The Boring Security Talk

Hello!
I am Kieran Jacobsen
Head of Information Technology @ Readify
Microsoft MVP, Cloud and Datacenter Management
You can find me at:
◇ @kjacobsen
◇ Poshsecurity.com

CI/CD
Pushing code around and around and around and around and …

Publicly Exposed
◇ Internet accessible
◇ Limited or no firewall rules

Weak
Authentication
◇ No SSL/TLS
◇ Shared accounts
◇ Stale accounts
◇ No MFA

Significant
Privileges
◇ Operating System privileges
◇ Cloud privileges

Patching
◇ Operating System
◇ CI/CD Tools
◇ Dependencies (Git)

Attacks Happen
“Hackers exploit Jenkins servers, make $3 million by
mining Monero”, CSO Online, 2018-02-20.

Restricting Access
◇ Does it need Internet access?
◇ Can we lock down by source IP address?
◇ Can we lock down to specific destination port
numbers?

Using SSO and MFA
◇ Enable and enforce HTTPS
◇ Enable SSO – Each user has an account
◇ MFA should be enabled for Internet exposed systems

Least Privilege
◇ Ensure CI/CD agents and processes run with least
privilege as possible
◇ Restrict who has admin access to CI/CD
◇ Audit privileges regularly

Patching
◇ Ensure servers are in regular patching process
◇ Plan for CI/CD patching and dependency tool
patching

DNS
The Internet street directory.

Change Control
◇ Who made a change?
◇ When did they make the change?
◇ Why did they do it?
◇ What was it pointing to?

Speed
◇ How long does it take to make a
change?
◇ Manual changes

Visibility
◇ Do those impacted have visibility into
changes?

Bad GUIs
◇ No standardization across vendors
◇ Confusing terminology

Attacks Happen
◇ “Microsoft Resnet - DNS Configuration Web
Vulnerability”, Vulnerability Lab, 2017-08-16
◇ “DNS Squatting with Azure App Services”, Posh
Security, 2017-08-27

DNS Control
◇ Open Source Software
◇ Developed and maintained by Stack Overflow
◇ Supports multiple registrars and DNS providers
◇ Can preview changes before pushing them
◇ https://stackexchange.github.io/dnscontrol/

A Recognisable
Format
◇ JavaScript configuration file
◇ Comments to help describe zone
contents

Version Control
◇ Branches
◇ Log
◇ Blame

Pull Requests
◇ Review changes
◇ Include impacted teams

CI/CD
◇ Humans don’t change DNS
◇ CI = DNSControl Preview
◇ CD = DNSControl Push

https://www.dell.com/content/topics/topic.aspx/us/segments/biz/odg/dmlp_dell_security_card

Email
The service we all have but don’t want

The Issues With
Email
◇ SPAM
◇ Phishing
◇ Spear Phishing
◇ Whaling
◇ Impersonation

Received: from DM6PR17MB2266.namprd17.prod.outlook.com (2603:10b6:4:ae::32) by
DM6PR17MB2266.namprd17.prod.outlook.com with HTTPS via
DM5PR07CA0103.NAMPRD07.PROD.OUTLOOK.COM; Tue, 4 Sep 2018 05:43:05 +0000
Received: from BN6PR1701CA0008.namprd17.prod.outlook.com
(2603:10b6:405:15::18) by DM6PR17MB2266.namprd17.prod.outlook.com
(2603:10b6:5:b9::24) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1080.16; Tue, 4 Sep
2018 05:43:04 +0000
Received: from SN1NAM02FT009.eop-nam02.prod.protection.outlook.com
(2a01:111:f400:7e44::208) by BN6PR1701CA0008.outlook.office365.com
(2603:10b6:405:15::18) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1101.13 via Frontend
Transport; Tue, 4 Sep 2018 05:43:04 +0000
Authentication-Results: spf=pass (sender IP is 167.89.85.8)
smtp.mailfrom=mail.haveibeenpwned.com; mydomain.com; dkim=pass (signature
was verified) header.d=haveibeenpwned.com;mydomain.com; dmarc=pass
action=none header.from=haveibeenpwned.com;
Received-SPF: Pass (protection.outlook.com: domain of mail.haveibeenpwned.com
designates 167.89.85.8 as permitted sender) receiver=protection.outlook.com;
client-ip=167.89.85.8; helo=o1.mail.haveibeenpwned.com;
Received: from o1.mail.haveibeenpwned.com (167.89.85.8) by
SN1NAM02FT009.mail.protection.outlook.com (10.152.73.32) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
15.20.1101.10 via Frontend Transport; Tue, 4 Sep 2018 05:43:03 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
d=haveibeenpwned.com;
h=list-unsubscribe:mime-version:from:to:subject:content-type;
s=s1; bh=mFx0zhuzDsGoIla8aGV2t+ISE1M=; b=MT6P3xrFdv+WhFes4+EM7fO
x//qsAcniNiv4B4hKTVsJ6Pnp+g4Kkb3o/BRQ1TjP9sMvwP/OePTdexGxujPdZzB
LOt6wAEJBMn0h8tPtAgVEzGtdQM2lHCeS1DQrnG35rzQMN3LhRra17sOKvbLLoUC
7F+6Op43i+2BoS4SYvMw=
Received: by filter0977p1las1.sendgrid.net with SMTP id filter0977p1las1-2529-5B8E1B66-6
2018-09-04 05:43:02.610378772 +0000 UTC m=+366954.998771853
Received: from RD00155D44C230 (unknown [137.117.9.67])
by ismtpd0003p1maa1.sendgrid.net (SG) with ESMTP id txkzLJa4SO6B0qzdI0m5JQ
for <kieran@mydomain.com>; Tue, 04 Sep 2018 05:43:02.037 +0000 (UTC)
List-Unsubscribe: <https://urlremoved>
MIME-Version: 1.0
From: "Have I Been Pwned" <noreply@haveibeenpwned.com>
To: kieran@mydomain.com
Date: Tue, 4 Sep 2018 05:43:02 +0000
Subject: Your Have I Been Pwned multi-domain search
Content-Type: multipart/alternative;
boundary=--boundary_2710_ddf525f8-32df-4a8d-a6f4-ab5741489b1e
Message-ID: <txkzLJa4SO6B0qzdI0m5JQ@ismtpd0003p1maa1.sendgrid.net>
X-SG-EID:
+hTzZUFBwwi5yR2OMYXnaQJFW8TOSIir+ZvRtvyXczg2YNwtGFNGQYcU8wudo+ZrCqjUGTE1K7nSBP
5oomozYC/01sK+uie2ApKprETt/vO2Lv+TNL7s1gJmvfwaj0BFNwjD/9u6tP91Vz860+gV2/p/NEen
0ZxTiNi3a8SzmZDMOG0bY4Z59/7RDY7gbSLD+VS8N1NczjWiQH9jdwSx3M7pXbC0RF6ipIy1zZ8x2l
avbHIGsYYRAxxwQGVVHd21
Return-Path: bounces+3489673-b289-kieran=mydomain.com@mail.haveibeenpwned.com
X-MS-Exchange-Organization-ExpirationStartTime: 04 Sep 2018 05:43:03.4300 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: Original Submit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: Original Submit
X-MS-Exchange-Organization-Network-Message-Id: 4c8ae022-303a-41ec-2ca2-08d61229483b
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 17455d0b-6bc6-4378-b0ac-3b058ee8070f:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report:
CIP:167.89.85.8;IPV:NLI;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(8156002)(2980300002)(1060300004)(43800
2)(596005)(189003)(199004)(84326002)(2361001)(110436001)(146002)(1096003)(106466001)(2351001)(1
6003)(10126004)(606006)(7596002)(4290100001)(7636002)(14444005)(54206008)(8676002)(6916009)(35
6003)(246002)(336012)(79686004)(486006)(956004)(26005)(126002)(236005)(980100002)(6306002)(4760
03)(733005)(22756006)(104016004)(22746007)(9686003)(16586007)(106002)(63394003)(567944001)(966
005);DIR:INB;SFP:;SCL:1;SRVR:DM6PR17MB2266;H:o1.mail.haveibeenpwned.com;FPR:;SPF:Pass;LAN
G:en;PTR:o1.mail.haveibeenpwned.com;MX:1;A:0;
X-Microsoft-Exchange-Diagnostics:
1;SN1NAM02FT009;1:wi11LpUFTWFp0gb5YlNIGEaNEGU2rna36xyH4a5AJiz9gjzxQqGtHlppXPTEvGiVCO
JR3Sj+4HjNSfjNUjLLtmvzGSOoRFNm855+VJ6+3JLbQksYX3oKTSPGc+8EMyLK
X-MS-Exchange-Organization-AuthSource:
SN1NAM02FT009.eop-nam02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 4c8ae022-303a-41ec-2ca2-08d61229483b
X-Microsoft-Antispam:
BCL:1;PCL:0;RULEID:(7020095)(4652040)(5600074)(711020)(4605076)(4608076)(4614076)(1401180)(800
1031)(1402068)(71702078);SRVR:DM6PR17MB2266;
1;DM6PR17MB2266;3:ej9TbMdL0OIw4mKtiDVFPLiUpkwROW5rswXXfsDaUJwFnd1h/QAPCLxyFrjzTYlJL/
TWhrsMIYmWK82QKP/tbN+QrnK4LApcJ9GwDffU9h8/PHuxj21XRraxdUYm7VKsQIawnBVWoaaYvf2qWXe
+rHnR2a6Qk4MyO7JtnggRL+33Mcf1USvtY8rCwResamsGQvZjr+vK18b8DAnCN8xq2TQPBd36xG2XOAIM
xP6M0oHZ31nhNJf4nQvrBBJcO7fDb8a50UdBjUyUN5xN0YiDRNBFeMTkGRlZlXlbCVybepxEp3lF/6nWwQ8
ZxHj9iOOYLVNToU7/qBZghVX8YbPhFw==;25:EcoRo5mofseoCxCAbj6wjDMds1YwpRfvVuujsciCdQxBCEP
YXY0H0NLSGw78SdiLtHHWMTZ4udmGL6LxQyaqWmlpNqCp9aorSUMEfzq8tIOmkNq69P3FnEsNFH2sDZ
2mYwtTDAhKcoOkI+AECosW0x7+RU/TYRlwyeyN5qyllJDDt2Q44qodQafv6l8XKua3l9Fa/bxsK3eKsJGiYMe
ktKG1W+04N3gZHOPSUFZmIJTVJjSmb+Lgp6xHL+DTJjFwb571ZgHmfuZflnRzat3NWrNFCJgAJcivxhvGS
+z8F/gXoCOuppUKuGRGY/a7NtEWqgjnfcchidJk6c5TXpPeqw==;31:aDiAsMKcn0ByGkWTPDzn6rgbT4eRq
GmJAZInmz4VG5G9y3ulpKh0Msp3ZXd8+qgBqHZQXEtJR5kaC8wAPDuT8XveMEgbyiDQSUtzXEretXUAQ
bSXOL/7dDfJbEbI3ll80tNGhWFZ5hj+t5+k873eJ6PqAUeamXlQf61Il4HMBdhKLP9k6rik/88lDPwVW6R3Xad/
NdWHYPYdJ0xIqCT40q+ifvKHDYxZYrRxOfz4ANA=
X-MS-TrafficTypeDiagnostic: DM6PR17MB2266:
X-MS-Exchange-AtpMessageProperties: sap=1;slp=1;
1;DM6PR17MB2266;20:LGeJPMtgY60vAq9/uY3vwo/5ter8iXlSLBWvZQngLpcAdxLrz/CW8WP9Snx/TlHpqz
XlEiTbpG4Ir7MbE8iBS1Qw4E6BTl2c0/EiMw07dQDqcgolDIXVvx+yyyqUV4HyhXnFocGBGLlgt+kHu2WvuE+
kzJZ7N4V7+dqCWmo9SJHxkbqxm3eQF1larU1bKSPQwRrF56KLa0DUlnQGcLssoeCMgD5bjnlNEpaZyvGq
c6BQVaSle198H+MDJeD7J0VJ;4:ReU99nAyCONI4wQ9uixj6fZz4OMfS7iOjg7vpcgfIaNBQrkSVCafktPFBw4
3l3X41ysDtZ+O3nV7++jurtW0MTegiHfTXmazzw92FsKz5yKWVQ0hh+kjxvy1+6AfVic8L5SpbZNPaZ0k2sSW
4V/LNFO9+zwtWnja9DVNXpu1Z1x1zVd2KhflqGonDnmDltLLapdtE1hdnLdc50vloOkfKV9IW0n7FQZB8L9txd
e4n4JPiHO5PC5PjmAa5OCG9dEA6z4KOYLtYOUzZY93jLVvT1WbJjVXrXiwOZC8gJxWxJuWHwQ6iR53IyL
KpaA8iqjUKW8o15TRbVy7OZ2B5/DDfMr1BC5fDtvWKY1xZu8thWfS99yrqPFh691DsPstzwMZOr74e7qcu7s
RSOSOo8smr6bvoRfQClG9pSmahkycjJsyWk63dhJ4u1AaOx0D6uFg7m2mKktF7io0muku/KDnytfNeC/waB
elMP4qj1Fz4T4K6PQZSBXxlt5li2tiTHth3uAb6+ebQpy7fmQXRSgyXGr0F/1fGRhnHeLDBDCE0Lq1hcQgEd9
1+xigWroFlrW2aiNXQFa/ZeRZrXbyh8C5sYzmdv2OO85aWkuEPxLffy9qdoPko0nzF3jOO/Lyo/XE
X-Exchange-Antispam-Report-Test:
UriScan:(148322886591682)(31418570063057)(116415991822766)(128460861657000)(211936372134217
)(80641642340047)(86561027422486)(81227570615382)(81160342030619)(64217206974132);
X-Exchange-Antispam-Report-CFA-Test:
=?us-ascii?Q?BCL:1;PCL:0;RULEID:(8211001083)(2018021200217)(2018011200283?=
=?us-ascii?Q?)(2401047)(701105)(8121501046)(2018021201217)(2018011210174)?=
=?us-ascii?Q?(2018011211064)(2018011212028)(2018011213028)(2018011214028)?=
=?us-ascii?Q?(2018011215028)(2018011216028)(2018011217028)(2018011218028)?=
=?us-ascii?Q?(2018011219092)(2018011220252)(2018011221063)(2018011222027)?=
=?us-ascii?Q?(2018011223027)(2018011224027)(2018011225035)(2018011229035)?=
=?us-ascii?Q?(2018011232269)(2018011233052)(2018021202149)(98810176)(2018?=
=?us-ascii?Q?021203149)(98815176)(2018021210244)(2018011240279)(1430482)(?=
=?us-ascii?Q?1431068)(1432130)(1551054)(823301075)(823300264)(823311075)(?=
=?us-ascii?Q?9101536074)(93006095)(93005095)(88839001)(10201501046)(30020?=
=?us-ascii?Q?01)(3231311)(901025)(902075)(913088)(7045084)(944501410)(930?=
=?us-ascii?Q?0000166)(9301004277)(52103095)(52102095)(73117211)(111716171?=
=?us-ascii?Q?)(52105095)(52106170)(88801588)(2018021211244)(2018011241182?=
=?us-ascii?Q?)(2018020100189)(2018021213027)(52408095)(98821027)(98822027?=
=?us-ascii?Q?)(52401380)(52505095)(52406095)(52305095)(52206095)(88860193?=
=?us-ascii?Q?)(52409095)(88380075)(88381075)(1610001)(8301001075)(8301003?=
=?us-ascii?Q?183)(201708071742011)(7699016);SRVR:DM6PR17MB2266;BCL:1;PCL:?=
=?us-ascii?Q?0;RULEID:;SRVR:DM6PR17MB2266;?=
X-MS-Exchange-Organization-SCL: 1
=?us-ascii?Q?1;DM6PR17MB2266;23:MjijHHSymIpa4daDMcu27pBFpHW3Wgkpy6a/BdxZ5?=
=?us-ascii?Q?iVP+5gu9obK7CFhZItAqUIkGqvw14v1FNoBZ/fmfOpE79poZiBwGAyNi8yRZ?=
=?us-ascii?Q?tsgAkAYMIpFjfTgojMicSzMbSJydeEeY3H08wwoLgH19c9HVte8sXgJ1WfA4?=
=?us-ascii?Q?yXCZk3COdvARMN24Co5J7yPkAWpDn4HxFftiuP5Hl3y1LIu1JBYwbfktpv6U?=
=?us-ascii?Q?795QWsEGNxqIZSYxpkOxO/g1RMJhrzehVKVFfjyxvEbOL7775yXBKZ5csyGX?=
=?us-ascii?Q?y8UVRYOHca8O6zMqTUd1cyZXIphUSDUDLKsB326zlWyEZK82OelVIwDrPq03?=
=?us-ascii?Q?tJn70hOavlsd+RAE7QnD/EuFHGmNKVfZo6MftpjApR7HsP5sanLRv9pHu4p4?=
=?us-ascii?Q?MiMh4rsW2hNnc7DuodokiPFYxeX5MtftlJi9dCQf4woTFYfcfg0HUWcMk8VB?=
=?us-ascii?Q?rFEP7aGJyQjFLgxgL4VTvmansBok5R0u6UFG6YU88OPyxIOaC1Et0LgjKb79?=
=?us-ascii?Q?pD5W5aDi+jnElY48OExP3QXVmMVm8DD9wA2yQ8LN4z4Z8DQ0NMJamxRyIM4l?=
=?us-ascii?Q?dNNv4JZjXt9cSKsHOd7IPq727ASvEW9cbPZBq7WUM2rz/YceWNzCs4qoN0ZL?=
=?us-ascii?Q?PN4S92TwvzAakZPLHCPDbp5YnGk9Ph1wP6ZzNE/a7GT+j9uXrr7MEtMtk+7d?=
=?us-ascii?Q?H3NOTSKg5Schy+iofxpTJ/Lntuy94IWPoGiWej36zzIXuzYw3d4riRZ5pjOZ?=
=?us-ascii?Q?hXG5HQ03Tea9zVbwDj1rFz9+vU/qqQ0c0snBITS0RLzDrgks8W1ymFI2DgIN?=
=?us-ascii?Q?Ro60tMFtQoW0gcsF7rnvHowrSpY5gmLcx+02vvFi1M7ml5wHuxcFmot4wVUF?=
=?us-ascii?Q?HjB4mPkZmafQyloAs2Z8ZxIGeevluby5t+ZnZbesx/rbI9+/Bp7Zy1P0veDc?=
=?us-ascii?Q?8o=3D?=
1;DM6PR17MB2266;6:uz9p8W0bG2kbLAYtAtf7xqoKMw1yOARNVewWdUoyAdqSmbyDIR0HMBR2W3/k2g
i6X3IDcEGMD7Fpvo08EMJ+SfmOddzWlEiwFP76Bqmi5AsqgnJznKO+GF69X9rhZJxraGpmbKDUTEuaTmt
pw093K/S35GHbb5tNwFNjIg2f8qdMx4s/e9oIlA//uyNxRDpD6JNMUwrS/p3IYXkjvcORBKhiuYWphsRQBiiesg
yp7kZdzKMKQ5CWzFyqV2ZwuiDM1/F3obSWn6egqNBE4HOkDmrfoW1euN4zlpOiadFosO1T4gH4ATSM9
VeGjGW/fGU/detf66gEVwQKDfzPeVhb9OVsGKPvKuBhjzA+X05yHhTc1sFH5+cXTKkgCS0rwKzvMahD3yt
ZyIpiwV5VL7RDKF08keH7vHTUFXVWgAhxoWHOIHFyTT7l6AcpXlgH4gwiXqBOg+xnyqUw0XoZr+GF5A==
;5:uAJiceBBbrE/6tAICnHu85ZpJXj9yFvM0sqc2IzTnHyTswjWHO/db+mpypw4ivwX6dYA+qMtG3kHvBqsgXlj
m0drHfmk8TMfAjkgRDWoeDDmY5bCPfvgAIto+knYoMKjV7fCcw8/niID0BsNmiYJfg7n0aoxpx+2wqjLAvjBZv
4=;7:LI0Y7zughzYIPqr/gGmm1xKNj3LZTFmybLhNkdbTlLeHsR4l54uONyOGZvwUoMGgks2PjIbp8SokAtLH
aKbS/eyICoo4iuyEopDB3j1eHvCwxYUo8VtVkRR+d3mxE95aBNO1XtjGmsB1bnF2KVGTgrGi897Ss2MNaR
GOsUckTXDLFqQxbOJ5hyWLpkuU/eIM2b4gQUNPihv38eTvKldBq1n+39phSRzZA1RFg4d/khjVIMxebyNPN
ItFu/P0fe0J
X-MS-Exchange-Safelinks-Url-KeyVer: 1
X-MS-Exchange-ATPSafeLinks-Stat: 0
SpamDiagnosticOutput: 1:5
SpamDiagnosticMetadata: Default:1
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Sep 2018 05:43:03.1488
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4c8ae022-303a-41ec-2ca2-08d61229483b
X-MS-Exchange-CrossTenant-Id: 17455d0b-6bc6-4378-b0ac-3b058ee8070f
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR17MB2266
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.6667033
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1080.019
1;DM6PR17MB2266;9:dPIAHVEnRkG2VjM7ZpQkOq2wgKeR3tACewk0Bvz58pmNg6QRgjyivTMx188PP
XuS4m56I3YF1yEh7nKgp7fLnxk8lbou5TCmf8Eh7pcDL3PkfYZPD5GXFb5gmudpViM7
X-Microsoft-Antispam-Mailbox-Delivery:
dwl:1;ucf:1;jmr:0;ex:0;auth:0;dest:C;OFR:CustomRules;ENG:(20160514016)(750119)(520011016)(52000
8050)(702028);
X-Microsoft-Antispam-Message-Info:
zpAbROfcZWD78p80tevS/LMz9QHOS4d2LlTO+682yaNvILO8H16wYMWkoBjUGTcQDlj7zFspHhpdOEk
YDFZTFnamfzVu2o2Kp/OCpfZ9v4Cyp7K2nWWmlblRxh5fsI9+/lWgm08J6rCDyzTM9NN7uJzOiXs43qV6Q0
y7KcST0ckU7Sp0Hgyo/nkl+UAkyef12IR+7dkxH/ind0ZxOADQuqDLQbU+PvtEjRAvKGXS7loSU0yGhRjGyn
ZHOb8j+FMCQANWCAFM1dTxKlYl9HP0YaWaGk6HB8BlcL3MoKGRcALS5THCqRGD/zac7ZAxDI/J/e2Ow
tlEjf1uFh/nBQkCgfDCr2X8RqtAikIbEFsJPVGPJBi+k8aAUPUPZGkSlt0B2AMrhtwdV32bYQCXk4UaksJzLDv
4wDgLi8lGUV/y5pEtOVz99wNBWQ5OpCHE3pgFjkxb5zIYhFM5ZJXet8nv/ulFC9onQ+mdCiFLs4SH4rOkRA
pPFHpFAuVu/vKst6TSMnH5pTVglVMp3b8C7Gc4WgKXC8Tdzast0DIJ6/zUMY4P1kHveamSlhBwGy0PGtxa
2wuRczLGYdag78CtYgmeYvYjXUiu6tohofpGNAmxT7uMldb2seQUe+b4uDujggRTHkpWi3S5RyHO6/sp3M
YfA8l0UETuUjL1kzCV7Q8/4UacZH/bjdPcLskr2AxqFXCY8ZY3KM5S+BYcQTX/MKkpu3KAV0zmCpHgSKdi
OIpHhj+GS8Gtg4N1RjyMZzw3EYz4F6cZoZNnwBPvj2TI3uIrjVGuVwxn8OoHacRFEYQ1tfx8rat1xAo6aFe6C
HvKnEUglW5tvrRvT+tmabuYvgrIMWSUsl9FncxEbclYyg76YTUupKFP+gAL6S2/wZYd0A/eVqvioKIFBkmRm
CSAlHPsgPorcsUyi/hiTMD26/lDkjY0kP+ISTuT6w2Pyl1tfRDYpf5nTF20FdG/cEN2Z0FFeQ==
1;DM6PR17MB2266;27:Iscb/jTS4lE7U+vmRoRlVrfharBAzO5uTWBmzTJGhqmtVSWSp1LnahQKSFCSQ
EciBzrWWFLdjfEI17TmwcW4jrMfbV/O/RQevvFLSzGxqsQTPDrC7DeBAPsmhpEnK1sChyTZ3wdUUOohba
VLstcRBHdS3smjjm76fJHln9UqqlmC5ll2Rty3qs5qwwX/32xfDpMXpZnqB2pevPGLfL8z5fMI82S7LSfrIk+jJtg1
lX/gWM4Jk1OvLAKrotZdeXBPo9ocnIAFDEfDIAR+9vpP4S1vQ3j18m1Y/QfQMe9M5YatrSJq27O/6lR9+4jtnl
LFgL1kEAjOfZ5cYOs8sl76sAwpUzrDXtGMw2zyfVsw8lGyiXjoa7WJdzUgFE1FJeBqjjMZ7WwR47KzTry7y6w
afIOace9kBZ+jivG8U0Bv4QhX0pbVp2QkDwIRp1K3vhhyWUjfeXXWr1iZU+A7dvJb6A==

From: "Have I Been Pwned“
<noreply@haveibeenpwned.com>
Return-Path: bounces+3489673-
b289-
myuser=mydomain.com@mail.haveibe
enpwned.com

Identifying Sources
◇ Your mail servers
◇ Applications
◇ Marketing campaign servers
◇ Bulk email services
◇ SaaS products

“
We can’t use SPF, DKIM or DMARC
because we don’t know who is
legitimately sending email as our
organisation‽

SPF
◇ Validates mail is coming from authorised IP
addresses
◇ Information stored in DNS
◇ Validates envelope-from address
◇ Can include other SPF records – Office 365 etc
◇ DNS query limitations

DKIM
◇ Uses digital signatures to validate mail
◇ Validates Message-From header address
◇ Public key(s) stored in DNS

DMARC
◇ SPF and/or DKIM
◇ Alignment checks
◇ Allows domains to specify action if checks fail
◇ Reporting
◇ Policy stored in DNS

No DMARC
61%
None
35%
Reject
4%
https://phishingscorecard.com/

Packages &
Dependencies
Turtles all the way down

Docker Images
“Malicious Docker Containers Earn Cryptomining
Criminals $90K”, Threat Post, 2018-06-13

Browsealoud
“UK ICO, USCourts.gov... Thousands of websites
hijacked by hidden crypto-mining code after popular
plugin pwned”, The Register, 2018-02-11

Eslint
“Postmortem for Malicious Packages Published on July
12th, 2018”, ESLint, 2018-07

“
The maintainer whose account was
compromised had reused their npm
password on several other sites and
did not have two-factor authentication
enabled on their npm account.

Thanks!
Any questions?
You can find me at:
◇ @kjacobsen
◇ Poshsecurity.com

The Boring Security Talk

More Related Content

What's hot (20)

Similar to The Boring Security Talk (20)

More from kieranjacobsen (19)

Recently uploaded (20)

The Boring Security Talk