Delhi the Second Adventure
Thorough, Safe and Secure
Fabian + Joerg
jsimon@fedoraproject.org
http://fedoraproject.org
Published on: Delhi Special Meeting - with Joerg Simon
Published in: Education, Technology
  1. Delhi the Second Adventure. Thorough, Safe and Secure. Fabian + Joerg, jsimon@fedoraproject.org, http://fedoraproject.org
  2. /me
  3. Communication Security [ and this! ]
  4. [ Security Lab ]
     A Linux-based open source test and education platform for
     - security auditing
     - forensics
     - penetration testing
  5. [ History: @ foss.in Bangalore 2009 ]
     - pick up the idea, give it a home: http://fedorahosted.org/security-spin/
     - Contributor Wishlist: https://bugzilla.redhat.com/show_bug.cgi?id=563471
     - Improve spin section content: went to spins.fedoraproject.org/security
     - move to SLiM as desktop manager: moved to SLiM -> moved to LXDM ...
     - move to LXDE as window manager: we moved to LXDE -> move to XFCE in Fedora 20
     - become an official spin in Fedora 13: we made it as an official Fedora Security Spin in Fedora 13, 14, 15, 16, 17 and will be for 18
     - LIMITS: web application testing tools + implementing OSSTMM upstreams: we packaged SCARE and unicornscan; this also brought up the limits of a large FOSS project
     - become the official OSSTMM distro: ISECOM's Pete Herzog announced OSSTMM Lab as the "New live linux distro for OSSTMM users" on 12 September 2012
     - new features in the current version of the OSL (v3.8b4 (F17)) with input from the ISECOM HHS Team!
     - collect input and suggestions
     - working on a test bench for students
  6. [ possible benefits ]
     - use case for the FSL
     - new cool upstreams
     - implemented methodology
     - Fedora gets taught along the OSSTMM
  7. [ benefits ] OSSTMM Lab: a modified version of the Fedora Security Lab, packaging upstream tools from the OSSTMM team. A stable platform for teaching the curriculum for OSSTMM and HHS. Integrate the methodology flow into one possible toolset.
  8. HIC Audit Services [ From Risk to Operations ]
  9. From Risk to Operations
  10. [ but we have a problem ]
  11. [ Security - Industry ]
  12. [ Compliance? ]
     - Comply!? But not secure? Blocked?
     - Get the audit result you need? But not secure? Blocked?
     - Secure? But not compliant? Blocked?
     Source: OSSTMM ISECOM
  13. Spend your money on "Bad Security"?
  14. Security? Cloud – Social Media – Mobile Platform
  15. Trusts: new attack vectors!
  16. [ Reports: management and real-world compatible ] [ reproducible with the right standards and methods! ] [ neutral, unbiased by relying on open standards ] [ comparable, real working metrics based on scientific research ]
  17. [ know ] - a way for proper testing!
  18. [ there is an Open Source way ]
     - How do current operations work?
     - How do they work differently from how management thinks they work?
     - How do they need to work?
  19. HIC Audit Services [ Controls <> Trusts ] [ Security <> Safety? ] [ Operations ] [ Compliance ] [ the terrible truth? ]
  20. Human risk will never change. "In security, people are as much a part of the process as are the machines." derived from ISECOM, OSSTMM 3.0
  21. - Industry 74.49% - Military 97.16% - Banks 84.36% - Software vendors 73.12% - Politics 76.58%
  22. Usual testing synonyms: Blind/Blackbox Pentest, Graybox/Crystal/RedTeam, Social Engineering, WarDriving, WarDialing, Configuration Reviews, Code Reviews [ common sense ]
  23. [ testpath ]
  24. Test result error types
     - False Positive (status true, although untrue)
     - False Negative (status untrue, although true)
     - Gray Positive (status always true)
     - Gray Negative (always untrue)
     - Specter (true or untrue: anomaly)
     - Indiscretion (true or untrue: time dependency)
     - Entropy Error (true or untrue: overhead)
     - Falsification (true or untrue: unknown variables)
     - Sampling Error (influenced from outside)
     - Constraint (true or untrue: equipment limit)
     - Propagation (not tested)
     - Human Error (missing skill, experience)
  25. From Risk to Operations
  26. [ Quantify Security ]
  27. Metrics (sample findings table; the System column is empty in the slide)
     System | Vulnerability | Criticality | Measure
     | insecure encryption possible; possibly outdated software version | low | assess and block
     | parameter with code injection | medium | sanitise code fragments from requests; application audit
     | insecure encryption possible; possibly outdated software version | low | assess; reduce attack surface
     | insecure encryption possible; possibly outdated software version | low | check and fix; application audit
     | unencrypted transmission of authentication data; Cross-Site Tracing | medium | restrict TRACE requests; check and fix unencrypted transmission
     | insecure encryption possible; unlimited password combinations | low | assess and block
     | admin portals reachable unencrypted; unlimited password combinations; disclosure of all system data!; access to private data; administrative access to the web server | high | extensive practical immediate measures were reported on 21.08.2010, see page 48
     | spam sending possible; code injection | medium | form processing must be reworked; sanitise code fragments from requests; application audit
     | limited encryption | low | apply vendor patch
     | Cross-Site Tracing; PHP version vulnerable; Cross-Site Scripting; parameter tampering; information disclosure | high | restrict TRACE requests; form processing must be reworked; sanitise code fragments from requests
     Classification of the information: Vulnerability Management vs Threat Modelling vs Risk Assessment Values
  28. RAV. Source: OSSTMM ISECOM
  29. [ porosity ] - Visibility - Access - Trust
  30. [ how much security do you really need? ]
  31. [ Authentication ]
  32. [ Indemnification ]
  33. [ Resistance ]
  34. [ Subjugation ]
  35. [ Continuity ]
  36. [ non-repudiation ]
  37. [ confidentiality ] [ privacy ] [ integrity ]
  38. [ Alarm ]
  39. [ limitations ]
  40. Limitations
  41. OSSTMM Risk Assessment Value
  42. "There are only 2 ways to steal something: either you take it yourself or you have someone else take it and give it to you" OSSTMM 3.0
  43. Apps? Steal something for me?
  44. Steal something for me
  45. Tom is verbose
  46. Tom the Cat is calling home
  47. Size Symmetry, Visibility, Subjugation, Consistency, Integrity, Offsets, Value, Components, Porosity [ quantify Trust! ]
  48. Risk! Sometimes the result is not what you expect!