2. Alison Gianotto (aka “snipe”)
WHO AM I?
• Former agency CTO/CSO
• CTO of Anysha.re
• Creator of Snipe-IT FOSS project
• Security & privacy advocate
• 20 years in IT and software dev
• Co-author of a few PHP/MySQL books
• @snipeyhead on Twitter
DomCode 2016 - Utrecht - #DomCode16
5. WHAT KINDS OF THREATS?
• Not always hackers
• Physical threats: natural disasters, such as flood, fire, earthquakes, etc.
• Logical threats: bugs in hardware, power failures
• Human threats: non-malicious and malicious threats, such as disgruntled employees and hackers
7. ONE SIZE DOES NOT FIT ALL
Risk looks different for each organization.
8. IT IS IMPOSSIBLE TO ANTICIPATE OR MITIGATE EVERY RISK.
9. WHY SHOULD YOU CARE?
Security breaches cost a company reputation, money, time & trust.
10. WHY SHOULD YOU CARE?
Identity theft and security vulnerabilities affect the lives of real people - your users.
11. WHY SHOULD YOU CARE?
Source: Forbes Magazine, Aug 3, 2013
12. WHY SHOULD YOU CARE?
Source: BoingBoing - Nov 3, 2016
13. WHY SHOULD YOU CARE?
Even if your product can’t be weaponized, the data you store and the trust your users have in you can be.
15. In 2013, 61% of reported attacks targeted small and medium businesses, UP from 50% in 2012.
Source: Verizon Communications 2013 Data Breach Investigations Report
16. One study found that compromises of mid-size firms rose 64% from 2013 to 2014.
Source: Global State of Information Security Survey 2015
19. WAYS THEY USE YOUR PRODUCT
• Reflected XSS
• Persistent XSS
• CSRF
• SQL Injection
• Remote file inclusion
• Local file inclusion/directory traversal
• Defacement for SEO (pharma, etc)
• Privilege escalation
• Malware delivery
• Other stuff you know from OWASP
20. WAYS THEY USE YOU
• Stealing credentials from other websites, hoping you re-use passwords across sensitive systems
• Spear-phishing
• Watering hole attacks
• Social engineering
• Malware
• Insecure third-party vendors
22. DEFENSE IN DEPTH CHALLENGES
• Larger, more complicated systems can be harder to maintain:
  • Leads to more cracks for bad guys to poke at
  • More surfaces that can be overlooked
• The bad guys have nearly limitless resources. We don’t.
• Attacks are commoditized now. Botnets for < $2/hour and Internet of Shit (Mirai DynDNS attack)
26. CONFIDENTIALITY RISKS
• No brute-force detection
• No vetting of how third-party vendors use/store customer data
• Information leakage from login messages (timing attacks, etc.)
• SQL injection
• Privilege escalation leading to admin access
• Passwords shared across websites
• Improper disposal/destruction of personal data
• Lost/stolen devices
• Insider threats
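Two of the risks on this slide, missing brute-force detection and information leakage from login messages, shown in a leaky login handler next to a hardened one. This is an added Python example, not code from the talk; the user store, the dummy hash and the five-attempt lockout threshold are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed user store: username -> (salt, PBKDF2 hash). Not real data.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

# Dummy salt/hash used when the username is unknown, so the same hashing work
# (and therefore the same response time) happens for known and unknown users.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2("placeholder", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Leaks which usernames exist: distinct messages and a fast path for unknown users."""
    if username not in USERS:
        return "No such user"               # returns before any hashing: timing + message leak
    salt, stored = USERS[username]
    if _pbkdf2(password, salt) == stored:   # plain == stops at the first differing byte
        return "OK"
    return "Wrong password"                 # different text confirms the account exists


MAX_FAILURES = 5                            # constructed threshold for the lockout
_failures = defaultdict(int)                # per-username failed-attempt counter


def login_hardened(username: str, password: str) -> str:
    """Uniform message, equal work for known/unknown users, constant-time compare, lockout."""
    if _failures[username] >= MAX_FAILURES:
        return "Too many attempts"          # brute-force detection: refuse after N failures
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_pbkdf2(password, salt), stored)
    if ok and username in USERS:
        _failures[username] = 0
        return "OK"
    _failures[username] += 1
    return "Invalid username or password"   # same text whether the user or the password is wrong
```

In production the failure counter would live in shared storage and also be keyed by source address, but the two properties shown here (one message, one code path) are the part that removes the leak.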
27. INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
35. 77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
36. BREACH GROWTH
Data Stolen:
• credit card info
• birth dates
• gov ID numbers
• home addresses
• medical records
• phone numbers
• financial information
• email addresses
• login
• passwords
[Chart: Identities Stolen by Year (in Millions), 2011 to 2016*]
Source: Symantec Internet Security Threat Report 2014 / 2015
37. ATTACKS PER DAY
[Chart: attacks per day by year, 2011 to 2016]
Source: Symantec Internet Security Threat Report 2014/2016
46. RISK MATRIX:
• Type
• Third-Party
• Service Description
• Triggering Action
• Consequence of Service Failure
• Risk of Failure
• Probability of Failure
• User Impact of Failure
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info
Grab a starter template here!
http://snipe.ly/risk_matrix