Slide 1

Security: We’re Doing It Wrong
Brett Hardin (@miscsecurity)

Slide 2

/bin/whoami
• SourceNinja
• Penetration Tester
• Developer
• Author
• Good Looking

Slide 3

What Are We Doing Wrong?

Slide 4

InfoSec: Science or Art?

Slide 5

Assumption: Science
• Scientific Method
• Measuring?
• Hypothesizing (and stating such)
• Soft Language? Often, Most, etc.

Slide 6

Rule 1: Don’t offer opinion

Slide 7

Verizon Data Breach Report 2010
• There wasn’t a single confirmed intrusion that exploited a patchable vulnerability
• Based on evidence collected over the last six years [Verizon] wonders if we’re going about [security programs] in the most efficient and effective manner.

Slide 8

38% + 29% = 67% Malware

Slide 9

• [The] malware infection vector is installation or injection by a remote attacker. This is often accomplished through SQL injection or after the attacker has root access to a system. (51%)
• Drive-By Downloads (Auto Executed) (19%)
• User Executed (9%)

Slide 10

Rule 2: Find the Root Cause

Slide 11

Verizon Data Breach Report 2011
• CVE-2009-3547, CVE-2007-5156, CVE-2009-2629, CVE-2010-0738, CVE-2007-1036
• hackers prefer other vectors or organizations are patching well. Most likely, it’s a little of both.

Slide 12


Slide 13

Pro Tip: Don’t come to a conclusion where data supports the opposite

Slide 14

Robert Carr, CEO, Heartland
“13 pieces of malware capitalized on weaknesses in Microsoft software infiltrated one or more network servers.”
http://www.businessweek.com/technology/content/jul2009/tc2009076_891369.htm

Slide 15

Dr. Gene Spafford, Purdue University
“Sony was running outdated and obsolete software on the PlayStation and Online Entertainment Networks, leaving the systems extremely vulnerable to the kind of attack that subsequently led to the breach of over 100 million customer records.”

Slide 16

Lee Morgan on Citi
“They simply logged on to the part of the group’s site reserved for credit card customers and substituted their account numbers which appeared in the browser’s address bar with other numbers.”
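The Citi flaw described on this slide is an insecure direct object reference: the account number in the address bar alone selects the record. As an added example (not from the talk), here is that vulnerable lookup beside a hardened one that checks ownership, plus a simple access-log check a defender can run; the account numbers, URLs and log lines are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample store (account number -> owner); not real data.
ACCOUNTS = {
    "4000111122223333": {"owner": "alice", "balance": 1250.00},
    "4000444455556666": {"owner": "bob", "balance": 87.10},
}


def account_from_url(url):
    """Extract ?account=... from a URL like the one in the address bar."""
    values = parse_qs(urlparse(url).query).get("account")
    return values[0] if values else None


def lookup_vulnerable(session_user, url):
    """IDOR: the number in the URL alone selects the record, so any
    logged-in user who edits it reads another customer's account."""
    return ACCOUNTS.get(account_from_url(url))


def lookup_hardened(session_user, url):
    """Authorization check: return the record only if the session owns it.
    Unknown and foreign accounts both yield None, so nothing is disclosed."""
    record = ACCOUNTS.get(account_from_url(url))
    if record is None or record["owner"] != session_user:
        return None
    return record


def sessions_probing_accounts(log_lines, threshold=2):
    """Detection: flag sessions that touch at least `threshold` distinct
    account numbers. Constructed log line format: '<session_id> <url>'."""
    seen = {}
    for line in log_lines:
        session_id, url = line.split(" ", 1)
        acct = account_from_url(url)
        if acct:
            seen.setdefault(session_id, set()).add(acct)
    return sorted(s for s, accts in seen.items() if len(accts) >= threshold)


# Constructed access log: session s2 walks through several account numbers.
SAMPLE_LOG = [
    "s1 https://bank.example/cards?account=4000111122223333",
    "s2 https://bank.example/cards?account=4000111122223333",
    "s2 https://bank.example/cards?account=4000111122223334",
    "s2 https://bank.example/cards?account=4000111122223335",
]
```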

Slide 17

Vulnerability Management

Slide 18

VMs are not to be used to identify assets

Slide 19

Comparing VMs
• False Positive Rate
• False Negative Rate
• Application - Spidering Ability
• Aid in Remediation

Slide 20

Reducing False Positives
• Authenticated Scans
• Backported Fixes
• Won’t happen
• Lost “Startup” mentality

Slide 21

What makes a good VM?
• Vulnerability Discovery
• Vulnerability Classification
• Vulnerability Remediation
• Vulnerability Mitigation

Slide 22

Vulnerability Management Isn’t Helping

Slide 23

5 Whys

Slide 24


Slide 25

Audience Participation
• Who has a security program?
• Does it consist of running a vulnerability scanner against an asset and then flagging FPs?
• What does it consist of?

Slide 26

Rule 3: Stop trying to “solve” impossible problems.

Slide 27

Security Programs Are Too Complex

Slide 28

Vulnerabilities Will Always Exist

Slide 29

The Term “Hacker”

Slide 30

Quick Check: Do your developers code securely?

Slide 31

Security Programs are not Mature
• Afterthought.
• Get used to it.
• MetaSploit

Slide 32

Advanced Persistent Threats
• “Advanced”
• There is no patch

Slide 33

Threat / Addressed By:
• Known: Security Program
• Unknown: Mitigating Technology
• Custom: Penetration Testers

Slide 34

Penetration Testing
• Is not a security process
• Should be used only after having a security process.

Slide 35

Threat Surface
What % of your threat surface does penetration testing cover?
• 50%
• 25%
• 10%
• 5%
• 1%

Slide 36

What to Measure?
Do Stuff → Check Metrics → Did it improve? (Yes / No)

Slide 37

Small Steps
• Code Review?
• VM?
• Security Process?
• Security is Cultural

Slide 38

Rule 3a: Don’t Teach Developers Security

Slide 39

_____ Developers make _____ Products

Slide 40

Rule 4: Don’t Pretend You’re Something You’re Not

Slide 41

Don’t Get Frustrated
• 62% of FSI think time-to-market and the need to release products with shorter development cycles was their #1 issue.
• Security is a Cost Center

Slide 42

Most Important People
• Security
• Developers
• Executives
• Sales
• Business Development

Slide 43

Most Important People
• Security (Increase Expenses)
• Developers (Increase Profits)
• Executives (Increase Profits)
• Sales (Increase Profits)
• Business Development (Increase Profits)

Slide 44

Questions? [email protected]