Eyes Wide Open
John Sawyer, Senior Security Analyst
InGuardians, Inc.
Copyright 2013 InGuardians, Inc.! [email protected] - @johnhsawyer!
Agenda
• Who am I?
• What is IT Security?
• Penetration Testing
– (aka. Go Hack Yourself)
• Fun (and scary) Attacks
– And, How to Protect Yourself
Who, What, Where
• InGuardians Senior Security Analyst
– Penetration Testing
• Web, Network, Smart Grid, Mobile, Physical
– Architecture Review
– Incident Response & Forensics
• Dark Reading “Evil Bytes” author
• 1@stplace - Retired CTF packet monkey
– winners DEFCON 14 & 15 CTF
Eyes Wide Open
• Why this title?
• What does it mean?
– Amazement
– Fear
– Naïve
– Prepared
What is IT Security?
• Does it mean what you think it means?
• Many areas of focus
• IT vs C-level perspective
• Public perspective
So Many Areas, So Little Time
• System hardening
• Network security
• Incident response
• Forensics
• Penetration Testing
• Vulnerability Assessments
• Reverse Engineering
• And, so much more!
C-Level Exec vs IT Practitioner
• What does security really do?
– Costs money
– ROI?
– Invisible until a problem arises
• Accuracy vs Speed
• Secure vs Compliant
Compliance ≠ Security
• Being “compliant” often leads to a false sense of security
• Loads of money spent on security products but no focus on processes
Public Perspective
Reality
2012 Eye Openers
• Flashback OS X
• Java Zero Days
• Flame & Gauss
• Android
• LinkedIn, Last.fm, Dropbox Passwords
• Shamoon
Penetration Testing
What is Pen Testing?
• Validation of vulnerability assessments
• Better measurement of risk
• Can answer the “What If” questions
• Can determine if the “worst case scenario” can really happen
What can you do?
• First, what does your job description say?
Network Scanning
• Nmap – network (vuln) scanner
– Ndiff – compare scan results
• Vulnerability Scanning
– Low hanging fruit
– Don’t focus on HIGH (Low 2 Pwned)
– Nessus, NeXpose, ZAP, Burp etc.
• Shodan
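The Ndiff point on this slide (compare a new Nmap scan against a baseline so that hosts and ports that appeared or vanished stand out) is worth seeing in code. The block below is an added example, not code from the slides or from the Nmap project: it parses two scans saved in Nmap’s grepable output format (-oG) and reports the differences. The two scan results are constructed sample data, including a printer that has newly started answering on telnet; the IP addresses and hostnames are made up.

```python
"""Baseline-vs-current comparison of Nmap results, the idea behind Ndiff.

Added example (not from the slides or the Nmap project). Parses two scans in
Nmap grepable (-oG) format and reports hosts and open ports that appeared or
disappeared between them. BASELINE and CURRENT are constructed sample data.
"""
import ipaddress

BASELINE = """\
# Nmap 6.25 scan initiated (constructed sample, not a real network)
Host: 10.0.0.5 (web01)\tStatus: Up
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.7 (print01)\tStatus: Up
Host: 10.0.0.7 (print01)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

CURRENT = """\
# Nmap 6.25 scan initiated (constructed sample, not a real network)
Host: 10.0.0.5 (web01)\tStatus: Up
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (997)
Host: 10.0.0.7 (print01)\tStatus: Up
Host: 10.0.0.7 (print01)\tPorts: 23/open/tcp//telnet///, 9100/open/tcp//jetdirect///\tIgnored State: closed (998)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""


def parse_grepable(text):
    """Return {ip: {(port, proto): (state, service)}} for every host seen.

    A host that is up but has no Ports: line still gets an (empty) entry from
    its Status: line, so a host that disappears entirely is reported too.
    Each port entry is port/state/proto/owner/service/rpcinfo/version/.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                hosts[ip][(port, proto)] = (state, service)
    return hosts


def diff_scans(baseline_text, current_text):
    """Compare two scans; return new/gone hosts and ports opened/closed since baseline."""
    old, new = parse_grepable(baseline_text), parse_grepable(current_text)
    by_ip = ipaddress.ip_address  # numeric sort instead of string sort
    result = {
        "new_hosts": sorted(set(new) - set(old), key=by_ip),
        "gone_hosts": sorted(set(old) - set(new), key=by_ip),
        "opened": [],  # (ip, port, proto, service): open now, not open in baseline
        "closed": [],  # (ip, port, proto, service): open in baseline, not open now
    }
    for ip in sorted(set(old) | set(new), key=by_ip):
        old_open = {k: v for k, v in old.get(ip, {}).items() if v[0] == "open"}
        new_open = {k: v for k, v in new.get(ip, {}).items() if v[0] == "open"}
        for port, proto in sorted(set(new_open) - set(old_open)):
            result["opened"].append((ip, port, proto, new_open[(port, proto)][1]))
        for port, proto in sorted(set(old_open) - set(new_open)):
            result["closed"].append((ip, port, proto, old_open[(port, proto)][1]))
    return result


def report(diff):
    """Render the diff as one human-readable line per change."""
    lines = [f"new host: {ip}" for ip in diff["new_hosts"]]
    lines += [f"host gone: {ip}" for ip in diff["gone_hosts"]]
    lines += [f"{ip} opened {port}/{proto} ({svc})" for ip, port, proto, svc in diff["opened"]]
    lines += [f"{ip} closed {port}/{proto} ({svc})" for ip, port, proto, svc in diff["closed"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(diff_scans(BASELINE, CURRENT))))
```

Run against real output, the two constants would be replaced by files written with `nmap -oG`; the point of the comparison is that a new host and a newly exposed service (here 3306/tcp on the web server and 23/tcp on the printer) are the lines a defender reads first, rather than the full port list.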
Shodan (www.shodanhq.com)
• “Search engine for service banners of pre-scanned devices accessible via the public Internet”
• Created by John Matherly
• Controversial?
– Has led to the exposure of many SCADA and ICS devices
Many Ways to Shodan
• Web Interface
• API
• Metasploit
• iPhone
• Maltego
Any Volunteers?
Shodan Exposures
Attacks, The News, & Reality
Javapocalypse
• Java – A necessary evil for many
– Business reporting applications
– Security Tools
• Burp
• Zap
• Others
Decaffeinating Java Exploits
• Uninstall Java
• Install Java 7 Update 11
• Java only allowed in special VMs
• Decouple Java from Browsers
• Use separate browsers
– Only one has Java enabled
– “Security Zones”
Publicly-Accessible Printers
• Weak/Default passwords
• Jet-Direct vulnerabilities
• Remote firmware update (FIRE)
• Credential exposure?
Printer Safety
• Network segmentation
• Network scanning
– Know your network
• Nmap
• Shodan
• Google
Verizon’s Bob
• After reading 2012 DBIR, started monitoring logs from VPN.
• Regular connections from China.
• “US critical infrastructure company”
• Developer was at his desk.
Bob = Model Employee
• “Quarter after quarter, his performance review noted him as the best developer in the building.”
– 9:00 a.m. – Arrive & surf Reddit. Watch cat videos
– 11:30 a.m. – Take lunch
– 1:00 p.m. – Ebay time.
– 2:00-ish p.m. – Facebook updates – LinkedIn
– 4:30 p.m. – End of day update to management.
– 5:00 p.m. – Go home
Where’s Waldo…Bob?
• I’ll get there…
Internal Detection
• VLAN Hopping – Tripwire monitoring switch configs
• Malware & Attacker Tools – Antivirus logs
• Exploitation of Vulnerable Services – Host Intrusion Prevention logs
• Nmap Scan – Server Performance Monitor
External Detection
• Nmap Scan – FW Logs via MSP
• Web Vuln Scan – User Experience Monitor
• Attack Tool Scans – IDS via MSP
Security Pro’s Dilemma
• The Defender has to get it right every time
• The Attacker only has to get it right once in order to win.
Information Overload
• Everything logs – Do you know how to collect it?
• New threats emerge everyday – How do you keep track?
• More and more data to analyze – Do you look at it all or intelligently narrow it down?
Information Overload
• Too many logs
• Too few hours in the day
• Too many new threats
• Too few security staff
• And, what should we focus on?!?
Risk-Based Approach to Logs
• Identify high-value targets
• Identify worst-case scenario
• How can they be attacked?
• Do you have mechanisms in place to monitor those areas?
Start Small
• Syslog, Splunk, or ELSA – Firewall, VPN, Servers, Door Access
• Network monitoring (IDS, NetFlow) – Security Onion
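The “Start Small” slide names VPN and door-access logs as two of the first feeds to collect, and the Verizon “Bob” story earlier in the deck is exactly the case they catch together: a VPN session from China for a developer who was badged in and sitting at his desk. The block below is an added example, not code from the slides or from Verizon’s write-up, showing the two checks a collector such as Syslog, Splunk or ELSA would be asked to run: a VPN login from a country where the organisation has no staff, and a VPN login for a user whose badge was used on-site within a short window of the login. The key=value log format, the field names, the EXPECTED_COUNTRIES set, the two-hour window and every log line are assumptions constructed for the example.

```python
"""Correlating VPN logins with door-badge events (the "Bob" scenario).

Added example, not from the slides or from Verizon's write-up. Two checks run
over constructed key=value log lines of the kind a syslog collector or SIEM
could export:
  1. a successful VPN login from a country outside EXPECTED_COUNTRIES;
  2. a successful VPN login for a user whose badge was granted on-site within
     ONSITE_WINDOW of the login (someone at their desk should not be dialling in).
Field names, the country set, the window and all log lines are assumptions.
"""
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"US"}          # assumption: all staff work from the US
ONSITE_WINDOW = timedelta(hours=2)   # assumption: badge event within 2h of a VPN login

# Constructed sample: <ISO timestamp> <source host> key=value ...
VPN_LOG = """\
2013-01-14T06:40:11 vpn1 user=alice src=198.51.100.23 country=US action=login result=success
2013-01-14T08:57:12 vpn1 user=bob src=203.0.113.45 country=CN action=login result=success
2013-01-14T09:30:45 vpn1 user=dave src=203.0.113.45 country=CN action=login result=failure
2013-01-14T17:15:03 vpn1 user=carol src=192.0.2.77 country=CN action=login result=success
"""

DOOR_LOG = """\
2013-01-14T08:51:30 door-ctrl badge=bob door=main-lobby result=granted
2013-01-14T08:55:02 door-ctrl badge=alice door=main-lobby result=granted
2013-01-14T12:30:00 door-ctrl badge=bob door=main-lobby result=granted
"""


def parse_kv(text):
    """Turn '<timestamp> <host> k=v k=v ...' lines into dicts with a parsed 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _host, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def find_alerts(vpn_text, door_text):
    """Return (timestamp, user, reason) tuples for suspicious VPN logins, oldest first."""
    badge_times = {}
    for ev in parse_kv(door_text):
        if ev.get("result") == "granted":
            badge_times.setdefault(ev["badge"], []).append(ev["ts"])

    alerts = []
    for ev in parse_kv(vpn_text):
        # Only successful logins become live sessions; failures belong in a
        # separate brute-force count and are skipped here.
        if ev.get("action") != "login" or ev.get("result") != "success":
            continue
        user, ts = ev["user"], ev["ts"]
        if ev.get("country") not in EXPECTED_COUNTRIES:
            alerts.append((ts, user,
                           f"VPN login from unexpected country {ev['country']} ({ev['src']})"))
        nearby = [b for b in badge_times.get(user, []) if abs(b - ts) <= ONSITE_WINDOW]
        if nearby:
            closest = min(nearby, key=lambda b: abs(b - ts))
            alerts.append((ts, user, f"VPN login while badged on-site at {closest.time()}"))
    return sorted(alerts)


if __name__ == "__main__":
    for ts, user, reason in find_alerts(VPN_LOG, DOOR_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {user:<6} {reason}")
```

With the sample data, bob trips both checks (a Chinese source address six minutes after his badge opened the lobby door), carol trips only the geography check, alice trips neither because her US login is more than two hours before her badge event, and dave’s failed login is ignored. Either check alone is noisy; the badge correlation is what turns “someone logs in from abroad” into “someone is logged in as a person who is demonstrably in the building”.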
Takeaways
• Security – It’s more than you against the world
• Penetration Testing – There’s things you can do!
• Attacks (and prevention) – Monitor, monitor, MONITOR!
Thank You
• Questions?
• Contact information: John Sawyer [email protected] 352-389-4704