RSA 2013 Presentation: Stacking the Security Deck in your Favor

Lamar Bailey, nCircle's director of security research and development, walks you through how to deal yourself a winning hand with your security products.

A YouTube video of Lamar's presentation is available through the link below:
http://youtu.be/ogTBB7w1XyM

Speaker Notes

  • eWEEK article: the report found that the number of vulnerabilities grew to 5,225 in 2012, an increase of 26 percent year-over-year, as counted by their Common Vulnerabilities and Exposures (CVE) identifiers.
  • Going back to day 1, here is a sampling of our coverage for popular products.
  • Areas of concern that are not always covered
  • Examples of Rules
  • Examples of Rules
  • The date when a vulnerability was discovered plays a large role in the nCircle Scoring Algorithm, which bases score calculation on the idea that the longer a vulnerability exists, the more likely it is to be exploited. This leads to a disparity in scoring when date isn't a concern and with newer vulnerabilities that have just been discovered.
    The risk component of the nCircle Scoring Algorithm represents the vector of the attack (remote or local) and the outcome of the attack (Denial of Service (availability), User Access (access), Privileged Access (privileged)). These configuration options allow you to make changes to the importance of the 6 vulnerability risk levels.
    VERT has identified seven classes of products that customers may wish to label as remote instead of local on their network. When these modifications are applied, the risk is changed from 'Local N' to 'Remote N' for all vulnerabilities in that class. The classes are:
    • Web Browsers (SCORE_BROWSERS)
    • Java (SCORE_JAVA)
    • Web Technologies [Flash, Shockwave] (SCORE_WEB_TECHNOLOGY)
    • PDF Readers [Adobe, Foxit] (SCORE_PDF_READERS)
    • Media Players (SCORE_MEDIA_PLAYERS)
    • Mail Clients (SCORE_MAIL_CLIENTS)
    • Office Products (SCORE_OFFICE_PRODUCTS)
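The class-modifier step in the notes above, written out as an added Python example (this is not nCircle's scoring code). The seven product classes, their SCORE_* option names and the 'Local N' to 'Remote N' relabelling come from the notes; the Vuln record layout, the assumption that N is a level from 1 to 6, the preview_changes dry-run helper and the sample findings are constructed for this example.

```python
"""
Added example (not nCircle's code): the Vulnerability Class Modifier step
from the speaker notes, applied to a small constructed set of findings.
Classes, SCORE_* option names and the 'Local N' -> 'Remote N' relabelling
are from the notes; the record layout, level range 1-6 and sample data are
assumptions of this example.
"""
import re
from dataclasses import dataclass, replace

# Product class -> configuration option, exactly as listed in the notes.
CLASS_OPTIONS = {
    "Web Browsers": "SCORE_BROWSERS",
    "Java": "SCORE_JAVA",
    "Web Technologies": "SCORE_WEB_TECHNOLOGY",   # Flash, Shockwave
    "PDF Readers": "SCORE_PDF_READERS",          # Adobe, Foxit
    "Media Players": "SCORE_MEDIA_PLAYERS",
    "Mail Clients": "SCORE_MAIL_CLIENTS",
    "Office Products": "SCORE_OFFICE_PRODUCTS",
}

# Assumed label format: vector ("Local"/"Remote") followed by a level 1-6
# (the notes mention six risk levels without naming them).
RISK_LABEL = re.compile(r"^(Local|Remote) ([1-6])$")


@dataclass(frozen=True)
class Vuln:
    name: str           # constructed identifier, not a real advisory
    product_class: str  # a CLASS_OPTIONS key, or "" when unclassified
    risk: str           # e.g. "Local 4"


def apply_class_modifiers(vulns, options):
    """Return a new list with 'Local N' relabelled to 'Remote N' for every
    finding whose product class has its SCORE_* option enabled. Findings
    that are already Remote, or whose product is unclassified, are kept
    as they are. A malformed risk label is an error rather than silently
    scored."""
    result = []
    for v in vulns:
        m = RISK_LABEL.match(v.risk)
        if m is None:
            raise ValueError(f"{v.name}: unrecognised risk label {v.risk!r}")
        vector, level = m.groups()
        option = CLASS_OPTIONS.get(v.product_class)
        if vector == "Local" and option is not None and options.get(option, False):
            v = replace(v, risk=f"Remote {level}")
        result.append(v)
    return result


def preview_changes(vulns, options):
    """Names of the findings an option set would relabel: a dry run for
    reviewing a configuration change before it shifts scores."""
    after = apply_class_modifiers(vulns, options)
    return [b.name for a, b in zip(vulns, after) if a.risk != b.risk]


# Constructed sample findings (names and labels are made up).
SAMPLE = [
    Vuln("browser-finding-1", "Web Browsers", "Local 5"),
    Vuln("java-finding-1", "Java", "Local 6"),
    Vuln("pdf-finding-1", "PDF Readers", "Remote 3"),
    Vuln("inhouse-app-finding-1", "", "Local 2"),
]

if __name__ == "__main__":
    enabled = {"SCORE_BROWSERS": True, "SCORE_JAVA": True}
    print("would change:", preview_changes(SAMPLE, enabled))
    for v in apply_class_modifiers(SAMPLE, enabled):
        print(f"{v.name:24} {v.product_class or '(unclassified)':15} {v.risk}")
```

Running the block with only SCORE_BROWSERS and SCORE_JAVA enabled relabels the first two findings, leaves the already-remote PDF reader finding and the unclassified in-house application untouched, and preview_changes lists exactly the two names that would move.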

RSA 2013 Presentation: Stacking the Security Deck in your Favor Presentation Transcript

  • 1. © 2013 nCircle. All Rights Reserved. nCircle Company Confidential
    Stacking the Security Deck in your Favor
    Deal yourself a winning hand
  • 2. Your hand
    • Operating Systems
    • Databases
    • Office Applications
    • Networking Gear
    • Browsers
  • 3. The Vulnerability Deck is Increasing
    [Chart: vulnerabilities per year, 2002 through 2013; y-axis 0 to 7000]
  • 4. Aces
  • 5. Wild Cards
    • Custom Apps
    • Legacy
    • 0-Day
  • 6. Custom ASPL - Basics
    • Rule:
        RegistryQuery GetKey[HKLM] THEN CHECK Exists
    • Explanation: Request the HKLM registry key and check to see if it exists.
  • 7. Custom ASPL - Basics
    • Rule:
        SEND String[GET / HTTP/1.0\x0d\x0a\x0d\x0a] THEN CHECK Contains /HTTP/1.[01] 200/ WITH Offset[0], Length[12]
    • Explanation: Send data (in this case an HTTP 1.0 request) to a host and check that the response matches a typical HTTP response pattern in the first 12 bytes of the response data.
  • 8. Custom ASPL – Now with Python
    • Rule:
        EXECUTE {
            rule.CIFSGetFile(r"C$\Windows\WIN.INI")   # fetch the file over CIFS into rule.buffer
            if not rule.success:
                rule.STOP(False)                      # file not readable: the rule does not fire
            transcript = rule.buffer                  # keep the contents as rule instance data
            transcriptIsFull = True
        }
    • Details: Get the contents of C:\Windows\WIN.INI and store them in the rule instance data.
  • 9. Custom Rules – Now with Python
    • Rule:
        EXECUTE {
            import aspl_sshcore
            aspl_sshcore.startSSH(rule)               # open the SSH session to the target host
            rule.SEND("cat /etc/resolv.conf")
            rule.waitForData()
            # fire only when neither Google resolver appears in the output
            if "8.8.8.8" not in rule.buffer and "8.8.4.4" not in rule.buffer:
                rule.STOP(True)
            rule.STOP(False)
        }
    • Details: Here we're connecting via SSH to a host to check the /etc/resolv.conf file to determine if we're using Google's DNS servers or not. If we aren't, we fire the rule to inform us of that fact.
  • 10. Stack the Odds in Your Favor
    Heuristic Scoring, using:
    • Time
    • Risk Factors
    • Skill
    Scores from 0 to 55,000+
  • 11. Adjusting Scores
    • Vulnerability Date Modifiers
    • Risk Modifiers
    • Vulnerability Class Modifiers
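The two checks from slides 7 and 9, re-implemented as an added, offline Python example (this is plain Python, not nCircle's ASPL runtime or the aspl_sshcore module). The check semantics are the slides' own: a 12-byte test for a `HTTP/1.[01] 200` response, and a test of /etc/resolv.conf for the 8.8.8.8 and 8.8.4.4 resolvers. The function names, the parsed-nameserver variant and the sample responses and resolv.conf contents are constructed for this example. The parsed variant also shows the caveat a practitioner would want on slide 9's rule: a plain substring test on the command output matches a commented-out line or an unrelated address such as 18.8.8.8, so the example parses whole `nameserver` directives instead.

```python
"""
Added example (not nCircle's code): slide 7's HTTP banner check and
slide 9's resolv.conf check as plain Python over constructed input, so
both can be run and tested without a scanner. Function names and sample
data are this example's own.
"""
import re
import ipaddress

# Same pattern the slide 7 rule checks, restricted to the first 12 bytes.
HTTP_OK_RE = re.compile(rb"HTTP/1\.[01] 200")


def http_banner_ok(response: bytes) -> bool:
    """Slide 7: CHECK Contains /HTTP/1.[01] 200/ WITH Offset[0], Length[12]."""
    return HTTP_OK_RE.search(response[:12]) is not None


GOOGLE_DNS = {ipaddress.ip_address("8.8.8.8"), ipaddress.ip_address("8.8.4.4")}


def naive_uses_google_dns(buffer: str) -> bool:
    """Literal translation of slide 9's test on the raw command output."""
    return "8.8.8.8" in buffer or "8.8.4.4" in buffer


def nameservers(resolv_conf: str):
    """Parse 'nameserver' directives, ignoring comments (# or ;) and any
    other keyword (search, options, ...). Malformed addresses are skipped
    rather than aborting the whole check."""
    found = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                found.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return found


def uses_google_dns(resolv_conf: str) -> bool:
    """Slide 9's intent on parsed data: True when a configured resolver is
    8.8.8.8 or 8.8.4.4. Comparing whole addresses avoids matching
    '18.8.8.8' or a commented-out line, which the substring test does."""
    return any(ns in GOOGLE_DNS for ns in nameservers(resolv_conf))


def rule_fires(resolv_conf: str) -> bool:
    """Mirror the rule's outcome: STOP(True) when Google DNS is not in use."""
    return not uses_google_dns(resolv_conf)


# Constructed sample data.
RESPONSE_OK = b"HTTP/1.1 200 OK\r\nServer: example\r\n\r\n"
RESPONSE_NOT_FOUND = b"HTTP/1.0 404 Not Found\r\n\r\n"
RESOLV_GOOGLE = "search example.test\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n"
RESOLV_COMMENTED = "# nameserver 8.8.8.8   ; old setting\nnameserver 10.0.0.53\n"
RESOLV_LOOKALIKE = "nameserver 18.8.8.8\n"

if __name__ == "__main__":
    print("banner ok:", http_banner_ok(RESPONSE_OK), http_banner_ok(RESPONSE_NOT_FOUND))
    for label, conf in [("google", RESOLV_GOOGLE), ("commented", RESOLV_COMMENTED),
                        ("lookalike", RESOLV_LOOKALIKE)]:
        print(f"{label:10} naive={naive_uses_google_dns(conf)!s:5} "
              f"parsed={uses_google_dns(conf)!s:5} fires={rule_fires(conf)}")
```

On the commented-out and look-alike inputs the naive substring test reports Google DNS in use while the parsed check does not, so the rule as written on slide 9 would stay silent on a host whose real resolver is 10.0.0.53; parsing the directives makes it fire as intended.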