Posted: 13-Jul-2015
Category: Education
Uploaded by: nu-the-open-security-community
Delhi the Second Adventure
Thorough, Safe and Secure
Fabian + Joerg
http://fedoraproject.org
/me
Communication Security
[ and this! ]
[ Security Lab ]
A Linux based open source test- and education platform for
- security-auditing
- forensics
- penetration-testing
[ History: @ foss.in Bangalore 2009 ]
- pick up the idea
- give it a home - http://fedorahosted.org/security-spin/
- Contributor Wishlist – https://bugzilla.redhat.com/show_bug.cgi?id=563471
- Improve spin section content – went to spins.fedoraproject.org/security
- move to SLiM as desktop manager – moved to SLiM -> moved to LXDM ...
- move to LXDE as window manager – we moved to LXDE -> move to XFCE in Fedora 20
- become an official spin in Fedora 13 – we made it as an official Fedora Security Spin in Fedora 13, 14, 15, 16, 17 and will be for 18
- LIMITS - Web application testing tools + implementing OSSTMM upstreams – we packaged SCARE and unicornscan, which also brought up the limits of a large FOSS project
- become the official OSSTMM distro – ISECOM's Pete Herzog announced OSSTMM Lab as the "New live linux distro for OSSTMM users" on 12 September 2012
- new features in the current version of the OSL (v3.8b4 (F17)) with input from the ISECOM HHS team!
- collect input and suggestions
- working on a test bench for students
[ possible benefits ]
- use case for the FSL
- new cool upstreams
- implemented methodology
- Fedora gets taught along with the OSSTMM
OSSTMM Lab: modified version of the Fedora Security Lab
Packaging upstream tools from the OSSTMM team
A stable platform for teaching the curriculum for OSSTMM and HHS
Integrate the methodology flow into one possible toolset
[ benefits ]
HIC Audit Services
[ From Risk to Operations ]
[ but we have a problem ]
[ Security - Industry ]
Comply!? But not secure? Blocked?
Get the audit result you need!? But not secure? Blocked?
Secure!? But not compliant? Blocked?
[ Compliance? ]
Source: OSSTMM ISECOM
Spend your money on "Bad Security"?
Security? Cloud – Social Media – Mobile Platform
Trusts: new attack vectors!
[ Reports Management & Real world compatible ]
[ reproducible with the right Standards & Methods! ]
[ neutral, unbiased by relying on Open Standards ]
[ comparable real working Metrics – based on scientific research ]
[ know ]
- a way for proper testing!
[ there is an Open Source way ]
How do current operations work?
How do they work differently from how management thinks they work?
How do they need to work?
[ Controls <> Trusts ]
[ Security <> Safety? ]
[ Operations ]
[ Compliance ]
[ the terrible truth? ]
Human risk will never change
"In Security people are as much a part of the process as are the machines."
derived from ISECOM, OSSTMM 3.0
Source: Takedown - Tsutomu Shimomura
● Industry 74.49%
● Military 97.16%
● Banks 84.36%
● Software Vendors 73.12%
● Politics 76.58%
Usual testing synonyms: Blind/Blackbox Pentest, Graybox/Crystal/Red Team, Social Engineering, WarDriving, WarDialing, Configuration Reviews, Code Reviews
[ common sense ]
[ test path ]
Source: Takedown - Tsutomu Shimomura
- False Positive (status true – although untrue)
- False Negative (status untrue – although true)
- Gray Positive (status always true)
- Gray Negative (always untrue)
- Specter (true or untrue anomaly)
- Indiscretion (true or untrue time dependency)
- Entropy Error (true or untrue overhead)
- Falsification (true or untrue – unknown variables)
- Sampling Error (influenced from outside)
- Constraint (true or untrue – equipment limit)
- Propagation (not tested)
- Human Error (missing skill, experience)
From Risk to Operations
[ Quantify Security ]
Metrics
System | Vulnerability | Criticality | Measure
- | Insecure encryption possible, possibly outdated SW version | low | assess and prevent
- | Parameter with code injection | medium | Sanitize code fragments from requests; application audit
- | Insecure encryption possible, possibly outdated SW version | low | assess, reduce attack surface
- | Insecure encryption possible, possibly outdated SW version | low | check and fix; application audit
- | Unencrypted transmission of authentication data; Cross Site Tracing | medium | Restrict TRACE requests; check and fix unencrypted transmission
- | Insecure encryption possible; unlimited password combinations | low | assess and prevent
- | Admin portals reachable unencrypted; unlimited password combinations; disclosure of all system data! Access to private data; administrative access to the web server | high | Extensive practical immediate measures were reported on 21.08.2010, see page 48
- | Spam sending possible; code injection | medium | Form processing must be reworked; sanitize code fragments from requests; application audit
- | Limited encryption | low | Apply vendor patch
- | Cross Site Tracing; PHP version attackable; Cross Site Scripting; Parameter Tampering; Information Disclosure | high | Restrict TRACE requests; form processing must be reworked; sanitize code fragments from requests; classification of information
Vulnerability Management vs Threat Modelling vs Risk Assessment Values
RAV
Source: OSSTMM ISECOM
[ porosity ]
- Visibility
- Access
- Trust
[ how much security do you really need? ]
[ Authentication ]
[ Indemnification ]
[ Resistance ]
[ Subjugation ]
[ Continuity ]
[ non-repudiation ]
[ confidentiality ]
[ privacy ]
[ integrity ]
[ Alarm ]
[ limitations ]
Limitations
OSSTMM Risk Assessment Value
"There are only 2 ways to steal something: either you take it yourself or you have someone else take it and give it to you"
OSSTMM 3.0
Apps? Steal something for me?
Steal something for me
Tom is verbose
Tom the Cat is calling home
Size Symmetry
Visibility
Subjugation
Consistency
Integrity
Offsets
Value
Components
Porosity
[ quantify Trust! ]
Risk! Sometimes the result is not what you expect!