Add to collection(s) Add to saved
  1. Business
  2. Economics

Slides

advertisement 
HACKERS & ATTACK ANATOMY
Ted Harrington, Executive Partner | Ted.Harrington@securityevaluators.com
ISE Proprietary
Why is this important?
ISE Proprietary
Attacks
About ISE
III. Security vs. Functionality
I. Assets vs. Perimeters
IV. Build In vs. Bolt On
II. Black Box vs. White Box
V. Ongoing vs. Periodic
ISE Confidential - not for distribution
ISE Proprietary
ISE Proprietary
ISE Proprietary
About ISE
Perspective
• White box
Analysts
• Hackers; Cryptographers; RE
Exploits
• iPhone; Android; Ford; Exxon; Diebold
Research
• Routers; NAS; Healthcare
Customers
• Companies w/ valuable assets to protect
ISE Proprietary
ISE Proprietary
ISE Proprietary
I. Secure Assets, Not Just Perimeters
ISE Proprietary
I. Secure Assets, Not Just Perimeters
Traditional Attacks
Traditional Defenses
ISE Proprietary
1
1
I. Secure Assets, Not Just Perimeters
ISE Proprietary
1
2
I. Secure Assets, Not Just Perimeters
ISE Proprietary
1
3
ISE Proprietary
II. Black Box Penetration Tests == Good
ISE Proprietary
II. Black Box Penetration Tests == Good
White box vulnerability assessment == GOOD!
ISE Proprietary
II. Black Box vs. White Box
• Access Level
• Black Box
• White Box
• Evaluation Types
• Penetration Test
• Vulnerability Assessment
ISE Proprietary
II. Black Box vs. White Box
Black Box Perspective
ISE Proprietary
II. Black Box vs. White Box
White Box Perspective
ISE Proprietary
II. Black Box vs. White Box
ISE Proprietary
II. Black Box vs. White Box
Black Box
White Box
Time/cost
2 mo. / 200 hrs.
2 mo. / 200 hrs.
Severe issues
4 potential issues
1 confirmed
11 confirmed
Other issues
none
10 confirmed
no recommendations
21+ mitigation strategies
Completeness/Confidence
very low
high
Cost/issue
200+ hrs.
~9 hrs.
8
~9 hrs.
Results
Cost/solution
ISE Proprietary
ISE Proprietary
SOHO Routers: Outcomes
Models
Attacks
Compromise
Goals
10
Any
Results
13
Remote, Local, Both
>30%
100% Broken
ISE Proprietary
ISE Proprietary
ISE Proprietary
ISE Proprietary
III. Security vs. Functionality
ISE Proprietary
III. Security vs. Functionality
EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE
SALES
IT FUNCTIONALITY
IT
HR
IT SECURITY
ISE Proprietary
...
III. Security vs. Functionality
EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE
SALES
IT FUNCTIONALITY
IT
HR
IT SECURITY
ISE Proprietary
SECURITY
…
III. Security vs. Functionality
CONFLICT IS GOOD!
ISE Proprietary
III. Security vs. Functionality
ISE Proprietary
I. Security Separated From Functionality
ISE Confidential - not for distribution
I. Security Separated From Functionality
ISE Confidential - not for distribution
I. Security Separated From Functionality
ISE Confidential - not for distribution
ISE Proprietary
ISE Proprietary
ISE Confidential - not for distribution
ISE Confidential - not for distribution
IV. “Build It In,” Not “Bolt It On”
ISE Proprietary
IV. “Build It In,” Not “Bolt It On”
ISE Proprietary
IV. “Build It In,” Not “Bolt It On”
Determine business &
user needs
Develop threat model
Define architecture
Design defense in depth
Coding
Audit code
System testing
White box vulnerability
assessment
DEPLOYMENT
Customer roll-out
Configuration Guidance
MAINTENANCE
Resolve bugs
Iteration Hardening
REQUIREMENTS
DESIGN
IMPLEMENTATION
TESTING
ISE Proprietary
IV. “Build It In,” Not “Bolt It On”
Built In
Bolted On
Assessment cost
90%
100%
Assessment overhead
---
---
Mitigation cost / issue
1x
25x : application
300x : infrastructure
ISE Proprietary
ISE Proprietary
ISE Confidential - not for distribution
V. Security as Ongoing Process
ISE Proprietary
V. Security as Ongoing Process
ISE Proprietary
V. Security as Ongoing Process
ISE Proprietary
V. Security as Ongoing Process
ISE Proprietary
V. Security as Ongoing Process
Initial assessment cost
Full scope reassessment cost
Full assessments / year
Cost / year
Yearly
Bi-yearly
Quarterly
X
X
X
90-95%
35-45%
20-30%
1
2
4
X (0.9)
X (0.7)
X (0.8)
ISE Proprietary
Actionable Guidance
Do:
• Protect assets
• Get 3rd party security
assessments
• Have a security person/team
• Build security in
• Perform security ongoing
Don’t:
• Focus just on perimeter
• Rely on black box
• Have security & IT as same
• Bolt security on
• Assess longer than biannually
ISE Proprietary
Get Involved
ISE Proprietary
Ted Harrington
Executive Partner
ted.harrington@securityevaluators.com
ISE Proprietary
Related documents
Relating research to practice
Relating research to practice
*ngilizce Sunum
*ngilizce Sunum
Bell_CAISE_pi_meeting
Bell_CAISE_pi_meeting
Total - International School of Engineering
Total - International School of Engineering
Attributed to Kojo Bonsu. Finial of a Spokesperson`s Staff (Okyeame
Attributed to Kojo Bonsu. Finial of a Spokesperson`s Staff (Okyeame
2007-2010 Widescreen Template
2007-2010 Widescreen Template
New Media - rise networks
New Media - rise networks
presentation here - International Association of Business
presentation here - International Association of Business
docs\Other\000000 South Shore Routes powerpoint from Jim
docs\Other\000000 South Shore Routes powerpoint from Jim
Cool_Bright_Water_Seitz
Cool_Bright_Water_Seitz
Transfer Aid
Transfer Aid
Star Suite Overview 30min LR
Star Suite Overview 30min LR
Spireon, Inc. - NPP Government
Spireon, Inc. - NPP Government
Download
advertisement