Sécurité, les Best practices par OVH

7 February 2017 - Lille

Transcript of Sécurité, les Best practices par OVH

Page 1: Sécurité, les Best practices par OVH

7 February 2017 - Lille

Page 2: Sécurité, les Best practices par OVH

Best Practices to protect your business against hackers

Vincent Malguy, Pentester

Page 3: Sécurité, les Best practices par OVH

Why? Are hackers interested in your infrastructure and information system?

Page 4: Sécurité, les Best practices par OVH

FORM, 1990
• Floppy boot sector
• Clicking noise when using the keyboard on the 18th

Malwares: The Story so Far

Page 5: Sécurité, les Best practices par OVH

CHERNOBYL, 1998
• Explodes on April 26th
• Erases BIOS
• Erases hard drives
• 1 billion $ loss

Malwares: The Story so Far

Page 6: Sécurité, les Best practices par OVH

ILOVEYOU, 2000
• By e-mail (using Outlook)
• By IRC (using mIRC)
• Overwrites JPG, HTM...

Malwares: The Story so Far

Page 7: Sécurité, les Best practices par OVH

BLASTER, 2003
• WinXP vulnerability
• Reboot after 60 sec
• Scans the Internet madly to propagate

Malwares: The Story so Far

Page 8: Sécurité, les Best practices par OVH

Malwares: The Story so Far (recap slide: FORM 1990, CHERNOBYL 1998, ILOVEYOU 2000, BLASTER 2003)

Page 9: Sécurité, les Best practices par OVH

YESTERDAY
• Viruses for fun:
  • Replicate and propagate
  • Destroy your files
  • Destroy your hardware
  • Let you know you're infected
  • Don't make any money

TODAY
• Malwares as a profit:
  • Replicate and propagate
  • Encrypt your files
  • Use your hardware
  • Stay stealthy and hidden
  • Make sh*tloads of cash!

Malwares: Something Has Changed

Page 10: Sécurité, les Best practices par OVH

RANS0MWARE

Page 11: Sécurité, les Best practices par OVH

• Remote takeover of servers and desktops
  • Computing power (mining BTC)
  • Impunity (phishing/malware hosting, ...)
  • Network strike force (DoS)
  • Botnets (card fraud, DDoS aaS, cloud spam aaS, ...)

Why It's Profitable

speed
a fridge that spams
speed
a camera that mines BTC
Page 12: Sécurité, les Best practices par OVH

• Theft and exploitation of your data
  • Accounts hacking (social networks, e-mail accounts, ...)
  • Selling e-mail addresses to spammers
  • Competitors reaching out to your customers
  • Brand reputation, exposure to bad buzz
  • Industrial secrets made public or resold to competitors

Why It's Profitable

Page 13: Sécurité, les Best practices par OVH

HOW TO MITIGATE: LET'S BE PRAGMATIC…

Page 14: Sécurité, les Best practices par OVH

• Most important is patching the weakest link:
  • Access to management interfaces (customer account)
  • Infrastructure (servers and network)
  • Operating System
  • Applications
• Security is a process, not a project
• The question is not « am I vulnerable?* », but rather « how to mitigate the risks? »

* Hint: the answer is « yes »

Security Key Concepts

Page 15: Sécurité, les Best practices par OVH

Customer account • Infrastructure • Operating System • Applications

Page 16: Sécurité, les Best practices par OVH

Your OVH Customer Account
• Entrypoint to your infrastructure management
• Password:
  • Unique: this way, database leaks don't propagate to your other accounts (haveibeenpwned.com: 2,055,538,028 pwned accounts)
  • Complex, but one that you can remember

Page 17: Sécurité, les Best practices par OVH

Password                   Memorizing difficulty   Complexity (keyspace)                          Time to crack
123456                     Ultra easy              ~1                                             zero
p4ssw0rd                   Ultra easy              ~10000                                         ~seconds
P4ssw0rd1%                 Easy                    ~1000000                                       ~minutes
yCwrQT8Jvi                 Hard                    839299365868340224                             ~1 year
LzS~2Y8g\[h6w{Mz           Very hard               4579937329576774398276408998492161             infinity
pourquoiPasCeMotDePaaS     Easy                    56503267085670146216220839069303701504         infinity
PimousseADesVibrissettes   Easy                    152784834199652075368661148843397208866816     infinity

Password Complexity
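The table scores a password by the number of candidates an attacker has to try: the size of the character alphabet raised to the password length. The Python below is an added example, not part of the OVH slides; it reproduces that model by detecting which character classes a password uses, computing the keyspace and the equivalent bits of entropy, and turning the keyspace into a crack time at an assumed offline guessing rate of 10^10 per second (a constructed figure; the slide does not state the rate behind its "Time" column). It assumes the 95 printable ASCII characters once symbols appear, so the fourth row comes out smaller than the slide's figure, which was computed against a 127-symbol alphabet; the letters-only and letters-plus-digits rows match the slide's numbers exactly. The slide's first three rows are rated against common-password lists rather than by keyspace, which this model does not attempt.

```python
import math
import string

# Character classes and the alphabet size each contributes. Assumption: "symbols"
# means the 33 non-alphanumeric printable ASCII characters (punctuation plus space),
# so a password drawing on all four classes is scored against a 95-character alphabet.
CHARACTER_CLASSES = (
    ("lowercase", frozenset(string.ascii_lowercase), 26),
    ("uppercase", frozenset(string.ascii_uppercase), 26),
    ("digits", frozenset(string.digits), 10),
    ("symbols", frozenset(string.punctuation + " "), 33),
)
MODELLED = frozenset().union(*(members for _, members, _ in CHARACTER_CLASSES))

# Assumed offline guessing rate (constructed figure, not from the slide):
# 10^10 guesses per second, the order of magnitude of a GPU rig against a fast hash.
GUESSES_PER_SECOND = 10_000_000_000


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes the password actually uses."""
    chars = set(password)
    if not password or not chars <= MODELLED:
        raise ValueError("only non-empty printable-ASCII passwords are modelled")
    return sum(size for _, members, size in CHARACTER_CLASSES if chars & members)


def keyspace(password: str) -> int:
    """Candidates an attacker must try in the worst case: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: how many bits a brute-force search has to cover."""
    return len(password) * math.log2(alphabet_size(password))


def crack_time_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the whole keyspace at the assumed rate."""
    return keyspace(password) / rate


def human_time(seconds: float) -> str:
    """Rough, human-readable duration (years are the largest unit used)."""
    if seconds < 1:
        return "instant"
    for name, length in (("years", 365 * 86400), ("days", 86400),
                         ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= length:
            value = seconds / length
            return f"{value:.2e} {name}" if value >= 1e6 else f"{value:.1f} {name}"
    return f"{seconds:.1f} seconds"  # not reached for seconds >= 1; keeps the function total


def report(password: str) -> dict:
    return {
        "password": password,
        "length": len(password),
        "alphabet": alphabet_size(password),
        "keyspace": keyspace(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "crack_time": human_time(crack_time_seconds(password)),
    }


if __name__ == "__main__":
    # The slide's own rows, and the point the table makes: length beats symbol soup.
    for pw in ("123456", "P4ssw0rd1%", "yCwrQT8Jvi", "LzS~2Y8g\\[h6w{Mz",
               "pourquoiPasCeMotDePaaS", "PimousseADesVibrissettes"):
        r = report(pw)
        print(f"{pw:26} alphabet={r['alphabet']:3} bits={r['entropy_bits']:6} "
              f"keyspace={r['keyspace']} crack={r['crack_time']}")
```

The comparison worth noticing is the 22-letter passphrase against the 16-character symbol mix: the passphrase has the larger keyspace and more entropy bits while being the one a human can remember, which is the slide's argument for "complex, but one that you can remember".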

Page 18: Sécurité, les Best practices par OVH

Your OVH Customer Account
• Password: unique, complex but memorable, kept in a personal password manager (Keepass, ...)
  • Works under Windows, Linux, MacOS, iOS, Android
  • You can drop your encrypted database on your favorite file sharing service

Page 19: Sécurité, les Best practices par OVH

Keepass Overview

Page 20: Sécurité, les Best practices par OVH

Your OVH Customer Account
• Two-factor authentication:
  • What I know (password)
  • What I have (smartphone, USB key, ...)
  • What I am (fingerprint scanner, retinal scanner, ...)

Page 21: Sécurité, les Best practices par OVH

TWO-FACTOR AUTH Configuration: OTP by app, OTP by SMS, static OTP

Page 22: Sécurité, les Best practices par OVH

Your OVH Customer Account (recap)
• Entrypoint to your infrastructure management
• Password: unique, complex but memorable, kept in a personal password manager (Keepass, ...)
• Two-factor authentication
• Restrict access by IP if you can

Page 23: Sécurité, les Best practices par OVH

Restrict Access by IP addresses

Page 24: Sécurité, les Best practices par OVH

Your [Own application] Account
• Password: see www.cnil.fr/fr/les-conseils-de-la-cnil-pour-un-bon-mot-de-passe and www.ssi.gouv.fr/guide/mot-de-passe/
• Two-factor authentication:
  • Use OVH SMS gateway (github.com/ovh/php-ovh-sms)
  • Tutorial on www.twilio.com
  • SaaS with authy.com/developers/

Page 25: Sécurité, les Best practices par OVH

Customer account • Infrastructure • Operating System • Applications

Page 26: Sécurité, les Best practices par OVH

Security at the core of conception

Page 27: Sécurité, les Best practices par OVH

Security at the core of conception
• Use private networks (vRack)

Diagram: VLAN WEB, VLAN APP, VLAN DB

Page 28: Sécurité, les Best practices par OVH
Page 29: Sécurité, les Best practices par OVH
Page 30: Sécurité, les Best practices par OVH

Security at the core of conception
• Use private networks (vRack)
• Allow mandatory traffic only ... and don't forget IPv6!

Diagram: HTTP/HTTPS into VLAN WEB; application port from VLAN WEB to VLAN APP; SQL port from VLAN APP to VLAN DB

Page 31: Sécurité, les Best practices par OVH

Security at the core of conception
• Filter admin access

Diagram: SSH/RDP reaches VLAN WEB, VLAN APP and VLAN DB only from VPN Access (Beta)

Page 32: Sécurité, les Best practices par OVH

Security at the core of conception
• High Availability

Diagram: Roubaix and Strasbourg, IP Failover

Page 33: Sécurité, les Best practices par OVH

Security at the core of conception
• OVH IPLB protection (March)

Diagram: OVH IPLB in front of VLAN WEB, VLAN APP, VLAN DB
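The three-tier design on these slides (HTTP/HTTPS into the web VLAN, the application port only from web to app, the SQL port only from app to database, SSH only from the VPN, and IPv6 filtered like IPv4) is easy to state and easy to get wrong host by host. The Python below is an added example, not OVH tooling and not part of the slides: it holds that policy as data and generates, per tier, an nftables ruleset in the `inet` family, which applies one rule set to both IPv4 and IPv6 so IPv6 cannot be forgotten. The addressing plan, the application and SQL ports, the moved SSH port and the VPN prefix are constructed assumptions; replace them with your own.

```python
# Constructed addressing plan (assumption, not OVH's): one IPv4 and one IPv6 prefix
# per VLAN, plus the VPN prefix that is the only source allowed to reach SSH.
TIERS = {
    "web": {"v4": "10.0.1.0/24", "v6": "fd00:1::/64", "ports": (80, 443), "from": None},
    "app": {"v4": "10.0.2.0/24", "v6": "fd00:2::/64", "ports": (8080,),   "from": "web"},
    "db":  {"v4": "10.0.3.0/24", "v6": "fd00:3::/64", "ports": (3306,),   "from": "app"},
}
VPN = {"v4": "10.0.9.0/24", "v6": "fd00:9::/64"}
SSH_PORT = 2222  # administration moved off port 22, as the OS slide recommends


def _ports(ports) -> str:
    """nft port expression: a single port, or an anonymous set for several."""
    return str(ports[0]) if len(ports) == 1 else "{ " + ", ".join(map(str, ports)) + " }"


def _from(source: dict, rule: str) -> list:
    """Emit the same rule once for the IPv4 prefix and once for the IPv6 prefix."""
    return [f"ip saddr {source['v4']} {rule}", f"ip6 saddr {source['v6']} {rule}"]


def host_ruleset(tier: str) -> str:
    """nftables ruleset for one host of `tier`: default-drop input, only the flows
    the three-tier diagram allows, identical treatment of IPv4 and IPv6."""
    spec = TIERS[tier]
    rules = [
        'iifname "lo" accept',
        "ct state established,related accept",
        "ct state invalid drop",
        "icmp type echo-request accept",
        # Neighbour discovery is what makes IPv6 work at all; dropping it breaks the host.
        "icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept",
    ]
    service = f"tcp dport {_ports(spec['ports'])} accept"
    if spec["from"] is None:
        rules.append(service)                          # web tier: reachable from anywhere
    else:
        rules += _from(TIERS[spec["from"]], service)   # only from the previous tier
    rules += _from(VPN, f"tcp dport {SSH_PORT} accept")  # admin access: VPN only
    body = "\n".join(f"        {r}" for r in rules)
    return (
        "table inet filter {\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy drop;\n"
        f"{body}\n"
        "    }\n"
        "}\n"
    )


def exposure(tier: str) -> dict:
    """Which TCP ports the ruleset opens, and to whom: the summary a reviewer checks
    against the diagram before the ruleset is loaded."""
    spec = TIERS[tier]
    who = "any" if spec["from"] is None else f"vlan-{spec['from']}"
    opened = {p: who for p in spec["ports"]}
    opened[SSH_PORT] = "vpn"
    return opened


if __name__ == "__main__":
    for name in TIERS:
        print(f"# ruleset for a {name} host, load with: nft -f <file>")
        print(host_ruleset(name))
```

Loading the output with `nft -f` replaces nothing by itself; an existing `inet filter` table has to be flushed first, and the SSH rule must be in place before the policy flips to drop, which is why generating and loading the whole ruleset atomically in one file is preferable to adding rules one at a time.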

Page 34: Sécurité, les Best practices par OVH

Customer Account • Infrastructure • Operating System • Applications

Page 35: Sécurité, les Best practices par OVH

Operating System
• Stable OS, still supported (LTS)
• Stable OS, up to date (turn on auto-update)
• Reduce the attack surface:
  • Install only needed services/daemons (check with netstat!)
  • Change the default port of system administration services (ssh, rdp…)
  • Configure port knocking and/or Fail2Ban
  • Enforce password complexity
  • Enforce use of certificates instead of passwords for admin access

speed
illustration of a 404 page with lots of info? and of a PHP dump?
speed
with the mysql password.
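"Check with netstat!" is the quickest attack-surface review there is, provided you read the output for what is reachable from the network rather than just what is running. The Python below is an added example, not part of the slides: it parses `netstat -tlnp`-style output and reports every socket bound to a non-loopback address, any administration service still on its default port, and the IPv4/IPv6 mismatch the network slides warn about (a service bound to loopback on IPv4 but to the wildcard address on IPv6). The netstat output embedded in it is constructed, not captured from a real host.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed `netstat -tlnp` output (not captured from a real host). It contains the
# classic mistake: MySQL bound to loopback on IPv4 but to the wildcard address on IPv6.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1023/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      540/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      1300/apache2
tcp6       0      0 :::3306                 :::*                    LISTEN      1023/mysqld
tcp6       0      0 ::1:631                 :::*                    LISTEN      700/cupsd
"""

DEFAULT_ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    program: str

    @property
    def exposed(self) -> bool:
        """True unless the socket is bound to a loopback address."""
        return self.address not in LOOPBACK and not self.address.startswith("127.")

    @property
    def family(self) -> str:
        return "IPv6" if self.proto.endswith("6") else "IPv4"


def parse_netstat(text: str) -> list:
    """One Listener per tcp/tcp6/udp/udp6 line; header and blank lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        address, port = fields[3].rsplit(":", 1)   # ":::80" -> ("::", "80"), "::1:631" -> ("::1", "631")
        program = fields[-1].split("/", 1)[-1] if "/" in fields[-1] else "?"
        listeners.append(Listener(fields[0], address, int(port), program))
    return listeners


def audit(listeners: list) -> list:
    """Findings a practitioner wants from 'check with netstat': every socket reachable
    from the network, admin services on default ports, and IPv4/IPv6 binding mismatches."""
    findings = []
    by_service = defaultdict(dict)
    for sock in listeners:
        by_service[(sock.program, sock.port)][sock.family] = sock
        if sock.exposed:
            findings.append(f"{sock.program} listens on {sock.family} {sock.address}:{sock.port} (network-reachable)")
            if sock.port in DEFAULT_ADMIN_PORTS:
                findings.append(f"{sock.program} uses the default {DEFAULT_ADMIN_PORTS[sock.port]} port {sock.port}")
    for (program, port), fams in by_service.items():
        v4, v6 = fams.get("IPv4"), fams.get("IPv6")
        if v4 and v6 and not v4.exposed and v6.exposed:
            findings.append(f"{program}:{port} is loopback-only on IPv4 but wildcard on IPv6 ({v6.address})")
    return findings


def exposed_ports(text: str = SAMPLE_NETSTAT) -> set:
    """(program, family, port) triples reachable from the network."""
    return {(s.program, s.family, s.port) for s in parse_netstat(text) if s.exposed}


if __name__ == "__main__":
    for finding in audit(parse_netstat(SAMPLE_NETSTAT)):
        print("-", finding)
```

On the constructed sample the audit lists sshd, rpcbind and apache2 as network-reachable, flags sshd on port 22, and reports the mysqld mismatch; cupsd on `::1` is correctly left alone. Run it against real output with `netstat -tulnp | python3 audit.py` after changing the `__main__` block to read `sys.stdin`, and treat every line it prints as a question: is this service needed, and by whom?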
Page 36: Sécurité, les Best practices par OVH

Operating System
• Stable OS, still supported (LTS) and up to date
• Reduce the attack surface
• Build a real backup policy:
  • Security-wise, protect your backups even more than your production data:
    openssl aes-256-cbc -salt -in archive.zip -out archive.zip.aes
  • A RAID1 array is not a backup
  • An untested backup is not a backup
  • Local backup is not a backup
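"An untested backup is not a backup" only becomes a practice once the restore test is automated. The Python below is an added example, not part of the slides: at backup time it writes a manifest of every file's size and SHA-256, and the restore test restores into a scratch directory and compares it against that manifest, reporting missing, altered and unexpected files. `demo()` runs the whole cycle on a constructed tree inside a temporary directory, then damages the restored copy to show what a failing test reports; the file names and contents it uses are invented.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """relative path -> {size, sha256} for every regular file under root. Written next to
    the backup at backup time, it is the reference a later restore test checks against."""
    return {str(p.relative_to(root)): {"size": p.stat().st_size, "sha256": sha256_file(p)}
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> list:
    """Compare a restored tree with the manifest; returns the list of problems (empty = pass)."""
    problems = []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif p.stat().st_size != expected["size"]:
            problems.append(f"size mismatch: {rel}")
        elif sha256_file(p) != expected["sha256"]:
            problems.append(f"checksum mismatch: {rel}")
    present = {str(p.relative_to(restored)) for p in restored.rglob("*") if p.is_file()}
    problems.extend(f"unexpected file: {rel}" for rel in sorted(present - set(manifest)))
    return problems


def demo() -> tuple:
    """Constructed end-to-end run: back up a tree, restore it, check; then damage the
    restored copy and check again. Returns (clean_result, damaged_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "prod"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("db_host=10.0.3.10\n")   # invented content
        (src / "data.bin").write_bytes(bytes(range(256)) * 64)
        manifest = build_manifest(src)
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        restored = Path(tmp) / "restore-test"
        shutil.copytree(src, restored)            # stands in for "decrypt + unpack the archive"
        clean = verify_restore(manifest, restored)

        # Silent corruption: one flipped byte keeps the size, so only the hash catches it.
        data = bytearray((restored / "data.bin").read_bytes())
        data[100] ^= 0xFF
        (restored / "data.bin").write_bytes(data)
        (restored / "etc" / "app.conf").unlink()  # and a file that never made it
        return clean, verify_restore(manifest, restored)


if __name__ == "__main__":
    clean, damaged = demo()
    print("first restore test:", clean or "PASS")
    print("after damage:", damaged)
```

Two caveats that tie this to the slide's `openssl` line: AES-CBC encrypts but does not authenticate, so a corrupted or tampered archive decrypts to garbage without any error, and the manifest check is what notices; and `openssl enc` without `-pbkdf2` derives the key from the passphrase with the legacy single-iteration EVP_BytesToKey scheme, so on OpenSSL 1.1.1 or later add `-pbkdf2 -iter 200000` (or encrypt with a tool that uses an authenticated mode). Store the manifest with the backup, and keep the passphrase somewhere the backup's compromise does not reach.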
Page 37: Sécurité, les Best practices par OVH

https://about.gitlab.com/2017/02/01/gitlab-dot-com-database-incident/

Page 38: Sécurité, les Best practices par OVH

Public Cloud Archive
• 100% durability
• Server-side configurable actions
• Easy integration: sftp, scp, rsync, https; SVFS https://github.com/ovh/svfs

Page 39: Sécurité, les Best practices par OVH

Customer Account • Infrastructure • Operating System • Applications

Page 40: Sécurité, les Best practices par OVH

Application
• Reduce the attack surface:
  • Change passwords of default accounts (SA)
  • Use TLS and test it on ssllabs.com/ssltest/ (OVH IPLB: one-click free certificate and A+ rating)
Page 41: Sécurité, les Best practices par OVH

Application
• Reduce the attack surface:
  • Leak the least information possible (Apache, PHP, SQL...)
Page 42: Sécurité, les Best practices par OVH

Application
• Principle of least rights:
  • 1 account per person
  • 1 account per app
  • 1 admin account only
• Use LXC / Docker where possible:
  • Base system with almost nothing on it (CoreOS)
  • One container per app
  • No root inside containers!
Page 43: Sécurité, les Best practices par OVH

Application
• Use and abuse PaaS: PaaS Logs, PaaS Metrics, PaaS Database
• Use and abuse SaaS: DNS(SEC), Mail, Cloud Desktop
Page 44: Sécurité, les Best practices par OVH

Applications
• CMS webapps:
  • Used a lot, hacked a lot
  • It's mandatory to be strictly up to date
• CMS plugins:
  • Don't install seldom-used plugins
  • An apparently nice feature always comes at a cost
• Libraries and programs on Github:
  • Still supported?
  • Has it been audited?
  • Security vulnerabilities and fixes history?
  • Check on secunia.com
Page 45: Sécurité, les Best practices par OVH

Thank you & be safe