Increasing Value Of Security Assessment Services
Uploaded by chris-nickerson
Transcript of Increasing Value Of Security Assessment Services
INCREASING VALUE: Of security testing and assessment
HI. =)
THANKS
ANYWAY...
I’M CHRIS
MY CREDENTIALS?
-ME
Pain in the arse
Loudmouth
Hacker
Punk
Tells lies (professionally)
Is called all sorts of bad words... that I will likely say throughout this talk
Can't code well
Talks $hit
Drinks a LOT
Is an overall J3rk
LARES
CUSTOM SERVICES
OSINT
SIGINT
TSCM/ Bug Sweeping
Exploit Development
Tool Creation
Attack Planning
Offensive Consultation
Adversarial Intelligence
Competitive Intelligence
Attack Modeling
Business Chain Vuln Assessments
Custom Physical Bypass Tool Design
Reverse Engineering
Other stuff I can’t write down…
Traditional InfoSec
• Typical services
• Proposed value (Sales BS)
• Set up for failure
• WYSIWYG
Enhancing Services Value
• Doing services right
• Mo’ value, less money
• Eliminating failure
• Custom Delivery
New Skool InfoSec
• Red Teaming (CAST: Converged Attack Surface Testing)
• Insider Threat Assessment
• Adversarial Modeling
• IDCa (Interactive Defense Capability Assessment)
• BCVa (Business Chain Vulnerability Analysis)
TRADITIONAL INFOSEC: Doing the same thing and expecting different results.
VULNERABILITY ASSESSMENT
WHAT IS A VULNERABILITY ASSESSMENT? A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. http://en.wikipedia.org/wiki/Vulnerability_assessment
VULNERABILITY ASSESSMENT: Reasons to Conduct
Identify potential vulnerabilities
Provide scoring of risk & prioritization of remediation
Manage environment vulnerabilities over time to show security program improvement, defense capability increase and compliance with ongoing patch, system and vulnerability lifecycle
How it’s usually done
Run a bunch of scanners
Generate a report
**Sometimes** Generate a custom report consisting of copy/paste data from the vulnerability scanners and TRY to make sure you delete the word Nessus, Qualys… and/or the previous client’s name
SETTING A VULNERABILITY ASSESSMENT UP TO FAIL
Do not run “Dangerous or Experimental Checks” *instant 30%+ reduction in results and overall accuracy*
Do not perform Denial of Service
Do not run thorough checks
Do not run Web checks
Only run ONE brand of scanner
Limit only to known network checks
Only scan once
PENETRATION TESTING
WHAT IS A PENETRATION TEST? A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source... The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. http://en.wikipedia.org/wiki/Penetration_test
PENETRATION TESTING: Reasons to Conduct
Identify if attackers can readily compromise the security of the business
Identify potential impact to the business
Confirm vulnerabilities identified
Gain a “Real World” view of an attacker’s ability to “hack” the environment and resolve issues identified
How it’s usually done
Do all the steps in Vulnerability Assessment listed previously
Run Metasploit/Core/Canvas against hosts
Try a few other automated tools
Call it “SECURE” if those don’t work
SETTING A PENETRATION TEST UP TO FAIL
Do not allow the exploitation of systems
Restrict testing to non production systems
Restrict the hours of testing
Restrict the length of testing
Improperly scope / fail to include ALL addresses
Only perform externally
Patch/fix BEFORE the test
Only allow directed attacks (no SE/phishing)
Lack of focus on BUSINESS risk and increased focus on technical issues
RISK/COMPLIANCE ASSESSMENTS
WHAT IS A RISK ASSESSMENT? IT risk management is the application of risk management to the information technology context in order to manage IT risk.
Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks.
http://laresconsulting.com/risk.php
RISK ASSESSMENT: Reasons to Conduct
Compliance with regulations
Overall health check of the InfoSec program
Gain understanding of program Effectiveness
Baseline discovery
To show 3rd parties and customers they are “Secure”
How it’s usually done
Whip out a checklist
Check stuff off on checklist
Have a TON of interviews
Believe every word
Do a tick mark legend and ask people to provide “evidence” *which is usually faked*
Only assess controls that are in scope of THAT specific assessment *often information centric*
SETTING A RISK ASSESSMENT UP TO FAIL
Do not allow ACTUAL/TECHNICAL testing and validation
Rely on all information provided as TRUE
Minimize scope to only include assets and controls that are part of the selected compliance regulation and NOT the ENTIRE BUSINESS
Allow for “Compensating Controls” to be an answer to most issues
Expect to become compliant through outsourcing
Expect to become compliant through product purchase/implementation
Be unprepared
LIE
ENHANCING SERVICES VALUE: Stop cutting off your own fingers
BUDGET (I WANT A BRAIN SURGEON FOR THE PRICE OF A NURSE)
SCOPING
TIMING
TESTING
VULNERABILITY ASSESSMENT
Skip it! Do it yourself
Use scanners to identify vulns
Figure out a process to track them over time
Manage the reduction of vulns over time
Manage the MTTP (Mean Time To Patch)
Do the rest and make your testers WORK hard.
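One way to do the "track them over time" part in-house, as an added example that is not from the talk: diff repeated scan exports to get first-seen/closed dates per finding, flag findings that come back after being fixed, and compute MTTP. The scan history, hosts and finding ids below are constructed placeholders, not real scanner output.

```python
"""Vuln lifecycle tracking across repeated scans: first seen, closed, MTTP, regressions.

Added example, not from the talk. SCANS is a constructed scan history; the hosts and
finding ids are placeholders, not real scanner plugin ids.
"""
from datetime import date

# scan date -> set of (host, finding id) the scanner reported open on that date
SCANS = {
    date(2012, 1, 1): {("10.0.0.5", "MISSING-PATCH-A"), ("10.0.0.5", "WEAK-CIPHER-B"),
                       ("10.0.0.9", "MISSING-PATCH-A")},
    date(2012, 2, 1): {("10.0.0.5", "WEAK-CIPHER-B"), ("10.0.0.9", "MISSING-PATCH-A")},
    date(2012, 3, 1): {("10.0.0.5", "WEAK-CIPHER-B"), ("10.0.0.5", "MISSING-PATCH-A")},
}


def lifecycle(scans):
    """Return {(host, finding): {"first": date, "closed": date|None, "regressed": bool}}."""
    dates = sorted(scans)
    state = {}
    for i, d in enumerate(dates):
        for key in scans[d]:
            rec = state.setdefault(key, {"first": d, "closed": None, "regressed": False})
            if rec["closed"] is not None:  # fixed in an earlier scan, back now: regression
                rec["regressed"], rec["closed"] = True, None
        if i > 0:
            # open in the previous scan but absent from this one: closed on this scan date
            for key in scans[dates[i - 1]] - scans[d]:
                state[key]["closed"] = d
    return state


def open_findings(state):
    """Findings still open after the latest scan, oldest first."""
    return sorted((k for k, r in state.items() if r["closed"] is None),
                  key=lambda k: state[k]["first"])


def mttp_days(state):
    """Mean Time To Patch: average days from first seen to closure, closed findings only."""
    durations = [(r["closed"] - r["first"]).days for r in state.values() if r["closed"]]
    return sum(durations) / len(durations) if durations else None


if __name__ == "__main__":
    st = lifecycle(SCANS)
    for key, rec in sorted(st.items()):
        print(key, rec)
    print("MTTP (days):", mttp_days(st), "still open:", open_findings(st))
```

Running it shows one finding fixed in 60 days, one never fixed, and one that was "fixed" in February and back in March, which a click-count style report would miss.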
PENETRATION TESTING
DON’T RUSH IT
PLAN FOR INTERACTION
ALWAYS “Ride Along”
Connect to the REAL impact (shells don’t matter)
GO FULL SCOPE
Don’t use firms that have “SECRET” processes or cannot explain every step of the test and HOW they do it
Attack like AN ATTACKER, not like a script kiddie
Use a repeatable methodology
IF THE TESTING TIME LOOKS LIKE THIS, GET A NEW TESTER
Recon | Scan | Enumerate | Exploit | Post-Exploit | Write Report
PTES METHODOLOGY
1. Pre-Engagement
2. Intelligence Gathering
3. Threat Modelling
4. Vulnerability Analysis
5. Exploitation
6. Post-Exploitation
7. Reporting
WWW.PENTEST-STANDARD.ORG
AND THE GUIDE AT: HTTP://WWW.PENTEST-STANDARD.ORG/INDEX.PHP/PTES_TECHNICAL_GUIDELINES
SPECIFIC EXAMPLE (PHISHING): Common misconceptions
We will get owned, what's the point
It will offend our users
Doesn’t provide enough value
How it’s usually done
Send a 419 scam style email
Track clicks
Write a report to show who clicked
How it SHOULD be done to generate MAX value
Intelligence Leakage
Spam/Proxy Filtering
SMTP Configuration
Malicious Content
Program/Incident Response Effectiveness
Ingress/Egress Traffic Filtering
User Awareness Training & Policy
Data Loss Prevention/Protection
Patch Management & Server Hardening
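Scoring a phishing exercise against the whole defense chain rather than just "who clicked", as an added example that is not from the talk: each control layer the email passed through (gateway filtering, user behaviour, egress filtering, user reporting, incident response) gets its own metric. The recipient records, send time and IR action time are constructed exercise data.

```python
"""Score a phishing exercise against the whole defense chain, not just who clicked.
Added example, not from the talk; EVENTS, SENT_AT and IR_ACTED_AT are constructed
exercise data, one record per recipient of the test email."""
from datetime import datetime

SENT_AT = datetime(2012, 5, 1, 9, 0)
IR_ACTED_AT = datetime(2012, 5, 1, 9, 40)  # constructed: when the SOC first acted on a report

# delivered: the mail gateway/spam filter let the message through to the mailbox
# clicked: when the user followed the link (None = never)
# egress_blocked: True if the outbound fetch was stopped by egress/proxy filtering
# reported: when the user reported the mail to security (None = never)
EVENTS = [
    {"user": "u1", "delivered": False, "clicked": None, "egress_blocked": None, "reported": None},
    {"user": "u2", "delivered": True, "clicked": None, "egress_blocked": None,
     "reported": datetime(2012, 5, 1, 9, 5)},
    {"user": "u3", "delivered": True, "clicked": datetime(2012, 5, 1, 9, 2), "egress_blocked": True,
     "reported": None},
    {"user": "u4", "delivered": True, "clicked": datetime(2012, 5, 1, 9, 8), "egress_blocked": False,
     "reported": datetime(2012, 5, 1, 9, 20)},
    {"user": "u5", "delivered": True, "clicked": datetime(2012, 5, 1, 9, 30), "egress_blocked": False,
     "reported": None},
]

def pct(n, d):
    return round(100.0 * n / d, 1) if d else None

def minutes(later, earlier):
    return (later - earlier).total_seconds() / 60 if later and earlier else None

def score(events, sent_at, ir_acted_at):
    """One metric per control layer the exercise touched."""
    delivered = [e for e in events if e["delivered"]]
    clicked = [e for e in delivered if e["clicked"]]
    uncontained = [e for e in clicked if e["egress_blocked"] is False]  # egress filtering failed
    reported = [e for e in delivered if e["reported"]]
    first_report = min(e["reported"] for e in reported) if reported else None
    return {
        "gateway_block_pct": pct(len(events) - len(delivered), len(events)),
        "click_pct_of_delivered": pct(len(clicked), len(delivered)),
        "egress_block_pct_of_clicks": pct(len(clicked) - len(uncontained), len(clicked)),
        "report_pct_of_delivered": pct(len(reported), len(delivered)),
        "minutes_to_first_report": minutes(first_report, sent_at),
        "minutes_report_to_ir_action": minutes(ir_acted_at, first_report),
        "users_uncontained_before_ir_action": sum(1 for e in uncontained if e["clicked"] < ir_acted_at),
    }
```

On the constructed data the click rate is 75%, but the more useful numbers are that egress filtering stopped only a third of the clicks and the SOC took 35 minutes to act on the first user report.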
RISK/COMPLIANCE ASSESSMENT
MAKE IT BUSINESS FOCUSED NOT IT FOCUSED
Use multiple standards
Remove silos and scope restrictions
TEST, TEST, TEST (PBC docs ARE NOT SUFFICIENT)
A sample set does not show the ability to secure. A crack in certain parts of the defense chain allows for the compromise of the ENTIRE COMPANY
ALWAYS interview each and every executive to understand THEIR concerns and build the solutions to address THEM and not always “just for the audit”
Discuss the VALUE of systems in relevance to the business and re-weight scores
NEVER allow a compensating control on a BUSINESS critical system. EVER
NEW SKOOL INFOSEC: THIS is what the BIG BOYS do, catch up.
RED TEAMING
RED TEAM TESTING: The term originated within the military to describe a team whose purpose is to penetrate security of "friendly" installations, and thus test their security measures. The members are professionals who install evidence of their success, e.g. leave cardboard signs saying "bomb" in critical defense installations, hand-lettered notes saying that "your codebooks have been stolen" (they usually have not been) inside safes, etc. Sometimes, after a successful penetration, a high-ranking security person will show up later for a "security review," and "find" the evidence. Afterward, the term became popular in the computer industry, where the security of computer systems is often tested by tiger teams.
How do you know you can put up a fight if you have never taken a punch?
Electronic
• Network Pentesting
• Surveillance/plants
Social
• In Person Social Engineering
• Phone Conversation
• Social Profiling
Physical
• Lockpicking
• Direct Attack
EP Convergence
• Attacks on physical systems that are network enabled
ES Convergence
• Blackmail
• Phishing
• Profiling
• Creating moles
PS Convergence
• Tailgating
• Impersonation
RED TEAM
RED TEAMING: Reasons to Conduct
Real world test to see how you will hold up against a highly skilled, motivated and funded attacker
The only type of testing that will cover a fully converged attack surface
Impact assessment is IMMEDIATE and built to show a maximum damage event
This IS the FULL DR test of an InfoSec Program
ADVERSARIAL MODELING
TESTING TO SEE IF YOUR MOST LIKELY ATTACKERS WILL SUCCEED IN ATTACKING YOU: Reasons to Conduct
Exercises in evaluating WHO your top 5 most likely attackers are
Full OSINT profiling on the Attackers and their capabilities
Scenarios which are highly focused at Detecting, Confirming, Mitigating and Resolving attacks that are the MOST likely to happen
Testers are forced to use the capabilities of the likely attackers and train the team how to be cool under fire
The most relevant attacks are dealt with FIRST, you are not defending against the pentester… you are prepping to the battle that WILL happen
INSIDER THREAT ASSESSMENT
INSIDER THREAT ASSESSMENT
What is it? Evaluate threat and risk from employee/staff/contractor/executive/etc.
Use company provisioned asset/standard access model (limited privs)
Identify what data/assets can be accessed through authorized channels
Identify elevation of privilege scenarios (exploit AND non-exploit methods)
INSIDER THREAT ASSESSMENT
Why do it? Provides visibility into “what could happen”
A user WILL be compromised at some point
Evaluate security posture of corporate asset
External testing doesn’t always provide accurate measurement of internal sourced threats
Identify insecure internal communication channels
Evaluate covert channel resistance/prevention
External assessments usually only measure (1) of these (if you’re lucky)
Measure defense capabilities internally (beyond perimeter)
• System to system communication
• Level of “noise” detection
• Data leakage/exfil abilities
• Log/data correlation
• Incident response/forensics team’s level of knowledge/expertise
INTERACTIVE DEFENSE ASSESSMENT
RED VS BLUE: Reasons to Conduct
Targeted at working BOTH sides of the test
Active analysis on defense capability; improvements/feedback can be real time
Direct understanding of where process, policy and procedure break down in a REAL LIFE EVENT
Identification of Defensive Technology effectiveness
BUSINESS CHAIN ANALYSIS
NO MOAR IT! Reasons to Conduct
Targeted at working on identifying BUSINESS vulns
How much can/do partners hurt you
Where can you better defend against Partners and 3rd parties
Who, what, where, when and why of how the business works, and how it can be materially affected by relationships