SlideShare ist ein Scribd-Unternehmen logo

Top Security Challenges Facing Credit Unions Today

Chris Gates
Chris Gates

talk given at CUNA Sep 2013 Top threats facing Credit Unions but was written to apply to pretty much all verticals

Technologie
1 von 58
Top Security Challenges Facing Credit Unions Today Chris Gates Lares Consulting 24 September 2013
Chris Gates Employment History: • Partner, Lares • Senior Security Consultant-Rapid7 • Network Attack Team Lead-Applied Security Inc. • Penetration Tester-Booz Allen Hamilton • Computer Exploitation Technician-US Army Red Team • Signal Officer-US Army • Professional Certifications: • CISSP • CISA • SANS GCIH, GPEN • CEH • Security Stuff: • Member of Metasploit Project • Contributor to Ethical Hacker.net • Active security blogger/twitter/community/Infosec Mentors • Penetration Testing Execution Standard Core Member (PTES) A Little About Me…
Chris Previous Talks • Evolution of Pentesting High Security Environments • ColdFusion for Pentesters • From LOW to PWNED • Information Operations for MGMT • Dirty Little Secrets(pt 1/pt 2) • Attacking Oracle (via TNS & web) • Open Source Information Gathering • Client-Side Attacks @carnal0wnage carnal0wnage.attackresearch.com
• Minimum of 10 years Infosec Experience per consultant (35+ combined) • Penetration Testing Execution Standard Core Members • Publications • Aggressive Network Self Defense • Contributing writer to COBIT • Contributing writer to ISO17799, and one of less than 1000 certified auditors of the ISO17799 (international standards for security best practices) • Author of multiple national / international security awareness training programs • Speaking Engagements all over the world Who Is Lares?
Figure Out What is Important to the Company Steal It !
TOP THREATS FACING YOUR ENTERPRISE
Karate Kid Ruined Us! Shouts to Haroon Meer: http://repo.staticsafe.ca/presentations/hitbsecconf2012/D1T2%20-%20Haroon%20Meer%20-%20You%20and%20Your%20Research.pdf
Karate Kid Ruined Us!
Karate Kid Ruined Us!
Karate Kid Ruined Us!
Having No Security Policies
Having No Security Policies • All security testing is based on YOUR adherence to YOUR security policies • If you have none, what are you testing?
Having No Security Policies
Having No Security Policies • For this audience you most likely have policies due to compliance reasons. • Do they document what you actually do? Or did you download them from the internet and change the logo? • How do we test your policies? – Risk Assessments (design) – Penetration Tests (effectiveness)
Risk Assessment • Performing Risk Assessments is the single best way to get a snapshot of the state of your policies. • You can then begin testing the EFFECTIVENESS of your policies via security testing
What is a Risk Assessment? “Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks.” http://laresconsulting.com/risk.php
Risk Assessment Reasons to Conduct • Compliance with regulations • Overall health check of the InfoSec program • Gain understanding of program Effectiveness • Baseline discovery • To show 3rd parties and customers they are “Secure” How it’s usually done • Whip out a checklist • Check stuff off on checklist • Have a TON of interviews • Believe every word • Do a tick mark legend and ask people to provide “evidence” *which is usually biased* • Only assess controls that are in scope of THAT specific assessment *often information centric*
Setting a Risk Assessment Up to Fail • Do not allow ACTUAL/TECHNICAL testing and validation • Rely on all information provided as TRUE • Minimize scope to only include assets and controls that are part of the selected compliance regulation and NOT the ENTIRE BUSINESS • Allow for “Compensating Controls” to be an answer to most issues • Expect to become compliant through outsourcing • Expect to become compliant through product purchase/implementation • Business “accepts the risk” and accepts forever • Be unprepared • LIE
Compliance Vs. Security • Compliance audits are designed to capture the state of an org at a point in time • Security requires constant interaction between management, the business and the assets • Example: PCI Compliance Assessments – Only focuses on “card holder” environment – (De)Scoping increases your risk and impacts accuracy of risk measurement • Compliance allows you to legally operate the business • Security provides you peace of mind knowing your business can sustain a real attack
Compliance Vs. bad Guys
Self Assessments
Passwords
Passwords • In general people’s passwords and password policy are horrible. • Passwords recently used to compromise organizations: -kiosk/kiosk -mailman/mailman -besadmin/blackberry -$username/Password1 -$username/Company1 -$username/password <-!!!
Setting Password Policies Up to Fail • Not educating users on creating good passwords • Not regularly auditing passwords • Not regularly auditing/rotating default/service accounts • Weak Password GPO because users “cant remember longer passwords” • Adding administrative privileges to user accounts instead of separate admin accounts (joeuser is domain admin instead of joeuser- admin) • Static local admin passwords
Remote Access
Remote Access • Single Factor webmail solutions – OWA, Squirrelmail, etc – Grab address book, repeat brute forcing – Search public folders – Search for (default) passwords • Single Factor VPN solutions – Cisco SSL VPN, Juniper SSL VPN, Citrix – Typically puts you right on the internal network with no restrictions
Setting Remote Access Up to Fail • Not putting everything behind the VPN (OWA) • Single Factor • Not monitoring/configuring allowed users/groups • Not segmenting VPN access from rest of network • No Citrix Hardening • Multiple Remote Access Solutions
People Clicking Stuff
People Clicking Stuff • It happens… • Education vs. Technical Controls • Spam Gateways • Web Proxies • Workstation Baselines
People Clicking Stuff • How to Test/Train? • Social Engineering Assessments – Start with obvious work your way up to targeted attacks • Turn Phish spotting into a game – Reward first employee to spot/report a phish with a gift card.
Setting Social Engineering Testing Up to Fail Common Misconceptions • We will get owned, what's the point • It will offend our users • Doesn’t provide enough value How its usually done • Send a 419 scam style email • Track clicks • Write a report to show who clicked
Ingress/Egress Filtering
Ingress/Egress Filtering • Usually not that good • Relying on router ACLs or network proxies • Default settings • No Email = No Problem
Setting Ingress/Egress Filtering Up to Fail • Not exhaustively testing outbound ports protocols • WCCP • Open web proxy policy • Not blocking uncategorized sites • Critical servers can talk to the Internet
Patching/Workstation/Server Hardening • Patching – Windows usually handled, 3rd party not so much • Secure Deployment Builds – Workstations and Servers – Create them, update them, use them • NIST, NSA, Vendor – NIST: http://web.nvd.nist.gov/view/ncp/repository – NSA: http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/op erating_systems.shtml
Setting Patching/Workstation/Server Hardening up to Fail • Not doing any of it • No “gold” image • No credentialed scanning • No 3rd Party Patching • Waiting for an email to tell you something is wrong
Internal Visibility
Internal Visibility
Know Where Your Sensitive Data is and Protect It
Know Where Your Sensitive Data is and Protect It • DLP Solutions /OpenDLP • Scan for it with scripts or vulnerability scanners
How to Test the Previous Slides • Vulnerability Assessments • Penetration Testing
Vulnerability Assessments • A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. – http://en.wikipedia.org/wiki/Vulnerability_assessment
Vulnerability Assessments Reasons to Conduct • Identify potential vulnerabilities • Provide scoring of risk & prioritization of remediation • Manage environment vulnerabilities over time to show security program improvement, defense capability increase and compliance with ongoing patch, system and vulnerability lifecycle How it’s usually done • Run a bunch of scanners • Generate a report • **Sometimes** Generate a custom report consisting of copy/paste data from the Vulnerability scanners and TRY to make sure you delete the word Nessus, qualys… and/or the previous clients name
Setting Vulnerability Assessments Up to Fail • Do not run “Dangerous or Experimental Checks” *instant 30%+ reduction in results and overall accuracy* • Do not run thorough checks • Do not run Web checks • Limit IP/Ports to scan • Only run ONE brand of scanner • Limit only to known network checks • Only scan once
Penetration Testing • A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source... The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. – http://en.wikipedia.org/wiki/Penetration_test
Penetration Testing Reasons to Conduct • Identify if attackers can readily compromise the security of the business • Identify potential impact to the business • Confirm vulnerabilities identified • Gain a “Real World” View of an attackers ability to “hack” the environment and resolve issues identified How it’s usually done • Do all the steps in Vulnerability Assessment listed previously • Run metasploit/Core/Canvas against hosts • Try a few other automated tools • Call it “SECURE” If those don’t work
Setting Penetration Testing Up to Fail • Do not allow the exploitation of systems • Restrict testing to non production systems • Restrict the hours of testing • Restrict the length of testing • Improperly scope / fail to include ALL addresses • Only perform externally • Patch/fix BEFORE the test • Only allow directed attacks ( no SE/ Phishing) • Lack of focus on BUSINESS risk and increased focus on technical issue • Not impact or goal oriented
Distributed Denial Of Service (DDOS) • Mostly Solved – Pay for protection. – Akamai, Prolexic, cloudfare, etc
Web Applications/Mobile Applications Have to pick the right test for the right job
Web Applications/Mobile Applications • Mostly solved – Just have to put in the effort/pay for the assessments • Outsourced vs. In House • In-House – SDLC & Security Testing – Your RA should tell you how this is doing  • Outsourced – Security reviews in contracts – Require vendor to perform testing prior to deployment (on their $$)
Red Team Testing The term originated within the military to describe a team whose purpose is to penetrate security of "friendly" installations, and thus test their security measures. The members are professionals who install evidence of their success, e.g. leave cardboard signs saying "bomb" in critical defense installations, hand-lettered notes saying that “your codebooks have been stolen" (they usually have not been) inside safes, etc. Sometimes, after a successful penetration, a high-ranking security person will show up later for a "security review," and "find" the evidence. Afterward, the term became popular in the computer industry, where the security of computer systems is often tested by tiger teams. How do you know you can put up a fight if you have never taken a punch?
Red Team Testing
Red Team Testing Reasons to Conduct • Real world test to see how you will hold up against a highly skilled, motivated and funded attacker • The only type of testing that will cover a fully converged attack surface • Impact assessment is IMMEDIATE and built to show a maximum damage event • This IS the FULL DR test of an InfoSec Program
Questions?
Thank You! Chris Gates cgates@laresconsulting.com www.lares.com

Empfohlen

Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
Chris Gates
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
Chris Gates
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Chris Gates
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
EC-Council
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOps
Zane Lackey
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
Zane Lackey
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
CODE BLUE
 

Empfohlen

Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
Chris Gates
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
Chris Gates
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Chris Gates
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
EC-Council
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOps
Zane Lackey
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
Zane Lackey
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
CODE BLUE
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to be
Michael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
Michael Gough
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
Andrew McNicol
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Michael Gough
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
jasonhaddix
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
Michael Gough
 
Shmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotShmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshot
jstnkndy
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
Michael Gough
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
Greg Foss
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?
Tiago Mendo
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomware
Michael Gough
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
Sunny Neo
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
Alex Davies
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
Michael Gough
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
Beau Bullock
 
Introduction to LavaPasswordFactory
Introduction to LavaPasswordFactoryIntroduction to LavaPasswordFactory
Introduction to LavaPasswordFactory
Christopher Grayson
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
Mike Felch
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
Chris Gates
 
B wapp – bee bug – installation
B wapp – bee bug – installationB wapp – bee bug – installation
B wapp – bee bug – installation
Ronan Dunne, CEH, SSCP
 

Weitere ähnliche Inhalte

Was ist angesagt?

Shmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotShmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshot
jstnkndy
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
Beau Bullock
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
Mike Felch
 

Was ist angesagt? (20)

Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to be
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
 
Shmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotShmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshot
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomware
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
 
Introduction to LavaPasswordFactory
Introduction to LavaPasswordFactoryIntroduction to LavaPasswordFactory
Introduction to LavaPasswordFactory
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 

Andere mochten auch

LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
Chris Gates
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Chris Gates
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Chris Gates
 

Andere mochten auch (17)

LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
 
B wapp – bee bug – installation
B wapp – bee bug – installationB wapp – bee bug – installation
B wapp – bee bug – installation
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
MSF Auxiliary Modules
MSF Auxiliary ModulesMSF Auxiliary Modules
MSF Auxiliary Modules
 
Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 

Ähnlich wie Top Security Challenges Facing Credit Unions Today

Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Security Innovation
 
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptxthreat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
ImXaib
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Cyber security series vulnerability assessments
Cyber security series vulnerability assessmentsCyber security series vulnerability assessments
Cyber security series vulnerability assessments
Jim Kaplan CIA CFE
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
What Suppliers Don't Tell You About Security?
What Suppliers Don't Tell You About Security?What Suppliers Don't Tell You About Security?
What Suppliers Don't Tell You About Security?
PECB
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
Intergen
 

Ähnlich wie Top Security Challenges Facing Credit Unions Today (20)

Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
 
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptxthreat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Cyber security series vulnerability assessments
Cyber security series vulnerability assessmentsCyber security series vulnerability assessments
Cyber security series vulnerability assessments
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
 
It security cognic_systems
It security cognic_systemsIt security cognic_systems
It security cognic_systems
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
What Suppliers Don't Tell You About Security?
What Suppliers Don't Tell You About Security?What Suppliers Don't Tell You About Security?
What Suppliers Don't Tell You About Security?
 
How to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsHow to Get the Most Out of Security Tools
How to Get the Most Out of Security Tools
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Module 6.pptx
Module 6.pptxModule 6.pptx
Module 6.pptx
 
Secure Iowa Oct 2016
Secure Iowa Oct 2016Secure Iowa Oct 2016
Secure Iowa Oct 2016
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
 

Mehr von Chris Gates

Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Chris Gates
 
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfSOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
Chris Gates
 
Hacking Oracle Web Applications With Metasploit
Hacking Oracle Web Applications With MetasploitHacking Oracle Web Applications With Metasploit
Hacking Oracle Web Applications With Metasploit
Chris Gates
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
Chris Gates
 

Mehr von Chris Gates (10)

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHV
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library)
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
 
Open Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon EditionOpen Source Information Gathering Brucon Edition
Open Source Information Gathering Brucon Edition
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsBig Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security Environments
 
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXfSOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
 
Hacking Oracle Web Applications With Metasploit
Hacking Oracle Web Applications With MetasploitHacking Oracle Web Applications With Metasploit
Hacking Oracle Web Applications With Metasploit
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 

Kürzlich hochgeladen

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Kürzlich hochgeladen (20)

Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

Top Security Challenges Facing Credit Unions Today

  • 1. Top Security Challenges Facing Credit Unions Today Chris Gates Lares Consulting 24 September 2013
  • 2. Chris Gates Employment History: • Partner, Lares • Senior Security Consultant-Rapid7 • Network Attack Team Lead-Applied Security Inc. • Penetration Tester-Booz Allen Hamilton • Computer Exploitation Technician-US Army Red Team • Signal Officer-US Army • Professional Certifications: • CISSP • CISA • SANS GCIH, GPEN • CEH • Security Stuff: • Member of Metasploit Project • Contributor to Ethical Hacker.net • Active security blogger/twitter/community/Infosec Mentors • Penetration Testing Execution Standard Core Member (PTES) A Little About Me…
  • 3. Chris Previous Talks • Evolution of Pentesting High Security Environments • ColdFusion for Pentesters • From LOW to PWNED • Information Operations for MGMT • Dirty Little Secrets(pt 1/pt 2) • Attacking Oracle (via TNS & web) • Open Source Information Gathering • Client-Side Attacks @carnal0wnage carnal0wnage.attackresearch.com
  • 4. • Minimum of 10 years Infosec Experience per consultant (35+ combined) • Penetration Testing Execution Standard Core Members • Publications • Aggressive Network Self Defense • Contributing writer to COBIT • Contributing writer to ISO17799, and one of less than 1000 certified auditors of the ISO17799 (international standards for security best practices) • Author of multiple national / international security awareness training programs • Speaking Engagements all over the world Who Is Lares?
  • 5. Figure Out What is Important to the Company Steal It !
  • 6. TOP THREATS FACING YOUR ENTERPRISE
  • 7. Karate Kid Ruined Us! Shouts to Haroon Meer: http://repo.staticsafe.ca/presentations/hitbsecconf2012/D1T2%20-%20Haroon%20Meer%20-%20You%20and%20Your%20Research.pdf
  • 11. Having No Security Policies
  • 12. Having No Security Policies • All security testing is based on YOUR adherence to YOUR security policies • If you have none, what are you testing?
  • 13. Having No Security Policies
  • 14. Having No Security Policies • For this audience you most likely have policies due to compliance reasons. • Do they document what you actually do? Or did you download them from the internet and change the logo? • How do we test your policies? – Risk Assessments (design) – Penetration Tests (effectiveness)
  • 15. Risk Assessment • Performing Risk Assessments is the single best way to get a snapshot of the state of your policies. • You can then begin testing the EFFECTIVENESS of your policies via security testing
  • 16. What is a Risk Assessment? “Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks.” http://laresconsulting.com/risk.php
  • 17.
  • 18. Risk Assessment Reasons to Conduct • Compliance with regulations • Overall health check of the InfoSec program • Gain understanding of program Effectiveness • Baseline discovery • To show 3rd parties and customers they are “Secure” How it’s usually done • Whip out a checklist • Check stuff off on checklist • Have a TON of interviews • Believe every word • Do a tick mark legend and ask people to provide “evidence” *which is usually biased* • Only assess controls that are in scope of THAT specific assessment *often information centric*
  • 19. Setting a Risk Assessment Up to Fail • Do not allow ACTUAL/TECHNICAL testing and validation • Rely on all information provided as TRUE • Minimize scope to only include assets and controls that are part of the selected compliance regulation and NOT the ENTIRE BUSINESS • Allow for “Compensating Controls” to be an answer to most issues • Expect to become compliant through outsourcing • Expect to become compliant through product purchase/implementation • Business “accepts the risk” and accepts forever • Be unprepared • LIE
  • 20. Compliance Vs. Security • Compliance audits are designed to capture the state of an org at a point in time • Security requires constant interaction between management, the business and the assets • Example: PCI Compliance Assessments – Only focuses on “card holder” environment – (De)Scoping increases your risk and impacts accuracy of risk measurement • Compliance allows you to legally operate the business • Security provides you peace of mind knowing your business can sustain a real attack
  • 24. Passwords • In general people’s passwords and password policy are horrible. • Passwords recently used to compromise organizations: -kiosk/kiosk -mailman/mailman -besadmin/blackberry -$username/Password1 -$username/Company1 -$username/password <-!!!
  • 25. Setting Password Policies Up to Fail • Not educating users on creating good passwords • Not regularly auditing passwords • Not regularly auditing/rotating default/service accounts • Weak Password GPO because users “cant remember longer passwords” • Adding administrative privileges to user accounts instead of separate admin accounts (joeuser is domain admin instead of joeuser- admin) • Static local admin passwords
  • 27. Remote Access • Single Factor webmail solutions – OWA, Squirrelmail, etc – Grab address book, repeat brute forcing – Search public folders – Search for (default) passwords • Single Factor VPN solutions – Cisco SSL VPN, Juniper SSL VPN, Citrix – Typically puts you right on the internal network with no restrictions
  • 28. Setting Remote Access Up to Fail • Not putting everything behind the VPN (OWA) • Single Factor • Not monitoring/configuring allowed users/groups • Not segmenting VPN access from rest of network • No Citrix Hardening • Multiple Remote Access Solutions
  • 30. People Clicking Stuff • It happens… • Education vs. Technical Controls • Spam Gateways • Web Proxies • Workstation Baselines
  • 31. People Clicking Stuff • How to Test/Train? • Social Engineering Assessments – Start with obvious work your way up to targeted attacks • Turn Phish spotting into a game – Reward first employee to spot/report a phish with a gift card.
  • 32. Setting Social Engineering Testing Up to Fail Common Misconceptions • We will get owned, what's the point • It will offend our users • Doesn’t provide enough value How its usually done • Send a 419 scam style email • Track clicks • Write a report to show who clicked
  • 33.
  • 35. Ingress/Egress Filtering • Usually not that good • Relying on router ACLs or network proxies • Default settings • No Email = No Problem
  • 36. Setting Ingress/Egress Filtering Up to Fail • Not exhaustively testing outbound ports protocols • WCCP • Open web proxy policy • Not blocking uncategorized sites • Critical servers can talk to the Internet
  • 37. Patching/Workstation/Server Hardening • Patching – Windows usually handled, 3rd party not so much • Secure Deployment Builds – Workstations and Servers – Create them, update them, use them • NIST, NSA, Vendor – NIST: http://web.nvd.nist.gov/view/ncp/repository – NSA: http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/op erating_systems.shtml
  • 38. Setting Patching/Workstation/Server Hardening up to Fail • Not doing any of it • No “gold” image • No credentialed scanning • No 3rd Party Patching • Waiting for an email to tell you something is wrong
  • 41. Know Where Your Sensitive Data is and Protect It
  • 42. Know Where Your Sensitive Data is and Protect It • DLP Solutions /OpenDLP • Scan for it with scripts or vulnerability scanners
  • 43. How to Test the Previous Slides • Vulnerability Assessments • Penetration Testing
  • 44. Vulnerability Assessments • A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. – http://en.wikipedia.org/wiki/Vulnerability_assessment
  • 45. Vulnerability Assessments Reasons to Conduct • Identify potential vulnerabilities • Provide scoring of risk & prioritization of remediation • Manage environment vulnerabilities over time to show security program improvement, defense capability increase and compliance with ongoing patch, system and vulnerability lifecycle How it’s usually done • Run a bunch of scanners • Generate a report • **Sometimes** Generate a custom report consisting of copy/paste data from the Vulnerability scanners and TRY to make sure you delete the word Nessus, qualys… and/or the previous clients name
  • 46. Setting Vulnerability Assessments Up to Fail • Do not run “Dangerous or Experimental Checks” *instant 30%+ reduction in results and overall accuracy* • Do not run thorough checks • Do not run Web checks • Limit IP/Ports to scan • Only run ONE brand of scanner • Limit only to known network checks • Only scan once
  • 47. Penetration Testing • A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source... The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. – http://en.wikipedia.org/wiki/Penetration_test
  • 48.
  • 49. Penetration Testing Reasons to Conduct • Identify if attackers can readily compromise the security of the business • Identify potential impact to the business • Confirm vulnerabilities identified • Gain a “Real World” View of an attackers ability to “hack” the environment and resolve issues identified How it’s usually done • Do all the steps in Vulnerability Assessment listed previously • Run metasploit/Core/Canvas against hosts • Try a few other automated tools • Call it “SECURE” If those don’t work
  • 50. Setting Penetration Testing Up to Fail • Do not allow the exploitation of systems • Restrict testing to non production systems • Restrict the hours of testing • Restrict the length of testing • Improperly scope / fail to include ALL addresses • Only perform externally • Patch/fix BEFORE the test • Only allow directed attacks ( no SE/ Phishing) • Lack of focus on BUSINESS risk and increased focus on technical issue • Not impact or goal oriented
  • 51. Distributed Denial Of Service (DDOS) • Mostly Solved – Pay for protection. – Akamai, Prolexic, cloudfare, etc
  • 52. Web Applications/Mobile Applications Have to pick the right test for the right job
  • 53. Web Applications/Mobile Applications • Mostly solved – Just have to put in the effort/pay for the assessments • Outsourced vs. In House • In-House – SDLC & Security Testing – Your RA should tell you how this is doing  • Outsourced – Security reviews in contracts – Require vendor to perform testing prior to deployment (on their $$)
  • 54. Red Team Testing The term originated within the military to describe a team whose purpose is to penetrate security of "friendly" installations, and thus test their security measures. The members are professionals who install evidence of their success, e.g. leave cardboard signs saying "bomb" in critical defense installations, hand-lettered notes saying that “your codebooks have been stolen" (they usually have not been) inside safes, etc. Sometimes, after a successful penetration, a high-ranking security person will show up later for a "security review," and "find" the evidence. Afterward, the term became popular in the computer industry, where the security of computer systems is often tested by tiger teams. How do you know you can put up a fight if you have never taken a punch?
  • 56. Red Team Testing Reasons to Conduct • Real world test to see how you will hold up against a highly skilled, motivated and funded attacker • The only type of testing that will cover a fully converged attack surface • Impact assessment is IMMEDIATE and built to show a maximum damage event • This IS the FULL DR test of an InfoSec Program