Security: Best Practices by OVH

Post on 16-Apr-2017


7 February 2017 - Lille

Best Practices to protect your business against hackers

Vincent Malguy, Pentester

Why? Are hackers interested in your infrastructure and information system?

Malware: The Story so Far

FORM, 1990
• Floppy boot sector
• Clicking noise when using the keyboard on the 18th

CHERNOBYL, 1998
• Explodes on April 26th
• Erases BIOS
• Erases hard drives
• 1 billion $ loss

ILOVEYOU, 2000
• By e-mail (using Outlook)
• By IRC (using mIRC)
• Overwrites JPG, HTM...

BLASTER, 2003
• WinXP vulnerability
• Reboot after 60 sec
• Scans the Internet madly to propagate

Malware: Something Has Changed

Yesterday
• Viruses for fun:
  • Replicate and propagate
  • Destroy your files
  • Destroy your hardware
  • Let you know you’re infected
  • Don’t make any money

Today
• Malware as a profit:
  • Replicate and propagate
  • Encrypt your files
  • Use your hardware
  • Stay stealthy and hidden
  • Makes sh*tloads of cash!

Why It’s Profitable

(Slide image: RANS0MWARE)

• Remote takeover of servers and desktops
  • Computing power (mining BTC)
  • Impunity (phishing/malware hosting, ...)
  • Network strike force (DoS)
  • Botnets (card fraud, DDoS aaS, cloud spam aaS, ...)

Speaker notes: a fridge that sends spam; a camera that mines BTC.

Why It’s Profitable

• Theft and exploitation of your data
  • Accounts hacking (social networks, e-mail accounts, ...)
  • Selling e-mail addresses to spammers
  • Competitors reaching out to your customers
  • Brand reputation, exposure to bad buzz
  • Industrial secrets made public or resold to competitors

Speaker note: icons missing.

How to mitigate: let’s be pragmatic…

Security Key Concepts

• Most important is patching the weakest link
  • Access to management interfaces (customer account)
  • Infrastructure (servers and network)
  • Operating System
  • Applications
• Security is a process, not a project
• The question is not « am I vulnerable?* », but rather « how to mitigate the risks? »

* Hint: the answer is « yes »

Outline: [Customer account] › Infrastructure › Operating System › Applications

Your OVH Customer Account

• Entrypoint to your infrastructure management
• Password
  • Unique
    • This way, database leaks don’t propagate to your other accounts
    • haveibeenpwned.com: 2,055,538,028 pwned accounts
  • Complex, but that you can remember

Password Complexity

Password                 | Memorizing difficulty | Complexity                                     | Time
123456                   | Ultra easy            | ~1                                             | zero
p4ssw0rd                 | Ultra easy            | ~10000                                         | ~seconds
P4ssw0rd1%               | Easy                  | ~1000000                                       | ~minutes
yCwrQT8Jvi               | Hard                  | 839299365868340224                             | ~1 year
LzS~2Y8g\[h6w{Mz         | Very hard             | 4579937329576774398276408998492161             | infinity
pourquoiPasCeMotDePaaS   | Easy                  | 56503267085670146216220839069303701504         | infinity
PimousseADesVibrissettes | Easy                  | 152784834199652075368661148843397208866816     | infinity
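How the "Complexity" column above comes about, as an added example (not code from the deck): the three letter-only or alphanumeric rows are exact keyspaces (62^10, 52^22, 52^24) and the symbol row matches a 127-character alphabet, while the first rows are dictionary hits that no amount of leetspeak rescues. The COMMON wordlist, the MANGLING budget and the RATE of 2.5e10 guesses/s are constructed assumptions.

```python
"""Password keyspace and crack-time estimate in the style of the deck's table.
Added example, not from the deck. Constructed assumptions: COMMON stands in for
a leaked-password wordlist and a common word costs MANGLING guesses for its
leet/suffix variants; letters/digits count 26/26/10 and any other character
widens the alphabet to the 127 non-NUL 7-bit ASCII codes (which reproduces the
slide's 127**16); RATE = 2.5e10 guesses/s (GPU cracking of a fast unsalted
hash) puts a random 10-character alphanumeric password at ~1 year."""
import string

COMMON = ["123456", "password", "qwerty", "azerty", "letmein"]  # constructed
MANGLING = 10_000
RATE = 2.5e10
LEET = str.maketrans("4301$@5", "aeolsas")  # p4ssw0rd -> password
TRAILING = string.digits + string.punctuation
YEAR = 365 * 24 * 3600

def dictionary_guesses(password: str):
    """Guesses to reach a mangled common word, or None if it is not one."""
    plain = password.lower()
    mangled = password.rstrip(TRAILING).translate(LEET).lower()
    for form in (plain, mangled):
        if form in COMMON:
            return (COMMON.index(form) + 1) * MANGLING
    return None

def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive search must cover for this password."""
    chars = set(password)
    if not chars <= set(string.ascii_letters + string.digits):
        return 127
    classes = ((string.digits, 10), (string.ascii_lowercase, 26),
               (string.ascii_uppercase, 26))
    return sum(n for cls, n in classes if chars & set(cls))

def guesses_needed(password: str) -> int:
    """Dictionary estimate when it applies, otherwise the full keyspace."""
    hit = dictionary_guesses(password)
    return hit if hit is not None else alphabet_size(password) ** len(password)

def crack_time(password: str, rate: float = RATE) -> str:
    """Worst-case exhaustive-search time, as a label like the slide's Time column."""
    seconds = guesses_needed(password) / rate
    if seconds < 1:
        return "~instant"
    if seconds < 3600:
        return "~minutes"
    years = seconds / YEAR
    if years < 1:
        return "~days"
    return f"~{years:.0f} year(s)" if years < 1e6 else "effectively infinite"
```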

Your OVH Customer Account

• Entrypoint to your infrastructure management
• Password
  • Unique
  • Complex, but that you can remember
  • Personal password manager (KeePass, ...)
    • Works under Windows, Linux, MacOS, iOS, Android
    • You can drop your encrypted database on your favorite file sharing service
• Two-factor authentication
  • What I know (password)
  • What I have (smartphone, USB key, ...)
  • What I am (fingerprint scanner, retinal scanner, ...)
• Restrict access by IP if you can

Screenshots: KeePass overview; two-factor auth configuration (OTP by app, OTP by SMS, static OTP); restrict access by IP addresses.

Your [Own application] Account

• Password
  • www.cnil.fr/fr/les-conseils-de-la-cnil-pour-un-bon-mot-de-passe
  • www.ssi.gouv.fr/guide/mot-de-passe/
• Two-factor authentication
  • Use OVH SMS gateway (github.com/ovh/php-ovh-sms)
  • Tutorial on www.twilio.com
  • SaaS with authy.com/developers/

Outline: Customer account › [Infrastructure] › Operating System › Applications

Security at the core of the design

• Use private networks (vRack)
• Allow mandatory traffic only ... and don’t forget IPv6!
• Filter admin access
• High Availability
• OVH IPLB protection (March)

Diagram: three private VLANs (VLAN WEB, VLAN APP, VLAN DB); HTTP/HTTPS towards the web tier, the application port towards the app tier, the SQL port towards the database tier; SSH/RDP only from the VPN Access (Beta); Roubaix and Strasbourg with IP Failover; OVH IPLB in front.

Outline: Customer Account › Infrastructure › [Operating System] › Applications

Operating System

• Stable OS, still supported (LTS)
• Stable OS, up to date (turn on auto-update)
• Reduce the attack surface
  • Install only needed services/daemons (check with netstat!)
  • Change the default port of system administration services (ssh, rdp…)
  • Configure port knocking and/or Fail2Ban
  • Enforce password complexity
  • Enforce use of certificates instead of passwords for admin access
• Build a real backup policy
  • Security-wise, protect your backups even more than your production data:
    openssl aes-256-cbc -salt -in archive.zip -out archive.zip.aes
    (on OpenSSL 1.1.1 and later add -pbkdf2, otherwise the passphrase goes through the legacy key derivation and openssl warns about it)
  • A RAID1 array is not a backup
  • An untested backup is not a backup
  • Local backup is not a backup
  • See https://about.gitlab.com/2017/02/01/gitlab-dot-com-database-incident/

Speaker note: illustration of a 404 page full of information? and of a PHP dump with the MySQL password?
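The "check with netstat!" step as a script, added here (not the deck's): it parses netstat -tulnp output, ignores loopback-only listeners and reports every externally reachable port that is not on an allow-list, treating IPv6 wildcard binds (:::port) exactly like IPv4 ones. SAMPLE and ALLOWED are constructed for the example.

```python
"""Audit 'netstat -tulnp' output for listening sockets that should not be there.
Added example, not from the deck. SAMPLE is constructed output, and ALLOWED
(sshd plus the web ports, IPv4 and IPv6 alike) is an assumption standing in for
the services this host really needs."""

SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1043/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1201/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      1201/apache2
tcp6       0      0 :::6379                 :::*                    LISTEN      1330/redis-server
udp        0      0 0.0.0.0:111             0.0.0.0:*                           601/rpcbind
"""
ALLOWED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}  # assumption: what this host needs
LOOPBACK = ("127.", "::1")

def parse(line: str):
    """Return (proto, host, port, program) for a netstat data line, else None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
        return None
    host, _, port = fields[3].rpartition(":")  # ':::80' -> ('::', '80'), IPv6 safe
    program = fields[-1].partition("/")[2] or fields[-1]  # 'PID/name' -> name
    return fields[0], host, int(port), program

def exposed_unexpected(output: str):
    """Listeners reachable from outside the host that are not on the allow-list."""
    findings = []
    for entry in filter(None, map(parse, output.splitlines())):
        proto, host, port, program = entry
        if host.startswith(LOOPBACK):
            continue  # bound to loopback only: not part of the remote attack surface
        if (proto.rstrip("6"), port) not in ALLOWED:  # udp6/tcp6 judged like udp/tcp
            findings.append((proto, port, program))
    return findings
```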

Public Cloud Archive

• 100% durability
• Server-side configurable actions
• Easy integration
  • sftp, scp, rsync, https
  • SVFS https://github.com/ovh/svfs

Outline: Customer Account › Infrastructure › Operating System › [Applications]

Application

• Reduce the attack surface
• Change passwords of default accounts (SA)
• Use TLS and test it on ssllabs.com/ssltest/
  • OVH IPLB: one-click free certificate and A+ rating
• Leak the least information possible (Apache, PHP, SQL...)

Application

• Principle of least rights
  • 1 account per person
  • 1 account per app
  • 1 admin account only
• Use LXC / Docker where possible
  • Base system with almost nothing on it (CoreOS)
  • One container per app
  • No root inside containers!

Application

• Use and abuse PaaS
  • PaaS Log
  • PaaS Metrics
  • PaaS Database
• Use and abuse SaaS
  • DNS(SEC)
  • Mail
  • Cloud Desktop

Applications

• CMS webapps
  • Used a lot, hacked a lot
  • It’s mandatory to be strictly up to date
• CMS plugins
  • Don’t install seldom-used plugins
  • An apparently nice feature always comes at a cost
• Libraries and programs on GitHub
  • Still supported?
  • Has it been audited?
  • Security vulnerabilities and fixes history?
  • Check on secunia.com

Thank you & be safe