![Page 1: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/1.jpg)
Delhi the Second Adventure
Thorough, Safe and Secure
Fabian + Joerg
http://fedoraproject.org
![Page 2: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/2.jpg)
/me
![Page 3: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/3.jpg)
Communication Security
[ and this! ]
![Page 4: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/4.jpg)
![Page 5: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/5.jpg)
[ Security Lab ]
A Linux-based open source test and education platform for
- security auditing
- forensics
- penetration testing
![Page 6: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/6.jpg)
[ History: @ foss.in Bangalore 2009 ]
- pick up the idea, give it a home: http://fedorahosted.org/security-spin/
- Contributor Wishlist: https://bugzilla.redhat.com/show_bug.cgi?id=563471
- improve spin section content: went to spins.fedoraproject.org/security
- move to SLiM as display manager: moved to SLiM, then moved on to LXDM ...
- move to LXDE as desktop environment: we moved to LXDE, then move to XFCE in Fedora 20
- become an official spin in Fedora 13: we made it as an official Fedora Security Spin in Fedora 13, 14, 15, 16, 17 and will be for 18
- LIMITS: web application testing tools + implementing OSSTMM upstreams: we packaged SCARE and unicornscan; this also brought up the limits of a large FOSS project
- become the official OSSTMM distro: ISECOM's Pete Herzog announced OSSTMM Lab as the "New live linux distro for OSSTMM users" on 12 September 2012
- new features in the current version of the OSL (v3.8b4 (F17)) with input from the ISECOM HHS Team!
- collect input and suggestions
- working on a test bench for students
![Page 7: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/7.jpg)
[ possible benefits ]
- use case for the FSL
- new cool upstreams
- implemented methodology
- Fedora gets taught along the OSSTMM
![Page 8: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/8.jpg)
- OSSTMM Lab: a modified version of the Fedora Security Lab
- packaging upstream tools from the OSSTMM team
- a stable platform for teaching the curriculum for OSSTMM and HHS
- integrate the methodology flow into one possible toolset
[ benefits ]
![Page 9: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/9.jpg)
HIC Audit Services
[ From Risk to Operations ]
![Page 10: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/10.jpg)
From Risk to Operations
![Page 11: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/11.jpg)
![Page 12: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/12.jpg)
[ but we have problem ]
![Page 13: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/13.jpg)
[ Security - Industry ]
![Page 14: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/14.jpg)
Comply!? But not secure? Blocked?
Get the audit result you need? But not secure? Blocked?
Secure? But not compliant? Blocked?
[ Compliance? ]
Source: OSSTMM, ISECOM
![Page 15: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/15.jpg)
![Page 16: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/16.jpg)
Spend your money on "Bad Security"?
![Page 17: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/17.jpg)
Security? Cloud, Social Media, Mobile Platform
![Page 18: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/18.jpg)
Trusts: new attack vectors!
![Page 19: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/19.jpg)
[ Reports: management & real-world compatible ]
[ reproducible with the right standards & methods! ]
[ neutral, unbiased by relying on open standards ]
[ comparable, real working metrics, based on scientific research ]
![Page 20: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/20.jpg)
[ know ]
- a way for proper testing!
![Page 21: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/21.jpg)
[ there is an Open Source way ]
How do current operations work?
How do they work differently from how management thinks they work?
How do they need to work?
![Page 22: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/22.jpg)
[ Controls <> Trusts ]
[ Security <> Safety? ]
[ Operations ]
[ Compliance ]
[ the terrible truth? ]
![Page 23: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/23.jpg)
Human risk will never change
"In Security people are as much a part of the process as are the machines."
derived from ISECOM, OSSTMM 3.0
![Page 24: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/24.jpg)
Source: Takedown, Tsutomu Shimomura
![Page 25: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/25.jpg)
- Industry 74.49%
- Military 97.16%
- Banks 84.36%
- Software Vendors 73.12%
- Politics 76.58%
![Page 26: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/26.jpg)
![Page 27: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/27.jpg)
Usual testing synonyms:
- Blind / Blackbox Pentest
- Graybox / Crystal box / Red Team
- Social Engineering
- WarDriving
- WarDialing
- Configuration Reviews
- Code Reviews
[ common sense ]
![Page 28: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/28.jpg)
[ testpath ]
![Page 29: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/29.jpg)
![Page 30: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/30.jpg)
Source: Takedown, Tsutomu Shimomura
![Page 31: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/31.jpg)
![Page 32: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/32.jpg)
![Page 33: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/33.jpg)
![Page 34: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/34.jpg)
- False Positive (status true, although untrue)
- False Negative (status untrue, although true)
- Gray Positive (status always true)
- Gray Negative (status always untrue)
- Specter (true or untrue anomaly)
- Indiscretion (true or untrue time dependency)
- Entropy Error (true or untrue overhead)
- Falsification (true or untrue, unknown variables)
- Sampling Error (influenced from outside)
- Constraint (true or untrue, equipment limit)
- Propagation (not tested)
- Human Error (missing skill, experience)
![Page 35: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/35.jpg)
From Risk to Operations
![Page 36: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/36.jpg)
[ Quantify Security ]
![Page 37: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/37.jpg)
Metrics
Findings table from a German audit report (translated; the System column was not legible in the transcript):

| System | Vulnerability | Criticality | Measure |
|---|---|---|---|
| | insecure encryption possible; possibly outdated software version | low | assess and prevent |
| | parameter with code injection | medium | strip code fragments from requests; application audit |
| | insecure encryption possible; possibly outdated software version | low | assess; reduce attack surface |
| | insecure encryption possible; possibly outdated software version | low | check and fix; application audit |
| | unencrypted transmission of authentication data; Cross Site Tracing | medium | restrict TRACE requests; check and fix unencrypted transmission |
| | insecure encryption possible; password combinations unlimited | low | assess and prevent |
| | admin portals reachable unencrypted; password combinations unlimited; disclosure of all system data!; access to private data; administrative access to the web server | high | extensive practical immediate measures were reported on 21.08.2010, see page 48 |
| | spam sending possible; code injection | medium | form processing must be reworked; strip code fragments from requests; application audit |
| | limited encryption | low | apply vendor patch |
| | Cross Site Tracing; PHP version attackable; Cross Site Scripting; Parameter Tampering; Information Disclosure | high | restrict TRACE requests; form processing must be reworked; strip code fragments from requests; classification of information |

Vulnerability Mngmt. vs Threat Modelling vs Risk Assessment Values
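The "restrict TRACE requests" measure that recurs in the findings table addresses Cross-Site Tracing: a server that honours TRACE echoes the complete request, headers included, back to the client, so anything a browser attaches (cookies, authorization headers) is readable from the response body. The check below is an added example written for this transcript; it is not a tool from the slides, the Fedora Security Lab or OSSTMM. The function names, the `X-Xst-Canary` header and the two sample responses are constructed for illustration, and `probe_trace` is the only part that touches the network.

```python
"""TRACE / Cross-Site Tracing check (added example, hypothetical helper).

The verdict depends on a canary header being echoed in the body, not on
the status code or the Allow header alone, so a server that merely
advertises TRACE without reflecting the request is not reported as
vulnerable.
"""
import os
import socket

CANARY_HEADER = "X-Xst-Canary"  # assumed name, chosen for this example


def build_trace_request(host: str, path: str = "/", canary: str = "xst-canary") -> bytes:
    """Assemble a raw HTTP/1.1 TRACE request carrying the canary header."""
    lines = [
        f"TRACE {path} HTTP/1.1",
        f"Host: {host}",
        f"{CANARY_HEADER}: {canary}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def classify_trace_response(raw: bytes, canary: str) -> str:
    """Return 'vulnerable', 'blocked' or 'inconclusive' for a raw response.

    vulnerable:   200 and the canary value appears in the body, i.e. the
                  server reflected our request headers (Cross-Site Tracing).
    blocked:      403 / 405 / 501, the method is disabled or filtered.
    inconclusive: anything else (redirects, errors, 200 without an echo).
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "inconclusive"
    status = int(parts[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status in (403, 405, 501):
        return "blocked"
    if status == 200 and canary.encode("ascii") in body:
        # message/http is the content type a compliant TRACE echo carries;
        # we record it but the echoed canary is the decisive evidence.
        headers.get("content-type", "")
        return "vulnerable"
    return "inconclusive"


def probe_trace(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send the probe to a live plain-HTTP host and classify the answer.

    Uses a fresh random canary per run so a cached or replayed body
    cannot produce a false positive. Not used by the offline samples.
    """
    canary = "xst-canary-" + os.urandom(4).hex()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, path, canary))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return classify_trace_response(b"".join(chunks), canary)


# Constructed sample responses (not captured from any real host).
SAMPLE_TRACE_REFLECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"X-Xst-Canary: xst-canary-7f3a\r\n"
    b"Connection: close\r\n"
)
SAMPLE_TRACE_DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(classify_trace_response(SAMPLE_TRACE_REFLECTED, "xst-canary-7f3a"))  # vulnerable
    print(classify_trace_response(SAMPLE_TRACE_DISABLED, "xst-canary-7f3a"))   # blocked
```

The canary is what keeps this out of the false-positive column of the error list above: a scanner that reports TRACE from an `Allow` header or a banner has not shown that anything is reflected. On Apache httpd the fix behind the table's measure is `TraceEnable off` in the server configuration; rejecting the method with rewrite rules is the older workaround. Run `probe_trace` only against hosts you are authorised to test.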
![Page 38: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/38.jpg)
RAV
Source: OSSTMM, ISECOM
![Page 39: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/39.jpg)
[ porosity ]
- Visibility
- Access
- Trust
![Page 40: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/40.jpg)
[ how much security do you really need? ]
![Page 41: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/41.jpg)
[ Authentication ]
![Page 42: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/42.jpg)
[ Indemnification ]
![Page 43: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/43.jpg)
[ Resistance ]
![Page 44: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/44.jpg)
[ Subjugation ]
![Page 45: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/45.jpg)
[ Continuity ]
![Page 46: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/46.jpg)
[ non-repudiation ]
![Page 47: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/47.jpg)
[ confidentiality ]
[ privacy ]
[ integrity ]
![Page 48: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/48.jpg)
[ Alarm ]
![Page 49: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/49.jpg)
[ limitations ]
![Page 50: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/50.jpg)
Limitations
![Page 51: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/51.jpg)
OSSTMM Risk Assessment Value
![Page 52: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/52.jpg)
![Page 53: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/53.jpg)
"There are only 2 ways to steal something: either you take it yourself or you have someone else take it and give it to you"
OSSTMM 3.0
![Page 54: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/54.jpg)
Apps? Steal something for me?
![Page 55: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/55.jpg)
Steal something for me
![Page 56: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/56.jpg)
Tom is verbose
![Page 57: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/57.jpg)
Tom the Cat is calling home
![Page 58: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/58.jpg)
- Size
- Symmetry
- Visibility
- Subjugation
- Consistency
- Integrity
- Offsets
- Value
- Components
- Porosity
[ quantify Trust! ]
![Page 59: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/59.jpg)
Risk! Sometimes the result is not what you expect!
![Page 60: Delhi The Second Adventure](https://reader030.vdocument.in/reader030/viewer/2022032616/55a3bc691a28abb13a8b4604/html5/thumbnails/60.jpg)