You Can't Buy Security - DerbyCon 2012
1. You Can’t Buy Security
Building an Open Source Information Security Program
By: Boris Sverdlik aka @JadedSecurity
2. Who am I?
Your friendly neighborhood security guy
That Jaded asshole who runs a blog and is on that DAILY
podcast.. You know.. ISDPodcast.com
I’m That Guy on Twitter….
Coming up on almost 15 years in the Industry.
I started on the Offense Side, got sucked into
Defense, now it’s a little bit of both…
I’m Not an “Evangelist” but I have stayed at a
3. Disclaimer
No Animals, Unicorns, Memes, Evangelists were hurt
during the production of this talk.
Do not go back to your organization and say “Boris,
compared this to X”
This presentation has been tailored for consumption by
the awesome “DerbyCon Audience”. A made for RSA
presentation will be available for all of your corporate
Needs
Finally: Rape Is Never Funny.. Except when..
7. Why are we here?
At Security Zone 2011, some very smart people came up
with the idea that Defense should be Sexy
8. Sexy Defense
So a bunch of us put in a CFP for a panel at ShmooCon
and somehow it got hijacked and turned into a “You’re
Doing it Wrong, Read The Manual” discussion.
“We need more Data”
“We need better tools”
“We need to know how to use the tools we have”
Focused on “IT Security” which is Doing it Wrong
9. “IT Security” is an oxymoron
IT is in the business of keeping the business running
Security is there to enable the business to continue being successful
The Pyramid is missing a key component. Know Your Business!
10. IT Managers Focus on
Availability - Redundancy
Resource Utilization
Operational Reporting
Ease of Implementation
Ease of Support
Limit production issues
Cost of Ownership
11. Security Managers focus on
Ensuring that security is tightly integrated into the
business
Identifying weaknesses in process and technical controls
Ensuring that new initiatives do not impact current controls
Reducing the risk posture of the entire organization as a
whole (Physical, Technical and Administrative)
Recommend and/or Implement controls that
potentially conflict with IT Focus!
14. Truth of the matter is!
People, Process, Technology is the only way to build an
Information Security program properly.
We fail at Security because we focus too much on
Technology and let “Analysts” drive our security decisions
There is no Magic Bullet! There never will be!
23. So without further ado
<Fancy speak>
Let’s Start with People!!!
Hire the Right People to run your security program.
You Guys are the right People!!!! So let’s ignore the next
couple of slides that are directed towards the other Hiring
Managers.
25. So why hire them to run
Security?
Your Security Program is not a checklist…
It requires an individual who has experience and can learn
and adapt to your environment
26. Don’t Hire the guy/gal who
wants to “Secure Everything”
We all know that security guy who has a fit every time the
firewall is probed.
The Sky is not falling!!! The Planet is not under attack!!!
China is not after all your Data!!! If they are, they already
have it…
27. So let’s say you’ve hired the
right Person!!!
The right person will be someone who understands your
business model
He/She is not driven by the latest Gartner Analyst report
Doesn’t play buzzword Bingo
Has been in the industry long enough to Get It.
Has the right combination of Technical, Business and Soft
skills.
28. You are the Right Person!
<for the sake of argument, you aren’t hungover this Sunday
Morning>
You have just been hired as the new CISO for ABC
Condom Company!!! You Start Monday!!! Yay!!!
31. I’m going to assume you
already scouted before you got
hired!
So what are we going to search?
You want to learn everything you can about the business
aspects
How are Condoms Made
How does ABC Condom make money
Do they sell direct?
32. What’s this??? 4Chan??
/b has a post saying ABC Condom Company is making a
new product.. Now with a 100% more @#$^!(
33. Monday Morning Comes!
The first thing you’re going to do is use all of your 1337
social engineering skills to meet with as many individuals
as you can.
Don’t focus just on the Management team… You really
want to get a feel for the organization
You’re an Employee… Did you sign an NDA as part of
your hiring package? If not, that can give you some insight
into the organization’s stance on privacy
You might have your work cut out for you.. But hey, you’re
35. OK, We got the formalities out
of the way.. What’s first?
You can’t have a security Program without understanding
what you are going to protect? Right?
Your first step is Information Classification!
Do not use some Arbitrary Value that you learned in
CISSP class.. Quantitative Risk assessment is a myth!
AV(Asset Value)*EF(Exposure Factor)=SLE. MEH!!!
The Business does not understand Asset Values of
intangible assets. It’s a futile process and will bring you
nothing but Grief!
36. First steps
At this point you’ve identified from a high level how your
business operates
What are the different Business Units
What, if any, Legal/Regulatory Obligations you have
What the Collective Organization values.
When you perform a Business Impact Analysis every BU
(Business Unit) will claim that their process/product is the
most valuable to the organization. This usually causes the
process to fall apart and will eventually become a show
stopper!
37. Where do I start
So if /b is an indicator we know we might have an R&D
initiative. Let’s put this in our spank bank for later..
How do we perform classification without using arbitrary
values? Easy.. You have spent the last couple of days
learning your business right?
You know that you make money from Manufacturing and
Direct to wholesalers.
You know you have HIPAA, SOX and PCI obligations
38. First Things first
You’ve done your OSINT Searches and have identified a
couple of Web Servers and look what we have here.. A
customer support forum…
Let’s do some skid testing first…
Run your scripts… put your leet SQLMap skills to the test.
NOTE: This isn’t a pen test! Just to see if you can withstand
the kiddies..
41. So let’s get
43. Sensitive
• Intellectual Property (Secret Condom Formula, Research
Data)
• Books & Records
• PII and PHI
• Employee Information
• Business Strategy Documents
44. For Internal Use Only
• Phone Directories
• Policies and Some Procedures (Depending on the
sensitivity of the system)
• Interoffice communications & General Memos
• Calendars
• HR Procedures
• Non Application Specific Intranet Sites
46. Start with Low Hanging Fruit
You sell rubbers… I’m sure you have a customer service organization? Right???
They more than likely have access to a good chunk of your sensitive data
They are also most likely the ones who click all the Shit
Your organization may differ! This is not a one size fits all!
47. Step#1 Face to Face
• Set up some “Getting to know you time” with the manager
of the group and use your 1337 social engineering skills to
convey “How can I help you” ***IMPORTANT!!!
• Elicit as much information as possible:
• Roles: How many groups do you have
• What are their responsibilities
• What applications do they use *** Important
• How do you get new employees set up
• What frustrates you about IT?
48. Findings
• You’ve identified that the customer service group uses a proprietary web app called Magnum for most of their functions.. Let’s consider this system CRITICAL
• You’ve identified several different roles within the group
• You've identified that IT manages account administration
• You’ve also identified things you weren’t expecting..
49. Lol. Wut?.. No Really..
• Anyone can request and get access
• Whoever wrote the app quit years ago
• Nobody really knows who maintains the application
• Code hasn’t been touched in years..
51. Guaranteed Tangent #1
• Now it’s time for some real sexy time!!!
• Meet with IT and position yourself as “Hey, I know
you’re busy but $BusinessManager has asked me to
look into who has access to Magnum..
• Build rapport with IT, don’t come off as Me Vs. You!!
IT: Oh we just add them to $Group(s)
You: Cool, what do $Groups have access to?
IT: I dunno.... Before my time…
You: Great.. Thanks…
52. Are you stuck??
• No.. Now it’s time to put your leet skillz to use
• Identify the nodes the application is running on.
• Identify the authentication/authorization mechanism
• Identify Change Management procedures
• Review the code for any additional connections made by the application
53. Ha! Now we have Data
• You’ve learned that the App is running on a Tomcat server
with AD Authentication using Roles.. YAY!!
• You know it uses a $ServiceAccount to access $Database
• Now we go back to IT and ask for acl dumps for:
• The individual nodes
• TomCat
• $Database
54. Now comes the hard part
• You have to sort through all this crap!
• Put together an access control Matrix based on job functions and True access lists
• Document the entire PROCESS!!!
• Draft an Application Specific Policy / Run Book
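The access control matrix step above (slides 52 through 54) is the one place in this exercise where a script pays for itself. The following is an added example, not code from the talk: it takes the three ACL dumps you asked IT for (AD groups, Tomcat role mapping, database grants), works out each principal’s true access, and flags what the business should review. All dump contents, user names, group names and the per-job-function expectations are constructed sample data.

```python
"""Access control matrix for the Magnum app from IT's entitlement dumps.

Added example, not code from the talk. The three dumps below are
constructed sample data standing in for the AD group, Tomcat role and
database grant exports; the job-function expectations are what you would
agree with $Manager before the first entitlement review.
"""
from collections import defaultdict

# Constructed: AD group membership dump (group -> members).
AD_GROUPS = {
    "CS-Agents": ["alice", "bob", "carol"],
    "CS-Supervisors": ["carol"],
    "IT-Admins": ["dave"],
    # "Anyone can request and get access": eve left customer service long ago.
    "Magnum-Users": ["alice", "bob", "carol", "dave", "eve"],
}

# Constructed: Tomcat security-role mapping for Magnum (AD group -> app role).
TOMCAT_ROLES = {
    "Magnum-Users": "magnum_view",
    "CS-Supervisors": "magnum_refund",
    "IT-Admins": "magnum_admin",
}

# Constructed: grants on the customer table (principal -> privileges).
DB_GRANTS = {
    "svc_magnum": {"SELECT", "INSERT", "UPDATE"},        # the app's service account
    "dave": {"SELECT", "INSERT", "UPDATE", "DELETE"},    # direct grant, bypasses the app
}

# Constructed: what each job function should hold, agreed with the business.
EXPECTED = {
    "agent": {"magnum_view"},
    "supervisor": {"magnum_view", "magnum_refund"},
    "it_admin": {"magnum_admin"},
}
JOB_FUNCTION = {"alice": "agent", "bob": "agent", "carol": "supervisor",
                "dave": "it_admin"}


def effective_roles(ad_groups, tomcat_roles):
    """Map each user to the app roles they actually hold via group membership."""
    roles = defaultdict(set)
    for group, members in ad_groups.items():
        role = tomcat_roles.get(group)
        if role is None:
            continue  # group grants nothing in this app
        for user in members:
            roles[user].add(role)
    return dict(roles)


def access_matrix(ad_groups, tomcat_roles, db_grants, job_function, expected):
    """One row per principal: job function, true access, and review findings."""
    roles = effective_roles(ad_groups, tomcat_roles)
    matrix = {}
    for principal in sorted(set(roles) | set(db_grants)):
        is_service = principal.startswith("svc_")
        function = job_function.get(principal)
        held = roles.get(principal, set())
        findings = []
        if function is None and not is_service:
            findings.append("no job function on file (orphaned account?)")
        elif function is not None:
            excess = held - expected[function]
            if excess:
                findings.append("roles beyond job function: " + ", ".join(sorted(excess)))
        if principal in db_grants and not is_service:
            findings.append("direct database grant bypasses application controls")
        matrix[principal] = {
            "function": function,
            "app_roles": sorted(held),
            "db_privs": sorted(db_grants.get(principal, set())),
            "findings": findings,
        }
    return matrix


if __name__ == "__main__":
    for principal, row in access_matrix(AD_GROUPS, TOMCAT_ROLES, DB_GRANTS,
                                        JOB_FUNCTION, EXPECTED).items():
        print(f"{principal:12} {row['function'] or '-':11} "
              f"roles={row['app_roles']} db={row['db_privs']}")
        for finding in row["findings"]:
            print(f"{'':12} !! {finding}")
```

The output is the starting point for the conversation with $Manager on slide 55: the orphaned account, the admin who can read customer data through the app, and the direct database grant that no application role will ever show are exactly the items the business owner has to accept or remove.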
55. Follow up with the Business
Unit!
• Present the document to $Manager now enabling
them to take responsibility for ownership of the
application and assign a delegate
• Have them review the current entitlements and have
them agree on a review process in line with the
criticality of the application
• You should know each of their processes
intimately, The Run Book should be a good baseline
for a BCP
• Establish a partnership that will prove beneficial to
them
57. Wow.. That took a lot of work
• We haven’t implemented a single bullshit policy yet!
• We haven’t bought a single Blinky Box
• We haven’t bitched about budget.
• We haven’t once talked about CHINA!
58. We’re not even close to
done!
• The classification exercise is the very minimum every
CISO/CSO/Head of Security/Whatever needs to
ensure is done before building their security program!
• We’ll call that Step#1
59. Step #2?
• So now you can go ahead and snag some templates
off of SANS for your “Security” Policies
60. Policies and Procedures
• Now that you know your business you can draft your
policies so that they align with the business
• Keep them short and concise and RELEVANT!
• Don’t forget the basics
• Acceptable Use
• Data USAGE!
• Communications
• Physical
• ETC!!!
61. Now comes the “Fun” part
• You know exactly what assets you need to protect
• You know where your assets are
• You know what they are worth to the success of your
business
• You have the support of the business
62. Step #3 Implementation
• We don’t need to buy $Product to lower your risk of
exposure
• Cover your BASICS (Not what the CISSP Taught You)
• Access Controls
• Application Security
• Network Security
• Operational Controls
• Physical Security
• Business Continuity
• User Awareness Training!
63. OPEN SOURCE
• OPEN SOURCE IS NOT FREE!!!
• Always weigh the cost of implementation against
purchasing a solution if you do not have the resources
available to build.
64. Access Controls
• Authentication & Authorization
• You need to be able to map the classification process
back to a system that can enforce controls and provide
accountability
• Remote Access should follow this access control
mechanism as well.
• If you aren’t on Windows there are options!!!
• OpenLDAP
• OpenIAM
• And much More!!!
65. Application Security
• Work with your development teams to ensure that secure
functions are documented and available for reuse across
the organization
• While code review for every app will never be possible, make
sure that major revisions for high risk applications are
reviewed.
• Use static analysis tools to test your development efforts for
potential bugs
• Don’t run applications of different risk levels on the same
logical/physical systems
• Always assume the host/client has been compromised; as
such, ensure application security controls are at the
application layer
66. Network Security
• VLAN does not mean segregated!
• Firewall rules should be very explicit
• The End User environment should not have unfettered access
to your production environment
• For God’s sake do not allow direct internet access through a
PAT!!
• Group Systems logically by the data that they house
• SSL != SAFE!
• Certificates != Good 2FA
• NAC is a wet dream you will never fully attain
• Use Active and Passive Network Monitoring
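“VLAN does not mean segregated” and “firewall rules should be very explicit” are easy to say and hard to prove on a policy with a few hundred rules. The following is an added example, not code from the talk: it evaluates a first-match rule set the way the firewall would, reports which allow rules are broad enough to flatten two zones back into one network, and probes what an end user host can actually reach in production. The zones and the rule set are constructed; export your own policy into the same (action, src, dst, proto, port) shape to run it for real.

```python
"""Evaluate and audit an ordered firewall rule set.

Added example, not code from the talk. The zones and the rule set are
constructed; export your own rules into the same (action, src, dst,
proto, port) shape to run it against a real policy.
"""
import ipaddress

# Constructed zones.
ZONES = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "prod": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed ordered policy, first match wins. Ports are ints or "any".
RULES = [
    ("allow", "10.10.0.0/16", "10.20.0.10/32", "tcp", 443),   # users -> Magnum front end
    ("allow", "10.20.0.10/32", "10.30.0.5/32", "tcp", 5432),  # front end -> $Database
    ("allow", "10.10.0.0/16", "10.30.0.0/16", "any", "any"),  # "temporary" rule nobody removed
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any"),
]


def parse_rules(rules):
    """Turn the textual export into ip_network objects once."""
    return [(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, port)
            for action, src, dst, proto, port in rules]


def evaluate(rules, src, dst, proto, port):
    """First-match evaluation. Returns (action, index of the matching rule)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, rs, rd, rp, rport) in enumerate(rules):
        if s in rs and d in rd and rp in ("any", proto) and rport in ("any", port):
            return action, i
    return "deny", None  # implicit default deny


def broad_allow_rules(rules, max_prefix=24):
    """Indices of allow rules with both ends wider than /max_prefix and any
    proto/port: the rules that turn 'segmented' zones back into a flat network."""
    return [i for i, (action, rs, rd, rp, rport) in enumerate(rules)
            if action == "allow" and rs.prefixlen < max_prefix
            and rd.prefixlen < max_prefix and rp == "any" and rport == "any"]


def zone_exposure(rules, zones, src_zone, dst_zone, probe_ports):
    """Which probe ports a host in src_zone can reach on a host in dst_zone,
    using the first usable address of each zone as a representative."""
    src = str(next(zones[src_zone].hosts()))
    dst = str(next(zones[dst_zone].hosts()))
    return {port for port in probe_ports
            if evaluate(rules, src, dst, "tcp", port)[0] == "allow"}


if __name__ == "__main__":
    parsed = parse_rules(RULES)
    print("broad allow rules:", [RULES[i] for i in broad_allow_rules(parsed)])
    print("users -> prod reachable:", zone_exposure(parsed, ZONES, "users", "prod",
                                                    [22, 3389, 5432, 8080]))
    print("dmz -> prod reachable:", zone_exposure(parsed, ZONES, "dmz", "prod",
                                                  [22, 3389, 5432, 8080]))
```

Rule 2 is the finding: it sits below two explicit rules, so the explicit rules look fine in isolation, yet every user workstation can reach every production port. Probing by zone rather than reading rules one at a time is what surfaces it.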
68. Change Management!
• WTF does Change Management have to do with Security???
• Security is always a snapshot in time
• When you roll code out you need to be confident that you don’t add new risks!
70. Logging
• Ensure you have centralized logging from your business
critical systems
• Ensure that you can maintain the integrity of the logs.
• The logging mechanism should provide administrative
monitoring!!
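“Maintain the integrity of the logs” means that a host which gets compromised after shipping its logs cannot quietly rewrite or drop what it already sent. One way the collector can make that tamper-evident, as an added example that is not code from the talk, is to chain each record to the previous one with an HMAC whose key never leaves the collector. The key and the sample log lines below are constructed.

```python
"""Tamper-evident central log store using an HMAC hash chain.

Added example, not code from the talk. The key and the sample log lines
are constructed; the key would live only on the log collector so that a
compromised source host cannot recompute MACs for history it has shipped.
"""
import hashlib
import hmac

COLLECTOR_KEY = b"constructed-demo-key-not-for-production"
GENESIS = b"\x00" * 32  # previous-MAC value for the very first record

# Constructed sample log lines as received from a Tomcat node.
SAMPLE_LINES = [
    "2012-09-28T08:59:10 magnum01 sshd: Accepted publickey for dave from 10.10.2.4",
    "2012-09-28T09:00:02 magnum01 tomcat: login FAILED user=eve src=10.10.7.9",
    "2012-09-28T09:00:05 magnum01 tomcat: login FAILED user=eve src=10.10.7.9",
    "2012-09-28T09:00:09 magnum01 tomcat: login OK user=eve src=10.10.7.9",
]


def append_record(chain, line, key=COLLECTOR_KEY):
    """Append one line; its MAC covers the previous MAC, so any edit to an
    earlier record invalidates every record after it."""
    prev = bytes.fromhex(chain[-1]["mac"]) if chain else GENESIS
    mac = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).hexdigest()
    chain.append({"line": line, "mac": mac})
    return mac  # the current head; publish it somewhere the sources can't reach


def build_chain(lines, key=COLLECTOR_KEY):
    chain = []
    for line in lines:
        append_record(chain, line, key)
    return chain


def verify_chain(chain, key=COLLECTOR_KEY, expected_head=None):
    """Return (ok, index_of_first_bad_record). Passing the last published
    head MAC also catches records silently dropped from the tail, which a
    bare chain cannot see."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        mac = hmac.new(key, prev + rec["line"].encode("utf-8"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, rec["mac"]):
            return False, i
        prev = bytes.fromhex(mac)
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return False, len(chain)
    return True, None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LINES)
    head = chain[-1]["mac"]
    print("intact:", verify_chain(chain, expected_head=head))
    # Someone edits the failed logins away after the fact.
    edited = [dict(rec) for rec in chain]
    edited[1]["line"] = edited[1]["line"].replace("FAILED", "OK")
    print("edited record 1:", verify_chain(edited, expected_head=head))
    # Someone drops the last record entirely.
    print("tail dropped:", verify_chain(chain[:-1], expected_head=head))
```

The design point is the split of trust: sources only ever send lines, the collector alone holds the key and the current head, and the head gets written somewhere a compromised collector cannot also alter (a separate system, a printed daily digest, whatever your environment supports). Without that external anchor, truncating the tail is undetectable.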
71. Monitoring
• You do not need to spend $$$ on a commercial SIEM
• Open source Solutions such as OSSIM can provide all
that you need to build your monitoring program.
• The Solution must provide real time Alerting
• You do need to build a process to address alerts and fine
tune the system.
• Resources are Key!
72. Intrusion Detection
• Once you’ve identified your critical resources during Step
1, you now know where to focus your resources.
• Network Intrusion Detection should never be implemented
to fulfill a checkbox! You need to spend the time to trend
the environment and build your rules from a white list
perspective. Snort is FREE!
• Host Based Intrusion Detection provided by OSSEC can
provide real value when implemented on critical
resources. It can maintain your compliance checking as
well..
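The “trend the environment, then build your rules from a white list perspective” advice above generalises beyond Snort: first record what normal traffic to your critical resources looks like, then alert on anything outside it. The following is an added example, not code from the talk and not a Snort or OSSEC configuration: it builds a whitelist from a constructed week of flow records around Magnum and reports the deviations in a constructed day of new flows. Source hosts are collapsed to their /24 so a new workstation in a known agent subnet does not alert, while a known subnet talking to a new service does.

```python
"""Whitelist-style network baselining over flow logs.

Added example, not code from the talk. Flow records (timestamp src dst
dport proto) and addresses are constructed; feed it your own NetFlow or
firewall connection logs in the same shape.
"""
import ipaddress
from collections import Counter

# Constructed: one week of flows around the Magnum front end and its database.
BASELINE_LOG = """
2012-09-21T09:01:02 10.10.1.15 10.30.0.5 443 tcp
2012-09-21T09:03:11 10.10.1.22 10.30.0.5 443 tcp
2012-09-22T10:12:45 10.10.1.31 10.30.0.5 443 tcp
2012-09-22T10:12:46 10.30.0.5 10.30.0.6 5432 tcp
2012-09-23T11:00:00 10.30.0.5 10.30.0.6 5432 tcp
2012-09-24T08:30:00 10.10.2.4 10.30.0.5 22 tcp
"""

# Constructed: today's flows.
TODAY_LOG = """
2012-09-28T09:00:01 10.10.1.40 10.30.0.5 443 tcp
2012-09-28T09:05:17 10.10.1.22 10.30.0.6 5432 tcp
2012-09-28T09:06:30 10.10.1.22 10.30.0.5 22 tcp
2012-09-28T09:07:00 10.30.0.5 10.30.0.6 5432 tcp
"""


def parse_flows(text):
    """Parse 'timestamp src dst dport proto' lines into tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append((ts, src, dst, int(dport), proto))
    return flows


def flow_key(src, dst, dport, proto):
    """Whitelist granularity: source /24, exact destination service."""
    src_net = ipaddress.ip_network(f"{src}/24", strict=False)
    return (str(src_net), dst, dport, proto)


def build_whitelist(flows, min_count=2):
    """Keys seen at least min_count times during the baseline. A one-off
    (a single SSH session from 10.10.2.4) is not enough to count as normal."""
    counts = Counter(flow_key(s, d, p, pr) for _, s, d, p, pr in flows)
    return {key for key, n in counts.items() if n >= min_count}


def find_deviations(flows, whitelist):
    """Flows whose key was never (or rarely) seen in the baseline period."""
    return [flow for flow in flows if flow_key(*flow[1:]) not in whitelist]


if __name__ == "__main__":
    whitelist = build_whitelist(parse_flows(BASELINE_LOG))
    for key in sorted(whitelist):
        print("normal:", key)
    for ts, src, dst, dport, proto in find_deviations(parse_flows(TODAY_LOG), whitelist):
        print(f"ALERT {ts} {src} -> {dst}:{dport}/{proto} not in baseline")
```

The two alerts are an agent workstation opening a direct connection to the database port and the same workstation SSHing to the application node. Neither would trip a signature-based rule, because nothing about the packets is malicious; they trip because they are outside what the critical resource normally sees.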
73. Vulnerability Management
• Vulnerability Management is a place where a lot of
organizations get stuck in an endless loop of exceptions
and acceptances and blah blah blah.
• An authenticated scan should be your validation that
patches are being applied and that new applications aren’t
being introduced without going through the process
• It’s a QA function when done right
• Again.. OpenVas and Seccubus are FREE!
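“It’s a QA function when done right” is worth making concrete. The following is an added example, not code from the talk and not OpenVAS or Seccubus output: it treats an authenticated scan as a test against the approved post-patch state, reporting hosts that missed the patch cycle, packages nobody approved, and listeners that appeared without going through change management. The baseline, host names, package names and versions are constructed.

```python
"""Treat the authenticated scan as QA: diff results against the approved baseline.

Added example, not code from the talk. The baseline and the per-host scan
results below are constructed; map your scanner's export into the same
structure to run the same checks.
"""
import re

# Constructed: approved state after the last patch cycle.
BASELINE_VERSIONS = {"openssl": "1.0.1c", "httpd": "2.2.22", "tomcat": "7.0.29"}
APPROVED_LISTENERS = {("tcp", 22), ("tcp", 443)}

# Constructed: what an authenticated scan reported per host.
SCAN_RESULTS = {
    "web01": {"packages": {"openssl": "1.0.1c", "httpd": "2.2.22", "tomcat": "7.0.29"},
              "listeners": {("tcp", 22), ("tcp", 443)}},
    "web02": {"packages": {"openssl": "1.0.0", "httpd": "2.2.22", "tomcat": "7.0.29",
                           "ftpd": "1.0"},
              "listeners": {("tcp", 22), ("tcp", 443), ("tcp", 21)}},
}


def version_key(version):
    """Numeric components only, so '1.0.1c' -> (1, 0, 1). Good enough to spot
    a host that missed a patch cycle; not a full package-version comparison."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def review_host(result, baseline, approved_listeners):
    """Findings for one host: outdated or unapproved packages, unapproved listeners."""
    findings = []
    for pkg, ver in sorted(result["packages"].items()):
        if pkg not in baseline:
            findings.append(f"unapproved package {pkg} {ver}")
        elif version_key(ver) < version_key(baseline[pkg]):
            findings.append(f"{pkg} {ver} below approved {baseline[pkg]}")
    for proto, port in sorted(result["listeners"] - approved_listeners):
        findings.append(f"unapproved listener {proto}/{port}")
    return findings


def review(scan, baseline, approved_listeners):
    """Host -> list of findings; an empty list means the host passed QA."""
    return {host: review_host(result, baseline, approved_listeners)
            for host, result in scan.items()}


if __name__ == "__main__":
    for host, findings in review(SCAN_RESULTS, BASELINE_VERSIONS, APPROVED_LISTENERS).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{host}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

The point of framing it this way is that every finding is a process failure with an owner (patching missed a host, something was installed outside change management), not a severity score to argue about. That is what keeps the exercise out of the endless loop of exceptions.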
74. BYOD???
• Have you noticed I haven’t nitpicked endpoint controls???
• Once you build out your classification you can use
criticality/sensitivity of the data to apply additional controls
as required
• There are plenty of ways to provide access to data in a
hostile environment
75. Security Awareness
• Your users will never stop clicking shit
• Compliance driven security awareness does not work
• It must be reinforced and integrated into the culture
• Defense in depth and treating the endpoint as hostile is the only way to go.
76. Now go find a Red Team
• A Penetration test by a 3rd party is the only way to
validate your program is effective. They hold no bias…
• If you have external facing infrastructure, then crowd
source the external pen test! Often times a bug bounty will
be more cost effective than a full dynamic analysis
77. At this point you’re not even
close to done!!
• The Security Program is just that: a program!
• It is a living, breathing animal and must be continually fine-tuned
78. What’s Next?
• This is why I love the Community: apparently Dennis Kuntz
(@denniskuntz) has already started working on a
framework! http://www.cossp.org