Delhi The Second Adventure

Delhi Special Meeting - with Joerg Simon

Published in: Education, Technology

  1. Delhi the Second Adventure: Thorough, Safe and Secure. Fabian + Joerg, jsimon@fedoraproject.org, http://fedoraproject.org
  2. /me
  3. Communication Security [ and this! ]
  4. [ Security Lab ] A Linux based open source test and education platform for:
     - security auditing
     - forensics
     - penetration testing
  5. [ History: @ foss.in Bangalore 2009 ]
     - pick up the idea
     - give it a home: http://fedorahosted.org/security-spin/
     - Contributor Wishlist: https://bugzilla.redhat.com/show_bug.cgi?id=563471
     - Improve spin section content: went to spins.fedoraproject.org/security
     - move to SLiM as desktop manager: moved to SLiM, then moved to LXDM ...
     - move to LXDE as window manager: we moved to LXDE, then move to XFCE in Fedora 20
     - become an official spin in Fedora 13: we made it as an official Fedora Security Spin in Fedora 13, 14, 15, 16, 17 and will be for 18
     - LIMITS
     - Web application testing tools + implementing OSSTMM upstreams: we packaged SCARE and unicornscan; this also brought up the limits of a large FOSS project
     - become the official OSSTMM distro: ISECOM's Pete Herzog announced OSSTMM Lab as the "New live linux distro for OSSTMM users" on 12 September 2012
     - new features in the current version of the OSL (v3.8b4 (F17)) with input from the ISECOM HHS Team!
     - collect input and suggestions
     - working on a test bench for students
  6. [ possible benefits ]
     - use case for the FSL
     - new cool upstreams
     - implemented methodology
     - Fedora gets taught along the OSSTMM
  7. OSSTMM Lab: a modified version of the Fedora Security Lab, packaging upstream tools from the OSSTMM team; a stable platform for teaching the curriculum for OSSTMM and HHS; integrate the methodology flow into one possible toolset. [ benefits ]
  8. HIC Audit Services [ From Risk to Operations ]
  9. From Risk to Operations
  10. [ but we have a problem ]
  11. [ Security - Industry ]
  12. [ Compliance? ]
     - Comply!? But not secure? Blocked?
     - Get the audit result you need? But not secure? Blocked?
     - Secure? But not compliant? Blocked?
     Source: OSSTMM, ISECOM
  13. Spend your money on "Bad Security"?
  14. Security? Cloud - Social Media - Mobile Platform
  15. Trusts: new attack vectors!
  16. [ Reports: management and real-world compatible ] [ reproducible with the right standards and methods! ] [ neutral, unbiased by relying on open standards ] [ comparable, real working metrics based on scientific research ]
  17. [ know ] - a way for proper testing!
  18. [ there is an Open Source way ]
     - How do current operations work?
     - How do they work differently from how management thinks they work?
     - How do they need to work?
  19. [ Controls <> Trusts ] [ Security <> Safety? ] [ Operations ] [ Compliance ] [ the terrible truth? ]
  20. Human risk will never change. "In Security people are as much a part of the process as are the machines." derived from ISECOM, OSSTMM 3.0
  21. - Industry 74.49% - Military 97.16% - Banks 84.36% - Software Vendors 73.12% - Politics 76.58%
  22. Usual testing synonyms: Blind/Blackbox Pentest, Graybox/Crystal/RedTeam, Social Engineering, WarDriving, WarDialing, Configuration Reviews, Code Reviews [ common sense ]
  23. [ testpath ]
  24. - False Positive (status true, although untrue)
     - False Negative (status untrue, although true)
     - Gray Positive (status always true)
     - Gray Negative (always untrue)
     - Specter (true or untrue: anomaly)
     - Indiscretion (true or untrue: time dependency)
     - Entropy Error (true or untrue: overhead)
     - Falsification (true or untrue: unknown variables)
     - Sampling Error (influenced from outside)
     - Constraint (true or untrue: equipment limit)
     - Propagation (not tested)
     - Human Error (missing skill, experience)
  25. From Risk to Operations
  26. [ Quantify Security ]
  27. Metrics: findings table with the columns System / Vulnerability / Criticality / Measure (rows below as Vulnerability | Criticality | Measure)
     - insecure encryption possible, possibly outdated SW version | low | evaluate and prevent
     - parameters with code injection | medium | remove the code fragments from the requests; application audit
     - insecure encryption possible, possibly outdated SW version | low | evaluate; reduce the attack surface
     - insecure encryption possible, possibly outdated SW version | low | check and fix; application audit
     - unencrypted transmission of authentication data; cross site tracing | medium | restrict TRACE requests; check and fix the unencrypted transmission
     - insecure encryption possible; unlimited password combinations | low | evaluate and prevent
     - admin portals reachable unencrypted; unlimited password combinations; disclosure of all system data!; access to private data; administrative access to the web server | high | extensive practical immediate measures were reported on 21.08.2010, see page 48
     - spam sending possible; code injection | medium | form processing must be reworked; remove the code fragments from the requests; application audit
     - restricted encryption | low | apply the vendor patch
     - cross site tracing; PHP version attackable; cross site scripting; parameter tampering; information disclosure | high | restrict TRACE requests; form processing must be reworked; remove the code fragments from the requests
     Classification of the information: Vulnerability Mngmt. vs Threat Modelling vs Risk Assessment Values
  28. RAV. Source: OSSTMM, ISECOM
  29. [ porosity ] - Visibility - Access - Trust
  30. [ how much security do you really need? ]
  31. [ Authentication ]
  32. [ Indemnification ]
  33. [ Resistance ]
  34. [ Subjugation ]
  35. [ Continuity ]
  36. [ non-repudiation ]
  37. [ confidentiality ] [ privacy ] [ integrity ]
  38. [ Alarm ]
  39. [ limitations ]
  40. Limitations
  41. OSSTMM Risk Assessment Value
  42. "There are only 2 ways to steal something: either you take it yourself or you have someone else take it and give it to you" OSSTMM 3.0
  43. Apps? Steal something for me?
  44. Steal something for me
  45. Tom is verbose
  46. Tom the Cat is calling home
  47. Size, Symmetry, Visibility, Subjugation, Consistency, Integrity, Offsets, Value, Components, Porosity [ quantify Trust! ]
  48. Risk! Sometimes the result is not what you expect!