Hackers & Attack Anatomy - SNIA
Posted on 07-Jun-2020
ISE Proprietary
HACKERS & ATTACK ANATOMY
Geoff Gentry, Regional Director | ggentry@securityevaluators.com
Why is this important?
Agenda
About ISE
Attacks
I. Assets vs. Perimeters
II. Black Box vs. White Box
III. Security vs. Functionality
IV. Build In vs. Bolt On
V. Ongoing vs. Periodic
About ISE
• Analysts: Computer Scientists; Ethical Hackers
• Customers: Fortune 500 Enterprises
• Perspective: White box
• Research (recent): Browsers; Routers; Hospital
I. Secure Assets, Not Just Perimeters
Traditional Attacks vs. Traditional Defenses
II. Black Box Penetration Tests == Good
White box vulnerability assessment == GOOD!
II. Black Box vs. White Box
• Access Level
  • Black Box
  • White Box
• Evaluation Types
  • Penetration Test
  • Vulnerability Assessment
II. Black Box vs. White Box
Black Box Perspective vs. White Box Perspective (same engagement size: 2 mo. / 200 hrs. each)

                          Black Box                     White Box
Time/cost                 2 mo. / 200 hrs.              2 mo. / 200 hrs.
Severe issues             4 potential, 1 confirmed      11 confirmed
Other issues              none                          10 confirmed
Results                   no recommendations            21+ mitigation strategies
Completeness/Confidence   very low                      high
Cost/issue                200+ hrs.                     ~9 hrs.
Cost/solution                                           ~9 hrs.
SOHO Routers: Outcomes

              Goals     Results
Models        10        13
Attacks       Any       Remote, Local, Both
Compromise    >30%      100% Broken
III. Security vs. Functionality
EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE (1)
  SALES | IT (IT FUNCTIONALITY, IT SECURITY) | HR | ...
EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE (2)
  SALES | IT (IT FUNCTIONALITY, IT SECURITY) | HR | SECURITY | ...
CONFLICT IS GOOD!
I. Security Separated From Functionality
ISE Confidential - not for distribution
IV. “Build It In,” Not “Bolt It On”
Phase            Standard activity                 Security activity
REQUIREMENTS     Determine business & user needs   Develop threat model
DESIGN           Define architecture               Design defense in depth
IMPLEMENTATION   Coding                            Audit code
TESTING          System testing                    White box vulnerability assessment
DEPLOYMENT       Customer roll-out                 Configuration guidance
MAINTENANCE      Resolve bugs                      Iteration hardening
IV. “Build It In,” Not “Bolt It On”

                          Built In   Bolted On
Assessment cost           90%        100%
Assessment overhead       - - -      - - -
Mitigation cost / issue   1x         25x : application; 300x : infrastructure
V. Security as Ongoing Process

                                Yearly    Bi-yearly   Quarterly
Initial assessment cost         X         X           X
Full scope reassessment cost    90-95%    35-45%      20-30%
Full assessments / year         1         2           4
Cost / year                     X (0.9)   X (0.7)     X (0.8)
Heartbleed Mitigations
PROVIDERS
• Update to patched version of OpenSSL
• Revoke all SSL certificates
• Get new certificates
• Update all credentials
USERS
• Test all providers, using a tool such as:
https://demo.securityevaluators.com/Heartbleed/
• Change passwords
Get Involved
ggentry@securityevaluators.com