Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cedes.ba The art of security What is not security (what years of pen testing have shown us)

Published byJeremy Day Modified over 8 years ago

Similar presentations

Presentation on theme: "Cedes.ba The art of security What is not security (what years of pen testing have shown us)"— Presentation transcript:

1 cedes.ba The art of security What is not security (what years of pen testing have shown us)

2 Sadržaj Security in the region – what’s right and what’s terribly wrong 100% penetration rate – how we always hit the jackpot in 2 hours or less Viruses and windmills – what they have in common Structured and unstructured threats – why we fear poodles much more than lions Did someone just steal our confidential data? – why we may never know Running a secure installation – it will take management involvement weather you like it or not

3 Preduslovi None! Feel free to ask questions at any point

4 Where this informatino came from Penetration testing –Systematic simulation of an attack by a capable and motivated attacker –Serves to validate and verify security measures –(mostly used to scare management into action) –Exposes real threats, real vulnerabilities and real problems This presentation contains experiences gathered through years of pen testing and security consulting in the region

5 State of security Security is well funded Most large systems have impressive arsenals of: –Firewalls –IDS –IPS –Antivirus –Antitrojan –Monitoring systems Increased security awareness made funding available Projects are approved, budgets allocated

6 Approach to security Commonly handed off to IT IT does what IT knows how to do –Need firewalls –Need IDS –Need IPS –Need antivirus –Need cool gadgets… Bought, deployed, configured == security? No, not really. –100% penetration rate –Usually within hours

7 Why our approach doesn’t work Security product arsenals don’t automagicaly fix everything Vulnerabilities persist –Social Engineering –Custom vulnerabilities in internal software –Password reuse These three are plenty to compromise security

8 Security breach scenario Short, elegant, efficient, and very effective –Social engineering to gain access to internal network –Custom vulnerabilities to obtain access credentials and expand influence within internal network –Password reuse allows hijacking the rest of resources Days of instant remote root access are gone Vulnerability chaining defeats technical security measures

9 Why we stay vulnerable Commercial products are security controls Security controls are meant to mitigate specific risks They are pieces of the puzzle, tools of the trade They are NOT solutions – they are NOT security

10 Moat and castle Security products do nothing at all against –A clueless user –Custom written trojans (or slightly modified public ones) –Vulnerabilities you make yourself (sql injection, XSS, password reuse, code injection, weak authentication) Security either is, or isn’t – never something in between

11 What we protect against Two types of threats out there Unstructured –Attacks of opportunity –Low motivation –Low skill level –Generic attack, generic tools, generic vulnerabilities It’s very easy to defend against this type of attack Security arsenals are very good at protecting against the unmotivated, uninterested attacker with low skill level (a 486 will provide equivalent protection as the most expensive of security appliances)

12 What we don’t protect against Structured attacks –High skill level –High motivation –Specific goals These attacks don’t stop just because all your ports are filtered, or because there’s an up to date antivirus on every machine Path of least resistance never leads through multiple firewalls

13 Non-threats We spend all the resources protecting against non-threats Non threat examples –Viruses – Michelangelo anyone? –VPN – I’m scared someone will take over the internet to spy on me… –IPS – automatic defense, we’d have little to talk about if it worked I’ve never heard –IPS stopped me mid attack –I attacked the link but the data was encrypted –Firewall wouldn’t let me through

14 Why do we believe we’re safe I have no idea –System has never been tested by an expert –No one understands how it works –We don’t know if it works

15 What security IS Satisfactory guarantee of confidentiality, integrity, and availability of key resources Properly implemented security: –Is an investment, not an expense –Can prove it’s ROI –Reduces expenses of unnecessary and ineffective “security” spending –Is measurable

16 How to implement security I know what to protect (RA) I know what to protect it from (RA) I know how to protect it (Identification of controls) I’ve documented how to protect it and implemented controls to do so (Security policy, standards, procedures) I’ve exposed the organization to this information and trained them on the use of controls (user awareness training, specialized security education) I’ve tested the system (pen test + audit) I’ve corrected the system (Audit results) I’ve tested the system (pen test + audit)

17 Hvala! Pitanja? tarik@cedes.ba

18 Cedes.ba usluge Edukacija Penetracioni testovi Forenzička analiza sistema ISMS implementacije Implementacija sigurnosnih kontrola

Download ppt "Cedes.ba The art of security What is not security (what years of pen testing have shown us)"

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Social Engineering And You Steve Otto. Social Engineering n Social Engineering - Getting people to do things they ordinarily wouldn’t do for a stranger.

Social Engineering And You Steve Otto. Social Engineering n Social Engineering - Getting people to do things they ordinarily wouldn’t do for a stranger.
SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.

SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.

Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
IDENTITY THEFT ARE YOU SAFE?. HOW DOES THIS HAPPEN TO ME? Internet “Security “ When using a public computer, never access any vital accounts like banking.

IDENTITY THEFT ARE YOU SAFE?. HOW DOES THIS HAPPEN TO ME? Internet “Security “ When using a public computer, never access any vital accounts like banking.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Protecting Yourself Online. VIRUSES, TROJANS, & WORMS Computer viruses are the common cold of modern technology. One e-mail in every 200 containing.

Protecting Yourself Online. VIRUSES, TROJANS, & WORMS Computer viruses are the "common cold" of modern technology. One in every 200 containing.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Introduction to Network Defense

Introduction to Network Defense
Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Security. If I get 7.5% interest on $5,349.44, how much do I get in a month? (.075/12) =.00625 * 5,349.44 = $33.434 What happens to the.004?.004+.004+.004=.012.004.

Security. If I get 7.5% interest on $5,349.44, how much do I get in a month? (.075/12) = * 5, = $ What happens to the.004? =
That’s Really not the Point… haroon meer | charl van der walt SensePost.

That’s Really not the Point… haroon meer | charl van der walt SensePost.

Similar presentations

Ads by Google