Automation: The insider threat you didn't know you had
Cyber Wars Day 2 (Technical), 2018
John Gleason, DevOps Engineer

About ISE
Perspective: White box
Analysts: Hackers; Cryptographers; RE
Exploits: iPhone; Android; Ford; Exxon; Diebold
Research: Routers; NAS; Healthcare
Customers: Companies with high value assets

About Me
- ISE for 6 months
- Previously with Accenture
- I write lots of PowerShell
- Spend lots of time designing, building, and maintaining cloud environments

Introduction
Automation is everywhere. I leveraged my experience scripting games to automate IT systems.
My experience comes from:
- Automated compliance audit tools
- Automated orchestration systems
- CI/CD systems leveraging industry standard toolchains

Goals
- Describe common automation patterns / problems
- Classify these issues
- Pose questions for use in audits

Development Automation
Git, Subversion, TFVC

Source and version control systems automate the business logic of maintaining source code.

Source control through a telescope
- Central system tracks all changes or modifications
- Keeps full history of changes
- Allows for simultaneous edits, coordinates conflict resolution
- Source code copied to developer machines for edit

Secrets in Source
If you don't have ANY, go get yourself some refreshment. But, for the rest of us...

What's the threat?

One compromised development machine = credentials to production systems exposed

Which credentials?
1. Database
2. Admin/Debug functionality
3. Encryption
4. JWT secrets, etc.

Questions
- Does the problem exist in your organization?
- Do you know how to fix it if it does occur?*

*Each system has its own way of handling this; I have included links to official documentation in the references.
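The first audit question above ("does the problem exist?") can be answered mechanically before a commit ever reaches the central repository. The scanner below is an added example written for this page, not the speaker's tool or any vendor's: it runs a few narrow patterns over the files about to be committed, redacts what it finds so the report itself cannot leak the value, and blocks only on high-confidence hits (an AWS access key id format, a private key block), leaving the medium-confidence ones for a human to judge. The `# allow-secret` marker is a hypothetical convention for reviewed exceptions, and every sample file and value is constructed.

```python
"""Working-tree secret scan of the kind a pre-commit hook would run.

Added example, not the speaker's tool. The rules are deliberately few and
narrow so they stay readable; the '# allow-secret' marker is a hypothetical
convention for reviewed exceptions, and the sample files are constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# (rule name, pattern, confidence). High-confidence rules match formats that are
# almost never legitimate in source; medium rules need a human to decide.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "high"),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"), "medium"),
    ("connection_string_password", re.compile(r"""(?i)(?:password|pwd)\s*=\s*[^;\s"']+"""), "medium"),
    ("hardcoded_password_assignment",
     re.compile(r"""(?i)(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*["'][^"']{6,}["']"""), "medium"),
]
ALLOW_MARKER = "# allow-secret"   # hypothetical: a reviewed exception, visible in the diff


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    confidence: str
    excerpt: str   # redacted, so the scan report itself does not leak the value


def redact(value: str) -> str:
    """Keep the first and last four characters so a reviewer can recognise the hit."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern, confidence in RULES:
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, name, confidence, redact(match.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """files maps a path to its content; a real hook would read the staged blobs."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_block_commit(findings: list[Finding]) -> bool:
    """Fail the hook on any high-confidence hit; medium hits are reported for review."""
    return any(f.confidence == "high" for f in findings)


# Constructed sample working tree; every value below is fake.
SAMPLE_FILES = {
    "app/settings.py": 'DB_HOST = "db.internal"\n'
                       'DB_PASSWORD = "hunter2-but-longer"\n'
                       'JWT_SECRET = "change-me-please-now"\n',
    "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n",
    "docs/README.md": "Set DB_PASSWORD in your environment; never commit it.\n",
    "tests/fixtures.py": 'SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"\n'
                         'DUMMY_SECRET = "not-a-real-secret"  # allow-secret\n',
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no} [{f.confidence}] {f.rule}: {f.excerpt}")
    raise SystemExit(1 if should_block_commit(found) else 0)
```

Run against the constructed tree, the hook reports four hits and exits non-zero because of the access key id. A hook only protects commits made after it is installed; a secret that is already in history needs the removal procedures linked in the references, and the credential itself still has to be rotated.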

IT Operations

Example Architecture
Web Tier
App Tier

Automated Process
1. Identify patch levels
2. Download patches
3. Remove from load balancer
4. Maintain proper sequence
5. Patch and reboot
6. Test for success
7. Return to load balancer

Example Assumptions
1. Infrastructure in place
2. Actions require elevated rights

Approach
Web Tier
App Tier
?
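The seven-step process above is easy to describe and easy to get wrong in a way that produces the "sustained or recurring outages" named later in the talk. The simulation below is an added example, not the speaker's script: the servers, load balancer pool, patch action and health check are in-memory stand-ins so it runs offline, and the tier order (app tier before web tier) and the one-node-at-a-time policy are assumptions. It shows two guards a practitioner wants in the orchestrator: it refuses to drain a node if that would leave a tier below its minimum, and it stops the rollout at the first failed post-patch test instead of repeating the failure across the fleet.

```python
"""Simulated patch rollout following the seven-step process above.

Added example, not the speaker's script. Servers, the load balancer and
the patch/test actions are in-memory stand-ins so it runs offline; in a
real pipeline each hook would call the LB API, the patch tool and a
health check, each under its own least-privilege identity.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    tier: str
    patch_level: int
    in_pool: bool = True      # currently receiving traffic from the load balancer
    healthy: bool = True


@dataclass
class RolloutResult:
    patched: list[str] = field(default_factory=list)
    skipped: list[str] = field(default_factory=list)   # already at target level
    failed: list[str] = field(default_factory=list)    # failed post-patch test, left out of pool
    aborted: bool = False
    log: list[str] = field(default_factory=list)


TIER_ORDER = ["app", "web"]   # assumed sequence: back-end tier first, then the web tier


def rollout(servers, target_level, apply_patch, health_check, min_in_pool=1):
    """Patch one server at a time, tier by tier, never draining a tier below min_in_pool."""
    result = RolloutResult()
    for tier in TIER_ORDER:
        if result.aborted:
            break
        for server in [s for s in servers if s.tier == tier]:
            # step 1: identify patch level; nothing to do if already current
            if server.patch_level >= target_level:
                result.skipped.append(server.name)
                continue
            # step 4: maintain proper sequence; refuse to take the tier below its minimum
            pool_size = sum(1 for s in servers if s.tier == tier and s.in_pool)
            if pool_size - 1 < min_in_pool:
                result.log.append(f"{server.name}: cannot drain, tier {tier} would drop below {min_in_pool} node(s)")
                result.aborted = True
                break
            server.in_pool = False                      # step 3: remove from load balancer
            apply_patch(server, target_level)           # steps 2 and 5: download, patch and reboot
            if health_check(server):                    # step 6: test for success
                server.in_pool = True                   # step 7: return to load balancer
                result.patched.append(server.name)
            else:
                server.healthy = False                  # leave it drained for a human to look at
                result.failed.append(server.name)
                result.aborted = True                   # do not repeat a failing patch fleet-wide
                result.log.append(f"{server.name}: post-patch test failed; left out of pool, rollout stopped")
                break
    return result


# --- constructed stand-ins for the real patch tool and health check ---
def fake_apply_patch(server: Server, level: int) -> None:
    server.patch_level = level


def make_health_check(broken: set[str]):
    """Returns a health check under which the named servers fail after patching."""
    return lambda server: server.name not in broken


def demo_fleet() -> list[Server]:
    return [Server("web1", "web", 1), Server("web2", "web", 1),
            Server("app1", "app", 1), Server("app2", "app", 2)]


if __name__ == "__main__":
    fleet = demo_fleet()
    outcome = rollout(fleet, 2, fake_apply_patch, make_health_check({"web1"}))
    print(outcome)
```

With `web1` failing its test, the rollout patches `app1`, skips the already-current `app2`, leaves `web1` drained and stops before touching `web2`, so the web tier keeps serving on one node. A fleet with a single node in a tier is refused outright, because the tool cannot patch it without causing exactly the outage the process is meant to avoid.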

What's the threat?
- Hard to maintain
- Hard to teach
- Application account with admin creds
- Sustained or recurring outages

Resolution?
Separate application and admin identities

Questions
- Are independent systems within the application stack running with unique credentials, which only have the necessary rights to perform that system's tasks?
- Are there any accounts being used to programmatically manage or manipulate multiple layers of the application stack?
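Both questions above can be checked from two inventories an organization usually already has: which account holds which rights on which tier, and which account was actually seen doing what. The audit below is an added example written for this page, not the speaker's tool; the account names, the `application`/`admin` account kinds, the `admin` blanket grant and the `patch`/`reboot` privileged actions are all assumptions, and the inventories are constructed. It flags an application account holding admin rights (the threat named above), any account granted rights on more than one tier (question 2), and rights that are granted but never exercised (question 1).

```python
"""Identity audit for the two questions above.

Added example, not the speaker's tool. Accounts, tiers, rights and the usage
records are constructed; in practice the grants come from the directory or
cloud IAM and the usage from the automation system's own logs.
"""
from __future__ import annotations
from dataclasses import dataclass

ADMIN = "admin"                         # assumed blanket grant: every action on the tier
PRIVILEGED_ACTIONS = {"patch", "reboot"}  # assumed: the only steps that justify an admin grant


@dataclass
class Account:
    name: str
    kind: str                        # "application" (runs the app) or "admin" (runs maintenance)
    grants: dict[str, set[str]]      # tier -> rights held on that tier


@dataclass(frozen=True)
class Usage:
    account: str
    tier: str
    action: str


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    detail: str


def unused_rights(rights: set[str], exercised: set[str]) -> set[str]:
    """Rights an account holds but was never seen using on that tier."""
    if ADMIN in rights:
        # a blanket grant is only justified if the account really performs privileged steps
        return set() if exercised & PRIVILEGED_ACTIONS else {ADMIN}
    return rights - exercised


def audit_identities(accounts: list[Account], usage: list[Usage]) -> list[Finding]:
    exercised: dict[tuple[str, str], set[str]] = {}
    for u in usage:
        exercised.setdefault((u.account, u.tier), set()).add(u.action)

    findings: list[Finding] = []
    for acct in accounts:
        if len(acct.grants) > 1:   # one identity reaching across layers of the stack
            findings.append(Finding(acct.name, "spans_multiple_tiers", ", ".join(sorted(acct.grants))))
        for tier, rights in acct.grants.items():
            if acct.kind == "application" and ADMIN in rights:
                findings.append(Finding(acct.name, "application_account_with_admin", tier))
            unused = unused_rights(rights, exercised.get((acct.name, tier), set()))
            if unused:
                findings.append(Finding(acct.name, "unused_rights", f"{tier}: {', '.join(sorted(unused))}"))
    return sorted(findings, key=lambda f: (f.account, f.issue))


# Constructed inventories. svc-app-patch is the intended shape: one tier, one job.
SAMPLE_ACCOUNTS = [
    Account("svc-webapp", "application", {"web": {ADMIN}}),
    Account("svc-patch-all", "admin", {"web": {ADMIN}, "app": {ADMIN}}),
    Account("svc-lb", "admin", {"web": {"lb.drain", "lb.restore", "lb.reconfigure"}}),
    Account("svc-app-patch", "admin", {"app": {ADMIN}}),
]
SAMPLE_USAGE = [
    Usage("svc-webapp", "web", "serve"),
    Usage("svc-patch-all", "web", "patch"), Usage("svc-patch-all", "web", "reboot"),
    Usage("svc-patch-all", "app", "patch"), Usage("svc-patch-all", "app", "reboot"),
    Usage("svc-lb", "web", "lb.drain"), Usage("svc-lb", "web", "lb.restore"),
    Usage("svc-app-patch", "app", "patch"), Usage("svc-app-patch", "app", "reboot"),
]

if __name__ == "__main__":
    for f in audit_identities(SAMPLE_ACCOUNTS, SAMPLE_USAGE):
        print(f"{f.account}: {f.issue} ({f.detail})")
```

On the constructed data the audit is silent about `svc-app-patch`, the account shaped the way the resolution slide asks for, and reports the other three: the application account running with admin rights it never uses, the patching account that spans both tiers, and the load-balancer account carrying a reconfigure right its job does not need.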

Infrastructure Automation

Automation tools can cause outages. But as systems scale, tools are necessary.

Example Tool
Server1, Server2, Server3, Server4
Web Tier
App Tier
Needs tools at scale!

Example Tool: Fixed

Tenets
- Always commit to source control
- Always peer review
- Always test in non-production environments

Questions
- Are scripts and tools, as well as the processes and procedures to leverage them, maintained in a version control system?
- Are scripts and tools, as well as the management processes, peer reviewed and each capability tested before it is implemented and used against production systems?
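The three tenets above can be made a precondition of running rather than a policy people remember to follow. The gate below is an added example written for this page, not the speaker's tool or any CI product: the approval registry, its fields and the environment names are assumptions, and the script text is a constructed placeholder. It binds approval to the hash of the exact script content, so a version that was edited after review, or never committed, does not match; production runs additionally require a reviewer other than the author and a recorded run in a non-production environment.

```python
"""Promotion gate: a script may run against production only if this exact version
was committed, peer reviewed and tested outside production.

Added example, not the speaker's tool. The registry shape, environment names and
script text are assumptions; a real registry would be populated by the review and
test stages of the pipeline, not edited by hand.
"""
from __future__ import annotations
import hashlib
from dataclasses import dataclass

NON_PRODUCTION = {"dev", "staging"}   # assumed environment names


@dataclass(frozen=True)
class Approval:
    script_sha256: str
    author: str
    reviewer: str
    tested_in: tuple[str, ...]   # non-production environments where this exact version ran


def script_hash(text: str) -> str:
    """Identity of a script version is its content hash, not its file name."""
    return hashlib.sha256(text.encode()).hexdigest()


def may_run(script_text: str, target_env: str, approvals: dict[str, Approval]) -> tuple[bool, str]:
    """Return (allowed, reason). Non-production is open; production needs a matching approval."""
    if target_env in NON_PRODUCTION:
        return True, f"{target_env} is non-production; run permitted (its result feeds the approval record)"
    digest = script_hash(script_text)
    entry = approvals.get(digest)
    if entry is None:
        return False, "this exact script version is not in the approval registry (uncommitted or modified?)"
    if entry.reviewer == entry.author:
        return False, "peer review required: reviewer must differ from author"
    if not set(entry.tested_in) & NON_PRODUCTION:
        return False, "no recorded test run in a non-production environment"
    return True, f"approved version {digest[:12]} reviewed by {entry.reviewer}, tested in {', '.join(entry.tested_in)}"


# Constructed placeholder script and registry entry.
PATCH_SCRIPT = "#!/bin/sh\n# drain, patch, test, restore (constructed placeholder)\necho patching\n"
REGISTRY = {
    script_hash(PATCH_SCRIPT): Approval(script_hash(PATCH_SCRIPT), "alice", "bob", ("staging",)),
}

if __name__ == "__main__":
    edited = PATCH_SCRIPT.replace("echo patching", "echo patching --force")
    for env, text in (("prod", PATCH_SCRIPT), ("prod", edited), ("staging", edited)):
        print(env, *may_run(text, env, REGISTRY))
```

A one-character edit to a reviewed script produces a different hash, so the "tested in staging, then tweaked on the way to production" path that causes many outages is refused, while the same edited script is still free to run in staging, where it earns a new approval.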

Security Auditing
Application scanning tool reported source code disclosure of JavaScript files.
Code runs on the client. What happened?
Maybe a default configuration? The report wasn't reviewed.

Auditing Tools
- Required component of security audits
- Must be interpreted by a human
- Otherwise, potential for disillusionment that could let vulnerabilities go unresolved

Questions
- Were you involved in the process of interpreting the results of an application security assessment to vet and corroborate issues discovered, and were any issues and their respective resolutions documented?

Wrap Up
- Automation systems are software too

- Even small scripts count
- Defensive coding
- Teams and Tools

Our Links
https://securityevaluators.com
https://iotvillage.com
https://blog.securityevaluators.com/
https://blog.securityevaluators.com/iselabs/home

Contact Me
Twitter: @johnnygtech
Email: [email protected]

Resources
https://arstechnica.com/information-technology/2016/04/hacking-slack-accounts-as-easy-as-searching-github/
https://help.github.com/articles/removing-sensitive-data-from-a-repository/
https://subversion.apache.org/faq.html#removal

Proprietary Icons
https://svn.apache.org/repos/asf/subversion/svn-logos/logo.html
https://git-scm.com/images/logos/downloads/Git-Icon-1788C.png
https://visualstudio.microsoft.com/team-services/

Thank you!
