Coexisting with Vulnerabilities
BSides Ottawa 2019 – Ottawa, Canada
Dennis Chaupis & Ivan Perez
Who are we?
BSides Ottawa 2019 | Coexisting with vulnerabilities 2
Dennis Chaupis
CISSP, CRISC, CTPRP
Senior Manager
Deloitte – Risk Advisory - Cyber Security
Dennis leads the Vulnerability Management & Penetration Testing practice in Toronto, from where he supports engagements across Canada and globally. He focuses on helping organizations identify, manage, and remediate vulnerabilities that could lead to a business impact. Dennis has also worked for a major Canadian bank in its Operational Risk Management group.
Opinions and views are my own and not necessarily those of my current or past employers.
Who are we?
Ivan Perez
OSCP
Consultant
Deloitte – Risk Advisory - Cyber Security
Ivan is a consultant with Deloitte’s Cyber Risk Services practice and a holder of the Offensive Security Certified Professional (OSCP) certification, with experience in threat intelligence, vulnerability assessments, and penetration testing. Since joining Deloitte, Ivan has worked on offensive engagements with clients in numerous sectors, including the financial, shared services, energy, public, and academic sectors. He also likes sea turtles.
Opinions and views are my own and not necessarily those of my current or past employers.
“Coexisting with vulnerabilities”……… what?
Pentester:
• How many times have you performed a recurring pentest and found the exact same vulnerability over and over again?
SOC:
• How many times have you identified a vulnerability (from your VA scan, a log review, or an “intel” source), created a ticket so it gets resolved……. and the ticket gets closed but nothing has been fixed?
Architect / Application Team:
• “We are going to create the new banking platform, we are going to be revolutionary with this; however, we are still allowing insecure communications to the mainframe so….. We will just deal with it”.
Contents
• Case study (slide 7)
• What apps look like in real life (slide 10)
• Three key roles (slide 11)
• Examples (slide 13)
• What to do? (slide 19)
• Food for thought (slide 22)
Case Study
192.168.CBA.XY1 – 192.168.CBA.XY5 -> Internal IPs
• Unpatched software
• Unsupported software
• Public shares
• Weak SSH configuration
• Self signed /default certificates in use
• Unauthenticated remote support access
• More… more… more….
200.101.ABC.XYZ -> External IP
• Insecure communication protocols (FTP, Telnet, Remote Mgmt)
• Default web application server pages
• Management console accessible over the Internet
www.MyNextGenBank.com
• Use of TLS 1.0 or weak ciphers
• Error messages allow user enumeration
• Weak password recovery process via PVQs
• XSS / SQL Injection
• Default pages / error messages
And the question is…
Stakeholder: Business (App Owner)
What they “see”: the case-study findings listed above
What apps look like in “real life”
[Diagram: an F5 LB in front of App Srv Farm 1 and App Srv Farm 2 on ESXi (…), a DB, a 3rd Party App Y and API Z, and AWS/Azure/GCP; each box layers OS, Apps, DB and Agents across Servers, some “Cloud”, a Database and Microservices]
Stakeholder: what they “see”
• CIO / CTO
• App Team (e.g. Architect, QA Team)
• Server Owner: most commonly seen as… “The Admin”. This is the person responsible for server management, configuration and patching. Usually this individual does not have “full visibility” of what the app exactly does (nor wants to); but this is the person who can help you or *destroy you*. “The admin” also goes by: “Server guy”, “DBA”.
Three key roles
CTO
• Focused on new technologies and how the organization “keeps up” with them.
• Drives how technology is provided to clients.
• “We need cloud functionality for A, B, C or E”
• “Clients need to click-and-call”
• …
Vs
CISO
• Responsible for the overall Information Security / Cyber Security of the organization.
• Usually reports to the CIO
• VA Scans
• Pentest, RTO, Threat Hunting
• Secure Software Development
• …
Vs
CIO
• Most commonly focused on internal tasks/operations.
• Crucial for IT management and operations.
• Asset management
• Server / Infra build
• Patch Management
• Software Development
• …
We won’t be able to patch them all
“Coexisting with vulnerabilities” is not the same as “ignoring vulnerabilities”, nor an excuse for not remediating.
Coexisting with vulnerabilities is the natural “path” that organizations follow to focus on their business.
• This is the part where most technical people do not want to spend their time…. It is “someone else’s job”.
• Other terms like “risk”, “impact”, “compensating control”, “risk treatment” and “residual risk” come into play.
• It must not be the rule for everything the organization does not want to remediate.
• This is the part where senior management will spend most of their time: trying to find the best possible way to deal with vulnerabilities and threats. On the other hand, this is the part where most technical people struggle the most, because they do not understand why something “this simple” cannot be patched.
What can we do?
Example 1
[Diagram: HQ laptops, phones and mobile devices, plus 3rd parties (vendors, partners, alliances), connecting to the Mainframe]
Application A is one of our banking applications and can only be accessed via terminal using IBM’s implementation of Telnet.
Example 1: What does it mean?
It means that all the communication being exchanged between the client and the mainframe is transmitted in plain text.
Pentester: “Consider replacing the insecure protocol with its secure version”
Easy there, Mr. Security….. Can’t do that. Can’t just “enable SSH”…
- Who will manage the keys?
- What type of keys are we going to use?
- Do we know if the application supports it?
- Does the business know this will cost them $1 Million to start?
- Are there other applications impacted if we just “switch” to the secure protocol?
- Will we just shut down the current port and replace it with the secure one? Or is there a rollout plan?
- Do we need to change anything in the application, or leave it as-is?
- Does this impact network usage? Application delay?
Example 2
[Diagram: HQ LAN with laptops, VoIP phones and printers on each segment]
Company A has recently deployed their “state of the art” NAC solution. Now they can control who can connect to the LAN. They felt very confident that no unauthorized user could access their LAN just by plugging in to a network port.
During a pentest, the tester was able to bypass the NAC solution by impersonating a trusted device. The tester cloned the MAC address of a VoIP device and…… done! Network access was achieved.
Example 2: What does it mean?
It means that the current NAC solution did not consider the “weakest link” in its design and can be bypassed.
Pentester: “Consider using certificates for authentication”
Easy there, Mr. Security….. Can’t do that. Can’t just “install certificates”…
- Who will manage the certificates?
- Are we buying certificates?
- Are we deploying our own CA?
- Who is going to pay for it?
- Are we sure our devices will support it?
- Can we use certificates on VoIP phones or printers? Any other devices we are forgetting?
- Do we have a centralized asset database that we can trust?
Example 3
Company X launched their ecommerce platform, developed by a world-class vendor, a year ago; it was supposed to use the latest and greatest technologies.
During a pentest, the tester found that it was possible to downgrade the encryption to something much less secure (i.e. SSLv3, the protocol targeted by the POODLE attack).
[Diagram: clients (laptops, phones, mobile) -> Frontend -> Backend]
Example 3: What does it mean?
It means that the current TLS/SSL configuration allows a client to use insecure TLS/SSL algorithms and protocols.
Pentester: “Disable support for weak protocols and encryption algorithms”
Easy there, Mr. Security….. Can’t do that. Can’t just “disable weak protocols”…
- Have we checked whether the application supports it?
- Is it an infrastructure or an application issue? Or both?
- Was it well defined when creating the requirements for the application?
- What about compatibility with legacy applications?
So… what to do?
Pentester: Other than reporting it and providing as much technical information as possible……. Not much more.
Server Owner / Admin: Provide as much clarity and clarification as possible on what can be done and what cannot be done; moreover, be willing to help the non-technical people understand the technical aspects of the vulnerabilities and/or the technology constraints of remediation activities.
Risk Professional: Try to be as technical as possible. This will allow you to understand the actual vulnerability and to assess the right remediation alternative.
CXO: Try to listen to the whole story when possible. In the end it is your responsibility and accountability if something goes wrong.
Back to the study case…
What and how would YOU patch this now?
One of many options could be:
• Get the detailed findings.
• Question the existence of the vulnerabilities. For example: “Why is TLS 1.0 enabled… is it a server build issue or an application issue?” instead of “No it is not, and it’s been working like that without any issues”.
• Try to see the “end-to-end”.
• Have all the relevant parties in the same discussion. Do not work in silos.
• Do not start remediating before thinking through all the possible outcomes.
• Do you make all the changes at the same time or gradually? Are we “that much” exposed?
Food for thought
• Not all vulnerabilities must be “patched”; however, all vulnerabilities must be treated.
• Avoid thinking that “hackers do not come after us… they go after the big companies”.
• Create a remediation strategy that meets both risk exposure and risk appetite.
• If you are an admin, do not just fix what was reported. Most likely you know of other components that are also affected by the same vulnerability.
• Do not just assign a risk rating (L/M/H) or a score (e.g. CVSS). You must consider the value of the asset and the business impact.
• Crown Jewels: Identify the assets that matter the most first.
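As an added example (not code from the talk), the triage the last two bullets describe, run over findings constructed from the case study: each finding gets a score from CVSS, asset criticality and exposure, reduced by documented compensating controls, and a treatment that distinguishes coexisting from ignoring. The asset criticality values, weights, thresholds and CVSS-style scores are assumptions.

```python
"""Triage the case-study findings by business risk, not by CVSS alone.

Added example, not code from the BSides Ottawa talk. The findings, CVSS-style
scores, asset criticality values, weights and thresholds are constructed.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Finding:
    title: str
    asset: str
    cvss: float                 # technical severity only, 0.0-10.0
    exposure: str               # "internet" or "internal"
    compensating: List[str] = field(default_factory=list)


# Asset value / business impact on a 1-5 scale (5 = crown jewel). Constructed.
ASSET_CRITICALITY = {
    "www.MyNextGenBank.com": 5,   # customer-facing banking platform
    "Mainframe": 5,               # core banking backend (Example 1)
    "200.101.ABC.XYZ": 3,         # external host with management console
    "192.168.CBA.XY1": 2,         # one internal server from the case study
}

# Reachability multiplier: internal-only exposure lowers likelihood. Constructed.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6}


def risk_score(f: Finding) -> float:
    """CVSS x asset criticality x exposure, then halved once per documented
    compensating control (a simplifying assumption for this example)."""
    base = f.cvss * ASSET_CRITICALITY.get(f.asset, 1) * EXPOSURE_WEIGHT[f.exposure]
    return base / (2 ** len(f.compensating))


def treatment(f: Finding) -> str:
    """Map the score (maximum 50) onto a treatment; thresholds are assumptions."""
    s = risk_score(f)
    if s >= 30:
        return "remediate now"
    if s >= 12:
        return "remediate on a plan; add compensating control meanwhile"
    # Coexisting is not ignoring: residual risk is owned, monitored and reviewed.
    return "coexist: document residual risk, monitor, review at next cycle"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings by business risk rather than by raw CVSS."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed findings mirroring the case-study slides.
FINDINGS = [
    Finding("SQL injection in login form", "www.MyNextGenBank.com", 9.8, "internet"),
    Finding("TLS 1.0 and weak ciphers enabled", "www.MyNextGenBank.com", 5.9, "internet"),
    Finding("Plaintext Telnet (TN3270) to mainframe", "Mainframe", 7.5, "internal",
            compensating=["dedicated VLAN, no Internet path", "session monitoring"]),
    Finding("Management console reachable from Internet", "200.101.ABC.XYZ", 8.0, "internet"),
    Finding("Self-signed certificate on internal host", "192.168.CBA.XY1", 4.0, "internal"),
]


if __name__ == "__main__":
    by_cvss = sorted(FINDINGS, key=lambda f: f.cvss, reverse=True)
    print("By CVSS alone:", [f.title for f in by_cvss])
    print("By business risk:")
    for f in prioritize(FINDINGS):
        print(f"  {risk_score(f):5.1f}  {f.title:45}  -> {treatment(f)}")
```

Ordering by CVSS alone would put the segmented mainframe Telnet above the TLS 1.0 finding on the customer-facing bank; weighting by asset value and compensating controls reverses that, which is the point of the last two bullets.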
Questions?
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Recently uploaded (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Coexisting with Vulnerabilities

  • 1. Coexisting with Vulnerabilities. BSides Ottawa 2019 – Ottawa, Canada. Dennis Chaupis & Ivan Perez
  • 2. Who are we? (BSides Ottawa 2019 | Coexisting with vulnerabilities 2)
    Dennis Chaupis, CISSP, CRISC, CTPRP. Senior Manager, Deloitte – Risk Advisory - Cyber Security.
    Dennis is leading the Vulnerability Management & Penetration testing practice in Toronto, from where he supports engagements across Canada and globally. He focuses on helping organizations identify, manage, and remediate vulnerabilities that could lead to a business impact. Dennis has also worked for a major Canadian bank in its Operational Risk Management group.
    Opinions and views are my own and not necessarily my current or past employers'.
  • 3. Who are we?
    Ivan Perez, OSCP. Consultant, Deloitte – Risk Advisory - Cyber Security.
    Ivan is a consultant with Deloitte’s Cyber Risk Services practice and holder of the Offensive Security Certified Professional (OSCP) certificate, with experience in threat intelligence, vulnerability assessments, and penetration testing. Since joining Deloitte, Ivan has worked on offensive engagements with clients in numerous sectors including the financial, shared services, energy, public, and academic sectors. He also likes sea turtles.
    Opinions and views are my own and not necessarily my current or past employers'.
  • 4. “Coexisting with vulnerabilities”… what?
    Pentester:
      • How many times have you performed a recurring pentest and found the exact same vulnerability over and over again?
    SOC:
      • How many times have you identified a vulnerability as part of your VA scan, log review, or a report from an “intel” source, created a ticket so it gets resolved… and the ticket gets closed but nothing has been fixed?
    Architect / Application Team:
      • “We are going to create the new banking platform, we are going to be revolutionary with this; however, we are still allowing insecure communications to the mainframe so… we will just deal with it.”
  • 5. “Coexisting with vulnerabilities”… what?
  • 6. Contents
    Case study – 7
    What apps look like in real life – 10
    Three key roles – 11
    Examples – 13
    What to do? – 19
    Food for thought – 22
  • 7. Case Study
    192.168.CBA.XY1 – 192.168.CBA.XY5 -> Internal IPs
      • Unpatched software
      • Unsupported software
      • Public shares
      • Weak SSH configuration
      • Self-signed / default certificates in use
      • Unauthenticated remote support access
      • More… more… more…
    200.101.ABC.XYZ -> External IP
      • Insecure communication protocols (FTP, Telnet, Remote Mgmt)
      • Default web application server pages
      • Management console accessible over the Internet
    www.MyNextGenBank.com
      • Use of TLS 1.0 or weak ciphers
      • Error messages allow user enumeration
      • Weak password recovery process via PVQs
      • XSS / SQL Injection
      • Default pages / error messages
  • 8. And the question is…
  • 9. Case Study (the same findings as on slide 7, repeated)
  • 10. What apps look like in “real life”
    [Figure: a table of stakeholders (Business / App Owner, CIO / CTO, App Team (e.g. Architect, QA Team), Server Owner) against what each one “sees” of the application: from “some Cloud”, a database and micro services at the business level down to F5 LB, App Srv Farm 1, App Srv Farm 2, ESXi, DB, 3rd Party App Y, API Z, AWS/Azure/GCP, OS, Apps, DB, Agents and Servers.]
    Server Owner: most commonly seen as… “The Admin”. This is the person who is responsible for server management, configuration and patching. Usually this individual does not have “full visibility” of what the app exactly does (nor wants to); but this is the person who can help you or *destroy you*. “The admin” also goes by “Server guy” or “DBA”.
  • 11. Three key roles
    CIO
      • Most commonly focused on internal tasks/operations.
      • Crucial for IT management and operations.
      • Asset management, server / infra build, patch management, software development, …
    vs
    CTO
      • Focused on new technologies and how the organization “keeps up” with them.
      • Drives how technology is provided to clients.
      • “We need cloud functionality for A, B, C or E”, “Clients need to click-and-call”, …
    vs
    CISO
      • Responsible for the overall Information Security / Cyber Security of the organization.
      • Usually reports to the CIO.
      • VA scans, pentest, RTO, threat hunting, secure software development, …
  • 12. We won’t be able to patch them all
    “Coexisting with vulnerabilities” is not the same as “ignoring vulnerabilities”, nor an excuse for not remediating. Coexisting with vulnerabilities is the natural “path” that organizations follow in order to focus on their business.
      • This is the part where most technical people do not want to spend their time… it is “someone else’s job”.
      • Other terms like “risk”, “impact”, “compensating control”, “risk treatment” and “residual risk” come into play.
      • It must not become the rule for everything the organization does not want to remediate.
      • This is the part where senior management will spend most of their time: trying to find the best way possible to deal with vulnerabilities and threats. On the other hand, this is the part where most technical people struggle the most, because they do not understand why something “this simple” cannot be patched.
    What can we do?
  • 13. Example 1
    [Figure: the mainframe, reached from HQ laptops, phones and mobile devices, and from 3rd parties (vendors, partners, alliances).]
    Application A is one of our banking applications and can only be accessed via terminal, using IBM’s implementation of Telnet.
  • 14. Example 1: What does it mean?
    It means that all the communication exchanged between the client and the mainframe is transmitted in plain text.
    Pentester: “Consider replacing the insecure protocol with its secure version.”
    Easy there, Mr. Security… Can’t do that. Can’t just “enable SSH”:
      - Who will manage the keys?
      - What type of keys are we going to use?
      - Do we know if the application supports it?
      - Does the business know this will cost them $1 Million to start?
      - Are other applications impacted if we just “switch” to the secure protocol?
      - Will we just shut down the current port and replace it with the secure one? Or is there a rollout plan?
      - Do we need to change anything in the application, or leave it as-is?
      - Does this impact NW usage? Application delay?
  • 15. Example 2
    [Figure: the HQ LAN with laptops, VoIP phones and printers.]
    Company A has recently deployed their “state of the art” NAC solution. Now they can control who can connect to the LAN. They felt very confident that no unauthorized user could access their LAN just by plugging into a network port.
    During a pentest, the tester was able to bypass the NAC solution by impersonating a trusted device. The tester cloned the MAC address of a VoIP device and… done! Network access was achieved.
  • 16. Example 2: What does it mean?
    It means that the current NAC solution did not consider the “weakest link” in its design and can be bypassed.
    Pentester: “Consider using certificates for authentication.”
    Easy there, Mr. Security… Can’t do that. Can’t just “install certificates”:
      - Who will manage the certificates?
      - Are we buying certificates?
      - Are we deploying our own CA?
      - Who is going to pay for it?
      - Are we sure our devices will support it?
      - Can we use certificates on VoIP phones or printers? Any other devices we are forgetting?
      - Do we have a centralized asset database that we can trust?
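Until certificate-based authentication is in place, the cloned-MAC scenario from Example 2 is something a defender can at least detect from the records the NAC and switches already keep. The following is an added example, not code from the talk or from any NAC product: it assumes an inventory keyed by MAC address (device type, registered port, authentication method) and session records carrying the port, the DHCP vendor class the device announced and the authentication method; all of those values are constructed for the example. A MAB-authenticated phone that suddenly announces a Windows DHCP vendor class, shows up on a second port, or both, is flagged.

```python
"""Added example (not from the BSides talk): a consistency check a defender
can run over NAC / switch session records to spot a cloned device identity.

Assumptions (all constructed): the authorised-device inventory is a dict
keyed by MAC address, and each observed session carries the switch port,
the DHCP vendor class the device announced, and the authentication method
(802.1X or MAC Authentication Bypass) the NAC recorded.
"""
from collections import defaultdict

# Constructed inventory: what the NAC believes each MAC is.
AUTHORISED = {
    "00:1b:d4:aa:bb:01": {"type": "voip", "port": "Gi1/0/7", "auth": "mab"},
    "00:1b:d4:aa:bb:02": {"type": "voip", "port": "Gi1/0/8", "auth": "mab"},
    "3c:52:82:10:20:30": {"type": "printer", "port": "Gi1/0/12", "auth": "mab"},
    "a4:bb:6d:01:02:03": {"type": "laptop", "port": None, "auth": "dot1x"},
}

# DHCP vendor-class strings each device type is expected to announce
# (constructed; real deployments take these from device-profiling data).
EXPECTED_VENDOR_CLASS = {
    "voip": ("Cisco Systems, Inc. IP Phone",),
    "printer": ("Hewlett-Packard JetDirect",),
    "laptop": ("MSFT 5.0", "udhcp"),
}

# Constructed session records, as a NAC or switch would log them.
SESSIONS = [
    {"mac": "00:1b:d4:aa:bb:01", "port": "Gi1/0/7", "vendor_class": "Cisco Systems, Inc. IP Phone", "auth": "mab"},
    {"mac": "00:1b:d4:aa:bb:02", "port": "Gi1/0/8", "vendor_class": "Cisco Systems, Inc. IP Phone", "auth": "mab"},
    # Same MAC as the phone on Gi1/0/7, but on another port and announcing a
    # Windows DHCP vendor class: the trace a cloned VoIP MAC leaves behind.
    {"mac": "00:1b:d4:aa:bb:01", "port": "Gi1/0/22", "vendor_class": "MSFT 5.0", "auth": "mab"},
    {"mac": "3c:52:82:10:20:30", "port": "Gi1/0/12", "vendor_class": "Hewlett-Packard JetDirect", "auth": "mab"},
    {"mac": "a4:bb:6d:01:02:03", "port": "Gi1/0/30", "vendor_class": "MSFT 5.0", "auth": "dot1x"},
    {"mac": "de:ad:be:ef:00:01", "port": "Gi1/0/31", "vendor_class": "udhcp", "auth": "mab"},
]


def check_sessions(sessions, authorised=AUTHORISED):
    """Return a sorted list of (mac, reason) findings.

    Reasons: 'unknown-mac' (not in inventory), 'profile-mismatch' (device
    announces a vendor class its inventory type never uses), 'port-mismatch'
    (MAB device seen on a port other than its registered one) and
    'duplicate-mac' (one MAC active on more than one port at once).
    """
    findings = set()
    ports_by_mac = defaultdict(set)

    for s in sessions:
        mac = s["mac"].lower()
        ports_by_mac[mac].add(s["port"])
        entry = authorised.get(mac)
        if entry is None:
            findings.add((mac, "unknown-mac"))
            continue
        if s["vendor_class"] not in EXPECTED_VENDOR_CLASS[entry["type"]]:
            findings.add((mac, "profile-mismatch"))
        # MAB-authenticated devices (phones, printers) are pinned to a port;
        # 802.1X users roam, so no port pin applies to them.
        if entry["auth"] == "mab" and entry["port"] and s["port"] != entry["port"]:
            findings.add((mac, "port-mismatch"))

    for mac, ports in ports_by_mac.items():
        if len(ports) > 1:
            findings.add((mac, "duplicate-mac"))

    return sorted(findings)


if __name__ == "__main__":
    for mac, reason in check_sessions(SESSIONS):
        print(f"{mac}  {reason}")
```

Running it over the constructed sessions flags the cloned phone MAC three times (profile mismatch, port mismatch, duplicate MAC) and the unregistered MAC once; the roaming 802.1X laptop produces nothing because port pinning only applies to MAB devices. None of these checks replace certificate-based authentication; they narrow the window in which a cloned identity goes unnoticed.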
  • 17. Example 3
    [Figure: clients (laptops, phones, mobile devices) talking to the frontend, which talks to the backend.]
    Company X launched their ecommerce platform, developed by a world-class vendor, a year ago; it was supposed to use the latest and greatest technologies. During a pentest, the tester found that it was possible to downgrade the encryption to something much less secure (i.e. SSLv3 – POODLE attack).
  • 18. Example 3: What does it mean?
    It means that the current TLS/SSL configuration allows a client to use insecure TLS/SSL algorithms and protocols.
    Pentester: “Disable support for weak protocols and encryption algorithms.”
    Easy there, Mr. Security… Can’t do that. Can’t just “disable weak protocols”:
      - Have we checked whether the application supports it?
      - Is it an infrastructure or an application issue? Or both?
      - Was it well defined when creating the requirements for the application?
      - What about compatibility with legacy applications?
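The first of the questions above (“have we checked whether the application supports it?”) is answerable before anyone touches production if the TLS policy is expressed in code and audited there. The following is an added example, not configuration from the talk or from Company X’s vendor: it uses Python’s standard `ssl` module to build a hardened server context beside a legacy one and to audit either for the Example 3 weaknesses (an old minimum protocol version, cipher suites using RC4/DES/NULL/MD5/export grades, and pre-TLS 1.3 suites without an ephemeral key exchange). The cipher string and the version policy are this example’s own choices; it assumes Python 3.7 or newer on OpenSSL 1.1.1 or newer.

```python
"""Added example (not from the BSides talk): audit a Python ssl.SSLContext
for the Example 3 weaknesses and build a hardened context beside a legacy one.

Assumptions: Python 3.7+ on OpenSSL 1.1.1+; the cipher string and version
policy below are this example's own choices, not a configuration from the talk.
"""
import ssl

# Substrings that mark a cipher suite as unacceptable under this example's
# policy: export grade, RC4, DES/3DES, NULL encryption, MD5 MAC.
WEAK_MARKERS = ("EXP", "RC4", "DES", "NULL", "MD5")

# Minimum protocol versions that fail the policy (SSLv3 is what POODLE needs).
OLD_VERSIONS = (
    ssl.TLSVersion.MINIMUM_SUPPORTED,
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)


def audit_context(ctx):
    """Return a list of human-readable findings; empty means the context
    meets the policy."""
    findings = []
    if ctx.minimum_version in OLD_VERSIONS:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}")
    for cipher in ctx.get_ciphers():
        name, proto = cipher["name"], cipher["protocol"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
        # TLS 1.3 suites always use an ephemeral key exchange; for older
        # versions require (EC)DHE so a stolen server key cannot decrypt
        # previously recorded traffic.
        elif proto != "TLSv1.3" and "DHE" not in name:
            findings.append(f"no forward secrecy: {name}")
    return findings


def hardened_server_context():
    """Server context accepting TLS 1.2+ with AEAD, forward-secret suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION  # CRIME-style compression leaks
    return ctx


def legacy_server_context():
    """The 'latest and greatest, but still negotiable down' configuration:
    every suite OpenSSL offers at security level 0 and the oldest protocol
    version this build still allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, DeprecationWarning):
        pass  # build refuses TLS 1.0 (or warns as error); cipher findings still apply
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("legacy", legacy_server_context())):
        problems = audit_context(ctx)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems[:5]:
            print("  -", p)
```

The audit runs against the context object, not against a live port, so it belongs in a unit test or a deployment pipeline: it tells the app team whether their own TLS settings meet the policy before the infrastructure team is asked to change anything, which is exactly the “infrastructure or application issue, or both?” question from the slide.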
  • 19. So… what to do?
    Pentester: Other than reporting it and providing as much technical information as possible… not much more.
    Server Owner / Admin: Provide as much clarity as possible on what can be done and what cannot be done; moreover, be willing to help the non-technical people understand the technical aspects of the vulnerabilities and/or the technology constraints of remediation activities.
    Risk Professional: Try to be as technical as possible. This will allow you to understand the actual vulnerability and to assess the right remediation alternative.
    CXO: Try to listen to the whole story when possible. In the end it is your responsibility, and you are accountable, if something goes wrong.
  • 20. Back to the case study… What and how would YOU patch this now? (the same findings as on slide 7, repeated)
  • 21. Back to the case study… What and how would YOU patch this now? (the same findings as on slide 7, repeated)
    One of many options could be:
      • Get the detailed findings.
      • Question the existence of the vulnerabilities. For example: “Why is TLS 1.0 enabled… is it a server build issue or an application issue?” instead of “No it is not, and it’s been working like that without any issues”.
      • Try to see the “end-to-end”.
      • Have all the relevant parties in the same discussion. Do not work in silos.
      • Do not start remediating before thinking through all the possible outcomes.
      • Do you make all the changes at the same time or gradually? Are we “that much” exposed?
  • 22. Food for thought
    • Not all vulnerabilities must be “patched”; however, all vulnerabilities must be treated.
    • Avoid thinking that “hackers do not come after us… they go after the big companies”.
    • Create a remediation strategy that meets both risk exposure and risk appetite.
    • If you are an admin, do not just fix what was reported. Most likely you know of other components that are also affected by the same vulnerability.
    • Do not just assign a risk rating (L/M/H) or a score (e.g. CVSS). You must consider the value of the asset and the business impact.
    • Crown Jewels: identify the assets that matter the most first.
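Two of the rules on this slide and on slide 21 can be made mechanical: “all vulnerabilities must be treated” (a closed ticket with no recorded decision is the SOC story from slide 4, not a treatment) and “do not just assign a CVSS score; consider the value of the asset and the business impact”. The following is an added example, not a method from the talk or from Deloitte: it scores each finding by CVSS weighted by exposure and crown-jewel status, halves the score when a compensating control is recorded, and refuses to call a finding “treated” until a remediate/mitigate/accept decision with an owner (and, for acceptance, a rationale and review date) is on file. The weights, CVSS values, owners and dates are constructed; the assets are the ones from the case study on slide 7.

```python
"""Added example (not from the BSides talk): a repeatable triage step for the
'Food for thought' rules. Every finding must carry a treatment (remediate,
mitigate with a compensating control, or a time-boxed, owned acceptance), and
ordering uses asset value and exposure, not CVSS alone.

Weights, CVSS values, owners and dates are constructed for this example; the
assets are the ones named in the talk's case study.
"""
from dataclasses import dataclass
from typing import Optional

EXPOSURE_WEIGHT = {"external": 1.5, "internal": 1.0}   # constructed weights
CROWN_JEWEL_WEIGHT = 2.0
COMPENSATING_CONTROL_FACTOR = 0.5  # a mitigation lowers the score, never removes it


@dataclass
class Finding:
    id: str
    title: str
    asset: str
    cvss: float
    exposure: str                      # "external" or "internal"
    crown_jewel: bool
    treatment: Optional[dict] = None   # None: nobody has decided yet


def priority(f: Finding) -> float:
    """Business-weighted score: CVSS scaled by exposure and asset value,
    halved when a compensating control is recorded."""
    score = f.cvss * EXPOSURE_WEIGHT[f.exposure]
    if f.crown_jewel:
        score *= CROWN_JEWEL_WEIGHT
    if f.treatment and f.treatment.get("type") == "mitigate":
        score *= COMPENSATING_CONTROL_FACTOR
    return round(score, 2)


def treatment_problems(f: Finding) -> list:
    """What is still missing before this finding counts as 'treated'."""
    t = f.treatment
    if not t:
        return ["untreated: no decision recorded (the closed ticket with nothing fixed)"]
    required = {
        "remediate": ("owner", "due"),
        "mitigate": ("owner", "compensating_control", "remediation_due"),
        "accept": ("owner", "rationale", "review_by"),
    }
    kind = t.get("type")
    if kind not in required:
        return [f"unknown treatment type {kind!r}"]
    return [f"{kind} is missing {k!r}" for k in required[kind] if not t.get(k)]


def triage(findings):
    """Return (findings ordered for the planning meeting, {id: problems})."""
    ordered = sorted(findings, key=priority, reverse=True)
    problems = {f.id: p for f in findings if (p := treatment_problems(f))}
    return ordered, problems


# Constructed findings built on the case-study assets (CVSS values are made up).
CASE_STUDY = [
    Finding("F1", "SQL injection in login form", "www.MyNextGenBank.com", 9.8, "external", True,
            {"type": "remediate", "owner": "app team", "due": "2019-12-15"}),
    Finding("F2", "TLS 1.0 and weak ciphers enabled", "www.MyNextGenBank.com", 5.9, "external", True,
            {"type": "remediate", "owner": "server owner"}),          # no due date yet
    Finding("F3", "Unauthenticated remote support access", "192.168.CBA.XY3", 9.8, "internal", False,
            None),                                                    # ticket closed, nothing decided
    Finding("F4", "Plaintext terminal protocol to mainframe", "mainframe", 7.5, "internal", True,
            {"type": "mitigate", "owner": "infra", "compensating_control": "segmented VLAN, HQ only",
             "remediation_due": "2020-Q4"}),
    Finding("F5", "Self-signed certificate on admin console", "192.168.CBA.XY1", 4.0, "internal", False,
            {"type": "accept", "owner": "server owner", "rationale": "internal only"}),  # no review date
]


if __name__ == "__main__":
    ordered, problems = triage(CASE_STUDY)
    for f in ordered:
        print(f"{priority(f):6.2f}  cvss {f.cvss:<4} {f.id} {f.title}")
    for fid, issues in problems.items():
        print(fid, "->", "; ".join(issues))
```

Sorting the same list by CVSS alone would put the internal remote-support finding level with the SQL injection and push the TLS 1.0 finding on the Internet-facing banking site down to fourth; weighting by exposure and crown-jewel status moves it to second, which is the slide’s point. The problems dictionary is what goes back to the ticket queue: a finding with no decision, an acceptance without a review date, or a remediation without a due date is not “coexisting”, it is ignoring.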
  • 23. Questions?