© 2018 Denim Group – All Rights Reserved
Building a world where technology is trusted.
Reducing Attack Surface in Budget Constrained Environments
John B. Dickson, CISSP #4649
@johnbdickson
Background
• AFCERT Analyst
• 20+ Year Security Professional
• Denim Group Principal
• ISSA Distinguished Fellow
• Security Conference Speaker
• Dark Reading Columnist
Denim Group | Company Background
• Trusted advisor on all matters of software risk
• External application & network assessments
• Web, mobile, and cloud
• Software development lifecycle development (SDLC) consulting
• Network and infrastructure where applications reside
• Managed security services
• Developed
The Conventional Network
The Evolving Enterprise
The New Network
Increasing External Pressures & Threats
There are two types of organizations in the world…
1. Targeted
2. Targets of Opportunity
• 2/3 of all attacks go undetected
• Leading cause: inadvertent activity
If you are not #1, your challenge is to not become #2
Increasing External Pressures & Threats
Commercialization and Specialization of the Threat
• Sophisticated marketplace of underground suppliers
• Increased specialization of threat actors
• Malware developers
• Call centers
• Card scammers
• “Verticalization” of the Threat
• Ability to adapt and capitalize on current events more quickly
Increasing External Pressures & Threats
Sophisticated Malware and Ransomware
• Sophisticated marketplace drives more responsive attacks able to adapt and scale
• Ability to highly automate attacks expands attack footprint
• Sophisticated attacks no longer the worry of only the largest organizations
• Focus back on availability for the SMB, which has always been a challenge
Security Budgets: The Starting Point
• Some have lost the game before getting on the field
• Competing against:
  • Company pet projects
  • Legacy support requirements
  • Current events
• Information security as the “silent service” – Rich Baich, Wells Fargo CISO
• Source: “Winning as a CISO,” Rich Baich
Getting Your Security Budget Approved Without FUD
• Exploit Pet Projects
• Account for Culture
• Tailor to Your Specific Vertical
• Consciously Cultivate Credibility and Relationships
• Capitalize on Timely Events
• Capture Successes & Over-Communicate
Source: RSA 2014, “Getting Your Security Budget Approved Without FUD”
Attack Surface: The Security Officer’s Journey
• Two Dimensions:
• Perception of Software Attack Surface
• Insight into Exposed Assets
[Figure: chart with two axes, Perception and Insight]
Attack Surface: The Security Officer’s Journey
• As perception of the problem of attack surface widens, the scope of the problem increases
[Figure: chart with axes Perception and Insight, built up across slides 13–17 as perception widens to include Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications]
Attack Surface: The Security Officer’s Journey
• Discovery activities increase insight
[Figure: chart with axes Perception and Insight, repeated across slides 18–20 with Web Applications as insight grows through discovery]
Attack Surface: The Security Officer’s Journey
• Over time you end up with a progression
[Figure: chart with axes Perception and Insight, built up across slides 21–25 showing the progression: Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications]
Attack Surface: The Security Officer’s Journey
• When you reach this point it is called “enlightenment”
• You won’t reach this point
[Figure: chart with axes Perception and Insight covering Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications]
Suggested Strategy #1
• Understand your Attack Surface - General
  • …and where your company’s most sensitive client data lives
  • Tailor rigorous testing to agreed-upon threat
  • Don’t forget mobile/cloud/social media
  • Regularly conduct penetration tests mimicking your most likely threat
Suggested Strategy #1 (Continued)
• Understand your Attack Surface - External
  • Conduct monthly (or quarterly) network and application vulnerability tests to eliminate most obvious vulnerabilities
  • Consider quarterly phishing campaigns using context from firm clients
  • Review DNS registry & shared secret
  • Conduct social engineering exercise with firm leadership buy-in
  • Identify 3rd-party network connections or federated trust relationships
Suggested Strategy #2
• Protect Information at Rest and in Transit
  • Tailor DLP to organization’s needs
  • Implement at desktop, gateway, or federated entry points
  • Disable USBs through technology acquisition or Active Directory (AD) Group Policy Objects (GPO)
  • Example: IEEE 802.1X-authenticated wired connections through Group Policy
  • Implement trusted syslog logging for admins
  • Test portal authorization implementation with manual testing
  • Secure 3rd-party FTP or mail service for most sensitive documents (obviously)
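As an added example (not from the deck), a PowerShell check that verifies on an endpoint whether the USB and 802.1X controls above actually took effect: it reads the USBSTOR driver start value, the Removable Storage Access policy key that the GPO writes, and the state of the Wired AutoConfig service. The function name is an assumption of this example; the registry paths and service name are standard Windows locations.

```powershell
# Added example, not part of the original deck: verify on an endpoint that the
# USB/GPO controls from Suggested Strategy #2 actually took effect.
# Function name is this example's own; registry paths are standard Windows locations.
function Test-RemovableStorageControls {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName           = $env:COMPUTERNAME
        UsbStorDriverStart     = $null   # 3 = start on demand (enabled), 4 = disabled
        PolicyDenyAll          = $null   # 1 when "Removable Disks: Deny all access" applies
        UsbStorageBlocked      = $false
        WiredAutoConfigRunning = $false  # required for 802.1X on wired connections
    }

    # Driver-level block: Start = 4 keeps usbstor.sys from loading for new devices.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                            -Name Start -ErrorAction SilentlyContinue
    if ($null -ne $svc) { $result.UsbStorDriverStart = [int]$svc.Start }

    # Policy-level block: the Removable Storage Access GPO writes Deny_All under the
    # disk device-class GUID {53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\' +
                  '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    $pol = Get-ItemProperty -Path $policyPath -Name Deny_All -ErrorAction SilentlyContinue
    if ($null -ne $pol) { $result.PolicyDenyAll = [int]$pol.Deny_All }

    $result.UsbStorageBlocked = ($result.UsbStorDriverStart -eq 4) -or
                                ($result.PolicyDenyAll -eq 1)

    # Wired 802.1X (the slide's example) depends on the Wired AutoConfig service (dot3svc).
    $dot3 = Get-Service -Name dot3svc -ErrorAction SilentlyContinue
    $result.WiredAutoConfigRunning = ($null -ne $dot3 -and $dot3.Status -eq 'Running')

    [pscustomobject]$result
}

# Report, flagging hosts where neither USB control is in place.
$report = Test-RemovableStorageControls
$report | Format-List
if (-not $report.UsbStorageBlocked) {
    Write-Warning "USB mass storage is NOT blocked on $($report.ComputerName)"
}
```

Run it under an account that can read HKLM, and feed the output into whatever inventory or SIEM you already collect from endpoints so drift from the GPO shows up as an alert rather than a surprise.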
Suggested Strategy #2 (Continued)
• Protect Information at Rest and in Transit
  • Roll out mobile device management for all mobile devices implementing:
    • Remote wipe, OTA updates, containers, etc.
  • Deploy full disk encryption on ALL laptops
  • Roll out next-generation anti-virus and malware detection
  • Enable alerting for key events
Suggested Strategy #2 (Even more!)
• Protect Information at Rest and in Transit
  • Consider 2-factor authentication or tokens for:
    • Administrative accounts
    • Particularly sensitive client documents
  • And don’t forget! Implement encrypted email at all times!
Suggested Strategy #3
• Reduce your External Attack Surface
  • Implement organization-wide patching
  • Understand the risks of 3rd-party CMS or portal software
  • Catalog trusted entry points from 3rd parties
  • Ensure your web-facing sites are devoid of SQL injection/XSS vulnerabilities
  • Start to build a “defense in depth” approach to your organization
Suggested Strategy #4
• Be Able to Identify an Attack
  • Deeply understand your “base” network and application operations tempo
  • Do you regularly monitor network stats?
  • Build the competency to regularly review key events via logging
  • IPS/IDS + SEM if you’re big enough to warrant the capability
  • Exfiltration logging for after the fact
Suggested Strategy #5
• Don’t go it alone!
  • Gain and maintain a trusted relationship with an organization that understands firm risk and can conduct knowledge transfer
  • Particularly given the broad technology stack
  • Consider a Managed Security Services Provider (MSSP) for 24/7 coverage
  • Have a relationship with an IR and crisis communication firm
Why Is This Important to You?
• Budget will remain constrained
• Threats are adapting and metastasizing faster than defenders can respond
• Attack surface is constantly in flux
John B. Dickson, CISSP
@johnbdickson
www.denimgroup.com
Questions and Answers
