New Age Red Teaming - Enterprise Infiltration
About
• Name: Shritam Bhowmick
• Professional Career:
  o AVP, Labs @Lucideus Tech
    - Application Security Assessments
    - Research and Development @Lucideus Labs
  o Application Security Trainer @CTG Security Solutions
    - Application Security Trainer
    - Training Scheduler & Advisor
  o Red Team Lead, Security Specialist cum R&D @Defencely
    - Client SPOC
    - Penetration Tester
    - Application Security Team Lead
    - Red Team Coordinator and Engagement Specialist
And all of ‘em were my secret Hobbies too!
P.S: I do not use memes in presentations.
Pointers
1. One
2. Two
3. Three
4. Four
Abstract
Security Breaches (Statistical Analysis)
[Slides 5–8: breach statistics taken from the source below; the slide graphics are not reproduced in this transcript.]
Source: http://data-protection.safenet-inc.com/2015/02/2014-data-breaches-by-the-numbers-and-the-impact/
Abstract
Security Breaches (Reasoning Analysis)
[Slides 9–11: diagrams contrasting the overall IT budget with the IT security budget; only the labels survive in this transcript.]
IT Budget: CRM, ERP, POS, etc.; servers, desktops, laptops, etc.; routers, switches, network admins, etc.
IT Security Budget: application code review, training, testing; vulnerability management, policy review, etc.; VA/PT, firewall, SNA, IDS, SSL, etc.
IT Budget Priority
Abstract
Security Breaches (Reasoning Analysis)
1. Code maintainers are unavailable
2. Developers do not understand vulnerabilities (awareness factor)
3. Lack of IT security budget to cope with current vulnerabilities
4. The affected codebase, or part of it, is owned by a third party
5. Deployed applications will be taken off in the near future
6. Security solutions conflict with business use cases
7. Compliance does not require fixing the issues
8. Feature enhancement is prioritized ahead of security fixes
9. The risk of exploitation and compromise is accepted
Security Assessment vs. Security Engagement
Security Assessment – It is part of risk assessment, more particularly IT Security Risk Assessment, and it is also a “quantified” value of the risks to which an IT firm could be exposed. Some necessary ingredients are:
1. Threat Assessment
2. Risk Assessment
3. Security Compliance
Security Assessment vs. Security Engagement
Security Engagement – The risks assessed in the first phase are then verified by an ‘engagement’ procedure, which gives “qualitative” results on whether the previously assessed risks were positive or negative; by default this is either an ‘offensive’ or a ‘defensive’ engagement. This, again, can be broken down into:
1. Code Review
2. Vulnerability Assessment
3. Penetration Testing
4. Red Team Engagement
Threat Assessment
Threat Agents
Particulars which can adversely affect business:
1. Non Target Specific – Trojan horses, worms, viruses, logic bombs, CnC-driven botnets, etc.
2. Internal/External Association – Employees, staff, code maintainers, operational personnel, YOU!
3. Organized Crime – Finance-driven, target-driven blackhat entities, credit card information stealers.
4. Corporation – Competitive intelligence and offensive information warfare.
5. Human – Insider/outsider with intentional and unintentional threat agent behavior involved.
6. Natural – Earthquake, thunderstorms, flood, fire; physical calamities driven by nature that obstruct electronic communications.
Reference: https://www.owasp.org/index.php/Category:Threat_Agent
Threat Assessment
Threat Modeling
A process of identifying threats in order to meet security objectives:
1. External Dependencies – Items which are external, not internal, to the organization.
2. Entry Points – Interfaces through which potential threat agents can interact or supply data. Each entry point has a level of trust.
3. Assets – Items of interest to an attacker. Assets can be physical or abstract.
4. Trust Levels – The access rights cross-referenced between entry points and assets.
5. Data Flow Diagrams (DFDs) – The logical connections along which data flows. A DFD gives the structural overview that clarifies sub-systems and lower-level systems.
6. Threat Analysis – Accounting for dependencies, entry points, assets, trust levels and DFDs to identify design, functional or architectural threats.
Reference: https://www.owasp.org/index.php/Application_Threat_Modeling
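The six threat-modeling elements above, turned into a small working model as an added example (not code from the slides or from OWASP): entry points carry a trust level, assets a required trust level, data flows are the DFD edges, and the threat-analysis step flags edges whose entry point is trusted less than the asset demands, flows that cross undeclared or third-party dependencies, and assets no edge touches. The trust scale, class names and the sample e-commerce model are constructed for illustration.

```python
from dataclasses import dataclass, field

# Ordered trust levels (constructed scale): an asset's required level is
# cross-referenced against the level of the entry point that reaches it.
TRUST_LEVELS = {"anonymous": 0, "authenticated_user": 1, "admin": 2, "system": 3}


@dataclass(frozen=True)
class EntryPoint:
    name: str
    trust: str              # trust level granted to whoever uses this interface
    external: bool = False  # reachable from outside the organization


@dataclass(frozen=True)
class Asset:
    name: str
    required_trust: str     # minimum trust level that may read or change it
    physical: bool = False  # assets can be physical or abstract


@dataclass(frozen=True)
class DataFlow:
    source: str             # entry point name (DFD edge start)
    target: str             # asset name (DFD edge end)
    via: tuple = ()         # external dependencies the data passes through


@dataclass
class ThreatModel:
    entry_points: dict = field(default_factory=dict)
    assets: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)
    external_dependencies: set = field(default_factory=set)

    def add(self, item):
        """Register an entry point, asset or flow; flows must reference known names."""
        if isinstance(item, EntryPoint):
            self.entry_points[item.name] = item
        elif isinstance(item, Asset):
            self.assets[item.name] = item
        elif isinstance(item, DataFlow):
            if item.source not in self.entry_points or item.target not in self.assets:
                raise KeyError(f"flow {item.source!r} -> {item.target!r} references unknown names")
            self.flows.append(item)
        else:
            raise TypeError(f"cannot add {type(item).__name__}")
        return self

    def analyze(self):
        """Threat analysis (element 6): walk every DFD edge, highest severity first."""
        findings = []
        for flow in self.flows:
            ep = self.entry_points[flow.source]
            asset = self.assets[flow.target]
            gap = TRUST_LEVELS[asset.required_trust] - TRUST_LEVELS[ep.trust]
            if gap > 0:
                # Interface trusted less than the asset demands; external exposure raises severity.
                findings.append({"kind": "trust_gap", "entry_point": ep.name,
                                 "asset": asset.name, "gap": gap,
                                 "severity": gap + (1 if ep.external else 0)})
            for dep in flow.via:
                if dep not in self.external_dependencies:
                    # Element 1 (external dependencies) is incomplete for this flow.
                    findings.append({"kind": "undeclared_dependency", "dependency": dep,
                                     "asset": asset.name, "severity": 1})
                elif TRUST_LEVELS[asset.required_trust] >= TRUST_LEVELS["admin"]:
                    # Sensitive asset crosses a third party the organization does not control.
                    findings.append({"kind": "third_party_exposure", "dependency": dep,
                                     "asset": asset.name, "severity": 2})
        reached = {f.target for f in self.flows}
        for name in sorted(self.assets):
            if name not in reached:
                # No DFD edge touches this asset: diagram incomplete or asset out of scope.
                findings.append({"kind": "unmapped_asset", "asset": name, "severity": 1})
        findings.sort(key=lambda f: -f["severity"])  # stable: keeps DFD order within a tier
        return findings


def build_sample_model():
    """Constructed sample: a small e-commerce deployment (all names are made up)."""
    m = ThreatModel(external_dependencies={"payment_gateway"})
    m.add(EntryPoint("public_login_form", "anonymous", external=True))
    m.add(EntryPoint("payment_api", "authenticated_user", external=True))
    m.add(EntryPoint("admin_console", "admin"))
    m.add(Asset("customer_pii", "authenticated_user"))
    m.add(Asset("card_tokens", "admin"))
    m.add(Asset("audit_logs", "system"))
    m.add(Asset("server_room_door", "admin", physical=True))
    m.add(DataFlow("public_login_form", "customer_pii"))
    m.add(DataFlow("payment_api", "card_tokens", via=("payment_gateway",)))
    m.add(DataFlow("payment_api", "customer_pii", via=("cdn",)))
    m.add(DataFlow("admin_console", "audit_logs"))
    return m


if __name__ == "__main__":
    for finding in build_sample_model().analyze():
        print(finding)
```

Each finding names the element that is missing or inconsistent, which is what feeds the mitigation outcomes listed on the next slide.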
Threat Assessment
Threat Assessment Results
Threat Agents + Threat Modeling = Threat Assessment
Mitigation Outcome:
1. Do Nothing – hope for the best
2. Aware and Inform – warn of threats and publicize them
3. Accept the Threat – accept a threat that cannot be remediated
4. Remediate Potential Threat – place technical countermeasures
5. Transfer the Threat risk factor – insurance against a certain threat
6. Terminate the Threat entirely – pull the deployment or shut down the affected system
Risk Assessment
Risk Assessment in security, for an IT firm or any other retail, financial, health, private, or educational sector organization, is a procedural process to reduce, control or eliminate business risks by performing an in-depth risk analysis and risk management.
Risk Assessment and Threat Assessment are different and often confused:
1. Threats cannot be controlled – they are always there and will always be external, trying to put an organization at risk. STRIDE and DREAD are models for assessing threats.
2. Risks can be controlled, reduced or eliminated, since they are internal to the organization and can be assessed by rational reasoning that weighs factors such as productivity, barriers, and the costs borne by the organization. This depends on the size and complexity of the organization concerned.
Risk Assessment
Risk Assessment can be broken into two main parts:
1. Likelihood Assessment – where the probability of the risk is determined.
2. Impact Assessment – if the risk materializes, what its impact is.
Risk Assessment
Risk Assessment – The Process
1. Identify Risks
• Financial entities – such as transaction details
• Informational entities – such as POS systems and HR
• Private confidential entities – such as contractual data
• Technological entities:
  o Servers – availability of services
  o Applications – integrity of interfaces for users
  o Hardware devices – confidentiality of physical security systems
    - Biometric security systems – elevated physical access systems
    - Secure footage systems – CCTV, surveillance systems, etc.
    - SCADA systems – integrated machinery systems for industries
Risk Assessment
Risk Assessment – The Process
2. Analyze Risks
• Perform a security requirements and objectives study
• Assess system architecture and network infrastructure
• Assess the interconnectivity of each previously assessed system
• Quantify the hardware used for networking resources in the organization
• Identify the operating systems and software in use on both systems and servers
• Quantify the assets of the organization and relate them to the resources quantified previously
• Relate functional entities – DBMS and files
• Network services open externally and the protocols supported
• Current security systems in use, any access control mechanisms or firewalls
Risk Assessment
Risk Assessment – The Process
3. Evaluate Risks
• Likelihood of compromise
• Impact of compromise, weighted by likelihood
• Business outcome of the resulting compromise
• Risk rating, dependent on risk scaling factors:
  o Negligible Loss – non-sensitive data
  o Slight Loss – low-level business loss
  o Significant Loss – sensitive business data loss
  o Major Loss – financial loss to the business
  o Operational Loss – patent loss, data loss, strategy loss
  o Critical Loss to Survival – Tier-A confidentiality loss: weapon classification data, military base locations, troop locations, agent lists, loss of life
Risk Assessment
Risk Assessment Results
Risk Identification + Risk Analysis + Risk Evaluation = Risk Assessment
Mitigation Outcome:
1. Implement no security at all.
2. Implement basic AV software.
3. AV + basic browser security settings and basic filtering.
4. Implement anti-spyware and regulate routine patches for each operational unit.
5. Router hardening, policy changes, IDS implementation, Acceptable Usage Policy.
6. More policy enforcement, port closing, data security, DMZ placement, packet-level filtering.
7. Strict regulatory compliance auditing, monthly patching updates, backup copy destruction, physical and hardware-level security, host system-level security, routine penetration testing, intranet-controlled subnet security.
Security Compliance
Personally identifiable information, e.g. email addresses, names, residential addresses, etc., should be protected when transmitted from one system to another and when stored, and this information is subject to industry regulations.
Security Compliance is a formal process that helps an organization demonstrate that it has a high level of IT security management. Such processes are required as standards for the industry and, in certain cases, are continuously checked by the government.
Compliance is a complete process of:
1. Carrying out a compliance exercise to audit what information the business holds.
2. Identifying the vulnerabilities of the IT systems involved in keeping the business functioning.
3. Identifying the elements of the IT system which are vulnerable and which could be locked down.
Security Compliance
Security compliance regimes differ by sector:
1. Health care – HIPAA (Health Insurance Portability and Accountability Act)
2. Ecommerce – PCI-DSS (Payment Card Industry Data Security Standard)
3. Government – FISMA, DIACAP, FedRAMP
4. Financial – BITS Shared Assessment Program, NIST, ISO
Reference: https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/
... Continuation
End of 1st Chapter
