The Seven Axioms of Security - ITWeb 2017
7 likes2,698 views
Saumil Shah, CEO of Net Square, discusses the evolution of security threats and defensive measures from 2001 to 2017, emphasizing the transition from reactive to proactive security strategies. He outlines seven axioms of security, advocating for comprehensive data collection, realistic testing, and the importance of metrics to drive decision-making in cybersecurity. The document underscores the need for creative defenses and the evolving role of the CISO in a landscape where attackers operate outside of compliance standards.
The Seven Axioms of Security - ITWeb 2017
- 1. #ITWebSS2017NETSQUARENETSQUARE The Seven Axioms Of Security SAUMIL SHAH CEO, NET SQUARE @therealsaumil ITWeb Security Summit 2017 Johannesburg, South Africa PhotoCredit:MukeshAcharya
- 4. #ITWebSS2017NETSQUARE About Me Saumil Shah CEO, Net Square @therealsaumil hacker, trainer, speaker, photographer, rebel educating, entertaining and exasperating audiences since 1999
- 5. #ITWebSS2017NETSQUARE The Evolution of Attacks: 2001-17
- 6. #ITWebSS2017NETSQUARE Servers Applications Desktops Browsers Pockets Populations The Evolution of Targets: 2001-17
- 7. #ITWebSS2017NETSQUARE ...Defense: 2001-17 Firewalls IDS/IPS Antivirus WAF DLP, EPS DEP, ASLR Sandbox One-way Attacks FragRouter Obfuscation Char Encoding DNS Exfil ROP, Infoleak Jailbreak Different.... but Same Same
- 9. #ITWebSS2017NETSQUARE Strange Targets: ROWHAMMER By Dsimic https://commons.wikimedia.org/w/index.php?curid=38868341
- 10. #ITWebSS2017NETSQUARE IMAJS STEGO- DECODER JAVASCRIPT TARGET BROWSER POLYGLOT PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE Strange Techniques: STEGOSPLOIT http://stegosploit.info
- 12. #ITWebSS2017NETSQUARE wherein buildings reveal near- infinite interiors, capable of being traversed through all manner of non-architectural means http://www.bldgblog.com/2010/01/nakatomi-space/ Nakatomi Space
- 14. #ITWebSS2017NETSQUARE Exploit Development - 2002 Individual effort. 1 week dev time. 3-6 months shelf life. Hundreds of public domain exploits. "We did it for the LOLs."
- 16. #ITWebSS2017NETSQUARE Evolution of a new species MitiGator RaiseBar-us Myopus Discovered by @halvarflake SafeSEH DEP ASLR CFG Isolated Heap NOZZLE /GS SEHOP RelRO
- 17. #ITWebSS2017NETSQUARE MitiGator raises the bar... ...until it sees no more exploits Credit @halvarflake
- 18. #ITWebSS2017NETSQUARE A long time ago in a galaxy far, far away... MICROSOFT STRIKES BACK
- 20. #ITWebSS2017NETSQUARE 2005: Ciscogate – Michael Lynn https://www.schneier.com/blog/archives/2005/07/cisco_harasses.html
- 22. #ITWebSS2017NETSQUARE Exploit Development - 2012 2-12 month dev time. 24h to 10d shelf life. Public domain exploits = zero. Cost,value of exploits has significantly risen. • COMMERCIALIZED • WEAPONIZED • POLITICIZED
- 23. #ITWebSS2017NETSQUARE The defenders tried to buy back their bugs...
- 24. #ITWebSS2017NETSQUARE Bug Bounties: high stakes game Chris Evans – Pwnium: Element 1337
- 25. #ITWebSS2017NETSQUARE Bug Bounties tried to fill a REACTIVE need.
- 31. #ITWebSS2017NETSQUARE Security = "RISK REDUCTION" Rules Signatures Updates Machine Learning
- 33. #ITWebSS2017NETSQUARE Existing defense measures do not match attacker tactics.
- 36. #ITWebSS2017NETSQUARE In 2001... CIO CIO INFOTECH = BUSINESS ENABLER CISO INFOSEC = RISK REDUCTION $$$ C.Y.A.
- 37. #ITWebSS2017NETSQUARE Dear CISO, Who are Scarier ATTACKERS or AUDITORS?
- 38. #ITWebSS2017NETSQUARE It is time we ...not by building firewalls...
- 40. #ITWebSS2017NETSQUARE Intelligence Driven Defense From REACTIVE to PROACTIVE
- 43. #ITWebSS2017NETSQUARE Compliance is NOT the CISO's job "Not my circus, Not my monkeys" http://rafeeqrehman.com/2016/10/07/announcing-ciso-mindmap-2016/ 90% TIME SPENT ON COMPLIANCE!
- 44. #ITWebSS2017NETSQUARE In 2017... CISO CISO INFOSEC = DEFENSE CCO CHIEF COMPLIANCE OFFICER DEFEND AGAINST ATTACKERS DEFEND AGAINST AUDITORS
- 46. #ITWebSS2017NETSQUARE Collect Everything! • Security Data Warehouse: first step towards proactive security. • Retention is CHEAPER than Deletion. • Importance of HISTORICAL DATA increases exponentially with time.
- 47. #ITWebSS2017NETSQUARE Sources of Security Intelligence?
- 48. #ITWebSS2017NETSQUARE "The Universe tells you everything you need to know about it, as long as you are prepared to watch, to listen, to smell, in short to OBSERVE." Sources of Security Intelligence
- 49. #ITWebSS2017NETSQUARE Get CREATIVE, Get ORGANIC ORGANIC SECURITY = Grow It Yourself!
- 50. #ITWebSS2017NETSQUARE Schrödinger's Hack: Systems exist in both SECURE and HACKED states at the same time. Axiom 3
- 51. #ITWebSS2017NETSQUARE TEST REALISTICALLY Axiom 3 – what it means
- 52. #ITWebSS2017NETSQUARE Forgone Conclusion: "My System Is SECURE" Test Strategy that will lead you this conclusion • Wait for a new production build. • Don't test on production only UAT. • Perform Non-intrusive testing. • X,Y,Z,.. are all out of Scope. • Test during off-peak hours only.
- 54. #ITWebSS2017NETSQUARE Why Keep Metrics? • To show you are succeeding – Corollary: to show you are failing • To justify your existence and/or budget • To argue for change • For fun! Marcus Ranum Security Metrics: The Quest For Meaning IT Defense 2016, Mainz
- 55. #ITWebSS2017NETSQUARE How to Establish Metrics • Look at your process and make a list of what is quantifiable • Ask yourself what quantities you are interested in – Once things are quantified they go up, or down – which is about the only convenient thing of metrics: they don't go sideways, too • Which is a "good" direction: up or down? • Do you know what constitutes a significant movement? • Measure and iterate Marcus Ranum Security Metrics: The Quest For Meaning IT Defense 2016, Mainz
- 56. #ITWebSS2017NETSQUARE Alberto Brandolini @ziobrando (The Bullshit Asymmetry)
- 57. #ITWebSS2017NETSQUARE Why Metrics Win • Often information security becomes what I call a "battle of two narratives" – Your opponent has the advantage of lying: – "moving this to the cloud will save us $500,000/year!" – To defend your narrative you need facts (from metrics) and credible extrapolations (based on metrics) or your opponent controls the narrative! * * Plan B is to respond with lies of your own Marcus Ranum Security Metrics: The Quest For Meaning IT Defense 2016, Mainz
- 59. #ITWebSS2017NETSQUARE The user's going to pick dancing pigs over security every time. Bruce Schneier
- 60. #ITWebSS2017NETSQUARE Technology in the hands of users @needadebitcard
- 62. #ITWebSS2017NETSQUARE NUMBEROFUSERS INFOSEC MATURITY HOPELESS UNINFORMED PROACTIVE ROCK STARS Identify your target users... ALWAYS GOING TO BE AN ENIGMA IF PROPERLY GUIDED THESE USERS ARE WILLING TO IMPROVE THEIR USAGE HABITS THE NEXT ROCK STAR USERS LEAVE THEM ALONE AND POSSIBLY LEARN FROM THEM
- 63. #ITWebSS2017NETSQUARE ...and improve their maturity HOPELESS UNINFORMED PROACTIVE ROCK STARS NUMBEROFUSERS INFOSEC MATURITY
- 64. #ITWebSS2017NETSQUARE The Best Defense is a CREATIVE Defense. Axiom 6
- 65. #ITWebSS2017NETSQUARE A Creative Defense is an UNEXPECTED Defense. Axiom 6 – attacker's view
- 68. #ITWebSS2017NETSQUARE Visible Defense • Improve the User Maturity Curve. • Reduce Blue Team's Response Time. • Money Saved = Money Earned Consistent Reduction in Frauds. • Produce Creative Defense Tools. • Attract Smarter Talent in Infosec. • Weekly fitness check...
- 69. #ITWebSS2017NETSQUARE ASSET INVENTORY REAL-TIME VISIBILITY OF EVENTS DETECT UNAUTHORIZED ACTIVITY CLASSIFY UNAUTHORIZED ACTIVITY ATTACKER CAPABILITY DETECT INTRUSIONS UNCOVER ATTACKERS TRACK ATTACKERS DEFEND & RECOVER ...The CISO Strength Test https://github.com/swannman/ircapabilities
- 70. #ITWebSS2017NETSQUARE Is your Infosec team doing something creative every day?