the road to hell
play

The road to Hell is paved with best practices Image: Caution, a - PowerPoint PPT Presentation

Sep 13, 2023 •464 likes •1.19k views

The road to Hell is paved with best practices Image: Caution, a Creative Commons Attribution Non- Commercial Share-Alike (2.0) image from zippy'sphotostream Warning <RANT> Why Not all best practices seem to make us more

  1. The road to Hell… … is paved with best practices

  2. Image: Caution, a Creative Commons Attribution Non- Commercial Share-Alike (2.0) image from zippy'sphotostream Warning <RANT>

  3. Why… Not all “best practices” seem to make us more secure. Often overlooked: “…when applied to a particular condition or circumstance.”

  4. Who are we? Frank Breedijk » Security Officer at Schuberg Philis » Author of Seccubus » Blogging for CupFighter.net Email: fbreedijk@ schubergphilis.com Twitter: @ seccubus Blog: http://www.cupfighter.net Project: http://www.seccubus.com Company: http://www.schubergphilis.com

  5. Who are we? Ian Southam » Mission Critical Engineer at Schuberg Philis Email: isoutham@ schubergphilis.com Company: http://www.schubergphilis.com

  6. We look after the systems that matter… » Online banking » Public websites » Energy Trading » Portfolio and Risk management » Mobility Banking » Online retail » Enterprise Risk services » Asset management

  7. Image: Vicious Circle, a CC NC SA image from metamerist'sFlickr stream http://www.flickr.com/photos/94494883@ N00/974742/ The rules… » We will pick a “best practice” » One of will argue “Pro” the other will argue “Con” » A game of Rock, Paper, Scissors will determine who gets to choose » A raise of hands will determine the “winner” 17 juni 2011

  8. Image from: http://searchnetworking.techtarget.com.au/articles/16554- Choosing-the-right-firewall-topology?topic_id=891 Firewalls from two different vendors… Reasoning: » If one vendor has a serious flaw, there will not be a total compromise.

  9. Image: sessionsbeer bottlecaps, a CC NC SA image from C_Knaus' Flickr stream http://www.flickr.com/photos/40732569106@ N01/942653401/ Rock, Paper, Scissors Ian Frank

  10. Image: safe safer safest, a Creative Commons Attribution (2.0) image from 20918261@ N00's photostream It’slike two locks on a bicycle Most bicycle thieves in Amsterdam only know how to quickly open one type of lock

  11. Image: history of missing circles, a Creative Commons Attribution Non-Commercial Share-Alike (2.0) image from camil_t's photostream But just two locks isn’t enough… Like every technology you need to know how to apply it to benefit from it.

  12. Image from: http://searchnetworking.techtarget.com.au/articles/16554- Choosing-the-right-firewall-topology?topic_id=891 Firewalls from two different vendors… Reasoning: » If one vendor has a serious flaw, there will not be a total compromise. Reality: » Firewall bypass bugs are rare » Two rule bases » Two different technologies » Most likely outside firewall will pass anything nat-ed behind inside firewall » Most firewall brand use the same IP stack anyway

  13. Source: http://www.networkworld.com/news/2011/041211- hacker-exploit-firewalls.html Hacker ‘handshake’ hole found in common firewalls In Februari 2011 NSS Labs tested 6 high end firewalls of 6 different brands 5 out of 6 did not correctly handle the “TCP Split Handshake Attack” 17 juni 2011

  14. Polling Station a CC iamge from James Cridland’s Flickr stream http://www.flickr.com/photos/18378655@ N00/4567600547/ Your votes please… 17 juni 2011

  15. Image: Cypher Disk, a CC NC ND image from Goodimages' Flickr stream http://www.flickr.com/photos/48734911@ N00/798553392/ Cryptography 17 juni 2011

  16. Image: sessionsbeer bottlecaps, a CC NC SA image from C_Knaus' Flickr stream http://www.flickr.com/photos/40732569106@ N01/942653401/ Rock, Paper, Scissors Ian Frank

  17. Cryptography just works… » Do you use the wireless here? » What do you prefer, telnet or SSH? » Do you do any online banking?

  18. Image: silver bullet, a Creative Commons Attribution Share-Alike (2.0) image from eschipul'sphotostream Encryption is not a silver bullet… Many attacks: » Key theft » Brute force » Social engineering » End point compromise » Man in the browser attack » Man in the Middle attack » Downgrade attack » Rubber hose cryptology » Side channel attack » Cache timing attack » Replay attacks

  19. Image: Security, cartoon #538 from xkcd.com What about encryption…

  20. Old School Voting. The way it should be. a CC NC imsge from Just Us 3’s Flickr stream http://www.flickr.com/photos/73835037@ N00/292239798/ Your votes please… 17 juni 2011

  21. A password key? A CC ND image from Dev.Arka’s Flickr stream http://www.flickr.com/photos/70417422@ N00/808187848/ Passwords A password must have: » A least 8 characters » At least three of the following: • Uppercase • Lowercase • Numeral • Special character » Expire every 90 days » Not be equal to the last 12 passwords 17 juni 2011

  22. Image: sessionsbeer bottlecaps, a CC NC SA image from C_Knaus' Flickr stream http://www.flickr.com/photos/40732569106@ N01/942653401/ Rock, Paper, Scissors Ian Frank

  23. http://twitter.com/#!/melvin2001/status/72648791949443073 They prevent this…

  24. If a “security measure” is too hard… it will more likely hurt Password requirements: Likely password: 7 characters welcome 1 capital Welcome 1 numeral W3lc0m3 W3lc0m3! 1 special 10 characters W3lc0m3!!! 30 days max – cannot use last 12 Welcome01! The predictability of human behavior can aid in password cracking attempts. See the work of Matt Weir: "Using Probabilistic Techniques to Aid in Password Cracking Attacks“ http://tinyurl.com/RTHpasswd

  25. Image: S wing time, a Creative Commons Attribution (2.0) image from Dave-F’s photostream Password expiration… Changing passwords frequently narrows the window within which an account is usable to an attacker before he has to take additional steps to maintain access. ... Password expiration does not offer any benefit when an attacker wants to do all of the damage that he’s going to do right now. It does offer a benefit when the attacker intends to continue accessing a system for an extended period of time. S. Alexander, Jr. In defense of password expiration. Post to LOPSA blog, April 2006. http://lopsa.org/node/295 as of March 28, 2010.

  26. The reality The Security of Modern Password Expiration: » Using this framework, we confirm previous An Algorithmic Framework en Empirical conjectures that the effectiveness of Analysis. Y Zhang, F. Monrose and M. K. Reiter, expiration in meeting its intended goal is University of North Carolina at Chapel Hill weak. » …susceptibility of accounts to our search techniques even when passwords in those » Using a dataset of over 7700 accounts, we accounts are individually strong, assess the extent to which passwords that users choose to replace expired ones pose » and the extent to which use of particular an obstacle to the attacker’s continued types of transforms predicts the transforms access. the same user might employ in the future. » » We believe our study calls into question the … framework by which an attacker can search for a user’s new password from an continued use of expiration and, in the longer term, provides one more piece of old one. evidence to facilitate a move away from passwords altogether. [http://tinyurl.com/RTHpasswd2]

  27. Image: Hangmand, A Creative Commons, Attribution, Non- Commercial, Share-Alike images from iwinatcookie’sphotostream Complex passwords… Assumption: a ‘complex’ password is harder to crack then a ‘simple’ one… Objectif Sécurité offers online password cracking demo based on rainbow tables and SSD… » Empty password – 2 seconds » 72@ Fee4S@ mura! – 5 seconds » (689!!!<>”QTHp – 8 seconds » *mZ?9%^ jS743:! – 5 seconds » T&p/E$v-O6,1@ } – 11 seconds http://tinyurl.com/RTHpasswd3 http://tinyurl.com/RTHpasswd4

  28. a tribute to all who helped make this day wonderful! A CC NC ND image from nathij’s Flickr stream http://www.flickr.com/photos/8458705@ N04/2983707616/ No voting necessary… 17 juni 2011

  29. Image: Never useeasy –to-guessPINsa Creative Commons, Attribution, Non-commercial No Derivative Works image from kioan’sphotostream Our (personal/honest) opinion about passwords… » Should not be able to predictable • Birthday • Mothers maiden name • Name of you cat » Expiring a password regularly does not add much » You account should be blocked if somebody is guessing you password » If ‘they’ have the hashes you are toast » PIN numbers: • 4 digits • Non-complex • Never expire

  30. Image by Frank Breedijk There is strength in numbers… “Limit the number of system administrators”

  31. Image: sessionsbeer bottlecaps, a CC NC SA image from C_Knaus' Flickr stream http://www.flickr.com/photos/40732569106@ N01/942653401/ Rock, Paper, Scissors Ian Frank

  32. Image by Frank Breedijk There is strength in numbers… “Limit the number of system administrators” » You can prove a computer system is secure » You cannot prove a human is secure » Ergo: The less ‘insecure’ super users have, the more secure my system is…

  33. What is the right number of administrators… 5 25 20 47 35 50 18 35 53 17 42 15 6 19 120 33 11 28

  34. Images by Frank Breedijk Does this consider the level of the system administrators? But, are all animals equal…

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hell Defeated The Harrowing of Hell Figure: The harrowing of hell, s. xv (cc0: source) Biblical

Hell Defeated The Harrowing of Hell Figure: The harrowing of hell, s. xv (cc0: source) Biblical

Hell Defeated The Harrowing of Hell Figure: The harrowing of hell, s. xv (cc0: source) Biblical Basis signs, which God did by him, in the midst of you, as you also 2) hell, as it was impossible that he should be holden by it. (Acts have

824 views • 7 slides
THE REALITY OF HELL How We Sometimes See Hell As Something Not Real The Unbelieving and

THE REALITY OF HELL How We Sometimes See Hell As Something Not Real The Unbelieving and

THE REALITY OF HELL How We Sometimes See Hell As Something Not Real The Unbelieving and the Doubting sins are just natural human traits punishing unbelievers is unbelievable cruelty eternal punishment cannot be

217 views • 20 slides
Only a year ago Retail Rocks 2013 Stairway to Heaven or Road to Hell? Great

Only a year ago Retail Rocks 2013 Stairway to Heaven or Road to Hell? Great

Only a year ago Retail Rocks 2013 Stairway to Heaven or Road to Hell? Great scepticism about secondary assets and especially retail Panellists and speakers concluded: Markets always over-correct. Timing is absolutely right

1.16k views • 68 slides
To hell or heaven? sanitisation of records in apartheid and democratic South Africa:

To hell or heaven? sanitisation of records in apartheid and democratic South Africa:

To hell or heaven? sanitisation of records in apartheid and democratic South Africa: implications on social memory Mpho Ngoepe Department of Information Science, UNISA 12-14 February 2014 Road map Historical background of archival

457 views • 26 slides
Spreadsheet from hell preadsheet from hell What I learned in 18 months of tracking my health

Spreadsheet from hell preadsheet from hell What I learned in 18 months of tracking my health

Spreadsheet from hell preadsheet from hell What I learned in 18 months of tracking my health Katie McCurdy @katiemccurdy Ive got some autoimmune stuff Ive got some autoimmune stuff leading to symptom soup leading to

519 views • 30 slides
How can a loving god send people to hell? Let me say at the outset that I consider the concept

How can a loving god send people to hell? Let me say at the outset that I consider the concept

How can a loving god send people to hell? Let me say at the outset that I consider the concept of hell as endless torment in body and mind an outrageous doctrine, a theological and moral enormity, a bad doctrine of the tradition which needs to

258 views • 23 slides
Hashimotos Go To Hell-Part II Diving Deeper Into The Underlying Cause Keri Topouzian,

Hashimotos Go To Hell-Part II Diving Deeper Into The Underlying Cause Keri Topouzian,

Hashimotos Go To Hell-Part II Diving Deeper Into The Underlying Cause Keri Topouzian, D.O., FACOEP, FAAAM In Part I you learned: How you can reverse Hashimotos &amp; Graves Disease and tell them to go to Hell. What Hashimotos &amp;

765 views • 29 slides
Microservices and the art of taming the Dependency Hell Monster Michael Bryzek Cofounder &amp;

Microservices and the art of taming the Dependency Hell Monster Michael Bryzek Cofounder &amp;

Microservices and the art of taming the Dependency Hell Monster Michael Bryzek Cofounder &amp; ex-CTO Gilt @mbryzek mbryzek@alum.mit.edu Dependency Hell What is it and how does it happen? How do we mitigate? API design must be

972 views • 47 slides
Fluoreszenz-Mikroskopie Stefan W. Hell MPI Biophys. Chemie, Gttingen, Germany NP Chemie 2014

Fluoreszenz-Mikroskopie Stefan W. Hell MPI Biophys. Chemie, Gttingen, Germany NP Chemie 2014

Fluoreszenz-Mikroskopie Stefan W. Hell MPI Biophys. Chemie, Gttingen, Germany NP Chemie 2014 mit E. Betzig und W. Moerner Pictures/Movies of the S. W. Hell group: www.nanoscopy.de

531 views • 14 slides
So what the hell is an enzyme anyway? Whats an enzyme Where do they come from

So what the hell is an enzyme anyway? Whats an enzyme Where do they come from

So what the hell is an enzyme anyway? Whats an enzyme Where do they come from How do they work Adrian Dinsdale PhD National Olive Conference, 2017 What is an enzyme? Enzymes are biological catalysts They make

102 views • 6 slides
the subject of hell a concept that comes from the same source as all the other lies about

the subject of hell a concept that comes from the same source as all the other lies about

Pathway of Responsibility We are going to continue to look at the subject of hell a concept that comes from the same source as all the other lies about God from the deceiver who originally fooled Adam We will find that the

1.01k views • 78 slides
Manufacturing in China, what the hell! The problem is we dont understand the problem

Manufacturing in China, what the hell! The problem is we dont understand the problem

Introduction My experience And despite that! Credits Manufacturing in China, what the hell! The problem is we dont understand the problem Yoann Sculo ParisEmbedded Jan 07, 2014 Yoann Sculo Manufacturing in China, what the hell! 1

576 views • 21 slides
Programming in C Soon I will control the world! Hell llo o World ld! 1 Introduction to C

Programming in C Soon I will control the world! Hell llo o World ld! 1 Introduction to C

Programming in C Soon I will control the world! Hell llo o World ld! 1 Introduction to C C language Facilitates a structured and disciplined approach to computer program design Provides low-level access Highly portable 2

899 views • 26 slides
THE ORIGINS OF CAMP VIEW ROAD The road meets Sutton Road and Cambridge Road at a small three-way

THE ORIGINS OF CAMP VIEW ROAD The road meets Sutton Road and Cambridge Road at a small three-way

A History of Camp View Road Below is text extracted from the second Right Up My Street project presented by Romayne Hutchison and Anne Marie Kelly to Fleetville Diaries members in October 2017. THE ORIGINS OF CAMP VIEW ROAD The road

82 views • 7 slides
2013 2013 Welcome to Road Transport David Thibodeaux RTA Permian Basin Shell February 2013 1

2013 2013 Welcome to Road Transport David Thibodeaux RTA Permian Basin Shell February 2013 1

SHE HELL PERMIAN BASIN RT RT FORUM F FEB 2013 2013 Welcome to Road Transport David Thibodeaux RTA Permian Basin Shell February 2013 1 Safety Emergency exits In case of fire emergency: Remain calm Walk Use stairs; DO NOT use elevator

1.26k views • 96 slides
What the hell do business majors do all day? A serious question What does a business degree

What the hell do business majors do all day? A serious question What does a business degree

What the hell do business majors do all day? A serious question What does a business degree allow you to do? Understand how organizations operate financially, operationally, etc Figure out how people work and behave Analyze

553 views • 44 slides
H OW T O S A Y N O (W IT H OU T A C T U A LLY S A Y IN G N O)

H OW T O S A Y N O (W IT H OU T A C T U A LLY S A Y IN G N O)

H OW T O S A Y N O (W IT H OU T A C T U A LLY S A Y IN G N O) An overview of practical steps and phases in effectively growing an organisation's technical competency. Peter Brownell @greenman

417 views • 18 slides
who am I? Lead researcher at Possible Security, Latvia Hacking and breaking things

who am I? Lead researcher at Possible Security, Latvia Hacking and breaking things

who am I? Lead researcher at Possible Security, Latvia Hacking and breaking things Network flow analysis Reverse engineering Social engineering Legal dimension https://kirils.org/ twitter / @KirilsSolovjovs who

1.09k views • 79 slides
How to make package managers cry (or) How to piss off package managers (pick one) Kenneth Hoste

How to make package managers cry (or) How to piss off package managers (pick one) Kenneth Hoste

How to make package managers cry (or) How to piss off package managers (pick one) Kenneth Hoste kenneth.hoste@ugent.be GitHub: @boegel Twitter: @kehoste FOSDEM 2018 Package Management devroom Feb 3rd 2018, Brussels

796 views • 31 slides
Computational Health at UNIPI Corrado Priami corrado.priami@unipi.it Alina Srbu

Computational Health at UNIPI Corrado Priami corrado.priami@unipi.it Alina Srbu

Computational Health at UNIPI Corrado Priami corrado.priami@unipi.it Alina Srbu alina.sirbu@unipi.it Health and computer science Mathematics Health Systems informatics biology Medicine Computer Physics Science Bioinformatics

112 views • 8 slides
Mac OS X for Unix Geeks Hit The Ground Running Overview 1. System Architecture 2. System

Mac OS X for Unix Geeks Hit The Ground Running Overview 1. System Architecture 2. System

Mac OS X for Unix Geeks Hit The Ground Running Overview 1. System Architecture 2. System Administration 3. GUI Tricks 4. Command line tricks 5. Docs &amp; Resources Architecture - 1 - Directory Layout / /Applications and

648 views • 38 slides
Session 1: Concepts P . S. Langeslag 18 October 2018 Power User Someone who uses advanced

Session 1: Concepts P . S. Langeslag 18 October 2018 Power User Someone who uses advanced

Session 1: Concepts P . S. Langeslag 18 October 2018 Power User Someone who uses advanced functionality Example: regular expressions Does a Power User Need Linux? No; but it helps to have a terminal and a range of POSIX-compliant tools.

565 views • 35 slides
Informatics 1 Computation and Logic Lecture 1: Communication Michael Fourman @mp4man 1

Informatics 1 Computation and Logic Lecture 1: Communication Michael Fourman @mp4man 1

Informatics 1 Computation and Logic Lecture 1: Communication Michael Fourman @mp4man 1 Informatics The science of systems that sense, store, process, communicate, or act on information 2 software, hardware, people, &amp; things 3 4

551 views • 30 slides
CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 17: Web Security Slide credits:

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 17: Web Security Slide credits:

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 17: Web Security Slide credits: Prof. Vitaly Shmatikov, UT-Austin. Browser and Network request website Browser reply Network OS Hardware February 12, 2002 Microsoft Issues

834 views • 62 slides

More recommend