Security Pitfalls. A review of recurring failures. Dr. Dominik Herrmann. Download slides at https://dhgo.to/pitfalls

Similar documents
716 West Ave Austin, TX USA

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

2014 TRANSIT CEOs SEMINAR. Cybersecurity What Every CEO Should Know to Help Secure the System

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Cyber Risks in the Boardroom Conference

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Legal Issues Surrounding the Internet of Things and Other Emerging Technology

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

Vulnerabilities in online banking applications

Troubleshooting and Cyber Protection Josh Wheeler

Business White Paper. Healthcare IT In The Cloud: Predicting Threats, Protecting Patient Data

Gujarat Forensic Sciences University

Effective Strategies for Managing Cybersecurity Risks

Cyber Security Audit & Roadmap Business Process and

About The Presentation 11/3/2017. Hacker HiJinx-Human Ways to Steal Data. Who We Are? Ethical Hackers & Security Consultants

Intelligent Building and Cybersecurity 2016

Governance Ideas Exchange

Cyber security for digital substations. IEC Europe Conference 2017

Cyberspace : Privacy and Security Issues

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Security Standardization and Regulation An Industry Perspective

Keys to a more secure data environment

Cybersecurity, safety and resilience - Airline perspective

CYBER SECURITY AND MITIGATING RISKS

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

CITADEL INFORMATION GROUP, INC.

Train employees to avoid inadvertent cyber security breaches

Managing an Active Incident Response Case. Paul Underwood, COO

Take Risks in Life, Not with Your Security

Cybersecurity Today Avoid Becoming a News Headline

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

10 FOCUS AREAS FOR BREACH PREVENTION

Restech. User Security AVOIDING LOSS GAINING CONFIDENCE IN THE FACE OF TODAY S THREATS

Monthly Cyber Threat Briefing

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Protect Yourself Against VPN-Based Attacks: Five Do s and Don ts

Cyber Security in the Maritime Sector Threats, Trends and Reality

The Credential Phishing Handbook. Why It Still Works and 4 Steps to Prevent It

Heavy Vehicle Cyber Security Bulletin

Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS


Caribbean Cyber Security: Not Only Government s Responsibility

Information Security in Corporation

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

ANATOMY OF AN ATTACK!

Top Ten IT Security Risks CHRISTOPHER S. ELLINGWOOD SENIOR MANAGER, IT ASSURANCE SERVICES

The Road to Industry 4.0

CISO Success Strategies: On Becoming a Security Business Leader

Cybersecurity Auditing in an Unsecure World

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Cybersecurity. Overview. Define Cyber Security Importance of Cyber Security 2017 Cyber Trends Top 10 Cyber Security Controls

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Ensuring System Protection throughout the Operational Lifecycle

2017 Annual Meeting of Members and Board of Directors Meeting

God is in the Small Stuff and it all matters. .In the Small Stuff. Security and Ethical Challenges. Introduction to Information Systems Chapter 11

NIST Cybersecurity Framework Protect / Maintenance and Protective Technology

European Union Agency for Network and Information Security

Cyber Security. Building and assuring defence in depth

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

C1: Define Security Requirements

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Cybersecurity for Health Care Providers

Personal Cybersecurity

Methods for Reducing Cybersecurity Vulnerabilities of Power Substations Using Multi-Vendor Smart Devices in a Smart Grid Environment

CHAPTER 8 SECURING INFORMATION SYSTEMS

Where Does Your Firm Fall?

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Industrial Security - Protecting productivity IEC INDA

CYBERSECURITY PENETRATION TESTING - INTRODUCTION

Lookout's cybersecurity predictions

Certified Cyber Security Analyst VS-1160

ADAPTIVE AUTHENTICATION ADAPTER FOR IBM TIVOLI. Adaptive Authentication in IBM Tivoli Environments. Solution Brief

Cyber Risk in the Marine Transportation System

Are You Avoiding These Top 10 File Transfer Risks?

What It Takes to be a CISO in 2017

ELECTRONIC BANKING & ONLINE AUTHENTICATION

SHA-1 to SHA-2. Migration Guide

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Fraud and Social Engineering in Community Banks

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

The Internet of Things. Steven M. Bellovin November 24,

Designing Secure Medical Devices

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners.

Cyber Resilience Solution for Smart Buildings

Agenda. Security essentials. Year in review. College/university challenges. Recommendations. Agenda RSM US LLP. All Rights Reserved.

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Department of Management Services REQUEST FOR INFORMATION

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

Will you be PCI DSS Compliant by September 2010?

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

2015 Online Trust Audit & Honor Roll Methodology

Cyber fraud and its impact on the NHS: How organisations can manage the risk

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

Securing Information Systems

Penetration Testing! The Nitty Gritty. Jeremy Conway Partner/CTO

Express Monitoring 2019

Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable?

Transcription:

Security Pitfalls A review of recurring failures Dr. Dominik Herrmann Download slides at https://dhgo.to/pitfalls

Research on security, privacy, online tracking, forensics. Postdoc researcher University of Hamburg Temporary professor University of Siegen Junior Fellow German Informatics Society For common Internet Crime Schemes see http://www.ic3.gov/crimeschemes.aspx 2

Media reports about security revolve around fear, uncertainty, and doubt. 3

Many vulnerabilities could be avoided, if vendors followed best practices and security management standards. https://www.enisa.europa.eu/activities/resilience-and-ciip/smart-infrastructures/intelligent-public-transport/goodpractices-recommendations/at_download/fullreport 4

Problem: Best practices are often abstract and of organizational nature. OPERATORS integrate cybersecurity in corporate governance implement a strategy addressing holistically cyber security & safety risks implement risk mgmt. for cybersecurity in multi-stakeholder environments incl. contractors and dependencies clearly and routinely specify their cyber security requirements annually review cybersecurity processes, practices and infrastructures MANUFACTURERS create products/solutions that match the cybersecurity requirements of endusers collaborate in the development of IPTspecific standards and apply them to IPT solutions develop a trusted information sharing platform on risks and vulnerabilities provide security guidance for systems, products and solutions https://www.enisa.europa.eu/activities/resilience-and-ciip/smart-infrastructures/intelligent-public-transport/goodpractices-recommendations/at_download/fullreport 5

As more and more data is stored and processed, securing data against attacks becomes more important. DATA MANIPULATION integrity confidentiality DATA LEAKS availability RANSOMWARE ORGANIZATIONAL DOXING https://www.schneier.com/blog/archives/2016/09/organizational_1.html 6

The Classical Engineering Perspective PROACTIVE SECURITY 7

Weakness 1: Out of sight, out of mind 8

Exploiting known vulnerabilities is still a very successful attack vector. Vendors and users fail to patch their software in a timely manner. MossackFonseca ran old Outlook Web Access (2009), Drupal (2013, 25 vulns) Heartbleed (2014) 128k vulnerable devices in 9/2016 http://www.wired.co.uk/news/archive/2016-04/06/panama-papers-mossack-fonseca-website-security-problems 9

UltraReset attack on MiFare Ultralight (New Jersey & San Francisco, 2012) still works in 2016 (Vancouver) http://bc.ctvnews.ca/security-flaw-lets-smartphone-users-hack-transit-gates-1.2852464 10

Weakness 2: Fools with tools don t know their trade 11

Due to unawareness, carelessness, and haste, vendors ship products with embarrassing security holes, for instance in user authentication. ABUS, Blaupunkt, Lupus alarm systems (2016): insecure default passwords can be disabled without the PIN also: Loxone Smart Home (2016) http://heise.de/-3248831 and http://heise.de/-3308004 12

Many industries are currently learning how to do security properly. Vaillant heatings (2015): authentication and password check performed by a Java applet in the user s browser http://www.hotforsecurity.com/blog/vulnerability-in-vaillant-heating-systems-allows-unauthorized-access-5926.html 13

Weakness 3: Underestimating the adversary 14

Insecure designs result from software developers making poor decisions because of wrong assumptions. BMW ConnectedDrive (2015) all cars used the same cryptographic key communication with BMW servers was not protected Impact: car doors could be unlocked by sending a faked SMS to the car http://www.forbes.com/sites/thomasbrewster/2015/02/02/bmw-door-hacking/ 15

Insecure designs result from software developers making poor decisions because of wrong assumptions. BMW ConnectedDrive (2015) all cars used the same cryptographic key communication with BMW servers was not protected No one is able to reverse engineer the hardware where the key is stored set up a fake GSM network to send an SMS to the car Impact: car doors could be unlocked by sending a faked SMS to the car 16

Insecure designs result from software developers making poor decisions because of wrong assumptions. BMW ConnectedDrive (2015) all cars used the same cryptographic key communication with BMW servers was not protected Researchers just did it. reverse engineer the hardware where the key is stored set up a fake GSM network to send an SMS to the car Impact: car doors could be unlocked by sending a faked SMS to the car 17

Insecure designs result from software developers making poor decisions because of wrong assumptions. http://fortune.com/2016/08/11/volkswagen-car-remote-warning/ 18

Weakness 4: Outsourcing security to vendors can get out of hand quickly 19

The RFID tickets used for public transport in Berlin stored the last 10 waypoints, which could be used to create personal location profiles of commuters. operators denied the leak until proven wrong claimed that tracking was enabled by vendor without their knowledge http://glm.io/118226 20

Weakness 5: Social Engineering 21

High-profile frauds heavily rely on social engineering. Fake President Fraud also: Spear Phishing http://www.securityweek.com/austrian-firm-fires-ceo-after-56-million-cyber-scam https://www.leoni.com/en/press/releases/details/leoni-targeted-by-criminals/ 22

Consumers have privacy rights, e.g. to access and delete their personal data. Handling requests is very frustrating for consumers and vendors. We conducted a field study with 150 apps and 120 websites. Even after the second mail only 1 in 2 vendors complied. 1 in 4 website owners could be tricked into sending the data to a different e-mail address. Most vendors deleted our accounts without prior confirmation. http://arxiv.org/abs/1602.01804 23

The Classical Engineering Perspective PROACTIVE SECURITY A More Recent Approach REACTIVE SECURITY 24

It is difficult to track down proficient adversaries. anonymized communications cryptographic currencies https://bitcoin.org, https://torproject.org 25

intrusion detection find anomalies (logging & audits) emergency protocols operations and communications not all hackers are equal blackhats vs. whitehats 3 CONSIDERATIONS FOR REACTIVE SECURITY 26

Vendors often miss the opportunity to collaborate with security researchers. opportunity for vendors bugs uncovered by the security community https://www.schneier.com/blog/archives/2013/08/scientists_bann.html 27

Vendors often miss the opportunity to collaborate with security researchers. opportunity for vendors bugs uncovered by the security community https://www.cnet.com/news/judge-orders-halt-to-defcon-speech-on-subway-card-hacking/ 28

As a result there is a flourishing black market for security vulnerabilities. In response, the software industry has started to set up bug bounty programs. black market for zero-day exploits white market bug bounty programs opportunity for vendors bugs uncovered by the security community 29

Security Pitfalls TAKE-AWAY MESSAGES 1 2 3 Consider attacks on confidentiality, integrity, and available of your (customers ) data. Learn from attacks on others and avoid common mistakes in proactive measures. Prepare to react to security incidents and collaborate with the security community. Dr. Dominik Herrmann dh@exomail.to Slides: https://dhgo.to/pitfalls

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback