RSA 2013 Presentation: Stacking the Security Deck in your Favor
•Als PPTX, PDF herunterladen•
1 gefällt mir•416 views
Lamar Bailey, nCircle's director of security research and development, walks you through how deal yourself a winning hand with your security products. A YouTube video of Lamar's presentation is available through the link below: http://youtu.be/ogTBB7w1XyM
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Empfohlen
Empfohlen (20)
RSA 2013 Presentation: Stacking the Security Deck in your Favor
- 1. © 2013 nCircle. All Rights Reserved.nCircle Company Confidential Stacking the Security Deck in your Favor Deal yourself a winning hand
- 2. © 2013 nCircle. All Rights Reserved.nCircle Company Confidential • Operating Systems • Databases • Office Applications • Networking Gear • Browsers Your hand
- 3. © 2013 nCircle. All Rights Reserved.nCircle Company Confidential The Vulnerability Deck is Increasing 0 1000 2000 3000 4000 5000 6000 7000 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
- 4. © 2013 nCircle. All Rights Reserved.nCircle Company Confidential Aces
- 5. © 2013 nCircle. All Rights Reserved.nCircle Company Confidential • Custom Apps • Legacy • 0-Day Wild Cards
- 6. © 2013 nCircle. All Rights Reserved.nCircle Company Confidential • Rule: RegistryQuery GetKey[HKLM] THEN CHECK Exists • Explanation: Request the HKLM registry key and check to see if it exists. Custom ASPL - Basics
- 7. © 2013 nCircle. All Rights Reserved.nCircle Company Confidential • Rule: SEND String[GET / HTTP/1.0x0dx0ax0dx0a] THEN CHECK Contains/HTTP/1.[01] 200/ WITH Offset[0], Length[12] • Explanation: Send data (in this case an HTTP 1.0 request) to a host and check that the response matches a typical HTTP response pattern in the first 12 bytes of the response data. Custom ASPL - Basics
- 8. © 2013 nCircle. All Rights Reserved.nCircle Company Confidential • Rule: EXECUTE { rule.CIFSGetFile('C$:WindowsWIN.INI') if not rule.success: rule.STOP(False) transcript = rule.buffer transcriptIsFull = True } • Details: Get the contents of C:WindowsWIN.INI and store them to the rule instance data. Custom ASPL – Now with Python
- 9. © 2013 nCircle. All Rights Reserved.nCircle Company Confidential • Rule: EXECUTE { import aspl_sshcore aspl_sshcore.startSSH(rule) rule.SEND('cat /etc/resolv.conf') rule.waitForData() if '8.8.8.8' not in rule.buffer and '8.8.4.4' not in rule.buffer: rule.STOP(True) rule.STOP(False) } • Details: Here we’re connecting via SSH to a host to check the /etc/resolv.conf file to determine if we’re using Google’s DNS servers or not. If we aren’t, we fire the rule to inform us of that fact. Custom Rules – Now with Python
- 10. © 2013 nCircle. All Rights Reserved.nCircle Company Confidential Stack the Odds in Your Favor Heuristic Scoring Using: • Time • Risk Factors • Skill Scores form 0 - 55,000+
- 11. © 2013 nCircle. All Rights Reserved.nCircle Company Confidential • Vulnerability Date Modifiers • Risk Modifiers • Vulnerability Class Modifiers Adjusting Scores
Hinweis der Redaktion
- EWEEK ARTICLCE The report found that the number of vulnerabilities grew to 5,225 in 2012, an increase of 26 percent year-over-year, as counted by their common vulnerabilities and exposures (CVE) identifiers.
- Going back to day 1 here is a sampling of our coverage for popular products.
- Areas of concerned that are not always covered
- Examples of Rules
- Examples of Rules
- The date when a vulnerability was discovered plays a large role in the nCircle Scoring Algorithm, which bases score calculation on the idea that the longer a vulnerability exists, the more likely it is to be exploited. This leads to a disparity in scoring when date isn’t a concern and with newer vulnerabilities that have just been discovered. The risk component of the nCircle Scoring Algorithm represents the vector of the attack (remote or local) and the outcome of the attack (Denial of Service (availability), User Access (access), Privileged Access (privileged)). These configuration options allow you to make changes to the importance of the 6 vulnerability risk levels. VERT has identified seven classes of products that customers may wish to label as remote instead of local on their network. When these modifications are applied, the risk is changed from ‘Local N’ to ‘Remote N’ for all vulnerabilities in that class. The classes are:Web Browsers (SCORE_BROWSERS)Java (SCORE_JAVA)Web Technologies [Flash, Shockwave] (SCORE_WEB_TECHNOLOGY)PDF Readers [Adobe, Foxit] (SCORE_PDF_READERS)Media Players (SCORE_MEDIA_PLAYERS)Mail Clients (SCORE_MAIL_CLIENTS)Office Products (SCORE_OFFICE_PRODUCTS)