / audit
Audit the production environment in addition to the app; use port scanners to find out what’s running that you didn’t know about.
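The scan / audit item above, as a script that diffs a port scan against the services each host is supposed to expose, so the "didn't know about" listeners become findings. This is an added example, not code from the presentation or from IronCore Labs; the scan text is a constructed sample shaped like nmap's grepable (-oG) output, and the baseline, host names and function names are this example's own assumptions.

```python
"""Diff a port scan against the services each host is supposed to expose.

Added example, not code from the presentation or from IronCore Labs. The scan
text is a constructed sample in the shape of nmap's grepable (-oG) output; the
baseline, host names and function names are this example's own assumptions.
"""

# Constructed sample shaped like `nmap -sV -oG -` output for two hosts.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.0.0.5 (web01)\tStatus: Up\n"
    "Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH/, "
    "80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/, "
    "6379/open/tcp//redis//Redis/\tIgnored State: closed (996)\n"
    "Host: 10.0.0.6 (db01)\tStatus: Up\n"
    "Host: 10.0.0.6 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH/, "
    "5432/open/tcp//postgresql//PostgreSQL/, 8080/filtered/tcp//http-proxy///"
    "\tIgnored State: closed (997)\n"
    "# Nmap done (constructed sample)\n"
)

# What the scanner is allowed to see: host -> {port: expected service}.
# db01 should only answer on SSH from this vantage point; its database is
# meant to be reachable from the app tier alone.
BASELINE = {
    "10.0.0.5": {22: "ssh", 80: "http", 443: "https", 8443: "https"},
    "10.0.0.6": {22: "ssh"},
}


def parse_grepable(text):
    """Return {host_ip: [(port, state, service), ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entries = hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # port/state/protocol/owner/service/rpc info/version/
                parts = entry.strip().split("/")
                if len(parts) >= 5 and parts[0].isdigit():
                    entries.append((int(parts[0]), parts[1], parts[4]))
    return hosts


def audit_scan(text, baseline=BASELINE):
    """Return sorted findings as (severity, host, port, message)."""
    findings = []
    for ip, entries in parse_grepable(text).items():
        expected = baseline.get(ip)
        if expected is None:
            findings.append(("high", ip, 0, "host not in baseline"))
            continue
        open_ports = {p: svc for p, state, svc in entries if state == "open"}
        for p, svc in open_ports.items():
            if p not in expected:
                findings.append(("high", ip, p, f"unexpected open port {p} ({svc})"))
            elif svc != expected[p]:
                findings.append(("medium", ip, p,
                                 f"port {p} reports {svc}, expected {expected[p]}"))
        for p, svc in expected.items():
            if p not in open_ports:
                findings.append(("low", ip, p, f"expected {svc} on port {p} is not open"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, host, port, message in audit_scan(SAMPLE_SCAN):
        print(f"{severity:6} {host:10} {message}")
```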
Respond
A process for managing, escalating, and responding to events is critical. Agree on risk thresholds for emergency releases, update software, don’t lose track of work items.
Summary
Training: All developers must be trained in the writing of secure code. All QA must be trained in basic security testing and fuzzing.
Architecture: Use secure coding checklists, verify the security of 3rd party libraries, model threats and design with adversaries and best practices in mind.
Implementation: Develop and test, adding QA fuzzing and security checks, automated static code analysis, and before release, an audit or pen-test (even automated).
Production and Maintenance: Release is not the end. Software has bugs and security issues inevitably. Ongoing security testing, monitoring of logs, and most importantly, responding to any issues and pushing back to development.

Simply secure data
@ironcorelabs
bob.wall@ironcorelabs.com
We build encryption solutions for developers including end-to-end PKI and drop-in key management. Talk to us if you need better data security for your app.
Rethinking the Enterprise Perimeter | SnowFROC PresentationIronCore Labs
 
How to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a TimeHow to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a TimeIronCore Labs
 
CCPA: What You Need to Know
CCPA: What You Need to KnowCCPA: What You Need to Know
CCPA: What You Need to KnowIronCore Labs
 
How to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular ApplicationHow to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular ApplicationIronCore Labs
 
How to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React AppHow to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React AppIronCore Labs
 
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)IronCore Labs
 
2018 acm-scc-presentation
2018 acm-scc-presentation2018 acm-scc-presentation
2018 acm-scc-presentationIronCore Labs
 

Plus de IronCore Labs (7)

Rethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC PresentationRethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC Presentation
 
How to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a TimeHow to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a Time
 
CCPA: What You Need to Know
CCPA: What You Need to KnowCCPA: What You Need to Know
CCPA: What You Need to Know
 
How to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular ApplicationHow to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular Application
 
How to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React AppHow to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React App
 
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
 
2018 acm-scc-presentation
2018 acm-scc-presentation2018 acm-scc-presentation
2018 acm-scc-presentation
 

Dernier

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 

Dernier (20)

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 

The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear

  • 1. The Internet is a dog-eat-dog world, and your app is clad in Milk Bone underwear. -Bob Wall @ironcorelabs
  • 2. The Internet is a dog-eat-dog world, and your app is clad in Milk Bone underwear. -Bob Wall Yum
  • 3. ‘Cause hackers aren’t going to rush your foxhole. They’re going to sneak in under cover of night.
  • 4. “And I’ve got the scars to prove it.” Bob Wall (@bithead_bob, BobWall23, /in/bobwall23): Former Chief Architect at Oracle; current CTO at IronCore Labs; four degrees; crypto nerd; music junkie.
  • 5. 47% of U.S. adults hacked in one year (May 2014). 43% of U.S. corporations hacked in one year (Sep 2014). Sources: CNN and USA Today
  • 6. 1,023,108,267 records stolen in 2014. Billion!! Source: Breach Level Index Annual Report 2014
  • 7. Exploitability of Vulnerabilities (chart: share of high severity vulnerabilities that were low complexity, by year: 2010 60%, 2011 66%, 2012 70%, 2013 68%, 2014 71%, 2015 75%). 75% of high severity vulnerabilities were low complexity (easy to exploit) in 2015, up 25% from 2010 levels. Conclusion: Applications are getting worse at basic security measures. Source: National Vulnerability Database and IronCore Labs
  • 8. Malware in 2015: 35% more ransomware in 2015; 84% more bots in China; 35% more spear phishing in 2015; 23% more identities stolen. Source: Symantec Internet Security Threat Report 2016
  • 9. Global Malware Infection Rates: 32% desktop/laptop, 0.03% mobile. Sources: Verizon 2015 Data Breach Report and Panda Labs
  • 10. 2015 Malware Breakdown (breakdown of malware samples discovered in 2015; excludes annoyance-ware): Windows 95%, Android 3%, Documents 1%, MSIL 1%; PHP, MacOS, Linux, Perl, UNIX, iOS and FreeBSD at 0. Source: HPE 2016 Cyber Risk Report
  • 11. Privacy Is Dead (but hooray convenience!) Your smartphone can know everything about you. Under the control of a hacker, it can relay your conversations, your location, your communications and much more, which is why mobile malware is such a scary up-and-coming threat. Smartphones: $ 1.4 billion sold in 2015 (up 10%); 430 million new malware in 2015 (up 36%); 5.2 million lost or stolen in the U.S. in 2014 (up 15% total, but thefts down 32%). Sources: Consumer Reports, IDC and Symantec Internet Security Threat Report
  • 12. 86% of web applications tested had serious issues with authentication, access control, and confidentiality. Increased from 72% in 2014. Source: HPE 2016 Cyber Risk Report
  • 13. Breached Companies: Data Was Not Encrypted (chart: breached companies vs. unencrypted data)
  • 14. Breached Companies: Data Was Not Encrypted (chart: breached companies vs. unencrypted data)
  • 15. News Coverage of Breaches, According to Google Trends (timeline 2010 through 2015). Source: Google Trends
  • 16. News Coverage of Breaches, According to Google Trends (timeline 2010 through 2015), with the spikes labelled: Playstation Breach, Zappos Hack, Evernote Hack, Target Hack, Home Depot Hack, Ashley Madison Hack. Source: Google Trends
  • 17. 47 States with Breach Disclosure Laws + HIPAA
  • 18. 47 States with Breach Disclosure Laws + HIPAA. Breach disclosure only required when unencrypted PII* data is accessed. *PII = Personally Identifiable Information
  • 19. Data is Distributed: Cloud Services, Mobile Devices, Internet of Things, Partners, Employee Laptops. Uncontrolled and with minimal security.
  • 21. Security Incidents: Network-layer vs. App-layer. 90% due to defects at the application layer. -DHS Source: Department of Homeland Security
  • 22. Web App Vulnerability Likelihood (chart; Source: Whitehat Security Stats Report 2015): Insufficient Transport Layer 70%, Information Leakage 56%, Cross Site Scripting 47%, Brute Force 29%, Content Spoofing 26%, Cross Site Request Forgery 24%, URL Redirector Abuse 16%, Predictable Resource Location 15%, Session Fixation 11%, Insufficient Authorization 11%, Directory Indexing 8%, Abuse of Functionality 6%, SQL Injection 6%, Insufficient Password Recovery 6%, Fingerprinting 5%.
  • 23. Web App Vulnerability Likelihood (same chart as slide 22, annotated): #1. Insufficient Transport = Poor SSL. #2. Info Leak = Dev Errors to User. #3. XSS = Poor Input Sanitization. #4. Brute Force = No rate limiting. #5. Content Spoofing = Poor Input Sanitization. Source: Whitehat Security Stats Report 2015
  • 24. % of Web Using OpenSSL: 66% (does not include IMAP and the many other apps that use OpenSSL). OpenSSL Vulnerabilities per year, 2006 through 2016 (chart, 0 to 40, by severity: Low, Moderate, High; ** through March 2016), with notable bugs marked: FREAK, Logjam; HeartBleed, Poodle, Goto Fail; DROWN; OCSP Stapling; ASN1 Bio; Plaintext Recovery.
  • 25. OpenSSL Unit Test Coverage: Not Covered 52%, Covered 48%. Code is poorly tested. Code is old, crusty, riddled with goto statements. #1 crypto library ➫ #1 app problem ➫ Coincidence?
  • 26. Encryption Pitfalls. Typical implementations suffer these issues. Single Key: One key is shared between all apps and users. Anyone who gains access to the system can access all of the data in the system unchecked by encryption. Unlocked in Memory: In typical transparent disk and database systems, as long as the system is running, the data is not encrypted. These systems protect against stolen hard drives, but not hackers in the system. Key on Server: If you lock a desk drawer and put the key on top of the desk or in the unlocked drawer beside it, your physical security would be as bad as most electronic security. Reliance on HTTPS: A surprising number of apps and infrastructures think they are encrypted and secure because they use https. https by itself does almost nothing to secure a system and can even be actively negative. “PLENTY OF COMPANIES brag that their communications app is encrypted. But that marketing claim demands a followup question: Who has the key?
  • 27. A locked drawer is useless when the key is RIGHT THERE.
  • 28. % of Organizations with Serious Vulnerabilities, out of the 2015 calendar year (stacked bar chart by industry: Finance/Insurance, Healthcare, Info Tech, Retail, Public Admin; segments: Every Day, More Than 271 Days, More Than 151 Days; per-industry totals shown as 64%, 75%, 63%, 79%, 85%; segment values as printed: 21% 10% 14% 12% 11% 9% 11% 11% 14% 64% 60% 38% 52% 39%). Source: Whitehat Security Stats Report 2015
  • 29. Average Days To Fix by Industry (Source: Whitehat Security Stats Report 2015): Transportation 227, Arts & Entertainment 192, Accommodation 191, Professional & Scientific 160, Public Admin 158, Other Services 136, Information 132, Education 130, Healthcare 111, Finance/Insurance 108, Manufacturing 99, Utilities 97, Retail 73.
  • 30. Hard Breach Costs: 9% 2014 increase in per-record cost; $400b Lloyd’s of London estimate of the cost to the global economy; $3.8m average cost per breach, including notifications, investigations, legal issues and credit monitoring; $201 average cost per breached record (US). Source: Ponemon Institute
  • 31. Cyber-Insurance: premiums up 32% in first half of 2015; 83% of claims paid out. Payout breakdown: 78% Crisis Services, 8% Legal Defense, 9% Legal Settlements, 5% Regulatory. $15m biggest payout; $674k average payout; $77k median payout. 32% of claims due to third party breaches. 99% of exposed records due to hackers and malware. Source: Netdiligence 2015 Cyber Claims Study
  • 32. Case Study, 2013. General stats aren’t known, but smaller companies get badly hurt. Database hacked (SQL injection?); 50 million customers affected; 15-20% revenue drop in subsequent months; -82% employee reduction now vs. pre-breach. Sources: All Things D and NYTimes
  • 33. Security Spending: Network security vs. App security. Almost triple the spending goes to network security. Source: Lumension 2015 State of the Endpoint
  • 34. 31% of all security breaches at banks in 2015 involved web app attacks. Source: Verizon 2015 Data Breach Report
  • 35. Top Threats By Industry (Source: Verizon 2015 Data Breach Report): Accommodation: Point of Sale 91%. Education: Crimeware 32%. Entertainment: Point of Sale 73%. Financial Services: Crimeware 36%, Web App Attack 31%. Healthcare: Misc. Errors 32%, Insider Misuse 26%. Information / Tech: Cyber-Espionage 36%, Web App Attack 35%. Manufacturing: Cyber-Espionage 60%. Public: Crimeware 51%. Retail: Point of Sale 70%.
  • 36. Cyber-Espionage: Spy vs. Computer. 66%: Two-thirds of cyber-espionage attacks relied on targeted phishing emails with malicious links or attachments. 27% of victims were Manufacturing corporations; public sector targets accounted for 20%. 0.8%: Of all breaches resulting in data loss, only 0.8% were due to cyber-espionage. Source: Verizon 2015 Data Breach Report
  • 37. Phishing: 23% of recipients open phishing emails; 11% open the attachments. Source: Verizon 2015 Data Breach Report
  • 38. Scarier than a Presidential Election? It Gets Worse
  • 39. Internet of Crap: 20% of cars networked by 2020.3 2008: more connected devices than people globally.2 50b connected devices by 2020.2 70% vulnerable to attack.1 90% collect personal information.1 25 average vulnerabilities found per device.1 SOURCES: 1. HP Internet of things research study 2015 2. Cisco 3. Gartner
  • 40. Wall of Shame Highlights: Aetna, Alliance Health, Anthem, Blue Cross, Cigna, CVS, Harvard Pilgrim, Humana, Johns Hopkins, Kaiser, Mayo Clinic, Rite Aid, University of Colorado Health, Walgreens. 277 2015 healthcare breaches; 112,832,082 records stolen; 67% of stolen records across industries; $10 / record on the black market. Source: Identity Theft Research Center
  • 41. Breach Detection (Source: Mandiant M-Trends 2015): 229 days before detection (median); 32 days to respond to breach (average); 67% learned of their breach from an external entity (pie chart: 67% / 33%).
  • 42. Summing Up So Far. Breaches: through the roof. Firewalls: insufficient to secure data. Apps: are the problem. Trivial: most vulnerabilities are easy to exploit. IOT: more insecure devices every day. Bad Security: very costly and kills companies.
  • 43. Summing Up So Far: Software Devs Need to Step Up. Breaches: through the roof. Firewalls: insufficient to secure data. Apps: are the problem. Trivial: most vulnerabilities are easy to exploit. IOT: more insecure devices every day. Bad Security: very costly and kills companies.
  • 45. Computer science graduates by year, 1966 through 2014 (chart, 0 to 60,000: Associate’s Degrees, Bachelor’s Degrees, Advanced Degrees; earlier peaks marked at 1986 and 2004). 2014: 120,391 grads: 56,130 Bachelors, 37,643 Associates, 26,618 Advanced. Source: National Science Foundation WebCASPAR Database
  • 46. University Shame List: 0% of the top 20 Comp. Sci. undergrad programs require secure coding. Source: IronCore Labs using US News Rankings. 1. Carnegie Mellon; 1. MIT; 1. Stanford; 1. UC Berkeley; 5. University of Illinois, Urbana-Champaign; 6. Cornell; 6. University of Washington; 8. Princeton; 9. Georgia Institute of Technology; 9. University of Texas, Austin; 11. California Institute of Technology; 11. University of Wisconsin, Madison; 13. UCLA; 13. University of Michigan, Ann Arbor; 15. Columbia; 15. UC San Diego; 15. University of Maryland, College Park; 18. Harvard University; 19. University of Pennsylvania; 20. Brown University; 20. Purdue University, West Lafayette; 20. Rice University; 20. University of Southern California; 20. Yale University; 20. Duke University
  • 47. Software Development Phases: Employee Education, Requirements, Design, Develop, Verify, Release, Monitor/Respond
  • 48. PHASE ONE: TRAINING. Look at Coursera, SANS, ISC, CERT, securecoding.org, secureset.com and others for help.
  • 49. Internet Security First Aid. PHASE TWO-A: REQUIREMENTS. ✓ Product Managers should include malicious users in their personas list. ✓ Require security features up front. Ex: account lockouts; form submission rate limits.
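The two requirements slide 49 asks for up front, account lockouts and form submission rate limits, as an added Python example that is not from the deck or from IronCore Labs; the thresholds, source addresses and account names are constructed for the demo, and `password_ok` stands in for a real credential check.

```python
"""Added example (not from the deck): the two security requirements slide 49
asks for up front, account lockouts and form submission rate limits, built
into one login guard. Slide 23 blames brute force (#4 on the WhiteHat list)
on "no rate limiting", and slide 50's 8.2 billion guesses per second is the
reason an online login must cap guesses rather than rely on password entropy.
All thresholds, addresses and account names below are constructed."""
from collections import deque


class LoginGuard:
    """Sliding-window submission limit per source plus per-account lockout."""

    def __init__(self, max_per_window=5, window_seconds=60.0,
                 max_failures=10, lockout_seconds=900.0):
        self.max_per_window = max_per_window    # submissions per source per window
        self.window_seconds = window_seconds    # length of the sliding window
        self.max_failures = max_failures        # failures before the account locks
        self.lockout_seconds = lockout_seconds  # temporary, so a lockout cannot be
                                                # turned into a permanent denial of service
        self._submissions = {}   # source -> deque of recent submission times
        self._failures = {}      # account -> consecutive failed logins
        self._locked_until = {}  # account -> time the lock expires

    def _recent(self, source, now):
        """Drop submissions older than the window and return the live queue."""
        q = self._submissions.setdefault(source, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        return q

    def check(self, source, account, now):
        """Return None if the attempt may proceed, otherwise a refusal reason.
        The lock is checked before the password is ever looked at, so a locked
        account answers identically for right and wrong passwords (no oracle)."""
        if self._locked_until.get(account, 0.0) > now:
            return "account_locked"
        q = self._recent(source, now)
        if len(q) >= self.max_per_window:
            return "rate_limited"
        q.append(now)
        return None

    def record_result(self, account, success, now):
        """Update the failure counter; lock the account at the threshold."""
        if success:
            self._failures.pop(account, None)
            return
        n = self._failures.get(account, 0) + 1
        if n >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop(account, None)
        else:
            self._failures[account] = n

    def attempt(self, source, account, password_ok, now):
        """One login attempt. password_ok stands in for the real credential
        check, which only runs once the guard has let the attempt through."""
        reason = self.check(source, account, now)
        if reason is not None:
            return reason
        self.record_result(account, password_ok, now)
        return "ok" if password_ok else "bad_password"


def replay(guard, events, account, correct):
    """Feed constructed (time, source, guess) events at one account and
    return the guard's verdict for each, in order."""
    return [guard.attempt(src, account, guess == correct, t)
            for t, src, guess in events]


def demo_events():
    """Constructed scenario: four sources each send five wrong guesses 0.1 s
    apart (spreading the burst so no single source trips the rate limit),
    then the real user logs in during the lockout and again after it expires."""
    events, t = [], 0.0
    for src in ("198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"):
        for i in range(5):
            events.append((t, src, f"guess{i}"))
            t += 0.1
    events.append((100.0, "203.0.113.9", "correct horse"))   # victim, still locked
    events.append((1001.0, "203.0.113.9", "correct horse"))  # victim, lock expired
    return events


if __name__ == "__main__":
    events = demo_events()
    for ev, verdict in zip(events, replay(LoginGuard(), events, "alice", "correct horse")):
        print(f"t={ev[0]:7.1f} {ev[1]:14} {verdict}")
```

The replay shows the per-source limit alone is not enough once guesses are spread across sources, which is why the deck lists both controls; the time-limited lock is what keeps the lockout from becoming a denial of service against the real user.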
  • 50. Did you know? 25: number of accounts for average web user. 6.5: number of passwords for average web user. 8.2b: number of password guesses per second for a single desktop computer.* Source: Microsoft Research, Ars Technica. * Stat from 2012. Actual speed depends on hardware and hashing algorithm used.
  • 52. Internet Security First Aid. PHASE THREE: IMPLEMENTATION. Pipeline: Work Item (Feature/Defect) → CODE → UNIT TESTS → CI → MANUAL QA → 3RD PARTY AUDIT → Release (Deliver to Ops)
  • 54. CODE. Normal: Developer codes a solution. Secure: Developer uses secure code training to write bullet-proof code (we hope).
  • 55. UNIT TESTS. Normal: Developer writes automated tests. Secure: Developer adds randomized inputs to each function or functional test.
  • 56. CI. Normal: Runs unit tests. Secure: Also runs static code analysis looking for security errors and common code errors.
  • 57. MANUAL QA. Normal: Verify work item is correctly working. Secure: Also try to break it using hacking techniques and tools like manual cookie and parameter changes.
  • 58. 3RD PARTY AUDIT. Normal: N/A. Secure: External 3rd party pen-test or audit. Automated (such as Whitehat Sec.) is okay.
  • 59. Add Security at Every Step: fix problems before release. Work Item (Feature/Defect) → CODE → UNIT TESTS → CI → MANUAL QA → 3RD PARTY AUDIT → Release (Deliver to Ops)
  • 61. PHASE FOUR: PRODUCTION AND MAINTENANCE (cycle: Harden, Encrypt, Update libs, Update servers, Monitor, Threat intelligence, Scan / audit, Respond)
  • 62. Harden: Least permissions, separation of concerns, segmentation, uninstall anything you don’t need, …
  • 63. Encrypt: Encrypt all the things. Use HTTPS, DB encryption, disk encryption, and add extra crypto to your most sensitive data. Use password-less SSH (key-based identity) and two-factor authentication everywhere.
  • 64. Update libs: Watch 3rd party libraries and APIs closely for security updates (and deprecations) and adopt those immediately. This is going to require some good regression test suites to maintain confidence in system functionality after library upgrades.
  • 65. Update servers: Religiously update operating systems, server software (Apache/whatever), etc. across all systems. And automate your update process! Make sure all your systems are running the same software, and that they can be kept that way with minimal effort.
  • 66. Monitor: Log everything, have intrusion detection systems, monitor logs and alerts and act on them. Again, you are going to need some automation. Relying on humans to monitor logs and notice problems is a recipe for failure.
  • 67. Threat intelligence: Keep up on current threats, major vulnerabilities, hacking techniques, worms, etc. in order to better counter them.
  • 68. Scan / audit: Audit the production environment in addition to the app; use port scanners to find out what’s running that you didn’t know about.
  • 69. Respond: A process for managing, escalating, and responding to events is critical. Agree on risk thresholds for emergency releases, update software, don’t lose track of work items.
  • 70. Production and maintenance cycle: Harden, Encrypt, Update libs, Update servers, Monitor, Threat intelligence, Scan / audit, Respond
  • 71. Summary (phases: Employee Education, Requirements, Design, Develop, Verify, Release, Monitor/Respond). Training: All developers must be trained in the writing of secure code. All QA must be trained in basic security testing and fuzzing. Architecture: Use secure coding checklists, verify the security of 3rd party libraries, model threats and design with adversaries and best practices in mind. Implementation: Develop and test, adding QA fuzzing and security checks, automated static code analysis, and before release, an audit or pen-test (even automated). Production and Maintenance: Release is not the end. Software has bugs and security issues inevitably. Ongoing security testing, monitoring of logs, and most importantly, responding to any issues and pushing back to development.
  • 72. Simply secure data. bob.wall@ironcorelabs.com. We build encryption solutions for developers including end-to-end PKI and drop-in key management. Talk to us if you need better data security for your app. Learn More