code&cannoli - 150113 - feeling vulnerable is good! - v.1.1
TRANSCRIPT
Code & Cannoli < Security >
13th January 2016 @DevMob
#CodeCannoli
17:30 - 18:15 Drinks, pasta & cannoli
18:15 - 19:00 Fabrizio Cilli: "Vulnerability: Assessing and Managing – A dive into the unexpected weaknesses"
19:00 - 20:00 Jacco van Tuijl: "Penetration Testing Process" - part 1
20:00 - 20:15 Break
20:15 - 21:15 Jacco van Tuijl: "Penetration Testing Process" - part 2
21:15 Drinks
@DevMob #CodeCannoli
Vulnerability: Assessing & Managing
Assessing the exposures won't close the circle
Vulnerable
A vulnerability is a weakness in an asset or group of assets. An asset's weakness could allow it to be exploited and harmed by one or more threat vectors.
In the cyclic ticker of a PDCA (Plan-Do-Check-Act) wheel, Assessing is a phase we can execute at will. Managing its results is an endeavour that impacts Governance and IT Operations and adds workload.
Surface and Core
We expose our business to external (Surface) attackers and internal (Core) malicious users. The attack vectors are a myriad, from network to hosts, and on to their virtual counterparts.
The concept of Attack Vector is vital when it comes to evaluating the gravity of the vulnerabilities we are assessing in our environment, and the best way to understand it is by breaking down the CVSS score of a found vulnerability!
CVSS Access Vector (CVSS v2 base score equations)
BaseScore = round_to_1_decimal(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact))
Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))
Exploitability = 20 * AccessVector * AccessComplexity * Authentication
f(Impact) = 0 if Impact = 0, 1.176 otherwise
AccessVector = case AccessVector of
    requires local access:       0.395
    adjacent network accessible: 0.646
    network accessible:          1.0
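To show what "breaking down the CVSS score" means in practice, here is an added example (not from the talk slides) that implements the CVSS v2 base equations above as a small calculator. Only the Access Vector weights appear on the slide; the weights for Access Complexity, Authentication and the three impact metrics are taken from the published CVSS v2 specification, and the short vector notation (AV:N/AC:L/Au:N/C:C/I:C/A:C) is the standard CVSS v2 one.

```python
# Added example: CVSS v2 base score calculator built from the equations on the
# slide. AV weights are the slide's; all other weights are the published CVSS v2
# metric values (assumed from the specification, not from the slide).

# Metric weights, keyed by the standard short vector notation.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # local / adjacent / network
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # high / medium / low complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # multiple / single / no auth
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},    # confidentiality impact
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},    # integrity impact
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},    # availability impact
}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a dict of numeric weights."""
    metrics = {}
    for part in vector.split("/"):
        name, value = part.split(":")
        metrics[name] = WEIGHTS[name][value]   # KeyError on an unknown metric/value
    missing = set(WEIGHTS) - set(metrics)
    if missing:                                # all six base metrics are mandatory
        raise ValueError("vector is missing metrics: %s" % sorted(missing))
    return metrics


def impact_subscore(m):
    return 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))


def exploitability_subscore(m):
    return 20 * m["AV"] * m["AC"] * m["Au"]


def base_score(vector):
    """CVSS v2 base score, rounded to one decimal as the equation requires."""
    m = parse_vector(vector)
    impact = impact_subscore(m)
    exploitability = exploitability_subscore(m)
    f_impact = 0 if impact == 0 else 1.176      # f(Impact) from the slide
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


if __name__ == "__main__":
    # Same weakness, reachable locally vs. over the network: only AV changes,
    # and the score moves from medium to high.
    for v in ("AV:L/AC:L/Au:N/C:N/I:N/A:C", "AV:N/AC:L/Au:N/C:N/I:N/A:C"):
        print(v, "->", base_score(v))
```

Running the block prints 4.9 for the local vector and 7.8 for the network vector, which is the Access Vector effect the slide is pointing at.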
Attack Surface
Cyclic checks
The best exercise to achieve a "capable" response mechanism when a 0-Day happens to be announced into the wild is to have your test cycle in line with your asset base.
The limit in security operations is completeness: nothing can be measured as absolute, given the changing environment IT OPS manage. To react to emerging threats, the identification and sanitization need to be fast and precise.
Tools or Subscriptions?
A sound vulnerability management program does not cost in itself due to the technology requirements; it costs as it is a part of a GRC program, one step to obtain a smart governance and to maintain regulatory compliance.
Cyclic checks, synced with an asset manager, not only require IT Operations to be fast reacting, but also the assessment results (or reports) to be intelligently filtered and analysed against threat intel and frequently updated feeds.
Integrating Testing and Assessment
Security Programme: this unknown. Well, not 100% unknown: we know we should commit to long-term integration between periodic (application and infrastructure) tests and cyclic vulnerability assessments, but what is lacking is achieving it and maintaining that commitment.
Everything in IT is most probably identifiable as a SYSTEM, with an INPUT, a TRANSFORMATION and an OUTPUT. Penetration Testing is a fundamental input to the Vulnerability Management Process, and together these can boost your Threat Response (and ROI).
Static analysis and Dynamic testing
Another element of a sound Vulnerability Management Process, especially in Enterprise environments, lies in the certainty of a qualitative analysis of algorithms before moving application architectures to the production environment.
Let me say that it's most likely that unsafe or lazy coding habits end up writing 0-Days instead of saving us from them. Weak code will facilitate access to back-ends and data, and impair your vulnerability management program, adding what we call future Zero Days.
Weakness - Awareness - Security Program Integration - Achievement
Get the most, stay safe!
Combining the following actions we DO get the most, with a measurable return on our security programme investment.
[Chart: Security Programme Investment Wheel, 0% to 100%, stages Weakness, Awareness, Security Program Integration, Achievement]
Weakness to Achievement
Insecurity ROI
Investment Returns (START)   Effects
  0%   Open Attack Surface
  5%   Increasing Awareness
 15%   Plans and deployments
 25%   Enabling interchange
 30%   Achieving returns

Exposure Factor   Effects
 99%   Easily violated by any vector
 85%   Understanding attack surface
 75%   Reducing exposure by means of special tools
 50%   Integrating diverse tools to achieve intelligence
 25%   Only 0-Days and unknown threats can hurt
A practical case study.
What happens when.
The Battleship Yamato!
…oops… that's the !
…ehm… let's get back to !
The Battleship Yamato
Assessing:
While in home waters after the winter 1944-1945 refitting (more anti-aircraft weapons), she was spotted and attacked by U.S. Navy carrier planes in March 1945. She escaped with light damage, but her vulnerability against the swarming American aircraft was now clear. […]
The Battleship Yamato
Q1: By looking at the battleship's architecture and defense, what can you assess? Is the battleship to be considered "vulnerable" in your opinion?
The Battleship Yamato
Exploit:
[…] At 1220 on 7 Apr 1945, while still some 270 miles north of Okinawa, after being tracked by American reconnaissance aircraft and submarines almost the entire way, Yamato was attacked by waves and waves of American carrier planes. […]
The Battleship Yamato
Q2: By what attack vector could the vulnerability have been exploited?
The Battleship Yamato
Pwnage:
[…] After an agonizing two hours, the largest battleship in the world sank as the list reached nearly 90 degrees. […]
The Battleship Yamato
Q3: To adapt to the upcoming pwnage, what do you think it was possible to do on-the-fly? …or maybe after the inevitable happened?
The Battleship Yamato
Zero-Day:
[…] She then exploded twice underwater; the cause of the explosion was likely the shells from the primary and secondary magazines falling off their shelves and detonating their fuses against the overhead. […]
The Battleship Yamato
Q4: What do you think was the reason for all the opponent's forces to concentrate a huge set of resources just against this single target?
The Battleship Yamato
Loss:
Only 269 men survived the sinking of the super battleship (out of 2750 on the original crew list).
Resilient
Definition and substantial meaning
OPEN TALK SESSION: SAY ON TOPIC!
Few topics for you to join the talk [before the third beer :)]!
Assessment
SAY ON…
…
Code Security
SAY ON…
…
Code Security
SAY ON… OWASP ASVS v.3.0
Disclosure
SAY ON…
…
Going home by Train?
SAY ON… http://trainwatch.u0d.de/
Thanks for your time!
We hope our message in a bottle left the shores!
Send your feedback with the reference #CODECANNOLI on our Social Channels! To get in touch, use @DEVMOB instead!