HACKERS & ATTACK ANATOMY

Transcription

1 HACKERS & ATTACK ANATOMY Geoff Gentry, Regional Director

2 Why is this important?

3 Attacks About ISE III. Security vs. Functionality I. Assets vs. Perimeters IV. Build In vs. Bolt On II. Black Box vs. White Box V. Ongoing vs. Periodic

4

5

6

7 Perspective White box Analysts About ISE Computer Scientists; Ethical Hackers Research Recent: Browsers; Routers; Hospital Customers Fortune 500 Enterprises

8

9

10 I. Secure Assets, Not Just Perimeters

11 I. Secure Assets, Not Just Perimeters Traditional Attacks Traditional Defenses 1 1

12 I. Secure Assets, Not Just Perimeters 1 2

13 I. Secure Assets, Not Just Perimeters 1 3

14

15 II. Black Box Penetration Tests == Good

16 II. Black Box Penetration Tests == Good White box vulnerability assessment == GOOD!

17 II. Black Box vs. White Box Access Level Black Box White Box Evaluation Types Penetration Test Vulnerability Assessment

18 II. Black Box vs. White Box Black Box Perspective

19 II. Black Box vs. White Box White Box Perspective

20 II. Black Box vs. White Box

21 II. Black Box vs. White Box Time/cost Severe issues Other issues Results Completeness/Confidence Cost/issue Cost/solution Black Box 2 mo. / 200 hrs. 4 potential issues 1 confirmed none no recommendations very low 200+ hrs. 8 White Box 2 mo. / 200 hrs. 11 confirmed 10 confirmed 21+ mitigation strategies high ~9 hrs. ~9 hrs.

22

23 SOHO Routers: Outcomes Models Attacks Compromise Goals Results Any Remote, Local, Both >30% 100% Broken

24

25

26

27 III. Security vs. Functionality

28 III. Security vs. Functionality EMBARRISNGLY OVERSIMPLIFIED CORPORATE STRUCTURE SALES IT HR... IT FUNCTIONALITY IT SECURITY

29 III. Security vs. Functionality EMBARRISINGLY OVERSIMPLIFIED CORPORATE STRUCTURE SALES IT HR SECURITY IT FUNCTIONALITY IT SECURITY

30 III. Security vs. Functionality CONFLICT IS GOOD!

31 III. Security vs. Functionality

32 I. Security Separated From Functionality ISE Confidential - not for distribution

33 I. Security Separated From Functionality ISE Confidential - not for distribution

34 I. Security Separated From Functionality ISE Confidential - not for distribution

35

36

37 ISE Confidential - not for distribution

38 ISE Confidential - not for distribution

39 IV. Build It In, Not Bolt It On

40 IV. Build It In, Not Bolt It On

41 IV. Build It In, Not Bolt It On REQUIREMENTS DESIGN IMPLEMENTATION TESTING DEPLOYMENT MAINTENANCE Determine business & user needs Define architecture Coding System testing Customer roll-out Resolve bugs Develop threat model Design defense in depth Audit code White box vulnerability assessment Configuration Guidance Iteration Hardening

42 IV. Build It In, Not Bolt It On Assessment cost Assessment overhead Mitigation cost / issue Built In 90% x Bolted On 100% x : application 300x : infrastructure

43

44 ISE Confidential - not for distribution

45 V. Security as Ongoing Process

46 V. Security as Ongoing Process

47 V. Security as Ongoing Process

48 V. Security as Ongoing Process

49 V. Security as Ongoing Process Yearly Bi-yearly Quarterly Initial assessment cost X X X Full scope reassessment cost 90-95% 35-45% 20-30% Full assessments / year Cost / year X (0.9) X (0.7) X (0.8)

50 ISE Confidential - not for distribution

51 ISE Confidential - not for distribution

52 ISE Confidential - not for distribution

53 Heartbleed Mitigations PROVIDERS Update to patched version of OpenSSL Revoke all SSL certificates Get new certificates Update all credentials USERS Test all providers, using a tool such as: Change passwords

54 Get Involved

55