Security the Wrong Way

Transcript

1. @miscsecurity Security: We’re Doing It Wrong Brett Hardin @miscsecurity

2. @miscsecurity /bin/whoami • SourceNinja • Penetration Tester • Developer •

   Author • Good Looking

3. @miscsecurity What Are We Doing Wrong?

4. @miscsecurity InfoSec: Science or Art?

5. @miscsecurity • Scientific Method • Measuring? • Hypothesizing (and stating

   such) • Soft Language? Often, Most, etc. Assumption: Science

6. @miscsecurity Rule 1: Don’t offer opinion

7. @miscsecurity Verizon Data Breach Report 2010 • There wasn’t a

   single confirmed intrusion that exploited a patchable vulnerability • Based on evidence collected over the last six years [Verizon] wonders if we’re going about [security programs] in the most efficient and effective manner.

8. @miscsecurity 38% + 29% = 67% Malware

9. @miscsecurity • [The] malware infection vector is installation or injection

   by a remote attacker. This is often accomplished through SQL injection or after the attacker has root access to a system. (51%) • Drive-By Downloads (Auto Executed) 19% • User Executed (9%)

10. @miscsecurity Rule 2: Find the Root Cause

11. @miscsecurity Verizon Data Breach Report 2011 • CVE-2009-3547, CVE-2007-5156, CVE-2009-2629,

    CVE-2010-0738, CVE-2007-1036 • hackers prefer other vectors or organizations are patching well. Most likely, it’s a little of both.

12. @miscsecurity

13. @miscsecurity Pro Tip: Don’t come to a conclusion where data

    supports the opposite

14. @miscsecurity Robert Carr CEO Heartland 13 pieces of malware c

    a p i t a l i z e d o n w e a k n e s s e s i n Microsoft software infiltrated one or more network servers. http://www.businessweek.com/technology/content/jul2009/tc2009076_891369.htm

15. @miscsecurity Dr. Gene Spafford Purdue University Sony was running outdated

    and obsolete software on the PlayStation and Online Entertainment Networks, leaving the systems extremely vulnerable to the kind of attack that subsequently led to the breach of over 100 million customer records.

16. @miscsecurity Lee Morgan on Citi They simply logged on to

    the part of the group's site reserved for credit card customers and substituted their account numbers which appeared in the browser's address bar with other numbers.

17. @miscsecurity Vulnerability Management

18. @miscsecurity VMs are not to be used to identify assets

19. @miscsecurity Comparing VMs • False Positive Rate • False Negative

    Rate • Application - Spidering Ability • Aid in Remediation

20. @miscsecurity Reducing False Positives • Authenticated Scans • Backported Fixes

    • Won’t happen • Lost “Startup” mentality

21. @miscsecurity What makes a good VM? • Vulnerability Discovery •

    Vulnerability Classification • Vulnerability Remediation • Vulnerability Mitigation

22. @miscsecurity Vulnerability Management Isn’t Helping

23. @miscsecurity 5 Whys

24. @miscsecurity

25. @miscsecurity Audience Participation • Who has a security program? •

    Does it consist of running a vulnerability scanner against an asset and then flag FPs? • What does it consist of?

26. @miscsecurity Rule 3: Stop trying to “solve” impossible problems.

27. @miscsecurity Security Programs Are Too Complex

28. @miscsecurity Vulnerabilities Will Always Exist

29. @miscsecurity The Term “Hacker”

30. @miscsecurity Quick Check: Do your developers code securely?

31. @miscsecurity Security Programs are not Mature • Afterthought. • Get

    used to it. • MetaSploit

32. @miscsecurity Advanced Persistent Threats • “Advanced” • There is no

    patch

33. @miscsecurity Threat Addressed By: Known Security Program Unknown Mitigating Technology

    Custom Penetration Testers

34. @miscsecurity Penetration Testing • Is not a security process •

    Should be used only after having a security process.

35. @miscsecurity Threat Surface 50% 25% 10% 5% 1% What %

    of your threat surface does penetration testing cover?

36. @miscsecurity What to Measure? Do Stuff Check Metrics Did it

    improve? Yes No

37. @miscsecurity Small Steps • Code Review? • VM? • Security

    Process? • Security is Cultural

38. @miscsecurity Rule 3a: Don’t Teach Developers Security

39. @miscsecurity _____ Developers make _____ Products

40. @miscsecurity Rule 4: Don’t Pretend Your Something Your Not

41. @miscsecurity Don’t Get Frustrated • 62% of FSI think time-to-market

    and the need to release products with shorter development cycles was their #1 issue. • Security is a Cost Center

42. @miscsecurity Most Important People • Security • Developers • Executives

    • Sales • Business Development

43. @miscsecurity Most Important People • Security (Increase Expenses) • Developers

    (Increase Profits) • Executives (Increase Profits) • Sales (Increase Profits) • Business Development (Increase Profits)

44. @miscsecurity Questions? [email protected]