Securing Systems: Still Crazy After All These Years
Scan the QR code for handouts, or email sawaba@zip.sh with TacticalEdge2019 as the subject.
whoami
Defender - 9 years (Financial Services)
Consultant - 5 years (Pen Testing, PCI)
Industry Analyst - 4 years (451 Research)
Research - 2 years (Savage Security, Threatcare, NopSec)
@sawaba
Why is it so hard to secure systems?
Can the cycle of stress and worry be broken?
Cybersecurity is a difficult job
http://rafeeqrehman.com/2018/05/21/ciso-mindmap-2018-what-do-infosec-professionals-really-do/
Constantly Changing Attackers/Threats
Yesterday: Exploit Kits, Botnets
Today: Ransomware, Cryptojacking
Tomorrow: 5G? The CFO’s car?
https://www.pentestpartners.com/security-blog/gone-in-six-seconds-exploiting-car-alarms/
Emerging Technologies
We still haven’t solved BYOD yet!
But now we have:
• cloud
• IoT
• privacy frameworks (e.g. GDPR)
• SaaS versions of everything
• cryptomining
• supply chain tampering...
SO MUCH attack surface
SO MANY untrusted networks
No real ‘guide’ to maturity
We’re largely making it up as we go...
So many types of devices, apps, systems
Database servers
Email servers
Storage (SAN) systems
MDM/EMM
SAP CRM/HCM/BI-BW
SAP HANA
Internal Web Apps
AWS
Azure
SaaS providers
Apache, IIS, DNN, PHP
Windows 7, 10 endpoints
MacOS endpoints
iPads
iPhones
Chromebooks
Android Phones
Windows Servers (2008, 2008R2, 2012, 2012R2, 2016)
Printers
Print Servers
Security Products
Backup Servers/Systems
Firewalls
Routers
Switches
Load balancers
Wireless LAN infrastructure
Telecom Servers
VOIP equipment
Telepresence Systems
Time Clocks
IP Cameras
Noisy Security Products
Inherited Problems and Challenges
• Lack of support from board, executives, IT...
• Employee retention
• Abandoned projects
• Poorly planned purchases
• Legacy systems
• Regulatory deadlines
• Broken products and processes
• Many more!
What can we do?
Where do we start?
Help!
The Basics, of course!
The Basics are DIFFICULT
There’s nothing basic about The Basics
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
BASIC?!?
Let’s get MORE basic
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
Let’s get MORE basic
1. Asset Discovery and Management
2. Vulnerability Management
3. Hardening
Don’t focus too much on any one area
Some assets won’t be targets.
Most vulnerabilities aren’t important.
Some hardening is overkill.
Products can kill progress.
Asset Discovery and Management
You must know what you have before you can protect it
Getting Started
Hardware Assets
● Servers
● Network Devices
● Workstations
● Laptops
● Phones
● IoT
● Printers
● Industrial
Locations
● Datacenters
● Offices
● Employee Homes
● Hosting Providers
● Cloud
Software Assets
● Operating Systems
● Firmware
● Server Software
● Internal Code
● 3rd party libraries
● User Applications
● Websites
Asset Discovery Strategies
1. Active Network Scanning
2. Passive Scanning
3. Agents
4. ‘Ask’ the Network
Situational Awareness is the goal!
Resources
• Nmap (free)
• NetDB (free)
• Vulnerability Scanners
• Passive Scanners
• Commercial
– Axonius
– Awake Security
– Senrio Insight
– ForeScout
– Others...
What if...
New asset notifications were instant?
NAC was easier?
Zero Trust/Beyondcorp was easier?
https://www.fing.com/products/fingbox/
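An added example (not from the talk or its author) that puts the four discovery strategies together: observations from an active scan, a passive sensor, an endpoint agent and the DHCP server ('asking the network') are merged into one inventory keyed by MAC address (falling back to IP when a source cannot see layer 2), then compared against the known-asset list so that a never-before-seen device is reported as soon as any source observes it, and devices that only one strategy can see are flagged as coverage gaps. Every record, MAC, hostname and the known-asset list below is constructed sample data.

```python
"""Merge asset observations from several discovery strategies and flag
assets the inventory has never seen. Added example; all data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Observation:
    source: str              # discovery strategy: active, passive, agent, dhcp
    ip: str
    mac: Optional[str]       # None when the source cannot see layer 2
    hostname: Optional[str]
    seen: datetime


@dataclass
class Asset:
    key: str
    ips: Set[str] = field(default_factory=set)
    hostnames: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def asset_key(obs: Observation) -> str:
    # MAC is the most stable identity on a LAN; an active scan across a router
    # only sees the IP, so fall back to that.
    return ("mac:" + obs.mac.lower()) if obs.mac else ("ip:" + obs.ip)


def reconcile(observations: List[Observation]) -> Dict[str, Asset]:
    """Collapse observations from every source into one record per asset."""
    assets: Dict[str, Asset] = {}
    for o in observations:
        key = asset_key(o)
        a = assets.setdefault(key, Asset(key=key))
        a.ips.add(o.ip)
        a.sources.add(o.source)
        if o.hostname:
            a.hostnames.add(o.hostname)
        a.first_seen = o.seen if a.first_seen is None else min(a.first_seen, o.seen)
        a.last_seen = o.seen if a.last_seen is None else max(a.last_seen, o.seen)
    return assets


def new_assets(assets: Dict[str, Asset], known_keys: Set[str], now: datetime,
               window: timedelta = timedelta(hours=24)) -> List[str]:
    """Assets absent from the CMDB and first observed inside the window:
    the 'instant new asset notification' the slide asks for."""
    return sorted(k for k, a in assets.items()
                  if k not in known_keys and now - a.first_seen <= window)


def single_source_assets(assets: Dict[str, Asset]) -> List[str]:
    """Assets only one strategy can see: candidates for a coverage gap
    (agent missing, subnet not scanned, sensor not seeing the segment)."""
    return sorted(k for k, a in assets.items() if len(a.sources) == 1)


# Constructed sample observations (not real scan output).
NOW = datetime(2019, 5, 1, 12, 0)
SAMPLE = [
    Observation("active", "10.0.1.10", "00:11:22:aa:bb:01", "web01", NOW - timedelta(hours=2)),
    Observation("agent", "10.0.1.10", "00:11:22:AA:BB:01", "web01", NOW - timedelta(minutes=5)),
    Observation("dhcp", "10.0.1.55", "00:11:22:aa:bb:55", None, NOW - timedelta(minutes=30)),
    Observation("passive", "10.0.1.55", "00:11:22:aa:bb:55", None, NOW - timedelta(minutes=20)),
    Observation("active", "10.0.9.7", None, "printer-3f", NOW - timedelta(days=3)),
    Observation("agent", "10.0.1.21", "00:11:22:aa:bb:21", "lt-asmith", NOW - timedelta(minutes=1)),
]
# Constructed CMDB contents: the new DHCP client on 10.0.1.55 is not in it.
KNOWN = {"mac:00:11:22:aa:bb:01", "mac:00:11:22:aa:bb:21", "ip:10.0.9.7"}

if __name__ == "__main__":
    inventory = reconcile(SAMPLE)
    print("new assets:", new_assets(inventory, KNOWN, NOW))
    print("seen by one source only:", single_source_assets(inventory))
```

In practice the observation lists come from parsing scanner output, sensor exports, agent check-ins and DHCP lease tables; the reconciliation and alerting logic stays the same.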
Addressing Vulnerability Fatigue
If everything is critical, nothing can be critical
The problem hasn’t changed; it got worse
Timeline, running from High Signal, Low Noise (left) to High Noise, Low Signal (right):
pre-2003: Early Days - Nessus was open-source, early commercial scanners.
2003-2006: Early Vuln Scanner Funding.
2006-2013: Haystack construction - researchers must create a minimum number of vuln checks and/or exploits to get bonuses.
2013 - : Full Haystack - we can’t find anything meaningful anymore.
The problem hasn’t changed; it got worse
Thousands of different kinds of assets
Hundreds of thousands of unique vulnerabilities
Millions of different potential misconfigurations
Only a few dozen likely to result in a breach.
Vulnerability data lacks credibility
From NopSec’s 2018 annual SOV report:
1. 21% of CVEs have public exploits
2. 1.6% have Metasploit modules
3. 1.92% are associated with malware
4. 95% of high vulns have never been exploited in the wild
5. 44% of CVEs associated with malware were scored medium or low
Solutions?
Prioritization
Is it in Metasploit?
Patch quickly when you can.
Mitigate when you can’t.
“Build systems as if there is always a zero day and the patch is never coming.”
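An added example (not from the talk or its author) of the prioritization the slides argue for: findings are ranked by evidence of real-world exploitation (a Metasploit module, a malware association, a public exploit) and by exposure, with the scanner's severity label used only as a tie-breaker, and each finding gets an action of patch quickly, mitigate when you cannot patch, or handle in the routine cycle. The finding records, their ids and the weights are constructed for illustration; the signals themselves are the ones the NopSec figures above are about.

```python
"""Rank vulnerability findings by exploitation evidence, not CVSS alone.
Added example; the findings and the weights are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    finding_id: str          # placeholder id, not a real CVE number
    severity: str            # scanner label: low | medium | high | critical
    public_exploit: bool     # a public proof-of-concept exists
    metasploit_module: bool  # 'Is it in Metasploit?'
    malware_associated: bool # used by malware seen in the wild
    internet_facing: bool    # reachable from outside, per the asset inventory
    patch_available: bool    # vendor fix exists


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
EXPEDITE_THRESHOLD = 30  # constructed cut-off between expedited and routine handling


def priority_score(f: Finding) -> int:
    """Higher means more urgent. Exploitation evidence dominates; the
    severity label only separates otherwise-equal findings."""
    score = 0
    if f.metasploit_module:
        score += 40          # weaponised and point-and-click
    if f.malware_associated:
        score += 30          # already used in campaigns
    elif f.public_exploit:
        score += 20          # a PoC exists but still needs work
    if f.internet_facing:
        score += 20
    score += SEVERITY_RANK[f.severity] * 2
    return score


def recommended_action(f: Finding) -> str:
    """Patch quickly when you can, mitigate when you can't, otherwise routine."""
    if priority_score(f) < EXPEDITE_THRESHOLD:
        return "routine"
    return "expedite-patch" if f.patch_available else "expedite-mitigate"


def prioritize(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=lambda f: (-priority_score(f), f.finding_id))


def exploit_share(findings: List[Finding]) -> float:
    """Fraction of findings with any public exploit (the 21%-style figure)."""
    return sum(1 for f in findings if f.public_exploit) / len(findings)


# Constructed sample findings (ids are placeholders, not CVE identifiers).
SAMPLE = [
    Finding("EX-0001", "high", False, False, False, True, True),
    Finding("EX-0002", "medium", True, True, True, False, False),
    Finding("EX-0003", "critical", True, False, False, True, True),
    Finding("EX-0004", "low", False, False, False, False, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f.finding_id, f.severity, priority_score(f), recommended_action(f))
```

The medium-rated finding with a Metasploit module and a malware association comes out on top of the high-rated one with no known exploit, which is exactly the reordering the NopSec numbers call for.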
Hardening
What if a few simple changes could stop most attacks?
How important is hardening?
SO IMPORTANT!
It costs you nothing.
It stops most of the attacks.
It doesn’t stop zero-day attacks.
You probably shouldn’t be worrying about zero-day attacks.
Hardening Windows
Low-Hanging Fruit
1. Migrate to Windows 10
2. Use Defender
3. Restrict admin rights when possible
4. Don’t allow use of Flash or Java browser plugins
5. Office Macro restrictions
6. Powershell restrictions
7. Review CIS benchmarks
Hardening, what’s the goal?
Perfection
Survivability
Durability
Resilience
Problem: We typically don’t test controls
Resources (all free!)
Infection Monkey
RITA
Breach Impact Assessment Report Sample
Blue Team CTF (OpenSOC)
The Big Picture: Where are we?
Cyber Defense Matrix by Sounil Yu: rows are asset classes (Devices, Applications, Network, Data, People), columns are the functions Identify, Protect, Detect, Respond, Recover, and the bottom axis shows the degree of dependence on People, Process, Technology (technology dominates on the left, people on the right, with process throughout).
Where ‘The Basics’ land: Asset Discovery sits under Identify; Vuln Mgmt and Hardening sit under Protect.
What else is there?
IDENTIFY (proactive): Vuln Scan, Asset Discovery, TVM, Pen Test
PREVENT (proactive): IPS, AV, Patch, Mitigate (e.g. WAF), Harden
DETECT (reactive): EDR, IDS, SIEM, SoC, Threat Hunting
RESPOND (reactive): Manual Incident Response Tasks, Forensics, IR, SOAR
RECOVER (reactive): Backups, BCP/DR
What’s my ACTUAL Risk/Posture?
The ‘Basics’ and what else is there? Cyber Defense Matrix, one row per asset class, columns Identify / Protect / Detect / Respond / Recover (Identify and Protect are proactive, Detect, Respond and Recover are reactive):
Devices: Identify: Vuln Scanning, Asset mgmt, CMDB | Protect: Anti-virus, NGAV, Patch, Hardening | Detect: EDR, SIEM, SOC | Respond: EDR, SOAR, manual IR | Recover: Backups, reimage
Applications: Identify: App Scanning | Protect: WAF, Hardening | Detect: WAF, SIEM | Respond: WAF, SOAR, manual IR | Recover: Backups
Network: Identify: PCAP, Netflow | Protect: Firewall/NGFW, IPS | Detect: IDS, SIEM, NBAD | Respond: Anti-DDoS, Firewall, ACLs, manual IR | Recover: Rebuild network
Data: Identify: Data labeling, Data discovery | Protect: Encryption, DLP | Detect: DLP, Anti-Fraud | Respond: DRM, IRM, revoke keys/certs | Recover: Backups
People: Identify: Directory services, badges | Protect: Security awareness, anti-phishing | Detect: UBA, UBEA | Respond: Table-tops | Recover: DR/BCP procedures
Bottom axis: degree of dependence on People, Process, Technology.
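An added example (not from the talk or Sounil Yu's own material) of using the matrix to answer "what's my ACTUAL posture?": an organisation's controls are tagged with an asset class and a function, laid into the 5x5 grid, and the code reports the empty cells, how many asset classes each function covers, and the proactive versus reactive balance. The control inventory below is a constructed sample of a small environment; the matrix axes are the ones on the slide.

```python
"""Lay a control inventory onto the Cyber Defense Matrix and report gaps.
Added example; the control list is constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

ASSET_CLASSES = ("Devices", "Applications", "Network", "Data", "People")
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
PROACTIVE = {"Identify", "Protect"}          # left of the matrix: before an incident
REACTIVE = {"Detect", "Respond", "Recover"}  # right of the matrix: during and after

Cell = Tuple[str, str]
Control = Tuple[str, str, str]  # (control name, asset class, function)


def build_matrix(controls: Iterable[Control]) -> Dict[Cell, List[str]]:
    """Return every cell of the grid (row-major) with the controls in it."""
    cells: Dict[Cell, List[str]] = {(a, f): [] for a in ASSET_CLASSES for f in FUNCTIONS}
    for name, asset_class, function in controls:
        cell = (asset_class, function)
        if cell not in cells:
            raise ValueError(f"unknown cell {cell} for control {name!r}")
        cells[cell].append(name)
    return cells


def gaps(cells: Dict[Cell, List[str]]) -> List[Cell]:
    """Cells with no control at all, in row-major order."""
    return [cell for cell, names in cells.items() if not names]


def coverage_by_function(cells: Dict[Cell, List[str]]) -> Dict[str, int]:
    """How many of the five asset classes each function covers (0-5)."""
    covered = defaultdict(int)
    for (_, function), names in cells.items():
        if names:
            covered[function] += 1
    return {f: covered[f] for f in FUNCTIONS}


def posture_balance(cells: Dict[Cell, List[str]]) -> Tuple[int, int]:
    """(proactive cells covered, reactive cells covered)."""
    proactive = sum(1 for (_, f), n in cells.items() if n and f in PROACTIVE)
    reactive = sum(1 for (_, f), n in cells.items() if n and f in REACTIVE)
    return proactive, reactive


# Constructed control inventory for a small environment.
SAMPLE_CONTROLS = [
    ("network asset scan", "Devices", "Identify"),
    ("CMDB", "Devices", "Identify"),
    ("patch management", "Devices", "Protect"),
    ("endpoint anti-virus", "Devices", "Protect"),
    ("EDR", "Devices", "Detect"),
    ("EDR", "Devices", "Respond"),
    ("nightly backups", "Devices", "Recover"),
    ("DAST scanning", "Applications", "Identify"),
    ("WAF", "Applications", "Protect"),
    ("firewall", "Network", "Protect"),
    ("IDS", "Network", "Detect"),
    ("security awareness training", "People", "Protect"),
    ("database backups", "Data", "Recover"),
]

if __name__ == "__main__":
    grid = build_matrix(SAMPLE_CONTROLS)
    print("empty cells:", gaps(grid))
    print("asset classes covered per function:", coverage_by_function(grid))
    print("proactive vs reactive cells covered:", posture_balance(grid))
```

On the constructed inventory the output shows the familiar shape: Devices fully covered, Protect the best-covered function, and nothing at all under Detect or Respond for Applications, Data and People, which is where the Equifax failures discussed later cluster as well.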
Perspective and Positivity
Choose to see and approach things differently
Change your perspective
“Attackers only have to succeed once - defenders
can never make a mistake!”
“There’s two types of companies: those that have
been breached and those that don’t yet know
they’ve been breached.”
Change your perspective
Use events or scenarios to drive security, not
checklists
Breaches kill companies?
NO. Well, it DOES happen, but it is very rare.
1. CardSystems
2. OnlyHonest
3. Code Spaces
4. DigiNotar
5. Precedent
6. Distribute.IT
7. HBGary Federal
8. Blue Frog
9. Bitcoin wallet providers during the Mt. Gox failure
Equifax Process and Control Failures
1. No asset inventory (CSC01)
2. No software inventory (CSC02)
3. No file integrity monitoring
4. No network segmentation
5. Broken SSL Visibility Appliance
6. Broken SSLV failed open
7. SSLV lacked certs for key systems
8. SAST failed to find Struts (user error)
9. No anomaly detection on web servers
10. Custom snort rule didn’t work
11. Custom snort rule wasn’t tested.
12. Network scanner didn’t find Struts
13. Failed to detect webshells
14. Failed to detect interactive activity
15. File with cleartext creds accessible
16. Additional database access
17. DB queries were not restricted
18. No DB anomaly monitoring
19. No field-level encryption in DBs
20. No data exfiltration detection
21. DAST scanning failed to detect vulns
22. Ineffective IR plan/procedures
23. No owners assigned to apps or DBs
24. Comms issues due to corp structure
25. Lack of accountability in processes
26. Patching process lacked follow up
27. Old audit findings were not addressed
28. Insecure NFS configs
29. Logs retained for less than 30 days
Equifax Process and Control Failures, mapped onto the Cyber Defense Matrix (numbers refer to the list above; columns Identify / Protect / Detect / Respond / Recover):
Devices: Identify: 1, 12, 23 | Protect: 28 | Detect: 29
Applications: Identify: 2, 8, 21 | Detect: 3, 9, 13, 14
Network: Protect: 4, 5, 6, 7, 16 | Detect: 10, 11, 20
Data: Identify: 15 | Protect: 16, 17, 19 | Detect: 17, 18, 20
People: Identify: 24 | Protect: 25, 26, 27 | Detect: 10, 11 | Respond: 22
Bottom axis: degree of dependence on People, Process, Technology.
Recap and recommendations
• Security is large, broad and difficult
– get help where you can
– make friends with IT and others
• The Basics are important - don’t skip them
– even if they’re difficult
– even if they’re boring
• CIS is a helpful roadmap (also PCI, ISO 27k, etc)
– you don’t have to do it in exact order
– you don’t have to do it all at once
• Don’t let the news/media discourage you
– they always make it sound worse than it is
• Study breaches!
• Communicate with peers. Share information.
What to do after this presentation?
1. Think of events and scenarios you want to prevent
2. How do you simulate them?
3. Discuss them. Do tabletop exercises.
4. Create a roadmap with goals for processes
5. Don’t worry about all “The Basics” - go after low-hanging fruit first
Bonus Resources!
Breach Impact Report Sample
CISO Mind Map
CISO Guide to Working with Startups
Scan the QR code for handouts
OR email sawaba@zip.sh with TacticalEdge2019 as the subject.
QUESTIONS?
asanabria@nopsec.com
@sawaba

More Related Content

What's hot

Veezo - Virtual Security Officer
Veezo - Virtual Security OfficerVeezo - Virtual Security Officer
Veezo - Virtual Security Officer
Dirk Cipido
 

What's hot (20)

NTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John WhitedNTXISSACSC2 - Software Assurance (SwA) by John Whited
NTXISSACSC2 - Software Assurance (SwA) by John Whited
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
 
The Cost of Doing Nothing: A Ransomware Backup Story
The Cost of Doing Nothing: A Ransomware Backup StoryThe Cost of Doing Nothing: A Ransomware Backup Story
The Cost of Doing Nothing: A Ransomware Backup Story
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonPractical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} Hackathon
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
Vulnerability Management V0.1
Vulnerability Management V0.1Vulnerability Management V0.1
Vulnerability Management V0.1
 
7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited Resources7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited Resources
 
The Importance of Endpoint Protection - Featuring SEP 14
The Importance of Endpoint Protection - Featuring SEP 14The Importance of Endpoint Protection - Featuring SEP 14
The Importance of Endpoint Protection - Featuring SEP 14
 
Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018
 
Veezo - Virtual Security Officer
Veezo - Virtual Security OfficerVeezo - Virtual Security Officer
Veezo - Virtual Security Officer
 
Top Tactics For Endpoint Security
Top Tactics For Endpoint SecurityTop Tactics For Endpoint Security
Top Tactics For Endpoint Security
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Chris Haley - Understanding Attackers' Use of Covert Communications
Chris Haley - Understanding Attackers' Use of Covert CommunicationsChris Haley - Understanding Attackers' Use of Covert Communications
Chris Haley - Understanding Attackers' Use of Covert Communications
 
Vulnerability management today and tomorrow
Vulnerability management today and tomorrowVulnerability management today and tomorrow
Vulnerability management today and tomorrow
 
Endpoint Security Evasion
Endpoint Security EvasionEndpoint Security Evasion
Endpoint Security Evasion
 

Similar to Securing Systems - Still Crazy After All These Years

Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
Mike Spaulding
 
2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm
azfayel
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
Norm Barber
 

Similar to Securing Systems - Still Crazy After All These Years (20)

Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log Management
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat Management
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability Scanner
 
New Horizons SCYBER Presentation
New Horizons SCYBER PresentationNew Horizons SCYBER Presentation
New Horizons SCYBER Presentation
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
 
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
GISEC 2015 Your Network in the Eyes of a Hacker - DTS SolutionGISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Managing security threats in today’s enterprise
Managing security threats in today’s enterpriseManaging security threats in today’s enterprise
Managing security threats in today’s enterprise
 

More from Adrian Sanabria

Lies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix EnigmaLies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix Enigma
Adrian Sanabria
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Adrian Sanabria
 

More from Adrian Sanabria (20)

Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
 
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
 
Lies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix EnigmaLies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix Enigma
 
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...
Indistinguishable from Magic: How the Cybersecurity Market Reached a Trillion...
 
2019 InfoSec Buyer's Guide
2019 InfoSec Buyer's Guide2019 InfoSec Buyer's Guide
2019 InfoSec Buyer's Guide
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
The Products We Deserve
The Products We DeserveThe Products We Deserve
The Products We Deserve
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
From due diligence to IoT disaster
From due diligence to IoT disasterFrom due diligence to IoT disaster
From due diligence to IoT disaster
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017
 
451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?451 AppSense Webinar - Why blame the user?
451 AppSense Webinar - Why blame the user?
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps Overview
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletin
 
RSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to StartupsRSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to Startups
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
 
Ten Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfTen Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard Of
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not NightmaresHybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
 
Why does InfoSec play bass?
Why does InfoSec play bass?Why does InfoSec play bass?
Why does InfoSec play bass?
 

Recently uploaded

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 

Securing Systems - Still Crazy After All These Years

  • 1. Securing Systems: Still Crazy After All These Years Scan the QR code for handouts, or email sawaba@zip.sh with TacticalEdge2019 as the subject.
  • 2. whoami Defender - 9 years Financial Services Consultant - 5 years Pen Testing, PCI Industry Analyst - 4 years 451 Research Research - 2 years Savage Security, Threatcare, NopSec @sawaba
  • 3. 3 Why is it so hard to secure systems? Can the cycle of stress and worry be broken?
  • 4. Cybersecurity is a difficult job http://rafeeqrehman.com/2018/05/21/ciso-mindmap-2018-what-do-infosec-professionals-really-do/
  • 5. Constantly Changing Attackers/Threats Yesterday: Exploit Kits, Botnets Today: Ransomware, Cryptojacking Tomorrow: 5G? The CFO’s car? https://www.pentestpartners.com/security-blog/gone-in-six-seconds-exploiting-car-alarms/
  • 6. Emerging Technologies We still haven’t solved BYOD yet! But now we have: • cloud • IoT • privacy frameworks (e.g. GDPR) • SaaS versions of everything • cryptomining • supply chain tampering...
  • 7. SO MUCH attack surface SO MANY untrusted networks
  • 8. No real ‘guide’ to maturity We’re largely making it up as we go...
  • 9. So many types of devices, apps, systems Database servers Email servers Storage (SAN) systems MDM/EMM SAP CRM/HCM/BI-BW SAP HANA Internal Web Apps AWS Azure SaaS providers Apache, IIS, DNN, PHP Windows 7, 10 endpoints MacOS endpoints iPads iPhones Chromebooks Android Phones Windows Servers (2008, 2008R2, 2012, 2012R2, 2016) Printers Print Servers Security Products Backup Servers/Systems Firewalls Routers Switches Load balancers Wireless LAN infrastructure Telecom Servers VOIP equipment Telepresence Systems Time Clocks IP Cameras
  • 11. Inherited Problems and Challenges • Lack of support from board, executives, IT... • Employee retention • Abandoned projects • Poorly planned purchases • Legacy systems • Regulatory deadlines • Broken products and processes • Many more!
  • 12.
  • 13. 13 What can we do? Where do we start? Help!
  • 14. The Basics, of course!
  • 15. The Basics are DIFFICULT
  • 16. There’s nothing basic about The Basics 1. Inventory and Control of Hardware Assets 2. Inventory and Control of Software Assets 3. Continuous Vulnerability Management 4. Controlled Use of Administrative Privileges 5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers 6. Maintenance, Monitoring and Analysis of Audit Logs BASIC?!?
  • 17. Let’s get MORE basic 1. Inventory and Control of Hardware Assets 2. Inventory and Control of Software Assets 3. Continuous Vulnerability Management 4. Controlled Use of Administrative Privileges 5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers 6. Maintenance, Monitoring and Analysis of Audit Logs
  • 18. Let’s get MORE basic 1. Asset Discovery and Management 2. Vulnerability Management 3. Hardening
  • 19. Don’t focus too much on any one area Some assets won’t be targets. Most vulnerabilities aren’t important. Some hardening is overkill. Products can kill progress.
  • 20. 20 Asset Discovery and Management You must know what you have before you can protect it
  • 21. Getting Started Hardware Assets ● Servers ● Network Devices ● Workstations ● Laptops ● Phones ● IoT ● Printers ● Industrial Locations ● Datacenters ● Offices ● Employee Homes ● Hosting Providers ● Cloud Software Assets ● Operating Systems ● Firmware ● Server Software ● Internal Code ● 3rd party libraries ● User Applications ● Websites
  • 22. Asset Discovery Strategies 1. Active Network Scanning 2. Passive Scanning 3. Agents 4. ‘Ask’ the Network Situational Awareness is the goal! Resources • Nmap (free) • NetDB (free) • Vulnerability Scanners • Passive Scanners • Commercial – Axonius – Awake Security – Senrio Insight – ForeScout – Others...
  • 23. What if... New asset notifications were instant? NAC was easier? Zero Trust/Beyondcorp was easier? https://www.fing.com/products/fingbox/
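The four discovery strategies on slide 22 (active scan, passive scanning, agents, asking the network) and the instant new-asset notification on slide 23 only pay off once their results are merged and compared against what you think you own. The script below is an added example, not code from the deck or from any of the products it names: it folds constructed sightings from each strategy into one inventory keyed by MAC, then flags assets missing from a constructed CMDB, assets no source has seen recently, and assets only one strategy can see. All MACs, IPs, hostnames and timestamps are made up.

```python
"""Reconcile asset sightings from several discovery sources into one inventory.
Added example with constructed data; nothing here comes from a real network."""
from datetime import datetime, timedelta

# Constructed sightings. "source" names the strategy that produced the record:
# active scan, passive sniffing, endpoint agent, or asking the network (here a
# DHCP lease table).
SIGHTINGS = [
    {"source": "active",  "mac": "aa:bb:cc:00:00:10", "ip": "10.0.1.10", "hostname": "db01",    "seen": "2019-05-01T08:00:00"},
    {"source": "agent",   "mac": "aa:bb:cc:00:00:10", "ip": "10.0.1.10", "hostname": "db01",    "seen": "2019-05-01T09:30:00"},
    {"source": "dhcp",    "mac": "aa:bb:cc:00:00:77", "ip": "10.0.1.77", "hostname": "",        "seen": "2019-05-01T09:45:00"},
    {"source": "passive", "mac": "aa:bb:cc:00:00:77", "ip": "10.0.1.77", "hostname": "",        "seen": "2019-05-01T09:46:00"},
    {"source": "active",  "mac": "aa:bb:cc:00:00:20", "ip": "10.0.1.20", "hostname": "printer", "seen": "2019-04-01T08:00:00"},
]

# Constructed CMDB: what the organisation believes it owns, keyed by MAC.
CMDB = {"aa:bb:cc:00:00:10": "db01", "aa:bb:cc:00:00:20": "printer"}


def merge_sightings(sightings):
    """One record per MAC: which sources saw it, its latest IP/hostname, last seen."""
    inventory = {}
    for s in sorted(sightings, key=lambda r: r["seen"]):
        rec = inventory.setdefault(
            s["mac"], {"sources": set(), "ip": None, "hostname": "", "last_seen": None})
        rec["sources"].add(s["source"])
        rec["ip"] = s["ip"]
        if s["hostname"]:
            rec["hostname"] = s["hostname"]
        rec["last_seen"] = datetime.fromisoformat(s["seen"])
    return inventory


def unknown_assets(inventory, cmdb):
    """Seen on the wire but recorded nowhere: the 'new asset' notification."""
    return sorted(mac for mac in inventory if mac not in cmdb)


def stale_assets(inventory, now, max_age_days=7):
    """Recorded assets nobody has seen lately: gone, or hiding from the scanners."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(mac for mac, rec in inventory.items() if rec["last_seen"] < cutoff)


def single_source_assets(inventory):
    """Assets only one strategy can see; a second strategy should corroborate them."""
    return sorted(mac for mac, rec in inventory.items() if len(rec["sources"]) == 1)


def report(now_iso="2019-05-01T12:00:00"):
    """Run the three checks against the constructed data at a fixed 'now'."""
    inv = merge_sightings(SIGHTINGS)
    now = datetime.fromisoformat(now_iso)
    return {
        "unknown": unknown_assets(inv, CMDB),
        "stale": stale_assets(inv, now),
        "single_source": single_source_assets(inv),
        "sources": {mac: sorted(rec["sources"]) for mac, rec in inv.items()},
    }


if __name__ == "__main__":
    for kind, macs in report().items():
        print(f"{kind:14} {macs}")
```

The unknown device shows up only in DHCP and passive data, which is exactly the case an active scan on a schedule would miss until its next run; the stale printer was seen only by the active scanner a month ago, so the agent and passive sources have nothing to corroborate it with.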
  • 24. 24 Addressing Vulnerability Fatigue If everything is critical, nothing can be critical
  • 25. The problem hasn’t changed: it got worse. pre-2003 Early Days - Nessus was open-source, early commercial scanners. 2003-2006 Early Vuln Scanner Funding. 2006-2013 Haystack construction - researchers must create a minimum number of vuln checks and/or exploits to get bonuses. 2013 - Full Haystack - we can’t find anything meaningful anymore. (The timeline runs from High Signal, Low Noise to High Noise, Low Signal.)
  • 26. The problem hasn’t changed: it got worse. Thousands of different kinds of assets. Hundreds of thousands of unique vulnerabilities. Millions of different potential misconfigurations. Only a few dozen likely to result in a breach.
  • 27. Vulnerability data lacks credibility From NopSec’s 2018 annual SOV report: 1. 21% of CVEs have public exploits 2. 1.6% have Metasploit modules 3. 1.92% are associated with malware 4. 95% of high vulns have never been exploited in the wild 5. 44% of CVEs associated with malware were scored medium or low
  • 28. Solutions? Prioritization Is it in Metasploit? Patch quickly when you can. Mitigate when you can’t. “Build systems as if there is always a zero day and the patch is never coming.”
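Slides 27 and 28 argue that CVSS severity on its own is a poor guide and that evidence of exploitation (a public exploit, a Metasploit module, an association with malware) should drive the patch-or-mitigate decision. The following is an added example of that prioritisation, not a tool from the deck or from NopSec: it scores constructed findings (the CVE ids are placeholders, not real identifiers) so that a medium-scored vulnerability with a Metasploit module and malware association outranks an unexploited critical, and it turns the score into the slide's two actions, patch quickly when you can and mitigate when you can't. The weights and thresholds are assumptions to be tuned against your own incident history.

```python
"""Exploit-evidence-weighted vulnerability prioritisation. Added example with
constructed findings; CVE-0000-000N are placeholders, not real CVE ids."""

# Constructed findings. The boolean fields mirror the evidence categories the
# slide cites (public exploit, Metasploit module, malware association) plus
# whether the host is internet-exposed and whether a vendor patch exists.
FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "public_exploit": False, "metasploit": False, "malware": False, "exposed": False, "patch_available": True},
    {"cve": "CVE-0000-0002", "cvss": 5.3, "public_exploit": True,  "metasploit": True,  "malware": True,  "exposed": True,  "patch_available": True},
    {"cve": "CVE-0000-0003", "cvss": 7.5, "public_exploit": True,  "metasploit": False, "malware": False, "exposed": False, "patch_available": False},
    {"cve": "CVE-0000-0004", "cvss": 4.0, "public_exploit": False, "metasploit": False, "malware": False, "exposed": True,  "patch_available": True},
]

# Assumed weights: chosen so real-world exploitation evidence dominates CVSS.
WEIGHTS = {"malware": 10.0, "metasploit": 8.0, "public_exploit": 5.0, "exposed": 3.0}
ACT_NOW, SCHEDULE = 15.0, 8.0   # assumed thresholds on the combined score


def priority_score(finding):
    """CVSS as the floor, plus a bonus for each kind of exploitation evidence."""
    score = finding["cvss"]
    if finding["malware"]:
        score += WEIGHTS["malware"]
    if finding["metasploit"]:            # a weaponised module beats a bare PoC
        score += WEIGHTS["metasploit"]
    elif finding["public_exploit"]:
        score += WEIGHTS["public_exploit"]
    if finding["exposed"]:
        score += WEIGHTS["exposed"]
    return score


def recommended_action(finding):
    """Patch quickly when you can, mitigate when you can't; otherwise schedule or track."""
    score = priority_score(finding)
    if score >= ACT_NOW:
        return "patch now" if finding["patch_available"] else "mitigate now"
    if score >= SCHEDULE:
        return "patch in next cycle" if finding["patch_available"] else "mitigate in next cycle"
    return "track"


def prioritize(findings):
    """CVE ids ordered from most to least urgent."""
    return [f["cve"] for f in sorted(findings, key=priority_score, reverse=True)]


if __name__ == "__main__":
    for f in sorted(FINDINGS, key=priority_score, reverse=True):
        print(f"{f['cve']}  cvss={f['cvss']:4}  score={priority_score(f):5.1f}  {recommended_action(f)}")
```

Run it and the CVSS 9.8 finding lands third: without exploit evidence or exposure it is scheduled rather than rushed, while the CVSS 5.3 finding with a Metasploit module and malware association goes to the top, which is the "44% of CVEs associated with malware were scored medium or low" point from slide 27 made concrete.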
  • 29. 29 Hardening What if a few simple changes could stop most attacks?
  • 30. How important is hardening? SO IMPORTANT! It costs you nothing. It stops most of the attacks. It doesn’t stop zero-day attacks. You probably shouldn’t be worrying about zero-day attacks.
  • 31. Hardening Windows Low-Hanging Fruit 1. Migrate to Windows 10 2. Use Defender 3. Restrict admin rights when possible 4. Don’t allow use of Flash or Java browser plugins 5. Office Macro restrictions 6. Powershell restrictions 7. Review CIS benchmarks
  • 32. Hardening, what’s the goal? Perfection Survivability Durability Resilience
  • 33. Problem: We typically don’t test controls
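Slide 31 lists the Windows low-hanging fruit and slide 33 observes that controls typically go untested. The audit below is an added example, not code from the deck: it checks a constructed endpoint snapshot against that list and then re-runs the same checks on a hardened snapshot, so the audit doubles as the control test. The registry paths are the policy locations this example assumes for Defender, Chrome plugins, Office macros and PowerShell; confirm them against the CIS benchmark for your Windows and Office versions before relying on them, and note that an execution policy only blocks accidental script execution, not a determined attacker.

```python
"""Audit an endpoint snapshot against the slide's Windows hardening list.
Added example: snapshots are constructed and registry paths are assumptions."""

# Assumed policy locations (verify against the CIS benchmark for your versions).
DEFENDER_OFF = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"
CHROME_PLUGINS = r"HKLM\SOFTWARE\Policies\Google\Chrome\DefaultPluginsSetting"
WORD_MACROS = r"HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\VBAWarnings"
PS_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy"

# Constructed snapshot of one endpoint before hardening (not a real host).
# "local_admins" stands in for the local Administrators group membership.
SNAPSHOT = {
    "os_version": "Windows 7",
    "local_admins": ["Administrator", "alice"],
    DEFENDER_OFF: 1,              # policy present and set: Defender disabled
    CHROME_PLUGINS: 1,            # 1 = allow plugins (Flash)
    WORD_MACROS: 2,               # 2 = disable with notification (user can enable)
    PS_POLICY: "Unrestricted",
}

# The same host after the six fixes were applied.
HARDENED = {
    "os_version": "Windows 10",
    "local_admins": ["Administrator"],
    DEFENDER_OFF: 0,
    CHROME_PLUGINS: 2,            # 2 = block plugins
    WORD_MACROS: 4,               # 4 = disable all macros without notification
    PS_POLICY: "AllSigned",
}

# (control, snapshot key, predicate on the observed value, remediation hint)
BASELINE = [
    ("1. Migrate to Windows 10", "os_version",
     lambda v: str(v).startswith("Windows 10"), "migrate off Windows 7"),
    ("2. Use Defender", DEFENDER_OFF,
     lambda v: v in (None, 0), "remove or zero the DisableAntiSpyware policy"),
    ("3. Restrict admin rights", "local_admins",
     lambda v: set(v or []) <= {"Administrator"}, "remove day-to-day users from local Administrators"),
    ("4. No Flash/Java browser plugins", CHROME_PLUGINS,
     lambda v: v == 2, "set DefaultPluginsSetting to 2"),
    ("5. Office macro restrictions", WORD_MACROS,
     lambda v: v in (3, 4), "set VBAWarnings to 3 (signed only) or 4 (disable all)"),
    ("6. PowerShell restrictions", PS_POLICY,
     lambda v: v in ("AllSigned", "RemoteSigned"), "set ExecutionPolicy policy to AllSigned or RemoteSigned"),
]


def audit(snapshot):
    """Map each control to (passed, observed value, remediation hint)."""
    return {name: (bool(ok(snapshot.get(key))), snapshot.get(key), hint)
            for name, key, ok, hint in BASELINE}


def failed(snapshot):
    """Names of controls the snapshot fails, in slide order."""
    return [name for name, (passed, _, _) in audit(snapshot).items() if not passed]


if __name__ == "__main__":
    for label, snap in (("before", SNAPSHOT), ("after", HARDENED)):
        print(f"== {label}: {len(failed(snap))} failing control(s)")
        for name, (passed, observed, hint) in audit(snap).items():
            print(f"  {'PASS' if passed else 'FAIL'}  {name}  observed={observed!r}"
                  + ("" if passed else f"  -> {hint}"))
```

The same function runs before and after the change, which is the point of slide 33: a control you cannot re-check mechanically is a control you will eventually discover was never on.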
  • 34. Resources (all free!) Infection Monkey RITA Breach Impact Assessment Report Sample Blue Team CTF (OpenSOC)
  • 35. The Big Picture: Where are we? Cyber Defense Matrix by Sounil Yu. Rows: Applications, Devices, Network, Data, People. Columns: Identify, Protect, Detect, Respond, Recover. Degree of dependence shifts from Technology through Process to People as you move from Identify to Recover. The slide marks where Asset Discovery and Vuln Mgmt and Hardening sit on the matrix.
  • 36. What else is there? PROACTIVE: IDENTIFY (Vuln Scan, Asset Discovery, TVM, Pen Test) and PREVENT (IPS, AV, Patch, Mitigate (e.g. WAF), Harden). REACTIVE: DETECT (EDR, IDS, SIEM, SOC, Threat Hunting), RESPOND (Manual Incident Response Tasks, Forensics, IR, SOAR) and RECOVER (Backups, BCP/DR). The ‘Basics’ sit on the proactive side. What’s my ACTUAL Risk/Posture?
  • 37. What else is there? The matrix filled in (Identify / Protect / Detect / Respond / Recover; PROACTIVE on the left, REACTIVE on the right; degree of dependence on Technology, Process, People):
  Devices: Vuln Scanning, Asset mgmt, CMDB / Anti-virus, NGAV, Patch, Hardening / EDR, SIEM, SOC / EDR, SOAR, manual IR / Backups, reimage
  Applications: App Scanning / WAF, Hardening / WAF, SIEM / WAF, SOAR, manual IR / Backups
  Network: PCAP, Netflow / Firewall/NGFW, IPS / IDS, SIEM, NBAD / Anti-DDoS, Firewall, ACLs, manual IR / Rebuild network
  Data: Data labeling, Data discovery / Encryption, DLP / DLP, Anti-Fraud / DRM, IRM, revoke keys/certs / Backups
  People: Directory services, badges / Security awareness, anti-phishing / UBA, UEBA / Table-tops / DR/BCP procedures
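The filled-in matrix on slides 35 to 37 answers "what's my actual posture?" by exposing empty cells rather than by counting products. The script below is an added example, not the deck's or Sounil Yu's own tooling: it takes a constructed inventory of deployed controls, each tagged with the asset class and function it serves, places them on the 5x5 grid, rejects controls that claim a cell the matrix does not have, and reports the uncovered cells and the proactive/reactive split. The control names and placements are made up for illustration.

```python
"""Cyber Defense Matrix coverage and gap report. Added example with a
constructed control inventory; placements are illustrative assumptions."""

ASSET_CLASSES = ["Applications", "Devices", "Network", "Data", "People"]
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]
PROACTIVE = {"Identify", "Protect"}          # the rest of the columns are reactive

# Constructed inventory: (control, asset class, function). One product may
# legitimately occupy several cells, as EDR does here.
DEPLOYED = [
    ("Vuln Scanner", "Devices", "Identify"),
    ("Patch management", "Devices", "Protect"),
    ("Anti-virus", "Devices", "Protect"),
    ("EDR", "Devices", "Detect"),
    ("EDR", "Devices", "Respond"),
    ("Backups", "Devices", "Recover"),
    ("App Scanning", "Applications", "Identify"),
    ("WAF", "Applications", "Protect"),
    ("Firewall", "Network", "Protect"),
    ("Security awareness", "People", "Protect"),
]


def coverage(deployed):
    """Grid cell -> list of control names; raises on a cell the matrix lacks."""
    grid = {(a, f): [] for a in ASSET_CLASSES for f in FUNCTIONS}
    for name, asset, func in deployed:
        if (asset, func) not in grid:
            raise ValueError(f"{name}: unknown cell {(asset, func)}")
        grid[(asset, func)].append(name)
    return grid


def gaps(deployed):
    """Cells with no control at all, in row-major matrix order."""
    grid = coverage(deployed)
    return [(a, f) for a in ASSET_CLASSES for f in FUNCTIONS if not grid[(a, f)]]


def uncovered_rows(deployed):
    """Asset classes with nothing in any column: the row nobody owns."""
    grid = coverage(deployed)
    return [a for a in ASSET_CLASSES if not any(grid[(a, f)] for f in FUNCTIONS)]


def balance(deployed):
    """How many placements sit on the proactive side versus the reactive side."""
    proactive = sum(1 for _, _, f in deployed if f in PROACTIVE)
    return {"proactive": proactive, "reactive": len(deployed) - proactive}


def render(deployed):
    """Plain-text matrix, one row per asset class, cells separated by ' / '."""
    grid = coverage(deployed)
    lines = ["Asset class   " + " / ".join(FUNCTIONS)]
    for a in ASSET_CLASSES:
        cells = [", ".join(grid[(a, f)]) or "-" for f in FUNCTIONS]
        lines.append(f"{a:13} " + " / ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(DEPLOYED))
    print("gaps:", len(gaps(DEPLOYED)), "of", len(ASSET_CLASSES) * len(FUNCTIONS))
    print("rows with nothing:", uncovered_rows(DEPLOYED))
    print("balance:", balance(DEPLOYED))
```

On the constructed inventory the Devices row is full while the Data row is empty and everything outside Devices is proactive only, which is the shape a tooling-led programme usually has and the reason the slide asks what else is there.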
  • 38. 38 Perspective and Positivity Choose to see and approach things differently
  • 39. Change your perspective “Attackers only have to succeed once - defenders can never make a mistake!” “There’s two types of companies: those that have been breached and those that don’t yet know they’ve been breached.”
  • 40. Change your perspective Use events or scenarios to drive security, not checklists
  • 41. Breaches kill companies? NO. Well, it DOES happen, but it is very rare. 1. CardSystems 2. OnlyHonest 3. Code Spaces 4. DigiNotar 5. Precedent 6. Distribute.IT 7. HBGary Federal 8. Blue Frog 9. Bitcoin wallet providers during Mt. Gox failure
  • 42. Equifax Process and Control Failures 1. No asset inventory (CSC01) 2. No software inventory (CSC02) 3. No file integrity monitoring 4. No network segmentation 5. Broken SSL Visibility Appliance 6. Broken SSLV failed open 7. SSLV lacked certs for key systems 8. SAST failed to find Struts (user error) 9. No anomaly detection on web servers 10. Custom snort rule didn’t work 11. Custom snort rule wasn’t tested. 12. Network scanner didn’t find Struts 13. Failed to detect webshells 14. Failed to detect interactive activity 15. File with cleartext creds accessible 16. Additional database access 17. DB queries were not restricted 18. No DB anomaly monitoring 19. No field-level encryption in DBs 20. No data exfiltration detection 21. DAST scanning failed to detect vulns 22. Ineffective IR plan/procedures 23. No owners assigned to apps or DBs 24. Comms issues due to corp structure 25. Lack of accountability in processes 26. Patching process lacked follow up 27. Old audit findings were not addressed 28. Insecure NFS configs 29. Logs retained for less than 30 days
  • 43. Equifax Process and Control Failures mapped onto the Cyber Defense Matrix (rows Applications, Devices, Network, Data, People; columns Identify, Protect, Detect, Respond, Recover; degree of dependence on Technology, Process, People). The failure numbers from slide 42 are grouped by cell: 1,12,23; 28; 29; 2,8,21; 3,9,13,14; 4,5,6,7,16; 10,11,20; 15; 16,17,19; 17,18,20; 24; 25,26,27; 10,11; 22.
  • 44. Recap and recommendations • Security is large, broad and difficult – get help where you can – make friends with IT and others • The Basics are important - don’t skip them – even if they’re difficult – even if they’re boring • CIS is a helpful roadmap (also PCI, ISO 27k, etc) – you don’t have to do it in exact order – you don’t have to do it all at once • Don’t let the news/media discourage you – they always make it sound worse than it is • Study breaches! • Communicate with peers. Share information.
  • 45. What to do after this presentation? 1. Think of events and scenarios you want to prevent 2. How do you simulate them? 3. Discuss them. Do tabletop exercises. 4. Create a roadmap with goals for processes 5. Don’t worry about all “The Basics” - go after low-hanging fruit first
  • 46. Bonus Resources! Breach Impact Report Sample CISO Mind Map CISO Guide to Working with Startups Scan the QR code for handouts OR email sawaba@zip.sh with TacticalEdge2019 as the subject.