Why continuous assessment is required. How to keep pace with development and secure constant change. Vulnerability statistics across the full stack. The most common security issues in the web application and host layers.
Why am I here??
“Doing” security for quite a while….
Before SAST, DAST, IAST, CI, CD were “things”;
Was a Software Developer & Moved to Software Breaking;
Was a Leader of Global Penetration Engagements Team for EY;
Wrote/Contributed to the OWASP Testing Guide, OWASP Code Review Guide, OWASP CISO Guide, OWASP SAMM….
Responsible for some of the most impactful security breaches* against Irish financial institutions in the last 10 years. *ethical security assessments
What we do….
Effective, Scalable #Fullstack Vulnerability Management 4
#fullstack vulnerability management
Web Applications, API and Host
Managed Service
Continuous Assessment
False-Positive free
Manages over 100,000 systems globally.
Professional Services
Penetration Testing
Software Security
Red Teaming
DDoS
System Hardening
Security Architecture
Compliance
edgescan™…basis for measurement
• edgescan™ is a sophisticated, enterprise-grade vulnerability assessment and management solution that gives you the tools you need to control and manage IT security risk
• edgescan™ helps small, medium-sized and large enterprises identify and remediate known vulnerabilities in any platform or web application
• edgescan™ is a cloud-based SaaS which provides a unique combination of technology and human expertise to assist you with maintaining a strong security posture
2017 – so far
• Lloyds 48hr DDoS – 20,000,000
• Trump – administration details leaked
• Clash of Clans – 1,000,000
• Cellebrite – 900 GB of Data
• SWIFT – Fake Trade Documents - 3 banks – India
• CoPilot – GPS – 220,000 Records
• Sentara HealthCare – 5,000 Patient records
Globally, every second, 18 adults become victims of cybercrime - Symantec
“The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history” - Gen. Keith Alexander
“One hundred BILLION dollars” - Dr Evil
Eoin, I didn’t click it – My Mam
Attack Vectors & Threat Actors
Malware/Ransomware
Phishing
Hacking
CEO Fraud
Human Error / Insiders
DDoS
Organised Crime – Dedicated. Motivated by profit
Hacktivism – political, social motivations
“Script kiddies” - curious
Automated scanners/worms – systems used to identify “soft targets”
Cyber Terrorism – Political motivations
Nation States: Cyber Espionage/APT
Insiders
Two weeks of ethical hacking
Ten man-years of development
Make this more difficult: let's change the application code once a month.
Continuous Testing:
Keeping Pace with: Development
New Vulnerabilities
Continuous patching requirements
New Deployments (Services, Systems)
Measure “Attack Surface” & Improvement
Measure Attack Surface / Asset Classification
Continuous Asset Profiling and Alerting
Vulnerability Type & Stack Location
Time to Fix a vulnerability
Most Common Vulnerability
Areas of focus…
Doing things right != Doing the right things.
GDPR (EU regulation):
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU).
• a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraphs 5 & 6)
Box ticking
Article 32, Security of Processing:
“…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, …”
Recital (78)
“The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this regulation are met.”
“… to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.....”
“…enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.”
Recital (49)
“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist,…. unlawful or malicious actions…”
Recital (81)
“…the controller should use only processors providing sufficient guarantees…including for the security of processing.”
#ProTip: Scope GDPR compliance from Data Classification upwards….
Playing Catchup
Legal is pushing cyber
Goal: GDPR compliant by May 25th 2018
GDPR = Legal + Privacy + IT + Cyber
#Fullstack Continuous Assessment is Important
Visibility, Metrics and continuous improvement
GDPR – Vendors – Clients
Deeper Look….
Based on thousands of continuous assessments using edgescan.com
Host, web server and web application all assessed - #fullstack
See: https://edgescan.com/resources.php
Most Common Vulnerability - WebApps
Majority of vulnerabilities are “browser security” issues – attack the user!!
XSS is still very common and old: first discovered in the mid 90’s
Most Common Vulnerability - Infrastructure
Configuration vulnerabilities are common
Majority are TLS/SSL crypto
7 systems in every 100 are “unsupported”
Risk Dispersion
More network issues discovered
- BUT -
Most risk is on the app layer
(95% of Critical Risk)
(82% of High Risk)
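The measurement slide (attack surface, vulnerability type and stack location, time to fix) and the risk dispersion figures above describe metrics without showing how they are computed. The following is an added example, not edgescan's code, that computes those three metrics over a constructed set of findings (layer, risk rating, opened/closed dates; all values invented):

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed sample findings (not edgescan data): the stack layer the issue
# lives in, its risk rating, and the dates it was opened and closed (None = open).
def finding(layer, risk, opened, closed=None):
    return {"layer": layer, "risk": risk, "opened": opened, "closed": closed}

FINDINGS = [
    finding("web", "critical", date(2017, 1, 3), date(2017, 3, 4)),
    finding("web", "critical", date(2017, 2, 1), date(2017, 3, 3)),
    finding("host", "critical", date(2017, 2, 10), date(2017, 2, 20)),
    finding("web", "high", date(2017, 1, 10), date(2017, 2, 24)),
    finding("web", "high", date(2017, 3, 1)),
    finding("web", "high", date(2017, 1, 15), date(2017, 2, 4)),
    finding("host", "high", date(2017, 1, 5), date(2017, 1, 12)),
    finding("host", "medium", date(2017, 1, 20), date(2017, 1, 25)),
    finding("host", "low", date(2017, 2, 1), date(2017, 2, 3)),
    finding("host", "medium", date(2017, 3, 10), date(2017, 3, 18)),
    finding("host", "low", date(2017, 3, 12), date(2017, 3, 14)),
    finding("host", "medium", date(2017, 3, 20)),
]
REPORT_DATE = date(2017, 4, 1)  # constructed "as of" date for still-open findings

def layer_counts(findings):
    """Raw volume per layer: the network/host layer usually wins this count."""
    return Counter(f["layer"] for f in findings)

def risk_dispersion(findings):
    """For each risk rating, the fraction of findings sitting in each layer
    (the deck's '95% of critical risk is in the app layer' style metric)."""
    by_risk = defaultdict(Counter)
    for f in findings:
        by_risk[f["risk"]][f["layer"]] += 1
    return {risk: {layer: n / sum(c.values()) for layer, n in c.items()}
            for risk, c in by_risk.items()}

def median_time_to_fix(findings, today):
    """Median days from discovery to closure per layer. Findings still open
    are aged to `today` so unclosed items do not flatter a slow layer."""
    ages = defaultdict(list)
    for f in findings:
        end = f["closed"] or today
        ages[f["layer"]].append((end - f["opened"]).days)
    return {layer: median(days) for layer, days in ages.items()}

if __name__ == "__main__":
    print(layer_counts(FINDINGS), risk_dispersion(FINDINGS),
          median_time_to_fix(FINDINGS, REPORT_DATE))
```

On this sample the host layer has more findings (7 vs 5) while two thirds of the critical and three quarters of the high findings sit in the web layer, and the web layer's median time to fix is far longer, which is the pattern the slides report.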
Oldest Critical Vulnerabilities
Oldest “Known” vulnerability discovered in 2016 by edgescan;
CVE-2007-6420 - Cross-site request forgery (CSRF)
CVE-2007-3847 - Apache 2.3.0 DoS
CVE-2007-5000 - Apache HTTP Server XSS
CVE-2007-6388 - Apache HTTP Server XSS
9-year-old vulnerabilities exist in the wild on live servers. Poor or non-existent patching is the major root cause.
Good News is the frequency of occurrence is between 1.5% and 3%
What else happened in 2007?
First iPhone was launched…
Conclusion
Consider Infosec impact from GDPR
Constant assessment is important as everything changes
“Push Left” – Use SAST and Review before deployment
Measure Improvement and Weakness
- Problems with relying on automation alone….
- Automation (application security) doesn’t understand context – it can’t make risk judgments (SQLi example)
- Automation does not equal security
- Automation alone should not be relied upon for security
- Compliance – automation is used a lot for compliance, but compliance does not necessarily equal security
More high risk in app layer, but higher numbers in the network layer.
“Web Application vulnerabilities take longer to fix. They are also more likely to be of higher risk (95% of critical risk issues are in the web layer). Continuous assessment and preventative activities such as SDLC security can assist in reducing risk density and lower time-2-fix”