3. WHO IS DC970
DEF CON is one of the world’s largest hacker
conferences
Occurs annually in Las Vegas
16,000+ attended in 2014; 20,000+ in 2015
DC970 is a local meetup with similar interests
Meets the 3rd Thursday of the month at Wild Boar Café – 7pm
One of a handful of groups around Northern Colorado
Not on Meetup.com --- Should we be?
4. DEFENSE – IN – DEPTH
Full scope: Personnel, Procedural, Technical and Physical
Expect any single layer to fail/be defeated (e.g. 0-day)
Add layers to mitigate impact of any single layer failing
Could be 3 or 30 layers
Medieval Castle, Military base
Warcraft/AOE/CnC strategy – e.g. All zergs
Again: Expect and Accept losses at any layer
10. STATE OF THE UNION
Industry reports from multiple vendors
Microsoft – Security Intelligence Report
Symantec – Internet Security Threat Report
Verizon – Data Breach Investigations Report
11. SYMANTEC – 2012
From DC970’s first presentation in 2013…
31% of attacks targeted at businesses with fewer than 250 employees
32% of mobile threats are designed to steal information
69% of all email is spam
5291 new vulnerabilities discovered in 2012 (about 14.5 per day)
One ‘watering hole’ attack infected 500 orgs in one day
12. DBIR 2015 - PATCHING
99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published
2008 number was 71%
E.g. MS08-067 = CVE-2008-4250
DBIR 2015, p19
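The slide's point is that exploited holes are usually old ones, so the useful question for your own estate is "how old was each CVE when we still had it open?". The script below is an added example for this deck (not DBIR or DC970 code): it reads a scanner export, computes the age of every finding relative to the CVE publication date, and flags anything over a year old. The export layout is an assumption, and the four sample findings are constructed (publication dates are illustrative; only the MS08-067 / CVE-2008-4250 pairing comes from the slide).

```python
"""Patch-lag triage: how old was each CVE when it was still found unpatched?

Added example for the slide above; it is not code from the DC970 deck or
from the DBIR. The scanner export layout below is an assumption, and the
sample findings are constructed (CVE publication dates used only for
illustration).
"""
from datetime import date

ONE_YEAR_DAYS = 365

# Constructed sample export: host, CVE id, CVE publication date, date the
# finding was observed by the scanner.
SCAN_EXPORT = """\
fileserver01,CVE-2008-4250,2008-10-23,2015-03-02
fileserver01,CVE-2014-6271,2014-09-24,2015-03-02
web02,CVE-2014-0160,2014-04-07,2015-03-02
web02,CVE-2015-0235,2015-01-27,2015-03-02
"""


def parse_export(text):
    """Turn the CSV-style export into dicts with real date objects."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, cve, published, observed = (f.strip() for f in line.split(","))
        findings.append({
            "host": host,
            "cve": cve,
            "published": date.fromisoformat(published),
            "observed": date.fromisoformat(observed),
        })
    return findings


def age_days(finding):
    """Days between CVE publication and the day the hole was still open."""
    return (finding["observed"] - finding["published"]).days


def triage(findings):
    """Split findings into stale (CVE more than a year old when observed)
    and recent; stale ones come back oldest first, plus the stale share."""
    stale = sorted((f for f in findings if age_days(f) > ONE_YEAR_DAYS),
                   key=age_days, reverse=True)
    recent = [f for f in findings if age_days(f) <= ONE_YEAR_DAYS]
    share = len(stale) / len(findings) if findings else 0.0
    return stale, recent, share


def report(findings):
    """Human-readable summary, one line per stale finding."""
    stale, _recent, share = triage(findings)
    lines = [f"{share:.0%} of findings are CVEs older than a year"]
    for f in stale:
        lines.append(f"  {f['host']}: {f['cve']} published {f['published']}, "
                     f"{age_days(f)} days old when observed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_export(SCAN_EXPORT)))
```

Age is measured from CVE publication to the date the scanner still saw the hole, which is the same yardstick the DBIR uses; the stale list is sorted oldest first because, per the slide, that is where the exploitation actually happens.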
13. DBIR 2015 – PHISHING
23% of recipients open messages
11% click on attachments
Median time to first click: 82 seconds (1 min 22 s)
Overall: 50% of ‘clickers’ click within one hour of the attack
DBIR 2015 p.12
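These numbers are the ones worth reproducing from your own simulated-phishing runs, because the time-to-click distribution tells you how long the help desk realistically has before the first credentials are gone. The script below is an added example (not DBIR or DC970 code) that computes open rate, click rate, time to first click, median time to click and the share of clickers inside one hour from a tracking-event log. The log format, recipient list and events are constructed; it also handles two practical wrinkles, a user whose click is recorded without an open (tracking pixel blocked) and a user who clicks twice.

```python
"""Phishing-campaign timing, computed from a simulated-phishing event log.

Added example for the DBIR phishing slide above; not code from the deck or
the DBIR. The log format, recipient list and events are constructed.
"""
from datetime import datetime
from statistics import median

# Constructed campaign: when the mails went out and who received them.
SENT_AT = datetime(2015, 3, 2, 9, 0, 0)
RECIPIENTS = ["alice", "bob", "carol", "dave", "erin",
              "frank", "grace", "heidi", "ivan", "judy"]

# Constructed tracking events: "<ISO timestamp> <user> <open|click>".
# erin has a click but no open (tracking pixel blocked); bob clicks twice.
EVENT_LOG = """\
2015-03-02T09:00:40 alice open
2015-03-02T09:01:22 alice click
2015-03-02T09:03:00 bob open
2015-03-02T09:30:00 bob click
2015-03-02T09:31:10 bob click
2015-03-02T09:10:00 carol open
2015-03-02T10:15:00 dave open
2015-03-02T12:00:00 dave click
2015-03-02T09:45:00 erin click
"""


def parse_events(text):
    """Parse log lines into (timestamp, user, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action = line.split()
        events.append((datetime.fromisoformat(ts), user, action))
    return events


def campaign_stats(events, sent_at=SENT_AT, recipients=RECIPIENTS):
    """Open rate, click rate, time to first click, median time to click and
    the share of clickers who clicked within an hour of the send."""
    first_open, first_click = {}, {}
    for ts, user, action in sorted(events):      # chronological order
        if user not in recipients:
            continue                              # stray or test traffic
        if action == "click":
            first_click.setdefault(user, ts)      # keep only the first click
            # A click proves the mail was opened even if the pixel never fired.
            first_open.setdefault(user, ts)
        elif action == "open":
            first_open.setdefault(user, ts)

    delays = sorted((ts - sent_at).total_seconds() for ts in first_click.values())
    n = len(recipients)
    return {
        "open_rate": len(first_open) / n,
        "click_rate": len(first_click) / n,
        "first_click_seconds": delays[0] if delays else None,
        "median_click_seconds": median(delays) if delays else None,
        "clicked_within_hour": (sum(1 for d in delays if d <= 3600) / len(delays)
                                if delays else 0.0),
    }


if __name__ == "__main__":
    for key, value in campaign_stats(parse_events(EVENT_LOG)).items():
        print(f"{key}: {value}")
```

Rates are computed against the full recipient list, not against the users who generated events, otherwise a blocked tracking pixel makes the campaign look more successful than it was. Reporting the median rather than the mean keeps one very late click from hiding how fast the first ones arrived.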
14. DBIR 2015 - OTHER
Mobile devices NOT a preferred vector in data breaches
No ‘one size fits all’ approach to security
Size
Industry
Sector
15. DBIR 2015 – OOPS!
Accidental breaches of confidentiality, integrity or availability (C-I-A)
30% - Misdelivery of sensitive info to incorrect recipients
17% - Published to public web server
12% - Improper disposal of info (personal, medical, etc…)
Total of 60% attributed to sysadmin error
35% of systems are vulnerable to USB-initiated attacks
DBIR 2015 p51
16. E-COMMERCE WEB APP HACK
Why? – Because the threat actor made changes in the payment application code to capture and send data when processed.
Why? – They bypassed authentication to upload a backdoor to the server via Remote File Inclusion (RFI).
Why? – Because the JBoss version was outdated and vulnerable to a widely known attack.
Why? – Because the server software hadn’t been updated in years.
Why? – This is where it gets tricky.
Because... they thought their third-party vendor would do it?
Because... they thought they had, but failed to check implementation?
Because... they had insufficient processes in place to manage their risk?
DBIR 2015 p55
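The first two "whys" in that chain leave traces on disk: a payment handler whose contents changed after deployment, and a new file in a web-reachable directory. Both are exactly what a hashed baseline of the deployment tree catches. The script below is an added example for this case (not DBIR or DC970 code): it takes a SHA-256 manifest of a toy application tree, replays the two changes from the story, and reports what differs. The directory layout and file contents are constructed placeholders.

```python
"""File-integrity check for a deployed web application.

Added example for the DBIR case above; not code from the deck or the DBIR.
It shows how the two code-level symptoms in the story (an altered payment
handler and a dropped backdoor) surface when a hashed baseline of the
deployment tree is compared against the live tree. The directory layout
and file contents are constructed placeholders.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_manifest(baseline, current):
    """Files whose hash changed, files that appeared, files that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Build a toy deployment, take a baseline, replay the breach, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payment").mkdir()
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php /* storefront */ ?>\n")
        (root / "payment" / "process.php").write_text("<?php /* charge the card */ ?>\n")
        baseline = build_manifest(root)   # taken at deploy time, stored off-host

        # The breach as described: payment code altered to capture card data,
        # and a backdoor written into a web-reachable upload directory.
        (root / "payment" / "process.php").write_text(
            "<?php /* charge the card */ /* ...and ship it to the attacker */ ?>\n")
        (root / "uploads" / "backdoor.php").write_text("<?php /* attacker's shell */ ?>\n")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would add. The baseline has to live off the host (or be signed), because an attacker who can write the payment code can also rewrite a manifest stored beside it. And this check only surfaces the symptoms; the root causes in the chain, the unpatched JBoss and the missing process to verify that patching actually happened, are what the earlier patch-lag numbers are about.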