
Security the Wrong Way

Brett Hardin
February 27, 2012


Transcript

  1. @miscsecurity
     • Scientific Method
     • Measuring?
     • Hypothesizing (and stating such)
     • Soft Language? Often, Most, etc.
     Assumption: Science
  2. Verizon Data Breach Report 2010
     • There wasn't a single confirmed intrusion that exploited a patchable vulnerability
     • Based on evidence collected over the last six years [Verizon] wonders if we're going about [security programs] in the most efficient and effective manner.
  3. • [The] malware infection vector is installation or injection by a remote attacker. This is often accomplished through SQL injection or after the attacker has root access to a system. (51%)
     • Drive-By Downloads (Auto Executed) (19%)
     • User Executed (9%)
  4. Verizon Data Breach Report 2011
     • CVE-2009-3547, CVE-2007-5156, CVE-2009-2629, CVE-2010-0738, CVE-2007-1036
     • hackers prefer other vectors or organizations are patching well. Most likely, it's a little of both.
  5. Robert Carr, CEO, Heartland: 13 pieces of malware capitalized on weaknesses in Microsoft software infiltrated one or more network servers. http://www.businessweek.com/technology/content/jul2009/tc2009076_891369.htm
  6. Dr. Gene Spafford, Purdue University: Sony was running outdated and obsolete software on the PlayStation and Online Entertainment Networks, leaving the systems extremely vulnerable to the kind of attack that subsequently led to the breach of over 100 million customer records.
  7. Lee Morgan on Citi: They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers which appeared in the browser's address bar with other numbers.
  8. Comparing VMs
     • False Positive Rate
     • False Negative Rate
     • Application - Spidering Ability
     • Aid in Remediation
  9. What makes a good VM?
     • Vulnerability Discovery
     • Vulnerability Classification
     • Vulnerability Remediation
     • Vulnerability Mitigation
  10. Audience Participation
     • Who has a security program?
     • Does it consist of running a vulnerability scanner against an asset and then flagging FPs?
     • What does it consist of?
  11. Penetration Testing
     • Is not a security process
     • Should be used only after having a security process.
  12. Threat Surface: 50% 25% 10% 5% 1%
     What % of your threat surface does penetration testing cover?
  13. Don't Get Frustrated
     • 62% of FSI think time-to-market and the need to release products with shorter development cycles was their #1 issue.
     • Security is a Cost Center
  14. Most Important People
     • Security (Increase Expenses)
     • Developers (Increase Profits)
     • Executives (Increase Profits)
     • Sales (Increase Profits)
     • Business Development (Increase Profits)
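Slides 8 and 9 compare vulnerability scanners on their false positive and false negative rates. The following added example (not part of the deck) scores two hypothetical scanners against a constructed ground truth of which (asset, weakness) pairs really exist; the scanner names, findings and rate definitions are all assumptions made here.

```python
# Constructed ground truth: the (asset, weakness) pairs that really exist.
GROUND_TRUTH = {
    ("web01", "sqli-login"), ("web01", "xss-search"),
    ("web02", "outdated-tls"), ("app01", "default-creds"),
}

# Constructed findings from two hypothetical scanners.
SCANNER_FINDINGS = {
    "scanner-a": {
        ("web01", "sqli-login"), ("web01", "xss-search"),
        ("web02", "outdated-tls"),
        ("web02", "xss-search"),   # not real: a false positive
    },
    "scanner-b": {
        ("web01", "sqli-login"), ("app01", "default-creds"),
        ("app01", "sqli-login"),   # not real: a false positive
        ("web03", "xss-search"),   # not real: the asset does not exist
    },
}


def score_scanner(name, findings, truth=GROUND_TRUTH):
    """Confusion counts and rates for one scanner against the ground truth.

    Assumed definitions: false positive rate is the share of reported findings
    that were wrong; false negative rate is the share of real weaknesses missed."""
    tp = len(findings & truth)
    fp = len(findings - truth)
    fn = len(truth - findings)
    reported, real = tp + fp, tp + fn
    return {
        "name": name, "tp": tp, "fp": fp, "fn": fn,
        "fp_rate": fp / reported if reported else 0.0,
        "fn_rate": fn / real if real else 0.0,
    }


def rank_scanners(all_findings, truth=GROUND_TRUTH):
    """Missed weaknesses matter more than noise, so rank on FN rate first."""
    scores = [score_scanner(n, f, truth) for n, f in all_findings.items()]
    return sorted(scores, key=lambda s: (s["fn_rate"], s["fp_rate"]))


def combined_score(all_findings, truth=GROUND_TRUTH):
    """Score the union of every scanner's findings, which shows whether tools
    with individually poor coverage complement each other."""
    union = set().union(*all_findings.values())
    return score_scanner("combined", union, truth)
```

On the constructed data each scanner alone misses at least one real weakness, while their union misses none at the price of more noise to triage, which is the trade-off the comparison slide is asking you to measure rather than assume.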