HACKERS & ATTACK ANATOMY - SNIA · ISE Proprietary HACKERS & ATTACK ANATOMY Geoff Gentry, Regional...

ISE Proprietary

H A C K E R S & A T T A C K A N A T O M Y

Geoff Gentry, Regional Director | [email protected]

mailto:[email protected]

Why is this important?

ISE Proprietary

Attacks

III. Security vs. Functionality

ISE Proprietary

I. Assets vs. Perimeters

About ISE

II. Black Box vs. White Box V. Ongoing vs. Periodic

IV. Build In vs. Bolt On

ISE Proprietary

About ISE

ISE Proprietary

Analysts

• Fortune 500 Enterprises Customers

• White box

Perspective

• Computer Scientists; Ethical Hackers Research

• Recent: Browsers; Routers; Hospital

ISE Proprietary

I. Secure Assets, Not Just Perimeters

ISE Proprietary


Traditional Attacks Traditional Defenses

11

ISE Proprietary


12

ISE Proprietary


13

ISE Proprietary

ISE Proprietary

II. Black Box Penetration Tests == Good

ISE Proprietary

II. Black Box Penetration Tests == Good

ISE Proprietary

White box vulnerability assessment == GOOD!

II. Black Box vs. White Box

ISE Proprietary

• Access Level

• Black Box

• White Box

• Evaluation Types

• Penetration Test

• Vulnerability Assessment


ISE Proprietary

Black Box Perspective


ISE Proprietary

White Box Perspective


ISE Proprietary


ISE Proprietary

Black Box

2 mo. / 200 hrs.

4 potential issues

1 confirmed

none

no recommendations

very low

200+ hrs.

White Box

2 mo. / 200 hrs.

11 confirmed

10 confirmed

21+ mitigation strategies

high

~9 hrs.

~9 hrs.

Time/cost

Severe issues

Other issues

Results

Completeness/Confidence

Cost/issue

Cost/solution

8

ISE Proprietary

SOHO Routers: Outcomes

ISE Proprietary

Goals Results 10 13 Any Remote, Local, Both >30% 100% Broken

Models Attacks

Compromise

ISE Proprietary


ISE Proprietary

EMBARRISNGLY OVERSIMPLIFIED CORPORATE STRUCTURE

SALES IT HR ...

IT FUNCTIONALITY IT SECURITY


ISE Proprietary

EMBARRISINGLY OVERSIMPLIFIED CORPORATE STRUCTURE

SALES IT HR SECURITY

IT FUNCTIONALITY IT SECURITY

…


ISE Proprietary

CONFLICT IS GOOD!


ISE Proprietary

I. Security Separated From Functionality

ISE Confidential - not for distribution

ISE Proprietary

IV. “Build It In,” Not “Bolt It On”

ISE Proprietary


ISE Proprietary

REQUIREMENTS

DESIGN

IMPLEMENTATION

TESTING

DEPLOYMENT

MAINTENANCE

Determine business & user needs

Define architecture

Coding

System testing

Customer roll-out

Resolve bugs

Develop threat model

Design defense in depth

Audit code

White box vulnerability assessment

Configuration Guidance

Iteration Hardening


ISE Proprietary

Built In

90%

- - -

1x

Bolted On

100%

- - -

25x : application

300x : infrastructure

Assessment cost

Assessment overhead

Mitigation cost / issue

ISE Proprietary

V. Security as Ongoing Process

ISE Proprietary

V. Security as Ongoing Process

ISE Proprietary

Yearly

X

90-95%

1

X (0.9)

Quarterly

X

20-30%

4

X (0.8)

Initial assessment cost

Full scope reassessment cost

Full assessments / year

Cost / year

Bi-yearly

X

35-45%

2

X (0.7)

Heartbleed Mitigations

PROVIDERS

• Update to patched version of OpenSSL

• Revoke all SSL certificates

• Get new certificates

• Update all credentials

USERS

• Test all providers, using a tool such as:

https://demo.securityevaluators.com/Heartbleed/

• Change passwords

ISE Proprietary

https://demo.securityevaluators.com/Heartbleed/

Get Involved

ISE Proprietary

[email protected]

ISE Proprietary

HACKERS & ATTACK ANATOMY - SNIA · ISE Proprietary HACKERS & ATTACK ANATOMY Geoff Gentry, Regional...

Documents

Transcript of HACKERS & ATTACK ANATOMY - SNIA · ISE Proprietary HACKERS & ATTACK ANATOMY Geoff Gentry, Regional...