RSA 2013 Presentation: Stacking the Security Deck in your Favor

Lamar Bailey, nCircle's director of security research and development, walks you through how to deal yourself a winning hand with your security products.

A YouTube video of Lamar's presentation is available through the link below:
http://youtu.be/ogTBB7w1XyM

  • eWEEK article: the report found that the number of vulnerabilities grew to 5,225 in 2012, an increase of 26 percent year over year, as counted by their Common Vulnerabilities and Exposures (CVE) identifiers.
  • Going back to day 1, here is a sampling of our coverage for popular products.
  • Areas of concern that are not always covered
  • Examples of Rules
  • Examples of Rules
  • The date when a vulnerability was discovered plays a large role in the nCircle Scoring Algorithm, which bases score calculation on the idea that the longer a vulnerability exists, the more likely it is to be exploited. This leads to a disparity in scoring when date isn’t a concern and with newer vulnerabilities that have just been discovered.

    The risk component of the nCircle Scoring Algorithm represents the vector of the attack (remote or local) and the outcome of the attack (Denial of Service (availability), User Access (access), Privileged Access (privileged)). These configuration options allow you to change the importance of the 6 vulnerability risk levels.

    VERT has identified seven classes of products that customers may wish to label as remote instead of local on their network. When these modifications are applied, the risk is changed from ‘Local N’ to ‘Remote N’ for all vulnerabilities in that class. The classes are:
      • Web Browsers (SCORE_BROWSERS)
      • Java (SCORE_JAVA)
      • Web Technologies [Flash, Shockwave] (SCORE_WEB_TECHNOLOGY)
      • PDF Readers [Adobe, Foxit] (SCORE_PDF_READERS)
      • Media Players (SCORE_MEDIA_PLAYERS)
      • Mail Clients (SCORE_MAIL_CLIENTS)
      • Office Products (SCORE_OFFICE_PRODUCTS)
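The notes above describe three knobs that feed the score: age since discovery, the risk vector and outcome (2 × 3 = 6 risk levels), and the class modifiers that relabel a whole product class from Local to Remote. The block below is an added illustration of how such a heuristic can be composed; it is not nCircle's code, the real algorithm is proprietary, and every weight, the 90-day age period, the skill scale and the sample findings (placeholder identifiers, not real CVEs) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Vector x outcome yields the six risk levels named in the notes.
# All weights here are illustrative assumptions, not nCircle's.
VECTOR_WEIGHT = {"local": 1, "remote": 4}
OUTCOME_WEIGHT = {"availability": 1, "access": 2, "privileged": 3}

# The seven product classes VERT lists; True promotes "Local N" to "Remote N"
# for every vulnerability in that class (all off by default).
DEFAULT_CLASS_MODIFIERS = {
    "SCORE_BROWSERS": False,
    "SCORE_JAVA": False,
    "SCORE_WEB_TECHNOLOGY": False,
    "SCORE_PDF_READERS": False,
    "SCORE_MEDIA_PLAYERS": False,
    "SCORE_MAIL_CLIENTS": False,
    "SCORE_OFFICE_PRODUCTS": False,
}
BROWSERS_AS_REMOTE = dict(DEFAULT_CLASS_MODIFIERS, SCORE_BROWSERS=True)

AGE_PERIOD_DAYS = 90  # assumption: one extra base unit of score per 90 days of age
TODAY = date(2013, 2, 25)  # scan date used by the sample run (RSA 2013 week)


@dataclass
class Vuln:
    ident: str                 # placeholder identifier, not a real CVE
    discovered: date
    vector: str                # "local" or "remote"
    outcome: str               # "availability", "access" or "privileged"
    product_class: Optional[str] = None   # e.g. "SCORE_BROWSERS"
    skill: int = 3             # 1 (trivial) .. 5 (expert); assumed scale


def effective_vector(v: Vuln, modifiers: dict) -> str:
    """Class modifier: a local vulnerability in an enabled class is scored as remote."""
    if v.vector == "local" and v.product_class and modifiers.get(v.product_class, False):
        return "remote"
    return v.vector


def score(v: Vuln, today: date, modifiers: dict = DEFAULT_CLASS_MODIFIERS) -> int:
    """Heuristic score = risk level x ease of exploitation x age factor."""
    if v.vector not in VECTOR_WEIGHT or v.outcome not in OUTCOME_WEIGHT:
        raise ValueError(f"unknown risk level for {v.ident}")
    if not 1 <= v.skill <= 5:
        raise ValueError(f"skill out of range for {v.ident}")
    age_days = max((today - v.discovered).days, 0)   # future dates count as brand new
    risk = VECTOR_WEIGHT[effective_vector(v, modifiers)] * OUTCOME_WEIGHT[v.outcome]
    ease = 6 - v.skill                                # easier exploits score higher
    # Integer arithmetic keeps the result exact and reproducible across runs.
    return risk * ease * 10 * (AGE_PERIOD_DAYS + age_days) // AGE_PERIOD_DAYS


def rank(vulns: List[Vuln], today: date, modifiers: dict = DEFAULT_CLASS_MODIFIERS) -> List[str]:
    """Identifiers ordered from highest to lowest score, i.e. remediation order."""
    return [v.ident for v in sorted(vulns, key=lambda v: score(v, today, modifiers), reverse=True)]


# Constructed sample findings: a fresh local browser bug and a year-old remote DoS.
SAMPLE = [
    Vuln("EXAMPLE-BROWSER", date(2013, 2, 25), "local", "privileged", "SCORE_BROWSERS", skill=1),
    Vuln("EXAMPLE-OLD-DOS", date(2012, 2, 25), "remote", "availability", None, skill=5),
]

if __name__ == "__main__":
    print("default order:     ", rank(SAMPLE, TODAY))
    print("browsers as remote:", rank(SAMPLE, TODAY, BROWSERS_AS_REMOTE))
```

Flipping SCORE_BROWSERS on changes the remediation order: the browser bug jumps from 150 to 600 and overtakes the old denial-of-service finding, which is exactly the effect the class modifiers are meant to have on a network where browsers face untrusted content.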

    1. © 2013 nCircle. All Rights Reserved. nCircle Company Confidential
       Stacking the Security Deck in your Favor
       Deal yourself a winning hand
    2. Your hand
       • Operating Systems
       • Databases
       • Office Applications
       • Networking Gear
       • Browsers
    3. The Vulnerability Deck is Increasing
       [Chart: vulnerability count per year, 2002 to 2013; y-axis from 0 to 7,000]
    4. Aces
    5. Wild Cards
       • Custom Apps
       • Legacy
       • 0-Day
    6. Custom ASPL - Basics
       • Rule:
         RegistryQuery GetKey[HKLM] THEN CHECK Exists
       • Explanation:
         Request the HKLM registry key and check to see if it exists.
    7. Custom ASPL - Basics
       • Rule:
         SEND String[GET / HTTP/1.0\x0d\x0a\x0d\x0a] THEN CHECK Contains/HTTP/1.[01] 200/ WITH Offset[0], Length[12]
       • Explanation:
         Send data (in this case an HTTP 1.0 request) to a host and check that the response matches a typical HTTP response pattern in the first 12 bytes of the response data.
    8. Custom ASPL – Now with Python
       • Rule:
         EXECUTE {
             rule.CIFSGetFile("C$:\Windows\WIN.INI")
             if not rule.success:
                 rule.STOP(False)
             transcript = rule.buffer
             transcriptIsFull = True
         }
       • Details:
         Get the contents of C:\Windows\WIN.INI and store them in the rule instance data.
    9. Custom Rules – Now with Python
       • Rule:
         EXECUTE {
             import aspl_sshcore
             aspl_sshcore.startSSH(rule)
             rule.SEND("cat /etc/resolv.conf")
             rule.waitForData()
             if "8.8.8.8" not in rule.buffer and "8.8.4.4" not in rule.buffer:
                 rule.STOP(True)
             rule.STOP(False)
         }
       • Details:
         Here we’re connecting via SSH to a host to check the /etc/resolv.conf file to determine if we’re using Google’s DNS servers or not. If we aren’t, we fire the rule to inform us of that fact.
    10. Stack the Odds in Your Favor
        Heuristic Scoring using:
        • Time
        • Risk Factors
        • Skill
        Scores from 0 to 55,000+
    11. Adjusting Scores
        • Vulnerability Date Modifiers
        • Risk Modifiers
        • Vulnerability Class Modifiers
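Slides 7 and 9 express two checks in ASPL: send an HTTP/1.0 request and match only the first 12 bytes of the reply, and read /etc/resolv.conf over SSH and fire when no Google resolver is named. The block below is an added example in plain Python of the same two checks; it is not nCircle's ASPL runtime or code from the deck. The stand-in target (a socketpair answered by a thread), the sample resolv.conf contents and the helper names are constructed for the example; in the resolv.conf check it also parses `nameserver` lines rather than substring-matching the whole buffer as the slide's rule does, so a commented-out entry or an address like 8.8.8.80 cannot fool it.

```python
import re
import socket
import threading

# Slide 7 as plain Python: SEND an HTTP/1.0 request, then CHECK the first
# 12 bytes of the reply against /HTTP/1.[01] 200/.
HTTP_PROBE = b"GET / HTTP/1.0\x0d\x0a\x0d\x0a"
HTTP_200 = re.compile(rb"HTTP/1\.[01] 200")


def check_contains(buf: bytes, pattern: "re.Pattern[bytes]", offset: int, length: int) -> bool:
    """CHECK Contains/.../ WITH Offset[offset], Length[length]: the match must
    fall inside the window, so a "200" later in the response does not count."""
    return pattern.search(buf[offset:offset + length]) is not None


def http_banner_rule(conn: socket.socket, timeout: float = 3.0) -> bool:
    """Fires (True) when the peer answers the probe with an HTTP 200 status line."""
    conn.settimeout(timeout)
    conn.sendall(HTTP_PROBE)
    buf = b""
    while len(buf) < 12:            # only the checked window is needed
        chunk = conn.recv(4096)
        if not chunk:               # peer hung up early: no match
            break
        buf += chunk
    conn.close()
    return check_contains(buf, HTTP_200, offset=0, length=12)


def probe_host(host: str, port: int) -> bool:
    """Run the banner rule against a real target (not exercised by the sample run)."""
    return http_banner_rule(socket.create_connection((host, port), timeout=3.0))


def fake_target(response: bytes) -> socket.socket:
    """Constructed stand-in for a scanned host: the far end of a socketpair that
    answers the first request with a canned response and then hangs up."""
    client, server = socket.socketpair()

    def answer():
        server.recv(4096)
        server.sendall(response)
        server.close()

    threading.Thread(target=answer, daemon=True).start()
    return client


# Slide 9 as plain Python: the rule fires when /etc/resolv.conf names no
# Google resolver. Only "nameserver" directives count, not comments or
# addresses that merely start with 8.8.8.8.
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}


def configured_nameservers(resolv_conf: str) -> list:
    """Addresses from the nameserver directives, in file order."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def resolv_conf_rule(resolv_conf: str) -> bool:
    """Fires (True) when none of the configured resolvers is a Google one."""
    return not (set(configured_nameservers(resolv_conf)) & GOOGLE_DNS)


# Constructed sample resolv.conf contents for a stand-alone run.
RESOLV_GOOGLE = "# Generated by NetworkManager\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n"
RESOLV_INTERNAL = "search corp.example\nnameserver 10.0.0.53\n# nameserver 8.8.8.8 (disabled)\n"

if __name__ == "__main__":
    print("web 200 fires:", http_banner_rule(fake_target(b"HTTP/1.1 200 OK\r\n\r\n")))
    print("web 404 fires:", http_banner_rule(fake_target(b"HTTP/1.1 404 Not Found 200\r\n\r\n")))
    print("internal DNS fires:", resolv_conf_rule(RESOLV_INTERNAL))
    print("google DNS fires:", resolv_conf_rule(RESOLV_GOOGLE))
```

The Offset/Length window matters: a 404 page whose body happens to contain "200" must not pass, which is why the check is applied to the 12-byte slice rather than the whole buffer. For a live scan, replace `fake_target(...)` with `probe_host(host, port)`.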
