Page 1: Eyes Wide Open - Clover Sitesstorage.cloversites.com/.../documents/Keynote-Eyes-Wide-Open.pdfEyes Wide Open John Sawyer Senior Security Analyst InGuardians, Inc

Eyes Wide Open

John Sawyer Senior Security Analyst

InGuardians, Inc.

Page 2

Copyright 2013 InGuardians, Inc. [email protected] - @johnhsawyer

Agenda

• Who am I?
• What is IT Security?
• Penetration Testing
  – (aka Go Hack Yourself)
• Fun (and scary) Attacks
  – And, How to Protect Yourself

Page 3

Who, What, Where

• InGuardians Senior Security Analyst
  – Penetration Testing
    • Web, Network, Smart Grid, Mobile, Physical
  – Architecture Review
  – Incident Response & Forensics
• Dark Reading “Evil Bytes” author
• 1@stplace - Retired CTF packet monkey
  – Winners DEFCON 14 & 15 CTF

Page 4

Eyes Wide Open

• Why this title?
• What does it mean?
  – Amazement
  – Fear
  – Naïve
  – Prepared

Page 5

What is IT Security?

• Does it mean what you think it means?
• Many areas of focus
• IT vs C-level perspective
• Public perspective

Page 6

So Many Areas, So Little Time

• System hardening
• Network security
• Incident response
• Forensics
• Penetration Testing
• Vulnerability Assessments
• Reverse Engineering
• And, so much more!

Page 7

C-Level Exec vs IT Practitioner

• What does security really do?
  – Costs money
  – ROI?
  – Invisible until a problem arises
• Accuracy vs Speed
• Secure vs Compliant

Page 8

Compliance ≠ Security

• Being “compliant” often leads to a false sense of security
• Loads of money spent on security products but no focus on processes

Page 9

Public Perspective

Page 10

Reality

Page 11

2012 Eye Openers

• Flashback OS X
• Java Zero Days
• Flame & Gauss
• Android
• LinkedIn, Last.fm, Dropbox Passwords
• Shamoon

Page 12

Penetration Testing

Page 13

What is Pen Testing?

• Validation of vulnerability assessments
• Better measurement of risk
• Can answer the “What If” questions
• Can determine if the “worst case scenario” can really happen

Page 14

What can you do?

•  First, what does your job description say?

Page 15

Network Scanning

• Nmap – network (vuln) scanner
  – Ndiff – compare scan results
• Vulnerability Scanning
  – Low hanging fruit
  – Don’t focus only on HIGH findings (“Low 2 Pwned”: chained low-severity findings still get you owned)
  – Nessus, NeXpose, ZAP, Burp, etc.
• Shodan
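The Nmap/Ndiff bullet above in working form, as an added example that is not part of the original deck: a Python script that parses two Nmap XML (`-oX`) outputs and reports what changed between them, which is what Ndiff does for full scan output. The two XML documents are constructed samples (documentation-range addresses, trimmed to the elements the script reads); the `host`, `status`, `address`, `ports`, `port`, `state` and `service` element names are the ones Nmap emits.

```python
"""Ndiff-style comparison of two Nmap XML (-oX) scan results.

Added example, not code from the original deck. Parses a baseline scan
and a later scan and reports hosts and open ports that appeared or
disappeared: the "know your network" check the slide describes.
"""
import xml.etree.ElementTree as ET

# Constructed sample scans (documentation ranges, trimmed to what we read).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX baseline.xml 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
    </ports></host>
</nmaprun>
"""

NEW_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX new.xml 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports></host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): service_name}} for every host Nmap saw as up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a down host carries no port table worth diffing
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        open_ports = {}
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            open_ports[(port.get("protocol"), int(port.get("portid")))] = name
        hosts[addr] = open_ports
    return hosts


def diff_scans(baseline_xml, new_xml):
    """Report new/missing hosts and newly opened/closed ports between two scans."""
    base, new = parse_open_ports(baseline_xml), parse_open_ports(new_xml)
    report = {
        "new_hosts": sorted(set(new) - set(base)),
        "missing_hosts": sorted(set(base) - set(new)),
        "opened": {},  # ip -> [(proto, port, service), ...]
        "closed": {},
    }
    for ip in sorted(set(base) & set(new)):
        opened = [(p, n, new[ip][(p, n)]) for (p, n) in new[ip].keys() - base[ip].keys()]
        closed = [(p, n, base[ip][(p, n)]) for (p, n) in base[ip].keys() - new[ip].keys()]
        if opened:
            report["opened"][ip] = sorted(opened)
        if closed:
            report["closed"][ip] = sorted(closed)
    return report


def format_report(report):
    """Render the diff as ndiff-like +/- lines, one string per change."""
    lines = []
    for ip in report["new_hosts"]:
        lines.append(f"+ host {ip} is new")
    for ip in report["missing_hosts"]:
        lines.append(f"- host {ip} no longer up")
    for ip, ports in report["opened"].items():
        for proto, port, svc in ports:
            lines.append(f"+ {ip} {port}/{proto} open ({svc})")
    for ip, ports in report["closed"].items():
        for proto, port, svc in ports:
            lines.append(f"- {ip} {port}/{proto} closed ({svc})")
    return lines


if __name__ == "__main__":
    for line in format_report(diff_scans(BASELINE_XML, NEW_XML)):
        print(line)
```

Run the real scan as `nmap -sS -oX baseline.xml <range>` today and again next week and feed both files to `diff_scans`; `ndiff`, which ships with Nmap, does the same against full scan output. A host that appeared without a change ticket, or 3389 or 23 newly open on a server, is the finding; the printer on 9100 that dropped out of the scan is worth a look too, since it may simply have moved.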

Page 16

Shodan (www.shodanhq.com)

• “Search engine for service banners of pre-scanned devices accessible via the public Internet”
• Created by John Matherly
• Controversial?
  – Has led to the exposure of many SCADA and ICS devices

Page 17

Many Ways to Shodan

• Web Interface
• API
• Metasploit
• iPhone
• Maltego

Page 18

Any Volunteers?

Page 19

Shodan Exposures

Page 20

Attacks, The News, & Reality

Page 21

Javapocalypse

• Java – A necessary evil for many
  – Business reporting applications
  – Security Tools
    • Burp
    • Zap
    • Others

Page 22

Decaffeinating Java Exploits

• Uninstall Java
• Install Java 7 Update 11
• Allow Java only in dedicated VMs
• Decouple Java from Browsers
• Use separate browsers
  – Only one has Java enabled
  – “Security Zones”

Page 23

Publicly-Accessible Printers

• Weak/Default passwords
• JetDirect vulnerabilities
• Remote firmware update (FIRE)
• Credential exposure?

Page 24

Printer Safety

• Network segmentation
• Network scanning
  – Know your network
    • Nmap
    • Shodan
    • Google

Page 25

Verizon’s Bob

• After reading the 2012 DBIR, started monitoring logs from the VPN.
• Regular connections from China.
• “US critical infrastructure company”
• Developer was at his desk.

Page 26

Bob = Model Employee

• “Quarter after quarter, his performance review noted him as the best developer in the building.”
  – 9:00 a.m. – Arrive & surf Reddit. Watch cat videos
  – 11:30 a.m. – Take lunch
  – 1:00 p.m. – Ebay time.
  – 2:00-ish p.m. – Facebook updates, LinkedIn
  – 4:30 p.m. – End of day update to management.
  – 5:00 p.m. – Go home

Page 27

Where’s Waldo…Bob?

•  I’ll get there…

Page 28

Internal Detection

• VLAN Hopping
  – Tripwire monitoring switch configs
• Malware & Attacker Tools
  – Antivirus logs
• Exploitation of Vulnerable Services
  – Host Intrusion Prevention logs
• Nmap Scan
  – Server Performance Monitor

Page 29

External Detection

• Nmap Scan
  – FW Logs via MSP
• Web Vuln Scan
  – User Experience Monitor
• Attack Tool Scans
  – IDS via MSP
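The “Nmap Scan – FW Logs” pairing above as detection logic rather than a bullet; this is an added example, not code from the deck. It reads firewall deny lines in a constructed, vendor-neutral format (an assumption: real firewalls log differently, so `LINE_RE` is the only part to adapt), keeps a sliding window per source address, and raises one alert for a source that probes many ports on one host (vertical scan) or one port across many hosts (horizontal sweep). The sample log and its addresses are constructed.

```python
"""Port-scan detection over firewall deny logs.

Added example, not from the original deck. Turns a stream of deny lines
into one alert per scanning source. Log format and addresses are
constructed stand-ins for whatever your firewall or MSP actually ships.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape; adapt this one regex to your firewall's syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Constructed sample: a vertical scan (12 ports on one host in 12 s), a
# horizontal sweep (port 22 across six hosts), benign repeated denies from a
# third source, and a malformed line that the parser must skip.
SAMPLE_LOG = (
    [f"2013-02-11T09:14:{i:02d}Z DENY src=203.0.113.5 dst=198.51.100.20 proto=tcp dport={p}"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
    + [f"2013-02-11T09:20:{i:02d}Z DENY src=198.18.0.9 dst=198.51.100.{i + 1} proto=tcp dport=22"
       for i in range(6)]
    + ["2013-02-11T09:30:00Z DENY src=192.0.2.77 dst=198.51.100.20 proto=tcp dport=443",
       "2013-02-11T09:45:00Z DENY src=192.0.2.77 dst=198.51.100.20 proto=tcp dport=443",
       "Feb 11 09:46:00 fw01 kernel: not a line this parser understands"]
)


def parse_line(line):
    """Parse one deny line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def detect_scans(lines, window=timedelta(seconds=60), port_threshold=10, host_threshold=5):
    """Return {src_ip: alert} for sources that look like scanners.

    Vertical: within `window`, denied on `port_threshold` distinct ports of a
    single host. Horizontal: one port on `host_threshold` distinct hosts.
    Only the first crossing per source is recorded, so a noisy scanner yields
    one alert rather than one per packet.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> events still inside the window
    alerts = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # q is never empty: ev is in it
            q.popleft()
        if ev["src"] in alerts:
            continue
        by_dst, by_port = defaultdict(set), defaultdict(set)
        for e in q:
            by_dst[e["dst"]].add(e["dport"])
            by_port[e["dport"]].add(e["dst"])
        vertical = max(len(ports) for ports in by_dst.values())
        horizontal = max(len(hosts) for hosts in by_port.values())
        if vertical >= port_threshold:
            alerts[ev["src"]] = {"kind": "vertical", "distinct": vertical,
                                 "first_seen": q[0]["ts"], "last_seen": ev["ts"]}
        elif horizontal >= host_threshold:
            alerts[ev["src"]] = {"kind": "horizontal", "distinct": horizontal,
                                 "first_seen": q[0]["ts"], "last_seen": ev["ts"]}
    return alerts


if __name__ == "__main__":
    for src, a in detect_scans(SAMPLE_LOG).items():
        print(f"{a['first_seen']:%H:%M:%S} {src} {a['kind']} scan, "
              f"{a['distinct']} distinct targets in window")
```

A default Nmap run touches its top 1000 ports in seconds, so the 60-second window and a threshold of ten ports catch it comfortably. A deliberately slow scan (`-T0`/`-T1` or `--scan-delay`) spreads probes past the window; widen it, or run the same logic a second time over hourly buckets, rather than lowering the thresholds until ordinary retries from a misconfigured client start alerting.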

Page 30

Security Pro’s Dilemma

• The Defender has to get it right every time

• The Attacker only has to get it right once in order to win.

Page 31

Information Overload

• Everything logs
  – Do you know how to collect it?
• New threats emerge every day
  – How do you keep track?
• More and more data to analyze
  – Do you look at it all or intelligently narrow it down?

Page 32

Information Overload

• Too many logs
• Too few hours in the day
• Too many new threats
• Too few security staff
• And, what should we focus on?!?

Page 33

Risk-Based Approach to Logs

• Identify high-value targets
• Identify worst-case scenario
• How can they be attacked?
• Do you have mechanisms in place to monitor those areas?

Page 34

Start Small

• Syslog, Splunk, or ELSA
  – Firewall, VPN, Servers, Door Access
• Network monitoring (IDS, NetFlow)
  – Security Onion
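The Bob case from the earlier slides and the “Firewall, VPN, Servers, Door Access” sources listed here meet in one check. This is an added example, not code from the deck: it joins VPN logins to badge-reader logs and reports any user who logged in from outside the home country within a few hours of badging into the building. The two log formats, the user names and the prefix-to-country table are constructed assumptions standing in for a real VPN concentrator, badge system and GeoIP database; it runs offline on the sample lines embedded below.

```python
"""Correlating VPN logins with door-access (badge) logs.

Added example, not from the original deck. A foreign VPN login on its own
is travel until proven otherwise; the same user badging into the office
within the window is what makes it a finding.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY = "US"
# Constructed stand-in for a GeoIP lookup (assumption): documentation
# prefixes only, not real geolocation data.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# Assumed line shapes for the two sources; adapt the regexes to yours.
VPN_RE = re.compile(r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) action=login$")
BADGE_RE = re.compile(r"^(?P<ts>\S+) badge user=(?P<user>\S+) door=(?P<door>\S+) result=granted$")

# Constructed sample logs for one working day.
VPN_LOG = [
    "2013-01-14T08:02:11Z vpn user=bob src=203.0.113.45 action=login",
    "2013-01-14T09:00:30Z vpn user=alice src=198.51.100.7 action=login",
    "2013-01-14T13:10:02Z vpn user=bob src=203.0.113.45 action=login",
    "2013-01-14T22:00:00Z vpn user=carol src=203.0.113.9 action=login",
    "2013-01-14T22:00:05Z vpn user=bob src=203.0.113.45 action=logout",
]
BADGE_LOG = [
    "2013-01-14T08:55:40Z badge user=bob door=HQ-Lobby result=granted",
    "2013-01-14T09:05:12Z badge user=alice door=HQ-Lobby result=granted",
    "2013-01-14T13:02:50Z badge user=bob door=HQ-Lobby result=granted",
    "2013-01-14T17:30:00Z badge user=dave door=HQ-Lobby result=denied",
]


def country_for(ip):
    """Map an address to a country code via GEO_TABLE; '??' when unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"  # unknown is treated as foreign so it is not silently ignored


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_impossible_presence(vpn_lines, badge_lines, window=timedelta(hours=4)):
    """Return findings where a foreign VPN login sits within `window` of a badge-in."""
    badges = defaultdict(list)  # user -> [(time, door), ...]
    for line in badge_lines:
        m = BADGE_RE.match(line.strip())
        if m:
            badges[m["user"]].append((parse_ts(m["ts"]), m["door"]))
    findings = []
    for line in vpn_lines:
        m = VPN_RE.match(line.strip())
        if not m:
            continue  # logouts and unrelated lines
        cc = country_for(m["src"])
        if cc == HOME_COUNTRY:
            continue
        vpn_at = parse_ts(m["ts"])
        for badged_at, door in badges.get(m["user"], []):
            if abs(badged_at - vpn_at) <= window:
                findings.append({"user": m["user"], "vpn_src": m["src"], "country": cc,
                                 "vpn_at": vpn_at, "badged_at": badged_at, "door": door})
                break  # one finding per login is enough
    return findings


if __name__ == "__main__":
    for f in find_impossible_presence(VPN_LOG, BADGE_LOG):
        print(f"{f['user']}: VPN from {f['vpn_src']} ({f['country']}) at {f['vpn_at']:%H:%M} "
              f"but badged into {f['door']} at {f['badged_at']:%H:%M}")
```

On the sample day this flags bob twice and nobody else: alice is domestic, and carol's late-night foreign login has no badge activity near it, so it stays a travel question for the help desk rather than an alert. Both inputs are already in the “Start Small” list, so the join costs nothing beyond getting the two feeds into the same syslog, Splunk or ELSA instance.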

Page 35

Takeaways

• Security
  – It’s more than you against the world
• Penetration Testing
  – There are things you can do!
• Attacks (and prevention)
  – Monitor, monitor, MONITOR!

Page 36

Thank You

• Questions?

•  Contact information: John Sawyer [email protected] 352-389-4704

