Increasing Value Of Security Assessment Services
Download as PPTX, PDF2 likes927 views
The document discusses various aspects of security testing, assessment, and risk management within information security. It critiques traditional methods such as vulnerability assessments and penetration tests for their limitations, while promoting a more comprehensive approach to identifying and mitigating risks. It emphasizes the importance of understanding real-world threats and the value of conducting red team exercises to evaluate an organization's security posture against potential attackers.
Increasing Value Of Security Assessment Services
- 1. Of security testing and assessment
- 17. Pain in the arse Loudmouth Hacker Punk Tells lies (professionally) Is called all sorts of bad words.. That I will likely say throughout this talk Cant code well Talks $hit Drinks a LOT Is an overall J3rk
- 24. LARES
- 31. OSINT SIGINT TSCM/ Bug Sweeping Exploit Development Tool Creation Attack Planning Offensive Consultation Adversarial Intelligence Competitive Intelligence Attack Modeling Business Chain Vuln Assessments Custom Physical Bypass Tool Design Reverse Engineering Other stuff I can’t write down…
- 33. Traditional InfoSec • Typical services • Proposed value (Sales BS) • Set up for failure • WYSIWYG Enhancing Services Value • Doing services right • Mo’ value, less money • Eliminating failure • Custom Delivery New Skool InfoSec • Red Teaming (CAST:Converged Attack Surface Tesing) • Insider Threat Assessment • Adversarial Modeling • IDCa (interactive defense capability assessment) • BCVa(business chain vulnerability analysis)
- 34. Doing the same thing and expecting different results.
- 37. A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. http://en.wikipedia.org/wiki/Vulnerability_assessment
- 38. Reasons to Conduct Identify potential vulnerabilities Provide scoring of risk & prioritization of remediation Manage environment vulnerabilities over time to show security program improvement, defense capability increase and compliance with ongoing patch, system and vulnerability lifecycle How it’s usually done Run a bunch of scanners Generate a report **Sometimes** Generate a custom report consisting of copy/paste data from the Vulnerability scanners and TRY to make sure you delete the word Nessus, qualys… and/or the previous clients name
- 39. Do not run “Dangerous or Experimental Checks” *instant 30%+ reduction in results and overall accuracy* Do not perform Denial of Service Do not run thorough checks Do not run Web checks Only run ONE brand of scanner Limit only to known network checks Only scan once
- 41. A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source... The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. http://en.wikipedia.org/wiki/Penetration_test
- 43. Reasons to Conduct Identify if attackers can readily compromise the security of the business Identify potential impact to the business Confirm vulnerabilities identified Gain a “Real World” View of an attackers ability to “hack” the environment and resolve issues identified How it’s usually done Do all the steps in Vulnerability Assessment listed previously Run metasploit/Core/Canvas against hosts Try a few other automated tools Call it “SECURE” If those don’t work
- 44. Do not allow the exploitation of systems Restrict testing to non production systems Restrict the hours of testing Restrict the length of testing Improperly scope / fail to include ALL addresses Only perform externally Patch/fix BEFORE the test Only allow directed attacks ( no SE/ Phishing) Lack of focus on BUSINESS risk and increased focus on technical issue
- 46. The IT risk management is the application of risk management to Information technology context in order to manage IT risk. Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks. http://laresconsulting.com/risk.php
- 48. Reasons to Conduct Compliance with regulations Overall health check of the InfoSec program Gain understanding of program Effectiveness Baseline discovery To show 3rd parties and customers they are “Secure” How it’s usually done Whip out a checklist Check stuff off on checklist Have a TON of interviews Believe every word Do a tick mark legend and ask people to provide “evidence” *which is usually faked* Only assess controls that are in scope of THAT specific assessment *often information centric*
- 49. Do not allow ACTUAL/TECHNICAL testing and validation Rely on all information provided as TRUE Minimize scope to only include assets and controls that are part of the selected compliance regulation and NOT the ENTIRE BUSINESS Allow for “Compensating Controls” to be an answer to most issues Expect to become compliant through outsourcing Expect to become compliant through product purchase/implementation Be unprepared LIE
- 50. Stop cutting off your own fingers
- 54. TESTING
- 55. Skip it! Do It yourself Use Scanners to identify Vulns Figure out a process to track them over time Manage the reduction of Vulns over time Manage the MTTP ( Mean Time To Patch) Do the rest and make your testers WORK hard.
- 56. DON’T RUSH IT PLAN FOR INTERACTION ALWAYS “Ride Along” Connect to the REAL impact (shells don’t matter) GO FULL SCOPE Don’t use firms that have “SECRET” processes or can not explain every step of the test and HOW they do it Attack like AN ATTACKER not like a script kiddie Use a repeatable methodology
- 57. IF THE TESTING TIME LOOKS LIKE THIS, GET A NEW TESTER Recon Scan Enumerate Exploit Post- Exploit Write Report
- 58. 1 • Pre-Engagement 2 • Intelligence Gathering 3 • Threat Modelling 4 • Vulnerability Analysis 5 • Exploitation 6 • Post-Exploitation 7 • Reporting
- 59. WWW.PENTEST- STANDARD.ORG HTTP://WWW.PENTEST- STANDARD.ORG/INDEX.P HP/PTES_TECHNICAL_GUI DELINES
- 60. Common misconceptions We will get owned, what's the point It will offend our users Doesn’t provide enough value How it’s usually done Send a 419 scam style email Track clicks Write a report to show who clicked
- 61. How it SHOULD be done to generate MAX value
- 62. MAKE IT BUSINESS FOCUSED NOT IT FOCUSED Use multiple standards Remove silo’s and scope restrictions TEST, TEST, TEST (PBC docs ARE NOT SUFFICENT) A sample set does not show the ability to secure. I crack in certain parts of the defense chain allow for the compromise of the ENTIRE COMPANY ALWAYS interview each and every executive to understand THEIR concerns and build the solutions to address THEM and not always “just for the audit” Discuss the VALUE of systems in relevance to the business and re-weight scores NEVER allow a compensating control on a BUSINESS critical system. EVER
- 63. THIS is what the BIG BOYS do, catch up.
- 68. The term originated within the military to describe a team whose purpose is to penetrate security of "friendly" installations, and thus test their security measures. The members are professionals who install evidence of their success, e.g. leave cardboard signs saying "bomb" in critical defense installations, hand-lettered notes saying that “your codebooks have been stolen" (they usually have not been) inside safes, etc. Sometimes, after a successful penetration, a high-ranking security person will show up later for a "security review," and "find" the evidence. Afterward, the term became popular in the computer industry, where the security of computer systems is often tested by tiger teams. How do you know you can put up a fight if you have never taken a punch?
- 69. Electronic • Network Pentesting • Surveillance/ plants Social • In Person Social Engineering • Phone Conversation • Social Profiling Physical • Lockpicking • Direct Attack EP Convergance • Attacks on physical systems that are network enabled ES Convergance • Blackmail • Phishing • Profiling • Creating moles PS Convergance • Tailgaiting • Impersonation RED TEAM
- 70. Reasons to Conduct Real world test to see how you will hold up against a highly skilled, motivated and funded attacker The only type of testing that will cover a fully converged attack surface Impact assessment is IMMEDIATE and built to show a maximum damage event This IS the FULL DR test of an InfoSec Program
- 72. Reasons to Conduct Exercises in evaluating WHO your top5 most likely attackers are Full OSINT profiling on the Attackers and their capabilities Scenarios which are highly focused at Detecting, Confirming, Mitigating and Resolving attacks that are the MOST likely to happen Testers are forced to use the capabilities of the likely attackers and train the team how to be cool under fire The most relevant attacks are dealt with FIRST, you are not defending against the pentester… you are prepping to the battle that WILL happen
- 74. What is it? Evaluate threat and risk from employee/staff/contractor/executive/etc.. Use company provisioned asset/standard access model (limited priv’s) Identify what data/assets can be accessed through authorized channels Identify elevation of privilege scenarios (exploit AND non-exploit methods)
- 75. Why do it? Provides visibility into “what could happen” A user WILL be compromised at some point Evaluate security posture of corporate asset External testing doesn’t always provide accurate measurement of internal sourced threats Identify insecure internal communication channels Evaluate covert channel resistance/prevention External assessments usually only measure (1) of these (if you’re lucky) Measure defense capabilities internally (beyond perimeter) System to system communication Level of “noise” detection Data leakage/exfil abilities Log/data correlation Incident response/forensics team’s level of knowledge/expertise
- 77. Reasons to Conduct Targeted at working BOTH sides of the test Active analysis on defense capability and impreovements / feedback can be real time Direct understanding of where process,policy and procedure break down in a REAL LIFE EVENT Identification of Defensive Technology effectiveness
- 79. Reasons to Conduct Targeted at working on identifying BUSINESS vulns How much can/do partners hurt you Where can you better defend against Partners and 3rd parties Who what where when and why…. Of how the business works and how it can be materially effected by relationships
Editor's Notes
- #5: Sorry ya had to wake up early
- #6: And sit there to pay atteention
- #7: To my stupid ppt
- #9: Got drunk last night
- #10: Will try not to puke while I am on stage
- #11: Ps.. I swear…deal with it
- #25: Who we are
- #26: Code review
- #27: Incident response
- #28: Risk Assessment
- #29: Physical security
- #30: PenTesting
- #31: Red Teaming
- #55: Mike Tyson : Prophet of Infosec “ Everyone has a plan until they get punched in the face”
- #59: I think people may THINK they do ll this and not understand how in depth we go without showing them
- #70: Converged attacking