Delhi The Second Adventure
null Delhi Special Meeting - with Joerg Simon
Published in: Education, Technology

Transcript

  • 1. Delhi the Second Adventure Thorough, Safe and Secure Fabian + Joerg jsimon@fedoraproject.org http://fedoraproject.org
  • 2. /me
  • 3. Communication Security [ and this! ]
  • 4. [ Security Lab ] A Linux based open source test- and education platform for - security-auditing - forensics - penetration-testing
  • 5. [ History: @ foss.in Bangalore 2009 ] - pick up the idea - give it a home - http://fedorahosted.org/security-spin/ - Contributor Wishlist – https://bugzilla.redhat.com/show_bug.cgi?id=563471 - Improve spin section content – went to spins.fedoraproject.org/security - move to SLiM as desktop manager – moved to SLiM -> moved to LXDM ... - move to LXDE as window manager – we moved to LXDE -> move to XFCE in Fedora 20 - become an official spin in Fedora 13 – we made it as an official Fedora Security Spin in Fedora 13, 14, 15, 16, 17 and will be for 18 - LIMITS - Web application testing tools + implementing OSSTMM upstreams – we packaged SCARE, unicornscan; also brought up limits of a large FOSS project - become the official OSSTMM distro – ISECOM's Pete Herzog announced OSSTMM Lab as the "New live linux distro for OSSTMM users" on 12 September 2012 - new features in the current version of the OSL (v3.8b4 (F17)) with input from the ISECOM HHS Team! - collect input and suggestions - Working on a test bench for students
  • 6. [ possible benefits ] - usecase for the FSL - new cool upstreams - implemented methodology - fedora get taught along the OSSTMM
  • 7. OSSTMM- Lab Modified Version of the Fedora Security Lab Packaging upstream Tools from the OSSTMM Team A stable platform for teaching the curriculum For OSSTMM and HHS Integrate the Methodology Flow Into one possible Toolset [ benefits ]
  • 8. HIC Audit Services [ From Risk to Operations ]
  • 9. From Risk to Operations
  • 10. [ but we have a problem ]
  • 11. [ Security - Industry ]
  • 12. - Comply!? But not secure? Blocked? - Get the audit result you need? But not secure? Blocked? - Secure? But not compliant? Blocked? [ Compliance? ] Source: OSSTMM, ISECOM
  • 13. Spend your money on "Bad Security"?
  • 14. Security? Cloud – Social Media – Mobile Platform
  • 15. Trusts: new attack vectors!
  • 16. [ Reports Management & Real world compatible ] [ reproducible with the right Standards & Methods! ] [ neutral unbiased by relying on Open Standards ] [ comparable real working Metrics – based on scientific research ]
  • 17. [ know ] - a way for proper testing!
  • 18. [ there is an Open Source way ] - How do current operations work? - How do they work differently from how management thinks they work? - How do they need to work?
  • 19. HIC Audit Services [ Controls <> Trusts ] [ Security <> Safety? ] [ Operations ] [ Compliance ] [ the terrible truth? ]
  • 20. Human risk will never change "In Security people are as much a part of the process as are the machines." derived from ISECOM, OSSTMM 3.0
  • 21. - Industry 74.49% - Military 97.16% - Banks 84.36% - Software Vendors 73.12% - Politics 76.58%
  • 22. Usual testing synonyms: Blind/Blackbox Pentest, Graybox/Crystal/RedTeam, Social Engineering, WarDriving, WarDialing, Configuration Reviews, Code Reviews [ common sense ]
  • 23. [ testpath ]
  • 24. - False Positive (status true – although untrue) - False Negative (status untrue – although true) - Gray Positive (status always true) - Gray Negative (always untrue) - Specter (true or untrue – anomaly) - Indiscretion (true or untrue – time dependency) - Entropy Error (true or untrue – overhead) - Falsification (true or untrue – unknown variables) - Sampling Error (influenced from outside) - Constraint (true or untrue – equipment limit) - Propagation (not tested) - Human Error (missing skill, experience)
  • 25. From Risk to Operations
  • 26. [ Quantify Security ]
  • 27. Metrics (sample findings table: System | Vulnerability | Criticality | Measure; the System column is blank on the slide)
    - insecure encryption possible, possibly outdated software version | low | assess and block
    - parameter with code injection | medium | sanitize code fragments from requests; application audit
    - insecure encryption possible, possibly outdated software version | low | assess; reduce attack surface
    - insecure encryption possible, possibly outdated software version | low | check and fix; application audit
    - unencrypted transmission of authentication data, Cross Site Tracing | medium | restrict TRACE requests; check and fix unencrypted transmission
    - insecure encryption possible, unlimited password attempts | low | assess and block
    - admin portals reachable unencrypted, unlimited password attempts, disclosure of all system data! access to private data, administrative access to the web server | high | extensive practical immediate measures were reported on 21.08.2010, see page 48
    - spam sending possible, code injection | medium | form processing must be reworked; sanitize code fragments from requests; application audit
    - limited encryption | low | apply vendor patch
    - Cross Site Tracing, vulnerable PHP version, Cross Site Scripting, parameter tampering, information disclosure | high | restrict TRACE requests; form processing must be reworked; sanitize code fragments from requests; classification of the information
    Vulnerability Mngmt. vs Threat Modelling vs Risk Assessment Values
  • 28. RAV Source: OSSTMM, ISECOM
  • 29. [ porosity ] - Visibility - Access - Trust
  • 30. [ how much security do you really need? ]
  • 31. [ Authentication ]
  • 32. [ Indemnification ]
  • 33. [ Resistance ]
  • 34. [ Subjugation ]
  • 35. [ Continuity ]
  • 36. [ non-repudiation ]
  • 37. [ confidentiality ] [ privacy ] [ integrity ]
  • 38. [ Alarm ]
  • 39. [ limitations ]
  • 40. Limitations
  • 41. OSSTMM Risk Assessment Value
  • 42. "There are only 2 ways to steal something: either you take it yourself or you have someone else take it and give it to you" OSSTMM 3.0
  • 43. Apps? Steal something for me?
  • 44. Steal something for me
  • 45. Tom is verbose
  • 46. Tom the Cat is calling home
  • 47. Size Symmetry Visibility Subjugation Consistency Integrity Offsets Value Components Porosity [ quantify Trust! ]
  • 48. Risk! Sometimes the result is not what you expect!