HACKERS & ATTACK ANATOMY - SNIA

Post on 07-Jun-2020


ISE Proprietary

HACKERS & ATTACK ANATOMY

Geoff Gentry, Regional Director | ggentry@securityevaluators.com

Agenda

Why is this important?

About ISE

Attacks

I. Assets vs. Perimeters
II. Black Box vs. White Box
III. Security vs. Functionality
IV. Build In vs. Bolt On
V. Ongoing vs. Periodic


About ISE


• Analysts: Computer Scientists; Ethical Hackers
• Customers: Fortune 500 Enterprises
• Perspective: White box
• Research (recent): Browsers; Routers; Hospital


I. Secure Assets, Not Just Perimeters


Traditional Attacks vs. Traditional Defenses


II. Black Box Penetration Tests == Good


White box vulnerability assessment == GOOD!

II. Black Box vs. White Box


• Access Level
  • Black Box
  • White Box
• Evaluation Types
  • Penetration Test
  • Vulnerability Assessment


Black Box Perspective


White Box Perspective


                          Black Box                   White Box
Time/cost                 2 mo. / 200 hrs.            2 mo. / 200 hrs.
Severe issues             4 potential, 1 confirmed    11 confirmed
Other issues              none                        10 confirmed
Results                   no recommendations          21+ mitigation strategies
Completeness/Confidence   very low                    high
Cost/issue                200+ hrs.                   ~9 hrs.
Cost/solution             n/a                         ~9 hrs.

ISE Proprietary

SOHO Routers: Outcomes


              Goals    Results
Models        10       13
Attacks       Any      Remote, Local, Both
Compromise    >30%     100% Broken


III. Security vs. Functionality


EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE (security reports to IT)

  SALES    IT    HR    ...
            |
   IT FUNCTIONALITY    IT SECURITY


EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE (security is its own branch)

  SALES    IT    HR    SECURITY
            |             |
   IT FUNCTIONALITY    IT SECURITY


CONFLICT IS GOOD!


III. Security Separated From Functionality

ISE Confidential - not for distribution


IV. “Build It In,” Not “Bolt It On”


Phase            Activity                          Security activity
REQUIREMENTS     Determine business & user needs   Develop threat model
DESIGN           Define architecture               Design defense in depth
IMPLEMENTATION   Coding                            Audit code
TESTING          System testing                    White box vulnerability assessment
DEPLOYMENT       Customer roll-out                 Configuration guidance
MAINTENANCE      Resolve bugs                      Iteration hardening


                          Built In    Bolted On
Assessment cost           90%         100%
Assessment overhead       ---         ---
Mitigation cost / issue   1x          25x (application), 300x (infrastructure)


V. Security as Ongoing Process


                                Yearly     Bi-yearly   Quarterly
Initial assessment cost         X          X           X
Full scope reassessment cost    90-95%     35-45%      20-30%
Full assessments / year         1          2           4
Cost / year                     X (0.9)    X (0.7)     X (0.8)


Heartbleed Mitigations

PROVIDERS

• Update to a patched version of OpenSSL (1.0.1g or later, or a distribution build carrying the fix) before doing anything else; re-keying on a still-vulnerable server leaks the new key too
• Revoke all SSL certificates (the private keys may have been read out of server memory)
• Get new certificates, issued for freshly generated private keys
• Update all credentials (passwords, session tokens, API keys that passed through the vulnerable process)

USERS

• Test all providers, using a tool such as:
  https://demo.securityevaluators.com/Heartbleed/
• Change passwords, but only after the provider has patched; a password changed on a vulnerable server can be read out again
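The defect behind these mitigations is a missing bounds check, and the fix was a single comparison. The following is an added example, not code from the ISE slides or from OpenSSL: a simplified TLS heartbeat handler in its vulnerable and hardened forms, run against a constructed memory buffer so the over-read stays inside the demonstration's own array. The record layout follows RFC 6520 (type byte, 2-byte big-endian payload_length, payload, at least 16 bytes of padding); the 48-byte claimed length, the 4-byte real payload and the neighbouring "secret" are constructed for the demonstration, and the hardened check mirrors the comparison the OpenSSL patch added.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wire layout of a TLS heartbeat message (RFC 6520):
 *   byte 0     : type (1 = request, 2 = response)
 *   bytes 1-2  : payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 * record_len is how many bytes the record layer actually delivered. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PADDING = 16 };

/* Shared tail: build the response by echoing payload_len bytes back.
 * Whether payload_len was validated is the caller's responsibility.
 * Returns the response length, or -1; caller frees *out. */
static int build_response(const uint8_t *rec, uint16_t payload_len, uint8_t **out)
{
    size_t resp_len = HB_HDR + payload_len + HB_PADDING;
    uint8_t *resp = malloc(resp_len);
    if (resp == NULL) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, payload_len);   /* the echo */
    memset(resp + HB_HDR + payload_len, 0, HB_PADDING); /* real code: random */
    *out = resp;
    return (int)resp_len;
}

/* Vulnerable handler (pre-1.0.1g behaviour): trusts the peer's
 * payload_length and never compares it with the delivered length. */
int heartbeat_vulnerable(const uint8_t *rec, size_t record_len, uint8_t **out)
{
    (void)record_len;                                  /* ignored: the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec, payload_len, out);
}

/* Hardened handler: the length check the OpenSSL fix added. A message
 * whose declared payload does not fit in the delivered record is
 * silently discarded instead of echoed. */
int heartbeat_hardened(const uint8_t *rec, size_t record_len, uint8_t **out)
{
    if (record_len < HB_HDR + HB_PADDING) return -1;   /* no room for a header */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload_len + HB_PADDING > record_len) return -1;
    return build_response(rec, payload_len, out);
}

/* Constructed process memory (not captured data): a 23-byte request that
 * claims a 48-byte payload but carries only "ping", followed by data that
 * happens to sit next to it and must never leave the process. */
static const uint8_t MEMORY[] =
    "\x01" "\x00\x30"                 /* request, payload_length = 48 */
    "ping"                            /* the 4 bytes actually sent */
    "0123456789abcdef"                /* 16 bytes of padding */
    "SECRET-SESSION-COOKIE=abc123;";  /* neighbouring heap data */
#define RECORD_LEN (HB_HDR + 4 + HB_PADDING)   /* 23: what was received */

/* 1 if the vulnerable handler's response carries the neighbouring secret. */
int vulnerable_leaks_secret(void)
{
    uint8_t *resp = NULL;
    int n = heartbeat_vulnerable(MEMORY, RECORD_LEN, &resp);
    if (n < 0) return 0;
    /* The secret begins 20 bytes (payload + padding) into the echoed area. */
    int leaked = (n >= HB_HDR + 20 + 6) &&
                 memcmp(resp + HB_HDR + 20, "SECRET", 6) == 0;
    free(resp);
    return leaked;
}

/* 1 if the hardened handler discards the same over-long request. */
int hardened_rejects_oversized(void)
{
    uint8_t *resp = NULL;
    int n = heartbeat_hardened(MEMORY, RECORD_LEN, &resp);
    if (n >= 0) free(resp);
    return n < 0;
}

/* Response length for an honest 4-byte request (23), or -1 on failure. */
int hardened_echoes_valid(void)
{
    uint8_t rec[RECORD_LEN];
    memcpy(rec, MEMORY, RECORD_LEN);
    rec[1] = 0x00; rec[2] = 0x04;                   /* honest payload_length */
    uint8_t *resp = NULL;
    int n = heartbeat_hardened(rec, RECORD_LEN, &resp);
    if (n < 0) return -1;
    int ok = memcmp(resp + HB_HDR, "ping", 4) == 0;
    free(resp);
    return ok ? n : -1;
}

int main(void)
{
    printf("vulnerable handler leaks secret:   %d\n", vulnerable_leaks_secret());
    printf("hardened handler rejects request:  %d\n", hardened_rejects_oversized());
    printf("hardened handler echoes valid one: %d bytes\n", hardened_echoes_valid());
    return 0;
}
```

Build with `cc -std=c99 -Wall heartbeat.c -o heartbeat && ./heartbeat`. In real OpenSSL the request sat in the SSL3 record buffer on the heap, so the bytes after it were whatever that process had recently freed or allocated: session keys, cookies, and on a busy server the private key itself. That is why the provider list above includes re-keying and credential rotation and not just the patch. Note also what the fix does not do: it still trusts the peer for payload_length, it only refuses to act on a value the delivered record cannot back up, which is the general shape of an input-length check.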


Get Involved


ggentry@securityevaluators.com
