cedes.ba
The art of security
What is not security (what years of pen testing have shown us)
Contents
• Security in the region – what's right and what's terribly wrong
• 100% penetration rate – how we always hit the jackpot in 2 hours or less
• Viruses and windmills – what they have in common
• Structured and unstructured threats – why we fear poodles much more than lions
• Did someone just steal our confidential data? – why we may never know
• Running a secure installation – it will take management involvement whether you like it or not
Where this information came from
• Penetration testing
– Systematic simulation of an attack by a capable and motivated attacker
– Serves to validate and verify security measures
– (mostly used to scare management into action)
– Exposes real threats, real vulnerabilities and real problems
• This presentation contains experiences gathered through years of pen testing and security consulting in the region
State of security
• Security is well funded
• Most large systems have impressive arsenals of:
– Firewalls
– IDS
– IPS
– Antivirus
– Antitrojan
– Monitoring systems
• Increased security awareness made funding available
• Projects are approved, budgets allocated
Approach to security
• Commonly handed off to IT
• IT does what IT knows how to do
– Need firewalls
– Need IDS
– Need IPS
– Need antivirus
– Need cool gadgets…
• Bought, deployed, configured == security?
• No, not really.
– 100% penetration rate
– Usually within hours
Why our approach doesn't work
• Security product arsenals don't automagically fix everything
• Vulnerabilities persist
– Social engineering
– Custom vulnerabilities in internal software
– Password reuse
• These three are plenty to compromise security
Security breach scenario
• Short, elegant, efficient, and very effective
– Social engineering to gain access to the internal network
– Custom vulnerabilities to obtain access credentials and expand influence within the internal network
– Password reuse allows hijacking the rest of the resources
• Days of instant remote root access are gone
• Vulnerability chaining defeats technical security measures
Why we stay vulnerable
• Commercial products are security controls
• Security controls are meant to mitigate specific risks
• They are pieces of the puzzle, tools of the trade
• They are NOT solutions – they are NOT security
Moat and castle
• Security products do nothing at all against
– A clueless user
– Custom written trojans (or slightly modified public ones)
– Vulnerabilities you make yourself (SQL injection, XSS, password reuse, code injection, weak authentication)
• Security either is, or isn't – never something in between
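The "vulnerabilities you make yourself" point in concrete form, as an added example that is not part of the original presentation: a home-grown login check with a SQL injection next to its parameterised fix. It runs against an in-memory SQLite database; the table layout, the two accounts and the attacker's input are all constructed for the demo. Nothing on the network path (firewall, IDS, IPS) can tell the bypass request apart from a normal login, which is exactly why the product arsenal never fires.

```python
import hashlib
import sqlite3


def build_demo_db():
    """Constructed sample data for the demo: an in-memory users table with two
    accounts. Hashes are plain SHA-256 to keep the example short; a real
    application would use a slow, salted hash such as bcrypt or argon2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in [("alice", "Winter2024!"), ("admin", "s3cr3t-admin")]:
        conn.execute(
            "INSERT INTO users VALUES (?, ?)",
            (user, hashlib.sha256(pw.encode()).hexdigest()),
        )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The home-grown login check as it is often written: the query is built by
    string formatting, so whatever the user types becomes part of the SQL.
    Returns the authenticated username, or None."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
        % (username, pw_hash)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same check with a parameterised query: the driver passes the values
    separately from the SQL text, so user input can never change the
    structure of the statement."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


def run_demo():
    """Exercise both versions with a legitimate login and with the classic
    comment-based bypass. The payload closes the string literal and comments
    out the rest of the line, so the vulnerable query degenerates to
    ... WHERE username = 'admin'--' AND pw_hash = '...'
    and the password check never runs."""
    conn = build_demo_db()
    payload = "admin'--"  # constructed attacker input for the username field
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "Winter2024!"),
        "vuln_bypass": login_vulnerable(conn, payload, "wrong-password"),
        "fixed_legit": login_fixed(conn, "alice", "Winter2024!"),
        "fixed_bypass": login_fixed(conn, payload, "wrong-password"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The vulnerable version logs the attacker in as admin without knowing any password; the fixed version treats the same input as a literal username that does not exist. Note that the fix is a one-line change in application code, not a product purchase, and that the hashing of the password in both versions is irrelevant to the bug: the injection point is the username.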
What we protect against
• Two types of threats out there
• Unstructured
– Attacks of opportunity
– Low motivation
– Low skill level
– Generic attack, generic tools, generic vulnerabilities
• It's very easy to defend against this type of attack
• Security arsenals are very good at protecting against the unmotivated, uninterested attacker with low skill level
• (a 486 will provide the same protection as the most expensive of security appliances)
What we don’t protect against
• Structured attacks– High skill level– High motivation– Specific goals
• These attacks don’t stop just because all your ports are filtered, or because there’s an up to date antivirus on every machine
• Path of least resistance never leads through multiple firewalls
Non-threats
• We spend all the resources protecting against non-threats
• Non-threat examples
– Viruses – Michelangelo anyone?
– VPN – I'm scared someone will take over the internet to spy on me…
– IPS – automatic defense, we'd have little to talk about if it worked
• I've never heard
– IPS stopped me mid-attack
– I attacked the link but the data was encrypted
– Firewall wouldn't let me through
Why do we believe we're safe
• I have no idea
– System has never been tested by an expert
– No one understands how it works
– We don't know if it works
What security IS
• Satisfactory guarantee of confidentiality, integrity, and availability of key resources
• Properly implemented security:
– Is an investment, not an expense
– Can prove its ROI
– Reduces expenses of unnecessary and ineffective "security" spending
– Is measurable
How to implement security
• I know what to protect (RA)
• I know what to protect it from (RA)
• I know how to protect it (identification of controls)
• I've documented how to protect it and implemented controls to do so (security policy, standards, procedures)
• I've exposed the organization to this information and trained them on the use of controls (user awareness training, specialized security education)
• I've tested the system (pen test + audit)
• I've corrected the system (audit results)
• I've tested the system again (pen test + audit)