Cybersecurity by the numbers

  1. “Cybersecurity by the Numbers”
  2. Eoin Keary; CTO/Founder; OWASP Leader/Member; OWASP Ireland Founder; (ex) OWASP Global Board Member; @eoinkeary
  3. Why am I here? “Doing” security for quite a while, before SAST, DAST, IAST, CI and CD were “things”; was a software developer and moved to software breaking; was leader of the Global Penetration Engagements Team for EY; wrote/contributed to the OWASP Testing Guide, OWASP Code Review Guide, OWASP CISO Guide and OWASP SAMM; responsible for some of the most impactful security breaches* against Irish financial institutions in the last 10 years. *ethical security assessments
  4. What we do: Effective, Scalable #Fullstack Vulnerability Management. #fullstack vulnerability management: web applications, API and host; managed service; continuous assessment; false-positive free; manages over 100,000 systems globally. Professional services: penetration testing, software security, red teaming, DDoS, system hardening, security architecture, compliance.
  5. edgescan™: basis for measurement. • edgescan™ is a sophisticated, enterprise-grade vulnerability assessment and management solution that gives you the tools you need to control and manage IT security risk. • edgescan™ helps small, medium-sized and large enterprises identify and remediate known vulnerabilities in any platform or web application. • edgescan™ is a cloud-based SaaS which provides a unique combination of technology and human expertise to assist you with maintaining a strong security posture.
  6. 2017 – so far: • Lloyds 48hr DDoS – 20,000,000 • Trump – administration details leaked • Clash of Clans – 1,000,000 • Cellebrite – 900 GB of data • SWIFT – fake trade documents – 3 banks – India • CoPilot – GPS – 220,000 records • Sentara HealthCare – 5,000 patient records. “Globally, every second, 18 adults become victims of cybercrime” – Symantec. “The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history” – Gen. Keith Alexander. “One hundred BILLION dollars” – Dr Evil. “Eoin, I didn’t click it” – My Mam.
  7. Attack Vectors & Threat Actors. Vectors: malware/ransomware, phishing, hacking, CEO fraud, human error / insiders, DDoS. Actors: organised crime – dedicated, motivated by profit; hacktivism – political, social motivations; “script kiddies” – curious; automated scanners/worms – systems used to identify “soft targets”; cyber terrorism – political motivations; nation states – cyber espionage/APT; insiders.
  8. Two weeks of ethical hacking Ten man-years of development
  9. Agile Risk Model Fail Early – Fail Often “Push Left” Spread-Risk
  10. Make this more difficult: let's change the application code once a month. Continuous testing: keeping pace with development, new vulnerabilities, continuous patching requirements, and new deployments (services, systems).
  11. #FullStack Security
  12. Measure “Attack Surface” & Improvement Measure Attack Surface / Asset Classification Continuous Asset Profiling and Alerting Vulnerability Type & Stack Location Time to Fix a vulnerability Most Common Vuln Areas of focus… Doing things right != Doing the right things.
  13. Context
  14. GDPR EU directive: The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). • a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraphs 5 & 6). Box ticking.
  15. Article 32, Security of Processing: “…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, …” Recital (78) “The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this regulation are met.” ”… to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.....” “…enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.”
  16. Recital (49) “The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist,…. unlawful or malicious actions…” Recital (81) “…the controller should use only processors providing sufficient guarantees…including for the security of processing.” #ProTip: Scope GDPR compliance from Data Classification upwards….
  17. Playing Catchup Legal is pushing cyber Goal: GDPR compliant by May 25th 2018 GDPR = Legal + Privacy + IT + Cyber #Fullstack Continuous Assessment is Important Visibility, Metrics and continuous improvement GDPR VendorsClients
  18. So… let's dig a little deeper…
  19. Deeper look: based on 1000s of continuous assessments in which host, web server and web application were all assessed – #fullstack. See:
  20. Vulnerability Breakdown - #fullstack
  21. Most Common Vulnerability – WebApps: the majority of vulnerabilities are “browser security” issues – attack the user! XSS is still very common, and old: first discovered in the mid 90s.
  22. Most Common Vulnerability – Infrastructure: configuration vulnerabilities are common, and the majority are TLS/SSL crypto issues. 7 systems in every 100 are “unsupported”.
  23. Risk Dispersion: more network issues are discovered, BUT most risk is on the app layer (95% of critical risk, 82% of high risk).
  24. Time-2-Fix Average Time to Fix
  25. Oldest Critical Vulnerabilities. Oldest “known” vulnerabilities discovered in 2016 by edgescan: CVE-2007-6420 - Cross-site request forgery (CSRF); CVE-2007-3847 - Apache 2.3.0 DoS; CVE-2007-5000 - Apache HTTP Server XSS; CVE-2007-6388 - Apache HTTP Server XSS. 9-year-old vulnerabilities exist in the wild on live servers. Poor/non-existent patching is the major root cause. Good news: the frequency of occurrence is between 1.5% and 3%. What else happened in 2007? The first iPhone was launched…
  26. Conclusion Consider Infosec impact from GDPR Constant assessment is important as everything changes “Push Left” – Use SAST and Review before deployment Measure Improvement and Weakness
  27. Thank YOU! @edgescan
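Added illustration, not part of the deck or of edgescan's tooling: the metrics slides 12, 23 and 24 call for (findings per layer, share of critical/high risk per layer, and mean time to fix per layer) computed over a constructed findings list; the `Finding` type and the sample data are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Finding:
    layer: str                    # "app" (web app/API) or "network" (host, TLS config)
    severity: str                 # "critical", "high", "medium" or "low"
    opened: date                  # date the assessment first reported it
    closed: Optional[date] = None # None while still unfixed


# Constructed sample of continuous-assessment findings (not real assessment data).
FINDINGS: List[Finding] = [
    Finding("app", "critical", date(2016, 1, 4), date(2016, 3, 4)),      # fixed in 60 days
    Finding("app", "critical", date(2016, 2, 1), date(2016, 3, 22)),     # fixed in 50 days
    Finding("app", "critical", date(2016, 5, 9)),                        # still open
    Finding("app", "high", date(2016, 3, 1)),
    Finding("app", "high", date(2016, 4, 11)),
    Finding("app", "medium", date(2016, 4, 12)),
    Finding("network", "critical", date(2016, 1, 4), date(2016, 1, 14)), # fixed in 10 days
    Finding("network", "high", date(2016, 1, 10), date(2016, 1, 30)),    # fixed in 20 days
    Finding("network", "medium", date(2016, 2, 2)),
    Finding("network", "medium", date(2016, 2, 3)),
    Finding("network", "medium", date(2016, 2, 4)),
    Finding("network", "medium", date(2016, 2, 5)),
    Finding("network", "low", date(2016, 3, 7)),
    Finding("network", "low", date(2016, 3, 8)),
    Finding("network", "low", date(2016, 3, 9)),
]


def findings_per_layer(findings: List[Finding]) -> Dict[str, int]:
    """Raw volume per layer: the 'more network issues' number on slide 23."""
    return dict(Counter(f.layer for f in findings))


def risk_dispersion(findings: List[Finding], severity: str) -> Dict[str, float]:
    """Percentage of findings of one severity that sit in each layer (slide 23)."""
    counts = Counter(f.layer for f in findings if f.severity == severity)
    total = sum(counts.values())
    return {layer: round(100.0 * n / total, 1) for layer, n in counts.items()} if total else {}


def mean_time_to_fix(findings: List[Finding], layer: str) -> Optional[float]:
    """Mean days from report to fix for closed findings in a layer (slide 24)."""
    days = [(f.closed - f.opened).days for f in findings if f.layer == layer and f.closed]
    return mean(days) if days else None
```

Open findings are excluded from time-to-fix, so a layer with nothing fixed yet returns `None` rather than a misleading zero.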

Editor's Notes

  1. Problems with relying on automation alone: automation (application security) doesn't understand context and can't make risk judgements (SQLi example); automation does not equal security; automation alone should not be relied upon for security; compliance: automation is used a lot for compliance, but compliance does not necessarily equal security.
  2. More high risk in app layer, but higher numbers in the network layer.
  3. “Web Application vulnerabilities take longer to fix. They are also more likely to be of higher risk (95% of critical risk issues are in the web layer). Continuous assessment and preventative activities such as SDLC security can assist in reducing risk density and lower time-2-fix”