cedes.ba The art of security What is not security (what years of pen testing have shown us)


cedes.ba

The art of security

What is not security (what years of pen testing have shown us)

Contents

• Security in the region – what’s right and what’s terribly wrong
• 100% penetration rate – how we always hit the jackpot in 2 hours or less
• Viruses and windmills – what they have in common
• Structured and unstructured threats – why we fear poodles much more than lions
• Did someone just steal our confidential data? – why we may never know
• Running a secure installation – it will take management involvement whether you like it or not

Prerequisites

• None!

• Feel free to ask questions at any point

Where this information came from

• Penetration testing
– Systematic simulation of an attack by a capable and motivated attacker
– Serves to validate and verify security measures
– (mostly used to scare management into action)
– Exposes real threats, real vulnerabilities and real problems

• This presentation contains experiences gathered through years of pen testing and security consulting in the region

State of security

• Security is well funded
• Most large systems have impressive arsenals of:
– Firewalls
– IDS
– IPS
– Antivirus
– Antitrojan
– Monitoring systems

• Increased security awareness made funding available

• Projects are approved, budgets allocated

Approach to security

• Commonly handed off to IT
• IT does what IT knows how to do
– Need firewalls
– Need IDS
– Need IPS
– Need antivirus
– Need cool gadgets…

• Bought, deployed, configured == security?

• No, not really.
– 100% penetration rate
– Usually within hours

Why our approach doesn’t work

• Security product arsenals don’t automagically fix everything

• Vulnerabilities persist
– Social engineering
– Custom vulnerabilities in internal software
– Password reuse

• These three are plenty to compromise security

Security breach scenario

• Short, elegant, efficient, and very effective
– Social engineering to gain access to the internal network
– Custom vulnerabilities to obtain access credentials and expand influence within the internal network
– Password reuse allows hijacking the rest of the resources

• Days of instant remote root access are gone
• Vulnerability chaining defeats technical security measures

Why we stay vulnerable

• Commercial products are security controls

• Security controls are meant to mitigate specific risks

• They are pieces of the puzzle, tools of the trade

• They are NOT solutions – they are NOT security

Moat and castle

• Security products do nothing at all against
– A clueless user
– Custom written trojans (or slightly modified public ones)
– Vulnerabilities you make yourself (SQL injection, XSS, password reuse, code injection, weak authentication)

• Security either is, or isn’t – never something in between
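The "vulnerabilities you make yourself" point is easiest to see in code. The following is an added example, not part of the original deck: a login check written two ways against a constructed in-memory SQLite table. The first assembles the SQL statement from user input, so the input can change the statement's meaning; the second passes the input as bound parameters, so the database only ever sees it as data. Nothing in front of the application (firewall, IDS, antivirus) distinguishes the two: both receive an ordinary, well-formed login request. The table, user names and the `demo()` helper are assumptions made for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for an internal application's user table.

    Passwords are stored in clear only to keep the injection visible in one
    query; production code stores a salted, slow hash and compares in code.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice', 'correct horse battery staple')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Statement built by string formatting: input becomes SQL syntax.

    A username containing a quote and an SQL comment marker ends the string
    literal early and comments out the password check entirely.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn, username, password):
    """Parameterised statement: the driver binds input as data, never syntax.

    The same odd username is simply a username that does not exist.
    """
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both variants over a good login, a bad login and a crafted username."""
    conn = make_db()
    good = ("alice", "correct horse battery staple")
    bad = ("alice", "wrong password")
    # Constructed input that is only "interesting" to the vulnerable variant.
    crafted = ("alice' --", "anything")
    return {
        "vuln_good": login_vulnerable(conn, *good),
        "vuln_bad": login_vulnerable(conn, *bad),
        "vuln_crafted": login_vulnerable(conn, *crafted),
        "fixed_good": login_fixed(conn, *good),
        "fixed_bad": login_fixed(conn, *bad),
        "fixed_crafted": login_fixed(conn, *crafted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The only difference between the two functions is where the boundary between code and data is drawn, and that boundary lives in the application, not in any appliance in front of it. The fix is a coding standard plus review and testing of the code you write yourself, which is what the deck means by security controls being pieces of the puzzle rather than the solution.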

What we protect against

• Two types of threats out there
• Unstructured
– Attacks of opportunity
– Low motivation
– Low skill level
– Generic attack, generic tools, generic vulnerabilities
• It’s very easy to defend against this type of attack
• Security arsenals are very good at protecting against the unmotivated, uninterested attacker with low skill level

• (a 486 will provide equivalent protection as the most expensive of security appliances)

What we don’t protect against

• Structured attacks
– High skill level
– High motivation
– Specific goals

• These attacks don’t stop just because all your ports are filtered, or because there’s an up to date antivirus on every machine

• Path of least resistance never leads through multiple firewalls

Non-threats

• We spend all the resources protecting against non-threats
• Non-threat examples
– Viruses – Michelangelo anyone?
– VPN – I’m scared someone will take over the internet to spy on me…
– IPS – automatic defense, we’d have little to talk about if it worked

• I’ve never heard
– IPS stopped me mid-attack
– I attacked the link but the data was encrypted
– Firewall wouldn’t let me through

Why do we believe we’re safe

• I have no idea
– System has never been tested by an expert
– No one understands how it works
– We don’t know if it works

What security IS

• Satisfactory guarantee of confidentiality, integrity, and availability of key resources

• Properly implemented security:
– Is an investment, not an expense
– Can prove its ROI
– Reduces expenses of unnecessary and ineffective “security” spending
– Is measurable

How to implement security

• I know what to protect (RA)
• I know what to protect it from (RA)
• I know how to protect it (identification of controls)
• I’ve documented how to protect it and implemented controls to do so (security policy, standards, procedures)
• I’ve exposed the organization to this information and trained them on the use of controls (user awareness training, specialized security education)
• I’ve tested the system (pen test + audit)
• I’ve corrected the system (audit results)
• I’ve tested the system (pen test + audit)

Thank you!

• Questions?

[email protected]

Cedes.ba services

Training

Penetration tests

Forensic system analysis

ISMS implementations

Implementation of security controls