Delhi The Second Adventure

Post on 13-Jul-2015



Thorough, Safe and Secure

Fabian + Joerg

jsimon@fedoraproject.org

http://fedoraproject.org

/me

Communication Security

[ and this! ]

[ Security Lab ]

A Linux-based open source test and education platform for

- security-auditing

- forensics

- penetration-testing

[ History: @ foss.in Bangalore 2009 ]

- pick up the Idea

- give it a home - http://fedorahosted.org/security-spin/

- Contributor Wishlist – https://bugzilla.redhat.com/show_bug.cgi?id=563471

- Improve spin section content – went to spins.fedoraproject.org/security

- move to SLiM as desktop manager – moved to SLiM -> moved to LXDM ...

- move to LXDE as window manager – we moved to LXDE -> move to XFCE in Fedora20

- become an official spin in Fedora 13 – we made it as an official Fedora Security Spin in Fedora 13, 14, 15, 16, 17 and will be for 18

- LIMITS - Web application testing tools + implementing OSSTMM upstreams – we packaged SCARE and unicornscan, which also brought up the limits of a large FOSS project

- become the official OSSTMM Distro – ISECOM's Pete Herzog announced OSSTMM Lab as the "New live linux distro for OSSTMM users" on 12 September 2012

- new features in the current version of the OSL (v3.8b4 (F17)) with input from the ISECOM HHS Team!

- collect input and suggestions

- Working on a Test-Bench for Students

[ possible benefits ]

- use case for the FSL

- new cool upstreams

- implemented methodology

- Fedora gets taught along with the OSSTMM

OSSTMM-Lab: Modified version of the Fedora Security Lab

Packaging upstream tools from the OSSTMM Team

A stable platform for teaching the curriculum for OSSTMM and HHS

Integrate the methodology flow into one possible toolset

[ benefits ]

HIC Audit Services

[ From Risk to Operations ]

From Risk to Operations


[ but we have problem ]

[ Security - Industry ]

Comply!? But not secure? Blocked?

Get the Audit Result you need? But not secure? Blocked?

Secure? But not compliant? Blocked?

[ Compliance? ]

Source: OSSTMM ISECOM

Spend your money on "Bad Security"?


Security? Cloud – Social Media – Mobile Platform


Trusts: new attack vectors!

[ Reports Management & Real world compatible ]

[ reproducible with the right Standards & Methods! ]

[ neutral, unbiased by relying on Open Standards ]

[ comparable, real working Metrics – based on scientific research ]

[ know ]

- a way for proper testing!

[ there is an Open Source way ]

How do current operations work?

How do they work differently from how management thinks they work?

How do they need to work?


[ Controls <> Trusts ]

[ Security <> Safety? ]

[ Operations ]

[ Compliance ]

[ the terrible truth? ]

Human risk will never change

"In Security people are as much a part of the process as are the machines."

derived from ISECOM, OSSTMM 3.0

Source: Takedown - Tsutomu Shimomura

● Industry   74,49%

● Military   97,16%

● Banks   84,36%

● Software Vendors   73,12%

● Politics   76,58%

Usual testing synonyms

- Blind/Blackbox Pentest

- Graybox/Chrystal/RedTeam

- Social Engineering

- WarDriving

- WarDialing

- Configuration Reviews

- Code Reviews

[ common sense ]

[ testpath ]

Source: Takedown - Tsutomu Shimomura

- False Positive (Status true – although untrue)

- False Negative (Status untrue – although true)

- Gray Positive (Status always true)

- Gray Negative (always untrue)

- Specter (true or untrue – anomaly)

- Indiscretion (true or untrue – time dependency)

- Entropy Error (true or untrue – Overhead)

- Falsification (true or untrue – unknown Variables)

- Sampling Error (influenced from outside)

- Constraint (true or untrue – Equipment Limit)

- Propagation (not tested)

- Human Error (missing Skill, Experience)


From Risk to Operations


[ Quantify Security ]


Metrics

System | Vulnerability | Criticality | Measure

| insecure encryption possible; possibly outdated SW version | low | assess and prevent

| parameter with code injection | medium | sanitize the code fragments from the requests; application audit

| insecure encryption possible; possibly outdated SW version | low | assess; reduce attack surface

| insecure encryption possible; possibly outdated SW version | low | check and fix; application audit

| unencrypted transmission of authentication data; Cross Site Tracing | medium | restrict TRACE requests; check and fix unencrypted transmission

| insecure encryption possible; unlimited password combinations | low | assess and prevent

| admin portals reachable unencrypted; unlimited password combinations; disclosure of all system data!; access to private data; administrative access to the web server | high | extensive practical immediate measures were reported on 21.08.2010, see page 48

| spam sending possible; code injection | medium | form processing must be reworked; sanitize the code fragments from the requests; application audit

| limited encryption | low | apply vendor patch

| Cross Site Tracing; PHP version vulnerable; Cross Site Scripting; Parameter Tampering; Information Disclosure | high | restrict TRACE requests; rework form processing; sanitize the code fragments from the requests; classify the information

Vulnerability Mgmt. vs Threat Modelling vs Risk Assessment Values


RAV

Source: OSSTMM ISECOM


[ porosity ]

- Visibility

- Access

- Trust

[ how much security do you really need? ]

[ Authentication ]

[ Indemnification ]

[ Resistance ]

[ Subjugation ]

[ Continuity ]

[ non-repudiation ]

[ confidentiality ]

[ privacy ]

[ integrity ]

[ Alarm ]

[ limitations ]

Limitations

OSSTMM Risk Assessment Value

"There are only 2 ways to steal something: either you take it yourself or you have someone else take it and give it to you"

OSSTMM 3.0


Apps? Steal something for me?


Steal something for me


Tom is verbose


Tom the Cat is calling home

Size Symmetry

Visibility

Subjugation

Consistency

Integrity

Offsets

Value

Components

Porosity

[ quantify Trust! ]


Risk! Sometimes the result is not what you expect!