Post on 24-Jun-2020
© 2018 Denim Group – All Rights Reserved
Building a world where technology is trusted.
Identifying Attack Surface in Budget Constrained Agencies
John B. Dickson, CISSP #4649, @johnbdickson
My Background
• Ex-Air Force Intel & Cyber Officer
• 20+ Year Security Professional
• Denim Group Principal
• ISSA Distinguished Fellow & Past Chapter President
• Security Conference Speaker
• Blogger, Dark Reading Columnist
• Strategic Advisor to CSOs and CISOs
Denim Group | Company Background
• Trusted advisor on all matters of software risk
• External application & network assessments
  • Web, mobile, and cloud
• Software development lifecycle (SDLC) consulting
• Network and infrastructure where applications reside
• Managed security services
• Developed
Increasing External Pressures & Threats
There are two types of organizations in the world…
1. Targeted
2. Targets of Opportunity
• 2/3 of all attacks go undetected
• Leading cause: inadvertent activity
If you are not #1, your challenge is to not become #2
Increasing External Pressures & Threats
Increasingly More Defined Threat Actors
• Nation states• Organized criminal syndicates• Hacktivists
Increasing External Pressures & Threats
Commercialization and Specialization of the Threat
• Sophisticated marketplace of underground suppliers
• Increased specialization of threat actors
  • Malware developers
  • Call centers
  • Card scammers
• “Verticalization” of the threat
• Ability to adapt and capitalize on current events more quickly
Increasing External Pressures & Threats
Sophisticated Malware and Ransomware
• Sophisticated marketplace drives more responsive attacks able to adapt and scale
• Ability to highly automate attacks expands attack footprint
• Sophisticated attacks no longer the worry of only the largest organizations
• Focus back on availability for the SMB, which has always been a challenge
Breach Fixation
Security Budgets: The Starting Point
• Some have lost the game before getting on the field
• Competing against:
  • Agency head pet projects
  • Legacy support requirements
  • Current events
• Information security as the “silent service” – Rich Baich, Wells Fargo CISO
• Source: “Winning as a CISO,” Rich Baich
Getting Your Security Budget Approved Without FUD
• Exploit Pet Projects
• Account for Culture
• Tailor to Your Specific Vertical
• Consciously Cultivate Credibility and Relationships
• Capitalize on Timely Events
• Capture Successes & Over-Communicate
Source: RSA 2014, “Getting Your Security Budget Approved Without FUD”
Attack Surface: The Security Officer’s Journey
• Two dimensions:
  • Perception of software attack surface
  • Insight into exposed assets
[Chart: attack surface plotted on two axes labelled Perception and Insight; each successive slide adds one application category to the chart]
• As perception of the problem of attack surface widens, the scope of the problem increases: Web Applications, then Client-Server Applications, Desktop Applications, Cloud Applications and Services, and finally Mobile Applications
• Discovery activities increase insight (shown first for Web Applications alone)
• Over time you end up with a progression across all five categories: Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications
• When you reach this point it is called “enlightenment”
• You won’t reach this point
Suggested Strategy #1
• Understand your Attack Surface - General
  • …and where your agency’s most sensitive client data lives
  • Tailor rigorous testing to agreed-upon threat
  • Don’t forget mobile/cloud/social media
  • Regularly conduct penetration tests mimicking your most likely threat
Suggested Strategy #1 (Continued)
• Understand your Attack Surface - External
  • Conduct monthly (or quarterly) network and application vulnerability tests to eliminate most obvious vulnerabilities
  • Consider quarterly phishing campaigns using context from firm clients
  • Review DNS registry & shared secret
  • Conduct social engineering exercise with firm leadership buy-in
  • Identify 3rd-party network connections or federated trust relationships
Suggested Strategy #1 (Continued)
• Understand your Attack Surface - Internal
  • Conduct monthly automated scans to validate patching program
  • Conduct annual security testing of key suppliers
  • Understand admin technical segregation of duties
  • Move roles around if possible and without notice
  • Maintain an inventory of USBs in desktops and laptops
  • Review policies on 3rd-party storage systems (e.g., Dropbox)
  • Capture what existing syslog review processes exist
    • Example: alerting on auth events
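The “alerting on auth events” item is where a small agency gets the most value per hour of effort, and it needs no SIEM to start. The following is an added example, not code from the presentation or from Denim Group: it runs three rules over constructed sshd log lines (a brute-force burst, a success from a source that was just brute-forcing, and a privileged login from outside an assumed admin network). The thresholds and the `ADMIN_SOURCES` set are assumptions to be replaced with the agency’s own baseline; the same rules apply to Windows Security events 4625/4624 with a different parser.

```python
"""Alert on authentication events in syslog-style sshd log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not from any real system); sshd's syslog format.
SAMPLE_LOG = """\
Jun 24 08:01:12 portal sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 24 08:01:14 portal sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jun 24 08:01:15 portal sshd[2203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jun 24 08:01:17 portal sshd[2205]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jun 24 08:01:19 portal sshd[2207]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jun 24 08:01:21 portal sshd[2209]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jun 24 09:15:02 portal sshd[2310]: Accepted publickey for jsmith from 10.0.5.12 port 40012 ssh2
Jun 24 09:40:44 portal sshd[2402]: Failed password for jsmith from 10.0.5.12 port 40100 ssh2
Jun 24 09:40:50 portal sshd[2402]: Accepted password for jsmith from 10.0.5.12 port 40100 ssh2
Jun 24 11:02:10 portal sshd[2550]: Accepted publickey for root from 198.51.100.9 port 33010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>[\d.]+)"
)

# Tunables (assumed values; set them from the agency's own baseline).
FAIL_THRESHOLD = 5            # this many failures from one source...
FAIL_WINDOW_SEC = 60          # ...within this many seconds is a brute-force burst
PRIVILEGED = {"root", "admin", "administrator"}
ADMIN_SOURCES = {"10.0.5.12"}  # assumed: the only host admins should log in from


def parse(line, year=2020):
    """Return a dict for a login event, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "method": m["method"], "user": m["user"], "src": m["src"]}


def detect(lines):
    """Apply three rules and return (rule, source_ip, user) tuples in log order."""
    alerts = []
    recent_fail = defaultdict(deque)   # src -> timestamps of failures inside the window
    burst_sources = set()              # sources already flagged for brute force
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            window = recent_fail[src]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > FAIL_WINDOW_SEC:
                window.popleft()
            # Rule 1: burst of failures from one source
            if len(window) >= FAIL_THRESHOLD and src not in burst_sources:
                burst_sources.add(src)
                alerts.append(("brute_force", src, ev["user"]))
        else:
            # Rule 2: a success from a source that was just brute-forcing is the
            # event that matters most; the failures alone are background noise
            if src in burst_sources:
                alerts.append(("success_after_burst", src, ev["user"]))
            # Rule 3: privileged login from outside the admin network
            if ev["user"] in PRIVILEGED and src not in ADMIN_SOURCES:
                alerts.append(("privileged_login_unknown_source", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for rule, src, user in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:32s} src={src:15s} user={user}")
```

On the constructed sample this yields four alerts: the burst from 203.0.113.7, the root login that follows it, and two privileged logins from addresses outside the admin network. Rule 2 is the one worth paging on; rule 1 alone fires constantly on any internet-facing host.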
Suggested Strategy #2
• Protect Information at Rest and in Transit
  • Tailor DLP to agency’s needs
    • Implement at desktop, gateway, or federated entry points
  • Disable USBs through technology acquisition or Active Directory (AD) Group Policy Objects (GPO)
    • Example: IEEE 802.1X-authenticated wired connections through Group Policy
  • Implement trusted syslog logging for admins
  • Test portal authorization implementation with manual testing
  • Secure 3rd-party FTP or mail service for most sensitive documents (obviously)
Suggested Strategy #2 (Continued)
• Protect Information at Rest and in Transit
  • Roll out mobile device management for all mobile devices implementing:
    • Remote wipe, OTA updates, containers, etc.
  • Deploy full disk encryption on ALL laptops
  • Roll out next-generation anti-virus and malware detection
  • Enable alerting for key events
Suggested Strategy #2 (Even more!)
• Protect Information at Rest and in Transit
  • Consider 2-factor authentication or tokens for:
    • Administrative accounts
    • Particularly sensitive client documents
  • And don’t forget! Implement encrypted email at all times!
Suggested Strategy #3
• Reduce your External Attack Surface
  • Implement organization-wide patching
  • Understand 3rd-party risks of CMS or portal software
  • Catalog trusted entry points from 3rd parties
  • Ensure your web-facing sites are devoid of SQL injection/XSS vulnerabilities
  • Start to build a “defense in depth” approach to your organization
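“Devoid of SQL injection/XSS” is a testable claim, and both bugs have one-line fixes that a portal team can verify on its own. The following is an added example, not code from the presentation or from Denim Group: a vulnerable document search next to its parameterized form, and a vulnerable HTML renderer next to its output-encoded form, run against an in-memory SQLite table of constructed rows. The table, column names and document titles are invented for the example.

```python
"""Injection-free data access and output encoding for a document portal (added example)."""
import html
import sqlite3


def build_db():
    """Constructed sample data; the schema and titles are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO documents (title, owner) VALUES (?, ?)",
        [("Budget FY2018", "finance"), ("Pension rolls", "hr"), ("Road survey", "public-works")],
    )
    return conn


def search_vulnerable(conn, owner, term):
    """VULNERABLE: user input is pasted into the SQL text, so a quote changes the query."""
    sql = (f"SELECT title FROM documents WHERE owner = '{owner}' "
           f"AND title LIKE '%{term}%' ORDER BY title")
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, owner, term):
    """Parameterized: values travel separately from the SQL and can never become SQL."""
    sql = "SELECT title FROM documents WHERE owner = ? AND title LIKE ? ORDER BY title"
    return [row[0] for row in conn.execute(sql, (owner, f"%{term}%"))]


def render_vulnerable(titles):
    """VULNERABLE: a title containing markup is emitted as markup (stored XSS)."""
    return "<ul>" + "".join(f"<li>{t}</li>" for t in titles) + "</ul>"


def render_hardened(titles):
    """Escape on output, so a title is always shown as text and never run as script."""
    return "<ul>" + "".join(f"<li>{html.escape(t, quote=True)}</li>" for t in titles) + "</ul>"


INJECTION = "' OR '1'='1"                            # tautology supplied as the owner field
XSS_TITLE = "<script>alert(document.cookie)</script>"  # a title a user managed to store


def demo():
    """Run both pairs and return the four outcomes so they can be checked."""
    conn = build_db()
    return {
        # the owner restriction is defeated: every department's documents come back
        "sqli_vulnerable": search_vulnerable(conn, INJECTION, ""),
        # the same payload is just a string that matches no owner
        "sqli_hardened": search_hardened(conn, INJECTION, ""),
        "xss_vulnerable": render_vulnerable([XSS_TITLE]),
        "xss_hardened": render_hardened([XSS_TITLE]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The injected owner turns the vulnerable query into `owner = '' OR '1'='1' AND ...`, which returns all three departments’ documents; the parameterized query returns nothing for the same input. The renderer fix is the same idea on the way out: encode at the boundary rather than trying to filter on the way in.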
Suggested Strategy #3 (Continued)
• Reduce your External Attack Surface
  • Implement organization-wide patching
    • Not just for Microsoft products (Reference: Verizon Data Breach Investigations Report)
  • Understand 3rd-party risks of CMS or portal software
    • Implement hardening configs for SharePoint, Drupal, WordPress, others
    • Monitor security lists and quickly apply patches
Suggested Strategy #3 (Continued)
• Reduce your External Attack Surface
  • Monitor & reduce (possible) trusted entry points from 3rd parties
  • Ensure your web-facing sites are devoid of SQL injection/XSS vulnerabilities
  • Again, watch 3rd-party vulnerability notifications
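The DNS zone is the cheapest place to start both the “review DNS registry” and “identify 3rd-party connections or federated trust relationships” items in Strategy #1 and the “catalog trusted entry points from 3rd parties” item here: every CNAME, MX, NS delegation and SPF `include:` that points outside the agency’s own domain is an organization the agency has chosen to trust. The following is an added example, not code from the presentation or from Denim Group. The zone export, the domain `example-county.gov`, the address range and every vendor name in it are constructed; `AGENCY_ZONE` and `AGENCY_NETS` are the two assumptions to change.

```python
"""Catalog third-party entry points from a DNS zone export (added example)."""
import ipaddress
import re
from collections import Counter

AGENCY_ZONE = "example-county.gov"                         # assumed agency domain
AGENCY_NETS = [ipaddress.ip_network("198.51.100.0/24")]    # assumed agency-owned space

# Constructed BIND-style export, the kind of file a registrar or DNS host hands over.
ZONE_EXPORT = """\
$ORIGIN example-county.gov.
@            IN  SOA   ns1.example-county.gov. hostmaster.example-county.gov. 2018061901 3600 900 604800 86400
@            IN  NS    ns1.example-county.gov.
@            IN  NS    ns2.dns-vendor.example.
@            IN  MX    10 mail.example-county.gov.
@            IN  MX    20 inbound.mailfilter.example.
@            IN  TXT   "v=spf1 mx include:spf.mailfilter.example include:_spf.crm-vendor.example -all"
www          IN  A     198.51.100.20
mail         IN  A     198.51.100.25
portal       IN  CNAME portal-tenant-42.hosted-cms.example.
payments     IN  A     203.0.113.40
vpn          IN  A     198.51.100.30
oldintranet  IN  A     198.51.100.77
permits      IN  NS    ns1.permits-saas.example.
"""


def in_zone(name):
    """True when a DNS name is the agency zone or a name beneath it."""
    n = name.rstrip(".").lower()
    return n == AGENCY_ZONE or n.endswith("." + AGENCY_ZONE)


def parse_zone(text):
    """Return (fqdn, type, rdata) for the one-line records a zone export contains."""
    origin, records = "", []
    for raw in text.splitlines():
        # ';' starts a comment, but only outside quoted TXT data (DMARC records contain ';')
        line = raw if '"' in raw else raw.split(";")[0]
        line = line.strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        parts = line.split(None, 3)            # name, class, type, rdata
        if len(parts) < 4 or parts[1] != "IN":
            continue
        name, _, rtype, rdata = parts
        fqdn = origin if name == "@" else f"{name}.{origin}"
        records.append((fqdn, rtype, rdata.strip()))
    return records


def classify(records):
    """Return (fqdn, type, target, category) for each record that hands trust to an outside party."""
    findings = []
    for fqdn, rtype, rdata in records:
        if rtype == "A":
            ip = ipaddress.ip_address(rdata)
            if not any(ip in net for net in AGENCY_NETS):
                findings.append((fqdn, "A", rdata, "hosted_outside_agency_space"))
        elif rtype == "CNAME" and not in_zone(rdata):
            findings.append((fqdn, "CNAME", rdata, "third_party_service"))
        elif rtype == "MX":
            _prio, target = rdata.split()
            if not in_zone(target):
                findings.append((fqdn, "MX", target, "third_party_mail_path"))
        elif rtype == "NS" and not in_zone(rdata):
            kind = "external_dns_provider" if fqdn == AGENCY_ZONE else "delegated_subdomain"
            findings.append((fqdn, "NS", rdata, kind))
        elif rtype == "TXT" and "v=spf1" in rdata:
            # every include: is an outside organization allowed to send mail as the agency
            for inc in re.findall(r"include:(\S+)", rdata):
                findings.append((fqdn, "SPF", inc, "authorized_third_party_sender"))
    return findings


def summarize(findings):
    """Count findings per category for the one-page report."""
    return dict(Counter(category for *_, category in findings))


if __name__ == "__main__":
    found = classify(parse_zone(ZONE_EXPORT))
    for fqdn, rtype, target, category in found:
        print(f"{category:30s} {rtype:5s} {fqdn:30s} -> {target}")
    print(summarize(found))
```

On the constructed zone this produces seven findings: an outside DNS provider at the apex, a mail-filter vendor in the MX path and two SPF includes, a hosted CMS behind `portal`, a `payments` host living outside agency address space, and a whole `permits` subdomain delegated to a SaaS vendor. Each is a trust relationship to confirm with a contract owner, add to the vendor-testing list, or remove.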
Suggested Strategy #4
• Be Able to Identify an Attack
  • Deeply understand your “base” network and application operations tempo
    • Do you regularly monitor network stats?
  • Build the competency to regularly review key events via logging
  • IPS/IDS + SEM if you’re big enough to warrant the capability
  • Exfiltration logging for after the fact
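Knowing the “base” operations tempo is only useful if something compares today against it. The following is an added example, not code from the presentation or from Denim Group: it learns a per-host outbound-volume baseline from the first week of daily flow summaries (the kind a firewall or NetFlow collector can export) and then flags two things a small agency can act on, a host sending far more than its norm and a sizeable transfer to a destination that host has never talked to. The sample flows, the thresholds and the host and address names are constructed; the `SIGMA`, `MIN_RATIO` and `NEW_DEST_MIN_BYTES` values are assumptions to tune against real traffic.

```python
"""Outbound-volume anomalies and never-seen destinations against a learned baseline (added example)."""
import statistics
from collections import defaultdict

BASELINE_DAYS = 7                 # learn "normal" from the first week
SIGMA = 3.0                       # flag a day above mean + SIGMA * stdev ...
MIN_RATIO = 2.0                   # ... and at least this multiple of the mean (guards tiny stdevs)
NEW_DEST_MIN_BYTES = 50_000_000   # a never-seen destination is alerted above 50 MB


def build_sample_flows():
    """Constructed (day, host, destination, bytes_out) rows; not real traffic."""
    flows = []
    for day in range(1, 15):
        # ordinary workstation: 40-60 MB/day to the agency web proxy
        flows.append((day, "wks-17", "198.51.100.5", 40_000_000 + (day % 5) * 5_000_000))
        # file server: 380-420 MB/day of nightly backup to the backup host
        flows.append((day, "fs-01", "198.51.100.9", 380_000_000 + (day % 3) * 20_000_000))
    # day 12: the workstation pushes 2.1 GB to an address it has never talked to
    flows.append((12, "wks-17", "203.0.113.50", 2_100_000_000))
    return flows


def baseline(flows):
    """Per host: mean and stdev of daily outbound bytes, plus the set of destinations seen."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    dests = defaultdict(set)
    for day, host, dst, nbytes in flows:
        if day <= BASELINE_DAYS:
            daily[host][day] += nbytes
            dests[host].add(dst)
    profile = {}
    for host, per_day in daily.items():
        totals = [per_day.get(d, 0) for d in range(1, BASELINE_DAYS + 1)]
        profile[host] = {
            "mean": statistics.mean(totals),
            "stdev": statistics.stdev(totals) if len(totals) > 1 else 0.0,
            "dests": dests[host],
        }
    return profile


def detect(flows):
    """Return alert dicts for every day after the baseline period, in day order."""
    profile = baseline(flows)
    alerts = []
    for day in sorted({d for d, *_ in flows if d > BASELINE_DAYS}):
        totals = defaultdict(int)
        for _, host, dst, nbytes in (f for f in flows if f[0] == day):
            totals[host] += nbytes
            p = profile.get(host)
            # a large transfer to a destination absent from the baseline
            if p is not None and dst not in p["dests"] and nbytes >= NEW_DEST_MIN_BYTES:
                alerts.append({"kind": "new_destination", "day": day, "host": host,
                               "dst": dst, "bytes": nbytes})
        for host, total in totals.items():
            p = profile.get(host)
            if p is None:
                # a host with no baseline at all is itself worth a look
                alerts.append({"kind": "unknown_host", "day": day, "host": host, "bytes": total})
                continue
            threshold = p["mean"] + SIGMA * p["stdev"]
            if total > threshold and total > MIN_RATIO * p["mean"]:
                alerts.append({"kind": "volume_anomaly", "day": day, "host": host,
                               "bytes": total, "threshold": round(threshold)})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_flows()):
        print(alert)
```

The file server’s 380 to 420 MB swings never trip the volume rule because its baseline has the variance built in, while the workstation’s 2.1 GB day is caught twice, once by volume and once by destination. This is exactly the “exfiltration logging for after the fact” the slide asks for, with the comparison automated so it runs before the fact as well.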
Suggested Strategy #5
• Don’t go it alone!
  • Gain and maintain a trusted relationship with an organization that understands firm risk and can conduct knowledge transfer
    • Particularly given the broad technology stack
  • Consider a Managed Security Services Provider (MSSP) for 24/7 coverage
  • Have a relationship with an IR and crisis communication firm
Why Is This Important to You?
• Budget will remain constrained
• Threats adapting and metastasizing faster than defenders can respond
• Attack surface is constantly in flux
John B. Dickson, CISSP, @johnbdickson
www.denimgroup.com
Questions and Answers