
1 THE TRUTH ABOUT SECURING NETWORKS AND SYSTEMS
Robert Bigman, 2BSecure LLC, 2BSecurellc.VPWeb.com
PRESENTATION TO THE INFORMATION SECURITY ASSOCIATION, 22 OCTOBER 2014

2 AGENDA:
1. Why Computer Systems/Networks Cannot be Secured
2. What do the Hackers Know (That you may not know)
3. The Elderwood Platform
4. A Hacking Story - A Funeral in Connecticut
5. The Cyber Security Industry Response
6. Why Organizations Continue to be Easy Targets
7. Thinking Differently About Securing Your Systems/Networks
8. Example: Internet Isolation with Internet Access

3 Why Computer Systems/Networks Cannot be Secured:
1. The current Microsoft Windows kernel line began with Windows NT, first released in 1993.
2. Unix first edition released in 1971, rewritten in "C" in 1973, and the kernel extensively modified in 1979.
3. Linux began in 1991 as a small number of "C" modules; by the 2009 releases the kernel source tree had grown to roughly 370 MB.
4. C first released in 1973; Java first released in 1996.
5. TCP/IP was first made commercially "usable" in 1982.
6. All memory management and security reference decisions rely on operating system design decisions made 22 to 40 years ago.
7. Internet communication protocol sessions rely on decisions made 21 years ago.

4 Why Computer Systems/Networks Cannot be Secured (Continued):
1. BIOS and master boot records cannot prevent their own manipulation.
2. Operating systems lack a "trustable" execution space.
3. Operating system kernels were never designed to authenticate service requests.
4. Operating systems were never designed to validate code integrity.
5. Operating systems were never designed to validate memory.
6. Operating systems were never designed to securely handle exceptions/interrupts.
7. TCP/IP networks were never designed to validate all messages/message payloads within a session.

5 What do the Hackers Know (That you may not know):
1. The hackers have all the source code, or have reverse engineered the compiled code.
2. Some (preferred) hacking organizations have the support of nation-state intelligence services.
3. The hackers have broken or subverted almost all trust association protocols/systems (e.g., PKI, Kerberos, EAP-AKA).
4. The hackers have broken (see above) many vendor firmware update protocols.
5. Embedding/obfuscating malware in web services outpaces almost every security measure.
6. Supply chain attacks are actually underway.
7. Hackers have spoofed the cloud.
8. Hackers are contributing cyber intelligence (for all the wrong reasons).

6 PAUNCH: Author of the BlackHole Exploit Kit

7 Roman Seleznov, "Track 2": Author of POS/Carder Hacks

8 The Elderwood Platform:
1. First truly commoditized effort to deliver zero-days as packaged exploit kits. Believed to be run by Chinese (private cyber) organizations.
2. The exploit kits mostly use spear-phishing/watering-hole attacks with malware-injected IFRAMEs. The returned web pages point back to the exploit kit console.
3. Since 2009 the total number of zero-days is believed to be 8-10; some U.S. Government analysts believe this number to be very low.
4. A common vector is a Shockwave Flash file (SWF) that sets up the memory conditions the exploit needs (i.e., a heap spray).
5. Targets included defense contractors, NGOs, and financials.
6. Competitors have jumped on board and the industry is now thriving.

9 The Elderwood Platform: (diagram; not included in the transcript)

10 A Hacking Story - A Funeral in Connecticut:
1. The hacker collects intelligence on high-value targets (e.g., uses a cyber targeting service).
2. Identifies a Connecticut banker who was provisioned a corporate PC with VPN software and split-tunnel access to the Internet (his Internet traffic leaves the PC directly rather than through the corporate gateway and its controls).
3. Monitors the banker's email activity for a possible "phishing" opportunity.
4. The banker's best friend passes away and the next day he receives an email with an MS Word (RTF format) attachment detailing the funeral arrangements.
5. The banker opens the "weaponized" MS Word attachment, which installs malware that monitors his computer use. One day later the hackers replace the corporate VPN software with their own version via an exploit kit.
6. The hackers collect the banker's logon credentials (including a copy of the device certificate) and replay them (including the MAC address) to access the bank and redirect funds transfers.
7. The next day the banker receives the genuine funeral invitation and becomes suspicious.
8. MS issues critical advisory 2953095 (a remote code execution vulnerability in Word's RTF parsing).
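The lure in step 4 is a Word document in RTF format. As an added example, not code from the presentation, the Python below scans an RTF attachment for embedded OLE objects, which is how such a document normally carries a dropped payload: it decodes each `\objdata` hex blob, parses the OLE1 object header for the class name, and flags auto-updating objects, "Package" objects (which wrap an arbitrary file) and OLE2 compound-file payloads. The sample documents are constructed inline and the finding field names are this example's own.

```python
"""Constructed example (not from the presentation): scan an RTF file for embedded
OLE objects.  The sample documents below are built inline."""
import binascii
import re
import struct
from typing import Optional

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # compound-file signature
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")  # hex blob up to the closing brace


def _decode_hex(blob: bytes) -> bytes:
    h = re.sub(rb"\s", b"", blob)
    if len(h) % 2:            # tolerate a truncated trailing nibble
        h = h[:-1]
    return binascii.unhexlify(h)


def parse_ole1_header(data: bytes) -> Optional[dict]:
    """Parse the OLE1 ObjectHeader that precedes the native data in \\objdata."""
    if len(data) < 12:
        return None
    version, fmt, cls_len = struct.unpack_from("<III", data, 0)
    if version != 0x501 or len(data) < 12 + cls_len + 12:
        return None
    cls = data[12:12 + cls_len].rstrip(b"\0").decode("ascii", "replace")
    pos = 12 + cls_len
    topic_len, item_len = struct.unpack_from("<II", data, pos)   # TopicName / ItemName
    pos += 8 + topic_len + item_len
    if len(data) < pos + 4:
        return None
    (size,) = struct.unpack_from("<I", data, pos)
    pos += 4
    return {"format": fmt, "class_name": cls, "native_size": size,
            "native": data[pos:pos + size]}


def scan_rtf(rtf: bytes) -> list:
    """One finding per embedded object found in the RTF byte string."""
    auto_update = b"\\objupdate" in rtf     # object refreshes itself when the file is opened
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        raw = _decode_hex(m.group(1))
        hdr = parse_ole1_header(raw)
        findings.append({
            "offset": m.start(),
            "decoded_size": len(raw),
            "class_name": hdr["class_name"] if hdr else None,
            "ole2_payload": OLE2_MAGIC in raw,
            "auto_update": auto_update,
        })
    return findings


def is_suspicious(rtf: bytes) -> bool:
    # A "Package" object carries an arbitrary file; an OLE2 payload or an
    # auto-updating object has no business in a funeral notice.
    return any(f["auto_update"] or f["ole2_payload"] or f["class_name"] == "Package"
               for f in scan_rtf(rtf))


def _build_sample() -> bytes:
    """Constructed 'weaponized' RTF: a Package object whose native data is OLE2."""
    cls = b"Package\0"
    native = OLE2_MAGIC + b"\0" * 24                       # stand-in for the real payload
    ole1 = (struct.pack("<III", 0x501, 2, len(cls)) + cls
            + struct.pack("<II", 0, 0)
            + struct.pack("<I", len(native)) + native)
    return (b"{\\rtf1\\ansi{\\fonttbl{\\f0 Arial;}}\\f0 Funeral arrangements for Friday.\\par "
            b"{\\object\\objemb\\objupdate{\\*\\objclass Package}{\\*\\objdata "
            + binascii.hexlify(ole1) + b"}}}")


CLEAN_RTF = b"{\\rtf1\\ansi\\f0 Agenda for Monday.\\par}"   # constructed benign document
SAMPLE_RTF = _build_sample()

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_RTF), ("weaponized", SAMPLE_RTF)):
        print(name, is_suspicious(doc), scan_rtf(doc))
```

The advisory the slide cites concerns a flaw in Word's RTF parser, so a content scan like this catches the embedded-object delivery pattern but not a malformed-file parser bug; it complements patching and mail-gateway detonation rather than replacing them.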

11 The Cyber Security Industry Response:
1. Solving the symptoms but not the problem.
2. Securing the OS with application software.
3. With a few exceptions, industry has made little progress in detecting zero-days (before they execute) and less progress in preventing their damage.
4. The best answer to date is for you to buy cyber intelligence services and minimize the damage.
5. Cyber security software often has the same vulnerabilities as the system software it is protecting.
6. Reality reflects the current state of cyber defense.

12 Why Organizations Continue To Be Easy Targets:
1. Organizations have become overly comfortable with the current "employee-friendly" IT services model.
2. Most organizations decentralize all or some parts of their IT services to various business elements without central network management.
3. The "can't happen here" philosophy.
4. The "vendor promised me" philosophy.
5. The "risk management" philosophy.
6. The "Internet of Things" philosophy.
7. The "let's outsource IT" philosophy.
8. The "compliance high-bar" philosophy.

13 Thinking Differently About Securing Your Systems/Networks:
1. The right architecture can be a better investment than the next "can't be beat" product:
   - Isolate Internet access (see next slide).
   - Limit external access to the DMZ.
   - Isolate sensitive data on subnets with sandboxed RDP client access.
   - Limit removable media access.
2. The right IT governance processes can limit cyber security exposures:
   - Ruthless IT configuration management (especially at the endpoints).
   - Elevate the CISO to a level parallel with the CIO.
   - Security situational awareness.
   - Security participation/approval in all IT acquisitions.
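"Security situational awareness" is what would have caught step 6 of the funeral story: the attacker replays the banker's credentials, device certificate and MAC address, so every static identifier checks out, but the concentrator still sees the same device identity arriving from two different source addresses minutes apart. As an added example, not from the presentation, the Python below runs that correlation over a constructed VPN concentrator log; the CSV fields, fingerprints, addresses and the 30-minute window are this example's own assumptions.

```python
"""Constructed example (not from the presentation): flag a VPN device identity that
logs on from two different source IPs within a short window, the concentrator-side
footprint of a replayed credential + device certificate + MAC address."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN concentrator log.  The fingerprint and MAC are the static
# identifiers the attacker copied from the banker's PC, so they match exactly.
VPN_LOG = """timestamp,user,cert_fingerprint,mac,src_ip,event
2014-03-24T08:02:11Z,jdoe,3f9c7a1e,00:1c:42:9f:11:02,203.0.113.7,logon
2014-03-24T08:05:40Z,jdoe,3f9c7a1e,00:1c:42:9f:11:02,198.51.100.23,logon
2014-03-24T08:20:09Z,asmith,b01d4e77,00:1c:42:9f:2a:6b,203.0.113.41,logon
2014-03-24T08:31:55Z,asmith,b01d4e77,00:1c:42:9f:2a:6b,203.0.113.41,logon
2014-03-24T13:10:00Z,jdoe,3f9c7a1e,00:1c:42:9f:11:02,203.0.113.7,logon
"""


def parse_log(text: str) -> list:
    """CSV text -> list of event dicts with a datetime timestamp, sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def find_replayed_identities(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """One alert per (earlier, later) logon pair that shares a device certificate
    fingerprint but arrives from different source IPs within `window`."""
    alerts = []
    recent = defaultdict(list)              # fingerprint -> logons inside the window
    for ev in events:
        if ev["event"] != "logon":
            continue
        key = ev["cert_fingerprint"]
        cutoff = ev["timestamp"] - window
        recent[key] = [r for r in recent[key] if r["timestamp"] >= cutoff]   # prune old
        for prior in recent[key]:
            if prior["src_ip"] != ev["src_ip"]:
                alerts.append({
                    "user": ev["user"],
                    "cert_fingerprint": key,
                    "mac": ev["mac"],
                    "first_ip": prior["src_ip"],
                    "second_ip": ev["src_ip"],
                    "seconds_apart": int((ev["timestamp"] - prior["timestamp"]).total_seconds()),
                })
        recent[key].append(ev)
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_identities(parse_log(VPN_LOG)):
        print(alert)
```

A user who reconnects from a new network inside the window (office to coffee shop) trips the same rule, so treat an alert as a lead to correlate with endpoint telemetry rather than a verdict; the point is that source address and timing are the two things the attacker could not copy off the PC, whereas the MAC and certificate checks the replay defeats are exactly the ones the story shows are worthless once the endpoint is owned.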

14 Example: Internet Isolation with Internet Access (diagram; not included in the transcript)

15 QUESTIONS

