Increasing Value of Security Assessment Services

Posted on 10-May-2015


DESCRIPTION

Session Description: Compliance and Best Practices tell us to do a Penetration Test, but there is no real definition. We are asked to do Vulnerability Scanning, but are the scores relevant? What about this huge audit we went through? All those tests and all those boxes checked... is our company more secure? As a tester and defender I am SICK of seeing people pay for testing and have no idea what the tester did, how they did it, or what value it provides. Unless we follow a methodology that is repeatable, understand the business and its assets, and work on both the Red Team AND Blue Team... we are defending our networks with the same stacks of cash the attackers are trying to steal. This session will talk about practical testing and defense, getting the most out of your testing dollar, and <surprise face> how to track the growth of your InfoSec program from its management systems all the way out to the magical question "how are we REALLY?"

TRANSCRIPT

INCREASING VALUE

Of security testing and assessment

HI. =)

THANKS

ANYWAY...

I’M CHRIS

MY CREDENTIALS?

-ME

Pain in the arse

Loudmouth Hacker Punk

Tells lies (professionally)

Is called all sorts of bad words... that I will likely say throughout this talk

Can’t code well

Talks $hit

Drinks a LOT

Is an overall J3rk

LARES

CUSTOM SERVICES

OSINT

SIGINT

TSCM/ Bug Sweeping

Exploit Development

Tool Creation

Attack Planning

Offensive Consultation

Adversarial Intelligence

Competitive Intelligence

Attack Modeling

Business Chain Vuln Assessments

Custom Physical Bypass Tool Design

Reverse Engineering

Other stuff I can’t write down…

Traditional InfoSec

• Typical services
• Proposed value (Sales BS)
• Set up for failure
• WYSIWYG

Enhancing Services Value

• Doing services right
• Mo’ value, less money
• Eliminating failure
• Custom Delivery

New Skool InfoSec

• Red Teaming (CAST: Converged Attack Surface Testing)
• Insider Threat Assessment
• Adversarial Modeling
• IDCa (Interactive Defense Capability Assessment)
• BCVa (Business Chain Vulnerability Analysis)

TRADITIONAL INFOSEC

Doing the same thing and expecting different results.

VULNERABILITY ASSESSMENT

WHAT IS A VULNERABILITY ASSESSMENT?

A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. http://en.wikipedia.org/wiki/Vulnerability_assessment

VULNERABILITY ASSESSMENT

Reasons to Conduct

Identify potential vulnerabilities

Provide scoring of risk & prioritization of remediation

Manage environment vulnerabilities over time to show security program improvement, defense capability increase and compliance with ongoing patch, system and vulnerability lifecycle

How it’s usually done

Run a bunch of scanners

Generate a report

**Sometimes** Generate a custom report consisting of copy/paste data from the vulnerability scanners and TRY to make sure you delete the words Nessus, Qualys... and/or the previous client’s name

SETTING A VULNERABILITY ASSESSMENT UP TO FAIL

Do not run “Dangerous or Experimental Checks” *instant 30%+ reduction in results and overall accuracy*

Do not perform Denial of Service

Do not run thorough checks

Do not run Web checks

Only run ONE brand of scanner

Limit only to known network checks

Only scan once

PENETRATION TESTING

WHAT IS A PENETRATION TEST?

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source... The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. http://en.wikipedia.org/wiki/Penetration_test

PENETRATION TESTING

Reasons to Conduct

Identify if attackers can readily compromise the security of the business

Identify potential impact to the business

Confirm vulnerabilities identified

Gain a “Real World” view of an attacker’s ability to “hack” the environment and resolve the issues identified

How it’s usually done

Do all the steps in Vulnerability Assessment listed previously

Run metasploit/Core/Canvas against hosts

Try a few other automated tools

Call it “SECURE” if those don’t work

SETTING A PENETRATION TEST UP TO FAIL

Do not allow the exploitation of systems

Restrict testing to non production systems

Restrict the hours of testing

Restrict the length of testing

Improperly scope / fail to include ALL addresses

Only perform externally

Patch/fix BEFORE the test

Only allow directed attacks (no SE/Phishing)

Lack of focus on BUSINESS risk and increased focus on technical issues

RISK/COMPLIANCE ASSESSMENTS

WHAT IS A RISK ASSESSMENT?

IT risk management is the application of risk management to the information technology context in order to manage IT risk.

Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks.

http://laresconsulting.com/risk.php

RISK ASSESSMENT

Reasons to Conduct

Compliance with regulations

Overall health check of the InfoSec program

Gain understanding of program effectiveness

Baseline discovery

To show 3rd parties and customers they are “Secure”

How it’s usually done

Whip out a checklist

Check stuff off on checklist

Have a TON of interviews

Believe every word

Do a tick mark legend and ask people to provide “evidence” *which is usually faked*

Only assess controls that are in scope of THAT specific assessment *often information centric*

SETTING A RISK ASSESSMENT UP TO FAIL

Do not allow ACTUAL/TECHNICAL testing and validation

Rely on all information provided as TRUE

Minimize scope to only include assets and controls that are part of the selected compliance regulation and NOT the ENTIRE BUSINESS

Allow for “Compensating Controls” to be an answer to most issues

Expect to become compliant through outsourcing

Expect to become compliant through product purchase/implementation

Be unprepared

LIE

ENHANCING SERVICES VALUE

Stop cutting off your own fingers

BUDGET (I WANT A BRAIN SURGEON FOR THE PRICE OF A NURSE)

SCOPING

TIMING

TESTING

VULNERABILITY ASSESSMENT

Skip it! Do it yourself

Use scanners to identify vulns

Figure out a process to track them over time

Manage the reduction of vulns over time

Manage the MTTP (Mean Time To Patch)

Do the rest and make your testers WORK hard.
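The in-house tracking process the slide above asks for (track findings over time, show the count falling, manage MTTP) is easy to sketch. The following is an added example, not code from the talk or from Lares: it keeps one row per finding carried across scans, reports the open count at each scan date, computes Mean Time To Patch per severity, and flags open findings past an SLA. The hosts, check identifiers, dates and the SLA table are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional

# Constructed sample of a vulnerability tracker: one row per finding on a
# host, carried across scans. Hosts, check identifiers and dates are invented.
@dataclass
class Finding:
    host: str
    check: str                      # scanner check id (placeholder, not a real plugin id)
    severity: str                   # "critical", "high", "medium" or "low"
    first_seen: date                # scan date the finding first appeared
    fixed: Optional[date] = None    # scan date it no longer appeared; None while open

FINDINGS: List[Finding] = [
    Finding("web-01", "CHECK-0001", "critical", date(2015, 1, 5), date(2015, 1, 12)),
    Finding("web-01", "CHECK-0002", "high",     date(2015, 1, 5), date(2015, 2, 20)),
    Finding("db-01",  "CHECK-0003", "critical", date(2015, 1, 5), None),
    Finding("db-01",  "CHECK-0004", "medium",   date(2015, 2, 2), date(2015, 2, 16)),
    Finding("app-02", "CHECK-0005", "high",     date(2015, 2, 2), None),
    Finding("app-02", "CHECK-0006", "low",      date(2015, 3, 2), date(2015, 4, 1)),
]

# Monthly scan dates and the "as of" date for the report (constructed).
SCAN_DATES = [date(2015, 1, 5), date(2015, 2, 2), date(2015, 3, 2), date(2015, 4, 6)]
AS_OF = date(2015, 4, 6)

# Remediation deadline in days per severity. Assumed policy for the example,
# not something the talk prescribes.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}


def open_on(findings: List[Finding], when: date) -> List[Finding]:
    """Findings open on a given date: already seen, and not fixed by then."""
    return [f for f in findings
            if f.first_seen <= when and (f.fixed is None or f.fixed > when)]


def open_count_trend(findings: List[Finding], scan_dates: List[date]):
    """Open-finding count at each scan date. This is the series the program
    has to show falling to claim a 'reduction of vulns over time'."""
    return [(d, len(open_on(findings, d))) for d in scan_dates]


def mttp(findings: List[Finding], severity: Optional[str] = None) -> Optional[float]:
    """Mean Time To Patch in days over fixed findings (optionally one
    severity). None when nothing matching has been fixed yet."""
    fixed = [f for f in findings
             if f.fixed is not None and (severity is None or f.severity == severity)]
    if not fixed:
        return None
    return mean((f.fixed - f.first_seen).days for f in fixed)


def sla_breaches(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings older than the SLA for their severity."""
    return [f for f in open_on(findings, today)
            if (today - f.first_seen).days > SLA_DAYS[f.severity]]


if __name__ == "__main__":
    for d, n in open_count_trend(FINDINGS, SCAN_DATES):
        print(f"{d}: {n} open")
    for sev in ("critical", "high", "medium", "low"):
        print(f"MTTP {sev}: {mttp(FINDINGS, sev)} days")
    for f in sla_breaches(FINDINGS, AS_OF):
        age = (AS_OF - f.first_seen).days
        print(f"SLA breach: {f.host} {f.check} ({f.severity}, {age} days open)")
```

The point of keeping `first_seen` and `fixed` per finding rather than a per-scan total is that the same data answers all three questions on the slide: the trend comes from `open_on`, MTTP from the closed rows, and the SLA breaches from the rows that never closed; a scanner's one-off count cannot give you the last two.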

PENETRATION TESTING

DON’T RUSH IT

PLAN FOR INTERACTION

ALWAYS “Ride Along”

Connect to the REAL impact (shells don’t matter)

GO FULL SCOPE

Don’t use firms that have “SECRET” processes or cannot explain every step of the test and HOW they do it

Attack like AN ATTACKER, not like a script kiddie

Use a repeatable methodology

IF THE TESTING TIME LOOKS LIKE THIS, GET A NEW TESTER

[Timeline figure with phases: Recon, Scan, Enumerate, Exploit, Post-Exploit, Write Report]

PTES METHODOLOGY

1. Pre-Engagement

2. Intelligence Gathering

3. Threat Modelling

4. Vulnerability Analysis

5. Exploitation

6. Post-Exploitation

7. Reporting

www.pentest-standard.org

And the guide at: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

SPECIFIC EXAMPLE (PHISHING)

Common misconceptions

We will get owned, what’s the point

It will offend our users

Doesn’t provide enough value

How it’s usually done

Send a 419 scam style email

Track clicks

Write a report to show who clicked

How it SHOULD be done to generate MAX value

[Diagram: what a phishing exercise should measure across the defense chain]

Intelligence Leakage

Spam/Proxy Filtering

SMTP Configuration

Malicious Content

Program/Incident Response Effectiveness

Ingress/Egress Traffic Filtering

User Awareness Training & Policy

Data Loss Prevention/Protection

Patch Management & Server Hardening
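To turn the diagram above into numbers, a phishing exercise has to record more than who clicked. The following is an added example, not code from the talk or from Lares: it takes one constructed outcome record per recipient and derives a measurement for several links of the chain (gateway filtering, user awareness, reporting, egress filtering and incident response), then names the controls that fell below an assumed threshold. Every name, timestamp and threshold is invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed outcome records from a phishing exercise, one per targeted
# recipient. Names, timestamps and results are invented for the example.
@dataclass
class Outcome:
    user: str
    blocked_by_filter: bool        # spam/proxy filtering stopped the lure
    clicked: Optional[datetime]    # when the user followed the link, if ever
    submitted: bool                # entered credentials or ran the attachment
    reported: Optional[datetime]   # when the user reported the message, if ever
    egress_blocked: bool           # outbound request to the lure host was blocked

SENT_AT = datetime(2015, 5, 10, 9, 0)
SOC_ACKNOWLEDGED = datetime(2015, 5, 10, 9, 41)   # SOC acted on the first report

def _t(hh: int, mm: int) -> datetime:
    return datetime(2015, 5, 10, hh, mm)

OUTCOMES: List[Outcome] = [
    Outcome("alice", True,  None,      False, None,      False),
    Outcome("bob",   True,  None,      False, None,      False),
    Outcome("carol", False, _t(9, 7),  True,  None,      False),
    Outcome("dave",  False, _t(9, 12), False, _t(9, 15), True),
    Outcome("erin",  False, None,      False, _t(9, 5),  False),
    Outcome("frank", False, _t(9, 30), True,  None,      True),
    Outcome("grace", False, None,      False, None,      False),
    Outcome("heidi", False, None,      False, _t(9, 20), False),
    Outcome("ivan",  False, _t(9, 45), False, None,      True),
    Outcome("judy",  False, None,      False, None,      False),
]


def exercise_metrics(outcomes: List[Outcome], sent_at: datetime,
                     soc_acknowledged: Optional[datetime]) -> Dict[str, object]:
    """Per-control measurements from one exercise. Each key maps to a link in
    the defense chain rather than to the single 'who clicked' number."""
    total = len(outcomes)
    delivered = [o for o in outcomes if not o.blocked_by_filter]
    clicked = [o for o in delivered if o.clicked is not None]
    submitted = [o for o in delivered if o.submitted]
    reported = [o for o in delivered if o.reported is not None]
    first_report = min((o.reported for o in reported), default=None)
    minutes = lambda later, earlier: int((later - earlier).total_seconds() // 60)
    return {
        "targets": total,
        "delivered": len(delivered),
        # Spam/proxy filtering and SMTP configuration: share stopped at the gateway
        "filter_block_rate": (total - len(delivered)) / total,
        # User awareness: share of delivered lures that were clicked / acted on
        "click_rate": len(clicked) / len(delivered) if delivered else 0.0,
        "submission_rate": len(submitted) / len(delivered) if delivered else 0.0,
        # Policy and awareness: share of delivered lures that were reported
        "report_rate": len(reported) / len(delivered) if delivered else 0.0,
        # Ingress/egress filtering: clicks whose outbound request was blocked
        "egress_block_rate": (sum(o.egress_blocked for o in clicked) / len(clicked)
                              if clicked else 0.0),
        # Incident response: how fast the first report came in and was acted on
        "minutes_to_first_report": minutes(first_report, sent_at) if first_report else None,
        "minutes_report_to_soc_action": (minutes(soc_acknowledged, first_report)
                                         if first_report and soc_acknowledged else None),
    }


def weakest_links(metrics: Dict[str, object]) -> List[str]:
    """Controls below assumed target thresholds (illustrative, not the talk's)."""
    weak = []
    if metrics["filter_block_rate"] < 0.5:
        weak.append("spam/proxy filtering")
    if metrics["click_rate"] > 0.2:
        weak.append("user awareness training")
    if metrics["report_rate"] < 0.5:
        weak.append("reporting policy")
    if metrics["egress_block_rate"] < 0.75:
        weak.append("egress filtering")
    soc = metrics["minutes_report_to_soc_action"]
    if soc is None or soc > 30:
        weak.append("incident response")
    return weak


if __name__ == "__main__":
    m = exercise_metrics(OUTCOMES, SENT_AT, SOC_ACKNOWLEDGED)
    for k, v in m.items():
        print(f"{k}: {v}")
    print("weakest links:", weakest_links(m))
```

A report built this way tells the business which control failed and by how much, which is what a "who clicked" list cannot do; the `egress_blocked` and `reported` columns in particular are what make the exercise a test of the defense rather than of the users.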

RISK/COMPLIANCE ASSESSMENT

MAKE IT BUSINESS FOCUSED NOT IT FOCUSED

Use multiple standards

Remove silos and scope restrictions

TEST, TEST, TEST (PBC docs ARE NOT SUFFICIENT)

A sample set does not show the ability to secure. A crack in certain parts of the defense chain allows for the compromise of the ENTIRE COMPANY

ALWAYS interview each and every executive to understand THEIR concerns and build the solutions to address THEM and not always “just for the audit”

Discuss the VALUE of systems in relevance to the business and re-weight scores

NEVER allow a compensating control on a BUSINESS critical system. EVER
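The last two points above (re-weight scores by the system's value to the business, and never accept a compensating control on a business critical system) are simple enough to encode. The following is an added example, not code from the talk or from Lares: it re-weights a scanner's technical score by an assumed business criticality tier, shows how the remediation order changes against a plain scanner ranking, and rejects any proposed compensating control on a critical asset. The hosts, finding ids, scores, tiers and weights are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Business criticality tiers and the weight applied to a technical score.
# Tiers and weights are assumed for the example; the talk only says to
# re-weight scores by the system's value to the business.
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}

# Constructed asset inventory: host -> business criticality tier.
ASSETS: Dict[str, str] = {
    "payments-db":  "critical",
    "payments-web": "critical",
    "corp-wiki":    "medium",
    "dev-jenkins":  "low",
}

@dataclass
class Finding:
    id: str
    host: str
    base_score: float      # technical severity on a 0-10 scale, as a scanner reports it
    disposition: str       # proposed handling: "patch", "compensating control" or "accept"

# Constructed findings; the ids are placeholders, not real CVEs.
FINDINGS: List[Finding] = [
    Finding("F1", "dev-jenkins",  9.8, "accept"),
    Finding("F2", "payments-db",  7.5, "compensating control"),
    Finding("F3", "corp-wiki",    6.5, "patch"),
    Finding("F4", "payments-web", 5.3, "patch"),
]


def business_score(f: Finding, assets: Dict[str, str]) -> float:
    """Technical score re-weighted by the asset's value to the business.
    Hosts missing from the inventory default to 'critical' so an incomplete
    inventory never hides a finding."""
    tier = assets.get(f.host, "critical")
    return round(f.base_score * CRITICALITY_WEIGHT[tier], 2)


def technical_order(findings: List[Finding]) -> List[str]:
    """Remediation order a plain scanner report would give."""
    return [f.id for f in sorted(findings, key=lambda f: f.base_score, reverse=True)]


def business_order(findings: List[Finding], assets: Dict[str, str]) -> List[str]:
    """Remediation order after re-weighting for business value."""
    return [f.id for f in sorted(findings, key=lambda f: business_score(f, assets),
                                 reverse=True)]


def rejected_dispositions(findings: List[Finding], assets: Dict[str, str]) -> List[str]:
    """Findings whose proposed handling breaks the rule 'never allow a
    compensating control on a business critical system'."""
    return [f.id for f in findings
            if f.disposition == "compensating control"
            and assets.get(f.host, "critical") == "critical"]


if __name__ == "__main__":
    print("scanner order :", technical_order(FINDINGS))
    print("business order:", business_order(FINDINGS, ASSETS))
    for f in FINDINGS:
        print(f"{f.id} {f.host:<13} base={f.base_score} business={business_score(f, ASSETS)}")
    print("rejected dispositions:", rejected_dispositions(FINDINGS, ASSETS))
```

With these inputs the scanner ranks the 9.8 on the dev box first; after re-weighting, the two payments systems come first and the dev box last, and the compensating control proposed for the payments database is rejected outright. The "unknown host is critical" default is the safe direction for the inventory gaps a scope-restricted assessment leaves behind.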

NEW SKOOL INFOSEC

THIS is what the BIG BOYS do, catch up.

RED TEAMING

RED TEAM TESTINGThe term originated within the military to describe a team whose purpose is to penetrate security of "friendly" installations, and thus test their security measures. The members are professionals who install evidence of their success, e.g. leave cardboard signs saying "bomb" in critical defense installations, hand-lettered notes saying that “your codebooks have been stolen" (they usually have not been) inside safes, etc. Sometimes, after a successful penetration, a high-ranking security person will show up later for a "security review," and "find" the evidence. Afterward, the term became popular in the computer industry, where the security of computer systems is often tested by tiger teams.

How do you know you can put up a fight if you have never taken a punch?

Electronic

• Network Pentesting
• Surveillance / plants

Social

• In Person Social Engineering
• Phone Conversation
• Social Profiling

Physical

• Lockpicking
• Direct Attack

EP Convergence

• Attacks on physical systems that are network enabled

ES Convergence

• Blackmail
• Phishing
• Profiling
• Creating moles

PS Convergence

• Tailgating
• Impersonation

RED TEAM

RED TEAMING

Reasons to Conduct

Real world test to see how you will hold up against a highly skilled, motivated and funded attacker

The only type of testing that will cover a fully converged attack surface

Impact assessment is IMMEDIATE and built to show a maximum damage event

This IS the FULL DR test of an InfoSec Program

ADVERSARIAL MODELING

TESTING TO SEE IF YOUR MOST LIKELY ATTACKERS WILL SUCCEED IN ATTACKING YOU

Reasons to Conduct

Exercises in evaluating WHO your top 5 most likely attackers are

Full OSINT profiling on the Attackers and their capabilities

Scenarios which are highly focused at Detecting, Confirming, Mitigating and Resolving attacks that are the MOST likely to happen

Testers are forced to use the capabilities of the likely attackers and train the team how to be cool under fire

The most relevant attacks are dealt with FIRST; you are not defending against the pentester… you are prepping for the battle that WILL happen

INSIDER THREAT ASSESSMENT

What is it?

Evaluate threat and risk from employee/staff/contractor/executive/etc.

Use company provisioned asset/standard access model (limited privs)

Identify what data/assets can be accessed through authorized channels

Identify elevation of privilege scenarios (exploit AND non-exploit methods)

INSIDER THREAT ASSESSMENT

Why do it?

Provides visibility into “what could happen”

A user WILL be compromised at some point

Evaluate security posture of corporate asset

External testing doesn’t always provide accurate measurement of internal sourced threats

Identify insecure internal communication channels

Evaluate covert channel resistance/prevention

External assessments usually only measure (1) of these (if you’re lucky)

Measure defense capabilities internally (beyond perimeter):

• System to system communication
• Level of “noise” detection
• Data leakage/exfil abilities
• Log/data correlation
• Incident response/forensics team’s level of knowledge/expertise

INTERACTIVE DEFENSE ASSESSMENT

RED VS BLUE

Reasons to Conduct

Targeted at working BOTH sides of the test

Active analysis on defense capability; improvements / feedback can be real time

Direct understanding of where process, policy and procedure break down in a REAL LIFE EVENT

Identification of Defensive Technology effectiveness

BUSINESS CHAIN ANALYSIS

NO MOAR IT!

Reasons to Conduct

Targeted at working on identifying BUSINESS vulns

How much can/do partners hurt you

Where can you better defend against Partners and 3rd parties

Who, what, where, when and why of how the business works and how it can be materially affected by relationships

IF YA NEED ANYTHING OR HAVE QUESTIONS?

Cnickerson@laresconsulting.com

WWW.LARES.COM
