Loudmouth
Hacker Punk
Tells lies (professionally)
Talks $hit
Drinks a LOT
Is an overall J3rk
LARES
OSINT
SIGINT
TSCM / Bug Sweeping
Exploit Development
Tool Creation
Attack Planning
Offensive Consultation
Adversarial Intelligence
Competitive Intelligence
Attack Modeling
Business Chain Vuln Assessments
Custom Physical Bypass Tool Design
Reverse Engineering
Other stuff I can't write down
Traditional InfoSec
Typical services
Proposed value (Sales BS)
Set up for failure
WYSIWYG
Reasons to Conduct
Identify potential vulnerabilities
Provide scoring of risk & prioritization of remediation
Manage environment vulnerabilities over time to show security program improvement, defense capability increase and compliance with ongoing patch, system and vulnerability lifecycle
A report consisting of copy/paste data from the vulnerability scanners, where they TRY to make sure they delete the words Nessus, Qualys and/or the previous client's name
network by simulating an attack from a malicious source... The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.
http://en.wikipedia.org/wiki/Penetration_test
Reasons to Conduct
Identify if attackers can readily
hosts
If those don't work, try a few other automated tools
Call it SECURE
Confirm vulnerabilities identified
Gain a Real World View of an
business
Do not allow the exploitation of systems
Restrict testing to non production systems
Restrict the hours of testing
Restrict the length of testing
Improperly scope / fail to include ALL addresses
Only perform externally
Patch/fix BEFORE the test
IT risk management is the application of risk management to the information technology context in order to manage IT risk. Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks. http://laresconsulting.com/risk.php
Reasons to Conduct
Compliance with regulations
Overall health check of the InfoSec program
Gain understanding of program effectiveness
Baseline discovery
to provide evidence *which is usually faked* of THAT specific assessment *often information centric*
Do not allow ACTUAL/TECHNICAL testing and validation
Rely on all information provided as TRUE
Minimize scope to only include assets and controls that are part of the selected
TESTING
Skip it!
Do It yourself
Use scanners to identify vulns
Figure out a process to track them over time
Manage the reduction of vulns over time
Manage the MTTP (Mean Time To Patch)
Do the rest and make your testers WORK hard.
DON'T RUSH IT
GO FULL SCOPE
Don't use firms that have SECRET processes or can not
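The "do it yourself" loop above (scan, track findings over time, manage the reduction and the MTTP) as an added example, not code from the original deck or from Lares: it diffs consecutive scanner exports into finding records, reports the open count per scan, the mean time to patch over closed findings, and findings that came back after being closed. Hosts, finding ids and scan dates are constructed placeholders.

```python
from datetime import date
from statistics import mean

# Constructed sample scanner exports, one per scan date, reduced to (host, finding id).
# Host names and finding ids are placeholders, not real assets or advisories.
SCANS = {
    date(2024, 1, 1):  {("host-a", "vuln-001"), ("host-a", "vuln-002"), ("host-b", "vuln-003")},
    date(2024, 1, 13): {("host-a", "vuln-002"), ("host-b", "vuln-003"), ("host-b", "vuln-004")},
    date(2024, 1, 31): {("host-b", "vuln-003"), ("host-a", "vuln-001")},
}


def track_findings(scans):
    """Diff consecutive scans into finding records with first-seen and closed dates.

    A finding is closed on the first scan that no longer reports it. A finding that
    comes back after being closed gets a fresh record (a regression), so it counts
    against MTTP again instead of silently inheriting the old first-seen date.
    """
    open_findings = {}   # (host, vuln) -> first_seen
    records = []
    for scan_date in sorted(scans):
        present = scans[scan_date]
        for key in list(open_findings):
            if key not in present:   # gone from this scan: close it
                records.append({"host": key[0], "vuln": key[1],
                                "first_seen": open_findings.pop(key), "closed": scan_date})
        for key in present:
            if key not in open_findings:   # new (or reopened) finding
                open_findings[key] = scan_date
    for key, first_seen in open_findings.items():   # still open at the last scan
        records.append({"host": key[0], "vuln": key[1], "first_seen": first_seen, "closed": None})
    return records


def mean_time_to_patch(records):
    """MTTP in days over closed findings; None when nothing has been closed yet."""
    durations = [(r["closed"] - r["first_seen"]).days for r in records if r["closed"]]
    return mean(durations) if durations else None


def open_count_over_time(scans):
    """Open findings per scan date: the trend line that shows reduction over time."""
    return {d: len(scans[d]) for d in sorted(scans)}


def regressions(records):
    """Findings closed and later reported again on the same host (same key twice)."""
    keys = [(r["host"], r["vuln"]) for r in records]
    return {k for k in keys if keys.count(k) > 1}
```

Feed it the deduplicated (host, finding) pairs from each scanner export and the three functions give the numbers the deck asks you to manage.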
Recon
Scan
Enumerate
Exploit
PostExploit
Write Report
Pre-Engagement
Intelligence Gathering
Threat Modelling
Vulnerability Analysis
Exploitation
Post-Exploitation
Reporting
Common misconceptions
the point
It will offend our users
Doesn't provide enough value
email
Track clicks
Write a report to show who clicked
MAKE IT BUSINESS FOCUSED, NOT IT FOCUSED
Use multiple standards
Remove silos and scope restrictions
TEST, TEST, TEST (PBC docs ARE NOT SUFFICIENT)
A sample set does not show the ability to secure.
I crack in certain parts of the
the solutions to address THEM and not always just for the audit
Discuss the VALUE of systems in relevance to the business and re-weight scores
NEVER allow a compensating control on a BUSINESS critical system. EVER
The term originated within the military to describe a team whose purpose is to penetrate security of "friendly" installations, and thus test their security measures. The members are professionals who install evidence of their success, e.g. leave cardboard signs saying "bomb" in critical defense installations, hand-lettered notes saying "your codebooks have been stolen" (they usually have not been) inside safes, etc. Sometimes, after a successful penetration, a high-ranking security person will show up later for a "security review," and "find" the evidence. Afterward, the term became popular in the computer industry, where the security of computer systems is often tested by tiger teams.
How do you know you can put up a fight if you have never taken a punch?
RED TEAM
Electronic
EP Convergence
Attacks on physical systems that are network enabled
Physical
Lockpicking
Direct Attack
Social
In Person Social Engineering
Phone Conversation
Social Profiling
Reasons to Conduct
Real world test to see how you will hold up against a highly skilled, motivated and funded attacker
The only type of testing that will cover a fully converged attack surface
Impact assessment is IMMEDIATE and built to show a maximum damage event
This IS the FULL DR test of an InfoSec Program
Reasons to Conduct
Exercises in evaluating WHO your top 5 most likely attackers are
Full OSINT profiling on the attackers and their capabilities
Scenarios which are highly focused at Detecting, Confirming, Mitigating and Resolving
What is it?
Evaluate threat and risk from employee/staff/contractor/executive/etc.
Use company provisioned asset/standard access model (limited privs)
channels
Identify elevation of privilege scenarios (exploit AND non-exploit methods)
Why do it?
Provides visibility into what could happen
A user WILL be compromised at some point
Evaluate security posture of corporate asset
External testing doesn't always provide accurate measurement of internal sourced threats
Identify insecure internal communication channels
Evaluate covert channel resistance/prevention
External assessments usually only measure (1) of these (if you're lucky)
System to system communication
Level of noise detection
Data leakage/exfil abilities
Log/data correlation
Incident response/forensics teams' level of knowledge/expertise
Reasons to Conduct
Targeted at working BOTH sides of the test
Active analysis on defense capability; improvements / feedback can be real time
Direct understanding of where process, policy and procedure break down in a REAL LIFE EVENT
Identification of Defensive Technology effectiveness
Reasons to Conduct
Targeted at working on identifying BUSINESS vulns
How much can/do partners hurt you
Where can you better defend against Partners and 3rd parties
Who, what, where, when and why of how the business works and how it can be
Cnickerson@laresconsulting.com
WWW.LARES.COM