Collaborative Security
Audits
http://www.clarifiednetworks.com/

Email/Jabber/Google Talk: jani@clarifiednetworks.com
Testimonial


"With Clarified Networks we had true situational awareness... This way we received better return than ever before... Similar agility is very seldom achieved even with teams working in the same room."
- Jaan Priisalu, Head of IT Risk Management / Swedbank Baltic
Two Topics

1. Collaboration
2. Traffic Audits
What Is Collab
Why Collaboration
Tasks and Targets
[Diagram: audit tasks and their targets. Labels: Open Source Reconnaissance, Social Engineering, People; Laptop Security Review, Corporate Laptops; Website Security Review; Robustness Testing; Traffic Audit.]
Bring In The Teams
And Collaborate
Get Synthesis Of Results
Example
Get Situational Awareness
Example
Get Comprehensive Understanding
[Diagram: layered controls around the target. Labels: Trained Caller ID verification; Access Control; Antivirus, Intrusion Prevention, Firewalling; Content Filtering (-exe, -zip, -...); Secured Terminals; Tokens.]
Why Traffic Audits
Networks Used To Be Simple
Then We Evolved
Why Traffic Audits? (1/2)
Why Traffic Audits? (2/2)
Why Not Earlier?
[Network diagram: FRONTIER-COMPAT: IPSec-bridges & Probes (Mikko Hiltunen, University of Oulu, c06 / 2005-04-19). Nodes: Client, Access Point, WLAN-probes, IPSec-bridges at Oulu and Tampere, IPSec-hub, Access Network, Access Controller, RADIUS Server, User Database, Probe2, Probe3, Probe4, Probenet, Supervisor, Logserver, Backbone, Backbone2, RADIUS-/SS7-GW, Internet. Legend: ethernet, ipsec-tunnel, probe-net.]
Data Flows/Demo
What you are able to Find
Leaks From Isolated Nets
• NTP updates from the competing operator
• Failing DNS queries
• Windows Updates
Tunneling Leaks
[Diagram: IP traffic between the Internet and the “Core”, passing the GGSN on the Gi side and carried in GTP on the Gn side.]
VoIP issues
Compromised Hosts
[Diagram labels: RADIUS, IRC]
End-to-End Testing
Malware Analysis
Questions?
Hacknet Special
https://www.clarifiednetworks.com/hacknet/
How We Can Collaborate?

• Tools (now)
 • Clarified Analyzer
 • Codenomicon Defensics
• Whitelabeled SecAudit Collabs (~6 months)

Editor's Notes

  • #3: Validation of the collaborative approach: the customer is able to steer and participate in a lightweight manner, which leads to higher customer satisfaction. You are able to dynamically utilize several teams. Your seniors can participate in several engagements as part of the virtual team. You are able to leverage information instantly; for example, social engineers may utilize information gained from web application testing in their phishing.
  • #4: Two topics today: Collaboration (process) and Traffic Audits (a technical, practical example of how tools and people collaborate).
  • #5: Infrastructure, tools and services for you to get more out of your security audits.
  • #6: Based on real observations from your customer’s network, you will help them with network-related fact finding, network discovery and documentation, and identifying weak spots. A traffic audit will help you to pinpoint access control leaks, misconfigured hosts and real traffic profiles.
  • #7: Tools will contribute. Tight integration: Clarified Analyzer. Loose integration: Defensics, Nessus, Nmap. People: your specialists, the customer, the customer’s contractors. Infrastructure: a wiki-based environment, supporting an XMLRPC interface for tool integration, with graphingwiki for easy handling and visualization of semantic data.
  • #9: Complex networks: we need to understand them to give more valuable and accurate results. A myriad of different audit methods: we need to synthesize the results.
  • #10: With Collab we are able to utilize larger teams with domain-specific specialists.
  • #11: Different specialists may collaborate: for example, web application testers find XSS vulnerabilities, which social engineers will utilize.
  • #12: We do not merely upload documents (as in SharePoint, for example); we chop the information into pieces and synthesize it in the Collab environment. Analysts and the customer see the results from their own viewpoint, not from the analyst’s viewpoint: ‘Web server applications were secured; however, the web server runs a vulnerable FTP server, which is accessible from the proxy found in the traffic audit.’
  • #13: This example shows how Nmap results and Clarified Analyzer traffic audit results can be shown in the context of IP addresses. Above is a list of devices and their addresses documented with Clarified Analyzer.
  • #14: The customer and your seniors can monitor the progress of the service deployment in ‘real time’: RecentChanges, RSS feeds and situational visualizations (GraphingWiki).
  • #15: Analyst A does open source reconnaissance (intelligence) and uploads the information to the right Collab instance. Phishers will utilize this information and tag the status as they go. The senior analyst sees how testing progresses. The customer is able to comment: ‘These addresses are admins; they should not be phished as that will blow our cover.’
  • #16: Benefit: your understanding of the customer’s social and technical setting will grow significantly during the deployment. You are able to give more valuable results as you put them into the right context, and you are able to adjust your plans on the fly as you see the customer’s strong and weak spots.
  • #17: - Increase system performance by removing needless traffic - Eliminate potential vulnerabilities by removing unnecessary protocols - Discover violations of access control - Document, or eliminate, ad hoc workarounds that bypass security policies - Find hosts and protocols which do not conform to organisation policy
  • #18: It used to be simple: just servers and clients and a simple protocol in between.
  • #19: Then we evolved: messages are passed within a complex system, using several different types of protocols. It is hard to discover weak spots (‘You have built a lot of security features, but did you know that the user input travels all the way to the core of your network? These inputs may exploit the vulnerabilities inside your net.’), and when something really goes wrong, the path from symptoms to root cause is long.
  • #20: A more practical example. The network at the bottom of the picture is considered totally isolated. In reality there are a number of traffic flows traveling in and out. (This example contains only a few use cases: a user joins the network and updates his presence.)
  • #21: Still, our assumption is this: only one well-guarded route in. (Dragons and soldiers are watching.)
  • #22: Understanding complexity based on actual (and detailed) traffic has been hard.
  • #23: Thanks to the tools we’ve built, it is now considerably simpler.
  • #24: Analyzer setup: recorders collect traffic and do real-time indexing (flows vs. packets). You may run the recorders on standard PC hardware with a Linux-based OS (CentOS distro recommended). Analyzer will give you easy access to the collected information, and it will transparently upload/download notes from the Collab environment.
  • #45: Tunneling leaks.
  • #46: Trivial vulnerabilities that were not discovered earlier due to the complexity of the system under testing. The following picture is from a hugely complex VoIP setup, which included a number of security features (VPNs, ACLs, etc.). As we gained understanding of the target, we discovered that forging the caller ID is simple, even when you are using standard mobile phones. As a side note: mobile phones happily showed the name even when they were not in the address book. (Tarja Halonen is the president of Finland.)
  • #47: Compromised servers.
  • #48: End-to-end testing. This example runs Codenomicon Robustness Testing tools to test whether a SIP proxy can be bypassed with fuzzed packets.
  • #49: Detailed but understandable analysis of found issues. Here we use Clarified Analyzer’s Next Gen topology view for documenting a malware ‘topology’. Once you have the documentation, you have easy access to flows and packets from a certain time and certain host(s).
  • #52: Easy start: simple tool sales. When you have gained experience using some of our tools, we can take the next step and deploy infrastructure, tools and services for collaborative security audits.
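As an added example (not from the deck and not Clarified Analyzer code), this is the kind of flow-level check a traffic audit applies to a segment that is assumed to be isolated, as in notes #20, #21 and #24: packets are indexed into 5-tuple flows, and every flow that crosses the segment boundary to a peer that is not the one sanctioned route is reported with a service label, which is how NTP, DNS and update traffic leaving the "isolated" net become visible. The segment range, the sanctioned peer and the packet records are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed packet records in a recorder-like export (assumed layout):
# (src, dst, proto, sport, dport, byte_count)
PACKETS = [
    ("10.20.1.15", "10.20.0.1", "udp", 51000, 53, 70),       # DNS to the local resolver: fine
    ("10.20.1.15", "192.0.2.10", "udp", 123, 123, 76),        # NTP to an outside server: leak
    ("10.20.1.15", "192.0.2.10", "udp", 123, 123, 76),
    ("10.20.1.22", "198.51.100.5", "udp", 52011, 53, 64),     # DNS queries leaving the segment
    ("10.20.1.22", "198.51.100.5", "udp", 52011, 53, 64),     # (retried, same flow)
    ("10.20.1.30", "203.0.113.80", "tcp", 49500, 443, 1200),  # HTTPS out, e.g. update traffic
    ("203.0.113.80", "10.20.1.30", "tcp", 443, 49500, 8000),  # reply direction of the same session
    ("10.20.1.30", "10.20.2.7", "tcp", 49600, 445, 300),      # stays inside the segment
    ("10.20.1.30", "10.50.0.9", "tcp", 49700, 22, 500),       # SSH to the sanctioned peer
]
ISOLATED = ip_network("10.20.0.0/16")       # assumed "isolated" segment
ALLOWED_PEERS = {ip_address("10.50.0.9")}   # assumed sanctioned outside peers (the one guarded route)
SERVICE_BY_PORT = {22: "ssh", 53: "dns", 80: "http", 123: "ntp", 443: "https", 445: "smb"}


def aggregate_flows(packets):
    """Index packets into 5-tuple flows: key -> [packet_count, byte_count]."""
    flows = {}
    for src, dst, proto, sport, dport, size in packets:
        counters = flows.setdefault((src, dst, proto, sport, dport), [0, 0])
        counters[0] += 1
        counters[1] += size
    return flows


def find_leaks(flows, isolated=ISOLATED, allowed=ALLOWED_PEERS):
    """Return (inside_host, service, outside_peer, packets, bytes) for every flow
    that crosses the segment boundary to a peer that is not sanctioned."""
    leaks = []
    for (src, dst, proto, sport, dport), (pkts, nbytes) in flows.items():
        src_in, dst_in = ip_address(src) in isolated, ip_address(dst) in isolated
        if src_in == dst_in:
            continue                    # fully internal, or not our segment at all
        inside, outside = (src, dst) if src_in else (dst, src)
        if ip_address(outside) in allowed:
            continue
        # Label by the lower-numbered port so both directions get the same name.
        service = SERVICE_BY_PORT.get(min(sport, dport), f"{proto}/{dport}")
        leaks.append((inside, service, outside, pkts, nbytes))
    return sorted(leaks)


if __name__ == "__main__":
    for host, service, peer, pkts, nbytes in find_leaks(aggregate_flows(PACKETS)):
        print(f"{host:<12} {service:<6} -> {peer:<14} pkts={pkts} bytes={nbytes}")
```

On real recorder output the same two functions apply unchanged to far larger packet lists; the report groups naturally by inside host and service, which is the "real traffic profile" the audit is after.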