Identifying Attack Surface in Budget Constrained Agencies

Transcript of "Identifying Attack Surface in Budget Constrained Agencies" (38 slides)

Page 1:

© 2018 Denim Group – All Rights Reserved

Building a world where technology is trusted.

Identifying Attack Surface in Budget Constrained Agencies

John B. Dickson, CISSP #4649, @johnbdickson

Page 2:

My Background

• Ex-Air Force Intel & Cyber Officer
• 20+ Year Security Professional
• Denim Group Principal
• ISSA Distinguished Fellow & Past Chapter President
• Security Conference Speaker
• Blogger, Dark Reading Columnist
• Strategic Advisor to CSOs and CISOs

Page 3:

Denim Group | Company Background

• Trusted advisor on all matters of software risk
• External application & network assessments
  • Web, mobile, and cloud
• Software development lifecycle (SDLC) consulting
• Network and infrastructure where applications reside
• Managed security services
• Developed

Page 4:

Increasing External Pressures & Threats

There are two types of organizations in the world…

1. Targeted
2. Targets of Opportunity

1. 2/3 of all attacks go undetected
2. Leading cause: inadvertent activity

If you are not #1, your challenge is to not become #2

Page 5:

Increasing External Pressures & Threats

Increasingly More Defined Threat Actors

• Nation states
• Organized criminal syndicates
• Hacktivists

Page 6:

Increasing External Pressures & Threats: Commercialization and Specialization of the Threat

• Sophisticated marketplace of underground suppliers
• Increased specialization of threat actors
  • Malware developers
  • Call centers
  • Card scammers
• “Verticalization” of the Threat
• Ability to adapt and capitalize on current events more quickly

Page 7:

Increasing External Pressures & Threats: Sophisticated Malware and Ransomware

• Sophisticated marketplace drives more responsive attacks able to adapt and scale
• Ability to highly automate attacks expands attack footprint
• Sophisticated attacks no longer the worry of only the largest organizations
• Focus back on availability for the SMB, which has always been a challenge

Page 8:

Breach Fixation

Page 9:

Security Budgets: The Starting Point

• Some have lost the game before getting on the field
• Competing against:
  • Agency head pet projects
  • Legacy support requirements
  • Current events
• Information security as the “silent service” – Rich Baich, Wells Fargo CISO
• Source: “Winning as a CISO,” Rich Baich

Page 10:

Getting Your Security Budget Approved Without FUD

• Exploit Pet Projects
• Account for Culture
• Tailor to Your Specific Vertical
• Consciously Cultivate Credibility and Relationships
• Capitalize on Timely Events
• Capture Successes & Over-Communicate

Source: RSA 2014, “Getting Your Security Budget Approved Without FUD”

Page 11:

Attack Surface: The Security Officer’s Journey

• Two Dimensions:
  • Perception of Software Attack Surface
  • Insight into Exposed Assets

[Diagram: two axes labelled Perception and Insight]

Page 12:

Attack Surface: The Security Officer’s Journey

• As perception of the problem of attack surface widens, the scope of the problem increases

[Diagram: Perception vs. Insight axes; layer shown: Web Applications]

Page 13:

Attack Surface: The Security Officer’s Journey

• As perception of the problem of attack surface widens, the scope of the problem increases

[Diagram: Perception vs. Insight axes; layers shown: Web Applications, Client-Server Applications]

Page 14:

Attack Surface: The Security Officer’s Journey

• As perception of the problem of attack surface widens, the scope of the problem increases

[Diagram: Perception vs. Insight axes; layers shown: Web Applications, Client-Server Applications, Desktop Applications]

Page 15:

Attack Surface: The Security Officer’s Journey

• As perception of the problem of attack surface widens, the scope of the problem increases

[Diagram: Perception vs. Insight axes; layers shown: Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services]

Page 16:

Attack Surface: The Security Officer’s Journey

• As perception of the problem of attack surface widens, the scope of the problem increases

[Diagram: Perception vs. Insight axes; layers shown: Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications]

Page 17:

Attack Surface: The Security Officer’s Journey

• Discovery activities increase insight

[Diagram: Perception vs. Insight axes; layer shown: Web Applications]

Page 18:

Attack Surface: The Security Officer’s Journey

• Discovery activities increase insight

[Diagram: Perception vs. Insight axes; layer shown: Web Applications]

Page 19:

Attack Surface: The Security Officer’s Journey

• Discovery activities increase insight

[Diagram: Perception vs. Insight axes; layer shown: Web Applications]

Page 20:

Attack Surface: The Security Officer’s Journey

• Over time you end up with a progression

[Diagram: Perception vs. Insight axes; layer shown: Web Applications]

Page 21:

Attack Surface: The Security Officer’s Journey

• Over time you end up with a progression

[Diagram: Perception vs. Insight axes; layers shown: Web Applications, Client-Server Applications]

Page 22:

Attack Surface: The Security Officer’s Journey

• Over time you end up with a progression

[Diagram: Perception vs. Insight axes; layers shown: Web Applications, Client-Server Applications, Desktop Applications]

Page 23:

Attack Surface: The Security Officer’s Journey

• Over time you end up with a progression

[Diagram: Perception vs. Insight axes; layers shown: Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services]

Page 24:

Attack Surface: The Security Officer’s Journey

• Over time you end up with a progression

[Diagram: Perception vs. Insight axes; layers shown: Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications]

Page 25:

Attack Surface: The Security Officer’s Journey

• When you reach this point it is called “enlightenment”
• You won’t reach this point

[Diagram: Perception vs. Insight axes; layers shown: Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications]

Page 26:

Suggested Strategy #1

• Understand your Attack Surface - General
  • …and where your agency’s most sensitive client data lives
  • Tailor rigorous testing to agreed-upon threat
  • Don’t forget mobile/cloud/social media
  • Regularly conduct penetration tests mimicking your most likely threat

Page 27:

Suggested Strategy #1 (Continued)

• Understand your Attack Surface - External
  • Conduct monthly (or quarterly) network and application vulnerability tests to eliminate the most obvious vulnerabilities
  • Consider quarterly phishing campaigns using context from firm clients
  • Review DNS registry & shared secret
  • Conduct social engineering exercise with firm leadership buy-in
  • Identify 3rd-party network connections or federated trust relationships

Page 28:

Suggested Strategy #1 (Continued)

• Understand your Attack Surface - Internal
  • Conduct monthly automated scans to validate patching program
  • Conduct annual security testing of key suppliers
  • Understand admin technical segregation of duties
    • Move roles around if possible and without notice
  • Maintain an inventory of USBs in desktops and laptops
  • Review policies on 3rd-party storage systems (e.g., Dropbox)
  • Capture what existing sys log review processes exist
    • Examples: alerting on auth events

Page 29:

Suggested Strategy #2

• Protect Information at Rest and in Transit
  • Tailor DLP to agency’s needs
    • Implement at desktop, gateway, or federated entry points
  • Disable USBs through technology acquisition or Active Directory (AD) Group Policy Objects (GPO)
    • Example: IEEE 802.1X-authenticated wired connections through Group Policy
  • Implement trusted sys logging for admins
  • Test portal authorization implementation with manual testing
  • Secure 3rd-party FTP or mail service for most sensitive documents (obviously)

Page 30:

Suggested Strategy #2 (Continued)

• Protect Information at Rest and in Transit
  • Roll out mobile device management for all mobile devices implementing:
    • Remote wipe, OTA updates, containers, etc.
  • Deploy full disk encryption on ALL laptops
  • Roll out next-generation anti-virus and malware detection
  • Enable alerting for key events

Page 31:

Suggested Strategy #2 (Even more!)

• Protect Information at Rest and in Transit
  • Consider 2-factor authentication or tokens for:
    • Administrative accounts
    • Particularly sensitive client documents
  • And don’t forget! Implement encrypted email at all times!

Page 32:

Suggested Strategy #3

• Reduce your External Attack Surface
  • Implement organization-wide patching
  • Understand 3rd-party risks of CMS or portal software
  • Catalog trusted entry points from 3rd parties
  • Ensure your web-facing sites are devoid of SQL injection/XSS vulnerabilities
  • Start to build a “defense in depth” approach to your organization

Page 33:

Suggested Strategy #3

• Reduce your External Attack Surface
  • Implement organization-wide patching
    • Not just for Microsoft products (Reference: Verizon Data Breach Report)
  • Understand 3rd-party risks of CMS or portal software
    • Implement hardening configs for SharePoint, Drupal, WordPress, others
    • Monitor security lists and quickly apply patches

Page 34:

Suggested Strategy #3 (Continued)

• Reduce your External Attack Surface
  • Monitor & reduce (possible) trusted entry points from 3rd parties
  • Ensure your web-facing sites are devoid of SQL injection/XSS vulnerabilities
  • Again, watch 3rd-party vulnerability notifications

Page 35:

Suggested Strategy #4

• Be Able to Identify an Attack
  • Deeply understand your “base” network and application operations tempo
    • Do you regularly monitor network stats?
  • Build the competency to regularly review key events via logging
  • IPS/IDS + SEM if you’re big enough to warrant the capability
  • Exfiltration logging for after the fact
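The "alerting on auth events" log review that Strategy #1 (Internal) and Strategy #4 call for, as an added example that is not from the original deck: it parses constructed sshd-style auth lines (sample data, not real logs) and raises two key-event alerts, a failed-login burst from one source and a successful login from a source that had just been failing. The thresholds and the 5-minute window are assumed values a small agency would tune to its own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth lines for illustration (not real logs).
SAMPLE_LOG = """\
Mar 10 08:01:10 gw1 sshd[4102]: Accepted publickey for alice from 10.0.5.20 port 51022 ssh2
Mar 10 08:02:41 gw1 sshd[4110]: Failed password for root from 203.0.113.9 port 40110 ssh2
Mar 10 08:02:46 gw1 sshd[4111]: Failed password for admin from 203.0.113.9 port 40112 ssh2
Mar 10 08:02:50 gw1 sshd[4112]: Failed password for invalid user oracle from 203.0.113.9 port 40113 ssh2
Mar 10 08:03:02 gw1 sshd[4115]: Accepted password for admin from 203.0.113.9 port 40120 ssh2
Mar 10 09:15:00 gw1 sshd[4200]: Failed password for bob from 10.0.5.31 port 50100 ssh2
Mar 10 09:15:30 gw1 sshd[4201]: Accepted password for bob from 10.0.5.31 port 50101 ssh2
"""

# Matches the Accepted/Failed lines sshd writes; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse_auth_events(text, year=2018):
    """Return (timestamp, result, user, source_ip) tuples; syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def auth_alerts(events, burst=3, success_after=2, window=timedelta(minutes=5)):
    """Key auth events worth alerting on (thresholds are assumed values):
    FAILURE_BURST: at least `burst` failures from one source inside `window`;
    SUCCESS_AFTER_FAILURES: a login succeeds from a source with at least
    `success_after` recent failures (one typo'd password stays below the bar)."""
    alerts = []
    recent_failures = defaultdict(list)  # source ip -> failure timestamps still in window
    reported = set()                     # sources whose burst was already raised
    for ts, result, user, src in sorted(events):
        recent = [t for t in recent_failures[src] if ts - t <= window]
        recent_failures[src] = recent
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= burst and src not in reported:
                reported.add(src)
                alerts.append(("FAILURE_BURST", src, user, ts))
        elif len(recent) >= success_after:
            alerts.append(("SUCCESS_AFTER_FAILURES", src, user, ts))
    return alerts
```

Running `auth_alerts(parse_auth_events(SAMPLE_LOG))` on the sample yields the burst from 203.0.113.9 followed by the suspicious `admin` success, while bob's single mistyped password produces nothing.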

Page 36:

Suggested Strategy #5

• Don’t go it alone!
  • Gain and maintain a trusted relationship with an organization that understands firm risk and can conduct knowledge transfer
    • Particularly given the broad technology stack
  • Consider a Managed Security Services Provider (MSSP) for 24/7 coverage
  • Have a relationship with an IR and crisis communication firm.

Page 37:

Why Is this Important to You?

• Budget will remain constrained
• Threats adapting and metastasizing faster than defenders can respond
• Attack surface is constantly in flux

Page 38:

John B. Dickson, CISSP, @johnbdickson

www.denimgroup.com

Questions and Answers