Slide 2
About
Name: Shritam Bhowmick
Professional Career:
o AVP, Labs @Lucideus Tech
  - Application Security Assessments
  - Research and Development @Lucideus Labs
o Application Security Trainer @CTG Security Solutions
  - Application Security Trainer
  - Training Scheduler & Advisor
o Red Team Lead, Security Specialist cum R&D @Defencely
  - Client SPOC
  - Penetration Tester
  - Application Security Team Lead
  - Red Team Coordinator and Engagement Specialist
Slide 3
And all of ‘em were my secret hobbies too!
P.S: I do not use memes in presentations.
Slide 12
Abstract
Security Breaches (Reasoning Analysis)
1. Code maintainers are unavailable
2. Developers do not understand vulnerabilities (awareness factor)
3. Lack of IT security budget to cope with current vulnerabilities
4. Affected codebase or part of the code is owned by a third party
5. Applications deployed will be taken off in the near future
6. Security solutions conflict with business use cases
7. Compliance does not require fixing the issues
8. Feature enhancement is prioritized ahead of security fixes
9. Risk of exploitation and compromise is accepted
Slide 13
Security Assessment v/s Security Engagement
Security Assessment – It is part of risk assessment, or more particularly IT Security Risk Assessment, and it is also a “quantified” value of the risks to which an IT firm could be exposed. Some necessary ingredients are:
1. Threat Assessment
2. Risk Assessment
3. Security Compliance
Slide 14
Security Assessment v/s Security Engagement
Security Engagement – The risks assessed in the first phase are verified by an ‘engagement’ procedure, which gives “qualitative” results on whether the previously assessed risks were positive or negative; by default this is either an ‘offensive’ or a ‘defensive’ engagement. This, again, can be broken down into:
1. Code Review
2. Vulnerability Assessment
3. Penetration Testing
4. Red Team Engagement
Slide 15
Threat Assessment
Threat Agents
Particulars which can adversely affect the business
1. Non Target Specific – Trojan horses, worms, viruses, logic bombs, CnC-driven botnets, etc.
2. Internal/External Association – Employees, staff, code maintainers, operational personnel, YOU!
3. Organized Crime – Finance-driven, target-driven blackhat entities, credit card information stealers.
Reference: https://www.owasp.org/index.php/Category:Threat_Agent
Slide 16
Threat Agents
4. Corporation – Competitive intelligence and offensive information warfare.
5. Human – Insider/outsider with intentional and unintentional threat agent behavior involved.
6. Natural – Earthquakes, thunderstorms, floods, fire; physical calamities driven by nature obstructing electronic communications.
Reference: https://www.owasp.org/index.php/Category:Threat_Agent
Slide 17
Threat Modeling
A process of identifying threats in order to meet security objectives
1. External Dependencies – Items which are external to the organization rather than internal to it.
2. Entry Points – Interfaces through which potential threat agents can interact or supply data. Each entry point has a level of trust.
3. Assets – Items of interest to an attacker. Assets can be physical or abstract.
Reference: https://www.owasp.org/index.php/Application_Threat_Modeling
Slide 18
Threat Modeling
4. Trust Levels – Access rights, cross-referenced between entry points and assets.
5. Data Flow Diagrams (DFDs) – Logical connections for the data flow. A DFD gives the structural overview needed to clarify sub-systems and lower-level systems.
6. Threat Analysis – Accounting for dependencies, entry points, assets, trust levels and DFDs to identify design, functional or architectural threats.
Reference: https://www.owasp.org/index.php/Application_Threat_Modeling
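The six threat modeling ingredients above (external dependencies, entry points, assets, trust levels, DFD flows, threat analysis) fit together mechanically: every DFD flow joins an entry point to an asset, and the threat analysis step cross-references the trust level granted at the entry point against the access right the asset requires. The following Python is an added example written for this page, not code from the slides or from OWASP; the trust ladder, the web-shop entry points, assets and flows are all constructed, hypothetical values. It flags two design-level findings: a "trust gap" where low-trust input reaches a high-trust asset (so the component on that path must enforce the access right), and an "external dependency" where the asset is outside the organization's control.

```python
from dataclasses import dataclass

# Ordered trust levels for this hypothetical application (constructed for the example).
TRUST_ORDER = ["anonymous", "authenticated_user", "admin", "internal_service"]
TRUST_RANK = {name: rank for rank, name in enumerate(TRUST_ORDER)}


@dataclass(frozen=True)
class EntryPoint:
    """Interface through which a threat agent can interact or supply data."""
    name: str
    trust_level: str        # trust granted to whoever comes in through this interface


@dataclass(frozen=True)
class Asset:
    """Item of interest to an attacker; physical or abstract."""
    name: str
    required_trust: str     # minimum trust level an actor needs to touch the asset
    external: bool = False  # True when the asset is an external dependency


@dataclass(frozen=True)
class Flow:
    """One edge of the data flow diagram: entry point -> component -> asset."""
    entry_point: str
    component: str
    asset: str


def analyze_threats(entry_points, assets, flows):
    """Cross-reference entry points and assets along each DFD flow.

    Returns a list of findings. 'trust_gap' means data entering at a lower
    trust level reaches an asset that requires a higher one, so the component
    on that path must enforce the access right. 'external_dependency' marks a
    flow whose asset the organization does not control.
    """
    ep_by_name = {e.name: e for e in entry_points}
    asset_by_name = {a.name: a for a in assets}
    findings = []
    for flow in flows:
        if flow.entry_point not in ep_by_name or flow.asset not in asset_by_name:
            raise ValueError(f"DFD references an unknown entry point or asset: {flow}")
        ep = ep_by_name[flow.entry_point]
        asset = asset_by_name[flow.asset]
        if TRUST_RANK[ep.trust_level] < TRUST_RANK[asset.required_trust]:
            findings.append({
                "kind": "trust_gap",
                "entry_point": ep.name,
                "component": flow.component,
                "asset": asset.name,
                "detail": (f"{ep.trust_level} input reaches an asset requiring "
                           f"{asset.required_trust}; {flow.component} must enforce that right"),
            })
        if asset.external:
            findings.append({
                "kind": "external_dependency",
                "entry_point": ep.name,
                "component": flow.component,
                "asset": asset.name,
                "detail": f"{asset.name} is outside the organization; its availability and integrity are a design-level threat",
            })
    return findings


# Constructed sample model of a small web shop (hypothetical, not from the slides).
ENTRY_POINTS = [
    EntryPoint("login form", "anonymous"),
    EntryPoint("bulk import API", "authenticated_user"),
    EntryPoint("admin console", "admin"),
]
ASSETS = [
    Asset("credential store", "admin"),
    Asset("customer records", "authenticated_user"),
    Asset("payment gateway", "internal_service", external=True),
    Asset("audit log", "admin"),
]
FLOWS = [
    Flow("login form", "auth service", "credential store"),
    Flow("bulk import API", "import worker", "customer records"),
    Flow("bulk import API", "billing service", "payment gateway"),
    Flow("admin console", "admin backend", "audit log"),
]


def sample_findings():
    """Run the analysis over the constructed model."""
    return analyze_threats(ENTRY_POINTS, ASSETS, FLOWS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f['kind']}] {f['entry_point']} -> {f['component']} -> {f['asset']}: {f['detail']}")
```

On the sample model the admin console flow produces nothing (admin trust meets the audit log's requirement), while the anonymous login form and the billing path to the external payment gateway each produce a finding; those are exactly the components a reviewer would look at first for missing authorization or input validation.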
Slide 19
Threat Assessment Results
Threat Agents + Threat Modeling = Threat Assessment
Mitigation Outcome:
1. Do Nothing – hope for the best
2. Aware and Inform – warn about threats and publicize them
3. Accept the Threat – accept the threat if it cannot be remediated
4. Remediate Potential Threat – put technical countermeasures in place
5. Transfer the Threat risk factor – insurance against a certain threat
6. Terminate the Threat entirely – pull the deployment or shut down the affected system
Slide 20
Risk Assessment
Risk Assessment in security, for an IT firm or for any retail, financial, health, private or educational sector organization, is a procedural process to reduce, control or eliminate business risks by performing in-depth risk analysis and risk management.
Risk Assessment and Threat Assessment are different and often confused.
1. Threats cannot be controlled – they are always there and are always external, trying to put an organization at risk. STRIDE and DREAD are models for assessing threats.
2. Risks can be controlled, reduced or eliminated since they are internal to the organization and can be assessed by rational reasoning, keeping in mind factors such as productivity, barriers and the costs borne by the organization. This depends on the size and complexity of the organization concerned.
Slide 21
Risk Assessment can be broken into two main parts:
1. Likelihood Assessment – where the probability is determined.
2. Impact Assessment – if the probability materializes, the impact of the risk.
Slide 22
Risk Assessment – The Process
1. Identify Risks
• Financial entities – such as transaction details
• Informational entities – such as POS systems and HR
• Private confidential entities – such as contractual data
• Technological entities:
  o Servers – availability of services
  o Applications – integrity of interfaces for users
  o Hardware devices – confidentiality of physical security systems
    - Biometric security systems – elevated physical access systems
    - Secure footage systems – CCTV, surveillance systems, etc.
    - SCADA systems – integrated machinery systems for industries
Slide 23
Risk Assessment – The Process
2. Analyze Risks
• Perform a security requirements and objectives study
• Assess system architecture and network infrastructure
• Assess the interconnectivity of each previously assessed system
• Quantify the hardware used for networking resources in the organization
• Identify the operating systems in use and the software in use on both workstations and servers
• Quantify the organization's assets and relate them to the resources quantified previously
• Relate functional entities – DBMS and files
• Network services open to the outside and the protocols supported
• Current security systems in use, any access control mechanisms or firewalls
Slide 24
Risk Assessment – The Process
3. Evaluate Risks
• Likelihood of compromise
• Impact of compromise based on likelihood
• Business outcome of the resulting compromise
• Risk rating dependent on risk scaling factors:
  o Negligible Loss – non-sensitive data
  o Slight Loss – low-level business loss
  o Significant Loss – sensitive business data loss
  o Major Loss – financial loss to the business
  o Operational Loss – patent loss, data loss, strategy loss
  o Critical Loss to Survival – Tier-A confidentiality loss, weapon classification data, military base locations, troop locations, agent lists, loss of life
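The two halves of risk assessment named earlier (likelihood assessment, then impact assessment) combine into the risk rating of this step. The Python below is an added example for this page, not code from the slides; it uses the six loss classes listed above as the impact scale, but the numeric weights, the Low/Medium/High/Critical bands and the rule that a survival-level impact is never rated below High are assumptions made for the example, as is the sample risk register. It also rejects the two inputs that most often silently corrupt a register: a likelihood that is not a probability and an impact class not on the scale.

```python
from dataclasses import dataclass

# Impact classes, least to most severe, as listed on the "Evaluate Risks" slide.
LOSS_SCALE = [
    "Negligible Loss",
    "Slight Loss",
    "Significant Loss",
    "Major Loss",
    "Operational Loss",
    "Critical Loss to Survival",
]

# Rating bands over the likelihood x impact score; the thresholds are an
# assumption made for this example, not taken from the slides.
BANDS = [(1.0, "Low"), (2.5, "Medium"), (4.0, "High")]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # annual probability of compromise, 0.0 .. 1.0
    impact: str        # one of LOSS_SCALE


def impact_weight(impact):
    """Map an impact class to 1..6 by its position on the loss scale."""
    if impact not in LOSS_SCALE:
        raise ValueError(f"unknown impact class: {impact!r}")
    return LOSS_SCALE.index(impact) + 1


def risk_score(risk):
    """Likelihood assessment x impact assessment, rounded for display."""
    if not 0.0 <= risk.likelihood <= 1.0:
        raise ValueError(f"likelihood must be a probability, got {risk.likelihood}")
    return round(risk.likelihood * impact_weight(risk.impact), 2)


def risk_rating(risk):
    """Band the score; anything above the last band is Critical."""
    score = risk_score(risk)
    rating = "Critical"
    for upper, label in BANDS:
        if score < upper:
            rating = label
            break
    # Survival-level impact is never rated below High, however unlikely (assumption).
    if risk.impact == LOSS_SCALE[-1] and rating in ("Low", "Medium"):
        rating = "High"
    return rating


def evaluate(risks):
    """Return (name, score, rating) tuples, highest score first."""
    rows = [(r.name, risk_score(r), risk_rating(r)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register (hypothetical values, not from the slides).
SAMPLE_RISKS = [
    Risk("Unpatched public web server", 0.9, "Significant Loss"),
    Risk("POS terminal tampering", 0.2, "Major Loss"),
    Risk("SCADA controller reachable from the corporate LAN", 0.5, "Critical Loss to Survival"),
    Risk("Lost unencrypted laptop", 0.6, "Slight Loss"),
    Risk("Backup tapes stored unencrypted offsite", 0.05, "Critical Loss to Survival"),
]


if __name__ == "__main__":
    for name, score, rating in evaluate(SAMPLE_RISKS):
        print(f"{rating:8} {score:4}  {name}")
```

Ordering by score rather than by impact alone is the point of the likelihood step: the web server (likely, significant) outranks the POS tampering (unlikely, major). The escalation rule shows the opposite caveat, that a pure product can under-rate a rare event the business cannot survive, which is why the lowest-scoring sample row still comes out High.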
Slide 25
Risk Assessment Results
Risk Identification + Risk Analysis + Risk Evaluation = Risk Assessment
Mitigation Outcome:
1. Implement no security at all.
2. Implement basic AV software.
3. AV + basic browser security settings and basic filtering.
4. Implement anti-spyware and regulate routine patches for each operational unit.
5. Router hardening, policy changes, IDS implementation, Acceptable Usage Policy.
6. More policy enforcement, closing ports, data security, DMZ placement, packet-level filtering.
7. Strict regulatory compliance auditing, monthly patching updates, backup copy destruction, physical and hardware-level security, host system-level security, routine penetration testing, intranet-controlled subnet security.
Slide 26
Security Compliance
Personally identifiable information, e.g. email addresses, names, residential addresses, etc., should be protected when transmitted from one system to another and when stored, and this information is subject to industry regulations.
Security Compliance is a formal process that helps an organization demonstrate that it has a high level of IT security management. Compliance regimes are required as standards for the industry and in certain cases are checked continuously by the government.
Compliance is a complete process of:
1. Carrying out a compliance exercise to audit what information the business holds.
2. Identifying the vulnerabilities of the IT systems involved in keeping the business functional.
3. Identifying the elements of the IT system which are vulnerable and which could be locked down.
Slide 27
Security Compliance
Security compliance regimes differ by area:
1. Health care – HIPAA (Health Insurance Portability and Accountability Act)
2. Ecommerce – PCI-DSS (Payment Card Industry Data Security Standard)
3. Government – FISMA, DIACAP, FedRAMP
4. Financial – BITS Shared Assessment Program, NIST, ISO
Reference: https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/