Eyes Wide Open John Sawyer Senior Security Analyst InGuardians, Inc.


TRANSCRIPT

  • Eyes Wide Open

    John Sawyer Senior Security Analyst

    InGuardians, Inc.

  • Copyright 2013 InGuardians, Inc.! [email protected] - @johnhsawyer!

    Agenda

    • Who am I?
    • What is IT Security?
    • Penetration Testing
      – (aka. Go Hack Yourself)
    • Fun (and scary) Attacks
      – And, How to Protect Yourself

    Who, What, Where

    • InGuardians Senior Security Analyst
      – Penetration Testing
        • Web, Network, Smart Grid, Mobile, Physical
      – Architecture Review
      – Incident Response & Forensics
    • Dark Reading “Evil Bytes” author
    • 1@stplace - Retired CTF packet monkey
      – Winners DEFCON 14 & 15 CTF

    Eyes Wide Open

    • Why this title?
    • What does it mean?
      – Amazement
      – Fear
      – Naïve
      – Prepared

    What is IT Security?

    • Does it mean what you think it means?
    • Many areas of focus
    • IT vs C-level perspective
    • Public perspective

    So Many Areas, So Little Time

    • System hardening
    • Network security
    • Incident response
    • Forensics
    • Penetration Testing
    • Vulnerability Assessments
    • Reverse Engineering
    • And, so much more!

    C-Level Exec vs IT Practitioner

    • What does security really do?
      – Costs money
      – ROI?
      – Invisible until a problem arises
    • Accuracy vs Speed
    • Secure vs Compliant

    Compliance ≠ Security

    • Being “compliant” often leads to a false sense of security
    • Loads of money spent on security products but no focus on processes

    Public Perspective

    Reality

    Penetration Testing

    What is Pen Testing?

    • Validation of vulnerability assessments
    • Better measurement of risk
    • Can answer the “What If” questions
    • Can determine if the “worst case scenario” can really happen

    What can you do?

    • First, what does your job description say?

    Network Scanning

    • Nmap – network (vuln) scanner
      – Ndiff – compare scan results
    • Vulnerability Scanning
      – Low hanging fruit
      – Don’t focus only on HIGH findings (Low 2 Pwned)
      – Nessus, NeXpose, ZAP, Burp etc.
    • Shodan

    Shodan (www.shodanhq.com)

    • “Search engine for service banners of pre-scanned devices accessible via the public Internet”
    • Created by John Matherly
    • Controversial?
      – Has led to the exposure of many SCADA and ICS devices

    Many Ways to Shodan

    • Web Interface
    • API
    • Metasploit
    • iPhone
    • Maltego

    Any Volunteers?

    Shodan Exposures

    Attacks, The News, & Reality

    Javapocalypse

    • Java – A necessary evil for many
      – Business reporting applications
      – Security Tools
        • Burp
        • Zap
        • Others

    Decaffeinating Java Exploits

    • Uninstall Java
    • Install Java 7 Update 11 (the latest patch level when this talk was given)
    • Java only allowed in special VMs
    • Decouple Java from Browsers
    • Use separate browsers
      – Only one has Java enabled
      – “Security Zones”

    Publicly-Accessible Printers

    • JetDirect vulnerabilities
    • Remote firmware update (FIRE)
    • Credential exposure?

    Printer Safety

    • Network segmentation
    • Network scanning
      – Know your network
        • Nmap
        • Shodan
        • Google
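    The Nmap/Ndiff bullet under Network Scanning and the "know your network" advice on this slide come down to the same routine: keep a baseline scan and diff every new scan against it, so a printer (or anything else) that shows up on the network with a listening service is noticed. The Python below is an added example, not the speaker's code, that does that for Nmap's XML output (nmap -oX). The two scans, the addresses and the service names are constructed; the "current" scan deliberately contains a new device answering on 9100/tcp so the printer check fires. The list of printer ports is an assumption.

```python
"""Ndiff-style comparison of two Nmap XML scans, plus a printer-exposure check.

Added example for the Nmap/Ndiff and "know your network" points; not the
speaker's code. Both scans below are constructed by hand.
"""
import xml.etree.ElementTree as ET

# Constructed baseline scan: two Linux hosts, no printers.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  </ports></host>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  </ports></host>
</nmaprun>"""

# Constructed follow-up scan: 10.0.0.7 is down, 10.0.0.5 grew a web proxy,
# and a new device 10.0.0.20 answers on 80/tcp and 9100/tcp (JetDirect).
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
  </ports></host>
  <host><status state="up"/><address addr="10.0.0.20" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
    <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
  </ports></host>
  <host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>"""

# Assumed list of printing services worth flagging: JetDirect, LPD, IPP.
PRINTER_PORTS = {("tcp", 9100), ("tcp", 515), ("tcp", 631)}


def parse_scan(xml_text):
    """Return {ipv4_addr: {(proto, port): service_name}} for hosts that are up,
    keeping only ports Nmap reported as open (filtered/closed are dropped)."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            open_ports[key] = svc.get("name") if svc is not None else "unknown"
        hosts[addr.get("addr")] = open_ports
    return hosts


def diff_scans(baseline, current):
    """Report hosts that appeared or vanished and ports that opened or closed.
    Port entries are (addr, proto, port, service); a vanished host lists all of
    its former open ports under "closed", as ndiff does."""
    diff = {"new_hosts": [], "missing_hosts": [], "opened": [], "closed": []}
    for addr in sorted(set(baseline) | set(current)):
        before = baseline.get(addr)
        after = current.get(addr)
        if before is None:
            diff["new_hosts"].append(addr)
            before = {}
        elif after is None:
            diff["missing_hosts"].append(addr)
            after = {}
        for key in sorted(set(before) | set(after)):
            proto, port = key
            if key not in before:
                diff["opened"].append((addr, proto, port, after[key]))
            elif key not in after:
                diff["closed"].append((addr, proto, port, before[key]))
    return diff


def find_exposed_printers(hosts):
    """Addresses exposing a printing service, sorted for stable output."""
    return sorted(addr for addr, ports in hosts.items() if PRINTER_PORTS & set(ports))


if __name__ == "__main__":
    changes = diff_scans(parse_scan(BASELINE_XML), parse_scan(CURRENT_XML))
    for kind, entries in changes.items():
        for entry in entries:
            print(kind, entry)
    print("printer services exposed on:", find_exposed_printers(parse_scan(CURRENT_XML)))
```

    Run the same comparison against yesterday's scan from cron and you have the cheapest possible "new device on the network" alarm; the filtered telnet port is dropped on purpose, since only listening services are worth paging on.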

    Verizon’s Bob

    • After reading the 2012 DBIR, the company started monitoring its VPN logs.
    • Regular connections from China.
    • “US critical infrastructure company”
    • Developer was at his desk.

    Bob = Model Employee

    • “Quarter after quarter, his performance review noted him as the best developer in the building.”
      – 9:00 a.m. – Arrive & surf Reddit. Watch cat videos
      – 11:30 a.m. – Take lunch
      – 1:00 p.m. – eBay time
      – 2:00-ish p.m. – Facebook updates, LinkedIn
      – 4:30 p.m. – End-of-day update to management
      – 5:00 p.m. – Go home

    Where’s Waldo…Bob?

    •  I’ll get there…

    Internal Detection

    • VLAN Hopping
      – Tripwire monitoring switch configs
    • Malware & Attacker Tools
      – Antivirus logs
    • Exploitation of Vulnerable Services
      – Host Intrusion Prevention logs
    • Nmap Scan
      – Server Performance Monitor

    External Detection

    • Nmap Scan
      – FW Logs via MSP
    • Web Vuln Scan
      – User Experience Monitor
    • Attack Tool Scans
      – IDS via MSP
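    For the "Nmap Scan – FW Logs via MSP" pairing above, the following added example (not from the talk) shows the kind of rule an MSP or an in-house log box would run over firewall deny logs: one source touching many distinct destination ports on a host inside a short window. The log lines are constructed in iptables LOG format with documentation addresses; the 60-second window and the 10-port threshold are assumptions, and they are exactly what a slow scan evades, which the second constructed source (one port every two minutes) is there to show.

```python
"""Port-sweep detection over firewall DROP logs (iptables LOG format).

Added example for the "Nmap Scan – FW logs" detection pairing; not the
speaker's code. All log lines and addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]


def _fw_line(ts, src, spt, dpt, action="DROP"):
    """Build one constructed iptables-style log line (helper for the sample)."""
    return (f"Feb 10 {ts} fw kernel: {action} IN=eth0 OUT= SRC={src} DST=198.51.100.5 "
            f"PROTO=TCP SPT={spt} DPT={dpt}")


# Constructed sample: 203.0.113.9 sweeps 12 ports within 22 seconds,
# 192.0.2.44 probes the same 12 ports two minutes apart (a slow scan),
# two benign sources touch a single port each, and one sshd line is noise.
SAMPLE_FW_LOG = "\n".join(
    [_fw_line(f"10:00:{2 * i:02d}", "203.0.113.9", 44000 + i, p) for i, p in enumerate(SCAN_PORTS)]
    + [_fw_line(f"10:{2 * i:02d}:00", "192.0.2.44", 51000 + i, p) for i, p in enumerate(SCAN_PORTS)]
    + [_fw_line("10:00:05", "198.51.100.77", 50211, 443, action="ACCEPT"),
       _fw_line("10:00:09", "198.51.100.78", 50212, 22),
       _fw_line("10:00:10", "198.51.100.78", 50213, 22),
       "Feb 10 10:00:11 fw sshd[2211]: Accepted publickey for admin from 10.0.0.9"]
)

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_fw_log(lines):
    """Yield (timestamp, src, dst, dpt) for every denied packet. Lines that are
    not firewall records, or that were ACCEPTed, are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "DROP":
            continue
        yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], m["dst"], int(m["dpt"])


def detect_port_scans(lines, threshold=10, window_seconds=60):
    """Flag any source that hits at least `threshold` distinct (dst, port) pairs
    inside some interval of `window_seconds`. Alerts are sorted by source."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dpt in parse_fw_log(lines):
        by_src[src].append((ts, dst, dpt))
    alerts = []
    for src, events in sorted(by_src.items()):
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):          # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {(dst, dpt) for _, dst, dpt in events[start:end + 1]}
            peak = max(peak, len(targets))
        if peak >= threshold:
            alerts.append({"src": src, "distinct_targets": peak,
                           "first_seen": events[0][0].strftime("%b %d %H:%M:%S")})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_FW_LOG.splitlines()):
        print("possible port scan:", alert)
```

    With the defaults only the fast sweep is reported; widening the window to an hour catches the two-minute-cadence source as well, at the cost of more noise from legitimate chatty hosts. That trade-off is the tuning conversation to have with whoever watches the firewall logs.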

    Security Pro’s Dilemma

    • The Defender has to get it right every time

    • The Attacker only has to get it right once in order to win.

    Information Overload

    • Everything logs
      – Do you know how to collect it?
    • New threats emerge every day
      – How do you keep track?
    • More and more data to analyze
      – Do you look at it all or intelligently narrow it down?

    Information Overload

    • Too many logs
    • Too few hours in the day
    • Too many new threats
    • Too few security staff
    • And, what should we focus on?!?

    Risk-Based Approach to Logs

    • Identify high-value targets
    • Identify worst-case scenario
    • How can they be attacked?
    • Do you have mechanisms in place to monitor those areas?

    Start Small

    • Syslog, Splunk, or ELSA
      – Firewall, VPN, Servers, Door Access
    • Network monitoring (IDS, NetFlow)
      – Security Onion
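    Bob's case is the argument for this list: the VPN log alone showed logins from China, and a door-access log sitting next to it would have shown the same account badged into the building at the same moment. The added Python below (not the speaker's code) correlates the two feeds once they land in one place. Both logs are constructed, the country field stands in for the GeoIP enrichment a real pipeline would add, and the allowed-country list is an assumption.

```python
"""Correlate VPN logins with badge (door-access) events.

Added example for the "Start Small" log sources and the Bob story; not the
speaker's code. Both logs are constructed; the `country` field represents
GeoIP enrichment done elsewhere.
"""
import re
from datetime import datetime

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed VPN concentrator log: bob's account logs in from China each
# morning; alice and carol are ordinary remote users.
VPN_LOG = """\
2013-01-14T09:05:12Z vpn[1042]: event=login user=bob src=203.0.113.50 country=CN
2013-01-14T09:10:44Z vpn[1042]: event=login user=alice src=198.51.100.23 country=US
2013-01-14T20:15:00Z vpn[1042]: event=login user=carol src=192.0.2.77 country=US
2013-01-15T09:02:30Z vpn[1042]: event=login user=bob src=203.0.113.50 country=CN
"""

# Constructed badge-reader log for the same two days.
BADGE_LOG = """\
2013-01-14T08:58:03Z badge: event=entry user=bob door=lobby
2013-01-14T09:00:00Z badge: event=entry user=carol door=lobby
2013-01-14T12:01:00Z badge: event=exit user=bob door=lobby
2013-01-14T13:03:10Z badge: event=entry user=bob door=lobby
2013-01-14T17:05:00Z badge: event=exit user=bob door=lobby
2013-01-14T18:00:00Z badge: event=exit user=carol door=lobby
2013-01-15T08:55:00Z badge: event=entry user=bob door=lobby
"""


def parse_events(text):
    """Parse '<ISO timestamp> <source>: key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_text, _, rest = line.partition(" ")
        fields = dict(KV_RE.findall(rest))
        fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def onsite_at(badge_events, user, when):
    """True if the user's most recent badge event at or before `when` was an
    entry, i.e. the badge system believes that person is in the building."""
    last = None
    for ev in badge_events:                      # badge_events is time-ordered
        if ev.get("user") == user and ev["ts"] <= when:
            last = ev
    return last is not None and last.get("event") == "entry"


def review_vpn_logins(vpn_events, badge_events, allowed_countries=("US",)):
    """One alert per VPN login that comes from a country outside
    `allowed_countries` or that happens while the same user is badged in."""
    alerts = []
    for ev in vpn_events:
        if ev.get("event") != "login":
            continue
        reasons = []
        if ev.get("country") not in allowed_countries:
            reasons.append("login from unexpected country %s" % ev.get("country"))
        if onsite_at(badge_events, ev.get("user"), ev["ts"]):
            reasons.append("user is badged into the office during a remote login")
        if reasons:
            alerts.append({"user": ev.get("user"), "src": ev.get("src"),
                           "ts": ev["ts"].isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in review_vpn_logins(parse_events(VPN_LOG), parse_events(BADGE_LOG)):
        print(alert)
```

    The badge check is the one that would have caught Bob even if his contractor had connected from an "allowed" country: a remote login for someone the door system says is at a desk is the contradiction to chase. Carol's evening login after badging out produces nothing, which is the false positive the exit events are there to avoid.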

    Takeaways

    • Security – It’s more than you against the world

    • Penetration Testing – There are things you can do!

    • Attacks (and prevention) – Monitor, monitor, MONITOR!

    Thank You

    • Questions?

    •  Contact information: John Sawyer [email protected] 352-389-4704