About me
● Software engineer and architect
● Founder of a cybersecurity startup
● Minister of electronic governance of Bulgaria (2021-2022)
● Member of Bulgarian parliament
● https://techblog.bozho.net
● Twitter: @bozhobg
Network security is hard
● What is “network security” anyway?
● Network firewall, WAF
● Network segmentation, DMZ
● IDS?
● VPN / ZTNA
● DNS security
● DDoS
● Email security (in & out)
● Honeypots
● …
Endpoint security is hard
● AV/NGAV/EPP/EDR/XDR?
● DLP
● BYOD policies
● USB policies
● AD/Azure AD
● Mobile security, MDM
● IoT
● Printers (example: Bangladesh bank)
Cloud security is hard
● IaaS configurations
● IAM, API access
● Container management
● Cloud monitoring, security centers, agents
● SaaS - MFA
● SaaS - “trust us”
● SaaS - shadow IT
Custom development is hard
● OWASP
● Configuring CSP, CSRF tokens
● Upload filters
● XSS - input & output
● Access control per HTTP endpoint
● Dependency management, hot patching
● SDLC
● Regular pentests
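The slide above only names the controls (CSP, CSRF tokens, output encoding against XSS, access control per HTTP endpoint). The following is an added example, not code from the speaker or the talk, showing how those four land in one small request handler using only the Python standard library; the route table, role names and session layout are assumptions made for the demo.

```python
import hashlib
import hmac
import html
import secrets

# Per-deployment secret used to derive CSRF tokens (constructed here; in real use load it from config).
SESSION_SECRET = secrets.token_bytes(32)

# A restrictive Content-Security-Policy sent with every HTML response.
CSP_HEADER = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'self'; frame-ancestors 'none'"
)

# Access control declared per (method, endpoint): the set of roles allowed to call it.
# Anything not listed here is unreachable, so a forgotten endpoint fails closed.
ROUTES = {
    ("GET", "/profile"): {"user", "admin"},
    ("POST", "/profile"): {"user", "admin"},
    ("POST", "/admin/users"): {"admin"},
}


def csrf_token_for(session_id):
    """Derive a CSRF token bound to the session; without the secret it cannot be forged."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, token):
    """Constant-time comparison so token checking does not leak timing information."""
    return hmac.compare_digest(csrf_token_for(session_id), token or "")


def render_profile(display_name):
    """Output encoding: the user-controlled name is escaped before it lands in HTML."""
    return "<h1>Profile of %s</h1>" % html.escape(display_name, quote=True)


def handle(method, path, session, form=None):
    """Return (status, headers, body). Checks run in a fixed order:
    endpoint exists -> caller's role is allowed -> CSRF token valid on state-changing requests."""
    form = form or {}
    headers = {
        "Content-Security-Policy": CSP_HEADER,
        "Content-Type": "text/html; charset=utf-8",
    }
    allowed_roles = ROUTES.get((method, path))
    if allowed_roles is None:
        return 404, headers, "not found"
    if session.get("role") not in allowed_roles:
        return 403, headers, "forbidden"
    if method == "POST" and not csrf_token_valid(session["id"], form.get("csrf")):
        return 403, headers, "missing or invalid CSRF token"
    if path == "/profile":
        name = form.get("name", session.get("name", ""))
        return 200, headers, render_profile(name)
    return 200, headers, "ok"


if __name__ == "__main__":
    # Constructed session and request for a quick demo run.
    user = {"id": "s1", "role": "user", "name": "alice"}
    token = csrf_token_for(user["id"])
    print(handle("POST", "/profile", user, {"csrf": token, "name": "<b>alice</b>"}))
    print(handle("POST", "/admin/users", user, {"csrf": token}))
```

The point of the route table is that authorization is data, reviewable in one place, rather than an `if` scattered across handlers; the CSRF check sits in the same central path so no POST endpoint can forget it.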
Off-the-shelf security is hard
● “Custom software is hard, I’ll get something off-the-shelf”
● Same problems, but outside our control
● Which ports does it use?
● How do we collect the logs (example: SAP security audit log)
● How to hide problems behind the firewall?
● Virtual patching
● Vendor goes bankrupt/acquired/stops support
Security tools are hard
● Sometimes missing exactly the thing that we need
● Blocks normal usage, but lets the bad guys in (example: downloading binaries as base64 text files)
● Expensive
● Allegedly integrated, but you need many tools which hardly talk to each other
● Data sheet (only) functionality
● False positives
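The "binaries as base64 text files" bullet describes a filter that inspects only the outer file type. As an added example (not from the talk or any product it mentions), here is the kind of content check a defender would want instead: decode base64 runs found inside a text file and look at the magic bytes of what comes out. The magic-byte table and the minimum run length are assumptions chosen for the demo.

```python
import base64
import binascii
import re

# Leading bytes of common executable formats (assumed table for the demo).
MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"PK\x03\x04": "ZIP archive",
}

# A run of base64 alphabet characters (line breaks allowed), long enough to be a payload
# rather than an incidental token such as a hash or an ID.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")


def classify_bytes(data):
    """Return the format name if the data starts with a known executable/archive magic."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def scan_text(blob):
    """Return findings for a file that claims to be text: a raw binary passed off as text,
    or a binary hidden inside a base64 run."""
    findings = []
    raw_kind = classify_bytes(blob)
    if raw_kind:
        findings.append(raw_kind)
    for match in BASE64_RUN.finditer(blob):
        chunk = re.sub(rb"\s+", b"", match.group(0))
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except binascii.Error:
            continue  # looked like base64 but was not well formed; skip it
        kind = classify_bytes(decoded)
        if kind:
            findings.append("base64-wrapped " + kind)
    return findings


def constructed_pe_sample():
    """A constructed, non-functional stub with a PE-like header, wrapped as base64 text
    the way a .txt download would carry it (MIME line breaks every 76 characters)."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    return b"-- attached file --\n" + base64.encodebytes(fake_pe) + b"-- end --\n"


if __name__ == "__main__":
    print(scan_text(constructed_pe_sample()))
    print(scan_text(b"Hello, this is a normal text file.\n"))
```

The check is cheap enough to run in a mail or proxy filter, and because it keys on what the decoded bytes are rather than on the file extension, renaming the upload to `.txt` does not change the verdict.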
Attacks abound
● Supply chain (solorigate)
● Pseudo-airgapped (Jeep hack, VLAN-”airgapped”)
● Unvetted companies and experts (“where did this backdoor come from?”)
● Physical access compromise (MIFARE classic, HRM integration)
● Social engineering (“weakest link”, example: “not my job to care”)
● 0days (example: Pegasus iPhone 0day)
All of that is hard
even if we have qualified people
We’ve built something overly complex on a bunch of silicon, “mirrors” in a tube and 0s and 1s. There’s no built-in security, it’s always added later.
That makes things very, very hard.