cedes.ba The art of security What is not security (what years of pen testing have shown us)

Sadržaj Security in the region – what’s right and what’s terribly wrong 100% penetration rate – how we always hit the jackpot in 2 hours or less Viruses and windmills – what they have in common Structured and unstructured threats – why we fear poodles much more than lions Did someone just steal our confidential data? – why we may never know Running a secure installation – it will take management involvement weather you like it or not

Preduslovi None! Feel free to ask questions at any point

Where this informatino came from Penetration testing –Systematic simulation of an attack by a capable and motivated attacker –Serves to validate and verify security measures –(mostly used to scare management into action) –Exposes real threats, real vulnerabilities and real problems This presentation contains experiences gathered through years of pen testing and security consulting in the region

State of security Security is well funded Most large systems have impressive arsenals of: –Firewalls –IDS –IPS –Antivirus –Antitrojan –Monitoring systems Increased security awareness made funding available Projects are approved, budgets allocated

Approach to security Commonly handed off to IT IT does what IT knows how to do –Need firewalls –Need IDS –Need IPS –Need antivirus –Need cool gadgets… Bought, deployed, configured == security? No, not really. –100% penetration rate –Usually within hours

Why our approach doesn’t work Security product arsenals don’t automagicaly fix everything Vulnerabilities persist –Social Engineering –Custom vulnerabilities in internal software –Password reuse These three are plenty to compromise security

Security breach scenario Short, elegant, efficient, and very effective –Social engineering to gain access to internal network –Custom vulnerabilities to obtain access credentials and expand influence within internal network –Password reuse allows hijacking the rest of resources Days of instant remote root access are gone Vulnerability chaining defeats technical security measures

Why we stay vulnerable Commercial products are security controls Security controls are meant to mitigate specific risks They are pieces of the puzzle, tools of the trade They are NOT solutions – they are NOT security

Moat and castle Security products do nothing at all against –A clueless user –Custom written trojans (or slightly modified public ones) –Vulnerabilities you make yourself (sql injection, XSS, password reuse, code injection, weak authentication) Security either is, or isn’t – never something in between

What we protect against Two types of threats out there Unstructured –Attacks of opportunity –Low motivation –Low skill level –Generic attack, generic tools, generic vulnerabilities It’s very easy to defend against this type of attack Security arsenals are very good at protecting against the unmotivated, uninterested attacker with low skill level (a 486 will provide equivalent protection as the most expensive of security appliances)

What we don’t protect against Structured attacks –High skill level –High motivation –Specific goals These attacks don’t stop just because all your ports are filtered, or because there’s an up to date antivirus on every machine Path of least resistance never leads through multiple firewalls

Non-threats We spend all the resources protecting against non-threats Non threat examples –Viruses – Michelangelo anyone? –VPN – I’m scared someone will take over the internet to spy on me… –IPS – automatic defense, we’d have little to talk about if it worked I’ve never heard –IPS stopped me mid attack –I attacked the link but the data was encrypted –Firewall wouldn’t let me through

Why do we believe we’re safe I have no idea –System has never been tested by an expert –No one understands how it works –We don’t know if it works

What security IS Satisfactory guarantee of confidentiality, integrity, and availability of key resources Properly implemented security: –Is an investment, not an expense –Can prove it’s ROI –Reduces expenses of unnecessary and ineffective “security” spending –Is measurable

How to implement security I know what to protect (RA) I know what to protect it from (RA) I know how to protect it (Identification of controls) I’ve documented how to protect it and implemented controls to do so (Security policy, standards, procedures) I’ve exposed the organization to this information and trained them on the use of controls (user awareness training, specialized security education) I’ve tested the system (pen test + audit) I’ve corrected the system (Audit results) I’ve tested the system (pen test + audit)

Hvala! Pitanja?

Cedes.ba usluge Edukacija Penetracioni testovi Forenzička analiza sistema ISMS implementacije Implementacija sigurnosnih kontrola