Code & Cannoli < Security >

13th January 2016@DevMob

#CodeCannoli

Code & Cannoli < Security >

17:30- 18:15 Drinks,pasta&cannoli18:15- 19:00 Fabrizio Cilli:"Vulnerability:AssessingandManaging–

Adiveintotheunexpectedweaknesses”19:00– 20:00 Jacco vanTuijl:"PenetrationTestingProcess”- part120:00- 20:15 Break20:15- 21:15 Jacco vanTuijl:"PenetrationTestingProcess”- part221:15 Drinks

@DevMob#CodeCannoli

Vulnerability:Assessing&Managing

Assessingtheexposureswon’tclosethecircle

Vulnerable

Avulnerabilityisaweaknessinanassetorgroupofassets.Anasset’sweaknesscouldallowittobeexploitedandharmedbyoneormorethreatvectors.

InthecyclictickerofaPDCA wheel:Assessing isaphasewecanexecuteatwill.Managingitsresults,isanendeavour,impactingGovernance,ITOperations,addingworkload.

SurfaceandCore

Weexposeourbusinesstoexternal(Surface)attackersandinternal(Core)malicioususers.TheAttackVectorsareamyriad,fromnetworktohosts,andtotheirvirtualcounterparts.

TheconceptofAttackVectorisvitalwhenitcomestoevaluatethegravityofthevulnerabilitiesweareassessinginourenvironment:AndthebestwaytounderstanditisbybreakingdowntheCVSSscoreoffoundvulnerability!

CVSSAccessVector

BaseScore=round_to_1_decimal(((0.6*Impact)+(0.4*Exploitability)-1.5)*f(Impact))

Impact=10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))

Exploitability=20*AccessVector*AccessComplexity*Authentication

f(impact)=0ifImpact=0,1.176otherwise

AccessVector =caseAccessVector ofrequireslocalaccess:0.395adjacentnetworkaccessible:0.646networkaccessible:1.0

AttackSurface

AttackSurface

Cyclicchecks

Thebestexercisetoachievea“capable”responsemechanismwhena0-Dayhappenstobeannouncedintothewild,istohaveyourtestcycle,inlinewithyourassetbase.

Thelimitinsecurityoperationsiscompleteness,nothingcanbemeasuredasabsolute,giventhechangingenvironmentITOPSmanage.Toreacttoemergingthreatstheidentificationandsanitizationneedstobefastandprecise.

ToolsorSubscriptions?

Asoundvulnerabilitymanagementprogramdoesnotcostinitselfduetothetechnologyrequirements,itcostsasitisapartofaGRCprogram,onesteptoobtainasmartgovernanceandtomaintainregulatorycompliance.

Cyclicchecks,sync’ed withanassetmanagernotonlyrequireITOperationstobefastreacting,buttheAssessmentresults(orreports)tobeintelligentlyfilteredandanalysedagainstthreatintelandfrequentlyupdatedfeeds.

IntegratingTestingandAssessment

SecurityProgramme:Thisunknown.Wellnot100%unknown,weknowweshouldcommittolongtermintegrationbetweenperiodic(applicationandinfrastructure)tests,andcyclicvulnerabilityassessmentsbutthelackistoachieveitandmaintainthatcommitment.

EverythinginITismostprobablyidentifiableasaSYSTEM,withanINPUT,TRANSFORMATIONandanOUTPUT.PenetrationTestingisafundamentalinput totheVulnerabilityManagementProcessandtogetherthesecanboost yourThreatResponse(andROI).

StaticanalysisandDynamictesting

AnotherelementofasoundVulnerabilityManagementProcessespeciallyinEnterpriseenvironmentsliesinthecertaintyofaqualitativeanalysisofalgorithms,beforemovingapplicationarchitecturestoproductionenvironment.

Letmesaythatit’smostlikelythatunsafeorlazycodinghabitsendwriting 0-Days,insteadofsavingfromthem.Weak codewillfacilitateaccesstoback-ends,data,andimpairyourvulnerabilitymanagementprogramaddingwhatwecallmakefutureZeroDays.

Weakness Awareness SecurityProgram Integration

Getthemost,staysafe!

CombiningthefollowingactionsweDOgetthemostwithameasurablereturnonoursecurityprogrammeinvestment.

Achievement

SecurityProgrammeInvestmentWheel

0%10%20%30%40%50%60%70%80%90%100%Weakness

Awareness

SecurityProgramIntegration

Achievement

WeaknesstoAchievement

Insecurity ROI

STARTInvestmentReturns Effects

0% OpenAttackSurface

5% IncreasingAwareness

15% Plansanddeployments

25% Enablinginterchange

30% Achievingreturns

ExposureFactor Effects

99% Easilyviolatedbyanyvector

85% Understandingattacksurface

75% Reducingexposurebymeansofspecial tools

50% Integratingdiversetoolstoachieveintelligence

25% Only0-Daysandunknow threatscanhurt

Apracticalcasestudy.

Whathappenswhen.

TheBattleshipYamato!

TheBattleshipYamato!

…oops…that’sthe !

…ehm …let’sgetbackto !

TheBattleshipYamato

TheBattleshipYamato

Assessing:

Whileinhomewatersafterthewinter1944-1945refitting(moreanti-aircraftweapons),shewasspottedandattackedbyU.S.NavycarrierplanesinMarch1945.Sheescapedwithlightdamage,buthervulnerabilityagainsttheswarmingAmericanaircrafts wasnowclear.[…]

TheBattleshipYamato

Q1:Bylookingatthebattleshiparchitectureanddefense,whatcanyouassess theBattleshiptobeconsidered“vulnerable”inyouropinion?

TheBattleshipYamato

Exploit:

[…] At1220on7Apr1945,whilestillsome270milesnorthofOkinawa,afterbeingtracked byAmericanreconnaissance aircraftandsubmarinesalmosttheentireway,Yamatowasattacked bywavesandwavesofAmericancarrierplanes. […]

TheBattleshipYamato

Q2:Bywhatattackvector,thevulnerabilitycouldhavebeenexploited?

TheBattleshipYamato

Pwnage:

[…] Afteranagonizingtwohours,thelargestbattleshipintheworldsankasthelistreachednearly90degrees.[…]

TheBattleshipYamato

Q3:Toadapt totheupcomingpwonage,whatdoyouthinkitwaspossibletodo,on-the-fly?…ormaybeaftertheinevitablehappened?

TheBattleshipYamato

Zero-Day:

[…] Shethenexplodedtwiceunderwater;thecauseoftheexplosionwaslikelytheshellsfromtheprimaryandsecondarymagazinesfallingofftheirshelvesanddetonatingtheirfusesagainsttheoverhead.[…]

TheBattleshipYamato

Q4:Whatdoyouthinkwasthereasonforalltheopponent’sforcestoconcentrateahugesetofresourcesjustagainstthissingletarget?

TheBattleshipYamato

Loss:

Only269mensurvivedthesinkingsuperbattleship.(Outof2750originalcrewlist)

Resilient

DefinitionandSubstantialmeaning

OPENTALKSESSION: RSAYONTOPIC!

FewtopicsforyoutoJointheTalk[BeforethethirdbeerJ]!

Assessment

RSAYON…

…

CodeSecurity

RSAYON…

…

CodeSecurity

RSAYON…OWASPASVSv.3.0

Disclosure

RSAYON…

…

GoinghomebyTrain?

RSAYON… http://trainwatch.u0d.de/

Thanksforyourtime!

Wehopeourmessageinabottlelefttheshores!

Sendyourfeedback withthereference#CODECANNOLIonourSocial Channels!Togetintouchuseinstead@DEVMOB !