Eyes Wide Open
John Sawyer Senior Security Analyst
InGuardians, Inc.
Copyright 2013 InGuardians, Inc. [email protected] - @johnhsawyer
Agenda
• Who am I?
• What is IT Security?
• Penetration Testing
  – (aka Go Hack Yourself)
• Fun (and scary) Attacks
  – And, How to Protect Yourself
Who, What, Where
• InGuardians Senior Security Analyst
  – Penetration Testing
    • Web, Network, Smart Grid, Mobile, Physical
  – Architecture Review
  – Incident Response & Forensics
• Dark Reading “Evil Bytes” author
• 1@stplace - Retired CTF packet monkey
  – Winners DEFCON 14 & 15 CTF
Eyes Wide Open
• Why this title?
• What does it mean?
  – Amazement
  – Fear
  – Naïve
  – Prepared
What is IT Security?
• Does it mean what you think it means?
• Many areas of focus
• IT vs C-level perspective
• Public perspective
So Many Areas, So Little Time
• System hardening
• Network security
• Incident response
• Forensics
• Penetration Testing
• Vulnerability Assessments
• Reverse Engineering
• And, so much more!
C-Level Exec vs IT Practitioner
• What does security really do?
  – Costs money
  – ROI?
  – Invisible until a problem arises
• Accuracy vs Speed
• Secure vs Compliant
Compliance = Security
• Being “compliant” often leads to a false sense of security
• Loads of money spent on security products but no focus on processes
2012 Eye Openers
• Flashback OS X
• Java Zero Days
• Flame & Gauss
• Android
• LinkedIn, Last.fm, Dropbox Passwords
• Shamoon
What is Pen Testing?
• Validation of vulnerability assessments
• Better measurement of risk
• Can answer the “What If” questions
• Can determine if the “worst case scenario” can really happen
What can you do?
• First, what does your job description say?
Network Scanning
• Nmap – network (vuln) scanner
  – Ndiff – compare scan results
• Vulnerability Scanning
  – Low hanging fruit
  – Don’t focus on HIGH (Low 2 Pwned)
  – Nessus, NeXpose, ZAP, Burp etc.
• Shodan
Shodan (www.shodanhq.com)
• “Search engine for service banners of pre-scanned devices accessible via the public Internet”
• Created by John Matherly
• Controversial?
  – Has led to the exposure of many SCADA and ICS devices
Many Ways to Shodan
• Web Interface
• API
• Metasploit
• iPhone
• Maltego
Javapocalypse
• Java – A necessary evil for many
  – Business reporting applications
  – Security Tools
    • Burp
    • Zap
    • Others
Decaffeinating Java Exploits
• Uninstall Java
• Install Java 7 Update 11
• Java only allowed in special VMs
• Decouple Java from Browsers
• Use separate browsers
  – Only one has Java enabled
  – “Security Zones”
Publicly-Accessible Printers
• Weak/Default passwords
• JetDirect vulnerabilities
• Remote firmware update (FIRE)
• Credential exposure?
Printer Safety
• Network segmentation
• Network scanning
  – Know your network
    • Nmap
    • Shodan
    • Google
Verizon’s Bob
• After reading the 2012 DBIR, started monitoring VPN logs.
• Regular connections from China.
• “US critical infrastructure company”
• Developer was at his desk.
Bob = Model Employee
• “Quarter after quarter, his performance review noted him as the best developer in the building.”
  – 9:00 a.m. – Arrive & surf Reddit. Watch cat videos
  – 11:30 a.m. – Take lunch
  – 1:00 p.m. – Ebay time.
  – 2:00-ish p.m. – Facebook updates – LinkedIn
  – 4:30 p.m. – End of day update to management.
  – 5:00 p.m. – Go home
Where’s Waldo…Bob?
• I’ll get there…
Internal Detection
• VLAN Hopping – Tripwire monitoring switch configs
• Malware & Attacker Tools – Antivirus logs
• Exploitation of Vulnerable Services – Host Intrusion Prevention logs
• Nmap Scan – Server Performance Monitor
External Detection
• Nmap Scan – FW Logs via MSP
• Web Vuln Scan – User Experience Monitor
• Attack Tool Scans – IDS via MSP
Security Pro’s Dilemma
• The Defender has to get it right every time
• The Attacker only has to get it right once in order to win.
Information Overload
• Everything logs – Do you know how to collect it?
• New threats emerge every day – How do you keep track?
• More and more data to analyze – Do you look at it all or intelligently narrow it down?
Information Overload
• Too many logs
• Too few hours in the day
• Too many new threats
• Too few security staff
• And, what should we focus on?!?
Risk-Based Approach to Logs
• Identify high-value targets
• Identify worst-case scenario
• How can they be attacked?
• Do you have mechanisms in place to monitor those areas?
Start Small
• Syslog, Splunk, or ELSA – Firewall, VPN, Servers, Door Access
• Network monitoring (IDS, NetFlow) – Security Onion
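As an added example (not from the talk) tying the Verizon “Bob” story to the “Firewall, VPN, Servers, Door Access” log sources above: Python that correlates successful VPN logins with badge-reader entries and a source-country lookup, flagging remote logins from unexpected countries or from a user who just badged into the building. The log formats, the GEO prefix table and the eight-hour window are constructed assumptions standing in for real vendor logs and a GeoIP database.

```python
import re
from datetime import datetime, timedelta

# Constructed VPN authentication log (syslog-like shape, not a real vendor format).
VPN_LOG = """\
2013-01-14 08:52:10 vpn01 auth: user=bob src=203.0.113.7 result=success
2013-01-14 09:03:41 vpn01 auth: user=alice src=198.51.100.20 result=success
2013-01-14 22:40:55 vpn01 auth: user=carol src=203.0.113.9 result=failure
"""
# Constructed badge-reader log: who physically entered the building and when.
DOOR_LOG = """\
2013-01-14 08:45:00 door=main user=bob event=entry
2013-01-14 08:58:30 door=main user=dave event=entry
"""
# Constructed stand-in for a GeoIP lookup (RFC 5737 documentation ranges).
GEO = {"203.0.113.": "CN", "198.51.100.": "US", "192.0.2.": "US"}
EXPECTED_COUNTRIES = {"US"}
ON_SITE_WINDOW = timedelta(hours=8)  # badge entry this long before a VPN login is suspicious

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Yield (timestamp, {key: value}) for each line of a 'YYYY-MM-DD HH:MM:SS ... k=v' log."""
    for line in log.splitlines():
        ts = datetime.fromisoformat(line[:19])
        yield ts, dict(KV_RE.findall(line))

def suspicious_vpn_logins(vpn_log, door_log):
    """Flag successful VPN logins from unexpected countries, or by users who badged
    into the building shortly before the login (the "Bob" pattern)."""
    entries = {}
    for ts, f in parse(door_log):
        if f.get("event") == "entry":
            entries.setdefault(f["user"], []).append(ts)
    findings = []
    for ts, f in parse(vpn_log):
        if f.get("result") != "success":
            continue  # failed attempts are a separate (brute-force) question
        user, ip = f["user"], f["src"]
        cc = next((c for p, c in GEO.items() if ip.startswith(p)), "??")
        reasons = []
        if cc not in EXPECTED_COUNTRIES:
            reasons.append(f"source country {cc}")
        if any(timedelta(0) <= ts - e <= ON_SITE_WINDOW for e in entries.get(user, [])):
            reasons.append("user badged on-site")
        if reasons:
            findings.append((user, ip, "; ".join(reasons)))
    return findings
```

Either signal alone is worth a look; both together on the same login is exactly the case the Verizon write-up describes.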
Takeaways
• Security – It’s more than you against the world
• Penetration Testing – There are things you can do!
• Attacks (and prevention) – Monitor, monitor, MONITOR!
Thank You
• Questions?
• Contact information: John Sawyer [email protected] 352-389-4704