Presentation is loading. Please wait.

Presentation is loading. Please wait.

That’s Really not the Point… haroon meer | charl van der walt SensePost.

Published byMavis Bradley Modified over 8 years ago

Similar presentations

Presentation on theme: "That’s Really not the Point… haroon meer | charl van der walt SensePost."— Presentation transcript:

1 That’s Really not the Point… haroon meer | charl van der walt SensePost

2 2 Who we are SensePost {charl|haroon} @ sensepost.com What we do… Time…

3 3 The industry is flooded with snake-oil How many blondes does it take to change a lightbulb? The Question of Incentives Who is this bad for? A market for lemons An informed customer is better for everyone Only one really – the rest is all just marketing…

4 4 Agenda Introduction A very funny joke This really isn’t the point –My scanner can beat up your scanner! –We have firewalls! –We have SSL / Encryption! –We have IPS / IDS ! –Im safe, I use Vista / OSX / Plan9! –0i-Wey its 0-Day. First time vulnerability release Conclusion. Questions ?

5 5 My scanner can beat up your scanner! Detect security vulnerabilities on your network !!!!!! makes use of of state of the art vulnerability check databases based on OVAL and SANS Top 20, providing over 15,000 vulnerability assessments when your network is scanned. !!!!!! gives you the information and tools you need to perform multi-platform scans across all … Detect security vulnerabilities on your network !!!!!! makes use of of state of the art vulnerability check databases based on OVAL and SANS Top 20, providing over 15,000 vulnerability assessments when your network is scanned. !!!!!! gives you the information and tools you need to perform multi-platform scans across all …

6 6 But that’s really not the point

7 7 My firewall is bigger than yours!

8 8 Watch how that’s done

9 9 Your firewall choice IS still important: –Management –Support –Performance –Etc Understand that the perimeter is actually already dead Remember defense in depth Remember the problem you’re actually solving –Alligators in the swamp So what is the point?

10 10 Luckily we have SSL… WITH WITHOUT

11 11 Luckily we have SSL… Another comment that just wont die.. Robert Morris (Snr.) on Encryption: –“If you think encryption will solve your problem, you probably don’t understand encryption or you don’t understand your problem”. The only difference between us attacking your HTTP server and your HTTPS server is that the 2nd option gives us privacy. We were going to do a demo for this, but decided not to insult you..

12 12 We are not saying: That you should stop buying certificates.. That SSL is pointless That you should run all your sensitive apps over HTTP We are saying: Make sure you know what it buys you Make sure you understand where it poses a threat Quoting Dr. Mudge: –“A security device isn't necessarily a secure device”. So what is the point?

13 13 IDS / IPS / *buzzword* will save us A very “human” problem By its nature reactive Our track record with IDS…

14 14 That’s really not the point

15 15 We are not saying: Its always useless –“always” is “always” incorrect We are saying: Is an IPS any better ? –A little. Is it a panacea? –Anyone? Anyone? A good solution (to 1994’s problems?) Does dismally against custom web applications In the end, its a case of man vs. machine.. –(hint: (till 2045) bet on the man) Know what it buys you.. Know its limitations.. So what is the point?

16 16 Vista / OSX / Plan9 will keep me safe Defenses are constantly evolving –Sadly so are the attackers.. “Nothing” is 100% secure.. –Should that be “SAID A LITTLE LOUDER” Vista / OSX –The non-admin / non-root user fallacy –Why its really not the point.. Ultimately.. –An improvement - sure! –A panacea  anyone? anyone?

17 17 THAT’s REALLY NOT THE POINT!!!

18 18 Defenses are constantly evolving –Sadly so are the attackers.. “Nothing” is 100% secure.. –Should that be “SAID A LITTLE LOUDER” Vista / OSX –The non-admin / non-root user fallacy Ultimately.. –An improvement - sure! –A panacea  anyone? anyone? So what is the point?

19 19 0i-Wey its an 0-Day! What is a 0-day? A threat that exposes undisclosed or unpatched computer application vulnerabilities All the cool kids are into it! Is it the end of the world as we know it?

20 20 Watch this 0- day attack in action!

21 21 1.LM-Hashes 2.“Weak passwords always trump strong security” 3.Shared passwords But do you want to know what really happened?

22 22 There will always be another 0-day You can’t stop the 0-day problem Understand where on the vulnerability life cycle you’ll burn 0-day is probably not how you will be owned Security is equal parts people, technology and process Make sure you have the basics covered Remember defense in depth So what is the point?

23 23 Pay attention to who is paying for the “independent research”.. Investigate the credentials of your experts.. Make sure that you are spending money solving problems you actually have.. Acknowledge that its not just the “sexy” problems that need fixing! The next time your vendor says “It does ”, ask yourself, if that is actually the point.. In conclusion…

24 Thank You Questions?

Download ppt "That’s Really not the Point… haroon meer | charl van der walt SensePost."

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Welcome Back to School!!! Mr. Sortina.

Welcome Back to School!!! Mr. Sortina.
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
INTERNET SAFETY FOR EVERYONE A QUICK AND EASY CRASH COURSE.

INTERNET SAFETY FOR EVERYONE A QUICK AND EASY CRASH COURSE.
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
What you don’t know CAN hurt you!

What you don’t know CAN hurt you!
Security for Internet Every Day Use Standard Security Practices and New Threats.

Security for Internet Every Day Use Standard Security Practices and New Threats.
Managing A Secure Infrastructure – Tales From the Trenches November 6, 2003.

Managing A Secure Infrastructure – Tales From the Trenches November 6, 2003.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.

Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.
INTERNET SAFETY FOR EVERYONE

INTERNET SAFETY FOR EVERYONE
“Airlines and Technology” By: The Webmasters. WEB MASTERS Section 1 Stephen Cooper –Team Captain Rosmini Winfrey –DQ Leader Jason Wallace –Team Member.

“Airlines and Technology” By: The Webmasters. WEB MASTERS Section 1 Stephen Cooper –Team Captain Rosmini Winfrey –DQ Leader Jason Wallace –Team Member.
E-Safety Quiz Keeping safe online! A guide for parents & children.

E-Safety Quiz Keeping safe online! A guide for parents & children.
SiteLock Internet Security: Big Threats for Small Business.

SiteLock Internet Security: Big Threats for Small Business.
Securing your IP based Phone System By Kevin Moroz VP Technology Snom Inc.

Securing your IP based Phone System By Kevin Moroz VP Technology Snom Inc.
In 1998 I was looking for a way to make money, so that I could start a business. I backed into Network Marketing. Like most of you, I had no idea what.

In 1998 I was looking for a way to make money, so that I could start a business. I backed into Network Marketing. Like most of you, I had no idea what.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
The Study of Security and Privacy in Mobile Applications Name: Liang Wei

The Study of Security and Privacy in Mobile Applications Name: Liang Wei
Cedes.ba The art of security What is not security (what years of pen testing have shown us)

Cedes.ba The art of security What is not security (what years of pen testing have shown us)
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Similar presentations

Ads by Google