Eyes Wide Open. John Sawyer Senior Security Analyst InGuardians, Inc.

Transcription

1 Eyes Wide Open John Sawyer Senior Security Analyst InGuardians, Inc.

2 Agenda Who am I? What is IT Security? Penetration Testing (aka. Go Hack Yourself) Fun (and scary) Attacks And, How to Protect Yourself

3 Who, What, Where InGuardians Senior Security Analyst Penetration Testing Web, Network, Smart Grid, Mobile, Physical Architecture Review Incident Response & Forensics Dark Reading Evil Bytes author - Retired CTF packet monkey winners DEFCON 14 & 15 CTF

4 Eyes Wide Open Why this title? What does it mean? Amazement Fear Naïve Prepared

5 What is IT Security? Does it mean what you think it means? Many areas of focus IT vs C-level perspective Public perspective

6 So Many Areas, So Little Time System hardening Network security Incident response Forensics Penetration Testing Vulnerability Assessments Reverse Engineering And, so much more!

7 C-Level Exec vs IT Practitioner What does security really do? Costs money ROI? Invisible until a problem arises Accuracy vs Speed Secure vs Compliant

8 Compliance = / Security Being compliant often leads to a false sense of security Loads of money spent on security products but no focus on processes

9 Public Perspective

10 Reality

11 Penetration Testing

12 What is Pen Testing? Validation of vulnerability assessments Better measurement of risk Can answer the What If questions Can determine if the worst case scenario can really happen

13 What can you do? First, what does your job description say?

14 Network Scanning Nmap network (vuln) scanner Ndiff compare scan results Vulnerability Scanning Low hanging fruit Don t focus on HIGH (Low 2 Pwned) Nessus, NeXpose, ZAP, Burp etc. Shodan

15 Shodan ( Search engine for service banners of pre-scanned devices accessible via the public Internet Created by John Matherly Controversial? Has led to the exposure of many SCADA and ICS devices

16 Many Ways to Shodan Web Interface API Metasploit iphone Maltego

17 Any Volunteers?

18 Shodan Exposures

19 Attacks, The News, & Reality

20 Javapocalypse Java A necessary evil for many Business reporting applications Security Tools Burp Zap Others

21 Decaffeinating Java Exploits Uninstall Java Install Java 7 Update 11 Java only allowed special VMs Decouple Java from Browsers Use separate browsers Only one has Java enabled Security Zones

22 Publicly-Accessible Printers Jet-Direct vulnerabilities Remote firmware update (FIRE) Credential exposure?

23 Printer Safety Network segmentation Network scanning Know your network Nmap Shodan Google

24 Verizon s Bob After reading 2012 DBIR, started monitoring logs from VPN. Regular connections from China. US critical infrastructure company Developer was at his desk.

25 Bob = Model Employee Quarter after quarter, his performance review noted him as the best developer in the building. 9:00 a.m. Arrive & surf Reddit. Watch cat videos 11:30 a.m. Take lunch 1:00 p.m. Ebay time. 2:00 ish p.m Facebook updates LinkedIn 4:30 p.m. End of day update to management. 5:00 p.m. Go home

26 Where s Waldo Bob? I ll get there

27 Internal Detection VLAN Hopping Tripwire monitoring switch configs Malware & Attacker Tools Antivirus logs Exploitation of Vulnerable Services Host Intrusion Prevention logs Nmap Scan Server Performance Monitor

28 External Detection Nmap Scan FW Logs via MSP Web Vuln Scan User Experience Monitor Attack Tool Scans IDS via MSP

29 Security Pro s Dilemma The Defender has to get it right every time The Attacker only has to get it right once in order to win.

30 Information Overload Everything logs Do you know how to collect it? New threats emerge everyday How do you keep track? More and more data to analyze Do you look at it all or intelligently narrow it down?

31 Information Overload Too many logs Too few hours in the day Too many new threats Too few security staff And, what should we focus on?!?

32 Risk-Based Approach to Logs Identify high-value targets Identify worst-case scenario How can they be attacked? Do you have mechanisms in place to monitor those areas?

33 Start Small Syslog, Splunk, or ELSA Firewall, VPN, Servers, Door Access Network monitoring (IDS, NetFlow) Security Onion

34 Takeaways Security It s more than you against the world Penetration Testing There s things you can do! Attacks (and prevention) Monitor, monitor, MONITOR!

35 Thank You Questions? Contact information: John Sawyer