1. Top 5 Myths of IT Security
in the Light of Current Events
Advisor for your information security.
Version: 1.0
Author: S.Streichsbier
Responsible: S.Streichsbier
Date: 05.10.2011
Confidentiality: Public
2. Agenda
• Introduction
• Top 5 IT Security Myths
• Reality Check – Current Events
• Conclusion
2 © 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved
3. SEC Consult – Who we are
Since foundation in 2002 SEC Consult delivered more than 1000 IT security projects.
Offices in Austria (HQ), Germany, Lithuania, Canada and Singapore (since 2011)
25+ Security Professionals
Well established in Central and Eastern Europe
[World map: SEC Consult headquarter, offices and clients in Austria, Germany, Lithuania, Canada, Singapore, the United States of America and Central and Eastern Europe]
4. SEC Consult - Overview
• Team of highly skilled, internationally recognized security experts
• Regular speakers on international conferences
• Publish security advisories, whitepapers
• Awards (e.g. “PWNIE” Award 2009)
• Internal Vulnerability Lab
○ Responsible Disclosure Policy
• Holistic approach to cover all facets of information security
• Diverse experience in technical and organizational IT security
• Independent from vendors
• No off-the-shelf products
• Tailor-made solutions
• Confidentiality and data security is guaranteed
5. Agenda - Workshop Day I:
• Introduction
• Top 5 IT Security Myths
• Reality Check – Current Events
• Conclusion
6. Top 5 IT Security Myths
5 - Hackers=Geniuses
„Only a genius can break into my network“
7. Top 5 IT Security Myths – Hackers=Geniuses (1)
• The Myth: Hacking requires secret Ninja skills
• True 20 years ago
• Today, knowledge and tools are out there
• Huge security community
• Exploits and hacking tools released every day
• Commercial exploit kits
• Hacking can be learned (CEH, university,...)
8. Top 5 IT Security Myths – Hackers=Geniuses (2)
Anybody can launch a tool!
9. Top 5 IT Security Myths – Hackers=Geniuses (3)
Hackers are:
• Hacking for fun / hacktivism
 ○ Anonymous / LulzSec
 ○ Kids looking for attention
• Hacking for profit
 ○ Huge underground economy
 ○ Exploit Kits, Phishing Kits, etc.
 ○ Botnets
• Cyber warfare
 ○ Stuxnet (admittedly very advanced)
 ○ Shady RAT
 ○ Operation Aurora
10. Top 5 IT Security Myths
4 – Updates and AV
„Software Updates and Anti Virus are enough to keep
a system safe“
11. Top 5 IT Security Myths – 4. Updates and AV
Myth: I am safe; my AV will protect me from trojans, viruses and worms.
• Facts
 ○ Timeliness (delay)
 ○ Completeness
 ○ Protection against known security issues; vulnerabilities in proprietary applications are not covered
 ○ Important part of client security (the user still has to be responsible)
• AV also has flaws
 ○ Detection rate / effectiveness heavily discussed
 ○ False positives: Chrome browser is a virus?
12. Excerpt of “disclosed” vulnerabilities on 24.6.2011
• 8,562 new vulnerabilities were disclosed in 2010 (27% more than 2009).
• 49 percent of all vulnerabilities affect web applications.
• 44 percent of vulnerabilities remained unpatched by the end of 2010.
Source: X-Force Trend and Risk Report 2010
Sources: http://www.securityfocus.com/
13. Top 5 IT Security Myths
3. Easy solutions
„Product X solves all my security problems“
14. Top 5 IT Security Myths – Easy solutions (1)
• The Myth: Product X solves all security problems out of the box
 ○ IPS X will block all attacks on my network automatically
 ○ If I just install web application firewall Y it will protect my web application
• Fact: Security products are useless without careful configuration and maintenance
 ○ Off-the-shelf solutions do not work!
 ○ Vendor marketing sometimes adds to the myth
15. Top 5 IT Security Myths – Easy solutions (2)
• Web application firewalls are usually easily bypassed
 ○ Bypassing preconfigured signatures
  – There are unlimited ways to formulate and encode an attack
  – Web applications have unique vulnerabilities
 ○ Bypassing behaviour-based analysis
  – May detect some anomalies, but attacks can look like normal traffic
  – Application logic attacks
• To make a WAF work, the configuration has to be tailored to the web application in question
16. Top 5 IT Security Myths – Easy solutions (3)
• IDS / IPS should be added as part of a defense-in-depth approach
• WAF can be used in certain situations
 ○ If it is impossible or too expensive to fix the web application
 ○ For compliance (PCI DSS)
• It is always preferable to apply preventive controls at the core!
 ○ Secure configuration
 ○ Secure development practices
17. Top 5 IT Security Myths
2 - Encryption
„My server is secure because it uses SSL.“
18. Top 5 IT Security Myths – Encryption
• The Myth: Something that is encrypted is automatically secure
 ○ Hackers first have to break the encryption to break in
• Fact: Encryption ensures confidentiality & integrity in some scenarios
 ○ Needed for secure network traffic, file storage, proof of identity
• Hackers find ways around the encryption!
 ○ Breaking the keys is practically impossible in most cases anyway
 ○ Attacks on the public key infrastructure (CAs)
 ○ Attacks on the algorithm / implementation (BEAST)
 ○ Attacks on users (Man-in-the-Middle with a spoofed certificate)
 ○ Application vulnerabilities
• A web server that uses HTTPS is NOT automatically secure!
19. Top 5 IT Security Myths
1 – The Firewall
„A device that protects against hackers“
20. Top 5 IT Security Myths – The Firewall (2)
Myth: In order to attack servers behind the firewall, hackers need to “break through” the firewall
• Facts
 ○ Firewalls provide a very small attack surface for hackers
 ○ Usually straightforward to configure
 ○ Normally a hacker does not have to bypass a firewall
 ○ A hacker would target the low-hanging fruit, which in almost all cases are vulnerable applications
 ○ HTTP = UFBP (universal firewall bypass protocol)
21. Web applications – the weakest link
[Diagram: an attacker on the Internet reaches the web server with vulnerable applications in the public (extern) DMZ; AD, DB and file share sit in the internal (intern) LAN behind it]
86% of all attacks are carried out over the application layer
22. Top 5 IT Security Myths – The Firewall (3)
Myth: The firewall will block attacks and make sure that everything that passes through is safe/secure
• Facts
 ○ Traditionally a firewall is only a packet filter
 ○ Packets can only be blocked at the level the firewall understands
 ○ A firewall has no understanding of the application layer
 ○ A firewall cannot verify whether communication to an exposed service is malicious
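The point of slides 20 to 22 in runnable form, as an added example that is not part of the original deck: a packet filter decides on the 5-tuple alone, so a request carrying bad input to the exposed web server matches the same "allow tcp/80 to DMZ" rule as a benign one, and only an application-layer check can tell them apart. The addresses, the rule set and the parameter schema are constructed assumptions.

```python
import ipaddress
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit

# Constructed addressing (assumption, not from the slides): web server in the
# public DMZ 10.1.1.0/24, DB/AD/file share in the internal LAN 10.2.0.0/16.
DMZ = ipaddress.ip_network("10.1.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

Flow = namedtuple("Flow", "src dst proto dport")          # what a packet filter sees
Rule = namedtuple("Rule", "action dst_net proto dport")   # dport None = any port

# Typical perimeter policy: only HTTP/HTTPS may reach the DMZ, everything else is dropped.
RULES = [Rule("allow", DMZ, "tcp", 80),
         Rule("allow", DMZ, "tcp", 443),
         Rule("deny", ANY, "any", None)]

def filter_decision(flow, rules=RULES):
    """First matching rule wins. The filter never sees the payload, so a malicious
    HTTP request to the exposed web server matches the same rule as a benign one."""
    dst = ipaddress.ip_address(flow.dst)
    for r in rules:
        if dst in r.dst_net and r.proto in ("any", flow.proto) and r.dport in (None, flow.dport):
            return r.action
    return "deny"   # default deny when no rule matches

def app_layer_violations(url, schema):
    """Application-layer control the packet filter cannot provide: every query
    parameter must be declared in the schema and int parameters must be digits only."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    problems = []
    for name, values in params.items():
        if name not in schema:
            problems.append(f"unexpected parameter {name!r}")
        elif schema[name] is int and not all(v.isdigit() for v in values):
            problems.append(f"parameter {name!r} is not an integer: {values}")
    return problems

if __name__ == "__main__":
    client = "203.0.113.7"                                 # constructed public client
    for url in ("/item?id=42", "/item?id=abc&debug=1"):   # both ride on tcp/80
        print(url, filter_decision(Flow(client, "10.1.1.10", "tcp", 80)),
              app_layer_violations(url, {"id": int}))
    print("direct DB access:", filter_decision(Flow(client, "10.2.0.5", "tcp", 3306)))
```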
23. Application Security
• ”In 86% of all attacks, a weakness in a web interface was exploited (vs. 14% infrastructure) and the attackers were predominately external (80%)”
Source: UK Security Breach Investigations Report 2010
24. Web Security 1998-2010
• Web application related vulnerabilities have increased rapidly in the last years
• Reasons:
 ○ New technologies
 ○ More applications
 ○ More information
Source: IBM X-Force® 2010 Trend and Risk Report
25. Attacks on Web Applications
• Organized crime focuses on web applications
”You will see less shotgun types of attacks and more stealthy kinds of attacks going after financial information because there are whole new sets of ways to make money”
--- Amrit Williams, Research Director at Gartner, Reuters 13.2.2006
Source: Web Hacking Incident Database 2010 Semi Annual Report – 2 (July-December)
26. Myths – Summary
• Off-the-shelf solutions:
 ○ Security products are useful for specific areas
 ○ Level your expectations (strengths/weaknesses)
 ○ Security is a continuous process, be doubtful of miracles
• Prevention/Detection
 ○ Necessary to have good detection mechanisms
 ○ Continuous monitoring of the results
• Planning
 ○ IT Security can only be achieved by a holistic approach
 ○ ISM is essential to implement the right processes
• It is always preferable to apply preventive controls at the core!
27. Contact Details
Singapore
SEC Consult Singapore Pte. Ltd.
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Tel: +65 31080365
Email: office@sec-consult.sg
www.sec-consult.sg

Austria
Mooslackengasse 17
A-1190 Vienna
Austria
Tel: +43-(0)1-890 30 43-0
Fax: +43-(0)1-890 30 43-15
Email: office@sec-consult.com
www.sec-consult.com